<div><div dir="auto">One more thought - sort of reflections on the last call, and where we are at. I think we are wasting time because we are being asked to come up with an RDS on the basis existing Whois policies including exemptions available, conflict with GDPR or other potentially more strict data protection regimes we have not studied. This is a big mistake. It is not necessary. It’s pretty clear to me that a privacy impact assessment is needed in designing the next generation of Whois, which should run in parallel with Whois at least for a while if not foreseeably forever, with the goal of improving Whois functionality, which clearly at least to me, can be greatly improved. We just have to make sure it functions as intended.</div><div dir="auto"><br></div><div dir="auto">So I don’t see why our work needs to create all this conflict deciding about existing Whois policies frankly, which we clearly have not adequately addressed because we have never studied the exemptions available etc. And this group would be a lot more productive frankly, if we framed our charter in that regard differently. Just food for thought.</div><br><div class="gmail_quote"><div>On Wed, Oct 4, 2017 at 12:31 PM jonathan matkowsky <<a href="mailto:jonathan.matkowsky@riskiq.net">jonathan.matkowsky@riskiq.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="auto">Hello, Maxim ,</div><div dir="auto"><br></div><div dir="auto">I disagree with your analysis. The memo supports that economic repercussions for cyber security firms does not take precedence over fundamental human rights, and that private cyber security firms are not exempt under GDPR currently, absent specific legislation coming into effect consistent with GDPR. I agree with both of these conclusions.</div></div></div><div dir="auto"><br></div><div dir="auto">Specifying the purposes of processing is expressly outside the scope of the memorandum, and in that regard, private cyber security firms may very well play a special role. I believe they do. This doesn’t mean GDPR exempts them but that they may need very thinly gated access to certain information that registrants consent to providing for certain specified purposes.</div><div dir="auto"><br></div><div dir="auto">I also understand there may be a privacy framework in Europe that addresses public directories that may still be in effect when GDPR is implemented, and additional analysis may be needed in this regard, but I am still looking into this as it has been only anecdotal information provided to me at this time. I hope to have more in that regard by next week.</div><div dir="auto"><br></div><div dir="auto">Cheers,</div><div dir="auto">Jonathan Matkowsky </div><div><div><div dir="auto"><br></div><div dir="auto"><br></div><br><div class="gmail_quote"><div>On Wed, Oct 4, 2017 at 9:04 AM Maxim Alzoba <<a href="mailto:m.alzoba@gmail.com" target="_blank">m.alzoba@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Hello Chuck, <div><br></div><div>Reading the memo I came to the conclusion that all cyber investigating companies, which do not have accreditation of sorts of at least one EU country </div><div>are pure third parties and police exemptions from personal data legislation will not work for them.</div><div><br></div><div>(it was page 9)</div><div><br></div><div>Following this logic, they play no special role according to GDPR and thus I am not sure we can make it a primary purpose (or at least I am not sure it will be accepted by EU DPAs).</div><div><br></div><div>P.s: I do understand importance of anti-abuse cyber investigations, but not sure how to fit their special role into purposes, compliant with GDPR.</div><div>And which might be worse, local Law Enforcement do not fit either (if they are not from EU or there is no special treaty between EU and that country). </div><div><br></div><div><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-variant-east-asian:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-variant-east-asian:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-variant-east-asian:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-variant-east-asian:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-variant-east-asian:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-style-span" style="border-collapse:separate;color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-variant-east-asian:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;border-spacing:0px"><div style="word-wrap:break-word"><div>Sincerely Yours,<br><br>Maxim Alzoba<br>Special projects manager,<br>International Relations Department,<br>FAITID<br><br>m. +7 916 6761580<span style="text-align:-webkit-auto">(+whatsapp)</span></div><div>skype oldfrogger</div><div><br></div><div>Current UTC offset: +3.00 (.Moscow)</div></div></span></div></div></div></div></div>
</div></div></div><div style="word-wrap:break-word"><div>
<br><div><blockquote type="cite"><div>On Oct 4, 2017, at 16:08, Chuck <<a href="mailto:consult@cgomes.com" target="_blank">consult@cgomes.com</a>> wrote:</div><br class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-interchange-newline"><div><div class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254WordSection1" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Note that the WG has already reached rough consensus that anti-abuse is a legitimate purpose for at least the minimum public data set. (WG Agreement 11: “<span style="font-size:13pt;font-family:Arial,sans-serif">Criminal Investigation & DNS Abuse Mitigation is a legitimate purpose for “Minimum Public Data Set” collection.</span>”<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Chuck<span style="font-size:13pt;font-family:Arial,sans-serif"><u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>From:</b><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" style="color:purple;text-decoration:underline" target="_blank">gnso-rds-pdp-wg-bounces@icann.org</a><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span>[<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" style="color:purple;text-decoration:underline" target="_blank">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]<span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><b>On Behalf Of<span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span></b>allison nixon<br><b>Sent:</b><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span>Tuesday, October 03, 2017 2:57 PM<br><b>To:</b><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span>Jeremy Malcolm <<a href="mailto:jmalcolm@eff.org" style="color:purple;text-decoration:underline" target="_blank">jmalcolm@eff.org</a>><br><b>Cc:</b><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org" style="color:purple;text-decoration:underline" target="_blank">gnso-rds-pdp-wg@icann.org</a><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span>>><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org" style="color:purple;text-decoration:underline" target="_blank">gnso-rds-pdp-wg@icann.org</a><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><<a href="mailto:gnso-rds-pdp-wg@icann.org" style="color:purple;text-decoration:underline" target="_blank">gnso-rds-pdp-wg@icann.org</a>><br><b>Subject:</b><span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span>Re: [gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thank you for the clarification. I still disagree with it but it makes more sense. <u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I would like to highlight the ICANN webpage on WHOIS:<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://whois.icann.org/en/what-whois-data-used" style="color:purple;text-decoration:underline" target="_blank">https://whois.icann.org/en/what-whois-data-used</a><u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><blockquote style="margin-left:30pt;margin-right:0in" type="cite"><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">What is WHOIS data used for?