<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Perhaps this clarifies it more. <br>
</p>
<p><a class="moz-txt-link-freetext" href="https://piwik.pro/blog/what-is-pii-personal-data/">https://piwik.pro/blog/what-is-pii-personal-data/</a></p>
<p>Theo <br>
</p>
<br>
<div class="moz-cite-prefix">On 21-2-2018 14:26, Stephanie Perrin
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c8ad1124-69c0-5253-c314-d3b243a5062f@mail.utoronto.ca">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p><font size="+1"><font face="Lucida Grande">Sorry not to have
answered this last night Steve, I was having the usual
multi-tasking challenges which overtake the 1 AM calls.
There is a fundamental problem here in my view, and that is
the difference between people's understanding of "personally
identifying information" or PII, and "personal information",
which is silent on the matter of whether it can be
identified. For example, your medical data may have all the
identifiers removed (name, address, phone number, health
numbers, etc.) but that does not mean that people could not
figure out it was you, particularly these days when even DNA
data is up on the net. We generally continue to call that
personal data (people can reasonably understand, for
instance, that an x-ray of my lungs is still my personal
information, even if it has been securely anonymized). I
argue that all data associated with your registration
including the assigned data is personal data (for the
purposes of ICANN's treatment of it as a data controller),
but that does not mean it cannot be processed. It is not
usually PII, but that is irrelevant for GDPR discussions
because that is an expression not used in the GDPR, PII that
has been popularized by the US, and that in the absence of
general data protection law. We had a lengthy discussion
of this about a year ago, and I am sure I was unsuccessful
in persuading some folks that a name server could be
personal data. The name of a city is not personally
identifiable information, but if it is the one data element
that distinguishes John Smith of Main street US, among six
John Smiths on Main Street, then it is personal data.<br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Given the ubiquity
of data and data analytics these days, this is an active
area of privacy scholarship, with plenty of practical
implications. We have over many years regularly removed a
few data elements to mask data sufficiently for public
processing purposes; increasingly this does not work anymore
and the field is changing too fast to keep up. This of
course does not mean that name servers, e.g., should not be
published.<br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie</font></font><br>
</p>
<div class="moz-cite-prefix">On 2018-02-20 23:14, Steve Crocker
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EBF0E9FE-21F4-4CBF-A6BC-C4AE6DFB1F1E@shinkuro.com">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
Stephanie,
<div><br>
</div>
<div>Some folks are saying address records, names of name
servers and perhaps other records might have personally
identifying information. I would not argue these records do
not ever have personally identifying information, I do argue
it’s immaterial. It’s essential these records are universally
accessible and because this is well known, anyone who chooses
to publish these records has implicitly granted permission for
others to access this information. Policy people,
legislators, regulators cannot impose a new requirement on the
design and operation of the DNS as if the possibility of
mediating access were an available option.</div>
<div><br>
</div>
<div>Steve</div>
<div><br>
<div id="AppleMailSignature">Sent from my iPhone</div>
<div><br>
On Feb 20, 2018, at 11:02 PM, Stephanie Perrin <<a
href="mailto:stephanie.perrin@mail.utoronto.ca"
moz-do-not-send="true">stephanie.perrin@mail.utoronto.ca</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<p><font size="+1"><font face="Lucida Grande">Actually no,
Steve, we sorted this out a few months ago....Andrew
Sullivan explained all of this patiently and in
great detail, as I recall. I tried to explain the
difference between data elements constituting PI,
because of their association with an individual, and
the requirements to protect. I think I failed
dismally in that effort, because I see we are
re-arguing those issues.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">cheers
Stephanie </font></font><br>
</p>
<div class="moz-cite-prefix">On 2018-02-20 11:50, Steve
Crocker wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABf5zvKBiiqMTsWGEAdvG8LhZ29GYSkMZFoHg91UHCnTCF-Ehg@mail.gmail.com">
<div dir="ltr">I'm puzzled by the reference to name
servers and A records. These are necessarily public
else the domain name system won't function. Is there
confusion or misunderstanding about the role of these
records?
