[gnso-rds-pdp-wg] WSGR Final Memorandum
theo geurts
gtheo at xs4all.nl
Thu Sep 28 18:10:17 UTC 2017
Allison,
Does this problem also exist with TLDs like .EU, .NL, .DE, .FR just to
name a few ccTLDs?
Curious,
Theo
On 28-9-2017 19:42, allison nixon wrote:
> >> So, I can see a day that if privacy advocates and/or EU legislation
> fears prevent such a Best Practice as proper WHOIS records, the
> service providers will simply choose practices, such as 'you cannot
> access our service unless you have public whois information available'.
>
> It's already happening. Try sending an e-mail using a domain behind
> WHOIS privacy. Some anti-spam systems drop it straight in the garbage
> because WHOIS privacy is already a negative reputation point. If WHOIS
> gets shut down, I fully expect groups like Spamhaus, M3AAWG, APWG,
> etc, to publish a set of guidelines that registrants need to abide by
> in order to send mail, or be accessible by people behind corporate
> firewalls that block based on reputation. ICANN must understand that
> they are at risk of losing relevancy if they want to take this
> hardline approach, because if a law breaks the continued functioning
> of a network, the network will route around it.
>
> Look at the "cookies" EU law. Did that actually stop any websites from
> using cookies? No, it just created a popup that no one reads but
> everyone clicks through to visit the website. Because breaking cookies
> breaks websites.
>
>
> >>Some of us have real jobs too..
>
> which is the main reason why I can't spend 8 hours every day watching
> this group, unlike some people here who have been active in this group
> for years now.
>
>
>
> My response to Chuck's email earlier, I bolded the responses and
> tagged the start and end of my replies for clarity:
>
> "independent answers to the same questions we asked the European
> data protection experts earlier in the year"
> [Chuck Gomes] That was a request from WG members who felt that the
> DP experts might be biased. The questions were developed by the
> WG. There were two primary reasons for using the same questions:
> 1) both groups would be responding to the same questions and
> therefore make it easy to compare; 2) the questions were approved
> by the WG.
>
>
> *<allison>I don't think anyone accused the DP experts of being biased.
> The objection was that the questions themselves were biased. The words
> "phishing" and "spam" and "malware" never once appeared in this entire
> document, despite being major core issues. The only abuse issues that
> were focused on were in relation to intellectual property violation
> and harassment of women, both of which are not the major issues most
> of us deal with on a daily basis (not to belittle them but they are
> generally not the reason why we are here today). The word "fraud" was
> mentioned once in a question and then never directly addressed in the
> response.*
> *
> *
> *Additionally, my entire industry was grossly misrepresented in
> question #6. None of us operate with police powers, and none of us
> pretend to have any. When we submit a complaint to a registrar about
> one of their customers breaking the law, the illegality of the act
> provides necessary justification for the registrar to drop the
> customer without a refund. This is not prosecution of a crime, and
> claiming it is such is a lie. Evidence of breaking the law is
> necessary because registrars aren't just going to take down any
> customer we say we don't like. I wholly object to the entire line they
> continued on about cybersecurity companies and "quasi-police powers",
> because the question never differentiated between civil and criminal
> actions and it was therefore misleading. *
> *
> *
> *None of the questions addressed the issues that registrants have
> where their WHOIS and other reputation points affect the de-facto
> functionality of a domain, for example a domain's functionality is
> hampered when it is on blocklists. Or if someone sends a complaint
> against the domain and has no tools to differentiate the registrant
> from the criminal (as registrar accounts are often hacked), then the
> incorrect accusation can also affect the operability of the domain as
> it is mistakenly taken down in confusion. None of the questions ask
> about conflicts between GDPR and basic network-level-functionality of
> domains.*
> *
> *
> *Also, none of the questions ask if a free no-obligation alternative
> (whois privacy protect) enhances the validity of consent given for
> making WHOIS records public. </allison>*
>
> So we weren't allowed to ask questions of these legal experts? You
> know, they can't magically divine all legitimate use cases. The
> session with the EU data protection experts earlier this year is
> the exact same one we objected to because anti abuse use cases got
> exactly zero representation. So why choose that exact set of
> questions again especially since an entire group of people have
> joined the group afterwards (actually, due to this specific problem
> of lack of representation)? And then label it "final", really.
