<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>So you agree that you can educate your customers to make consent
possible? Good.</p>
<p>Now can we move on?<br>
</p>
<br>
<div class="moz-cite-prefix">On 6/1/2017 11:46 AM, Ayden Férdeline
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ZMAMlF9uV1FQfpAFtOR9wfZ31bk3wt_S7MaqnPEFZyziKQvvLG6lFSnBHceC7iV5GZ40X7Z1lIGr8sZdzJ9FhlhzSimTWbNrjYZQ5S8n-CA=@ferdeline.com">
<div>+1 Stephanie. The vast majority of people, if given the
appropriate information and time, are perfectly capable of
understanding a complex or technical issue. <br>
</div>
<div><br>
</div>
<div class="protonmail_signature_block ">
<div class="protonmail_signature_block-user ">
<div>Ayden Férdeline<br>
</div>
<div><a title="http://www.linkedin.com/in/ferdeline"
href="http://www.linkedin.com/in/ferdeline"
moz-do-not-send="true">linkedin.com/in/ferdeline</a><br>
</div>
</div>
<div class="protonmail_signature_block-proton
protonmail_signature_block-empty"><br>
</div>
</div>
<div><br>
</div>
<blockquote type="cite" class="protonmail_quote">
<div>-------- Original Message --------<br>
</div>
<div>Subject: Re: [gnso-rds-pdp-wg] The principle for thin data
(was Re: Principle on Proportionality for "Thin Data"access)<br>
</div>
<div>Local Time: June 1, 2017 3:40 PM<br>
</div>
<div>UTC Time: June 1, 2017 2:40 PM<br>
</div>
<div>From: <a class="moz-txt-link-abbreviated" href="mailto:stephanie.perrin@mail.utoronto.ca">stephanie.perrin@mail.utoronto.ca</a><br>
</div>
<div>To: jonathan matkowsky
<a class="moz-txt-link-rfc2396E" href="mailto:jonathan.matkowsky@riskiq.net">&lt;jonathan.matkowsky@riskiq.net&gt;</a><br>
</div>
<div>RDS PDP WG <a class="moz-txt-link-rfc2396E" href="mailto:gnso-rds-pdp-wg@icann.org">&lt;gnso-rds-pdp-wg@icann.org&gt;</a><br>
</div>
<div><br>
</div>
<div><br>
</div>
<p><span style="font-size:undefinedpx" class="size"><span
class="font" style="font-family:'Lucida Grande'">I
certainly agree that if people enter personal information
as part of their DNS registration or their motor vehicle
licence registration, it is done with implied consent...
as long as there is sufficient information to permit them
to understand just how the data is being used and where it
is going. However, as I tried to say with respect to
registering a domain name, I really don't think the
average non-expert citizen who might want to register a
domain name would get enough information to truly
understand how far his/her information goes, and how
difficult it is to get it removed once it has appeared in
the public record. We should build this system so that
everyone understands it, not just the experts.</span></span><br>
</p>
<p><span style="font-size:undefinedpx" class="size"><span
class="font" style="font-family:'Lucida Grande'">cheers
Stephanie</span></span><br>
</p>
<div><br>
</div>
<div class="moz-cite-prefix">On 2017-06-01 05:18, jonathan
matkowsky wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Stephanie,<br>
</div>
<div><br>
</div>
<div><span class="font" style="font-family:tahoma,
sans-serif"></span><br>
</div>
<div><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;display:inline">I
agree with you that we should not conflate collection
limitation principles with openness principles.<br>
</div>
</span></div>
<div><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;display:inline"><br>
</div>
</span></div>
<div><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;display:inline">I
respectfully disagree with most of what you wrote in
the first paragraph of your post script. <br>
</div>
</span><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default" style="display:inline">Here
we are talking about users potentially entering
personal or pseudonymous information when they are not
being asked for it (nor is it required) to begin with,
and it is not required for purposes of which it's
being collected. That is the scope of what needs to be
assessed if at all and how the scope needs to be
defined from the beginning if you were to conduct a PIA.<br>
</div>
</span>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline"><br>
</div>
</div>
<div><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default" style="display:inline"><br>
</div>
</span></div>
<div><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default" style="display:inline"><br>
</div>
</span><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;display:inline"> <br>
</div>
</span><span class="font" style="font-family:tahoma,
sans-serif">
<div class="gmail_default" style="display:inline">Personal
information is not being used or intended to be used
just because a person decides to enter personal
information into a field. <br>
</div>
</span>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline">The
example of how you can combine databases to re-identify
a person based on the SOA record is the equivalent of
protecting domain names as personal information because
a person can register their driver's license or name and
date of birth as a domain name.<br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline"> <br>
</div>
<div><span class="font" style="font-family:tahoma,
sans-serif">I would argue no PIA should be required as a
result even in accordance with best practices.</span><br>
</div>
<div><span class="font" style="font-family:tahoma,
sans-serif">A PIA needs to be conducted in a manner that is
commensurate with the level of privacy risk identified.</span><br>
</div>
</div>
<div><span class="font" style="font-family:tahoma,
sans-serif"> </span><br>
</div>
<div>
<div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;display:inline">I
respectfully disagree with you that thin data is
personal. We are talking about identifiers (codes or
strings that represent an individual or device). Many
labels can be used to point to individuals. Some are
precise and most, imprecise or vague. There's no
question that an IP address is a device identifier.
