<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Century Gothic";
panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
em
{mso-style-priority:20;
font-weight:bold;
font-style:normal;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Century Gothic",sans-serif;
color:#0D0D0D;
font-weight:normal;
font-style:normal;}
span.EmailStyle20
{mso-style-type:personal-compose;
font-family:"Century Gothic",sans-serif;
color:#0D0D0D;
font-weight:normal;
font-style:normal;}
span.st1
{mso-style-name:st1;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:497502151;
mso-list-type:hybrid;
mso-list-template-ids:-451084768 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'>Agreed that the GDPR should empower Data Subjects to have more control over their PII.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'>However, this isn’t the only consideration:<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='color:#0D0D0D;margin-bottom:6.0pt;margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Century Gothic",sans-serif'>The GDPR also states: “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” (Recital 4)<o:p></o:p></span></li></ol><p class=MsoListParagraph><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'>I think Rod’s suggestions are a good faith effort to achieve that proportionality.<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'><o:p> </o:p></span></p><ol style='margin-top:0in' start=2 type=1><li class=MsoListParagraph style='color:#0D0D0D;margin-bottom:6.0pt;margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-family:"Century Gothic",sans-serif'>In meetings w/ the European Commission (28-May-18), the commission said they shared the concerns of trademark rights advocates that there be standardized & predictable access to necessary WHOIS information.<o:p></o:p></span></li></ol><p class=MsoListParagraph style='margin-bottom:6.0pt'><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'>I believe the Commission is aware that an ad hoc system of response is not only chaotic, but potentially unsafe. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'>A consistent & reliable system that balances the privacy rights of certain individuals against the threat of harm to (potentially countless) others, will be a difficult - but not impossible - balancing act.<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:12.0pt;font-family:"Century Gothic",sans-serif;color:#0D0D0D'>Cyntia King<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'>O: +1 816.633.7647<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'>C: +1 818.209.6088<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'><img width=129 height=58 style='width:1.3437in;height:.6041in' id="Picture_x0020_1" src="cid:image001.jpg@01D4242A.9289FC90" alt="Email Logo5"><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif;color:#0D0D0D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Accred-Model <accred-model-bounces@icann.org> <b>On Behalf Of </b>Michael Palage<br><b>Sent:</b> Wednesday, July 25, 2018 3:13 PM<br><b>To:</b> 'Rod Rasmussen' <rod@rodrasmussen.com>; jdm@riskiq.net<br><b>Cc:</b> accred-model@icann.org; gdpr@icann.org<br><b>Subject:</b> Re: [Accred-Model] Codes of conduct<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Rod,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I hear your concerns, but I think Jonathan’s original comments about “ignoring these issues won’t make them go away” remains on point.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In reviewing the Version 1.7 there does not appear to have been any expansion on the Auditing and Penalties sections (Section IV, Paragraphs G & J respectively).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The bedrock of the GDPR is about empowering Data Subjects with the right to control the processing of their data and the latest model remains largely devoid of this right. Until the IPC/BC decide to incorporate some type of Data Subject “rights centric” approach into their model, I do not see how it will pass EDPB muster. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Just my personal two cents as well. Perhaps with another 4 bucks we might be able to split a cup of Starbucks coffee while in Panama.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Best regards,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Michael<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Accred-Model <<a href="mailto:accred-model-bounces@icann.org">accred-model-bounces@icann.org</a>> <b>On Behalf Of </b>Rod Rasmussen<br><b>Sent:</b> Wednesday, July 25, 2018 12:11 PM<br><b>To:</b> <a href="mailto:jdm@riskiq.net">jdm@riskiq.net</a><br><b>Cc:</b> <a href="mailto:accred-model@icann.org">accred-model@icann.org</a>; <a href="mailto:gdpr@icann.org">gdpr@icann.org</a><br><b>Subject:</b> Re: [Accred-Model] Codes of conduct<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jonathan,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thank you very much for your thoughts here! To me, this analysis of yours screams for standards so that this can scale, otherwise we will end up with a system that is far too much dependent upon manual determination of issues by all parties to be useful in the real world of abuse that moves at automated speeds (i.e. the bad guys registering or compromising domains at scale (each using thousand of domains per day via automation). My thesis is that you need a well-defined taxonomy of abuse types, domain abuse scenarios (e.g. abusively registered, compromised in-part, compromised in-full), and threat level (e.g. ongoing mass attack, ongoing targeted attack, potential attack). From that you can build a matrix of what information is required, what information about requestors can be readily revealed, and who is requested to make what kind of actions and in what timeframe. For example, for a wide-scale, current phishing attack using a compromised website, a very timely response (within minutes or hours) of a technical contact and registrant contact e-mail and phone number would facilitate solving both the phishing attack and the potential for the registrant to be exposing PII of its own users given that their website tied to a domain is compromised. The identity of the requestor would not need to be confidential in such a scenario since they *want* the registrant to know that the registrant has a serious problem to solve that could put the registrant in dire straits vis-a-vis GDPR. Separately, a detection of potentially malicious set of domain registrations that have a high probability that they will be used to launch various fraudulent and illegal scams based on prior observed behavior could result in a longer-term response (day/days) with full information about the registrant of the domain(s) and even other domains registered at near the same time, being provided with the requestor’s information not being revealed to the registrant without them going through process themselves. The main thing is to agree on what information is appropriate to reveal and how long the responses should take. From there, all parties can build automated systems to create and accept responses for contact information requests, with attestation of the harms driving the actual process that ensues.