<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">Thanks Theo, that is a
helpful cheatsheet. I would just add that privacy advocates
and DPAs have been fighting machine identifiers for
years...Remember the Big Brother Inside campaign against the
Intel chip?</font></font></p>
<p><font size="+1"><font face="Lucida Grande">cheers Stephanie</font></font><br>
</p>
<div class="moz-cite-prefix">On 2018-02-21 08:38, theo geurts wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5aecfc3d-94f8-bf28-980b-af96a9d93cc3@xs4all.nl">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Perhaps this clarifies it more. <br>
</p>
<p><a class="moz-txt-link-freetext"
href="https://piwik.pro/blog/what-is-pii-personal-data/"
moz-do-not-send="true">https://piwik.pro/blog/what-is-pii-personal-data/</a></p>
<p>Theo <br>
</p>
<br>
<div class="moz-cite-prefix">On 21-2-2018 14:26, Stephanie Perrin
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c8ad1124-69c0-5253-c314-d3b243a5062f@mail.utoronto.ca">
<p><font size="+1"><font face="Lucida Grande">Sorry not to have
answered this last night Steve, I was having the usual
multi-tasking challenges which overtake the 1 AM calls.
There is a fundamental problem here in my view, and that
is the difference between people's understanding of
"personally identifying information" or PII, and "personal
information", which is silent on the matter of whether it
can be identified. For example, your medical data may
have all the identifiers removed (name, address, phone
number, health numbers, etc.) but that does not mean that
people could not figure out it was you, particularly these
days when even DNA data is up on the net. We generally
continue to call that personal data (people can reasonably
understand, for instance, that an x-ray of my lungs is
still my personal information, even if it has been
securely anonymized). I argue that all data associated
with your registration including the assigned data is
personal data (for the purposes of ICANN's treatment of it
as a data controller), but that does not mean it cannot be
processed. It is not usually PII, but that is irrelevant
for GDPR discussions because that is an expression not
used in the GDPR, PII that has been popularized by the US,
and that in the absence of general data protection law.
We had a lengthy discussion of this about a year ago, and
I am sure I was unsuccessful in persuading some folks that
a name server could be personal data. The name of a city
is not personally identifiable information, but if it is
the one data element that distinguishes John Smith of Main
street US, among six John Smiths on Main Street, then it
is personal data.<br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Given the ubiquity
of data and data analytics these days, this is an active
area of privacy scholarship, with plenty of practical
implications. We have over many years regularly removed a
few data elements to mask data sufficiently for public
processing purposes; increasingly this does not work
anymore and the field is changing too fast to keep up.
This of course does not mean that name servers, e.g.,
should not be published.<br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie</font></font><br>
</p>
<div class="moz-cite-prefix">On 2018-02-20 23:14, Steve Crocker
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EBF0E9FE-21F4-4CBF-A6BC-C4AE6DFB1F1E@shinkuro.com">
Stephanie,
<div><br>
</div>
<div>Some folks are saying address records, names of name
servers and perhaps other records might have personally
identifying information. I would not argue these records do
not ever have personally identifying information, I do argue
it’s immaterial. It’s essential these records are
universally accessible and because this is well known,
anyone who chooses to publish these records has implicitly
granted permission for others to access this information.
Policy people, legislators, regulators cannot impose a new
requirement on the design and operation of the DNS as if the
possibility of mediating access were an available option.</div>
<div><br>
</div>
<div>Steve</div>
<div><br>
<div id="AppleMailSignature">Sent from my iPhone</div>
<div><br>
On Feb 20, 2018, at 11:02 PM, Stephanie Perrin <<a
href="mailto:stephanie.perrin@mail.utoronto.ca"
moz-do-not-send="true">stephanie.perrin@mail.utoronto.ca</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<p><font size="+1"><font face="Lucida Grande">Actually
no, Steve, we sorted this out a few months
ago....Andrew Sullivan explained all of this
patiently and in great detail, as I recall. I
tried to explain the difference between data
elements constituting PI, because of their
association with an individual, and the
requirements to protect. I think I failed
dismally in that effort, because I see we are
re-arguing those issues.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">cheers
Stephanie </font></font><br>
</p>
<div class="moz-cite-prefix">On 2018-02-20 11:50, Steve
Crocker wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABf5zvKBiiqMTsWGEAdvG8LhZ29GYSkMZFoHg91UHCnTCF-Ehg@mail.gmail.com">
<div dir="ltr">I'm puzzled by the reference to name
servers and A records. These are necessarily public
else the domain name system won't function. Is
there confusion or misunderstanding about the role
of these records?
