[gnso-rds-pdp-wg] ICANN Meetings/Conversations with Data Protection and Privacy Commissioners

Tue Sep 26 15:25:07 UTC 2017

I dont know if there have been regulatory rulings about WHOIS but
Companieshouse in the UK might be something comparable. Here's an example
company listing (I searched "lloyds bank"):

https://beta.companieshouse.gov.uk/company/00002065
https://beta.companieshouse.gov.uk/company/00002065/officers

So you have a physical address, a list of people's names, their physical
addresses, and their entire filing history. Is this "leaked" data as well?
Or is this information necessary to comply with the regulations of that
country? Is Companieshouse going to shut down to comply with GDPR?

Is data really "leaked" when everyone knew it was going to be public in the
first place? Does the definition of "leak" now mean every instance of
publicly released data?

Do these privacy laws outlaw the release of public data, and do they have
no allowance for the concept of publicly releasing data, when the user is
informed prior to them giving the data?

On Tue, Sep 26, 2017 at 11:12 AM, Andrew Sullivan <ajs at anvilwalrusden.com>
wrote:

> On Tue, Sep 26, 2017 at 10:59:15AM -0400, Dotzero wrote:
> > predecessor regulations have been around for quite some time and if the
> > whois privacy issues we have been debating are truly a significant
> problem
> > to the extent that some represent them to be, I would expect that there
> > would have been at least some sort of precedents specific to whois.
>
> I think that, regardless of any legal cases, the current whois leaks
> way too much information.  ICANN has an enormous bureaucracy around
> "whois accuracy" partly (but only partly) because ordinary people
> don't want to pay extra to keep their home telephone numbers off from
> being wide open on the Internet, so they lie about it.  There is _no
> reason_ that we are still using an ancient protocol that was designed
> for a completely different network environment.
>
> The IAB recommends, in RFC 6973, that protocols do something about
> data minimization (see section 6.1).  The evidence we have is that
> greater exposure of data provides a vector for attacks we haven't even
> thought about.  Therefore, we should not expose data to everyone
> unless we are sure that it is necessary (and some of this data _is_
> necessary to expose to everyone); and we should be able to track who
> got the data if we're exposing data that is not published to everyone.
>
> I don't think any of this should be news, and I think it is really
> strange that we seem still to be discussing whether it is something we
> need to embrace.
>
> Best regards,
>
> A
>
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>

-- 
_________________________________
Note to self: Pillage BEFORE burning.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170926/29e2db1b/attachment.html>