<div><div dir="auto">Paul, that's an interesting reference. Thanks for sharing. <br></div><div dir="auto"><br></div><div dir="auto">Here's the link to the GAC's recent comment I was referring to as well for reference <a href="http://mm.icann.org/pipermail/comments-sadag-final-09aug17/attachments/20170922/0108ae32/abuse-statistical-analysis-gac-comment-19sep17-0001.pdf">http://mm.icann.org/pipermail/comments-sadag-final-09aug17/attachments/20170922/0108ae32/abuse-statistical-analysis-gac-comment-19sep17-0001.pdf</a></div><div dir="auto"><br></div><div dir="auto">Benny, only after a *very specific* analysis of data controller, processor, and sub-processing issues are considered--as well as of the recognition some parties or companies may be functioning outside of those roles under GDPR --can anyone form an opinion--and then only as it pertains to a specific set of facts and circumstances. </div><div dir="auto"><br></div><div dir="auto">I'm not sure the scope of this working group conceptually includes opininig on historical Whois datasets outside of a next generation RDS any more so than it would include opining on privacy issues in observing publicly available IP addresses as the analysis of who is the data controller, processor, sub-processor, and corollary contractually-related issues certainly vary from one set of facts to another. </div><div dir="auto"><br></div><div dir="auto">We need to generally ensure the privacy laws are taken seriously by not undermining them unintentionally through generalizing them in ways that may very well be, *way* off the mark. That discredits the opportunities that GDPR presents to educate people about privacy principles, and does a great disservice in my humble opinion because it has the _opposite_ effect. And at the same time it comes off as particularly infuriating to those in the anti-abuse community that governments--and the public--are so heavily relying on to help safeguard the very principles being championed.</div><div dir="auto"><br></div><div dir="auto">I do agree from a privacy perspective that the right to be forgotten seems to be under some circumstances, a potentially relevant issue, but not sure that can't be implemented. The key is within reason and figuring out what that means in practice. An immediately obvious competing concern is that miscreants of all kinds would try to abuse that principle--and in so many ways. </div><div dir="auto"><br></div><div dir="auto"> I admit I haven't studied the legal memo related to RDS yet though. Hope to catch up by Sunday (This month with religious holidays and travel on top of that last week and next is tough for me.) cheers jonathan </div><div dir="auto"><br></div><div class="gmail_quote"><div>On Thu, Sep 28, 2017 at 9:50 PM <a href="mailto:benny@nordreg.se">benny@nordreg.se</a> <<a href="mailto:benny@nordreg.se">benny@nordreg.se</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I don’t see there have been any dispute of the value of Domaintools… What I have said and I will repeat, it might not be legal in the form it is today after GDPR are in full force next year.<br>
The problem as far as I can see are the historical data stored on private persons who are given a right to withdrawn consent for publishing there data.<br>
<br>
The right to be forgotten are very strong in EU, google have paid there share of fines for not cleaning out data.<br>
<br>
<br>
--<br>
Med vänliga hälsningar / Kind Regards / Med vennlig hilsen<br>
<br>
Benny Samuelsen<br>
Registry Manager - Domainexpert<br>
<br>
Nordreg AB - ICANN accredited registrar<br>
IANA-ID: 638<br>
Phone: +46.42197000<br>
Direct: +47.32260201<br>
Mobile: +47.40410200<br>
<br>
> On 29 Sep 2017, at 01:32, Paul Keating <<a href="mailto:Paul@law.es" target="_blank">Paul@law.es</a>> wrote:<br>
><br>
> All,<br>
><br>
> This came to me as a part of an ongoing investigation directly related to GDPR.<br>
><br>
>> The EU Commission issued a Communication which states as follows: <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=JOIN:2017:450:FIN&rid=3" rel="noreferrer" target="_blank">http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=JOIN:2017:450:FIN&rid=3</a><br>
>><br>
>> More generally, online accountability should be further promoted. This means promoting measures to prevent the abuse of domain names for the distribution of unsolicited messages or phishing attacks. To this end, the Commission will work to improve the functioning of and the availability and accuracy of information in the Domain Name and IP WHOIS systems in line with the efforts of the Internet Corporation for Assigned Names and Numbers.<br>
>><br>
