<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>ICANN is US-based and the gTLDs we care about are owned by US
companies... I don't even have to take extraterritoriality for a
ride to get what I want.<br>
</p>
<br>
<div class="moz-cite-prefix">On 10/17/2017 08:27 AM, Stephanie
Perrin wrote:<br>
</div>
<blockquote
cite="mid:091b2d15-6009-d1d2-2c19-de5a4563469f@mail.utoronto.ca"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p><font size="+1"><font face="Lucida Grande">Where people have a
right in law to privacy, you cannot charge them to actually
put those rights in place.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie Perrin</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2017-10-16 15:43, John Bambenek
via gnso-rds-pdp-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:bdcc6f4d-7651-678c-f986-6cdb798de74a@bambenekconsulting.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>Exactly what is the impracticality of not charging people for
not listing their information in WHOIS? Many registries do
this today. Some registrars / ccTLDs operate this way by
default.</p>
<p>The only difficulty is setting the fees for the service to
cover the costs of offering said service. Businesses do this
everyday.</p>
<p>Am I missing something?<br>
</p>
<div class="moz-cite-prefix">On 10/16/2017 12:37 PM, David Cake
wrote:<br>
</div>
<blockquote
cite="mid:3ADF4095-E553-4EC9-B28D-6904D4024EBC@davecake.net"
type="cite">
<div dir="auto" style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class="">
<div dir="auto" style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class="">
<div dir="auto" style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class="">I do not think that other
people know what you need to do your job as your
currently do it.
<div class=""><br class="">
<div class="">It is plain that the intent of the GDPR
is to change existing practice. You have suggested
sweeping changes to the way other people practice
their businesses (such as mandatory privacy
protection for free), they have said those changes
are impractical. You have resolutely claimed that
significant changes to the way you do your work are
not only impossible, but so self-evidently so that
all we really need to do is to explain to the DPAs
that it is important that you not have to change.
There is, as yet, no evidence whatsoever that this
is a likely outcome. </div>
<div class=""><br class="">
</div>
<div class="">I do accept that fighting abuse is a
worthy endeavour. I also think there are multiple
forms of abuse, some of which will be significantly
m</div>
<div class=""><br class="">
</div>
<div class="">If you accept that the law is unlikely
to be changed or vetoed significantly explicitly to
support the work you do, then we can move on to
considering compromises that might make that
practical, such </div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 29 Sep 2017, at 6:18 am, John
Bambenek via gnso-rds-pdp-wg <<a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org"
class="">gnso-rds-pdp-wg@icann.org</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<p class="">I want to me too this... this is
the single biggest cause of the contention
in this group. I am being told by people
who don't do anti-abuse or investigations
on what I need to do my job and when I
tell them what I need to do my job, my
opinion doesn't matter.</p>
<p class="">**We** are the experts in this
field. It'd be nice when people are
talking about what is needed to fight
abuse, we at least consider the opinions
of people that **actually fight said
abuse**.</p>
<p class="">And we will be taking this
message to the DPAs directly so they
understand what's at stake.<br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 09/28/2017
05:10 PM, John Horton wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:CADW+euvt1RW8nLdG=3R1WKuFkzgRteO2GyPTpWtL=sgjHv6ssQ@mail.gmail.com"
class="">
<div dir="ltr" class="">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;color:#444444">Chuck,
let me briefly (I hope briefly) weigh
in in response to that. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;color:#444444"><br
class="">
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;color:#444444">My
observation is that the group does
agree that fighting abuse is a worthy
endeavor -- I suspect you'd get
unanimity on that point. My sense is
that where there's disagreement may be
on two points:</div>
<div class="gmail_default">
<ol class="">
<li class=""><font class=""
face="arial, helvetica,
sans-serif" color="#444444">Whether
