<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">Where people have a
right in law to privacy, you cannot charge them to actually
put those rights in place.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie Perrin</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2017-10-16 15:43, John Bambenek via
gnso-rds-pdp-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:bdcc6f4d-7651-678c-f986-6cdb798de74a@bambenekconsulting.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>Exactly what is the impracticality of not charging people for
not listing their information in WHOIS? Many registries do this
today. Some registrars / ccTLDs operate this way by default.</p>
<p>The only difficulty is setting the fees for the service to
cover the costs of offering said service. Businesses do this
everyday.</p>
<p>Am I missing something?<br>
</p>
<div class="moz-cite-prefix">On 10/16/2017 12:37 PM, David Cake
wrote:<br>
</div>
<blockquote
cite="mid:3ADF4095-E553-4EC9-B28D-6904D4024EBC@davecake.net"
type="cite">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode:
space; -webkit-line-break: after-white-space;" class="">
<div dir="auto" style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class="">
<div dir="auto" style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class="">I do not think that other
people know what you need to do your job as your currently
do it.
<div class=""><br class="">
<div class="">It is plain that the intent of the GDPR is
to change existing practice. You have suggested
sweeping changes to the way other people practice
their businesses (such as mandatory privacy protection
for free), they have said those changes are
impractical. You have resolutely claimed that
significant changes to the way you do your work are
not only impossible, but so self-evidently so that all
we really need to do is to explain to the DPAs that it
is important that you not have to change. There is, as
yet, no evidence whatsoever that this is a likely
outcome. </div>
<div class=""><br class="">
</div>
<div class="">I do accept that fighting abuse is a
worthy endeavour. I also think there are multiple
forms of abuse, some of which will be significantly m</div>
<div class=""><br class="">
</div>
<div class="">If you accept that the law is unlikely to
be changed or vetoed significantly explicitly to
support the work you do, then we can move on to
considering compromises that might make that
practical, such </div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 29 Sep 2017, at 6:18 am, John
Bambenek via gnso-rds-pdp-wg <<a
moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org"
class="">gnso-rds-pdp-wg@icann.org</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<p class="">I want to me too this... this is
the single biggest cause of the contention
in this group. I am being told by people who
don't do anti-abuse or investigations on
what I need to do my job and when I tell
them what I need to do my job, my opinion
doesn't matter.</p>
<p class="">**We** are the experts in this
field. It'd be nice when people are talking
about what is needed to fight abuse, we at
least consider the opinions of people that
**actually fight said abuse**.</p>
<p class="">And we will be taking this message
to the DPAs directly so they understand
what's at stake.<br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 09/28/2017
05:10 PM, John Horton wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:CADW+euvt1RW8nLdG=3R1WKuFkzgRteO2GyPTpWtL=sgjHv6ssQ@mail.gmail.com"
class="">
<div dir="ltr" class="">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;color:#444444">Chuck,
let me briefly (I hope briefly) weigh in
in response to that. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;color:#444444"><br
class="">
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;color:#444444">My
observation is that the group does agree
that fighting abuse is a worthy endeavor
-- I suspect you'd get unanimity on that
point. My sense is that where there's
disagreement may be on two points:</div>
<div class="gmail_default">
<ol class="">
<li class=""><font class=""
face="arial, helvetica,
sans-serif" color="#444444">Whether
anti-abuse types really need a
Whois record of the domain name in
question to fight abuse -- the
argument has been made that Whois
is so often falsified, or
privacy-protected, etc. that Whois
isn't <u class="">really</u> useful
to anti-abuse types, and that
