[registration-issues-wg] [CPWG] Urgent EPDP question

Alan Greenberg alan.greenberg at mcgill.ca
Tue Oct 16 03:49:22 UTC 2018


There are all sorts of shortcuts and mechanisms to do this "sorting". But yes, ultimately there is a cost. And the only source of funds is registrants or other business if you chose to cross-subsidize. Just the same question as "who is paying for GDPR implementation?" or participation in the EPDP. No one forces you or anyone to be a registrar.

Alan


At 15/10/2018 03:50 PM, theo geurts wrote:

Who is going to pay to sort out millions of records? We talking 3 decades of data.  If we can exclude legacy data we might get somewhere.

Theo

On 15-10-2018 21:45, Alan Greenberg wrote:
Anyone else from the ALAC?  One more and we have a majority.

Alan

At 15/10/2018 05:14 AM, Tijani BEN JEMAA wrote:
I agree that Legal persons should be treated differently as required by the GDPR: Only natural persons are concerned.

- ----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
          +216 52 385 114
-----------------------------------------------------------------------------


Le 15 oct. 2018 à 10:01, Michele Neylon - Blacknight <michele at blacknight.com<mailto:michele at blacknight.com> > a écrit :

Derek

You can see exactly which version of the RAA registrars are signed onto here:

https://www.icann.org/registrar-reports/accredited-list.html

While there might have been one or two left on the 2009 contract up until relatively recently I cannot find any on the list now.

Regards

Michele



--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

On 15/10/2018, 08:17, "registration-issues-wg on behalf of Derek Smythe" <registration-issues-wg-bounces at atlarge-lists.icann.org on behalf of derek at aa419.org><mailto:registration-issues-wg-bounces at atlarge-lists.icann.orgonbehalfofderek@aa419.org> wrote:

   Yes, agreed 100%.

   Contracted parties should treat Legal Persons differently from Natural
   Persons.

   We are essentially asking consumers to sign a blank check/cheque when
   they try and deal with a new business that's GDPR protected as they
   can't do any form of due diligence in reality. This makes any consumer
   a potential target to loss of privacy, fraud and more.

   The only argument should really be as to whether this extends to all
   Natural Persons or just those of the EU.

   We need to consider a major concern here is the abuse of domains. How
   do we protect or mitigate? This is what keeps us all safer. Law
   enforcement simply cannot do it all as is a matter of record. Nor will
   litigation for numerous reasons.

   We also need to ask what happens is a domain claims to be a natural
   person, but is used for a company? We most certainly have malicious
   "Interpol", "United Nations" clone domains out there registered to
   natural persons. And fictitious companies. Even a registrant name "Bar
   Clay" used for a fake bank. This needs to be addressed as well as we
   are guaranteed to see abuse of the definitions here.

(As you may note if you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA must do some validation of contact information for new an transfered domains, but none to simple renewal. so there are currently 140,000,000 domains without verified information (5 years after the 2013 RAA came into force) and there is no requirement to ever validate their information - so unspecified time frames can last a LONG time.)

   I believe we see the most abuse at the start of the domain's life
   cycle and the chance of abuse declines over time. This has most
   certainly been my experience in advance fee fraud. So we can be
   somewhat flexible on older established domains.

   A bigger danger is registrars that have not signed the RAA 2013 and
   still bound under older versions of the RAA. I discovered one
   recently, much abused.

   A potential loophole is in private domain resales. We encounter
   situations where the new owner simply changes the emails and not the
   other details, then starts abusing that domain. This is also used as a
   stepping stone to purchase new domains at the original registrar.


   Something to chew on, three years old but still as valid as ever:

   http://www.securityskeptic.com/2015/07/how-to-register-a-gtld-domain-name-without-disclosing-personal-data.html

   Obviously there is a risk in displaying Legal Persons details. But if
   they can't protect themselves, how can they be expected to protect
   those they deal with? A simple explanation page to each registrant
   email would be simpler than trying to fix later where we're heading to.

   Derek Smythe
   Artists Against 419
   http://www.aa419.org<http://www.aa419.org/>


   On 2018/10/15 03:12, Alan Greenberg wrote:
Here is a question that we need an answer on no later than Tuesday
morning.

GDPR requires the information related to Natural Persons be protected
(for those resident in Europe) be protected. GDPR does not apply to
Legal Persons (ie companies).

ICANN's Temporary Spec allows contracted parties to treat all
registrant alike and subject to GDPR.

The EPDP Charter includes questions about whether contracted parties
may or must treat Legal Persons differently from Natural Persons.

The GAC, BC and IPC have made strong statements about the need to
restrict GDPS to Natural Persons. The contracted parties are pushing
back - strongly. The words vary, but in essence what they are saying
ranges from there should be no constraint on them to yes, they may
differentiate but with an unspecified time-frame.  (As you may note if
you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA
must do some validation of contact information for new an transfered
domains, but none to simple renewal. so there are currently
140,000,000 domains without verified information (5 years after the
2013 RAA came into force) and there is no requirement to ever validate
their information - so unspecified time frames can last a LONG time.)

I personally feel that it is essential that we should differentiate
between legal persons and natural persons, just as GDPR and other
privacy legislation does.

Comments?

Alan

_______________________________________________
CPWG mailing list
CPWG at icann.org<mailto:CPWG at icann.org>
https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________
registration-issues-wg mailing list
registration-issues-wg at atlarge-lists.icann.org<mailto:registration-issues-wg at atlarge-lists.icann.org>
https://mm.icann.org/mailman/listinfo/registration-issues-wg
   _______________________________________________
   registration-issues-wg mailing list
   registration-issues-wg at atlarge-lists.icann.org<mailto:registration-issues-wg at atlarge-lists.icann.org>
   https://mm.icann.org/mailman/listinfo/registration-issues-wg


_______________________________________________
registration-issues-wg mailing list
registration-issues-wg at atlarge-lists.icann.org<mailto:registration-issues-wg at atlarge-lists.icann.org>
https://mm.icann.org/mailman/listinfo/registration-issues-wg

_______________________________________________
registration-issues-wg mailing list
registration-issues-wg at atlarge-lists.icann.org<mailto:registration-issues-wg at atlarge-lists.icann.org>
https://mm.icann.org/mailman/listinfo/registration-issues-wg




_______________________________________________
registration-issues-wg mailing list

registration-issues-wg at atlarge-lists.icann.org<mailto:registration-issues-wg at atlarge-lists.icann.org>

https://mm.icann.org/mailman/listinfo/registration-issues-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/registration-issues-wg/attachments/20181016/31f26c11/attachment-0001.html>


More information about the registration-issues-wg mailing list