[registration-issues-wg] [CPWG] Urgent EPDP question

Alan Greenberg alan.greenberg at mcgill.ca
Mon Oct 15 19:45:46 UTC 2018


Anyone else from the ALAC?  One more and we have a majority.

Alan

At 15/10/2018 05:14 AM, Tijani BEN JEMAA wrote:
>I agree that Legal persons should be treated 
>differently as required by the GDPR: Only natural persons are concerned.
>
>-----------------------------------------------------------------------------
>Tijani BEN JEMAA
>Executive Director
>Mediterranean Federation of Internet Associations (FMAI)
>Phone: +216 98 330 114
>           +216 52 385 114
>-----------------------------------------------------------------------------
>
>
>>Le 15 oct. 2018 Ã  10:01, Michele Neylon - 
>>Blacknight <<mailto:michele at blacknight.com>michele at blacknight.com> a écrit :
>>
>>Derek
>>
>>You can see exactly which version of the RAA registrars are signed onto here:
>>
>><https://www.icann.org/registrar-reports/accredited-list.html>https://www.icann.org/registrar-reports/accredited-list.html
>>
>>While there might have been one or two left on 
>>the 2009 contract up until relatively recently 
>>I cannot find any on the list now.
>>
>>Regards
>>
>>Michele
>>
>>
>>
>>--
>>Mr Michele Neylon
>>Blacknight Solutions
>>Hosting, Colocation & Domains
>>https://www.blacknight.com/
>>https://blacknight.blog/
>>Intl. +353 (0) 59  9183072
>>Direct Dial: +353 (0)59 9183090
>>Personal blog: https://michele.blog/
>>Some thoughts: https://ceo.hosting/
>>-------------------------------
>>Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>>Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>>
>>On 15/10/2018, 08:17, 
>>"registration-issues-wg on behalf of Derek 
>>Smythe" 
>><registration-issues-wg-bounces at atlarge-lists.icann.org 
>>on behalf of derek at aa419.org> wrote:
>>
>>    Yes, agreed 100%.
>>
>>    Contracted parties should treat Legal Persons differently from Natural
>>    Persons.
>>
>>    We are essentially asking consumers to sign a blank check/cheque when
>>    they try and deal with a new business that's GDPR protected as they
>>    can't do any form of due diligence in reality. This makes any consumer
>>    a potential target to loss of privacy, fraud and more.
>>
>>    The only argument should really be as to whether this extends to all
>>    Natural Persons or just those of the EU.
>>
>>    We need to consider a major concern here is the abuse of domains. How
>>    do we protect or mitigate? This is what keeps us all safer. Law
>>    enforcement simply cannot do it all as is a matter of record. Nor will
>>    litigation for numerous reasons.
>>
>>    We also need to ask what happens is a domain claims to be a natural
>>    person, but is used for a company? We most certainly have malicious
>>    "Interpol", "United Nations" clone domains out there registered to
>>    natural persons. And fictitious companies. Even a registrant name "Bar
>>    Clay" used for a fake bank. This needs to be addressed as well as we
>>    are guaranteed to see abuse of the definitions here.
>>
>>>(As you may note if you looked at the 
>>>RDS-WHOIS2 report, registrars under the 2013 
>>>RAA must do some validation of contact 
>>>information for new an transfered domains, but 
>>>none to simple renewal. so there are currently 
>>>140,000,000 domains without verified 
>>>information (5 years after the 2013 RAA came 
>>>into force) and there is no requirement to 
>>>ever validate their information - so 
>>>unspecified time frames can last a LONG time.)
>>
>>    I believe we see the most abuse at the start of the domain's life
>>    cycle and the chance of abuse declines over time. This has most
>>    certainly been my experience in advance fee fraud. So we can be
>>    somewhat flexible on older established domains.
>>
>>    A bigger danger is registrars that have not signed the RAA 2013 and
>>    still bound under older versions of the RAA. I discovered one
>>    recently, much abused.
>>
>>    A potential loophole is in private domain resales. We encounter
>>    situations where the new owner simply changes the emails and not the
>>    other details, then starts abusing that domain. This is also used as a
>>    stepping stone to purchase new domains at the original registrar.
>>
>>
>>    Something to chew on, three years old but still as valid as ever:
>>
>> 
>>http://www.securityskeptic.com/2015/07/how-to-register-a-gtld-domain-name-without-disclosing-personal-data.html
>>
>>    Obviously there is a risk in displaying Legal Persons details. But if
>>    they can't protect themselves, how can they be expected to protect
>>    those they deal with? A simple explanation page to each registrant
>>    email would be simpler than trying to fix later where we're heading to.
>>
>>    Derek Smythe
>>    Artists Against 419
>>    http://www.aa419.org
>>
>>
>>    On 2018/10/15 03:12, Alan Greenberg wrote:
>>>Here is a question that we need an answer on no later than Tuesday
>>>morning.
>>>
>>>GDPR requires the information related to Natural Persons be protected
>>>(for those resident in Europe) be protected. GDPR does not apply to
>>>Legal Persons (ie companies).
>>>
>>>ICANN's Temporary Spec allows contracted parties to treat all
>>>registrant alike and subject to GDPR.
>>>
>>>The EPDP Charter includes questions about whether contracted parties
>>>may or must treat Legal Persons differently from Natural Persons.
>>>
>>>The GAC, BC and IPC have made strong statements about the need to
>>>restrict GDPS to Natural Persons. The contracted parties are pushing
>>>back - strongly. The words vary, but in essence what they are saying
>>>ranges from there should be no constraint on them to yes, they may
>>>differentiate but with an unspecified time-frame.  (As you may note if
>>>you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA
>>>must do some validation of contact information for new an transfered
>>>domains, but none to simple renewal. so there are currently
>>>140,000,000 domains without verified information (5 years after the
>>>2013 RAA came into force) and there is no requirement to ever validate
>>>their information - so unspecified time frames can last a LONG time.)
>>>
>>>I personally feel that it is essential that we should differentiate
>>>between legal persons and natural persons, just as GDPR and other
>>>privacy legislation does.
>>>
>>>Comments?
>>>
>>>Alan
>>>
>>>_______________________________________________
>>>CPWG mailing list
>>>CPWG at icann.org
>>>https://mm.icann.org/mailman/listinfo/cpwg
>>>_______________________________________________
>>>registration-issues-wg mailing list
>>>registration-issues-wg at atlarge-lists.icann.org
>>>https://mm.icann.org/mailman/listinfo/registration-issues-wg
>>    _______________________________________________
>>    registration-issues-wg mailing list
>>    registration-issues-wg at atlarge-lists.icann.org
>>    https://mm.icann.org/mailman/listinfo/registration-issues-wg
>>
>>
>>_______________________________________________
>>registration-issues-wg mailing list
>>registration-issues-wg at atlarge-lists.icann.org
>>https://mm.icann.org/mailman/listinfo/registration-issues-wg
>
>_______________________________________________
>registration-issues-wg mailing list
>registration-issues-wg at atlarge-lists.icann.org
>https://mm.icann.org/mailman/listinfo/registration-issues-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/registration-issues-wg/attachments/20181015/d4a30f2e/attachment-0001.html>


More information about the registration-issues-wg mailing list