there are more useful tools than
Whois. </font></li>
<li class=""><font class=""
face="arial, helvetica,
sans-serif" color="#444444">Whether
the entire Whois data set (or,
say, even 95% of it), and being
able to reverse query against it,
is useful to anti-abuse types. <br
class="">
</font></li>
</ol>
<div class=""><font class=""
face="arial, helvetica, sans-serif"
color="#444444">From my perspective,
I do think that there are a few
folks in this working group who,
even when I or others have
repeatedly insisted that (and
provide examples of how) we
genuinely need 1) Whois records on
specific merchants or bad actors,
and 2) need the entire corpus
against which to reverse query, seem
unwilling to take our
representations and examples at face
value. I guess I've become a little
cynical as to whether, even if that
argument is presented objectively
and compellingly, working group
members are willing to be persuaded
of it or not. </font></div>
<div class=""><font class=""
face="arial, helvetica, sans-serif"
color="#444444"><br class="">
</font></div>
<div class=""><font class=""
face="arial, helvetica, sans-serif"
color="#444444"><br class="">
</font></div>
</div>
</div>
<div class="gmail_extra"><br class=""
clear="all">
<div class="">
<div class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr"
class="">
<div dir="ltr"
class="">
<div dir="ltr"
class="">
<div dir="ltr"
class="">
<div dir="ltr"
class=""><font
class=""
face="arial,
helvetica,
sans-serif"
color="#073763">John
Horton<br
class="">
President and
CEO,
LegitScript</font>
<div class=""><img
src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&revid=0B13GfLt8zwZJSG9zOUVwN1lFKzFrRVlnaWU0NGZ4RmdkUjg4PQ"
moz-do-not-send="true" class="" width="96" height="36"><br class="">
<div class="">
<div
style="margin:
0px;
font-style:
normal;
font-variant-caps:
normal;
font-weight:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><br
class="">
</div>
<div
style="margin:
0px;
font-style:
normal;
font-variant-ligatures:
normal;
font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><b
class=""><font
class=""
color="#444444">Follow</font><font
class=""
color="#0b5394"> </font><font
class="">Legit</font><font
class=""
color="#0b5394">Script</font></b>: <a
href="http://www.linkedin.com/company/legitscript-com"
style="color:rgb(17,85,204)"
target="_blank" moz-do-not-send="true" class=""><font class=""
color="#cc0000">LinkedIn</font></a>
| <a
href="https://www.facebook.com/LegitScript"
style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"
class=""><font
class=""
color="#6aa84f">Facebook</font></a>
| <a
href="https://twitter.com/legitscript"
style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"
class=""><font
class=""
color="#674ea7">Twitter</font></a>
| <font
class=""
color="#ff9900"><u
class=""><a
href="http://blog.legitscript.com/"
style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"
class="">Blog</a></u></font> |<font
class=""
color="#ff9900"> <a
href="http://go.legitscript.com/Subscription-Management.html"
style="color:rgb(17,85,204)"
target="_blank" moz-do-not-send="true" class=""><font class=""
color="#ff9900">Newsletter</font></a></font><br
class="">
</div>
<div
style="margin:
0px;
font-style:
normal;
font-variant-ligatures:
normal;
font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><font
class=""
color="#ff9900"><br
class="">
</font></div>
<div
style="text-align:
left; margin:
0px;
font-style:
normal;
font-variant-ligatures:
normal;
font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal;
font-size:
12px;
line-height:
normal;
font-family:
Helvetica;"
class=""><font
class=""
color="#ff9900"><img
src="https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png"
moz-do-not-send="true" class="" width="46" height="96"><img
src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ"
moz-do-not-send="true" class="" width="47" height="96"><br class="">
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br class="">
<div class="gmail_quote">On Thu, Sep 28,
2017 at 2:51 PM, Chuck <span dir="ltr"
class=""><<a
href="mailto:consult@cgomes.com"
target="_blank"
moz-do-not-send="true" class="">consult@cgomes.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">I could be
wrong but I think that we need to
first convince ourselves as a<br
class="">
working group that fighting abuse is a
critical and essential need and I<br
class="">
don't think that should be hard to
do. A lot of you have made very
strong<br class="">