> [Chuck Gomes] We didn’t ask them to consider use cases except as
> they were relevant to the questions we asked; that is our job and
> we prepared a list of those a long time ago. We asked them to
> focus on their understanding of European Data Protection law. Our
> WG has a good mix of people that use RDS data for different uses.
>
> *<allison>And his answers are borderline useless. The scenarios
> presented were extremely poor, and not reflecting today's Internet and
> the problems network operators face. For example, when he writes "This
> means that the term 'vital interest' is to be interpreted as referring
> to an individual’s life, health, safety, or other such interest that
> is essential to their physical wellbeing", he goes on to talk about IP
> violations, the rights of a child, the economic interests of a search
> engine, finally concluding "we believe that the conditions for using
> the 'legitimate interests' legal basis would not be satisfied".*
> *
> *
> *That's a complete misrepresentation of the interests at stake here.
> The issue at hand is not the economic interests of one company nor
> about mere copyright infringement. The WHOIS data resource is used to
> combat all types of fraud, international espionage, rigging of
> elections, and so many hostile attacks. Some of these attacks,
> especially DDOS, frequently threaten basic functionality of the
> Internet. It has an international strategic value and promotes lawful
> behavior far more than it hurts. It's used to create cleaner, safer
> networks. There are countless documented instances where WHOIS played
> a key role and where the replacement system would have allowed the
> malicious behavior to continue. All of these facts have been
> conveniently left out of the question, and since the lawyer can't be
> expected to know all this, he has no choice but to conclude that the
> legitimate interests provided are too weak. </allison>*
>
>
> Haven't gone through it yet, will do so as I get time. Expecting to
> see the same result one can expect when one doesn't represent
> entire groups of constituencies.
> [Chuck Gomes] What do you mean by representing ‘entire groups of
> constituencies’? Do you represent an entire constituency? Are
> you aware of any constituencies who are not represented in the
> WG? If so, please encourage them to participate.
>
>
> *<allison>Dozens of people joined this mailing list after numerous
> events demonstrated that this working group did not consider the
> overall well being of the Internet, and had a completely skewed idea
> of the problems the Internet faces today. People were outraged that
> this group was going in the direction it was going, ignoring how the
> Internet actually works. The fact that these questions were chosen-
> and the fact that the new membership (especially those that joined
> after the questions were initially asked) were not given any
> opportunity to provide input on questions to the lawyer- does not
> reflect well on the leadership of this working group. Even when the
> original questions were created, as far as I can tell, only people
> physically present at that meeting had any chance to provide input.
> For those of us with jobs in operations, being ever-present for this
> working group is impossible, and none of us have the stamina that some
> of the people here have, because we are busy working. *
> *
> *
> *At its most charitable interpretation, the choice of these specific
> questions could be an innocent oversight or miscommunication. At its
> least charitable, it looks like ICANN's money was wasted on a
> procedural trick to keep facts out of the conversation and continue to
> push a narrow agenda.*
> *
> *
> *People from numerous unrelated Internet companies and law firms
> flooded this group earlier this year once sunshine was shed on this
> group's activities. Maybe that's important. Please take it seriously.
> </allison>*
>
>
>
>
>
>
>
> On Wed, Sep 27, 2017 at 6:22 PM, Michael Peddemors
> <michael at linuxmagic.com> wrote:
>
> IMHO, If ICANN cannot figure out how to make a proper functioning
> WHOIS policy, we have to remember that the community at large
> will, and then simply, ICANN will lose relevance on this issue.
>
> No one passed a law that a mail server had to have a functioning
> PTR record, (well yes, some international spam legislations
> clearly spelled out the need for clearly specifying the operator)
> but if you want to send email today, functionally you need a PTR
> record.
