<div dir="ltr"><div>The issue you raise is addressed simply enough by requiring a privacy disclosure be displayed at the time of domain registration. This requirement can be incorporated into the ICANN registry agreements. Note that this does not resolve the issue for CC domains.<br><br></div>Michael Hammer<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 1, 2017 at 10:43 AM, Stephanie Perrin <span dir="ltr"><<a href="mailto:stephanie.perrin@mail.utoronto.ca" target="_blank">stephanie.perrin@mail.utoronto.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><font face="Lucida Grande">I certainly agree that
if people enter personal information as part of their DNS
registration or their motor vehicle licence registration, it
is done with implied consent... as long as there is sufficient
information to permit them to understand just how the data is
being used and where it is going. However, as I tried to say
with respect to registering a domain name, I really don't
think the average non-expert citizen who might want to
register a domain name would get enough information to truly
understand how far his/her information goes, and how difficult
it is to get it removed once it has appeared in the public
record. We should build this system so that everyone
understands it, not just the experts.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">cheers Stephanie</font></font><br>
</p><div><div class="h5">
<br>
<div class="m_2166171403518111352moz-cite-prefix">On 2017-06-01 05:18, jonathan matkowsky
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Stephanie,<br>
<div><font face="tahoma, sans-serif"><br>
</font></div>
<div><font face="tahoma, sans-serif">
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline">I
agree with you that we should not conflate collection
limitation principles with openness principles.</div>
</font></div>
<div><font face="tahoma, sans-serif">
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline"><br>
</div>
</font></div>
<div><font face="tahoma, sans-serif">
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline">I
respectfully disagree with most of what you wrote in the
first paragraph of your post script. </div>
</font><font face="tahoma, sans-serif">
<div class="gmail_default" style="display:inline">Here we
are talking about users potentially entering personal or
pseudonymous information when they are not being asked for
it (nor is it required) to begin with, and it is not
required for purposes of which it's being collected. That
is the</div>
</font>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline">scope</div>
of what needs to be assessed
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline">if at
all and how the scope needs to be</div>
defined from the beginning
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline">
if you were to conduct a PIA</div>
.
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"> </div>
</div>
<div><span style="font-family:tahoma,sans-serif">
<div class="gmail_default" style="display:inline"><br>
</div>
</span></div>
<div><span style="font-family:tahoma,sans-serif">
<div class="gmail_default" style="display:inline"></div>
</span><span style="font-family:tahoma,sans-serif">
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline"> </div>
</span><span style="font-family:tahoma,sans-serif">
<div class="gmail_default" style="display:inline">Personal
information is not being used or intended to be used just
because a person decides to enter personal information
into a field. </div>
</span>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"></div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline">The
example of how you can combine databases to re-identify a
person based on the SOA record is the equivalent of
protecting domain names as personal information because a
person </div>
<span style="font-family:tahoma,sans-serif">can register their
driver's license
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline">
or name and date of birth</div>
as a domain name.</span>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"> </div>
<span style="font-family:tahoma,sans-serif">I would argue no
PIA should be required </span>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline">as a
result </div>
<span style="font-family:tahoma,sans-serif">even in accordance
even with best practices.</span>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"> </div>
A PIA needs to be conducted in a manner that is commensurate
with the level of privacy risk identified
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline">. </div>
</div>
<div><span style="font-family:tahoma,sans-serif"> </span></div>
<div>
<div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline">I
respectfully disagree with you that thin data is
personal. We are talking about identifiers (codes or
strings that represent an individual or device). Many
labels can be used to point to individuals. Some are
precise and most, imprecise or vague. There's no question
that an IP address is a device identifier. Device IDs,
MAC addresses can be a source for user tracking. But </div>
<span style="font-family:tahoma,sans-serif">
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline">i</div>
</span>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline">dentifiers
can be strong or weak depending on how precise they are as
well as the context. It cannot be measured without taking
linkability into consideration. For that reason, name
servers are not the same as IP addresses or MAC addresses
any more so than the existence of a domain name is an
identifier. If a person chooses to use identifiable
information when it is not being asked for or required for
purposes of which the data is being collected, that does
that mean we need to classify all the data according to
that unlikely scenario. Those setting up their own DNS
would be relatively speaking, sophisticated Internet users
that presumably know the basics of how DNS operates in any
case, so by entering the information in that way, they are
choosing to customize their DNS in a personal way similar
to a person that chooses to show personal information on
their license plate number. </div>
</div>
<div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"><br>
</div>
</div>
<div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">I
know that the motor vehicle registry is restricted now in
most places so that you would need a subpoena to get that
kind of personal information. This is also true of an IP
address though and IP providers. The fact is a person can
put their name and date of birth on a license plate if
they want to customize it. And then they get on the road.
That does not mean the license plate numbers are all
personal information. It's pseudonymous data. It is true
that it is a stronger identifier than an IP address
insofar as if you subpoena the motor vehicle registry
operator, you will get the personal information behind
that license plate number. If you subpoena the ISP, you
MIGHT get the personal information depending on the nature
of the IP address. It's still true that to drive a car,
you need to show your license plate number on the
vehicle. </div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small"><br>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">I
would argue that thin Whois data is pseudonymous or
personal data to the same extent that a person can choose
to <u>customize</u> a license plate if they want to, and
put personal or psuedonymous data into fields
<div class="gmail_default" style="display:inline">for
which the data being collected does not ask for or
require them to do so. </div>
<div class="gmail_default" style="display:inline"></div>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">
<div class="gmail_default" style="display:inline"><br>
</div>
</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small">
<div class="gmail_default" style="display:inline">A</div>
person can register their driver's license as a domain
name.