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It’s all about proportionality and the ability for various harms to be balanced in a non-biased fashion. I think that if we can approach the various scenarios dispassionately and scientifically, we could provide solid guidance on how any request for registration contact information is dealt with across all registrar/registry players *and* requestors. The key is putting together a good matrix that all stakeholders can live with, and then making sure people involved in this in all roles understand how to work within the system properly and *do*so. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The current ad-hoc situation on both the requestor and provider sides is untenable and is already on the path to major negative consequences for all. Beyond the waste of manpower and unintentional abetting of crime that we’re already seeing, my major fear is that these negative consequences eventually draw the attention of various national governments whose citizens are being abused, who then decide how things should work instead of the parties actually involved. That scenario historically doesn’t work out well for the affected parties.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>My 2 cents.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Cheers,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Rod Rasmussen<o:p></o:p></p></div><div><p class=MsoNormal>Speaking personally and not on behalf of any organization I am part of.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jul 16, 2018, at 3:54 PM, jonathan m <<a href="mailto:jonathan.matkowsky@riskiq.net">jonathan.matkowsky@riskiq.net</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal>All,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Any model that doesn’t take into account for transparency of processing that a data subject has the right to typically object and freeze the processing is not compliant with GDPR. I think the registrar as a controller must also have the right to object. That doesn’t mean that the processing won’t eventually continue if it is compelling and overrides the rights and freedoms of the individual but subject to Chapter 7 of the GDPR.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>When safety is a concern, then as long as the data subject knows which supervisory authority is overseeing the code of conduct under which the request is being made, it’s possible to protect the identity of the requestor. This should be relatively rare. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Not every legitimate interest outweighs the rights and freedoms of the data subject, and a privacy impact assessment is required. Not every legitimate interest is entitled to the same weight under GDPR, and the risks and severity of harm to the person must be considered especially when certain interests at stake aren’t the same as those of the controller. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We need RDAP to accommodate these concerns. When law enforcement has legitimate interests, they can use the same RDAP tier of access, but when pursuing a criminal offense or investigation, a different model of access must be accommodated under the LED etc.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Ignoring these issues won’t make them go away. I hope that truly consensus-building voices participate in the EPDP, because it’s time we stop trying to keep Whois to the greatest extent possible and instead design the next generation to be better—more accurate, with more accountability and integrity but also consistent with data protection laws and internationally recognized norms. It makes sense to generally treat all people — regardless of where they reside, with the same inherent rights and freedoms that European laws are attempting to protect.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Jonathan Matkowsky<o:p></o:p></p></div><div><p class=MsoNormal>VP - Cybersecurity, Privacy & IP<o:p></o:p></p></div><div><p class=MsoNormal>JD, CIPT, CIPP/EU<o:p></o:p></p></div><div><p class=MsoNormal>RiskIQ, Inc.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><p class=MsoNormal><o:p> </o:p></p></blockquote></div></div><p class=MsoNormal>-- <o:p></o:p></p><div><p class=MsoNormal>Jonathan Matkowsky<o:p></o:p></p></div><p class=MsoNormal><br><span style='font-size:9.5pt;font-family:"Arial",sans-serif;color:#222222;background:white'>*******************************************************************<br>This message was sent from RiskIQ, and is intended only for the designated recipient(s). It may contain confidential or proprietary information and may be subject to confidentiality protections. If you are not a designated recipient, you may not review, copy or distribute this message. If you receive this in error, please notify the sender by reply e-mail and delete this message. Thank you.</span><o:p></o:p></p><div><p class=MsoNormal style='background:white'><span style='font-size:9.5pt;font-family:"Arial",sans-serif;color:#222222'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='font-size:9.5pt;font-family:"Arial",sans-serif;color:#222222;background:white'>*******************************************************************</span>_______________________________________________<br>Accred-Model mailing list<br><a href="mailto:Accred-Model@icann.org">Accred-Model@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/accred-model">https://mm.icann.org/mailman/listinfo/accred-model</a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>