[gnso-rds-pdp-wg] CIRCL - Luxembourg CERT Statement on WHOIS

John Bambenek jcb at bambenekconsulting.com
Sat Apr 14 00:15:06 UTC 2018


I can invite one of them to the list to have a further in-depth discussion if you’d like. I need not middleman it.

--
John Bambenek

> On Apr 13, 2018, at 18:28, farzaneh badii <farzaneh.badii at gmail.com> wrote:
> 
> Dear John
> 
> 
> What you have shared is interesting and is a legitimate source. But it is very brief. I read the recital 49 of GDPR and I have another interpretation of this recital. This is why I believe we need a neutral independent GDPR legal team to tell us.
> 
> Let's look at the text: "The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned."
> 
> I am not clear whether this recital is actually talking about the public availability of data. It is talking about the processing of data. But I am no GDPR expert. In our discussions, we talk about publicly available personal data and that is what I personally believe should be restricted. Of course, with an accreditation system we might be able to resolve the access issue for legitimate purposes according to ICANN mission and GDPR. 
> 
> I personally don't think the responses given in the link you shared with us are sufficient. But I understand the concern. I and I believe many in this group don't think that security researchers and private actors who use WHOIS to ensure cybersecurity are human rights violators. I just wish they could find better ways other than using personal information to carry out their important task. It's been a long time! Let's get creative... let's have a better more exciting model ...
> 
> I also think we should not undermine the expertise and experiences of those who do not agree with us. Not getting involved with operational matters does not really reduce the credibility and expertise of advocates. As to whether security researchers protect human rights .... it is the end of my day ... I need to pick up a glass of wine and not think about ICANN. 
> 
> Have a nice weekend. 
> 
> Farzaneh
> 
>> On Fri, Apr 13, 2018 at 6:38 PM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>> Why not? It's not the most illegitimate reason someone here has dismissed the expertise of ACTUAL security and privacy professionals.
>> 
>> --
>> John Bambenek
>> 
>>> On Apr 13, 2018, at 17:34, Greg Shatan <gregshatanipc at gmail.com> wrote:
>>> 
>>> But John, they referred to a Recital when they meant to refer to an Article.  Isn’t that sufficient grounds to dismiss their concerns entirely?
>>> 
>>>> On Fri, Apr 13, 2018 at 6:25 PM John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>>>> CIRCL as well as the many security and anti-abuse professionals on this list are individuals charged with ACTUALLY protecting human rights on the Internet. 
>>>> 
>>>> The fact that our expertise in this very area is routinely discarded if not mocked is a large source of the consternation that continues in this group.
>>>> 
>>>> It's bad enough people on this list have taken to implying security professionals are criminals and human rights violators... we’re now going to imply the same of national computer emergency response teams?
>>>> 
>>>> What does this say about the multistakeholder model when we keep returning to this discussion where people are not only ignoring stakeholders, but openly denigrating them?
>>>> 
>>>> J
>>>> 
>>>> --
>>>> John Bambenek
>>>> 
>>>>> On Apr 13, 2018, at 15:20, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>>> 
>>>>> This publication is dependent on, and only cites, the GDPR's recitals. While the recitals may inform the interpretation of the GDPR's articles, they are not legally binding. Only the GDPR's articles are binding instruments. I would also like to note that no human rights impact assessment appears to have been conducted in the preparation of this publication. If one had been, I am confident we would have seen that the protection of the privacy rights of a domain name registrant outweighs the claimed security risks.
>>>>> 
>>>>> Ayden Férdeline 
>>>>> 
>>>>> 
>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>>>> On 12 April 2018 7:47 PM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>>>>>> 
>>>>>> A good read from a European entity on why open and free access to whois data is both essential AND legal under GDPR. And it's coming from a state-sponsored entity.
>>>>>> 
>>>>>> https://www.circl.lu/pub/tr-53/
>>>>>> 
>>>>>> --
>>>>>> John Bambenek
>>>>> 
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> 
> 