[gnso-rds-pdp-wg] What we want redux (was Re: ICANN Meetings/Conversations with Data Protection and Privacy Commissioners)

allison nixon elsakoo at gmail.com
Fri Sep 29 14:35:34 UTC 2017


Thank you for your thoughtful reply. We won't all agree on everything but
it is thoughtful arguments made in good faith that drive the group forward.

>>Purpose is critical - which is why this group has to focus on it. As the
legal opinion makes clear, while ‘anti-abuse’ or other issues of the safety
and security of the DNS may not be considered as a primary purpose, the
opinion does suggest that they could be considered as secondary purposes -
and therefore, a legitimate reason/purpose for which information can be
collected.  The test would then be what information is necessary to hold in
order to achieve the purpose(s).

I agree, and I think the issue that many of us are trying to drive home is
that abuse of the domain name system has become such a large problem that
it is threatening the basic functionality of the domain name system. When
domains legitimately purchased from an ICANN-approved registrar are
practically useless because their TLD has such a bad reputation that it is
blocked everywhere, that is a sign of a huge problem. The collapsing
legitimacy of the gTLD system needs to be taken seriously.

So perhaps as a secondary purpose, "anti-abuse" may not be the best way to
phrase it, I think "restoring the trust in the gTLD system" is a better way
to phrase it, since that is the underlying issue here.


>>A word of caution here.  Obtaining consent FOLLOWS collection.  That is,
ONLY data necessary to achieve agreed purposes is collected in the first
place.  Consent is about collection AFTER the determination of what
information is collected.  Again, go back to the opinion on that.

I think it's important to specify some requirements in our final
recommendation about how the user should be asked for consent, and that
they are offered alternatives.


>>I do not, however, agree with your final point.  It does not follow that
a new RDS scheme will ‘create excessive risks’.  If fighting spam,
malware, etc. is accepted as a legitimate purpose (which seems to be the
case) AND individuals/organisations that are involved in dealing with those
issues need access to information that is necessary to address the
misuse/abuse issues, then the miscreants cannot expect protection.

I should clarify that final point. Imagine two potential scenarios, one
where there is a legally agreeable public whois, and another scenario where
the exact same data is hidden behind a gate. We know that registrars are
hacked frequently and are high profile targets for hacking. In the latter
scenario, if all of a company's data is stolen in a hack, that's one more
violation under GDPR. In the former scenario, since the data is public and
the users consented to that in the first place, there is no way the data
could add up to an additional violation under GDPR in such a hack scenario.

That was the point I was trying to make. Collecting a whole lot of WHOIS
data and then putting it behind barriers not only hobbles anti-abuse, but
it increases the risks for the company storing the data because it can be
breached.
On Thu, Sep 28, 2017 at 7:54 PM, Holly Raiche <h.raiche at internode.on.net>
wrote:

