<div class="protonmail_signature_block"><div>Hi Greg, <br></div><div><br></div><div>I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below. <br></div><div><br></div><div>Thanks, <br></div><div><br></div><div>Ayden<br></div><div><br></div></div><blockquote class="protonmail_quote" type="cite"><div>-------- Original Message --------<br></div><div>Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical<br></div><div>Local Time: August 18, 2016 7:00 PM<br></div><div>UTC Time: August 18, 2016 6:00 PM<br></div><div>From: gregory.mounier@europol.europa.eu<br></div><div>To: gregshatanipc@gmail.com<br></div><div>icann@ferdeline.com,gnso-rds-pdp-wg@icann.org<br></div><div><br></div><div>
<br></div><div class="WordSection1"><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Yes Greg:
</span></span></span><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font">unlike what Ayden seems to imply:
</span></span><br></p><p style="text-indent:-18.0pt;mso-list:l0 level1 lfo2" class="MsoListParagraph"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Symbol" class="font"><span style="mso-list:Ignore">·<span style="font-family:"Times New Roman"" class="font"><span style="font-size:7pt" class="size">
</span></span></span></span></span><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font">Europol is not advocating that personal information be processed in a manner inconsistent with European law;</span></span><br></p></div></blockquote><div>I am pleased to hear this. However, it the <a href="https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2014/14-04-17_EDPS_letter_to_ICANN_EN.pdf" rel="nofollow" title="https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2014/14-04-17_EDPS_letter_to_ICANN_EN.pdf">opinion</a> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained with the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.<br></div><blockquote class="protonmail_quote" type="cite"><div class="WordSection1"><p style="text-indent:-18.0pt;mso-list:l0 level1 lfo2" class="MsoListParagraph"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Symbol" class="font"><span style="font-size:11pt" class="size"><span style="mso-list:Ignore">·<span style="font-family:"Times New Roman"" class="font"><span style="font-size:7pt" class="size">
</span></span></span></span></span></span><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Europol access and processing of WHOIS information is in line with European Data protection rules;</span></span></span><br></p></div></blockquote><div>I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?<br></div><blockquote class="protonmail_quote" type="cite"><div class="WordSection1"><p style="text-indent:-18.0pt;mso-list:l0 level1 lfo2" class="MsoListParagraph"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Symbol" class="font"><span style="font-size:11pt" class="size"><span style="mso-list:Ignore">·<span style="font-family:"Times New Roman"" class="font"><span style="font-size:7pt" class="size">
</span></span></span></span></span></span><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Europol does not “trawl” the WHOIS;</span></span></span><br></p></div></blockquote><div>Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality. <br></div><div><br></div><div>We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process. <br></div><div><br></div><div>After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.<br></div><blockquote class="protonmail_quote" type="cite"><div class="WordSection1"><p style="text-indent:-18.0pt;mso-list:l0 level1 lfo2" class="MsoListParagraph"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Symbol" class="font"><span style="font-size:11pt" class="size"><span style="mso-list:Ignore">·<span style="font-family:"Times New Roman"" class="font"><span style="font-size:7pt" class="size">
</span></span></span></span></span></span><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Europol is indeed subject to one of the most stringent data protection framework in the LEA world.
</span></span></span><br></p></div></blockquote><div>Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol.<br></div><blockquote class="protonmail_quote" type="cite"><div class="WordSection1"><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">I’ll stop here because this is only partially relevant to this PDP.</span></span></span><br></p></div></blockquote><div>My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.<br></div><blockquote class="protonmail_quote" type="cite"><div class="WordSection1"><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Best</span></span></span><br></p><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Greg</span></span></span><br></p><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p class="MsoNormal"><b><span style="font-family:Tahoma, sans-serif" class="font"><span style="font-size:10pt" class="size">From:</span></span></b><span style="font-family:Tahoma, sans-serif" class="font"><span style="font-size:10pt" class="size"> Greg Shatan [mailto:gregshatanipc@gmail.com]
<br>
<b>Sent:</b> 18 August 2016 19:49<br>
<b>To:</b> Mounier, Grégory<br>
<b>Cc:</b> Ayden Férdeline; RDS PDP WG<br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical</span></span></p><p class="MsoNormal"> <br></p><div><div><p class="MsoNormal"><span style="font-family:Verdana, sans-serif" class="font">Greg,</span><br></p></div><div><p class="MsoNormal"><span style="font-family:Verdana, sans-serif" class="font"> </span><br></p></div><div><p class="MsoNormal"><span style="font-family:Verdana, sans-serif" class="font">For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?</span><br></p></div><div><p class="MsoNormal"><span style="font-family:Verdana, sans-serif" class="font"> </span><br></p></div><div><p class="MsoNormal"><span style="font-family:Verdana, sans-serif" class="font">Thanks!</span><br></p></div><div><p class="MsoNormal"><span style="font-family:Verdana, sans-serif" class="font"> </span><br></p></div><div><p class="MsoNormal"><span style="font-family:Verdana, sans-serif" class="font">Greg Shatan</span><br></p></div></div><div><p class="MsoNormal"> <br></p><div><p class="MsoNormal">On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <<a href="mailto:gregory.mounier@europol.europa.eu">gregory.mounier@europol.europa.eu</a>> wrote:<br></p><div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Dear Ayden,
</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">I objected because some of your statements were misinformed so I thought that I should help and clarify.
