<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><font face="Lucida Grande">I beg your pardon, I
was referring to the discussion between Greg and Ayden, not
Chuck's intervention.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">This is of course a
comment on the comment.....but not on the other comment.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2016-08-19 19:20, Greg Shatan wrote:<br>
</div>
<blockquote
cite="mid:CA+aOHUSWA_KYV0Mh0L0beZHtee-6=3-F3w2OPVegN4e-LR0QsQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif">I did not find Chuck's
comments in any way "accusatory." If anything, I found them
well-considered and admirable in their restraint.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">If anything, Chuck's
intervention may have prevented "accusatory" comments from
making their way to the list. As such, I would suggest that
Chuck's comments were an exercise in "de-escalation."</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">In that vein, I will
refrain from commenting on comments, or commenting on comments
about comments or commenting on comments about comments about
comments, though if I wanted to comment on comments or
comments on comments or comments on comments on comments, I
would have comments to make. But I won't.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">Greg</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Aug 19, 2016 at 7:08 PM,
Stephanie Perrin <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:stephanie.perrin@mail.utoronto.ca"
target="_blank">stephanie.perrin@mail.utoronto.ca</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><font face="Lucida Grande">Gentlemen,
with great respect, I think you are being a bit hard
on Ayden here. If, as our next-gen rep here on the
group, he were not questioning authority, I might be
afraid he had somehow "missed the memo". I think
the tone has become a bit accusatory on both sides
and we should de-escalate. I agree that we must be
exceedingly careful about putting words in each
other's mouths. However, questioning the efficacy of
oversight of police data protection compliance is
fair game in my view and in the view of most privacy
scholars (Korff, Brown, Bennett and Raab, Anderson
etc.). Diana Alonso Blass (who came to ICANN in
2003 or 04 representing the Article 29 Working
Party) and now of Eurojust speaks regularly on some
of these issues at the data protection
commissioners' annual conference and at CPDP and
there can be heated debate. Oversight of law
enforcement, particularly cross border law
enforcement, is difficult just as the actual law
enforcement is difficult. There are many reasons
for this:</font></font></p>
<ul>
<li><font size="+1"><font face="Lucida Grande">law
enforcement authorities have (legitimate)
exemptions under data protection law for
collection, use and disclosure, making it easy to
accidentally abuse that discretion <br>
</font></font></li>
<li><font size="+1"><font face="Lucida Grande">Data
protection authorities frequently choose to direct
enforcement actions in other areas, given the
constant shortage of resources and the publicity
(reaching political uproar at times) that can
come with enforcement against police<br>
</font></font></li>
<li><font size="+1"><font face="Lucida Grande">governments
often take a dim view of data protection
commissioners who go after the police (I can cite
examples if you wish but I realize no one wants to
read an article on the difficulties of dp
oversight of law enforcement)</font></font></li>
</ul>
<p><font size="+1"><font face="Lucida Grande">Some of the
European DP authorities testified in the 2014
inquiry into NSA surveillance....I realize this is
about intelligence, but certainly Europol and
cybercrime were mentioned. <a
moz-do-not-send="true"
href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A7-2014-0139+0+DOC+PDF+V0//EN"
target="_blank">http://www.europarl.europa.eu/<wbr>sides/getDoc.do?pubRef=-//EP//<wbr>NONSGML+REPORT+A7-2014-0139+0+<wbr>DOC+PDF+V0//EN</a>.
Given the global nature of law enforcement in our
subject area, and the perceived failure of certain
instruments such as the Cybercrime treaty, and the
general shock and outrage expressed during the
inquiry I just cited, particularly over cross border
data sharing, I think it is reasonable to question
assertions of compliance with data protection law.
