<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I do not think that other people know what you need to do your job as you currently do it.&nbsp;<div class=""><br class=""><div class="">It is plain that the intent of the GDPR is to change existing practice. You have suggested sweeping changes to the way other people practice their businesses (such as mandatory privacy protection for free); they have said those changes are impractical. You have resolutely claimed that significant changes to the way you do your work are not only impossible, but so self-evidently so that all we really need to do is to explain to the DPAs that it is important that you not have to change. There is, as yet, no evidence whatsoever that this is a likely outcome.&nbsp;</div><div class=""><br class=""></div><div class="">I do accept that fighting abuse is a worthy endeavour. 
I also think there are multiple forms of abuse, some of which will be significantly m</div><div class=""><br class=""></div><div class="">If you accept that the law is unlikely to be changed or vetoed significantly explicitly to support the work you do, then we can move on to considering compromises that might make that practical, such&nbsp;</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 29 Sep 2017, at 6:18 am, John Bambenek via gnso-rds-pdp-wg &lt;<a href="mailto:gnso-rds-pdp-wg@icann.org" class="">gnso-rds-pdp-wg@icann.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div text="#000000" bgcolor="#FFFFFF" class=""><p class="">I want to me too this... this is the single biggest cause of the
      contention in this group. I am being told by people who don't do
      anti-abuse or investigations on what I need to do my job and when
      I tell them what I need to do my job, my opinion doesn't matter.</p><p class="">**We** are the experts in this field. It'd be nice when people
      are talking about what is needed to fight abuse, we at least
      consider the opinions of people that **actually fight said
      abuse**.</p><p class="">And we will be taking this message to the DPAs directly so they
      understand what's at stake.<br class="">
    </p>
    <br class="">
    <div class="moz-cite-prefix">On 09/28/2017 05:10 PM, John Horton
      wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:CADW+euvt1RW8nLdG=3R1WKuFkzgRteO2GyPTpWtL=sgjHv6ssQ@mail.gmail.com" class="">
      <div dir="ltr" class="">
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;color:#444444">Chuck,
          let me briefly (I hope briefly) weigh in in response to that.&nbsp;</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;color:#444444"><br class="">
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;color:#444444">My
          observation is that the group does agree that fighting abuse
          is a worthy endeavor -- I suspect you'd get unanimity on that
          point. My sense is that where there's disagreement may be on
          two points:</div>
        <div class="gmail_default">
          <ol class="">
            <li class=""><font face="arial, helvetica, sans-serif" color="#444444" class="">Whether anti-abuse types really need a
                Whois record of the domain name in question to fight
                abuse -- the argument has been made that Whois is so
                often falsified, or privacy-protected, etc. that Whois
                isn't <u class="">really</u>&nbsp;useful to anti-abuse types, and
                that there are more useful tools than Whois.&nbsp;</font></li>
            <li class=""><font face="arial, helvetica, sans-serif" color="#444444" class="">Whether the entire Whois data set (or,
                say, even 95% of it), and being able to reverse query
                against it, is useful to anti-abuse types.&nbsp;<br class="">
              </font></li>
          </ol>
          <div class=""><font face="arial, helvetica, sans-serif" color="#444444" class="">From
              my perspective, I do think that there are a few folks in
              this working group who, even when I or others have
              repeatedly insisted that (and provided examples of how) we
              genuinely need 1) Whois records on specific merchants or
              bad actors, and 2) need the entire corpus against which to
              reverse query, seem unwilling to take our representations
              and examples at face value. I guess I've become a little
              cynical as to whether, even if that argument is presented
              objectively and compellingly, working group members are
              willing to be persuaded of it or not.&nbsp;</font></div>
          <div class=""><font face="arial, helvetica, sans-serif" color="#444444" class=""><br class="">
            </font></div>
          <div class=""><font face="arial, helvetica, sans-serif" color="#444444" class=""><br class="">
            </font></div>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all" class="">
        <div class="">
          <div class="gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr" class="">
              <div class="">
                <div dir="ltr" class="">
                  <div dir="ltr" class="">
                    <div dir="ltr" class="">
                      <div dir="ltr" class="">
                        <div dir="ltr" class="">
                          <div dir="ltr" class="">
                            <div dir="ltr" class="">
                              <div dir="ltr" class="">
                                <div dir="ltr" class="">
                                  <div dir="ltr" class="">
                                    <div dir="ltr" class=""><font face="arial,
                                        helvetica, sans-serif" color="#073763" class="">John Horton<br class="">
                                        President and CEO, LegitScript</font>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br class="">
        <div class="gmail_quote">On Thu, Sep 28, 2017 at 2:51 PM, Chuck
