[gnso-rds-pdp-wg] ICANN Meetings/Conversations with Data Protection and Privacy Commissioners
Paul Keating
Paul at law.es
Thu Sep 28 23:32:10 UTC 2017
All,
This came to me as a part of an ongoing investigation directly related to
GDPR.
> The EU Commission issued a Communication which states as follows:
> http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=JOIN:2017:450:FIN&rid=3
>
> More generally, online accountability should be further promoted. This means
> promoting measures to prevent the abuse of domain names for the distribution
> of unsolicited messages or phishing attacks. To this end, the Commission will
> work to improve the functioning of and the availability and accuracy of
> information in the Domain Name and IP WHOIS systems in line with the efforts
> of the Internet Corporation for Assigned Names and Numbers.
>
> While not a legal act per se, this document shows that there are lawmakers in
> the EU who understand the value of DomainTools services.
>
I think this puts an end to this conversation about whether abuse (not
necessarily criminal concerns) is and remains a very important issue in the
EU and this should be considered together with the GDPR.
Paul Keating
From: <gnso-rds-pdp-wg-bounces at icann.org> on behalf of jonathan matkowsky
<jonathan.matkowsky at riskiq.net>
Date: Friday, September 29, 2017 at 1:08 AM
To: John Bambenek <jcb at bambenekconsulting.com>
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] ICANN Meetings/Conversations with Data
Protection and Privacy Commissioners
> The GAC's recommendations in their public comment on the recent statistical
> analysis of DNS abuse study show that when you get down to it, there is
> already understanding by government that we must collect the necessary data
> elements for combatting abuse.
>
> On Thu, Sep 28, 2017 at 3:18 PM, John Bambenek via gnso-rds-pdp-wg
> <gnso-rds-pdp-wg at icann.org> wrote:
>>
>> I want to "me too" this... this is the single biggest cause of the contention
>> in this group. I am being told by people who don't do anti-abuse or
>> investigations what I need to do my job, and when I tell them what I need
>> to do my job, my opinion doesn't matter.
>>
>> **We** are the experts in this field. It'd be nice if, when people are talking
>> about what is needed to fight abuse, we at least considered the opinions of
>> people that **actually fight said abuse**.
>>
>> And we will be taking this message to the DPAs directly so they understand
>> what's at stake.
>>
>> On 09/28/2017 05:10 PM, John Horton wrote:
>>
>>
>>>
>>>
>>> Chuck, let me briefly (I hope briefly) weigh in in response to that.
>>>
>>> My observation is that the group does agree that fighting abuse is a worthy
>>> endeavor -- I suspect you'd get unanimity on that point. My sense is that
>>> where there's disagreement may be on two points:
>>>
>>> 1. Whether anti-abuse types really need a Whois record of the domain name in
>>> question to fight abuse -- the argument has been made that Whois is so often
>>> falsified, or privacy-protected, etc. that Whois isn't really useful to
>>> anti-abuse types, and that there are more useful tools than Whois.
>>> 2. Whether the entire Whois data set (or, say, even 95% of it), and being
>>> able to reverse query against it, is useful to anti-abuse types.
>>>
>>> From my perspective, I do think that there are a few folks in this working
>>> group who, even when I or others have repeatedly insisted that (and provided
>>> examples of how) we genuinely need 1) Whois records on specific merchants or
>>> bad actors, and 2) the entire corpus against which to reverse query,
>>> seem unwilling to take our representations and examples at face value. I
>>> guess I've become a little cynical as to whether, even if that argument is
>>> presented objectively and compellingly, working group members are willing to
>>> be persuaded of it or not.
>>>
>>> John Horton
>>> President and CEO, LegitScript
>>>
>>> On Thu, Sep 28, 2017 at 2:51 PM, Chuck <consult at cgomes.com> wrote:
>>>
>>>> I could be wrong but I think that we need to first convince ourselves as a
>>>> working group that fighting abuse is a critical and essential need and I
>>>> don't think that should be hard to do. A lot of you have made very strong
>>>> arguments in that regard and I believe that we have already agreed that
>>>> fighting abuse is a legitimate purpose for at least some RDS elements.
>>>>
>>>> Note WG agreement #11: "Criminal Investigation & DNS Abuse Mitigation is a
>>>> legitimate purpose for 'Minimum Public Data Set' collection." We obviously
>>>> have to get beyond the MPDS and we will.
>>>>
>>>> It seems to me that the following WG agreement, although not directly
>>>> related to abuse mitigation, sets a basis upon which we can further
>>>> deliberate the abuse mitigation purpose: "17. A purpose of RDS is to
>>>> facilitate dissemination of gTLD registration data of record, such as domain
>>>> names and their domain contacts and name servers, in accordance with
>>>> applicable policy." I admit that there is a lot of work we must do to
>>>> develop requirements and ultimately policies to allow and support the use of
>>>> RDS data for abuse mitigation purposes but we can do that.
>>>>
>>>> I think all of the following recent WG agreements indirectly support further
>>>> deliberation on the abuse mitigation purpose:
>>>> "30. At least one element identifying the domain name registrant (i.e.,
>>>> registered name holder) must be collected and included in the RDS.