You will find the list of witnesses in the
appendix. Jacob Kohnstamm was one of them, as was
Peter Hustinx, and let me finally remind you of my
favorite quote from Kohnstamm</font> <font
face="Lucida Grande">'s 2012 letter to Crocker: </font></font><br>
</p>
<p> </p>
<p class="MsoNormal"
style="margin-left:36.0pt;line-height:200%"><span
lang="EN-US">“The Working Party strongly objects to
the introduction of data retention by means of a
contract issued by a private corporation in order to
facilitate (public) law enforcement.<span> </span>If
there is a pressing social need for specific
collections of personal data to be available for law
enforcement, and the proposed data retention is
proportionate to the legitimate aim pursued, it is up
to national governments to introduce legislation that
meets the demands of article 8 of the European
Convention on Human Rights and article 17 of the
International Covenant on civil and Political rights”.
<span> </span>(Kohnstamm to Crocker and Atallah, 26
September 2012).</span></p>
<p><font face="Lucida Grande" size="+1">The bottom line
here is that civil society correctly has questions
about the efficacy of oversight. Please don't take
it personally, it is not meant that way. It is our
job to question. I would agree that Europol has an
excellent oversight regime, in comparative terms, (I
wish we had it in North America) but that does not
mean it works all the time. While we are not here to
criticize particular countries or regions, please
admit the idea of criticism in general. It is
important. <br>
<span class="HOEnZb"><font color="#888888"> </font></span></font></p>
<span class="HOEnZb"><font color="#888888">
<p><font face="Lucida Grande" size="+1">Stephanie
Perrin</font><br>
</p>
</font></span>
<div>
<div class="h5"> <br>
<div>On 2016-08-18 18:55, Gomes, Chuck wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ayden,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I
appreciate your frequent contributions because
you share some important concerns. But I want
to communicate some concerns I have about how
you are doing that. Please see my comments
below.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Chuck</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
target="_blank">gnso-rds-pdp-wg-bounces@icann.<wbr>org</a>
[<a moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
target="_blank">mailto:gnso-rds-pdp-wg-<wbr>bounces@icann.org</a>]
<b>On Behalf Of </b>Ayden Férdeline<br>
<b>Sent:</b> Thursday, August 18, 2016 4:48 PM<br>
<b>To:</b> Mounier, Grégory<br>
<b>Cc:</b> RDS PDP WG<br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] @EXT:
RE: Use cases: Fundamental, Incidental, and
Theoretical</span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">Hi Greg, </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I don’t mean to sound
provocative, however I would like to make
sure I am interpreting your comments
correctly. Please see inline below. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks, </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Ayden</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">-------- Original Message
--------</p>
</div>
<div>
<p class="MsoNormal">Subject: @EXT: RE: Use
cases: Fundamental, Incidental, and
Theoretical</p>
</div>
<div>
<p class="MsoNormal">Local Time: August 18,
2016 7:00 PM</p>
</div>
<div>
<p class="MsoNormal">UTC Time: August 18, 2016
6:00 PM</p>
</div>
<div>
<p class="MsoNormal">From: <a
moz-do-not-send="true"
href="mailto:gregory.mounier@europol.europa.eu"
target="_blank">gregory.mounier@europol.<wbr>europa.eu</a></p>
</div>
<div>
<p class="MsoNormal">To: <a
moz-do-not-send="true"
href="mailto:gregshatanipc@gmail.com"
target="_blank">gregshatanipc@gmail.com</a></p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="mailto:icann@ferdeline.com,gnso-rds-pdp-wg@icann.org"
target="_blank">icann@ferdeline.com,gnso-rds-<wbr>pdp-wg@icann.org</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Yes
Greg: </span></span><span><span
style="font-family:"Calibri","sans-serif";color:#1f497d">unlike
what Ayden seems to imply: </span></span></p>
<p><span><span
style="font-family:Symbol;color:#1f497d">·</span></span><span><span
style="font-size:7.0pt;color:#1f497d">
</span></span><span><span
style="font-family:"Calibri","sans-serif";color:#1f497d">Europol
is not advocating that personal
information be processed in a manner
inconsistent with European law;</span></span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal">I am pleased to hear this.
