[CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
Evan Leibovitch
evanleibovitch at gmail.com
Tue Aug 7 17:58:51 UTC 2018
I don't know about the Europeans or the California government. I do have
more than a decade's experience in ICANN, however, and have observed that
its track record in both decent privacy and decent accessibility is
abysmal.
___________________
Evan Leibovitch, Toronto
@evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll at ca.inter.net> wrote:
> With respect Evan, saying I am missing the point is not really
> respectful. No one is arguing for privacy without protections. I don't
> have all the information I need to support this, but I have a feeling
> the European Data Protection people might have thought about this. They
> don't want to protect bad actors either. And I have heard that a
> similiar law to GDPR is under consideration in California. So I don't
> see any need to think we are only ones concerned with keeping bad actors
> out of the ring.
>
> Marita
>
>
> On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
> > Hi Marita,
> >
> > I think you may be missing the point when you state that "keeping the
> > private info of registrants out of the hands of bad actors protects
> > both parties". The examples that exist in abundance come from
> > registrants who /ARE themselves/ the bad actors, that hide behind
> > either privacy regulations or inaccurate contact information to avoid
> > being held to account for their harm.
> >
> > Just as the right to freedom of speech is not absolute -- even in
> > America -- neither is the right to privacy a way to hide
> > accountability for causing demonstrable harm. Augmenting privacy with
> > tiered access is fine so long as it is accessible to victims and
> > effective in execution; that is exactly the balance of which I speak.
> > This won't be easy -- being physically threatened demands a different
> > response to merely being insulted -- but it is vital. Without such
> > checks and balances, absolute privacy is a sure source of far more
> > harm than good. For every whistleblower protected, a dozen others will
> > be scammed out of their life savings, and thousands more will live in
> > fear for their lives because of death threats from those with
> > unchecked anonymity. This is not theory, it is happening.
> >
> > In summary, it is both naive and against the global public interest to
> > advocate for privacy without advocating just as strenuously for
> > appropriate protections against bad actors who seek to exploit that
> > privacy to cause harm. At-Large seeks both.
> >
> > - Evan
> >
> >
> > PS: I absolutely reject the assertion that it is fear-mongering to
> > simply want to prevent abuse of privacy by some registrants that is
> > both clearly evidenced and ongoing.
> >
> >
> > On Aug 7, 2018, at 11:55, Marita Moll <mmoll at ca.inter.net
> > <mailto:mmoll at ca.inter.net>> wrote:
> >
> > Hello Evan and Allan. I agree with a number of those here how have
> > suggested that the interests of registrants and end-users are not
> that
> > different. Keeping the private info of registrants out of the hands
> of
> > bad actors protects both parties. If crimes are committed, having
> tiered
> > access to the info would release that info to validated authorities.
> As
> > a registrant, I don't want my private information out there if it
> isn't
> > necessary. And I don't see how shielding my private info on WhoIS
> will
> > endanger my neighbour once tiered access is agreed upon. This is no
> > different from the way the law usually works -- we don't all have to
> > live in glass houses in order to be safe. We need well thought out
> > procedures that protect all of us.
> >
> > It's just my opinion. I know others have good arguments. But I don't
> buy
> > the scary scenarios being presented by some groups hoping to scuttle
> > this whole thing. If the Europeans don't think the world will come
> to an
> > end once GDPR is enforced, why is the boogey man being unleashed in
> > North America?
> >
> > http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
> >
> > Marita
> >
> >
> > On 8/7/2018 5:09 AM, Alan Greenberg wrote:
> >
> > Marita, you cannot take one phrase out of context. If you go
> > back in the thread (which was not fully copied here) I believe
> > that a major concern of Holly and Bastiaan was that my
> > statement sounded like it was trying to get around GDPR, but
> > in fact compliance with GDPR is (to use a Startrek expression)
> > "the prime directive". It is not a simple matter of security
> > vs privacy. If, for instance, we were talking about USER
> > security vs USER privacy, we would have a real challenge in
> > deciding which was more important and I am pretty sure we
> > would not even try in the general case. But that is not what
> > we are taking about here. We are talking about gTLD REGISTRANT
> > privacy vs USER security. And the ALAC's position has
> > previously been that although we care about registrants (and
> > their privacy and their domains etc) and have put very
> > significant resources into supporting gTLD registrants, the
> > shear number of users makes their security and ability to use
> > the Internet with relative safety and trust takes precedence
> > over the privacy of the relative handful of gTLD registrants.