arguments in that regard and I believe
that we have already agreed that<br
class="">
fighting abuse is a legitimate purpose
for at least some RDS elements.<br
class="">
<br class="">
Note WG agreement #11: "Criminal
Investigation & DNS Abuse
Mitigation is a<br class="">
legitimate purpose for "Minimum Public
Data Set" collection." We obviously<br
class="">
have to get beyond the MPDS and we
will.<br class="">
<br class="">
It seems to me that the following WG
agreement, although not directly<br
class="">
related to abuse mitigation, sets a
basis upon which we can further<br
class="">
deliberate the abuse mitigation
purpose: " 17. A purpose of RDS is to<br
class="">
facilitate dissemination of gTLD
registration data of record, such as
domain<br class="">
names and their domain contacts and
name servers, in accordance with<br
class="">
applicable policy." I admit that
there is a lot of work we must do to<br
class="">
develop requirements and ultimately
policies to allow and support the use
of<br class="">
RDS data for abuse mitigation purposes
but we can do that.<br class="">
<br class="">
I think all of the following recent WG
agreements indirectly support further<br
class="">
deliberation on the abuse mitigation
purpose:<br class="">
" 30. At least one element identifying
the domain name registrant (i.e.,<br
class="">
registered name holder) must be
collected and included in the RDS.<br
class="">
31. Data enabling at least one way to
contact the registrant must be<br
class="">
collected and included in the RDS.<br
class="">
32. At a minimum, one or more email
addresses must be collected for every<br
class="">
domain name included in the RDS, for
contact roles that require an email<br
class="">
address for contactability.<br
class="">
33. For resiliency, data enabling
alternative or preferred method(s) of<br
class="">
contact should be included in the RDS;
further deliberation to determine<br
class="">
whether such data element(s) should be
optional or mandatory to collect.<br
class="">
34. At least one element enabling
contact must be based on an open
standard<br class="">
and not a proprietary communication
method.<br class="">
35. To improve contactability with the
domain name registrant (or authorized<br
class="">
agent of the registrant), the RDS must
be capable of supporting at least one<br
class="">
alternative contact method as an
optional field.<br class="">
36. Purpose-based contact (PBC) types
identified (Admin, Legal, Technical,<br
class="">
Abuse, Proxy/Privacy, Business) must
be supported by the RDS but optional<br
class="">
for registrants to provide.<br
class="">
37. The URL of the Internic Complaint
Site must be supported for inclusion<br
class="">
in the RDS.<br class="">
38. The Registrar Abuse Contact Email
Address must be supported for<br
class="">
inclusion in the RDS, and must be
provided by Registrars.<br class="">
39. Reseller Name MUST be supported by
the RDS. Note: There may be a chain<br
class="">
or Resellers identified by Reseller
Name.<br class="">
40. Per recently-approved consensus
policy on consistent labeling and<br
class="">
display, BOTH the Registrar Abuse
Contact Email and Registrar Abuse
Contact<br class="">
Phone must be supported for inclusion
in the RDS, and MUST be provided by<br
class="">
Registrars.<br class="">
41. In the interest of maximizing
contactability, additional contact
methods<br class="">
MUST be supported by the RDS as an
open-ended list and be optional for<br
class="">
Registrants to provide. This does not
preclude agreements on requirements to<br
class="">
include other contact methods.<br
class="">
42. The RDS must support Registrant
Postal Address data elements:
Registrant<br class="">
Street Address, City, State/Province,
and Postal Code.<br class="">
43. The RDS must support Registrant
Phone + Registrant Phone Ext
(extension)<br class="">
data elements " I call this one out
in reaction to some discussion on the<br
class="">
WG list today about identification of
the domain name registrant."<br
class="">
These may not go far enough for some
but they provide a start that we can<br
class="">
build on.<br class="">
<span class="HOEnZb"><font class=""
color="#888888"><br class="">
Chuck<br class="">
</font></span><span class="im
HOEnZb"><br class="">
-----Original Message-----<br
class="">
From: <a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg-bounces@icann.<wbr
class="">org</a><br class="">