However, it is the <a moz-do-not-send="true"
href="https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2014/14-04-17_EDPS_letter_to_ICANN_EN.pdf"
title="https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2014/14-04-17_EDPS_letter_to_ICANN_EN.pdf"
target="_blank"> opinion</a> of the European
Commission’s own Data Protection Supervisor
that the data retention requirements contained
within the 2013 RAA and the Draft Specification
“continue to fall short of compliance with
European data protection law.” You have built
a use case around how the WHOIS protocol
operates today, which itself contains data
sourced from registrars through practices
which are inconsistent with the privacy laws
of many (all?) EU Member States.</p>
<p class="MsoNormal"><b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[Chuck
Gomes] Greg did not say that the 2013
RAA is compliant with European law; he
only said Europol is.</span></i></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p><span><span
style="font-size:11.0pt;font-family:Symbol;color:#1f497d">·</span></span><span><span
style="font-size:7.0pt;color:#1f497d">
</span></span><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Europol
access and processing of WHOIS
information is in line with European
Data protection rules;</span></span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal">I am glad that this is the
case. Could you please expand upon how, under
what circumstances, and how frequently Europol
currently retrieves WHOIS records?</p>
<p class="MsoNormal"><b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[Chuck
Gomes] This is a terribly broad request
and one that I suspect may be very
difficult to respond to. Europol is not
the topic of discussion. Insight they
can provide will be helpful when we
deliberate just like your insights. In
all cases we will do our best to
validate information we use.</span></i></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p><span><span
style="font-size:11.0pt;font-family:Symbol;color:#1f497d">·</span></span><span><span
style="font-size:7.0pt;color:#1f497d">
</span></span><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Europol
does not “trawl” the WHOIS;</span></span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal">Are you saying, then, that
you do not find the WHOIS protocol useful in
solving crime? If you are not collecting its
records in bulk, I would suggest that we
revise your use case of 25 July to reflect
this reality. </p>
<p class="MsoNormal"><b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[Chuck
Gomes] He did not say that. I encourage
you to avoid adding to what he said.</span></i></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">We should remove the
reference to “Python DNS scripts or domain
tool API” being utilised to identify
connections between DNS information and
potentially troublesome websites, and replace
it with something which respects the right to,
say, due process. </p>
<p class="MsoNormal"><b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[Chuck
Gomes] Please remember that our
objective is not to create perfect use
cases.</span></i></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">After all, illegal content
like child abuse material (which you flagged
in your use case) is just that – illegal.
Illegal material should be dealt with in a
legal manner. You should not be advocating for
the circumvention of the rule of law; to do so
is a direct violation of the human rights
standards that Europol has committed itself to
upholding.</p>
<p class="MsoNormal"><b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[Chuck
Gomes] Who is advocating for “</span></i></b>the
circumvention of the rule of law<b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">”?
