[Accred-Model] Letter from FIRST to ICANN regarding GDPR impact on WHOIS

[Rubens Kuhl]

> On 20 Apr 2018, at 18:57, John R. Levine <johnl at iecc.com> wrote:
> 
>> It would be of real benefit if FIRST and WP29 came up together with legal basis for accessing whole data repositories in doing threat intelligence, anti-abuse and incident response, ...
> 
> A quick look at Article 6, section 1, of the GDPR, finds subsection e) a task carried out in the public interest, and f) legitimate interests [of] the controller or a third party.  Considering the GAC advice that ICANN has received, I think the case for both public interest and legitimate interest are overwhelming.
> 
> You may disagree, but give it a rest, please.

While I do disagree, based on the many legal opinions I've read (where the EU definition on public interest doesn't equate to the commonplace US one and only allows public organisations to claim public interest), my opinion doesn't carry any weight whatsoever; DPAs opinions do. What I'm suggesting is to cut the middle-man (the data controllers) and go directly to DPAs, present a compelling case and get basis that allow InfoSec work with WHOIS to keep going. No issues with interpretations, biases, agendas; and frankly, I hope the InfoSec community does succeed in getting it.


> 
> Regards,
> John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
> 
> PS: I do agree that consent is not a strong basis here.


That's a start. ;-)


Rubens


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 529 bytes
Desc: Message signed with OpenPGP
URL: <http://mm.icann.org/pipermail/accred-model/attachments/20180420/62818cd5/signature.asc>