>> While not a legal act per se, this document shows that there are lawmakers in the EU who understands the value of DomainTools services.<br>
>><br>
> I think this puts an end to this conversation about whether abuse (not necessarily criminal concerns) is and remains a very important issue in the EU and this should be considered together with the GDPR.<br>
><br>
> Paul Keating<br>
><br>
> From: <<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounces@icann.org</a>> on behalf of jonathan matkowsky <<a href="mailto:jonathan.matkowsky@riskiq.net" target="_blank">jonathan.matkowsky@riskiq.net</a>><br>
> Date: Friday, September 29, 2017 at 1:08 AM<br>
> To: John Bambenek <<a href="mailto:jcb@bambenekconsulting.com" target="_blank">jcb@bambenekconsulting.com</a>><br>
> Cc: RDS PDP WG <<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a>><br>
> Subject: Re: [gnso-rds-pdp-wg] ICANN Meetings/Conversations with Data Protection and Privacy Commissioners<br>
><br>
>> The GAC's recommendations in their public comment on the recent statistical analysis of DNS abuse study shows that when you get down to it, there is already understanding by government that we must collect the necessary data elements for combatting abuse.<br>
>><br>
>> On Thu, Sep 28, 2017 at 3:18 PM, John Bambenek via gnso-rds-pdp-wg <<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a>> wrote:<br>
>>> I want to me too this... this is the single biggest cause of the contention in this group. I am being told by people who don't do anti-abuse or investigations on what I need to do my job and when I tell them what I need to do my job, my opinion doesn't matter.<br>
>>> **We** are the experts in this field. It'd be nice when people are talking about what is needed to fight abuse, we at least consider the opinions of people that **actually fight said abuse**.<br>
>>> And we will be taking this message to the DPAs directly so they understand what's at stake.<br>
>>><br>
>>> On 09/28/2017 05:10 PM, John Horton wrote:<br>
>>>> Chuck, let me briefly (I hope briefly) weigh in in response to that.<br>
>>>><br>
>>>> My observation is that the group does agree that fighting abuse is a worthy endeavor -- I suspect you'd get unanimity on that point. My sense is that where there's disagreement may be on two points:<br>
>>>> • Whether anti-abuse types really need a Whois record of the domain name in question to fight abuse -- the argument has been made that Whois is so often falsified, or privacy-protected, etc. that Whois isn't really useful to anti-abuse types, and that there are more useful tools than Whois.<br>
>>>> • Whether the entire Whois data set (or, say, even 95% of it), and being able to reverse query against it, is useful to anti-abuse types.<br>
>>>> From my perspective, I do think that there are a few folks in this working group who, even when I or others have repeatedly insisted that (and provide examples of how) we genuinely need 1) Whois records on specific merchants or bad actors, and 2) need the entire corpus against which to reverse query, seem unwilling to take our representations and examples at face value. I guess I've become a little cynical as to whether, even if that argument is presented objectively and compellingly, working group members are willing to be persuaded of it or not.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> John Horton<br>
>>>> President and CEO, LegitScript<br>
>>>><br>
>>>><br>
>>>> Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter<br>
>>>><br>
>>>><br>
>>>><br>
>>>> On Thu, Sep 28, 2017 at 2:51 PM, Chuck <<a href="mailto:consult@cgomes.com" target="_blank">consult@cgomes.com</a>> wrote:<br>
>>>>> I could be wrong but I think that we need to first convince ourselves as a<br>
>>>>> working group that fighting abuse is a critical and essential need and I<br>
>>>>> don't think that should be hard to do. A lot of you have made very strong<br>
>>>>> arguments in that regard and I believe that we have already agreed that<br>
>>>>> fighting abuse is a legitimate purpose for at least some RDS elements.<br>
>>>>><br>
>>>>> Note WG agreement #11: "Criminal Investigation & DNS Abuse Mitigation is a<br>
>>>>> legitimate purpose for "Minimum Public Data Set" collection." We obviously<br>
>>>>> have to get beyond the MPDS and we will.<br>
>>>>><br>
>>>>> It seems to me that the following WG agreement, although not directly<br>
>>>>> related to abuse mitigation, sets a basis upon which we can further<br>
>>>>> deliberate the abuse mitigation purpose: " 17. A purpose of RDS is to<br>
>>>>> facilitate dissemination of gTLD registration data of record, such as domain<br>
