[gnso-rds-pdp-wg] Facebook loses Belgian court case over consent and tracking
theo geurts
gtheo at xs4all.nl
Wed Feb 21 13:38:47 UTC 2018
Perhaps this clarifies it more.
https://piwik.pro/blog/what-is-pii-personal-data/
Theo
On 21-2-2018 14:26, Stephanie Perrin wrote:
>
> Sorry not to have answered this last night Steve, I was having the
> usual multi-tasking challenges which overtake the 1 AM calls. There is
> a fundamental problem here in my view, and that is the difference
> between people's understanding of "personally identifying information"
> or PII, and "personal information", which is silent on the matter of
> whether it can be identified. For example, your medical data may have
> all the identifiers removed (name, address, phone number, health
> numbers, etc.) but that does not mean that people could not figure out
> it was you, particularly these days when even DNA data is up on the
> net. We generally continue to call that personal data (people can
> reasonably understand, for instance, that an x-ray of my lungs is
> still my personal information, even if it has been securely
> anonymized). I argue that all data associated with your registration
> including the assigned data is personal data (for the purposes of
> ICANN's treatment of it as a data controller), but that does not mean
> it cannot be processed. It is not usually PII, but that is irrelevant
> for GDPR discussions because that is an expression not used in the
> GDPR, PII that has been popularized by the US, and that in the absence
> of general data protection law. We had a lengthy discussion of this
> about a year ago, and I am sure I was unsuccessful in persuading some
> folks that a name server could be personal data. The name of a city
> is not personally identifiable information, but if it is the one data
> element that distinguishes John Smith of Main street US, among six
> John Smiths on Main Street, then it is personal data.
>
> Given the ubiquity of data and data analytics these days, this is an
> active area of privacy scholarship, with plenty of practical
> implications. We have over many years regularly removed a few data
> elements to mask data sufficiently for public processing purposes;
> increasingly this does not work anymore and the field is changing too
> fast to keep up. This of course does not mean that name servers,
> e.g., should not be published.
>
> Stephanie
>
> On 2018-02-20 23:14, Steve Crocker wrote:
>> Stephanie,
>>
>> Some folks are saying address records, names of name servers and
>> perhaps other records might have personally identifying information.
>> I would not argue these records do not ever have personally
>> identifying information, I do argue it’s immaterial. It’s essential
>> these records are universally accessible and because this is well
>> known, anyone who chooses to publish these records has implicitly
>> granted permission for others to access this information. Policy
>> people, legislators, regulators cannot impose a new requirement on
>> the design and operation of the DNS as if the possibility of
>> mediating access were an available option.
>>
>> Steve
>>
>> Sent from my iPhone
>>
>> On Feb 20, 2018, at 11:02 PM, Stephanie Perrin
>> <stephanie.perrin at mail.utoronto.ca> wrote:
>>
>>> Actually no, Steve, we sorted this out a few months ago....Andrew
>>> Sullivan explained all of this patiently and in great detail, as I
>>> recall. I tried to explain the difference between data elements
>>> constituting PI, because of their association with an individual,
>>> and the requirements to protect. I think I failed dismally in that
>>> effort, because I see we are re-arguing those issues.
>>>
>>> cheers Stephanie
>>>
>>> On 2018-02-20 11:50, Steve Crocker wrote:
>>>> I'm puzzled by the reference to name servers and A records. These
>>>> are necessarily public else the domain name system won't function.
>>>> Is there confusion or misunderstanding about the role of these
>>>> records?
>>>>
>>>> Steve
>>>>
>>>>
>>>> On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo at gmail.com> wrote:
>>>>
>>>> 1,000,000% agreed. Registrars cannot eliminate all their risk
>>>> by masking WHOIS into oblivion. The DPAs can still ask why they
>>>> are exposing A records, nameservers, etc, to anyone who asks
>>>> for them, without valid reasons or authentication. Why do they
>>>> expose zone files, etc. The DPAs can ask why customer support
>>>> can sometimes so easily be social engineered into handing over
>>>> accounts to account takeover scammers.
>>>>
>>>> Since most registrars are also hosting providers/mail
>>>> providers, would criminals storing stolen PII on your servers
>>>> be a GDPR issue? After all, the ultimate owner of the server is
>>>> also considered a "processor", which has interesting
>>>> implications if one's customers include phishers, or sell
>>>> stolen credit cards, and one's already been notified. I have
>>>> even seen miscreants putting doxes in TXT records.
>>>>
>>>> I already know of quite a few incidents where people would have
>>>> had standing to file a GDPR complaint against
>>>> registrars/hosters, unrelated to WHOIS.
>>>>
>>>> Eventually the issue is going to impact the core business model
>>>> of registrars. This isn't going to stop at WHOIS. An open
>>>> dialog with the DPAs at an early stage is of utmost importance
>>>> for all parties involved here.
