[gnso-rds-pdp-wg] ICANN Meetings/Conversations with Data Protection and Privacy Commissioners

Dotzero dotzero at gmail.com
Tue Sep 26 19:24:40 UTC 2017


Stephanie,

Thanks for your thoughtful reply. Comments in-line.

On Tue, Sep 26, 2017 at 2:34 PM, Stephanie Perrin <
stephanie.perrin at mail.utoronto.ca> wrote:

> I am going to attempt to answer your question.  Has there been a case
> against ICANN and the WHOIS that has gone to the European Court of
> Justice?  Not that I am aware of, and I have looked.  Have the data
> protection commissioners been warning ICANN that the WHOIS is violating EU
> law?  Most assuredly, since 1998, actually.  Check the Annual report filed
> by Stefano Rodota, then Chairman of the Article 29 Working group, available
> on the EC website.
>
Not having the full history of who said what to whom when, I'm at a
disadvantage. I'll look for the annual report.

> Volker's point is that the fact that there has not been a case yet does
> not mean the Data Commissioners are wrong, it means no one has taken a
> case.  And quite frankly, they (the Article 29 Working Party) knew that
> the Safe Harbor agreement was not "adequate", but they had to accept it.
> (political compromise).  The fact that it took a lawsuit filed by a student
> to get the Safe Harbor agreement thrown out, after the gallons of ink that
> has been spilled in the intervening years (17, if you are counting) only
> amplifies the risk, in my view.  Data commissioners are being challenged as
> never before to enforce the law.
>
From my perspective, both Safe Harbor and Data Shield are somewhat
irrelevant in that organizations are self certifying. I specifically asked
for cases because those tend to be the strongest and clearest precedent.


> As for privacy proxy solving the problem, it does not.  Over collection is
> not solved by providing a proxy in the third party disclosure mechanism.
> It is still over-collection, disproportionate to needs. Data escrow and
> data retention are also not in compliance with the GDPR, and while they are
> somewhat out of scope for this PDP, the fact that the elements cited as
> requisite for WHOIS are also the elements required for data retention and
> disclosure makes the waters rather muddy.  The data commissioners are
> unlikely to worry themselves about the scope of our PDP, they are expecting
> ICANN to come up with a set of requirements (as data controller) that
> complies with law.
>
It's not clear to me whether whois is over collection or not because people
seem to be talking past each other as to the use(s) of whois (primary and
secondary) and the impact on the Internet ecosystem of pruning back to
various degrees or even eliminating whois entirely. Depending on where
people sit and the constituency(s) they assert they are representing, I
hear differing statements as to the purposes and justification for whois.
Where you stand depends on where you sit.

I'm still cogitating on things.


> I hope this helps.
>

It does.

> Stephanie Perrin
>
>
Michael Hammer


> On 2017-09-26 12:13, Dotzero wrote:
>
> You are raising a different discussion/issue Andrew. A discussion of what
> the working group thinks is appropriate is a different discussion vs
> assertions as to the legal requirements from various jurisdictions as to
> what we are obliged to do.
>
> I keep on hearing law invoked and therefore asked what precedent there is
> specific to whois and CBDF. It's a straightforward question and with the
> various privacy and legal experts on the list, one that should be easily
> answered if there are precedents specific to whois out there. Volker threw
> up a laundry list of references that don't really apply to the question I
> asked.
>
> Michael Hammer
>
> On Tue, Sep 26, 2017 at 11:12 AM, Andrew Sullivan <ajs at anvilwalrusden.com>
> wrote:
>
>> On Tue, Sep 26, 2017 at 10:59:15AM -0400, Dotzero wrote:
>> > predecessor regulations have been around for quite some time and if the
>> > whois privacy issues we have been debating are truly a significant problem
>> > to the extent that some represent them to be, I would expect that there
>> > would have been at least some sort of precedents specific to whois.
>>
>> I think that, regardless of any legal cases, the current whois leaks
>> way too much information.  ICANN has an enormous bureaucracy around
>> "whois accuracy" partly (but only partly) because ordinary people
>> don't want to pay extra to keep their home telephone numbers off from
>> being wide open on the Internet, so they lie about it.  There is _no
>> reason_ that we are still using an ancient protocol that was designed
>> for a completely different network environment.
>>
>> The IAB recommends, in RFC 6973, that protocols do something about
>> data minimization (see section 6.1).  The evidence we have is that
>> greater exposure of data provides a vector for attacks we haven't even
>> thought about.  Therefore, we should not expose data to everyone
>> unless we are sure that it is necessary (and some of this data _is_
>> necessary to expose to everyone); and we should be able to track who
>> got the data if we're exposing data that is not published to everyone.
>>
>> I don't think any of this should be news, and I think it is really
>> strange that we seem still to be discussing whether it is something we
>> need to embrace.
>>
>> Best regards,
>>
>> A
>>
>>
>> --
>> Andrew Sullivan
>> ajs at anvilwalrusden.com
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>
>
>
>