I think that the implication you make
here is inappropriate.</span></i></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p><span><span
style="font-size:11.0pt;font-family:Symbol;color:#1f497d">·</span></span><span><span
style="font-size:7.0pt;color:#1f497d">
</span></span><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Europol
is indeed subject to one of the most
stringent data protection frameworks in
the LEA world. </span></span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal">Whether that is reality or
rhetoric, I do not know. My gut feeling is
that Europol’s data protection provisions are
comprehensive in theory, but critically
undermined by procedural weakness. One example
that comes to mind: the Europol Joint
Supervisory Body is the independent body which
supposedly monitors your adherence to data
protection rules. However, it has no powers of
enforcement, it can only “make any complaints
it deems necessary to the Director” of
Europol.</p>
<p class="MsoNormal"><b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[Chuck
Gomes] I think it best if you avoid
criticizing specific organizations and
stick to issues.</span></i></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I’ll
stop here because this is only partially
relevant to this PDP.</span></span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal">My understanding has been
that some politicians in the EU have been
reluctant to expand Europol’s remit/mandate,
given concerns around effectiveness and a
perceived democratic deficit, so it is
fascinating to me to see Europol working to
expand its powers and data collection
abilities in working groups such as this one.</p>
<p class="MsoNormal"><b><i><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[Chuck
Gomes] Once again I think you are
concluding more than is reasonable and
also don’t find your comment here
constructive.</span></i></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Best</span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Greg</span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"><span><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b></span><span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Greg Shatan [<a moz-do-not-send="true"
href="mailto:gregshatanipc@gmail.com"
target="_blank">mailto:gregshatanipc@gmail.<wbr>com</a>]
</span></span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
<span><b>Sent:</b> 18 August 2016 19:49</span><br>
<span><b>To:</b> Mounier, Grégory</span><br>
<span><b>Cc:</b> Ayden Férdeline; RDS PDP
WG</span><br>
<span><b>Subject:</b> Re:
[gnso-rds-pdp-wg] @EXT: RE: Use cases:
Fundamental, Incidental, and Theoretical</span></span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span><span
style="font-family:"Verdana","sans-serif"">Greg,</span></span></p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-family:"Verdana","sans-serif""> </span></span></p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-family:"Verdana","sans-serif"">For
the rest of us who may not be so
well informed, is there something
more we should understand and take
into account in considering this
particular back-and-forth?</span></span></p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-family:"Verdana","sans-serif""> </span></span></p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-family:"Verdana","sans-serif"">Thanks!</span></span></p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-family:"Verdana","sans-serif""> </span></span></p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-family:"Verdana","sans-serif"">Greg
Shatan</span></span></p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Thu, Aug 18, 2016
at 1:45 PM, Mounier, Grégory &lt;<a
moz-do-not-send="true"
href="mailto:gregory.mounier@europol.europa.eu"
target="_blank">gregory.mounier@europol.<wbr>europa.eu</a>&gt;
wrote:</p>
<div>
<div>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Dear
Ayden, </span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I
objected because some of your
statements were misinformed so I
thought that I should help and
clarify. But it seems that you
are very well informed and that
you don’t need further
explanations </span></span><span><span
style="font-size:11.0pt;color:#1f497d">:)</span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Best
regards, </span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Greg</span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"><span><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b></span><span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ayden Férdeline [mailto:<a
moz-do-not-send="true"
href="mailto:icann@ferdeline.com"
target="_blank">icann@ferdeline.com</a>]
</span></span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
<span><b>Sent:</b> 18 August 2016
19:27</span><br>
<span><b>To:</b> Mounier, Grégory</span><br>
<span><b>Cc:</b> Rob Golding; RDS
PDP WG</span><br>
<span><b>Subject:</b> Re: @EXT:
RE: [gnso-rds-pdp-wg] Use cases:
Fundamental, Incidental, and
Theoretical</span></span></p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Thank you for
the response, Greg. I did not mean
to suggest that Europol was <b>wholly</b> exempt
from European data protection
regulations, because it is not. In
my original message, I wrote: </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><i>"...your
agency is exempt from <b>some</b>
of the general provisions on
data processing." </i></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I have bolded
the word ‘some’ on this occasion
for emphasis. When I wrote that
Europol had exemptions from <b>some</b> of
the general provisions on data
processing, I was referring to the
Europol Council Decision as
published in the Official Journal
of the European Union on 15 May
2009. I am sure you are intimately
familiar with this document, as
you cited it in your email to me
today as providing the “basis for
Europol to establish and maintain
cooperative relations with Union
or Community institutions, bodies,
offices and agencies; third States
and organisations; private parties
and private persons in so far as
it is relevant to the performance
of its tasks.” </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Aside from
this, this decision contains data
processing rules which were, to
quote you again in your email,
"tailor-made" for Europol, and is
complemented by a set of
