[gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Greg Shatan gregshatanipc at gmail.com
Fri Aug 19 23:20:21 UTC 2016


I did not find Chuck's comments in any way "accusatory."  If anything, I
found them well-considered and admirable in their restraint.

If anything, Chuck's intervention may have prevented "accusatory" comments
from making their way to the list.  As such, I would suggest that Chuck's
comments were an exercise in "de-escalation."

In that vein, I will refrain from commenting on comments, or commenting on
comments about comments or commenting on comments about comments about
comments, though if I wanted to comment on comments or comments on comments
or comments on comments on comments, I would have comments to make. But I
won't.

Greg

On Fri, Aug 19, 2016 at 7:08 PM, Stephanie Perrin <
stephanie.perrin at mail.utoronto.ca> wrote:

> Gentlemen, with great respect, I think you are being a bit hard on Ayden
> here. If, as our next-gen rep here on the group, he were not questioning
> authority, I might be afraid he had somehow "missed the memo".  I think the
> tone has become a bit accusatory on both sides and we should de-escalate.
> I agree that we must be exceedingly careful about putting words in each
> others' mouths.  However, questioning the efficacy of oversight of police
> data protection compliance is fair game in my view and in the view of most
> privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.).  Diana
> Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29
> Working Party) and now of Eurojust speaks regularly on some of these issues
> at the data protection commissioners' annual conference and at CPDP and
> there can be heated debate.  Oversight of law enforcement, particularly
> cross border law enforcement, is difficult just as the actual law
> enforcement is difficult.  There are many reasons for this:
>
>    - law enforcement authorities have (legitimate) exemptions under data
>    protection law for collection, use and disclosure, making it easy to
>    accidentally abuse that discretion
>    - Data protection authorities frequently choose to direct enforcement
>    actions in other areas, given the constant shortage of resources and the
>    publicity (reaching political uproar at times)  that can come with
>    enforcement against police
>    - governments often take a dim view of data protection commissioners
>    who go after the police (I can cite examples if you wish, but I realize
>    no one wants to read an article on the difficulties of DP oversight of law
>    enforcement)
>
> Some of the European DP authorities testified in the 2014 inquiry into NSA
> surveillance... I realize this is about intelligence, but certainly Europol
> and cybercrime were mentioned.
> http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A7-2014-0139+0+DOC+PDF+V0//EN
> Given the global nature of law enforcement in our subject area, and the
> perceived failure of certain instruments such as the Cybercrime treaty, and
> the general shock and outrage expressed during the inquiry I just cited,
> particularly over cross border data sharing, I think it is reasonable to
> question assertions of compliance with data protection law. You will find
> the list of witnesses in the appendix.  Jacob Kohnstamm was one of them, as
> was Peter Hustinx, and let me finally remind you of my favorite quote from
> Kohnstamm's 2012 letter to Crocker:
>
> “The Working Party strongly objects to the introduction of data retention
> by means of a contract issued by a private corporation in order to
> facilitate (public) law enforcement.  If there is a pressing social need
> for specific collections of personal data to be available for law
> enforcement, and the proposed data retention is proportionate to the
> legitimate aim pursued, it is up to national governments to introduce
> legislation that meets the demands of article 8 of the European Convention
> on Human Rights and article 17 of the International Covenant on civil and
> Political rights”.  (Kohnstamm to Crocker and Atallah, 26 September 2012).
>
> The bottom line here is that civil society correctly has questions about
> the efficacy of oversight.  Please don't take it personally, it is not
> meant that way.  It is our job to question. I would agree that Europol has
> an excellent oversight regime, in comparative terms, (I wish we had it in
> North America) but that does not mean it works all the time. While we are
> not here to criticize particular countries or regions, please admit the
> idea of criticism in general. It is important.
>
> Stephanie Perrin
>
> On 2016-08-18 18:55, Gomes, Chuck wrote:
>
> Ayden,
>
>
>
> I appreciate your frequent contributions because you share some important
> concerns.  But I want to communicate some concerns I have about how you are
> doing that.  Please see my comments below.
>
>
>
> Chuck
>
>
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-
> bounces at icann.org <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Ayden
> Férdeline
> *Sent:* Thursday, August 18, 2016 4:48 PM
> *To:* Mounier, Grégory
> *Cc:* RDS PDP WG
> *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental,
> Incidental, and Theoretical
>
>
>
> Hi Greg,
>
>
>
> I don’t mean to sound provocative, however I would like to make sure I am
> interpreting your comments correctly. Please see inline below.
