<div dir="ltr"><div>Stephanie,<br><br></div>Thanks for your thoughtful reply. Comments in-line.<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 26, 2017 at 2:34 PM, Stephanie Perrin <span dir="ltr"><<a href="mailto:stephanie.perrin@mail.utoronto.ca" target="_blank">stephanie.perrin@mail.utoronto.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">I am going to attempt
to answer your question. Has there been a case against ICANN
and the WHOIS that has gone to the European Court of Justice?
Not that I am aware of, and I have looked. Have the data
protection commissioners been warning ICANN that the WHOIS is
violating EU law? Most assuredly, since 1998, actually.
Check the Annual report filed by Stefano Rodota, then Chairman
of the Article 29 Working group, available on the EC website.
<br></font></font></p></div></blockquote><div> Not having the full history of who said what to whom when, I'm at a disadvantage. I'll look for the annual report.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><p><font size="+1"><font face="Lucida Grande">
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Volker's point is that
the fact that there has not been a case yet does not mean the
Data Commissioners are wrong, it means no one has taken a
case. And quite frankly, they (the Article 29 Working Party)
knew that the Safe Harbor agreement was not "adequate", but they
had to accept it (political compromise). The fact that it
took a lawsuit filed by a student to get the Safe Harbor
agreement thrown out, after the gallons of ink that have been
spilled in the intervening years (17, if you are counting)
only amplifies the risk, in my view. Data commissioners are
being challenged as never before to enforce the law. <br></font></font></p></div></blockquote><div>From my perspective, both Safe Harbor and Data Shield are somewhat irrelevant in that organizations are self certifying. I specifically asked for cases because those tend to be the strongest and clearest precedent.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><p><font size="+1"><font face="Lucida Grande">
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">As for privacy proxy
solving the problem, it does not. Over-collection is not
solved by providing a proxy in the third party disclosure
mechanism. It is still over-collection, disproportionate to
needs. Data escrow and data retention are also not in
compliance with the GDPR, and while they are somewhat out of
scope for this PDP, the fact that the elements cited as requisite
for WHOIS are also the elements required for data retention
and disclosure makes the waters rather muddy. The data
commissioners are unlikely to worry themselves about the scope
of our PDP, they are expecting ICANN to come up with a set of
requirements (as data controller) that complies with law.</font></font></p></div></blockquote><div>It's not clear to me whether whois is over collection or not because people seem to be talking past each other as to the use(s) of whois (primary and secondary) and the impact on the Internet ecosystem of pruning back to various degrees or even eliminating whois entirely. Depending on where people sit and the constituency(s) they assert they are representing, I hear differing statements as to the purposes and justification for whois. Where you stand depends on where you sit.<br><br></div><div>I'm still cogitating on things.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">I hope this helps.</font></font></p></div></blockquote><div><br></div><div>It does. <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span class="HOEnZb"><font color="#888888">
<p><font size="+1"><font face="Lucida Grande">Stephanie Perrin<br>
</font></font></p></font></span><div><div class="h5">
<br></div></div></div></blockquote><div><br></div><div>Michael Hammer <br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><div><div class="h5">
<div class="m_1920905434721192983moz-cite-prefix">On 2017-09-26 12:13, Dotzero wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>You are raising a different discussion/issue Andrew. A
discussion of what the working group thinks is appropriate is
a different discussion vs assertions as to the legal
requirements from various jurisdictions as to what we are
obliged to do.<br>
<br>
I keep on hearing law invoked and therefore asked what
precedent there is specific to whois and CBDF. It's a
straightforward question and with the various privacy and legal
experts on the list, one that should be easily answered if
there are precedents specific to whois out there. Volker threw
up a laundry list of references that don't really apply to the
question I asked. <br>
<br>
</div>
Michael Hammer<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Sep 26, 2017 at 11:12 AM,
Andrew Sullivan <span dir="ltr"><<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="m_1920905434721192983gmail-">On
Tue, Sep 26, 2017 at 10:59:15AM -0400, Dotzero wrote:<br>
> predecessor regulations have been around for quite
some time and if the<br>
> whois privacy issues we have been debating are
truly a significant problem<br>
> to the extent that some represent them to be, I
would expect that there<br>
> would have been at least some sort of precedents
specific to whois.<br>
<br>
</span>I think that, regardless of any legal cases, the
current whois leaks<br>
way too much information. ICANN has an enormous
bureaucracy around<br>
"whois accuracy" partly (but only partly) because ordinary
people<br>
don't want to pay extra to keep their home telephone
numbers off from<br>
being wide open on the Internet, so they lie about it.
There is _no<br>
reason_ that we are still using an ancient protocol that
was designed<br>
for a completely different network environment.<br>
<br>
The IAB recommends, in RFC 6973, that protocols do
something about<br>
data minimization (see section 6.1). The evidence we have
is that<br>
greater exposure of data provides a vector for attacks we
haven't even<br>
thought about. Therefore, we should not expose data to
everyone<br>
unless we are sure that it is necessary (and some of this
data _is_<br>
necessary to expose to everyone); and we should be able to
track who<br>
got the data if we're exposing data that is not published
to everyone.<br>
<br>
I don't think any of this should be news, and I think it
is really<br>
strange that we seem still to be discussing whether it is
something we<br>
need to embrace.<br>
<span class="m_1920905434721192983gmail-"><br>
Best regards,<br>
<br>
A<br>
<br>
<br>
--<br>
Andrew Sullivan<br>
<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a><br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
</span><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="m_1920905434721192983mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div></div>