Device IDs, MAC addresses can be a source for user
tracking. But identifiers
can be strong or weak depending on how precise they
are as well as the context. It cannot be measured
without taking linkability into consideration. For
that reason, name servers are not the same as IP
addresses or MAC addresses any more so than the
existence of a domain name is an identifier. If a
person chooses to use identifiable information when it
is not being asked for or required for purposes of
which the data is being collected, that does that mean
we need to classify all the data according to that
unlikely scenario. Those setting up their own DNS
would be relatively speaking, sophisticated Internet
users that presumably know the basics of how DNS
operates in any case, so by entering the information
in that way, they are choosing to customize their DNS
in a personal way similar to a person that chooses to
show personal information on their license plate
number. <br>
</div>
</div>
<div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;display:inline"><br>
</div>
</div>
<div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small">I
know that the motor vehicle registry is restricted now
in most places so that you would need a subpoena to
get that kind of personal information. This is also
true of an IP address though and IP providers. The
fact is a person can put their name and date of birth
on a license plate if they want to customize it. And
then they get on the road. That does not mean the
license plate numbers are all personal information.
It's pseudonymous data. It is true that it is a
stronger identifier than an IP address insofar as if
you subpoena the motor vehicle registry operator, you
will get the personal information behind that license
plate number. If you subpoena the ISP, you MIGHT get
the personal information depending on the nature of
the IP address. It's still true that to drive a car,
you need to show your license plate number on the
vehicle. <br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small">
<div>I would argue that thin Whois data is
pseudonymous or personal data to the same extent
that a person can choose to <u>customize</u> a
license plate if they want to, and put personal or
pseudonymous data into fields for which the data
being collected does not ask for or require them to
do so. <br>
</div>
<div class="gmail_default" style="display:inline"><br>
</div>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small">
<div class="gmail_default" style="display:inline"><br>
</div>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small">
<div>A person can register their driver's license as a
domain name. They can use a personal email in their SOA
record, or personal NS. <br>
</div>
<div>Just because it's theoretically possible for
someone to enter pseudonymous (or even personal)
data into multiple databases when they are not being
asked for it, and that combination of choices makes
it possible to identify them, does not mean one of
the sets (Thin Whois) should be classified as
personal information subject to a PIA. <br>
</div>
</div>
</div>
<div><br>
</div>
<div class="gmail_extra">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;display:inline"><br>
</div>
<div><br>
</div>
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div>Jonathan Matkowsky,<br>
</div>
<div>VP – IP &amp; Brand Security<br>
</div>
<div>USA:: 1.347.467.1193 | Office::
+972-(0)8-926-2766<br>
</div>
<div>Emergency mobile:: +972-(0)54-924-0831<br>
</div>
<div>Company Reg. No. 514805332 <br>
</div>
<div>11/1 Nachal Chever, Modiin Israel<br>
</div>
<div><a rel="noreferrer nofollow noopener"
href="http://www.riskiq.co.il"
moz-do-not-send="true">Website</a><br>
</div>
<div>RiskIQ Technologies Ltd. (wholly-owned by
RiskIQ, Inc.)<br>
</div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<div class="gmail_quote">
<div>On Thu, Jun 1, 2017 at 12:02 AM, Stephanie Perrin
<span dir="ltr">&lt;<a rel="noreferrer nofollow noopener"
href="mailto:stephanie.perrin@mail.utoronto.ca"
moz-do-not-send="true">stephanie.perrin@mail.utoronto.ca</a>&gt;</span>
wrote:<br>
</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><span style="font-size:undefinedpx"
class="size"><span class="font"
style="font-family:'Lucida Grande'">Your
summary today was great Andrew.</span></span><br>
</p>
<p><span style="font-size:undefinedpx"
class="size"><span class="font"
style="font-family:'Lucida Grande'">I am not
arguing about the disclosure of thin data.
