[gnso-rds-pdp-wg] CIRCL - Luxembourg CERT Statement on WHOIS

Paul Keating Paul at law.es
Sat Apr 14 14:42:25 UTC 2018


To me this is abundantly clear:

constitutes a legitimate interest of the data controller concerned.


The issue is then one of ensuring that access is limited to those falling
within the description in the Recital AND ensuring that the users are
informed and retain such rights relative to the data as the GDPR would
otherwise require.

Insofar as what data is "strictly necessary and proportionate for the
purposes of ensuring network and information security," that certainly
includes the following:

Name (or other means of permitting attribution and identification)
Email (same)
IP address
Creation date (statistics show that domains are weaponized very shortly
after registration.  However, once the bad actors are aware of this they
will pivot to using stale domains they have long ago registered)
History (this is important so as to track domain abuse both in terms of
hijacking and to verify ownership trails relative to attribution and
identification)

I am sure that we can (and should) ask the security experts to chime in
here as to what data elements are strictly necessary and proportionate for
the purposes of ensuring network and information security.


Paul


On 4/14/18, 8:50 AM, "gnso-rds-pdp-wg on behalf of Tapani Tarvainen"
<gnso-rds-pdp-wg-bounces at icann.org on behalf of
ncsg at tapani.tarvainen.info> wrote:

>On Apr 13 19:28, farzaneh badii (farzaneh.badii at gmail.com) wrote:
>
>> the recital 49 of GDPR
>
>> Lets look at the text:  "The processing of personal data to the extent
>> strictly necessary and proportionate for the purposes of ensuring
>>network
>> and information security, i.e. the ability of a network or an
>>information
>> system to resist, at a given level of confidence, accidental events or
>> unlawful or malicious actions that compromise the availability,
>> authenticity, integrity and confidentiality of stored or transmitted
>> personal data, and the security of the related services offered by, or
>> accessible via, those networks and systems, by public authorities, by
>> computer emergency response teams (CERTs), computer security incident
>> response teams (CSIRTs), by providers of electronic communications
>>networks
>> and services and by providers of security technologies and services,
>> constitutes a legitimate interest of the data controller concerned."
>> 
>> I am not clear whether this recital is actually talking about the public
>> availability of data. It is talking about the processing of data.
>
>Publication is just a special case of processing.
>
>But the requirement "strictly necessary and proportionate" is pretty
>high bar, and I find all but unthinkable that making personal details
>publicly visible to the entire world would pass it.
>
>Arguing that Article 32 justifies it is a bit surprising. At first
>reading I reach exactly opposite conclusion, taking the "risk" there
>to mean risk to personal data, rather than as a general risk that
>would justify less strict treatment of personal data.
>
>-- 
>Tapani Tarvainen
>_______________________________________________
>gnso-rds-pdp-wg mailing list
>gnso-rds-pdp-wg at icann.org
>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