>>>>> names and their domain contacts and name servers, in accordance with<br>
>>>>> applicable policy." I admit that there is a lot of work we must do to<br>
>>>>> develop requirements and ultimately policies to allow and support the use of<br>
>>>>> RDS data for abuse mitigation purposes but we can do that.<br>
>>>>><br>
>>>>> I think all of the following recent WG agreements indirectly support further<br>
>>>>> deliberation on the abuse mitigation purpose:<br>
>>>>> " 30. At least one element identifying the domain name registrant (i.e.,<br>
>>>>> registered name holder) must be collected and included in the RDS.<br>
>>>>> 31. Data enabling at least one way to contact the registrant must be<br>
>>>>> collected and included in the RDS.<br>
>>>>> 32. At a minimum, one or more email addresses must be collected for every<br>
>>>>> domain name included in the RDS, for contact roles that require an email<br>
>>>>> address for contactability.<br>
>>>>> 33. For resiliency, data enabling alternative or preferred method(s) of<br>
>>>>> contact should be included in the RDS; further deliberation to determine<br>
>>>>> whether such data element(s) should be optional or mandatory to collect.<br>
>>>>> 34. At least one element enabling contact must be based on an open standard<br>
>>>>> and not a proprietary communication method.<br>
>>>>> 35. To improve contactability with the domain name registrant (or authorized<br>
>>>>> agent of the registrant), the RDS must be capable of supporting at least one<br>
>>>>> alternative contact method as an optional field.<br>
>>>>> 36. Purpose-based contact (PBC) types identified (Admin, Legal, Technical,<br>
>>>>> Abuse, Proxy/Privacy, Business) must be supported by the RDS but optional<br>
>>>>> for registrants to provide.<br>
>>>>> 37. The URL of the Internic Complaint Site must be supported for inclusion<br>
>>>>> in the RDS.<br>
>>>>> 38. The Registrar Abuse Contact Email Address must be supported for<br>
>>>>> inclusion in the RDS, and must be provided by Registrars.<br>
>>>>> 39. Reseller Name MUST be supported by the RDS. Note: There may be a chain<br>
>>>>> or Resellers identified by Reseller Name.<br>
>>>>> 40. Per recently-approved consensus policy on consistent labeling and<br>
>>>>> display, BOTH the Registrar Abuse Contact Email and Registrar Abuse Contact<br>
>>>>> Phone must be supported for inclusion in the RDS, and MUST be provided by<br>
>>>>> Registrars.<br>
>>>>> 41. In the interest of maximizing contactability, additional contact methods<br>
>>>>> MUST be supported by the RDS as an open-ended list and be optional for<br>
>>>>> Registrants to provide. This does not preclude agreements on requirements to<br>
>>>>> include other contact methods.<br>
>>>>> 42. The RDS must support Registrant Postal Address data elements: Registrant<br>
>>>>> Street Address, City, State/Province, and Postal Code.<br>
>>>>> 43. The RDS must support Registrant Phone + Registrant Phone Ext (extension)<br>
>>>>> data elements " I call this one out in reaction to some discussion on the<br>
>>>>> WG list today about identification of the domain name registrant."<br>
>>>>> These may not go far enough for some but they provide a start that we can<br>
>>>>> build on.<br>
>>>>><br>
>>>>> Chuck<br>
>>>>><br>
>>>>> -----Original Message-----<br>
>>>>> From: <a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounces@icann.org</a><br>
>>>>> [mailto:<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounces@icann.org</a>] On Behalf Of theo geurts<br>
>>>>> Sent: Thursday, September 28, 2017 11:07 AM<br>
>>>>> To: Andrew Sullivan <<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>>; <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
>>>>> Subject: Re: [gnso-rds-pdp-wg] ICANN Meetings/Conversations with Data<br>
>>>>> Protection and Privacy Commissioners<br>
>>>>><br>
>>>>> Hello Andrew,<br>
>>>>><br>
>>>>> 1 I agree you need to be specific, but also you should ask, would a DPA<br>
>>>>> accept it? Regardless if that is a DPA in Europe or China or Jamaica.<br>
>>>>> Setting the baseline to the GDPR would be a mistake, these data protection<br>
>>>>> laws are always in motion. As such you need to implement data protection<br>
>>>>> principles when you define purpose. Did we really do that?<br>
>>>>><br>
>>>>> 2 I am not sure if there is a misapprehension. I do think we did not go out<br>
>>>>> of the box far enough. We somehow keep circling back to the WHOIS, and that<br>
>>>>> is somewhat strange given the composition of the WG.<br>
>>>>> We did put a ton of work into looking at the current data elements and all<br>
>>>>> that, but we never into the concept of no WHOIS/RDS and come up with a<br>