We already voted on unauthenticated
mandatory disclosure, weeks ago (or at least
it feels like weeks ago). Let's please move
on. We are debating this yet again, because
people keep asking, is thin data personal? <span
style="font-size:undefinedpx" class="size"><span
class="font" style="font-family:'Lucida
Grande'"> [lots of people missed the
last call]</span></span> The answer is
yes (IMHO). Does that mean it cannot be
disclosed? The answer is no. Does the
proportionality principle apply? Yes. Have
we already gone through this? Yes. Can we
come back to it? Yes, but hopefully only if
we have to.....we will have to when we get
to data elements.</span></span><br>
</p>
<div>cheers Stephanie<br>
</div>
<div><span style="font-size:undefinedpx"
class="size">PS a fundamental problem here is
that people try to categorize information that
in their view should be disclosed, as not
personal information. This fight has gone on
for years over IP address, for instance. The
important question is not actually whether it
is personal data or not, it is "do you need to
disclose it to make things work?"....and if
the answer is yes then you try to mitigate the
disclosure and try to keep it minimized to
what is absolutely required. Hence the PIA,
which should employ both data minimization and
the test in the proportionality principle as
techniques to evaluate data elements.<br>
A good and really simple example is a phone
number. IS it personal info? (the telcos
fought for years, trying to claim they owned
it and it was not personal). Obviously it
pertains to you, people feel strongly that it
is personal (culturally relative of course
but...) and yet if no one ever learns your
number your phone won't ever receive a call.
That does not mean you have to disclose it
everywhere.....only where necessary. And it
should mean that it does not have to follow
you everywhere, but that is becoming
increasingly hard to manage....<br>
<br>
By the way, informed consent is not the same
as transparency requirements. Transparency
requirements are exactly that....you have to
be transparent about what you are doing with
data. Let us not conflate that with consent.<br>
<br>
I will quit now and stop trying to answer
questions. I would like to humbly suggest,
however, that we have a real shortage of basic
understanding of how data protection law works
and is interpreted. If there is a data
protection law expert that folks might listen
to, we should hire that person to advise us.
It might save a lot of time.<br>
<br>
</span></div>
<div
class="gmail-m_7395020479003268935moz-cite-prefix">On
2017-05-31 16:00, Andrew Sullivan wrote:<br>
</div>
<blockquote type="cite">
<pre>Hi,
On Wed, May 31, 2017 at 03:20:59PM -0400, Stephanie Perrin wrote:
</pre>
<blockquote type="cite">
<pre>That does not mean we need to protect it, it means we have to examine it in
terms of DP law. May I repeat the suggestion that Cannataci made in
Copenhagen in response to a question.....(I forget the precise question he
was asked, sorry). If you want to figure out whether you have to protect
something or not, do a privacy impact assessment.
</pre>
</blockquote>
<pre>As I think I've said more than once in this thread, I think we _have_
done that assessment and I think the answers are obvious and I think
therefore that there is nothing more to say about this principle in
respect of thin data:
- the data is either necessary for the operation of the system
itself or else necessary for distributed operation and
troubleshooting on the Internet.
- the data does not expose identifying information about anyone,
except in rather strained examples where the identifying
information is already completely available via other means.
What more is one supposed to do?
Best regards,
A
</pre>
</blockquote>
<div><br>
</div>
</div>
<div><br>
</div>
<div>______________________________<wbr>_________________<br>
</div>
<div>gnso-rds-pdp-wg mailing list<br>
</div>
<div><a rel="noreferrer nofollow noopener"
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
</div>
<div><a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer nofollow noopener"
moz-do-not-send="true">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</blockquote>
<div><br>
</div>
<br>
</blockquote>
<br>
</body>
</html>