<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">"</font></font><font
size="+1"><font face="Lucida Grande">We aren’t there yet because
the DPAs are only starting to hear from us." If by us you mean
the current members of the anti-cybercrime community
represented in the current RDS group, fine. If you mean the
multi-stakeholder community represented at ICANN (in which
there have always been members of the anti-cybercrime
community), I would suggest that this is not the case. </font></font></p>
<p><font size="+1"><font face="Lucida Grande">I would add to David's
response that the data protection supervisors have been in
discussions with the non-commercial users constituency since
the birth of ICANN. Rodota (the first Italian DPA, and second
chair of the Article 29 group) wrote about ICANN and WHOIS in
1998. The Berlin group (of data commissioners) posted their
common position on WHOIS in 2000, the common position of the Article
29 group was in 2003. Buttarelli, then 2IC in Rome, came to
the 2004 meeting (he referred to this in his remarks in
Copenhagen). The NCUC has been in regular contact with
them....I speak without saying "we" here because I was the one
that spoke at the privacy workshop in Vancouver, when I was
Director of Policy at the Canadian DPA.....and it was Kathy Kleiman
of the NCUC who invited the Commissioner, as I recall. [The
task was relegated to me because it was thought that I could
better answer the questions, having crafted the first CIRA
policy when I was working in the private sector.]</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Please John, read some
of the back history. This is a very long struggle over
privacy in WHOIS, and the data commissioners are certainly not
hearing about this for the first time. Most of the DPAs who
signed the original documents have retired and are now working
together, loosely at a couple of think tanks. The
cybercrime-fighting argument has always been extremely
effectively represented in the debate by ICANN technical
staff, the US Commerce department, and various other members
of the security and technical community. The DPAs are very
aware of that aspect of the discussion. <br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie Perrin<br>
</font></font></p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 2017-10-22 15:33, David Cake wrote:<br>
</div>
<blockquote type="cite"
cite="mid:083D89C0-03B1-4106-9CA9-A8E03563DBDF@davecake.net">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 22 Oct 2017, at 9:38 pm, John Bambenek <<a
href="mailto:jcb@bambenekconsulting.com" class=""
moz-do-not-send="true">jcb@bambenekconsulting.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="auto" class="">I would argue that their views are
uninformed on other points of view or other changes that
could be made that would satisfy their objectives which is
similar but has important differences. So I disagree we
are at the point we are violating EU law. </div>
</div>
</blockquote>
<div><br class="">
</div>
<span class="Apple-tab-span" style="white-space:pre">        </span>Lets
just say that two law firms with significant GDPR experience
have now commented, and you seem to disagree with both, and the
DPAs. </div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="auto" class="">
<div class=""><br class="">
</div>
<div class="">EU DPAs may never change their mind. I’ll
just get US law changed so that US entities offering
domains have to list ownership information which means
most if not all of the gTLDs I care about if not ICANN
also. </div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<span class="Apple-tab-span" style="white-space:pre">        </span>I
think it would be for the best if the working group, and you,
proceeded with current law until you have succeeded in getting
US law changed. Please let us know when you have achieved that. </div>
<div><br class="">
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="auto" class="">
<div class="">We aren’t there yet because the DPAs are
only starting to hear from us. Until now these
discussions were populated by ICANN and
registrars/registries who want whois to go away anyway. </div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<span class="Apple-tab-span" style="white-space:pre">        </span>The
idea that ICANN wants whois to go away does not accord with
observed behaviour. <br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="auto" class="">
<div class=""><br class="">
</div>
<div class="">This solitary focus on EU law presupposes
that people believe that of the laws of the ~200
countries in the world, it is EU law that should be the
controlling force of internet governance. Is that what
you are saying?<br class="">
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<span class="Apple-tab-span" style="white-space:pre">        </span>Privacy
law in most of the world tends to follow the EU, and it is
likely that if we designed a system that functioned under EU law
it would work under the law of the vast majority of the world,
Until you get US law changed, So you’d better get onto that. </div>
<div><br class="">
</div>
<div>David</div>
<div><br class="">
</div>
<div>
<blockquote type="cite" class="">
<div class="">
<div dir="auto" class="">
<div class=""><br class="">
<div class="">--
<div class="">John Bambenek</div>
</div>
<div class=""><br class="">
On Oct 22, 2017, at 01:13, David Cake <<a
href="mailto:dave@davecake.net" class=""
moz-do-not-send="true">dave@davecake.net</a>>
wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">John, if that is you acknowledging that
the current advice from DPAs (and legal advice) does
not concur with the position the abuse and security
community (or at least, the part of it that you
represent) that is at least a step forward.