> > That is why ICANN has (and continues to) support the existing
> > WHOIS system to the extent possible. That is the entire gist
> > of the Temporary Spec. - /"Consistent with ICANN’s stated
> > objective to comply with the GDPR, while maintaining the
> > existing WHOIS system to the greatest extent possible, the
> > Temporary Specification maintains....." /And I note with some
> > amusement that some filter along the way has flagged this
> > entire thread as SPAM. Alan At 06/08/2018 12:08 PM, Marita
> > Moll wrote:
> >
> > I am in agreement with Tijani, Holly, Bastian and Michele.
> > Perhaps it is unintentional, but the language does send
> > the message that we are looking more carefully at security
> > than privacy. I am also not convinced that end-users would
> > want us to do that. Marita On 8/3/2018 10:30 AM, Tijani
> > BEN JEMAA wrote:
> >
> > Very interesting discussion. This issue has been
> > discussed several times and the positions didn’t
> > change. What bothers me is the presentation of the
> > registrants interest as opposite to the remaining
> > users ones. they are not since the registrants are
> > also subject to the domain abuse. You are speaking
> > about 4 billion users; these include all: contracted
> > parties, business, registrants, governments, etc. We
> > are about defending the interest of all of them as
> > individual end users, not as registry, registrar,
> > businessman, minister, etc…. You included theÂ
> > cybersecurity researchers; you know how Cambridge
> > Analytica got the American data from Facebook? They
> > requested to have access to these data for research,
> > and the result was the American election result
> > impacted. So, I agree with Bastiaan that we need to be
> > careful and care about the protection of personal data
> > as well as the prevention of any harmful use of the
> > domain names, both together.
> >
> ------------------------------------------------------------------------
> > *Tijani BEN JEMAA* Executive Director Mediterranean
> > Federation of Internet Associations (*FMAI*) Phone:
> > +216 98 330 114 +216 52 385 114
> >
> ------------------------------------------------------------------------
> >
> > Le 3 août 2018 à 07:22, Bastiaan Goslings
> > <bastiaan.goslings at ams-ix.net
> > <mailto:bastiaan.goslings at ams-ix.net
> > <mailto:bastiaan.goslings at ams-ix.net>>> a écrit :
> > Thanks for clarifying, Alan. As a matter of
> > principle I agree with Holly - and Michele. While
> > I think I understand the good intent of what you
> > are saying, your earlier responses almost sound to
> > me like a false ‘security versus privacy’
> > dichotomy. Like, the number of people (users) that
> > care about security as opposed to those
> > (registrants) that want their privacy protected to
> > the max is larger. Etc. Apologies if I am
> > oversimplifying things here, I do not mean to. In
> > this particular EPDP case though I am convinced
> > that we can find a common ground on what the ALAC
> > members and alternates should bring to the table.
> > In terms of perceived registrants’ and general
> > Internet end-users’ interests. As you rightly
> > state, it is about being GDPR compliant. So we do
> > not have to be philosophical about a rather broad
> > term like ‘privacy’ and argue about whether it
> > is in conflict with e.g. the interest of LEAs.
> > Indeed, ‘Privacy is not absolute’. However,
> > ‘due process’ is a(nother) no brainer, not
> > just because it might be a legal requirement. From
> > what I understand the work being done on defining
> > Access and Accreditation criteria is keeping that
> > principle in mind, and within in the MS context of
> > the EPDP we can together see to it that it does
> > end up properly enshrined in policy and contracts.