> Allison
>
> I agree with Andrew and you - up to a point.
>
> Purpose is critical - which is why this group has to focus on it. As the
> legal opinion makes clear, while ‘anti-abuse’ or other issues of the safety
> and security of the DNS may not be considered as a primary purpose, the
> opinion does suggest that they could be considered as secondary purposes -
> and therefore, a legitimate reason/purpose for which information can be
> collected.  The test would then be what information is necessary to hold in
> order to achieve the purpose(s).
>
> Who can have access to what information is a separate question - we aren’t
> there yet. But it will ask why the individual/organisation needs access to
> what specific information. And - using gated access mechanisms - access to
> such individuals/organisations for agreed purpose(s) would be permitted.
> The opinion’s discussion of access by law enforcement agencies supports
> that.
>
> A word of caution here.  Obtaining consent FOLLOWS collection.  That is,
> ONLY data necessary to achieve agreed purposes is collected in the first
> place.  Consent is about collection AFTER the determination of what
> information is collected.  Again, go back to the opinion on that.
>
> I do not, however, agree with your final point.  It does not follow that a
> new RDS scheme will ‘create excessive risks’.  If fighting spam, malware,
> etc. is accepted as a legitimate purpose (which seems to be the case) AND
> individuals/organisations that are involved in dealing with those issues
> need access to information that is necessary to address the misuse/abuse
> issues, then the miscreants cannot expect protection.
>
> So yes, let’s please focus on purpose - both primary and secondary.
>
> Holly
>
>
>
>
> On 29 Sep 2017, at 8:52 am, allison nixon <elsakoo at gmail.com> wrote:
>
> I agree with Andrew on this one; the discussion lately is putting the cart
> before the horse in many respects. The GNSO and most privacy laws will say
> that data can't be collected for no purpose, and this group has yet to
> seriously put forth purposes. So when we ask "can we legally collect
> data?", and provide no real reasons why, of course the answer is no. And
> when those of us who deal with anti-abuse state our purposes, it only gets
> sucked into the circular arguments, not actually recorded anywhere official
> as a group stance.
>
> But according to GDPR and many other privacy laws, if we have clearly
> stated purposes, AND we have a clearly defined consent process, we actually
> can do all these things and don't have to throw the internet into chaos in
> the name of GDPR. We can even have a public WHOIS just as it is, probably
> with minor tweaks on the consent side.
>
> So reasons why we should collect WHOIS data can start like this:
>
>    - A significant percentage of domains are malicious, and public trust
>    in the entire domain name system is in question. People's increasing
>    reliance on blacklists, whitelists, and filters, is a direct consequence of
>    this lack of safety.
>    - WHOIS is a vital tool for members of the public to ensure safety and
>    interoperability.
>    - The police are unable to deal with the sheer volume of malicious
>    domains, so locking up information behind a slow-and-expensive-to-obtain
>    court order will hobble network operators and network defenders. Criminals
>    will actively exploit this.
>    - Fighting spam, malware, espionage, fraud, and other forms of abuse
>    is a legitimate purpose that WHOIS serves, and restrictions on how WHOIS is
>    displayed or collected cannot hinder any of these purposes.
>    - We should not identify the person serving legitimate anti-abuse
>    purposes before they can access WHOIS data, because in the case of high
>    profile crime and espionage, it will endanger the person's life.
>    - All the currently collected information, even the falsified
>    information, is vitally important for these purposes, and every currently
>    collected field has played a pivotal role in numerous network incidents
>    over the years.
>    - Collecting WHOIS data under a scheme that gives the users an
>    expectation of privacy will create excessive risks as this data is highly
>    likely to be targeted by hackers and stolen. Especially if it contains
>    identities of people investigating espionage. The latter can be a life and
>    death concern.
>    - etc.
>
> Once we have defined purposes, then we should see what the legal opinions
> are about those purposes. Hard evidence can be supplied for each of these
> purposes, likely in excess of what is required.
>
> On Thu, Sep 28, 2017 at 2:16 PM, Andrew Sullivan <ajs at anvilwalrusden.com>
> wrote:
>
>> On Thu, Sep 28, 2017 at 08:06:55PM +0200, theo geurts wrote:
>> > 1 I agree you need to be specific, but also you should ask, would a DPA
>> > accept it? Regardless if that is a DPA in Europe or China or Jamaica.
>> > Setting the baseline to the GDPR would be a mistake, these data
>> > protection laws are always in motion. As such you need to implement data
>> > protection principles when you define purpose. Did we really do that?
>>
>> What I am trying to say is that we ought to work out what we need to
>> solve.  I think we have only half-done that.  I would like for us to
>> complete that, and in particular to look carefully at what data needs
>> to be exposed to whom under what conditions in order to move something
>> ahead.  I believe that it is not helpful for people to bang shoes on
>> the table and say "whois privacy" or "DPA won't accept it".  We ought
>> instead to figure out what our problem is and what we want to do to
>> solve it, and then ask legal permission _after_ that.
>>
>> I think Allison elsewhere just today pointed out that the legal
>> analysis currently focusses too much on direct contractual
>> relationships and misses the voluntary, no-contract nature of Internet
>> operations.  We need to design an answer for that, and then figure out
>> how to make the laws as we understand them to work with that answer.
>>
>> Best regards,
>>
>> A
>>
>> --
>> Andrew Sullivan
>> ajs at anvilwalrusden.com
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
-- 
_________________________________
Note to self: Pillage BEFORE burning.