<div><br>
</div>
<div>Steve</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 20, 2018 at
11:47 AM, allison nixon <span dir="ltr"><<a
href="mailto:elsakoo@gmail.com"
target="_blank" moz-do-not-send="true">elsakoo@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">1,000,000% agreed. Registrars
cannot eliminate all their risk by masking
WHOIS into oblivion. The DPAs can still ask
why they are exposing A records, nameservers,
etc, to anyone who asks for them, without
valid reasons or authentication. Why do they
expose zone files, etc. The DPAs can ask why
customer support can sometimes so easily be
social engineered into handing over accounts
to account takeover scammers.
<div><br>
</div>
<div>Since most registrars are also hosting
providers/mail providers, would criminals
storing stolen PII on your servers be a GDPR
issue? After all, the ultimate owner of the
server is also considered a "processor",
which has interesting implications if one's
customers include phishers, or sell stolen
credit cards, and one's already been
notified. I have even seen miscreants
putting doxes in TXT records.
<div><br>
</div>
<div>I already know of quite a few incidents
where people would have had standing to
file a GDPR complaint against
registrars/hosters, unrelated to WHOIS.<br>
<div><br>
</div>
<div>Eventually the issue is going to
impact the core business model of
registrars. This isn't going to stop at
WHOIS. An open dialog with the DPAs at
an early stage is of utmost importance
for all parties involved here.<br>
</div>
</div>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra">
<div>
<div class="h5"><br>
<div class="gmail_quote">On Mon, Feb 19,
2018 at 10:16 AM, Sam Lanfranco <span
dir="ltr"><<a
href="mailto:sam@lanfranco.net"
target="_blank"
moz-do-not-send="true">sam@lanfranco.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Benny,</p>
<p>This is why I support multi-venue
multi-stakholder dialogue with the
DPA's so that they are appraised
of the issues on all sides of the
data protection issue. They are
then more likely to act in a
judicious manner, and less like an
attack dog. Watch the new movie "<b><i>The
Post</i></b>" where when <i>Washington
Post</i> owner <span
class="m_4328131330306589257m_-8009525005773725673st">
Katharine Graham decided to
publish the Vietnam War Pentagon
Papers, with the downside risk
that she could be jailed for
treason. The court ruled in
favor of freedom of the press.
It is not what the DPA can do,
but what they are likely to do,
and dialogue goes a long way to
mitigating risk and shaping
appropriate positions and
behavior (with integrity) on all
sides. <br>
</span></p>
<p><span
class="m_4328131330306589257m_-8009525005773725673st">Sam
L.<br>
</span></p>
<span> <br>
<div
class="m_4328131330306589257m_-8009525005773725673moz-cite-prefix">On
2/19/2018 10:02 AM, <a
class="m_4328131330306589257m_-8009525005773725673moz-txt-link-abbreviated"
href="mailto:benny@nordreg.se"
target="_blank"
moz-do-not-send="true">benny@nordreg.se</a>
wrote:<br>
</div>
</span>
<blockquote type="cite"><span>
<ironi on> Now I am
relieved, we as registrars will
not be subject for anything…
</ironi off>
<div><br>
</div>
</span>
<div>None of us know where and
what they will prioritise,<b><i>
remember that it only take 1
complaint to a DPA to get
the snowball moving.</i></b>
[emphasis added] I am sure your
statement have noe value then.</div>
<span>
<div><br>
</div>
<div>
<div>
<div><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
<div>--</div>
<div>Med vänliga
hälsningar / Kind
Regards / Med
vennlig hilsen</div>
</div>
</span><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="text-align:-webkit-auto;border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
</div>
</span><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="text-align:-webkit-auto;border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
<div><br>
Benny Samuelsen<br>
Registry Manager -
Domainexpert<br>
<br>
Nordreg AB - ICANN
accredited registrar</div>
<div>IANA-ID: 638</div>
</div>
</span><span
class="m_4328131330306589257m_-8009525005773725673Apple-style-span"
style="text-align:-webkit-auto;border-collapse:separate;border-spacing:0px">
<div
style="word-wrap:break-word">
Phone: <a
href="tel:+46%2042%2019%2070%2000"
value="+4642197000"
target="_blank"
moz-do-not-send="true">+46.42197000</a><br>
Direct: <a
href="tel:+47%2032%2026%2002%2001"
value="+4732260201"
target="_blank"
moz-do-not-send="true">+47.32260201</a><br>
Mobile: <a
href="tel:+47%20404%2010%20200"
value="+4740410200"
target="_blank"
moz-do-not-send="true">+47.40410200</a></div>
</span></div>
</div>
<div><br>
<blockquote type="cite">
<div>On 19 Feb 2018, at