>>>> 31. Data enabling at least one way to contact the registrant must be
>>>> collected and included in the RDS.
>>>> 32. At a minimum, one or more email addresses must be collected for every
>>>> domain name included in the RDS, for contact roles that require an email
>>>> address for contactability.
>>>> 33. For resiliency, data enabling alternative or preferred method(s) of
>>>> contact should be included in the RDS; further deliberation to determine
>>>> whether such data element(s) should be optional or mandatory to collect.
>>>> 34. At least one element enabling contact must be based on an open standard
>>>> and not a proprietary communication method.
>>>> 35. To improve contactability with the domain name registrant (or authorized
>>>> agent of the registrant), the RDS must be capable of supporting at least one
>>>> alternative contact method as an optional field.
>>>> 36. Purpose-based contact (PBC) types identified (Admin, Legal, Technical,
>>>> Abuse, Proxy/Privacy, Business) must be supported by the RDS but optional
>>>> for registrants to provide.
>>>> 37. The URL of the Internic Complaint Site must be supported for inclusion
>>>> in the RDS.
>>>> 38. The Registrar Abuse Contact Email Address must be supported for
>>>> inclusion in the RDS, and must be provided by Registrars.
>>>> 39. Reseller Name MUST be supported by the RDS. Note: There may be a chain
>>>> of Resellers identified by Reseller Name.
>>>> 40. Per recently-approved consensus policy on consistent labeling and
>>>> display, BOTH the Registrar Abuse Contact Email and Registrar Abuse Contact
>>>> Phone must be supported for inclusion in the RDS, and MUST be provided by
>>>> Registrars.
>>>> 41. In the interest of maximizing contactability, additional contact methods
>>>> MUST be supported by the RDS as an open-ended list and be optional for
>>>> Registrants to provide. This does not preclude agreements on requirements to
>>>> include other contact methods.
>>>> 42. The RDS must support Registrant Postal Address data elements: Registrant
>>>> Street Address, City, State/Province, and Postal Code.
>>>> 43. The RDS must support Registrant Phone + Registrant Phone Ext (extension)
>>>> data elements." I call this one out in reaction to some discussion on the
>>>> WG list today about identification of the domain name registrant.
>>>> These may not go far enough for some but they provide a start that we can
>>>> build on.
>>>>
>>>> Chuck
>>>>
>>>> -----Original Message-----
>>>> From: gnso-rds-pdp-wg-bounces at icann.org
>>>> [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of theo geurts
>>>> Sent: Thursday, September 28, 2017 11:07 AM
>>>> To: Andrew Sullivan <ajs at anvilwalrusden.com>; gnso-rds-pdp-wg at icann.org
>>>> Subject: Re: [gnso-rds-pdp-wg] ICANN Meetings/Conversations with Data
>>>> Protection and Privacy Commissioners
>>>>
>>>>
>>>> Hello Andrew,
>>>>
>>>> 1 I agree you need to be specific, but also you should ask, would a DPA
>>>> accept it? Regardless of whether that is a DPA in Europe or China or Jamaica.
>>>> Setting the baseline to the GDPR would be a mistake; these data protection
>>>> laws are always in motion. As such you need to implement data protection
>>>> principles when you define purpose. Did we really do that?
>>>>
>>>> 2 I am not sure if there is a misapprehension. I do think we did not go out
>>>> of the box far enough. We somehow keep circling back to the WHOIS, and that
>>>> is somewhat strange given the composition of the WG.
>>>> We did put a ton of work into looking at the current data elements and all
>>>> that, but we never looked into the concept of no WHOIS/RDS and came up with a
>>>> solution for such a scenario.
>>>>
>>>> If we want to convince these policymakers of what we are facing abuse-wise,
>>>> we must do better.
>>>>
>>>> Theo
>>>>
>>>> On 28-9-2017 19:11, Andrew Sullivan wrote:
>>>>> On Thu, Sep 28, 2017 at 06:46:29PM +0200, theo geurts wrote:
>>>>>> I think it is meant that IP addresses will be considered personal
>>>>>> information under the GDPR, that concept might be new to folks in this
>>>>>> WG.
>>>>> I _know_ that. But there are two issues here:
>>>>>
>>>>> 1. It appears entirely clear, both from previous discussions and
>>>>> from the legal analysis that was just delivered, that collection
>>>>> of certain data (and we're still talking about collection,
>>>>> remember) is permitted if you have legitimate purposes.
>>>>> Therefore, we should be paying attention to those purposes, and be
>>>>> specific about it.
>>>>>
>>>>> 2. It is possible that any law, or any interpretation of the law,
>>>>> is being made with a misapprehension of how the Internet actually
>>>>> works. Quite frankly, it is apparent to me that an alarming
>>>>> number of policymakers have a deeply mistaken model for the way
>>>>> the Internet works, mostly aligned with a picture that looks like
>>>>> the way the phone system used to work. But we have to make policy
>>>>> for the actual Internet, rather than for some system that does not
>>>>> actually exist. This is why I sent that note the other day about
>>>>> figuring out what we want and then asking lawyers how that can be
>>>>> made to comport with such legal regimes as we know, rather than
>>>>> doing it the other way.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> A
>>>>>
>>>>
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>