anti-abuse types really need a
Whois record of the domain name
in question to fight abuse --
the argument has been made that
Whois is so often falsified, or
privacy-protected, etc. that
Whois isn't <u class="">really</u> useful
to anti-abuse types, and that
there are more useful tools than
Whois. </font></li>
<li class=""><font class=""
face="arial, helvetica,
sans-serif" color="#444444">Whether
the entire Whois data set (or,
say, even 95% of it), and being
able to reverse query against
it, is useful to anti-abuse
types. <br class="">
</font></li>
</ol>
<div class=""><font class=""
face="arial, helvetica,
sans-serif" color="#444444">From
my perspective, I do think that
there are a few folks in this
working group who, even when I or
others have repeatedly insisted
that (and provide examples of how)
we genuinely need 1) Whois records
on specific merchants or bad
actors, and 2) need the entire
corpus against which to reverse
query, seem unwilling to take our
representations and examples at
face value. I guess I've become a
little cynical as to whether, even
if that argument is presented
objectively and compellingly,
working group members are willing
to be persuaded of it or not. </font></div>
<div class=""><font class=""
face="arial, helvetica,
sans-serif" color="#444444"><br
class="">
</font></div>
<div class=""><font class=""
face="arial, helvetica,
sans-serif" color="#444444"><br
class="">
</font></div>
</div>
</div>
<div class="gmail_extra"><br class=""
clear="all">
<div class="">
<div class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr"
class="">
<div dir="ltr"
class="">
<div dir="ltr"
class="">
<div dir="ltr"
class="">
<div dir="ltr"
class="">
<div dir="ltr"
class=""><font
class=""
face="arial,
helvetica,
sans-serif"
color="#073763">John
Horton<br
class="">
President and
CEO,
LegitScript</font>
<div class=""><img
src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&revid=0B13GfLt8zwZJSG9zOUVwN1lFKzFrRVlnaWU0NGZ4RmdkUjg4PQ"
moz-do-not-send="true" class="" height="36" width="96"><br class="">
<div class="">
<div
style="margin:
0px;
font-style:
normal;
font-variant-caps:
normal;
font-weight:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><br
class="">
</div>
<div
style="margin:
0px;
font-style:
normal;
font-variant-ligatures:
normal;
font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><b
class=""><font
class=""
color="#444444">Follow</font><font
class=""
color="#0b5394"> </font><font
class="">Legit</font><font
class=""
color="#0b5394">Script</font></b>: <a
href="http://www.linkedin.com/company/legitscript-com"
style="color:rgb(17,85,204)"
target="_blank" moz-do-not-send="true" class=""><font class=""
color="#cc0000">LinkedIn</font></a>
| <a
href="https://www.facebook.com/LegitScript"
style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"
class=""><font
class=""
color="#6aa84f">Facebook</font></a>
| <a
href="https://twitter.com/legitscript"
style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"
class=""><font
class=""
color="#674ea7">Twitter</font></a>
| <font
class=""
color="#ff9900"><u
class=""><a
href="http://blog.legitscript.com/"
style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"
class="">Blog</a></u></font> |<font
class=""
color="#ff9900"> <a
href="http://go.legitscript.com/Subscription-Management.html"
style="color:rgb(17,85,204)"
target="_blank" moz-do-not-send="true" class=""><font class=""
color="#ff9900">Newsletter</font></a></font><br
class="">
</div>
<div
style="margin:
0px;
font-style:
normal;
font-variant-ligatures:
normal;
font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><font
class=""
color="#ff9900"><br
class="">
</font></div>
<div
style="text-align:
left; margin:
0px;
font-style:
normal;
font-variant-ligatures:
normal;
font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><font
class=""
color="#ff9900"><img
src="https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png"
moz-do-not-send="true" class="" height="96" width="46"><img
src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ"
moz-do-not-send="true" class="" height="96" width="47"><br class="">
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br class="">
<div class="gmail_quote">On Thu, Sep 28,
2017 at 2:51 PM, Chuck <span
dir="ltr" class=""><<a
href="mailto:consult@cgomes.com"
target="_blank"
moz-do-not-send="true" class="">consult@cgomes.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">I could be
wrong but I think that we need to
first convince ourselves as a<br
class="">
working group that fighting abuse is
a critical and essential need and I<br
class="">