<div><br>
</div>
<div>Steve</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 20, 2018 at 11:47
AM, allison nixon <span dir="ltr"><<a
href="mailto:elsakoo@gmail.com" target="_blank"
moz-do-not-send="true">elsakoo@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">1,000,000% agreed. Registrars
cannot eliminate all their risk by masking WHOIS
into oblivion. The DPAs can still ask why they
are exposing A records, nameservers, etc, to
anyone who asks for them, without valid reasons
or authentication. Why do they expose zone
files, etc. The DPAs can ask why customer
support can sometimes so easily be social
engineered into handing over accounts to account
takeover scammers.
<div><br>
</div>
<div>Since most registrars are also hosting
providers/mail providers, would criminals
storing stolen PII on your servers be a GDPR
issue? After all, the ultimate owner of the
server is also considered a "processor", which
has interesting implications if one's
customers include phishers, or sell stolen
credit cards, and one's already been notified.
I have even seen miscreants putting doxes in
TXT records.
<div><br>
</div>
<div>I already know of quite a few incidents
where people would have had standing to file
a GDPR complaint against registrars/hosters,
unrelated to WHOIS.<br>
<div><br>
</div>
<div>Eventually the issue is going to impact
the core business model of registrars.
This isn't going to stop at WHOIS. An open
dialog with the DPAs at an early stage is
of utmost importance for all parties
involved here.<br>
</div>
</div>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra">
<div>
<div class="h5"><br>
<div class="gmail_quote">On Mon, Feb 19,
2018 at 10:16 AM, Sam Lanfranco <span
dir="ltr"><<a
href="mailto:sam@lanfranco.net"
target="_blank" moz-do-not-send="true">sam@lanfranco.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Benny,</p>
<p>This is why I support multi-venue
multi-stakholder dialogue with the
DPA's so that they are appraised of
the issues on all sides of the data
protection issue. They are then more
likely to act in a judicious manner,
and less like an attack dog. Watch
the new movie "<b><i>The Post</i></b>"
where when <i>Washington Post</i>
owner <span
class="m_4328131330306589257m_-8009525005773725673st">
Katharine Graham decided to
publish the Vietnam War Pentagon
Papers, with the downside risk
that she could be jailed for
treason. The court ruled in favor
of freedom of the press. It is not
what the DPA can do, but what they
are likely to do, and dialogue
goes a long way to mitigating risk
and shaping appropriate positions
and behavior (with integrity) on
all sides. <br>
</span></p>
<p><span
class="m_4328131330306589257m_-8009525005773725673st">Sam
L.<br>
</span></p>
<span> <br>
<div
class="m_4328131330306589257m_-8009525005773725673moz-cite-prefix">On
2/19/2018 10:02 AM, <a
class="m_4328131330306589257m_-8009525005773725673moz-txt-link-abbreviated"
href="mailto:benny@nordreg.se"
target="_blank"
moz-do-not-send="true">benny@nordreg.se</a>
wrote:<br>
</div>
</span>
<blockquote type="cite"><span>
<ironi on> Now I am
relieved, we as registrars will
not be subject for anything…
</ironi off>
<div><br>
</div>
</span>
<div>None of us know where and what
they will prioritise,<b><i>
remember that it only take 1
complaint to a DPA to get the
snowball moving.</i></b>
[emphasis added] I am sure your
statement have noe value then.</div>
<span>
<div><br>
</div>
<div>
<div>
<div><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
<div>--</div>
<div>Med vänliga
hälsningar / Kind
Regards / Med vennlig
hilsen</div>
</div>
</span><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="text-align:-webkit-auto;border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
</div>
</span><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="text-align:-webkit-auto;border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
<div><br>
Benny Samuelsen<br>
Registry Manager -
Domainexpert<br>
<br>
Nordreg AB - ICANN
accredited registrar</div>
<div>IANA-ID: 638</div>
</div>
</span><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="text-align:-webkit-auto;border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
Phone: <a
href="tel:+46%2042%2019%2070%2000"
value="+4642197000"
target="_blank"
moz-do-not-send="true">+46.42197000</a><br>
Direct: <a
href="tel:+47%2032%2026%2002%2001"
value="+4732260201"
target="_blank"
moz-do-not-send="true">+47.32260201</a><br>
Mobile: <a
href="tel:+47%20404%2010%20200"
value="+4740410200"
target="_blank"
moz-do-not-send="true">+47.40410200</a></div>
</span></div>
</div>
<div><br>
<blockquote type="cite">
<div>On 19 Feb 2018, at
15:29, Sam Lanfranco <<a
href="mailto:sam@lanfranco.net" target="_blank" moz-do-not-send="true">sam@lanfranco.net</a>>
wrote:</div>
<br
class="m_4328131330306589257m_-8009525005773725673Apple-interchange-newline">
<div>
<div text="#000000"
bgcolor="#FFFFFF">
<p>Hi Tim, <br>
</p>
<p>No, completely to the
contrary. My point
with that dollars
reference was that in
some cases litigation
is the preferred
business response,
rather than compliance
and paying fines.