>
>
>
> Thanks,
>
>
>
> Ayden
>
>
>
> -------- Original Message --------
>
> Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
>
> Local Time: August 18, 2016 7:00 PM
>
> UTC Time: August 18, 2016 6:00 PM
>
> From: gregory.mounier at europol.europa.eu
>
> To: gregshatanipc at gmail.com
>
> icann at ferdeline.com,gnso-rds-pdp-wg at icann.org
>
>
>
>
>
> Yes Greg: unlike what Ayden seems to imply:
>
> ·         Europol is not advocating that personal information be
> processed in a manner inconsistent with European law;
>
> I am pleased to hear this. However, it is the opinion
> <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2014/14-04-17_EDPS_letter_to_ICANN_EN.pdf>
> of the European Commission’s own Data Protection Supervisor that the data
> retention requirements contained within the 2013 RAA and the Draft
> Specification “continue to fall short of compliance with European data
> protection law.” You have built a use case around how the WHOIS protocol
> operates today, which itself contains data sourced from registrars through
> practices which are inconsistent with the privacy laws of many (all?) EU
> Member States.
>
> *[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with
> European law; he only said Europol is.*
>
> ·         Europol access and processing of WHOIS information is in line
> with European Data protection rules;
>
> I am glad that this is the case. Could you please expand upon how, under
> what circumstances, and how frequently Europol currently retrieves WHOIS
> records?
>
> *[Chuck Gomes] This is a terribly broad request and one that I suspect may
> be very difficult to respond to.  Europol is not the topic of discussion.
> Insight they can provide will be helpful when we deliberate, just like your
> insights.  In all cases we will do our best to validate information we use.*
>
> ·         Europol does not “trawl” the WHOIS;
>
> Are you saying, then, that you do not find the WHOIS protocol useful in
> solving crime? If you are not collecting its records in bulk, I would
> suggest that we revise your use case of 25 July to reflect this reality.
>
> *[Chuck Gomes] He did not say that.  I encourage you to avoid adding to
> what he said.*
>
>
>
> We should remove the reference to “Python DNS scripts or domain tool API”
> being utilised to identify connections between DNS information and
> potentially troublesome websites, and replace it with something which
> respects the right to, say, due process.
>
> *[Chuck Gomes] Please remember that our objective is not to create perfect
> use cases.*
>
>
>
> After all, illegal content like child abuse material (which you flagged in
> your use case) is just that – illegal. Illegal material should be dealt
> with in a legal manner. You should not be advocating for the circumvention
> of the rule of law; to do so is a direct violation of the human rights
> standards that Europol has committed itself to upholding.
>
> *[Chuck Gomes] Who is advocating for the “*the circumvention of the rule
> of law*”?  I think that the implication you make here is inappropriate.*
>
> ·         Europol is indeed subject to one of the most stringent data
> protection frameworks in the LEA world.
>
> Whether that is reality or rhetoric, I do not know. My gut feeling is that
> Europol’s data protection provisions are comprehensive in theory, but
> critically undermined by procedural weakness. One example that comes to
> mind: the Europol Joint Supervisory Body is the independent body which
> supposedly monitors your adherence to data protection rules. However, it
> has no powers of enforcement, it can only “make any complaints it deems
> necessary to the Director” of Europol.
>
> *[Chuck Gomes] I think it best if you avoid criticizing specific
> organizations and stick to issues.*
>
> I’ll stop here because this is only partially relevant to this PDP.
>
> My understanding has been that some politicians in the EU have been
> reluctant to expand Europol’s remit/mandate, given concerns around
> effectiveness and a perceived democratic deficit, so it is fascinating to
> me to see Europol working to expand its powers and data collection
> abilities in working groups such as this one.
>
> *[Chuck Gomes] Once again I think you are concluding more than is
> reasonable and also don’t find your comment here constructive.*
>
> Best
>
> Greg
>
>
>
>
>
> *From:* Greg Shatan [mailto:gregshatanipc at gmail.com
> <gregshatanipc at gmail.com>]
> *Sent:* 18 August 2016 19:49
> *To:* Mounier, Grégory
> *Cc:* Ayden Férdeline; RDS PDP WG
> *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental,
> Incidental, and Theoretical
>
>
>
> Greg,
>
>
>
> For the rest of us who may not be so well informed, is there something
> more we should understand and take into account in considering this
> particular back-and-forth?
>
>
>
> Thanks!