> > -Bastiaan
> >
> > On 3 Aug 2018, at 01:10, Alan Greenberg
> > <alan.greenberg at mcgill.ca
> > <mailto:alan.greenberg at mcgill.ca
> > <mailto:alan.greenberg at mcgill.ca>>> wrote:
> > Holly, the original statement ends with "All
> > within the constraints of GDPR of course." I
> > don't know how to make that clearer. We would
> > be absolutely FOOLISH to argue for anything
> > else, since it will not be implementable. That
> > being said, if through the EPDP or otherwise
> > we can help make the legal argument for why
> > good access for the folks we list at the end
> > is within GDPR, more power to us. GDPR (and
> > eventually similar legislation/regulation
> > elsewhere) is the overall constraint. It is
> > equivalent to the laws of physics which for
> > the moment we need to consider inviolate. So
> > my statement that "other issues trump privacy"
> > is within that context. But just as
> > proportionality governs what GDPR will decree
> > as private in any given case, so it will
> > govern what is not private. It all depends on
> > making the legal argument and ultimately in
> > needed convincing the courts. They are the
> > arbiters, not me or anyone else in ICANN. In
> > the US, there is the constitutional right to
> > freedom of speech, but it is not unconstrained
> > and there are limits to what you are allowed
> > and not allowed to say. And from time to time,
> > the courts and legislatures weigh in and
> > decide where the line is. Alan At 02/08/2018
> > 06:42 PM, Holly Raiche wrote:
> >
> > Hi Alan I have concerns with your
> > statement - and since your reply below,
> > with our statement of principles for the
> > EPDP. As I suggested in my email of 1
> > August, we need to be VERY clear that we
> > are NOT arguing against implementation a
> > policy that is compliant with the GDPR. Â
> > We are arguing for other issues that
> > impact on users - WITHIN the umbrella of
> > the GDPR. Â And if we do not make that
> > very clear, then we look as if we are not
> > prepared to operate within the bounds of
> > the EPDP - which is all about developing a
> > new policy to replace the RDS requirements
> > that will allow registries/registrars to
> > comply with their ICANN contracts and
> > operate within the GDPR framework. So your
> > statement below that ‘yes, other issues
> > trump privacyÂ’ - misstates that. Â What
> > we are (or should be) arguing for is a
> > balance of rights of access that - to the
> > greatest extend possible - recognises the
> > value of RDS to some constituencies with
> > legitimate purposes - WITHIN the GDPR
> > framework. That implicitly accepts that
> > people/organisations that once had free
> > and unrestricted access to the data will
> > no longer have that open access. And for
> > ALAC generally, I will repeat what I said
> > in my 1 August email - our statement of
> > principles must be VERY clear that we are
> > NOT arguing for a new RDS policy that goes
> > outside of the GDPR. Holly On 3 Aug 2018,
> > at 1:29 am, Alan Greenberg
> > <alan.greenberg at mcgill.ca
> > <mailto:alan.greenberg at mcgill.ca
> > <mailto:alan.greenberg at mcgill.ca>> > wrote:
> >
> > At 02/08/2018 10:37 AM, Michele Neylon
> > - Blacknight wrote:
> >
> > Jonathan / Alan Thanks for the
> > clarifications. 3 - I don't know
> > how you can know what the
> > interests of a user are. The
> > assumption you seem to be making
> > is that due process and privacy
> > should take a backseat to access
> > to data
> >
> > Privacy is not absolute but based on
> > various other issues. So yes, we are
> > saying that in some cases, the other
> > issues trump privacy. Perhaps we
> > differ on where the dividing line is.
> >
> > 4 - Same as 3. Plenty of ccTLDs
> > never offered PII in their public
> > whois and there weren't any issues
> > with security or stability.
> > Skipping due process for "ease of
> > access" is a very slippery and
> > dangerous slope.
> >
> > Both here and in reply to #3, the term
> > "due process" tends to be used in
> > reference to legal constraints
> > associated with law enforcement
> > actions as sanctioned by laws and
> > courts. That is one path to unlocking
> > otherwise private information. A major
> > aspect of the GDPR implementation will
> > be identifying other less cumbersome
> > and restricted processes for accessing
> > WHOIS data by a variety of partners.
> > It will not be unconstrained nor will
> > it be as cumbersome as going to court
> > (hopefully). Alan
> >
> > Regards Michele -- Mr Michele
> > Neylon Blacknight Solutions
> > Hosting, Colocation & Domains
> > https://www.blacknight.com/
> > <https://www.blacknight.com/>
> > https://blacknight.blog/
> > <https://blacknight.blog/> Intl.
> > +353 (0) 59 Â 9183072 Direct Dial:
> > +353 (0)59 9183090 Personal blog:
> > https://michele.blog/ Some
> > thoughts: https://ceo.hosting/
> >
> ------------------------------------------------------------------------
> > Blacknight Internet Solutions Ltd,
> > Unit 12A,Barrowside Business
> > Park,Sleaty
> > Road,Graiguecullen,Carlow,R93
> > X265,Ireland  Company No.: 370845
> > On 02/08/2018, 15:03,
> > "Jonathan Zuck"
> > <JZuck at innovatorsnetwork.org>
> > wrote: Â Â Thanks Michele! Â Â 3.
> > Where there appears to be a
> > conflict of interest between a
> > registrant and non-registrant end
> > user, we'll be endeavoring to
> > represent the interests of the
> > non-registrant end user. Â Â 4.