<div class="gmail_default" style="display:inline">They can
use a personal email in their SOA record, or personal
NS. </div>
Just because it's theoretically possible for someone to
enter pseudonymous (or even personal) data into multiple
databases when they are not being asked for it, and those
combination of choices make it possible to identify them,
does not mean one of the sets (Thin Whois) should be
classified as personal information subject to a PIA. </div>
</div>
<div><br>
</div>
<div class="gmail_extra">
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;display:inline"></div>
<br clear="all">
<div>
<div class="m_2166171403518111352gmail_signature">
<div dir="ltr">
<div>Jonathan Matkowsky,<br>
VP – IP & Brand Security<br>
USA:: <a href="tel:(347)%20467-1193" value="+13474671193" target="_blank">1.347.467.1193</a> | Office:: <a href="tel:+972%208-926-2766" value="+97289262766" target="_blank">+972-(0)8-926-2766</a><br>
Emergency mobile:: <a href="tel:+972%2054-924-0831" value="+972549240831" target="_blank">+972-(0)54-924-0831</a><br>
Company Reg. No. 514805332 <br>
11/1 Nachal Chever, Modiin Israel<br>
<a href="http://www.riskiq.co.il" target="_blank">Website</a><br>
RiskIQ Technologies Ltd. (wholly-owned by RiskIQ,
Inc.)</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Thu, Jun 1, 2017 at 12:02 AM,
Stephanie Perrin <span dir="ltr"><<a href="mailto:stephanie.perrin@mail.utoronto.ca" target="_blank">stephanie.perrin@mail.<wbr>utoronto.ca</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">Your
summary today was great Andrew.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">I am not
arguing about the disclosure of thin data. We
already voted on unauthenticated mandatory
disclosure, weeks ago (or at least it feels like
weeks ago). Lets please move on. We are
debating this yet again, because people keep
asking, is thin data personal? </font></font><font size="+1"><font face="Lucida Grande"><font size="+1"><font face="Lucida Grande"> [lots of
people missed the last call]</font></font>
The answer is yes (IMHO). Does that mean it
cannot be disclosed? The answer is no. Does
the proportionality principle apply? Yes. Have
we already gone through this? Yes. Can we come
back to it? Yes, but hopefully only if we have
to.....we will have to when we get to data
elements.</font></font><br>
</p>
cheers Stephanie<br>
<font size="+1">PS a fundamental problem here is that
people try to categorize information that in their
view should be disclosed, as not personal
information. This fight has gone on for years over
IP address, for instance. The important question is
not actually whether it is personal data or not, it
is "do you need to disclose it to make things
work?"....and if the answer is yes then you try to
mitigate the disclosure and try to keep it minimized
to what is absolutely required. Hence the PIA,
which should employ both data minimization and the
test in the proportionality principle as techniques
to evaluate data elements.<br>
A good and really simple example is a phone number.
IS it personal info? (the telcos fought for years,
trying to claim they owned it and it was not
personal). Obviously it pertains to you, people
feel strongly that it is personal (culturally
relative of course but...) and yet if noone ever
learns your number your phone won't ever receive a
call. That does not mean you have to disclose it
everywhere.....only where necessary. And it should
mean that it does not have to follow you everywhere,
but that is becoming increasingly hard to manage....<br>
<br>
By the way, informed consent is not the same as
transparency requirements. Transparency
requirements are exactly that....you have to be
transparent about what you are doing with data. Let
us not conflate that with consent.<br>
<br>
I will quit now and stop trying to answer
questions. I would like to humbly suggest, however,
that we have a real shortage of basic understanding
of how data protection law works and is
interpreted. If there is a data protection law
expert that folks might listen to, we should hire
that person to advise us. It might save a lot of
time.<br>
<br>
<br>
</font>
<div class="m_2166171403518111352gmail-m_7395020479003268935moz-cite-prefix">On
2017-05-31 16:00, Andrew Sullivan wrote:<br>
</div>
<blockquote type="cite">
<pre>Hi,
On Wed, May 31, 2017 at 03:20:59PM -0400, Stephanie Perrin wrote:
</pre>
<blockquote type="cite">
<pre>That does not mean we need to protect it, it means we have to examine it in
terms of DP law. May I repeat the suggestion that Canatacci made in
Copenhagen in response to a question.....(I forget the precise question he
was asked, sorry). If you want to figure out whether you have to protect
something or not, do a privacy impact assessment.
</pre>
</blockquote>
<pre>As I think I've said more than once in this thread, I think we _have_
done that assessment and I think the answers are obvious and I think
therefore that there is nothing more to say about this principle in
respect of thin data:
- the data is either necessary for the operation of the system
itself or else necessary for distributed operation and
troubleshooting on the Internet.
- the data does not expose identifying information about anyone,
except in rather strained examples where the identifying
information is already completely available via other means.
What more is one supposed to do?
Best regards,
A
</pre>
</blockquote>
<br>
</div>
<br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
<br>______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br></blockquote></div><br></div>