Also, the big revenues
in mining big data are
outside the DNS
sphere, and outside
the abuses and "bad
things" that websites
do to people. The big
EU fines are more
likely to hit social
media than Registrars,
although they are
risks there as well.
The revenues, and
privacy violations,
will come from
profiling users by
mining big data for
scraps of personal
date to individualize
target marketing. <br>
</p>
<p><b><i>As a brief
aside:</i></b>
This goes well beyond
the remit of ICANN and
is actually worse than
just being inundated
by adverts base on
personal online
behavior. Artificial
Intelligence mining
apps are increasingly
customizing the "news"
one gets from news
feeds, to help "glue
the eyeballs" to the
adverts, creating a
news silo of one.
(That is amusing for
me since I virtually
live in two towns in
two countries). Even
more worrisome is the
growing practice for
A.I. companies where
A.I. "writes" the news
releases, now mainly
in sports and finance,
for thousands of print
and online news
outlets. I know all of
this is outside the
ICANN remit so I will
stop there. <br>
</p>
<p>Sam L. <br>
</p>
<br>
<div
class="m_4328131330306589257m_-8009525005773725673moz-cite-prefix">On
2/18/2018 5:43 PM,
Chen, Tim wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Sam,
<div><br>
</div>
<div>When you say
these are hundred
million dollar
issues for "the
companies",which
companies are you
talking about?
Large Registrars?</div>
<div><br>
</div>
<div>I hope you are
not comparing
cybersecurity
professionals and
the good work they
are trying to
enable, to a
completely
separate privacy
issue around data
used for ad
tracking or
behavior tracking
across websites.
If I spent my days
trying to protect
people on the
internet from bad
things, I would
certainly not
appreciate any
allusion that I
was engaged on the
whois data issue
'for the money'.</div>
<div><br>
</div>
<div>Tim</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing
list<br>
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
target="_blank"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<a
class="m_4328131330306589257m_-8009525005773725673moz-txt-link-freetext"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
target="_blank"
moz-do-not-send="true">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a></div>
</blockquote>
</div>
<br>
</div>
</span></blockquote>
<span
class="m_4328131330306589257HOEnZb"><font
color="#888888"> <br>
<pre class="m_4328131330306589257m_-8009525005773725673moz-signature" cols="72">--
------------------------------<wbr>------------------
"It is a disgrace to be rich and honoured
in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
------------------------------<wbr>------------------
Visiting Prof, Xi'an Jaiotong-Liverpool Univ, Suzhou, China
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: <a class="m_4328131330306589257m_-8009525005773725673moz-txt-link-abbreviated" href="mailto:sam@lanfranco.net" target="_blank" moz-do-not-send="true">sam@lanfranco.net</a> Skype: slanfranco
blog: <a class="m_4328131330306589257m_-8009525005773725673moz-txt-link-freetext" href="https://samlanfranco.blogspot.com" target="_blank" moz-do-not-send="true">https://samlanfranco.blogspot.<wbr>com</a>
Phone: <a href="tel:%28613%29%20476-0429" value="+16134760429" target="_blank" moz-do-not-send="true">+1 613-476-0429</a> cell: <a href="tel:%28416%29%20816-2852" value="+14168162852" target="_blank" moz-do-not-send="true">+1 416-816-2852</a></pre>
</font></span></div>
<br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
target="_blank" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
</div>
</div>
<div
class="m_4328131330306589257gmail_signature"
data-smartmail="gmail_signature">______________________________<wbr>___<br>
Note to self: Pillage BEFORE burning.</div>
</div>
<br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>gnso-rds-pdp-wg mailing list</span><br>
<span><a href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a></span><br>
<span><a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span></div>
</blockquote>
</div>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</body>
</html>