>
> Only problem is, that often it is the biggest players that set
> those standards, and it is the role of organizations like ICANN to
> level the field, and make sure that directions aren't dictated by
> the biggest players on the block, and never more so in a world of
> consolidation and cloud providers.
>
> I think it was Yahoo that was one of the first big players to
> simply not accept connections from IP(s) with no PTR, and I know
> we were one of the early adopters to that strategy..
>
> So, I can see a day that if privacy advocates and/or EU
> legislation fears prevent such a Best Practice as proper WHOIS
> records, the service providers will simply choose practices, such
> as 'you cannot access our service unless you have public whois
> information available'.
>
> It would be far better if ICANN can understand the importance of
> that need, and make a statement that everyone can get behind and
> point to, that levels that field, in 'spite' of possible
> contradictory privacy information.
>
> Let's just simply keep these two conversations separate, one
> should NOT affect the other, this isn't a privacy vs information
> publishing standards issue, we can have both.
>
> (And again, I assert that simply 'informed consent' can always
> deal with any situations where they conflict)
>
> -- Michael --
>
> PS, my concern is that this lengthy wrangling prevents real work
> from getting done, and the participants who are integral to this
> conversation will fall by the wayside, and the lobbyists will
> simply wear them down ..
>
> Some of us have real jobs too..
>
>
> On 17-09-27 02:58 PM, John Bambenek via gnso-rds-pdp-wg wrote:
>
> A simple policy proscription would be, for instance, to say
> under US law if you get a domain under the control of a US
> registrar, we need you to consent to full disclosure. Don't
> like it, pick a European ccTLD. I don't advocate that, mind
> you, but that's the kind of policy balkanization could produce.
>
> j
>
>
> On 09/27/2017 04:31 PM, Paul Keating wrote:
>
> I am failing to understand how such a walled-garden
> approach will solve anything.
>
> 1. EU registrars/registries would still have to deal with GDPR.
>
> 2. Registrars are not aided by the distinction since they
> would still end up with EU customers and EU registrant data.
>
> PRK
>
> From: <gnso-rds-pdp-wg-bounces at icann.org> on behalf of
> jonathan matkowsky <jonathan.matkowsky at riskiq.net>
> Date: Wednesday, September 27, 2017 at 11:03 PM
> To: Rubens Kuhl <rubensk at nic.br>
> Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
> Subject: Re: [gnso-rds-pdp-wg] WSGR Final Memorandum
>
> Assuming for argument's sake that's true without taking any
> position as I'm still catching up from a week ago, I'm not sure
> this should be dismissed without consideration as a possibility,
> although obviously not by any stretch of the imagination ideal -->
> non-EU registrars block EU registrants, and registries contract
> with non-EU registrars.
>
> On Tue, Sep 26, 2017 at 8:25 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>
>
> On Sep 26, 2017, at 7:17 PM, John Horton
> <john.horton at legitscript.com> wrote:
>
> Much of this problem goes away if we all agree that EU-based
> registrars should henceforth only be allowed to accept
> registrants in the EU. Aside from the effect on EU
> registrars' revenue, what's the logical argument against that
> from a policy perspective?
>
> After all, isn't the purpose of the GDPR to protect _EU
> residents_?
>
>
> That's correct, but the conclusion is not. Non-EU registrars
> are also subject to GDPR if targeting EU customers, which
> could be as simple as providing services in EU languages and
> accepting registration transactions from the EU.
> So, for the problem to go away non-EU registrars would need to
> block EU registrants, and registries would only be able to
> enter contracts with non-EU registrars.
>
> So EU users would either be happy using numeric IP addresses,
> or develop a naming system of their own. Then we would have
> balkanisation, this time actually including the original balkans.
>
>
> Rubens
>
>
>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> ------------------------------------------------------------------------
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices
> Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 <tel:604-682-0300> Beautiful British Columbia, Canada
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
>