But it seems that you are very well informed and that you don’t need further explanations
</span></span></span><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Wingdings" class="font"><span style="font-size:11pt" class="size">J</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Best regards,
</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Greg</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><b><span style="font-family:Tahoma, sans-serif" class="font"><span style="font-size:10pt" class="size">From:</span></span></b><span style="font-family:Tahoma, sans-serif" class="font"><span style="font-size:10pt" class="size"> Ayden
Férdeline [mailto:<a href="mailto:icann@ferdeline.com">icann@ferdeline.com</a>]
<br>
<b>Sent:</b> 18 August 2016 19:27<br>
<b>To:</b> Mounier, Grégory<br>
<b>Cc:</b> Rob Golding; RDS PDP WG<br>
<b>Subject:</b> Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical</span></span></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Thank you for the response, Greg. I did not mean to suggest that Europol was
<b>wholly</b>exempt from European data protection regulations, because it is not. In my original message, I wrote:
<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><i>"...your agency is exempt from
<b>some</b> of the general provisions on data processing." </i><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from
<b>some</b>of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in
your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as
it is relevant to the performance of its tasks.” <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation
guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other
stakeholders.<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Thanks,<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Ayden
<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">-------- Original Message --------<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Local Time: August 18, 2016 5:54 PM<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">UTC Time: August 18, 2016 4:54 PM<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">From:
<a href="mailto:gregory.mounier@europol.europa.eu">gregory.mounier@europol.europa.eu</a><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">To:
<a href="mailto:icann@ferdeline.com">icann@ferdeline.com</a><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><a href="mailto:rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org">rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org</a><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Dear Ayden,
</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Thank you very much for sharing your concerns and apologies for the late response, I was away from
the office.</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or
even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">In fact, I can assure you that
<u>Europol is not exempted from the general provisions on data protection</u>. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security.
The tailor-made set of rules provides Europol with one of the strongest, most robust data protection framework in the world of law enforcement.</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">As far as data exchange inside the EU is concerned, Art.22-25 of Europol Council Decision (ECD) provides a basis for Europol to establish and maintain cooperative relations with
Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check
on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.
</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this
process is subject to data protection controls. </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such
as media and public data and commercial intelligence providers, in accordance with the data protection framework.</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">I hope that I could clarify some of the issues you raised.
</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Kind regards,
</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:justify" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size">Greg</span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="color:rgb(31, 73, 125)" class="colour"><span style="font-family:Calibri, sans-serif" class="font"><span style="font-size:11pt" class="size"> </span></span></span><br></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><b><span style="font-family:Tahoma, sans-serif" class="font"><span style="font-size:10pt" class="size">From:</span></span></b><span style="font-family:Tahoma, sans-serif" class="font"><span style="font-size:10pt" class="size"> Ayden Férdeline [<a href="mailto:icann@ferdeline.com">mailto:icann@ferdeline.com</a>]
<br>
<b>Sent:</b> 08 August 2016 14:11<br>
<b>To:</b> Mounier, Grégory<br>
<b>Cc:</b> Rob Golding; RDS PDP WG<br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical</span></span></p></div></div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p><table style="width:100.0%" width="100%" cellpadding="0" cellspacing="0" border="0" class="MsoNormalTable"><tbody><tr><td style="padding:0cm 0cm 0cm 0cm" valign="top"><table cellpadding="0" cellspacing="0" border="0" class="MsoNormalTable"><tbody><tr><td style="padding:0cm 0cm 0cm 0cm" valign="top"><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font">Greg,</span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font"> </span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font">I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European
law.</span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font"> </span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font">I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations,
your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents
searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister.
