[gnso-rds-pdp-wg] What we want redux (was Re: ICANN Meetings/Conversations with Data Protection and Privacy Commissioners)

allison nixon elsakoo at gmail.com
Thu Sep 28 22:52:45 UTC 2017


I agree with Andrew on this one, the discussion lately is putting the cart
before the horse in many respects. The GNSO and most privacy laws will say
that data can't be collected for no purpose, and this group has yet to
seriously put forth purposes. So when we ask "can we legally collect
data?", and provide no real reasons why, of course the answer is no. And
when those of us who deal with anti-abuse state our purposes, it only gets
sucked into the circular arguments, not actually recorded anywhere official
as a group stance.

But according to GDPR and many other privacy laws, if we have clearly
stated purposes, AND we have a clearly defined consent process, we actually
can do all these things and don't have to throw the internet into chaos in
the name of GDPR. We can even have a public WHOIS just as it is, probably
with minor tweaks on the consent side.

So reasons why we should collect WHOIS data can start like this:


   - A significant percentage of domains are malicious, and public trust in
   the entire domain name system is in question. People's increasing reliance
   on blacklists, whitelists, and filters, is a direct consequence of this
   lack of safety.
   - WHOIS is a vital tool for members of the public to ensure safety and
   interoperability.
   - The police are unable to deal with the sheer volume of malicious
   domains, so locking up information behind a slow-and-expensive-to-obtain
   court order will hobble network operators and network defenders. Criminals
   will actively exploit this.
   - Fighting spam, malware, espionage, fraud, and other forms of abuse is
   a legitimate purpose that WHOIS serves, and restrictions on how WHOIS is
   displayed or collected cannot hinder any of these purposes.
   - We should not identify the person serving legitimate anti-abuse
   purposes before they can access WHOIS data, because in the case of high
   profile crime and espionage, it will endanger the person's life.
   - All the currently collected information, even the falsified
   information, is vitally important for these purposes, and every currently
   collected field has played a pivotal role in numerous network incidents
   over the years.
   - Collecting WHOIS data under a scheme that gives the users an
   expectation of privacy will create excessive risks as this data is highly
   likely to be targeted by hackers and stolen. Especially if it contains
   identities of people investigating espionage. The latter can be a life and
   death concern.
   - etc

Once we have defined purposes, then we should see what the legal opinions
are about those purposes. Hard evidence can be supplied for each of these
purposes, likely in excess of what is required.







On Thu, Sep 28, 2017 at 2:16 PM, Andrew Sullivan <ajs at anvilwalrusden.com>
wrote:

> On Thu, Sep 28, 2017 at 08:06:55PM +0200, theo geurts wrote:
> > 1 I agree you need to be specific, but also you should ask, would a DPA
> > accept it? Regardless if that is a DPA in Europe or China or Jamaica.
> > Setting the baseline to the GDPR would be a mistake, these data protection
> > laws are always in motion. As such you need to implement data protection
> > principles when you define purpose. Did we really do that?
>
> What I am trying to say is that we ought to work out what we need to
> solve.  I think we have only half-done that.  I would like for us to
> complete that, and in particular to look carefully at what data needs
> to be exposed to whom under what conditions in order to move something
> ahead.  I believe that it is not helpful for people to bang shoes on
> the table and say "whois privacy" or "DPA won't accept it".  We ought
> instead to figure out what our problem is and what we want to do to
> solve it, and then ask legal permission _after_ that.
>
> I think Allison elsewhere just today pointed out that the legal
> analysis currently focusses too much on direct contractual
> relationships and misses the voluntary, no-contract nature of Internet
> operations.  We need to design an answer for that, and then figure out
> how to make the laws as we understand them to work with that answer.
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com



-- 
_________________________________
Note to self: Pillage BEFORE burning.