implementation guidelines which
privilege Europol with the ability
to process personal data “for the
purpose of prevention,
investigation, detection and
prosecution of criminal offences
or the execution of criminal
penalties” in a manner that would
not be permitted of other
stakeholders.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Given this, I'm
unsure as to why you found my
comments so objectionable, but I
hope this email has brought about
some more clarity. If not, I am
happy to expand upon my thoughts.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<p class="MsoNormal">Ayden </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">--------
Original Message --------</p>
</div>
<div>
<p class="MsoNormal">Subject:
@EXT: RE: [gnso-rds-pdp-wg] Use
cases: Fundamental, Incidental,
and Theoretical</p>
</div>
<div>
<p class="MsoNormal">Local Time:
August 18, 2016 5:54 PM</p>
</div>
<div>
<p class="MsoNormal">UTC Time:
August 18, 2016 4:54 PM</p>
</div>
<div>
<p class="MsoNormal">From: <a
moz-do-not-send="true"
href="mailto:gregory.mounier@europol.europa.eu"
target="_blank">gregory.mounier@europol.<wbr>europa.eu</a></p>
</div>
<div>
<p class="MsoNormal">To: <a
moz-do-not-send="true"
href="mailto:icann@ferdeline.com"
target="_blank">icann@ferdeline.com</a></p>
</div>
<div>
<p class="MsoNormal"><a
moz-do-not-send="true"
href="mailto:rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org"
target="_blank">rob.golding@astutium.com,gnso-<wbr>rds-pdp-wg@icann.org</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Dear
Ayden, </span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thank
you very much for sharing
your concerns and apologies
for the late response, I was
away from the office.</span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I
am not sure how you got the
perception that Europol was
“trawling” through WHOIS
records or that Europol was
“exempt from some of the
general provisions on data
processing” or even that our
legal framework limited the
ability of Europol staff to
process data from publicly
available sources related to
“terror manuals” or
“criminals claiming credit
for attacks”.</span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">In
fact, I can assure you that
<u>Europol is not exempted
from the general
provisions on data
protection</u>. European
data protection legislation
has been implemented in the
organisation with the aim of
creating a legal framework
which balances the
fundamental interests of
freedom and security. The
tailor-made set of rules
provides Europol with one of
the strongest, most robust
data protection frameworks in
the world of law
enforcement.</span></span></p>
<p class="MsoNormal"
style="text-align:justify"> </p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As
far as data exchange inside
the EU is concerned,
Art.22-25 of Europol Council
Decision (ECD) provides a
basis for Europol to
establish and maintain
cooperative relations with
Union or Community
institutions, bodies,
offices and agencies; third
States and organisations;
private parties and private
persons in so far as it is
relevant to the performance
of its tasks.</span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Europol
exchanges personal data only
with third parties which
have an adequate level of
data protection. The prior
data protection assessment
of the third party involves
a check on the necessary
data protection legislation
and confidentiality rules in
place and in practice. The
list of the third countries
with which Europol has
established an operational
agreement is published on
our website. </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">In
addition, Europol can
receive information from
private parties such as
companies, business
associations or non-profit
organisations. As with any
transfer of personal data,
this process is subject to
data protection controls. </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Last
but not least, in line with
the respective provisions of
the ECD, Europol can also
retrieve and process data,
including personal data,
from publicly available
sources, such as media and
public data and commercial
intelligence providers, in
accordance with the data
protection framework.</span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I
hope that I could clarify
some of the issues you
raised. </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Kind
regards, </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"
style="text-align:justify"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Greg</span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<p class="MsoNormal"><span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></span></p>
<div>
<div
style="border:none;border-top:solid
#b5c4df 1.0pt;padding:3.0pt
0in 0in 0in">
<p class="MsoNormal"><span><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b></span><span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ayden Férdeline [<a
moz-do-not-send="true"
href="mailto:icann@ferdeline.com" target="_blank">mailto:icann@ferdeline.com</a>]
</span></span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
<span><b>Sent:</b> 08
August 2016 14:11</span><br>
<span><b>To:</b> Mounier,
Grégory</span><br>
<span><b>Cc:</b> Rob
Golding; RDS PDP WG</span><br>
<span><b>Subject:</b> Re:
[gnso-rds-pdp-wg] @EXT:
RE: Use cases:
Fundamental, Incidental,
and Theoretical</span></span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<table style="width:100.0%"
border="0" cellpadding="0"
cellspacing="0" width="100%">
<tbody>
<tr>
<td style="padding:0in 0in
0in 0in" valign="top">
<table border="0"
cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td
style="padding:0in
0in 0in 0in"
valign="top">
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif"">Greg,</span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif""> </span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif"">I am
disappointed
that Europol
seems to be
advocating
that personal
information be
processed in a
manner
inconsistent
with European
law.</span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif""> </span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif"">I fully
appreciate
that, in order
to allow
Europol to
collect
sensitive
information
from the
Member States
in the pursuit
of
investigations,
your agency is
exempt from
some of the
general
provisions on
data
processing.