          <span dir="ltr" class="">&lt;<a href="mailto:consult@cgomes.com" target="_blank" moz-do-not-send="true" class="">consult@cgomes.com</a>&gt;</span>
          wrote:<br class="">
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">I could be
            wrong but I think that we need to first convince ourselves
            as a<br class="">
            working group that fighting abuse is a critical and
            essential need and I<br class="">
            don't think that should be hard to do.&nbsp; A lot of you have
            made very strong<br class="">
            arguments in that regard and I believe that we have already
            agreed that<br class="">
            fighting abuse is a legitimate purpose for at least some RDS
            elements.<br class="">
            <br class="">
            Note WG agreement #11: "Criminal Investigation &amp; DNS
            Abuse Mitigation is a<br class="">
            legitimate purpose for "Minimum Public Data Set"
            collection."&nbsp; We obviously<br class="">
            have to get beyond the MPDS and we will.<br class="">
            <br class="">
            It seems to me that the following WG agreement, although not
            directly<br class="">
            related to abuse mitigation, sets a basis upon which we can
            further<br class="">
            deliberate the abuse mitigation purpose: " 17.&nbsp; A purpose of
            RDS is to<br class="">
            facilitate dissemination of gTLD registration data of
            record, such as domain<br class="">
            names and their domain contacts and name servers, in
            accordance with<br class="">
            applicable policy."&nbsp; I admit that there is a lot of work we
            must do to<br class="">
            develop requirements and ultimately policies to allow and
            support the use of<br class="">
            RDS data for abuse mitigation purposes but we can do that.<br class="">
            <br class="">
            I think all of the following recent WG agreements indirectly
            support further<br class="">
            deliberation on the abuse mitigation purpose:<br class="">
            " 30. At least one element identifying the domain name
            registrant (i.e.,<br class="">
            registered name holder) must be collected and included in
            the RDS.<br class="">
            31. Data enabling at least one way to contact the registrant
            must be<br class="">
            collected and included in the RDS.<br class="">
            32. At a minimum, one or more email addresses must be
            collected for every<br class="">
            domain name included in the RDS, for contact roles that
            require an email<br class="">
            address for contactability.<br class="">
            33. For resiliency, data enabling alternative or preferred
            method(s) of<br class="">
            contact should be included in the RDS; further deliberation
            to determine<br class="">
            whether such data element(s) should be optional or mandatory
            to collect.<br class="">
            34. At least one element enabling contact must be based on
            an open standard<br class="">
            and not a proprietary communication method.<br class="">
            35. To improve contactability with the domain name
            registrant (or authorized<br class="">
            agent of the registrant), the RDS must be capable of
            supporting at least one<br class="">
            alternative contact method as an optional field.<br class="">
            36. Purpose-based contact (PBC) types identified (Admin,
            Legal, Technical,<br class="">
            Abuse, Proxy/Privacy, Business) must be supported by the RDS
            but optional<br class="">
            for registrants to provide.<br class="">
            37. The URL of the Internic Complaint Site must be supported
            for inclusion<br class="">
            in the RDS.<br class="">
            38. The Registrar Abuse Contact Email Address must be
            supported for<br class="">
            inclusion in the RDS, and must be provided by Registrars.<br class="">
            39. Reseller Name MUST be supported by the RDS. Note: There
            may be a chain<br class="">
            of Resellers identified by Reseller Name.<br class="">
            40. Per recently-approved consensus policy on consistent
            labeling and<br class="">
            display, BOTH the Registrar Abuse Contact Email and
            Registrar Abuse Contact<br class="">
            Phone must be supported for inclusion in the RDS, and MUST
            be provided by<br class="">
            Registrars.<br class="">
            41. In the interest of maximizing contactability, additional
            contact methods<br class="">
            MUST be supported by the RDS as an open-ended list and be
            optional for<br class="">
            Registrants to provide. This does not preclude agreements on
            requirements to<br class="">
            include other contact methods.<br class="">
            42. The RDS must support Registrant Postal Address data
            elements: Registrant<br class="">
            Street Address, City, State/Province, and Postal Code.<br class="">
            43. The RDS must support Registrant Phone + Registrant Phone
            Ext (extension)<br class="">
            data elements "&nbsp; I call this one out in reaction to some
            discussion on the<br class="">
            WG list today about identification of the domain name
            registrant."<br class="">
            These may not go far enough for some but they provide a
            start that we can<br class="">
            build on.<br class="">
            <span class="HOEnZb"><font color="#888888" class=""><br class="">
                Chuck<br class="">
              </font></span><span class="im HOEnZb"><br class="">
              -----Original Message-----<br class="">