don't think that should be hard to
do. A lot of you have made very
strong<br class="">
arguments in that regard and I
believe that we have already agreed
that<br class="">
fighting abuse is a legitimate
purpose for at least some RDS
elements.<br class="">
<br class="">
Note WG agreement #11: "Criminal
Investigation & DNS Abuse
Mitigation is a<br class="">
legitimate purpose for "Minimum
Public Data Set" collection." We
obviously<br class="">
have to get beyond the MPDS and we
will.<br class="">
<br class="">
It seems to me that the following WG
agreement, although not directly<br
class="">
related to abuse mitigation, sets a
basis upon which we can further<br
class="">
deliberate the abuse mitigation
purpose: " 17. A purpose of RDS is
to<br class="">
facilitate dissemination of gTLD
registration data of record, such as
domain<br class="">
names and their domain contacts and
name servers, in accordance with<br
class="">
applicable policy." I admit that
there is a lot of work we must do to<br
class="">
develop requirements and ultimately
policies to allow and support the
use of<br class="">
RDS data for abuse mitigation
purposes but we can do that.<br
class="">
<br class="">
I think all of the following recent
WG agreements indirectly support
further<br class="">
deliberation on the abuse mitigation
purpose:<br class="">
" 30. At least one element
identifying the domain name
registrant (i.e.,<br class="">
registered name holder) must be
collected and included in the RDS.<br
class="">
31. Data enabling at least one way
to contact the registrant must be<br
class="">
collected and included in the RDS.<br
class="">
32. At a minimum, one or more email
addresses must be collected for
every<br class="">
domain name included in the RDS, for
contact roles that require an email<br
class="">
address for contactability.<br
class="">
33. For resiliency, data enabling
alternative or preferred method(s)
of<br class="">
contact should be included in the
RDS; further deliberation to
determine<br class="">
whether such data element(s) should
be optional or mandatory to collect.<br
class="">
34. At least one element enabling
contact must be based on an open
standard<br class="">
and not a proprietary communication
method.<br class="">
35. To improve contactability with
the domain name registrant (or
authorized<br class="">
agent of the registrant), the RDS
must be capable of supporting at
least one<br class="">
alternative contact method as an
optional field.<br class="">
36. Purpose-based contact (PBC)
types identified (Admin, Legal,
Technical,<br class="">
Abuse, Proxy/Privacy, Business) must
be supported by the RDS but optional<br
class="">
for registrants to provide.<br
class="">
37. The URL of the Internic
Complaint Site must be supported for
inclusion<br class="">
in the RDS.<br class="">
38. The Registrar Abuse Contact
Email Address must be supported for<br
class="">
inclusion in the RDS, and must be
provided by Registrars.<br class="">
39. Reseller Name MUST be supported
by the RDS. Note: There may be a
chain<br class="">
or Resellers identified by Reseller
Name.<br class="">
40. Per recently-approved consensus
policy on consistent labeling and<br
class="">
display, BOTH the Registrar Abuse
Contact Email and Registrar Abuse
Contact<br class="">
Phone must be supported for
inclusion in the RDS, and MUST be
provided by<br class="">
Registrars.<br class="">
41. In the interest of maximizing
contactability, additional contact
methods<br class="">
MUST be supported by the RDS as an
open-ended list and be optional for<br
class="">
Registrants to provide. This does
not preclude agreements on
requirements to<br class="">
include other contact methods.<br
class="">
42. The RDS must support Registrant
Postal Address data elements:
Registrant<br class="">
Street Address, City,
State/Province, and Postal Code.<br
class="">
43. The RDS must support Registrant
Phone + Registrant Phone Ext
(extension)<br class="">
data elements " I call this one out
in reaction to some discussion on
the<br class="">
WG list today about identification
of the domain name registrant."<br
class="">
These may not go far enough for some
but they provide a start that we can<br
class="">
build on.<br class="">
<span class="HOEnZb"><font class=""
color="#888888"><br class="">
Chuck<br class="">
</font></span><span class="im
HOEnZb"><br class="">
-----Original Message-----<br
class="">
From: <a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg-bounces@icann.<wbr
class="">org</a><br class="">
[mailto:<a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg-<wbr