>>>>> solution in such a scenario.<br>
>>>>><br>
>>>>> If we want to convince these policymakers of what we are facing abuse wise,<br>
>>>>> we must do better.<br>
>>>>><br>
>>>>> Theo<br>
>>>>><br>
>>>>><br>
>>>>> On 28-9-2017 19:11, Andrew Sullivan wrote:<br>
>>>>> > On Thu, Sep 28, 2017 at 06:46:29PM +0200, theo geurts wrote:<br>
>>>>> >> I think it is meant that IP addresses will be considered personal<br>
>>>>> >> information under the GDPR, that concept might be new to folks in this<br>
>>>>> WG.<br>
>>>>> > I _know_ that. But there are two issues here:<br>
>>>>> ><br>
>>>>> > 1. It appears entirely clear, both from previous discussions and<br>
>>>>> > from the legal analysis that was just delivered, that collection<br>
>>>>> > of certain data (and we're still talking about collection,<br>
>>>>> > remember) is permitted if you have legitimate purposes.<br>
>>>>> > Therefore, we should be paying attention to those purposes, and be<br>
>>>>> > specific about it.<br>
>>>>> ><br>
>>>>> > 2. It is possible that any law, or any interpretation of the law,<br>
>>>>> > is being made with a misapprehension of how the Internet actually<br>
>>>>> > works. Quite frankly, it is apparent to me that an alarming<br>
>>>>> > number of policymakers have a deeply mistaken model for the way<br>
>>>>> > the Internet works, mostly aligned with a picture that looks like<br>
>>>>> > the way the phone system used to work. But we have to make policy<br>
>>>>> > for the actual Internet, rather than for some system that does not<br>
>>>>> > actually exist. This is why I sent that note the other day about<br>
>>>>> > figuring out what we want and then asking lawyers how that can be<br>
>>>>> > made to comport with such legal regimes as we know, rather than<br>
>>>>> > doing it the other way.<br>
>>>>> ><br>
>>>>> > Best regards,<br>
>>>>> ><br>
>>>>> > A<br>
>>>>> ><br>
>>>>><br>
>>>>> _______________________________________________<br>
>>>>> gnso-rds-pdp-wg mailing list<br>
>>>>> <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
>>>>> <a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br>
>>>>><br>
>>>>> _______________________________________________<br>
>>>>> gnso-rds-pdp-wg mailing list<br>
>>>>> <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
>>>>> <a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br>
>>>><br>
>>>><br>
>>>><br>
>>>> ______________________________<br>
>>>> _________________<br>
>>>> gnso-rds-pdp-wg mailing list<br>
>>>><br>
>>>> gnso-rds-pdp-wg@icann.orghttps://<a href="http://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> gnso-rds-pdp-wg mailing list<br>
>>> <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
>>> <a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br>
>><br>
>><br>
>> *******************************************************************<br>
>> This message was sent from RiskIQ, and is intended only for the designated recipient(s). It may contain confidential or proprietary information and may be subject to confidentiality protections. If you are not a designated recipient, you may not review, copy or distribute this message. If you receive this in error, please notify the sender by reply e-mail and delete this message. Thank you.<br>
>><br>
>> *******************************************************************_______________________________________________ gnso-rds-pdp-wg mailing list <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a> <a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br>
> _______________________________________________<br>
> gnso-rds-pdp-wg mailing list<br>
> <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
> <a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br>
<br>
</blockquote></div></div><div dir="ltr">-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature">Jonathan Matkowsky</div>
<br>
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)">******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>*******<br></span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)">This message was sent from RiskIQ, and is intended only for the designated recipient(s). It may contain confidential or proprietary information and may be subject to confidentiality protections. If you are not a designated recipient, you may not review, copy or distribute this message. If you receive this in error, please notify the sender by reply e-mail and delete this message. Thank you.</span><p style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"></p><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)">******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>*******</span>