15:29, Sam Lanfranco
<<a
href="mailto:sam@lanfranco.net"
target="_blank"
moz-do-not-send="true">sam@lanfranco.net</a>>
wrote:</div>
<br
class="m_4328131330306589257m_-8009525005773725673Apple-interchange-newline">
<div>
<div text="#000000"
bgcolor="#FFFFFF">
<p>Hi Tim, <br>
</p>
<p>No, completely to
the contrary. My
point with that
dollars reference
was that in some
cases litigation is
the preferred
business response,
rather than
compliance and
paying fines. Also,
the big revenues in
mining big data are
outside the DNS
sphere, and outside
the abuses and "bad
things" that
websites do to
people. The big EU
fines are more
likely to hit social
media than
Registrars, although
they are risks there
as well. The
revenues, and
privacy violations,
will come from
profiling users by
mining big data for
scraps of personal
date to
individualize target
marketing. <br>
</p>
<p><b><i>As a brief
aside:</i></b>
This goes well
beyond the remit of
ICANN and is
actually worse than
just being inundated
by adverts base on
personal online
behavior. Artificial
Intelligence mining
apps are
increasingly
customizing the
"news" one gets from
news feeds, to help
"glue the eyeballs"
to the adverts,
creating a news silo
of one. (That is
amusing for me since
I virtually live in
two towns in two
countries). Even
more worrisome is
the growing practice
for A.I. companies
where A.I. "writes"
the news releases,
now mainly in sports
and finance, for
thousands of print
and online news
outlets. I know all
of this is outside
the ICANN remit so I
will stop there. <br>
</p>
<p>Sam L. <br>
</p>
<br>
<div
class="m_4328131330306589257m_-8009525005773725673moz-cite-prefix">On
2/18/2018 5:43 PM,
Chen, Tim wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">Hi
Sam,
<div><br>
</div>
<div>When you say
these are
hundred million
dollar issues
for "the
companies",which
companies are
you talking
about? Large
Registrars?</div>
<div><br>
</div>
<div>I hope you
are not
comparing
cybersecurity
professionals
and the good
work they are
trying to
enable, to a
completely
separate privacy
issue around
data used for ad
tracking or
behavior
tracking across
websites. If I
spent my days
trying to
protect people
on the internet
from bad things,
I would
certainly not
appreciate any
allusion that I
was engaged on
the whois data
issue 'for the
money'.</div>
<div><br>
</div>
<div>Tim</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing
list<br>
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
target="_blank"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<a
class="m_4328131330306589257m_-8009525005773725673moz-txt-link-freetext"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
target="_blank"
moz-do-not-send="true">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a></div>
</blockquote>
</div>
<br>
</div>
</span></blockquote>
<span
class="m_4328131330306589257HOEnZb"><font
color="#888888"> <br>
<pre class="m_4328131330306589257m_-8009525005773725673moz-signature" cols="72">--
------------------------------<wbr>------------------
"It is a disgrace to be rich and honoured
in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
------------------------------<wbr>------------------
Visiting Prof, Xi'an Jaiotong-Liverpool Univ, Suzhou, China
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: <a class="m_4328131330306589257m_-8009525005773725673moz-txt-link-abbreviated" href="mailto:sam@lanfranco.net" target="_blank" moz-do-not-send="true">sam@lanfranco.net</a> Skype: slanfranco
blog: <a class="m_4328131330306589257m_-8009525005773725673moz-txt-link-freetext" href="https://samlanfranco.blogspot.com" target="_blank" moz-do-not-send="true">https://samlanfranco.blogspot.<wbr>com</a>
Phone: <a href="tel:%28613%29%20476-0429" value="+16134760429" target="_blank" moz-do-not-send="true">+1 613-476-0429</a> cell: <a href="tel:%28416%29%20816-2852" value="+14168162852" target="_blank" moz-do-not-send="true">+1 416-816-2852</a></pre>
</font></span></div>
<br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a
href="mailto:gnso-rds-pdp-wg@icann.org"
target="_blank"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
</div>
</div>
<div
class="m_4328131330306589257gmail_signature"
data-smartmail="gmail_signature">______________________________<wbr>___<br>
Note to self: Pillage BEFORE burning.</div>
</div>
<br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>gnso-rds-pdp-wg mailing list</span><br>
<span><a href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a></span><br>
<span><a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span></div>
</blockquote>
</div>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</blockquote>
</body>
</html>