class="">bounces@icann.org</a>]
On Behalf Of theo geurts<br
class="">
Sent: Thursday, September 28, 2017
11:07 AM<br class="">
To: Andrew Sullivan <<a
href="mailto:ajs@anvilwalrusden.com"
moz-do-not-send="true" class="">ajs@anvilwalrusden.com</a>>;
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
Subject: Re: [gnso-rds-pdp-wg]
ICANN Meetings/Conversations with
Data<br class="">
Protection and Privacy
Commissioners<br class="">
<br class="">
</span>
<div class="HOEnZb">
<div class="h5">Hello Andrew,<br
class="">
<br class="">
1 I agree you need to be
specific, but also you should
ask, would a DPA<br class="">
accept it? Regardless if that is
a DPA in Europe or China or
Jamaica.<br class="">
Setting the baseline to the GDPR
would be a mistake, these data
protection<br class="">
laws are always in motion. As
such you need to implement data
protection<br class="">
principles when you define
purpose. Did we really do that?<br
class="">
<br class="">
2 I am not sure if there is a
misapprehension. I do think we
did not go out<br class="">
of the box far enough. We
somehow keep circling back to
the WHOIS, and that<br class="">
is somewhat strange given the
composition of the WG.<br
class="">
We did put a ton of work into
looking at the current data
elements and all<br class="">
that, but we never into the
concept of no WHOIS/RDS and come
up with a<br class="">
solution in such a scenario.<br
class="">
<br class="">
If we want to convince these
policymakers of what we are
facing abuse wise,<br class="">
we must do better.<br class="">
<br class="">
Theo<br class="">
<br class="">
<br class="">
On 28-9-2017 19:11, Andrew
Sullivan wrote:<br class="">
> On Thu, Sep 28, 2017 at
06:46:29PM +0200, theo geurts
wrote:<br class="">
>> I think it is meant
that IP addresses will be
considered personal<br class="">
>> information under the
GDPR, that concept might be new
to folks in this<br class="">
WG.<br class="">
> I _know_ that. But there
are two issues here:<br class="">
><br class="">
> 1. It appears
entirely clear, both from
previous discussions and<br
class="">
> from the legal
analysis that was just
delivered, that collection<br
class="">
> of certain data (and
we're still talking about
collection,<br class="">
> remember) is permitted
if you have legitimate purposes.<br
class="">
> Therefore, we should
be paying attention to those
purposes, and be<br class="">
> specific about it.<br
class="">
><br class="">
> 2. It is possible
that any law, or any
interpretation of the law,<br
class="">
> is being made with a
misapprehension of how the
Internet actually<br class="">
> works. Quite frankly,
it is apparent to me that an
alarming<br class="">
> number of policymakers
have a deeply mistaken model for
the way<br class="">
> the Internet works,
mostly aligned with a picture
that looks like<br class="">
> the way the phone
system used to work. But we
have to make policy<br class="">
> for the actual
Internet, rather than for some
system that does not<br class="">
> actually exist. This
is why I sent that note the
other day about<br class="">
> figuring out what we
want and then asking lawyers how
that can be<br class="">
> made to comport with
such legal regimes as we know,
rather than<br class="">
> doing it the other
way.<br class="">
><br class="">
> Best regards,<br class="">
><br class="">
> A<br class="">
><br class="">
<br class="">
______________________________<wbr
class="">_________________<br
class="">
gnso-rds-pdp-wg mailing list<br
class="">
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true"
class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer"
target="_blank"
moz-do-not-send="true"
class="">https://mm.icann.org/mailman/<wbr
class="">listinfo/gnso-rds-pdp-wg</a><br
class="">
<br class="">
______________________________<wbr
class="">_________________<br
class="">
gnso-rds-pdp-wg mailing list<br
class="">
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true"
class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer"
target="_blank"
moz-do-not-send="true"
class="">https://mm.icann.org/mailman/<wbr
class="">listinfo/gnso-rds-pdp-wg</a><br
class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="" wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br class="">
</div>
_______________________________________________<br class="">
gnso-rds-pdp-wg mailing list<br class="">
<a moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org"
class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
<a class="moz-txt-link-freetext"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</body>
</html>