>
>
>
> Greg Shatan
>
>
>
> On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <
> gregory.mounier at europol.europa.eu> wrote:
>
> Dear Ayden,
>
> I objected because some of your statements were misinformed so I thought
> that I should help and clarify. But it seems that you are very well
> informed and that you don’t need further explanations :-)
>
> Best regards,
>
> Greg
>
>
>
> *From:* Ayden Férdeline [mailto:icann at ferdeline.com]
> *Sent:* 18 August 2016 19:27
> *To:* Mounier, Grégory
> *Cc:* Rob Golding; RDS PDP WG
> *Subject:* Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental,
> Incidental, and Theoretical
>
>
>
> Thank you for the response, Greg. I did not mean to suggest that Europol
> was *wholly* exempt from European data protection regulations, because it
> is not. In my original message, I wrote:
>
>
>
> *"...your agency is exempt from some of the general provisions on data
> processing." *
>
>
>
> I have bolded the word ‘some’ on this occasion for emphasis. When I wrote
> that Europol had exemptions from *some* of the general provisions on data
> processing, I was referring to the Europol Council Decision as published in
> the Official Journal of the European Union on 15 May 2009. I am sure you
> are intimately familiar with this document, as you cited it in your email
> to me today as providing the “basis for Europol to establish and maintain
> cooperative relations with Union or Community institutions, bodies, offices
> and agencies; third States and organisations; private parties and private
> persons in so far as it is relevant to the performance of its tasks.”
>
>
>
> Aside from this, this decision contains data processing rules which were,
> to quote you again in your email, "tailor-made" for Europol, and is
> complemented by a set of implementation guidelines which privilege Europol
> with the ability to process personal data “for the purpose of prevention,
> investigation, detection and prosecution of criminal offences or the
> execution of criminal penalties” in a manner that would not be permitted of
> other stakeholders.
>
>
>
> Given this, I'm unsure as to why you found my comments so objectionable,
> but I hope this email has brought about some more clarity. If not, I am
> happy to expand upon my thoughts.
>
>
>
> Thanks,
>
>
>
> Ayden
>
>
>
> -------- Original Message --------
>
> Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental,
> and Theoretical
>
> Local Time: August 18, 2016 5:54 PM
>
> UTC Time: August 18, 2016 4:54 PM
>
> From: gregory.mounier at europol.europa.eu
>
> To: icann at ferdeline.com
>
> rob.golding at astutium.com,gnso-rds-pdp-wg at icann.org
>
>
>
>
>
> Dear Ayden,
>
>
>
> Thank you very much for sharing your concerns and apologies for the late
> response, I was away from the office.
>
>
>
> I am not sure how you got the perception that Europol was “trawling”
> through WHOIS records or that Europol was “exempt from some of the general
> provisions on data processing” or even that our legal framework limited the
> ability of Europol staff to process data from publicly available sources
> related to “terror manuals” or “criminals claiming credit for attacks”.
>
>
>
> In fact, I can assure you that *Europol is not exempted from the general
> provisions on data protection*. European data protection legislation has
> been implemented in the organisation with the aim of creating a legal
> framework which balances the fundamental interests of freedom and security.
> The tailor-made set of rules provides Europol with one of the strongest,
> most robust data protection frameworks in the world of law enforcement.
>
>
>
> As far as data exchange inside the EU is concerned, Art.22-25 of Europol
> Council Decision (ECD) provides a basis for Europol to establish and
> maintain cooperative relations with Union or Community institutions,
> bodies, offices and agencies; third States and organisations; private
> parties and private persons in so far as it is relevant to the performance
> of its tasks.
>
>
>
> Europol exchanges personal data only with third parties which have an
> adequate level of data protection. The prior data protection assessment of
> the third party involves a check on the necessary data protection
> legislation and confidentiality rules in place and in practice. The list of
> the third countries with which Europol has established an operational
> agreement is published on our website.
>
>
>
> In addition, Europol can receive information from private parties such as
> companies, business associations or non-profit organisations. As with any
> transfer of personal data, this process is subject to data protection
> controls.
>
>
>
> Last but not least, in line with the respective provisions of the ECD,
> Europol can also retrieve and process data, including personal data, from
> publicly available sources, such as media and public data and commercial
> intelligence providers, in accordance with the data protection framework.
>
>
>
> I hope that I could clarify some of the issues you raised.
>
>
>
> Kind regards,
>
>
>
> Greg
>
>
>
>
>
>
>
> *From:* Ayden Férdeline [mailto:icann at ferdeline.com <icann at ferdeline.com>]
>
> *Sent:* 08 August 2016 14:11
> *To:* Mounier, Grégory
> *Cc:* Rob Golding; RDS PDP WG
> *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental,
> Incidental, and Theoretical
>
>
>
> Greg,
>
>
>
> I am disappointed that Europol seems to be advocating that personal
> information be processed in a manner inconsistent with European law.
>
>
>
> I fully appreciate that, in order to allow Europol to collect sensitive
> information from the Member States in the pursuit of investigations, your
> agency is exempt from some of the general provisions on data processing.