<div class=""><br class="">
</div>
<div class="">You may be significantly more
optimistic about the chances of the DPAs changing
their position in response to hearing your
concerns than others are. If you could, perhaps,
set out some future circumstances under which you
might might acknowledge that this effort had
failed and we could proceed to move discussion
forward under the basis of current EU law rather
than a possible future in which you are able to
change it to suit your preferences, that would be
helpful. </div>
<div class=""><br class="">
</div>
<div class="">Davud</div>
<div class=""><br class="">
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 21 Oct 2017, at 8:41 am,
John Bambenek via gnso-rds-pdp-wg <<a
href="mailto:gnso-rds-pdp-wg@icann.org"
class="" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="auto" class="">Not the last few
items discussed, no. That said I have
been traveling from the past few weeks
and need to read them side by side for a
definitive synthesis. That aside, my
primary concern is that said officials
are not hearing enough from the
anti-abuse and security community on
these tools to have a more fully
informed discussion. We are working to
rectify that. <br class="">
<br class="">
<div class="">Sent from my iPad</div>
<div class=""><br class="">
On Oct 21, 2017, at 2:35 AM, Ayden
Férdeline <<a
href="mailto:icann@ferdeline.com"
class="" moz-do-not-send="true">icann@ferdeline.com</a>>
wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">
<div class="">My apologies, John. It
was not clear to me that you had
read the memo. I am glad to hear
that you have. Particularly in
relation to consent, I thought the
advice that the memo contained
(along with the Hamilton memo) was
consistent with the advice that we
received from the European Data
Protection Commissioners earlier
this year. Would you agree?<br
class="">
</div>
<div class=""><br class="">
</div>
<div class="">—Ayden<br class="">
</div>
<div
class="protonmail_signature_block">
<div
class="protonmail_signature_block-proton
protonmail_signature_block-empty"><br class="">
</div>
</div>
<div class=""><br class="">
</div>
<blockquote class="protonmail_quote"
type="cite">
<div class="">-------- Original
Message --------<br class="">
</div>
<div class="">Subject: Re:
[gnso-rds-pdp-wg] another
document that might be of
interest<br class="">
</div>
<div class="">Local Time: 21
October 2017 1:27 AM<br class="">
</div>
<div class="">UTC Time: 21 October
2017 00:27<br class="">
</div>
<div class="">From: <a
href="mailto:jcb@bambenekconsulting.com"
class=""
moz-do-not-send="true">jcb@bambenekconsulting.com</a><br
class="">
</div>
<div class="">To: Ayden Férdeline
<<a
href="mailto:icann@ferdeline.com"
class=""
moz-do-not-send="true">icann@ferdeline.com</a>><br
class="">
</div>
<div class="">Victoria Sheckler
<<a
href="mailto:vsheckler@riaa.com"
class=""
moz-do-not-send="true">vsheckler@riaa.com</a>>,
GNSO RDS PDP <<a
href="mailto:gnso-rds-pdp-wg@icann.org"
class=""
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>><br
class="">
</div>
<div class=""><br class="">
</div>
<div class="">Yes, I believe I
pointed out on this very list
that among other things, the
notion the EU law should reign
supreme globally even when it
conflicts with local laws as
patently offensive, among other
things. <br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Is there a
particular outcome that you are
trying to achieve by insinuating
that I am ignorant and not
reading the mounds of paperwork
generated by this group? I mean
besides the continual,
consistent, and vigorous
disrespect shown to those who
work in anti-abuse or security?<br
class="">
</div>
<div class=""><br class="">
</div>
<div class="">And if you’d like an
analysis of the legal memo it is
this: it is always better to
take the word of the regulators
over merely that of some
lawfirm. Which is what I thought
we were actually talking about
in the first place. <br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""><br class="">
</div>
<div class="">
<div class=""><br class="">
</div>
<div class="">
<div class="">--<br class="">
</div>
<div class="">John Bambenek<br
class="">
</div>
</div>
<div class="">
<div class=""><br class="">
</div>
<div class="">On Oct 20,
2017, at 19:10, Ayden
Férdeline <<a
href="mailto:icann@ferdeline.com"
class=""
moz-do-not-send="true">icann@ferdeline.com</a>>
wrote:<br class="">
</div>
</div>
<blockquote type="cite"
class="">
<div class="">
<div class="">
<div class="">John,<br
class="">
</div>
<div class=""><br
class="">
</div>
<div class="">Have you
read the legal memo
that we received from
Wilson Sonsini
Goodrich & Rosati?