<u></u><u></u></div></div></div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">WHOIS is indispensable to the smooth operation of the DNS and is used for many legitimate purposes, including:<u></u><u></u></div></div></div></blockquote><div><div><ul type="disc" style="margin-bottom:0in"><ul type="circle" style="margin-bottom:0in"><li class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">To contact network administrators for resolution of technical matters related to networks associated with a domain name (e.g., DNS or routing matter, origin and path analysis of DoS and other network-based attacks).<u></u><u></u></li><li class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">To obtain the real world identity, business location and contact information of an online merchant or business, or generally, any organization that has an online presence.<u></u><u></u></li><li class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">To establish or look into an identity in cyberspace, and as part of an incident response following an Internet or computer attack. (Security professionals and law enforcement agents use WHOIS to identify points of contact for a domain name.)<u></u><u></u></li><li class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">To gather investigative leads (i.e., to identify parties from whom additional information might be obtained). Law enforcement agents use WHOIS to find email addresses and attempt to identify the location of an alleged perpetrator of a crime involving fraud.<u></u><u></u></li><li class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">To investigate spam, law enforcement agents look to the WHOIS database to collect information on the website advertised in the spam.<u></u><u></u></li></ul></ul></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Those and others are currently listed on ICANN's website as uses for WHOIS data. To reject anti-abuse as a purpose would be to shift away from the currently accepted purposes of WHOIS. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Tue, Oct 3, 2017 at 5:41 PM, Jeremy Malcolm <<a href="mailto:jmalcolm@eff.org" style="color:purple;text-decoration:underline" target="_blank">jmalcolm@eff.org</a>> wrote:<u></u><u></u></div><blockquote style="border-style:none none none solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in" type="cite"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On 3/10/17 2:31 pm, John Bambenek via gnso-rds-pdp-wg wrote:<br>><br>> To confirm and clarify your meaning... you don't think there should be<br>> a WHOIS/RDS and the only means to contact a domain owner should be on<br>> their website. Is that correct?<br>><br><br>No, we are fine with registrants making some information available<br>through WHOIS/RDS subject to data protection law (eg. informed consent,<br>etc). But we don't think that a starting point for the design of the<br>RDS has to take the requirements of anti-abuse specialists or reputation<br>systems as an essential element.<u></u><u></u></div><div><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif"><br>--<br>Jeremy Malcolm<br>Senior Global Policy Analyst<br>Electronic Frontier Foundation<br><a href="https://eff.org/" style="color:purple;text-decoration:underline" target="_blank">https://eff.org</a><br><a href="mailto:jmalcolm@eff.org" style="color:purple;text-decoration:underline" target="_blank">jmalcolm@eff.org</a><br><br>Tel:<span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><a href="tel:415.436.9333%20ext%20161" style="color:purple;text-decoration:underline" target="_blank">415.436.9333 ext 161</a><br><br>:: Defending Your Rights in the Digital World ::<br><br>Public key:<span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><a href="https://www.eff.org/files/2016/11/27/key_jmalcolm.txt" style="color:purple;text-decoration:underline" target="_blank">https://www.eff.org/files/2016/11/27/key_jmalcolm.txt</a><br>PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122<br><br><br><br><u></u><u></u></p></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br>_______________________________________________<br>gnso-rds-pdp-wg mailing list<br><a href="mailto:gnso-rds-pdp-wg@icann.org" style="color:purple;text-decoration:underline" target="_blank">gnso-rds-pdp-wg@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" style="color:purple;text-decoration:underline" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><u></u><u></u></div></blockquote></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br><br clear="all"><u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">--<span class="m_7406089597629729227m_-2449397515639811802m_5709486960701476254Apple-converted-space"> </span><u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">_________________________________<br>Note to self: Pillage BEFORE burning.<u></u><u></u></div></div></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">_______________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">gnso-rds-pdp-wg mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="mailto:gnso-rds-pdp-wg@icann.org" style="color:purple;text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">gnso-rds-pdp-wg@icann.org</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" style="color:purple;text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></div></blockquote></div><br></div></div>_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></blockquote></div></div></div><div>-- <br></div><div class="m_7406089597629729227gmail_signature" data-smartmail="gmail_signature">Jonathan Matkowsky</div></blockquote></div></div><div dir="ltr">-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature">Jonathan Matkowsky</div>
<br>
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)">******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>*******<br></span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)">This message was sent from RiskIQ, and is intended only for the designated recipient(s). It may contain confidential or proprietary information and may be subject to confidentiality protections. If you are not a designated recipient, you may not review, copy or distribute this message. If you receive this in error, please notify the sender by reply e-mail and delete this message. Thank you.</span><p style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"></p><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)">******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>******************************</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;background-color:rgb(255,255,255)"><wbr>*******</span>