> You are permitted to directly retrieve and process information obtained
> from publicly-available sources, but the promotional literature on the
> Europol website suggests Europol agents searching for publicly-available
> ‘terror manuals’ or criminals claiming credit for attacks. There is no
> indication that this includes Europol trawling through things like WHOIS
> records to identify the administrator of a website, something far less
> sinister. And if the RDS evolves into something very different from what it
> is today – perhaps not open to any and everyone to query, or federated into
> a single data store – my understanding is that the routing of information
> from a private party to Europol would be subject to European data
> protection controls and safeguards.
>
>
>
> The very specific exemptions that Europol has received in order to carry
> out its work simply do not call for Europol to advocate for a lower
> standard of privacy protection for European residents in privately-owned or
> publicly-accessible sources of information.
>
>
>
> There is no doubt that effective police work requires top intelligence,
> but equally as important is the employment of sound data protection
> safeguards which strike an appropriate balance between the interests of
> freedom and security.
>
>
>
> Just my $0.02.
>
>
>
> - Ayden
>
>
>
>
>
> On Thu, Aug 4, 2016 1:59 PM, wrote:
>
> Dear Rob,
>
>
>
> Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents.
> I feel that I need to step in to provide a different perspective than the
> one you just gave on the law enforcement use of the WHOIS. It might be a
> matter of interpretation but the views expressed by your interlocutors are
> not shared by my colleagues working throughout European police cyber
> divisions.
>
>
>
> If European cyber investigators are obviously all aware of the fact that
> WHOIS registration data can sometimes be inaccurate and not up-to-date
> (ICANN compliance reported that for the first quarter of 2015, WHOIS
> inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start
> their investigations with a WHOIS lookup. This is really the first step.
>
>
>
> Despite the lack of accuracy, WHOIS information is useful in so many
> different ways. One of the first of them is to make correlations and link
> pieces of information obtained through other means than from the WHOIS.
> This was the point I tried to make on Tuesday during the conference call.
>
>
>
> Accurate and reliable WHOIS data helps crime attribution and can save
> precious investigation time (you can rule out wrong investigative leads).
>
> It raises the bar and makes it more difficult for criminals to abuse
> domain names. It pushes them to resort to more complex techniques such as
> ID theft to register domains for malicious purposes.
>
>
>
> In short, for LEA WHOIS is certainly not the silver bullet to attribute
> crime on line but it is an essential tool in the tool box of law
> enforcement.
>
>
>
> Best,
>
>
>
> Greg
>
>
>
>
>
> -----Original Message-----
>
> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-
> bounces at icann.org <gnso-rds-pdp-wg-bounces at icann.org>] On Behalf Of Rob
> Golding
>
> Sent: 04 August 2016 01:46
>
> To: RDS PDP WG
>
> Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and
> Theoretical
>
>
>
> >> Theoretical
>
> >> ===========
>
> >> We have seen a couple of proposed use cases that seem to be ideas
>
> >> that people have for useful or harmful ways that RDS can be used, but
>
> >> that do not exist today (at least not that anyone can fully
>
> >> document).
>
> >>
>
> >> For example, there seems to be a desire to use the RDS as a way to
>
> >> issue warrants for information about registrants. While this may be
>
> >> useful, this is not possible today (even with RDAP, I note).
>
>
>
> It not only is possible today, it's also "common" (although thankfully not
> frequent)
>
>
>
> Registrars get served warrants for details about registrants, and the
> _only_ information from WHOIS that's "needed" or used for such cases is the
> name of the Registrar.
>
>
>
> I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at
> HostingCon last week - asked about WHOIS/domain data he said "we don't use
> it"
>
>
>
> Last year at the UKNOF event in Sheffield I spent quite some time talking
> with some amazing people from the UK CyberCrime departments - asked the
> same questions, they confirmed that although whois _might_ be looked at to
> see if it matches _data they already have_ for confirmation, it's not used
> or relied on.
>
>
>
> Which beggars the question, should "LawEnforcement" use cases even be part
> of the discussions ?
>
>
>
> Rob
>
> --
>
> Rob Golding rob.golding at astutium.com
>
> Astutium Ltd, Number One Poultry, London. EC2R 8JR
>
>
>
> * domains * hosting * vps * servers * cloud * backups *
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> *******************
>
>
>
> DISCLAIMER : This message is sent in confidence and is only intended for
> the named recipient. If you receive this message by mistake, you may not
> use, copy, distribute or forward this message, or any part of its contents
> or rely upon the information contained in it.
>
> Please notify the sender immediately by e-mail and delete the relevant
> e-mails from any computer. This message does not constitute a commitment by
> Europol unless otherwise indicated.
>
>
>
> *******************
>
>
>
>
>
>
>
>
> Ayden Férdeline
>
> Statement of Interest
> <https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI>
>
>
>
>