[mailto:<a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg-<wbr
class="">bounces@icann.org</a>]
On Behalf Of theo geurts<br class="">
Sent: Thursday, September 28, 2017
11:07 AM<br class="">
To: Andrew Sullivan <<a
href="mailto:ajs@anvilwalrusden.com"
moz-do-not-send="true" class="">ajs@anvilwalrusden.com</a>>;
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
Subject: Re: [gnso-rds-pdp-wg] ICANN
Meetings/Conversations with Data<br
class="">
Protection and Privacy Commissioners<br
class="">
<br class="">
</span>
<div class="HOEnZb">
<div class="h5">Hello Andrew,<br
class="">
<br class="">
1 I agree you need to be specific,
but also you should ask, would a
DPA<br class="">
accept it? Regardless if that is a
DPA in Europe or China or Jamaica.<br
class="">
Setting the baseline to the GDPR
would be a mistake, these data
protection<br class="">
laws are always in motion. As such
you need to implement data
protection<br class="">
principles when you define
purpose. Did we really do that?<br
class="">
<br class="">
2 I am not sure if there is a
misapprehension. I do think we did
not go out<br class="">
of the box far enough. We somehow
keep circling back to the WHOIS,
and that<br class="">
is somewhat strange given the
composition of the WG.<br class="">
We did put a ton of work into
looking at the current data
elements and all<br class="">
that, but we never into the
concept of no WHOIS/RDS and come
up with a<br class="">
solution in such a scenario.<br
class="">
<br class="">
If we want to convince these
policymakers of what we are facing
abuse wise,<br class="">
we must do better.<br class="">
<br class="">
Theo<br class="">
<br class="">
<br class="">
On 28-9-2017 19:11, Andrew
Sullivan wrote:<br class="">
> On Thu, Sep 28, 2017 at
06:46:29PM +0200, theo geurts
wrote:<br class="">
>> I think it is meant that
IP addresses will be considered
personal<br class="">
>> information under the
GDPR, that concept might be new to
folks in this<br class="">
WG.<br class="">
> I _know_ that. But there are
two issues here:<br class="">
><br class="">
> 1. It appears entirely
clear, both from previous
discussions and<br class="">
> from the legal analysis
that was just delivered, that
collection<br class="">
> of certain data (and
we're still talking about
collection,<br class="">
> remember) is permitted
if you have legitimate purposes.<br
class="">
> Therefore, we should be
paying attention to those
purposes, and be<br class="">
> specific about it.<br
class="">
><br class="">
> 2. It is possible that
any law, or any interpretation of
the law,<br class="">
> is being made with a
misapprehension of how the
Internet actually<br class="">
> works. Quite frankly,
it is apparent to me that an
alarming<br class="">
> number of policymakers
have a deeply mistaken model for
the way<br class="">
> the Internet works,
mostly aligned with a picture that
looks like<br class="">
> the way the phone system
used to work. But we have to make
policy<br class="">
> for the actual Internet,
rather than for some system that
does not<br class="">
> actually exist. This is
why I sent that note the other day
about<br class="">
> figuring out what we
want and then asking lawyers how
that can be<br class="">
> made to comport with
such legal regimes as we know,
rather than<br class="">
> doing it the other way.<br
class="">
><br class="">
> Best regards,<br class="">
><br class="">
> A<br class="">
><br class="">
<br class="">
______________________________<wbr
class="">_________________<br
class="">
gnso-rds-pdp-wg mailing list<br
class="">
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true" class="">https://mm.icann.org/mailman/<wbr
class="">listinfo/gnso-rds-pdp-wg</a><br
class="">
<br class="">
______________________________<wbr
class="">_________________<br
class="">
gnso-rds-pdp-wg mailing list<br
class="">
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true" class="">https://mm.icann.org/mailman/<wbr
class="">listinfo/gnso-rds-pdp-wg</a><br
class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="" wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br class="">
</div>
_______________________________________________<br
class="">
gnso-rds-pdp-wg mailing list<br class="">
<a moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org"
class="">gnso-rds-pdp-wg@icann.org</a><br
class="">
<a class="moz-txt-link-freetext"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</body>
</html>