[gnso-rds-pdp-wg] CIRCL - Luxembourg CERT Statement on WHOIS

farzaneh badii farzaneh.badii at gmail.com
Fri Apr 13 23:28:25 UTC 2018


Dear John


What you have shared is interesting and is a legitimate source. But it is
very brief. I read Recital 49 of the GDPR and I have another interpretation
of this recital. This is why I believe we need a neutral independent GDPR
legal team to tell us.

Let's look at the text: "The processing of personal data to the extent
strictly necessary and proportionate for the purposes of ensuring network
and information security, i.e. the ability of a network or an information
system to resist, at a given level of confidence, accidental events or
unlawful or malicious actions that compromise the availability,
authenticity, integrity and confidentiality of stored or transmitted
personal data, and the security of the related services offered by, or
accessible via, those networks and systems, by public authorities, by
computer emergency response teams (CERTs), computer security incident
response teams (CSIRTs), by providers of electronic communications networks
and services and by providers of security technologies and services,
constitutes a legitimate interest of the data controller concerned."

I am not clear whether this recital is actually talking about the public
availability of data. It is talking about the processing of data. But I am
no GDPR expert. In our discussions, we talk about publicly available
personal data and that is what I personally believe should be restricted.
Of course, with an accreditation system we might be able to resolve the
access issue for legitimate purposes according to ICANN mission and GDPR.

I personally don't think the responses given in the link you shared with us
are sufficient. But I understand the concern. I, and I believe many in this
group, don't think that security researchers and private actors who use
WHOIS to ensure cybersecurity are human rights violators. I just wish they
could find better ways other than using personal information to carry out
their important task. It's been a long time! Let's get creative... let's have
a better, more exciting model ...

I also think we should not undermine the expertise and experiences of those
who do not agree with us. Not getting involved with operational matters
does not really reduce the credibility and expertise of advocates. As to
whether security researchers protect human rights .... it is the end of my
day ... I need to pick up a glass of wine and not think about ICANN.

Have a nice weekend.






Farzaneh

On Fri, Apr 13, 2018 at 6:38 PM, John Bambenek via gnso-rds-pdp-wg <
gnso-rds-pdp-wg at icann.org> wrote:

> Why not? It's not the most illegitimate reason someone here has dismissed
> the expertise of ACTUAL security and privacy professionals.
>
> --
> John Bambenek
>
> On Apr 13, 2018, at 17:34, Greg Shatan <gregshatanipc at gmail.com> wrote:
>
> But John, they referred to a Recital when they meant to refer to an
> Article.  Isn’t that sufficient grounds to dismiss their concerns entirely?
>
> On Fri, Apr 13, 2018 at 6:25 PM John Bambenek via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
>
>> CIRCL as well as the many security and anti-abuse professionals on this
>> list are individuals charged with ACTUALLY protecting human rights on the
>> Internet.
>>
>> The fact that our expertise in this very area is routinely discarded if
>> not mocked is a large source of the consternation that continues in this
>> group.
>>
>> It's bad enough people on this list have taken to implying security
>> professionals are criminals and human rights violators... we’re now going
>> to imply the same of national computer emergency response teams?
>>
>> What does this say about the multistakeholder model when we keep
>> returning to this discussion where people are not only ignoring
>> stakeholders, but openly denigrating them?
>>
>> J
>>
>> --
>> John Bambenek
>>
>> On Apr 13, 2018, at 15:20, Ayden Férdeline <icann at ferdeline.com> wrote:
>>
>> This publication is dependent on, and only cites, the GDPR's recitals.
>> While the recitals may inform the interpretation of the GDPR's articles,
>> they are not legally binding. Only the GDPR's articles are binding
>> instruments. I would also like to note that no human rights impact
>> assessment appears to have been conducted in the preparation of this
>> publication. If one had been, I am confident we would have seen that the
>> protection of the privacy rights of a domain name registrant outweighs the
>> claimed security risks.
>>
>> Ayden Férdeline
>>
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On 12 April 2018 7:47 PM, John Bambenek via gnso-rds-pdp-wg <
>> gnso-rds-pdp-wg at icann.org> wrote:
>>
>> A good read from a European entity on why open and free access to whois
>> data is both essential AND legal under GDPR. And it's coming from a state
>> sponsored entity.
>>
>> https://www.circl.lu/pub/tr-53/
>>
>> --
>> John Bambenek
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>