              From: <a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg-bounces@icann.<wbr class="">org</a><br class="">
              [mailto:<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg-<wbr class="">bounces@icann.org</a>]
              On Behalf Of theo geurts<br class="">
              Sent: Thursday, September 28, 2017 11:07 AM<br class="">
              To: Andrew Sullivan &lt;<a href="mailto:ajs@anvilwalrusden.com" moz-do-not-send="true" class="">ajs@anvilwalrusden.com</a>&gt;; <a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a><br class="">
              Subject: Re: [gnso-rds-pdp-wg] ICANN
              Meetings/Conversations with Data<br class="">
              Protection and Privacy Commissioners<br class="">
              <br class="">
            </span>
            <div class="HOEnZb">
              <div class="h5">Hello Andrew,<br class="">
                <br class="">
                1 I agree you need to be specific, but also you should
                ask, would a DPA<br class="">
                accept it? Regardless if that is a DPA in Europe or
                China or Jamaica.<br class="">
                Setting the baseline to the GDPR would be a mistake,
                these data protection<br class="">
                laws are always in motion. As such you need to implement
                data protection<br class="">
                principles when you define purpose. Did we really do
                that?<br class="">
                <br class="">
                2 I am not sure if there is a misapprehension. I do
                think we did not go out<br class="">
                of the box far enough. We somehow keep circling back to
                the WHOIS, and that<br class="">
                is somewhat strange given the composition of the WG.<br class="">
                We did put a ton of work into looking at the current
                data elements and all<br class="">
                that, but we never into the concept of no WHOIS/RDS and
                come up with a<br class="">
                solution in such a scenario.<br class="">
                <br class="">
                If we want to convince these policymakers of what we are
                facing abuse wise,<br class="">
                we must do better.<br class="">
                <br class="">
                Theo<br class="">
                <br class="">
                <br class="">
                On 28-9-2017 19:11, Andrew Sullivan wrote:<br class="">
                &gt; On Thu, Sep 28, 2017 at 06:46:29PM +0200, theo
                geurts wrote:<br class="">
                &gt;&gt; I think it is meant that IP addresses will be
                considered personal<br class="">
                &gt;&gt; information under the GDPR, that concept might
                be new to folks in this<br class="">
                WG.<br class="">
                &gt; I _know_ that.&nbsp; But there are two issues here:<br class="">
                &gt;<br class="">
                &gt;&nbsp; &nbsp; &nbsp; 1.&nbsp; It appears entirely clear, both from
                previous discussions and<br class="">
                &gt;&nbsp; &nbsp; &nbsp; from the legal analysis that was just
                delivered, that collection<br class="">
                &gt;&nbsp; &nbsp; &nbsp; of certain data (and we're still talking about
                collection,<br class="">
                &gt;&nbsp; &nbsp; &nbsp; remember) is permitted if you have legitimate
                purposes.<br class="">
                &gt;&nbsp; &nbsp; &nbsp; Therefore, we should be paying attention to
                those purposes, and be<br class="">
                &gt;&nbsp; &nbsp; &nbsp; specific about it.<br class="">
                &gt;<br class="">
                &gt;&nbsp; &nbsp; &nbsp; 2.&nbsp; It is possible that any law, or any
                interpretation of the law,<br class="">
                &gt;&nbsp; &nbsp; &nbsp; is being made with a misapprehension of how
                the Internet actually<br class="">
                &gt;&nbsp; &nbsp; &nbsp; works.&nbsp; Quite frankly, it is apparent to me
                that an alarming<br class="">
                &gt;&nbsp; &nbsp; &nbsp; number of policymakers have a deeply mistaken
                model for the way<br class="">
                &gt;&nbsp; &nbsp; &nbsp; the Internet works, mostly aligned with a
                picture that looks like<br class="">
                &gt;&nbsp; &nbsp; &nbsp; the way the phone system used to work.&nbsp; But we
                have to make policy<br class="">
                &gt;&nbsp; &nbsp; &nbsp; for the actual Internet, rather than for some
                system that does not<br class="">
                &gt;&nbsp; &nbsp; &nbsp; actually exist.&nbsp; This is why I sent that note
                the other day about<br class="">
                &gt;&nbsp; &nbsp; &nbsp; figuring out what we want and then asking
                lawyers how that can be<br class="">
                &gt;&nbsp; &nbsp; &nbsp; made to comport with such legal regimes as we
                know, rather than<br class="">
                &gt;&nbsp; &nbsp; &nbsp; doing it the other way.<br class="">
                &gt;<br class="">
                &gt; Best regards,<br class="">
                &gt;<br class="">
                &gt; A<br class="">
                &gt;<br class="">
                <br class="">
                ______________________________<wbr class="">_________________<br class="">
                gnso-rds-pdp-wg mailing list<br class="">
                <a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a><br class="">
                <a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank" moz-do-not-send="true" class="">https://mm.icann.org/mailman/<wbr class="">listinfo/gnso-rds-pdp-wg</a><br class="">
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br class="">
    </blockquote>
    <br class="">
  </div>

</div></blockquote></div><br class=""></div></div></div></div></div></body></html>