[Accred-Model] Letter to ICANN from RiskIQ

Rubens Kuhl rubensk at nic.br
Sun Apr 22 18:21:20 UTC 2018



> On 22 Apr 2018, at 14:46, <trachtenbergm at gtlaw.com> <trachtenbergm at gtlaw.com> wrote:
> 
> Rubens,
> 
> See some preliminary responses below to your responses. I will likely have additional ones later, but am traveling and these jump out at me:
> 
>> No contract can exempt parties from following applicable law, otherwise there would be no laws.
> 
> This is not true in the U.S. In the U.S., courts may choose to enforce some provisions in contracts even though they violate applicable law. Of course I recognize that EU and EU member state law are applicable here in the relevant cases, but are you certain that the same is not true in all EU and member state courts? Have you done legal research on this or are you just making a logical conclusion? If the latter, oftentimes logical conclusions and how the law is drafted or applied are not the same.

Not legal research, not a logical conclusion; it's the experience of living in a civil law country, as opposed to a case law country like the US. Welcome to our side of the world.

> I would also point out that we do not know that showing registrant name and email violates GDPR and there is no evidence or indication that there is not a sufficient legitimate interest to display such that doesn't outweigh the data subject's interest in privacy.

You are welcome to make that point to DPAs and get them to say so. Before that happens, the many lawyers hired by contracted parties and ICANN seem to be in large agreement that they are. From the first part of the Hamilton papers:
https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en.pdf

"Some of this data is clearly personal data (e.g. the name and address of a natural person)"
"Even if the information relates only to a legal person, it would still constitute personal data if, for instance, the company name includes the name of an identifiable natural person, if the contact address is a natural person’s residence or if the e-mail contact address contains the name of a natural person."


> 
>> While WHOIS was a useful correlation tool, other techniques such as Passive DNS (2004) have been providing really good intelligence from actual attempts at bypassing security... so it's not fair to say that without WHOIS, everything falls apart.
> 
> This could only be said by someone who does not do online enforcement on an everyday or even regular basis. As someone who does, I can assure you that WhoIs is the foundation and starting point for all online investigation and enforcement and without it those conducting such efforts to protect everyone, including you, like law enforcement, researchers, and intellectual property owners, will be blind. This is particularly the case that the majority of attacks now are not content (i.e.) website based. Without WhoIs that shows registrant name and email there is no effective online investigation and enforcement, plain and simple.

The problem with choosing an ad-hominem attack on someone you don't know is that it increases your odds of being wrong. I happen to take down a dozen domains a day as part of my mission as liaison to a threat intelligence community, and just last week I was coordinating a take-down of a 300+ domain set owned by a single criminal organisation. So, I'm talking from 20+ years of experience and technical knowledge when I say what other avenues there are to achieve the same goals.

And if this group wants to proceed towards a community-acceptable model, I strongly suggest refraining from ad-hominem arguments.


> 
>> "force majeure" clause that, among other things, prevents liability from change of applicable law.
> 
> 
> Most force majeure clauses I have seen in contracts, including those governed by EU member state law do not include change in law as a trigger. Rather they refer to things like "Acts of God", strikes, and natural disasters. But even if such clauses do cover change in law, as I mentioned above, we do not know that showing registrant name and email violates GDPR and there is no evidence or indication that there is not a sufficient legitimate interest to display such that doesn't outweigh the data subject's interest in privacy.
> 

https://www.icann.org/en/system/files/correspondence/falque-pierrotin-to-chalaby-marby-06Dec17-en.pdf

"ICANN and the registries would also not be able to rely on a legitimate interest for making available all personal data in WHOIS directories to the general public."

But as I said before, cut out the middleman and get the DPAs to say exactly what you believe is right. Then anyone not agreeing would first have to challenge that in a European court, but still comply with it in the meantime.


Rubens