You are
permitted to
directly
retrieve and
process
information
obtained from
publicly-available sources, but the promotional literature on the
Europol
website
suggests
Europol agents
searching for
publicly-available ‘terror manuals’ or criminals claiming credit for
attacks. There
is no
indication
that this
includes
Europol
trawling
through things
like WHOIS
records to
identify the
administrator
of a website,
something far
less sinister.
And if the RDS
evolves into
something very
different from
what it is
today –
perhaps not
open to any
and everyone
to query, or
federated into
a single data
store – my
understanding
is that the
routing of
information
from a private
party to
Europol would
be subject to
European data
protection
controls and
safeguards.</span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif""> </span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif"">The very
specific
exemptions
that Europol
has received
in order to
carry out its
work simply do
not call for
Europol to
advocate for a
lower standard
of privacy
protection for
European
residents in
privately-owned
or
publicly-accessible
sources of
information.</span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif""> </span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif"">There is
no doubt that
effective
police work
requires top
intelligence,
but equally as
important is
the employment
of sound data
protection
safeguards
which strike
an appropriate
balance
between the
interests of
freedom and
security.</span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif""> </span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif"">Just my
$0.02.</span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif""> </span></span></p>
</div>
<div>
<p
class="MsoNormal"><span><span
style="font-family:"Calibri","sans-serif"">- Ayden</span></span></p>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<p> </p>
<div>
<p> </p>
<div>
<p class="MsoNormal">On
Thu, Aug 4, 2016 1:59
PM, wrote:</p>
<p>Dear Rob, </p>
<p> </p>
<p>Thanks for sharing the
outcome of your chat
with ex-FBI and UK LEA
agents. I feel that I
need to step in to
provide a different
perspective than the one
you just gave on the law
enforcement use of the
WHOIS. It might be a
matter of interpretation
but the views expressed
by your interlocutors
are not shared by my
colleagues working
throughout European
police cyber divisions.
</p>
<p> </p>
<p>If European cyber
investigators are
obviously all aware of
the fact that WHOIS
registration data can
sometimes be inaccurate
and not up-to-date
(ICANN compliance
reported that for the
first quarter of 2015,
WHOIS inaccuracy
comprised 74.0 % of
complaints), in 90% of
cases they will start
their investigations
with a WHOIS lookup.
This is really the first
step. </p>
<p> </p>
<p>Despite the lack of
accuracy, WHOIS
information is useful in
so many different ways.