<br class="">
</div>
<div class=""><br
class="">
</div>
<div class="">It states
on page 14, "asking
for consent would not
be simple, would not
solve all data
protection issues, and
would pose a number of
organizational
challenges."<br
class="">
</div>
</div>
<div class=""><br class="">
</div>
<div class="">The
rationale behind this
statement is contained
within the memo.<br
class="">
</div>
<div class=""><br class="">
</div>
<div class="">—Ayden<br
class="">
</div>
<div
class="protonmail_signature_block">
<div
class="protonmail_signature_block-proton
protonmail_signature_block-empty"><br class="">
</div>
</div>
<div class=""><br class="">
</div>
<blockquote type="cite"
class="protonmail_quote">
<div class="">--------
Original Message
--------<br class="">
</div>
<div class="">Subject:
Re: [gnso-rds-pdp-wg]
another document that
might be of interest<br
class="">
</div>
<div class="">Local
Time: 21 October 2017
1:06 AM<br class="">
</div>
<div class="">UTC Time:
21 October 2017 00:06<br
class="">
</div>
<div class="">From: <a
href="mailto:jcb@bambenekconsulting.com" class="" moz-do-not-send="true">jcb@bambenekconsulting.com</a><br
class="">
</div>
<div class="">To: Ayden
Férdeline <<a
href="mailto:icann@ferdeline.com"
class=""
moz-do-not-send="true">icann@ferdeline.com</a>><br
class="">
</div>
<div class="">Victoria
Sheckler <<a
href="mailto:vsheckler@riaa.com"
class=""
moz-do-not-send="true">vsheckler@riaa.com</a>>,
GNSO RDS PDP <<a
href="mailto:gnso-rds-pdp-wg@icann.org"
class=""
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>><br
class="">
</div>
<div class=""><br
class="">
</div>
<div class="">So, in
short, if we create a
consent system, we are
fine. <br class="">
</div>
<div class=""><br
class="">
</div>
<div class="">
<div class="">Am I
missing something?<br
class="">
</div>
<div class=""><br
class="">
</div>
<div class="">
<div class="">--<br
class="">
</div>
<div class="">John
Bambenek<br
class="">
</div>
</div>
<div class="">
<div class=""><br
class="">
</div>
<div class="">On Oct
20, 2017, at
17:31, Ayden
Férdeline <<a
href="mailto:icann@ferdeline.com"
class=""
moz-do-not-send="true">icann@ferdeline.com</a>>
wrote:<br class="">
</div>
</div>
<blockquote
type="cite" class="">
<div class="">
<div class="">I
would like to
flag two
extracts from
this Regulation
that may be
relevant to our
work:<br
class="">
</div>
<ul class="">
<li class="">"The
Registry
should also
comply with
the relevant
data
protection
rules,
principles,
guidelines and
best
practices,
notably
concerning the
amount and
type of data
displayed in
the WHOIS
database."
(page 3)<br
class="">
</li>
<li class="">"The
WHOIS database
shall contain
information
about the
holder of a
domain name
that is
relevant and
not excessive
in relation to
the purpose of
the database.
In as far as
the
information is
not strictly
necessary in
relation to
the purpose of
the database,
and <b
class="">if
the domain
name holder is
a natural
person, the
information
that is to be
made publicly
available
shall be
subject to the
unambiguous
consent of the
domain name
holder</b>."
(page 10 -
emphasis
added)<br
class="">
</li>
</ul>
<div class="">Thank
you, <br
class="">
</div>
<div class=""><br
class="">
</div>
<div class="">Ayden
Férdeline<br
class="">
</div>
<div class=""><br
class="">
</div>
<div
class="protonmail_signature_block">
<div
class="protonmail_signature_block-proton
protonmail_signature_block-empty"><br class="">
</div>
</div>
<div class=""><br
class="">
</div>
<blockquote
class="protonmail_quote"
type="cite">
<div class="">--------
Original
Message
--------<br
class="">
</div>
<div class="">Subject:
[gnso-rds-pdp-wg] another document that might be of interest<br class="">
</div>
<div class="">Local
Time: 20
October 2017
10:47 PM<br
class="">
</div>
<div class="">UTC
Time: 20
October 2017
21:47<br
class="">
</div>
<div class="">From:
<a
href="mailto:vsheckler@riaa.com"
class=""
moz-do-not-send="true">vsheckler@riaa.com</a><br
class="">
</div>
<div class="">To:
GNSO RDS PDP
<<a
href="mailto:gnso-rds-pdp-wg@icann.org"
class=""
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>><br
class="">
</div>
<div class=""><br
class="">
</div>
<div class=""><br
class="">
</div>
<div
class="WordSection1">
<p
class="MsoNormal">I
think we
missed this
document when
we were
reviewing
documents for
this WG back
in the day,
and thought
some of you
might find it
of interest
given our
current
discussions on
GDPR<br
class="">
</p>
<p
class="MsoNormal"> <br
class="">
</p>
<p
class="MsoNormal">COMMISSION
REGULATION
(EC) No
874/2004 of 28
April 2004
laying down
public policy
rules
concerning the
implementation
and functions
of the .eu Top
Level Domain
and the
principles
governing
registration,
available at <a
href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF"
class=""
moz-do-not-send="true">
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF</a><br
class="">
</p>
</div>
</blockquote>
<div class=""><br
class="">
</div>
</div>
</blockquote>
<blockquote
type="cite" class="">
<div class="">
<div class=""><span
class="">_______________________________________________</span><br
class="">
</div>
<div class=""><span
class="">gnso-rds-pdp-wg
mailing list</span><br
class="">
</div>
<div class=""><span
class=""><a
href="mailto:gnso-rds-pdp-wg@icann.org"
class=""
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a></span><br
class="">
</div>
<div class=""><span
class=""><a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
class=""
moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span><br
class="">
</div>
</div>
</blockquote>
</div>
</blockquote>
<div class=""><br class="">
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
</div>
</blockquote>
</div>
_______________________________________________<br class="">
gnso-rds-pdp-wg mailing list<br class="">
<a href="mailto:gnso-rds-pdp-wg@icann.org"
class="" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br
class="">
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
class="" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</body>
</html>