And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be
subject to European data protection controls and safeguards.</span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font"> </span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font">The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate
for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.</span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font"> </span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font">There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data
protection safeguards which strike an appropriate balance between the interests of freedom and security.</span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font"> </span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font">Just my $0.02.</span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font"> </span><br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><span style="font-family:Calibri, sans-serif" class="font">- Ayden</span><br></p></div><p class="MsoNormal"><img align="left" src="https://app.mixmax.com/api/track/v2/PsCAAXCzeb1f72NwN/i02bj5SZulGblRmclZGQu5WYjlmI/ISdl5SYw9mc1VmLs9GcvJXdlBkcllmb19WbukncvdWZydmI/gI5J3bnl6wydEIsIXZp5Wdv1kI?sc=false"><br></p></td></tr></tbody></table></td></tr></tbody></table><div><div><p> <br></p><div><p> <br></p><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">On Thu, Aug 4, 2016 1:59 PM, wrote:<br></p><p>Dear Rob, <br></p><p> <br></p><p>Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the
views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
<br></p><p> <br></p><p>If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometime be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints),
in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
<br></p><p> <br></p><p>Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday
during the conference call. <br></p><p> <br></p><p>Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).
<br></p><p>It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.<br></p><p> <br></p><p>In short, for LEA WHOIS is certainly not the silver bullet to attribute crime on line but it is an essential tool in the tool box of law enforcement.<br></p><p> <br></p><p>Best, <br></p><p> <br></p><p>Greg<br></p><p> <br></p><p> <br></p><p>-----Original Message-----<br></p><p>From: <a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.org</a> [<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>] On Behalf Of Rob Golding<br></p><p>Sent: 04 August 2016 01:46<br></p><p>To: RDS PDP WG<br></p><p>Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical<br></p><p> <br></p><p>>> Theoretical<br></p><p>>> ===========<br></p><p>>> We have seen a couple of proposed use cases that seem to be ideas <br></p><p>>> that people have for useful or harmful ways that RDS can be used, but
<br></p><p>>> that do not exist today (at least not that anyone can fully <br></p><p>>> document).<br></p><p>>> <br></p><p>>> For example, there seems to be a desire to use the RDS as a way to <br></p><p>>> issue warrants for information about registrants. While this may be <br></p><p>>> useful, this is not possible today (even with RDAP, I note).<br></p><p> <br></p><p>It not only is possible today, it's also "common" (although thankfully not frequent)<br></p><p> <br></p><p>Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.<br></p><p> <br></p><p>I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we dont use it"<br></p><p> <br></p><p>Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already
have_ for confirmation, it's not used or relied on.<br></p><p> <br></p><p>Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ?<br></p><p> <br></p><p>Rob<br></p><p>--<br></p><p>Rob Golding <a href="mailto:rob.golding@astutium.com">rob.golding@astutium.com</a><br></p><p>Astutium Ltd, Number One Poultry, London. EC2R 8JR<br></p><p> <br></p><p>* domains * hosting * vps * servers * cloud * backups * _______________________________________________<br></p><p>gnso-rds-pdp-wg mailing list<br></p><p><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br></p><p><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br></p><p>*******************<br></p><p> <br></p><p>DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained
in it.<br></p><p>Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.<br></p><p> <br></p><p>*******************<br></p><p> <br></p><p>_______________________________________________<br></p><p>gnso-rds-pdp-wg mailing list<br></p><p><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br></p><p><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br></p><p> <br></p></div></div></div></div><p style="mso-margin-top-alt:auto;margin-bottom:12.0pt" class="MsoNormal"> <br></p><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Ayden Férdeline<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"><a href="https://community.icann.org/display/gnsosoi/Ayden+Férdeline+SOI" rel="noreferrer"><span style="background-color: white" class="highlight"><span style="font-family:Calibri, sans-serif" class="font">Statement of Interest</span></span></a><br></p></div></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">*******************<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward
this message, or any part of its contents or rely upon the information contained in it.<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.<br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal">*******************
<br></p></div></blockquote><div><p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto" class="MsoNormal"> <br></p></div></div><p class="MsoNormal"></p><div>*******************<br></div><div>
<br></div><div>
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained
in it.<br></div><div>
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.<br></div><div>
<br></div><div>
*******************<br></div><p></p></div><p class="MsoNormal"></p><div><br></div><div>_______________________________________________<br></div><div>
gnso-rds-pdp-wg mailing list<br></div><div>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br></div><div>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br></div><p></p></div><p class="MsoNormal"> <br></p></div></div><div>*******************<br></div><div><br></div><div>DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.<br></div><div>Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.<br></div><div><br></div><div>*******************
<br></div></blockquote><div><br></div>