One of the first of them is
to make correlations and
link pieces of
information obtained
through other means than
from the WHOIS. This was
the point I tried to
make on Tuesday during
the conference call. </p>
<p> </p>
<p>Accurate and reliable
WHOIS data helps crime
attribution and can save
precious investigation
time (you can rule out
wrong investigative
leads). </p>
<p>It raises the bar and
makes it more difficult
for criminals to abuse
domain names. It pushes
them to resort to more
complex techniques such
as ID theft to register
domains for malicious
purposes.</p>
<p> </p>
<p>In short, for LEA WHOIS
is certainly not the
silver bullet to
attribute crime on line
but it is an essential
tool in the tool box of
law enforcement.</p>
<p> </p>
<p>Best, </p>
<p> </p>
<p>Greg</p>
<p> </p>
<p> </p>
<p>-----Original
Message-----</p>
<p>From: <a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounces@icann.<wbr>org</a>
[<a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">mailto:gnso-rds-pdp-wg-<wbr>bounces@icann.org</a>]
On Behalf Of Rob Golding</p>
<p>Sent: 04 August 2016
01:46</p>
<p>To: RDS PDP WG</p>
<p>Subject: Re:
[gnso-rds-pdp-wg] Use
cases: Fundamental,
Incidental, and
Theoretical</p>
<p> </p>
<p>>> Theoretical</p>
<p>>> ===========</p>
<p>>> We have seen a
couple of proposed use
cases that seem to be
ideas </p>
<p>>> that people
have for useful or
harmful ways that RDS
can be used, but </p>
<p>>> that do not
exist today (at least
not that anyone can
fully </p>
<p>>> document).</p>
<p>>> </p>
<p>>> For example,
there seems to be a
desire to use the RDS as
a way to </p>
<p>>> issue warrants
for information about
registrants. While this
may be </p>
<p>>> useful, this
is not possible today
(even with RDAP, I
note).</p>
<p> </p>
<p>It not only is possible
today, it's also
"common" (although
thankfully not frequent)</p>
<p> </p>
<p>Registrars get served
warrants for details
about registrants, and
the _only_ information
from WHOIS that's
"needed" or used for
such cases is the name
of the Registrar.</p>
<p> </p>
<p>I had the pleasure of
meeting Chris Tarbell,
ex-FBI Cyber Crime, at
HostingCon last week -
asked about WHOIS/domain
data he said "we don't
use it"</p>
<p> </p>
<p>Last year at the UKNOF
event in Sheffield I
spent quite some time
talking with some
amazing people from the
UK CyberCrime
departments - asked the
same questions, they
confirmed that although
whois _might_ be looked
at to see if it matches
_data they already have_
for confirmation, it's
not used or relied on.</p>
<p> </p>
<p>Which beggars the
question, should
"LawEnforcement" use
cases even be part of
the discussions ?</p>
<p> </p>
<p>Rob</p>
<p>--</p>
<p>Rob Golding <a
moz-do-not-send="true"
href="mailto:rob.golding@astutium.com" target="_blank">rob.golding@astutium.com</a></p>
<p>Astutium Ltd, Number
One Poultry, London.
EC2R 8JR</p>
<p> </p>
<p>* domains * hosting *
vps * servers * cloud *
backups *
______________________________<wbr>_________________</p>
<p>gnso-rds-pdp-wg mailing
list</p>
<p><a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a></p>
<p><a
moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
target="_blank">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a></p>
<p>*******************</p>
<p> </p>
<p>DISCLAIMER : This
message is sent in
confidence and is only
intended for the named
recipient. If you
receive this message by
mistake, you may not
use, copy, distribute or
forward this message, or
any part of its contents
or rely upon the
information contained in
it.</p>
<p>Please notify the
sender immediately by
e-mail and delete the
relevant e-mails from
any computer. This
message does not
constitute a commitment
by Europol unless
otherwise indicated.</p>
<p> </p>
<p>*******************</p>
<p> </p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"> </p>
<div>
<p class="MsoNormal">Ayden
Férdeline</p>
</div>
<div>
<p class="MsoNormal"><a
moz-do-not-send="true"
href="https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI"
target="_blank"><span><span
style="font-family:"Calibri","sans-serif";background:white">Statement
of Interest</span></span></a></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</body></html>