>>>>
>>>>
>>>> On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco
>>>> <sam at lanfranco.net> wrote:
>>>>
>>>> Benny,
>>>>
>>>> This is why I support multi-venue multi-stakeholder dialogue
>>>> with the DPAs so that they are apprised of the issues on
>>>> all sides of the data protection issue. They are then more
>>>> likely to act in a judicious manner, and less like an
>>>> attack dog. Watch the new movie "*/The Post/*" where when
>>>> /Washington Post/ owner Katharine Graham decided to publish
>>>> the Vietnam War Pentagon Papers, with the downside risk
>>>> that she could be jailed for treason. The court ruled in
>>>> favor of freedom of the press. It is not what the DPA can
>>>> do, but what they are likely to do, and dialogue goes a
>>>> long way to mitigating risk and shaping appropriate
>>>> positions and behavior (with integrity) on all sides.
>>>>
>>>> Sam L.
>>>>
>>>>
>>>> On 2/19/2018 10:02 AM, benny at nordreg.se wrote:
>>>>> <ironi on> Now I am relieved, we as registrars will not be
>>>>> subject for anything… </ironi off>
>>>>>
>>>>> None of us know where and what they will
>>>>> prioritise, */remember that it only takes 1 complaint to a
>>>>> DPA to get the snowball moving./* [emphasis added] I am
>>>>> sure your statement has no value then.
>>>>>
>>>>> --
>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>>
>>>>> Benny Samuelsen
>>>>> Registry Manager - Domainexpert
>>>>>
>>>>> Nordreg AB - ICANN accredited registrar
>>>>> IANA-ID: 638
>>>>> Phone: +46.42197000
>>>>> Direct: +47.32260201
>>>>> Mobile: +47.40410200
>>>>>
>>>>>> On 19 Feb 2018, at 15:29, Sam Lanfranco
>>>>>> <sam at lanfranco.net> wrote:
>>>>>>
>>>>>> Hi Tim,
>>>>>>
>>>>>> No, completely to the contrary. My point with that
>>>>>> dollars reference was that in some cases litigation is
>>>>>> the preferred business response, rather than compliance
>>>>>> and paying fines. Also, the big revenues in mining big
>>>>>> data are outside the DNS sphere, and outside the abuses
>>>>>> and "bad things" that websites do to people. The big EU
>>>>>> fines are more likely to hit social media than
>>>>>> Registrars, although there are risks there as well. The
>>>>>> revenues, and privacy violations, will come from
>>>>>> profiling users by mining big data for scraps of personal
>>>>>> data to individualize target marketing.
>>>>>>
>>>>>> */As a brief aside:/* This goes well beyond the remit of
>>>>>> ICANN and is actually worse than just being inundated by
>>>>>> adverts based on personal online behavior. Artificial
>>>>>> Intelligence mining apps are increasingly customizing the
>>>>>> "news" one gets from news feeds, to help "glue the
>>>>>> eyeballs" to the adverts, creating a news silo of one.
>>>>>> (That is amusing for me since I virtually live in two
>>>>>> towns in two countries). Even more worrisome is the
>>>>>> growing practice for A.I. companies where A.I. "writes"
>>>>>> the news releases, now mainly in sports and finance, for
>>>>>> thousands of print and online news outlets. I know all of
>>>>>> this is outside the ICANN remit so I will stop there.
>>>>>>
>>>>>> Sam L.
>>>>>>
>>>>>>
>>>>>> On 2/18/2018 5:43 PM, Chen, Tim wrote:
>>>>>>> Hi Sam,
>>>>>>>
>>>>>>> When you say these are hundred million dollar issues for
>>>>>>> "the companies", which companies are you talking about?
>>>>>>> Large Registrars?
>>>>>>>
>>>>>>> I hope you are not comparing cybersecurity professionals
>>>>>>> and the good work they are trying to enable, to a
>>>>>>> completely separate privacy issue around data used for
>>>>>>> ad tracking or behavior tracking across websites. If I
>>>>>>> spent my days trying to protect people on the internet
>>>>>>> from bad things, I would certainly not appreciate any
>>>>>>> allusion that I was engaged on the whois data issue 'for
>>>>>>> the money'.
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> gnso-rds-pdp-wg mailing list
>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>
>>>>
>>>> --
>>>> ------------------------------------------------
>>>> "It is a disgrace to be rich and honoured
>>>> in an unjust state" -Confucius
>>>> 邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
>>>> ------------------------------------------------
>>>> Visiting Prof, Xi'an Jiaotong-Liverpool Univ, Suzhou, China
>>>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
>>>> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
>>>> email: sam at lanfranco.net Skype: slanfranco
>>>> blog: https://samlanfranco.blogspot.com
>>>> Phone: +1 613-476-0429 cell: +1 416-816-2852
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> _________________________________
>>>> Note to self: Pillage BEFORE burning.
>>>>
>>>>
>>>>
>>>>
>
>