> > Related to 3. This is simply an
> > affirmation of the interests of
> > end users in a stable and secure
> > internet and it is those interests
> > we'll be representing. We've
> > included law enforcement because
> > efficiencies regarding their
> > access may come up. Just because
> > there's always a way for them to
> > get to data doesn't mean it's the
> > best way. Â Â Make sense? Â Â
> > Jonathan   -----Original
> > Message----- Â Â From: GTLD-WG
> > <
> gtld-wg-bounces at atlarge-lists.icann.org>
> > On Behalf Of Michele Neylon -
> > Blacknight   Sent: Wednesday,
> > August 1, 2018 12:34 PM Â Â To:
> > Alan Greenberg
> > <alan.greenberg at mcgill.ca>; CPWG
> > <cpwg at icann.org> Â Â Subject: Re:
> > [GTLD-WG] [CPWG]
> > [registration-issues-wg] ALAC
> > Statement regarding EPDP Â Â Alan
> >   1 - good   2 - good   3 -
> > I don't understand what that means
> > Â Â 4 - Why are you combining law
> > enforcement and private parties?
> > Law enforcement can always get
> > access to data when they follow
> > due process.   Regards  Â
> > Michele   --   Mr Michele
> > Neylon   Blacknight Solutions Â
> > Â Hosting, Colocation & Domains Â
> > Â https://www.blacknight.com/
> > <https://www.blacknight.com/> Â Â
> > https://blacknight.blog/
> > <https://blacknight.blog/> Â Â
> > Intl. +353 (0) 59 Â 9183072 Â Â
> > Direct Dial: +353 (0)59 9183090 Â
> > Â Personal blog:
> > https://michele.blog/ Â Â Some
> > thoughts: https://ceo.hosting/ Â Â
> >
> ------------------------------------------------------------------------
> > Â Â Blacknight Internet Solutions
> > Ltd, Unit 12A,Barrowside Business
> > Park,Sleaty  Â
> > Road,Graiguecullen,Carlow,R93
> > X265,Ireland  Company No.: 370845
> > Â Â On 01/08/2018, 17:27,
> > "registration-issues-wg on behalf
> > of Alan Greenberg"
> > <
> registration-issues-wg-bounces at atlarge-lists.icann.org
> > on behalf of
> > alan.greenberg at mcgill.ca> wrote: Â
> > Â Â Â Â Â Yesterday, the EPDP
> > Members were asked to present a
> > 1-3 minute       summary of
> > their groups position in regard to
> > the EPDP. The following     Â
> > Â is the statement agreed to by
> > me, Hadia, Holly and Seun. Â Â Â Â
> > Â Â 1. Â Â The ALAC believes that
> > the EPDP MUST succeed and will be
> > working       toward that
> > end. Â Â Â Â Â Â 2. Â Â We have a
> > support structure that we are
> > organizing to ensure      Â
> > that what we present here is
> > understood by our community and
> > has       their input and
> > support. Â Â Â Â Â Â 3. Â Â The
> > ALAC believes that individual
> > registrants are users and we   Â
> > Â Â Â have regularly worked on
> > their behalf (as in the PDP that
> > we       initiated to
> > protect registrant rights when
> > their domains expire), if    Â
> > Â Â registrant needs differ from
> > those of the 4 billion Internet
> > users       who are not
> > registrants, those latter needs
> > take precedence. We      Â
> > believe that GDPR and this EPDP
> > are such a situation. Â Â Â Â Â Â
> > 4. Â Â Although some Internet
> > users consult WHOIS and will not
> > be able       to do so in
> > some cases going forward, our main
> > concern is access for      Â
> > those third parties who work to
> > ensure that the Internet is a safe
> > Â Â Â Â Â Â and secure place for
> > users and that means that law
> > enforcement, Â Â Â Â Â Â
> > cybersecurity researchers, those
> > combatting fraud in domain names,
> > Â Â Â Â Â Â and others who help
> > protect users from phishing,
> > malware, spam, Â Â Â Â Â Â fraud,
> > DDoS attacks and such can work
> > with minimal reduction in    Â
> > Â Â access to WHOIS data. All
> > within the constraints of GDPR of
> > course. Â Â Â Â Â Â
> >
> ------------------------------------------------------------------------
> >       CPWG mailing list  Â
> >     CPWG at icann.org      Â
> >
> https://mm.icann.org/mailman/listinfo/cpwg
> > <
> https://mm.icann.org/mailman/listinfo/cpwg>
> > Â Â Â Â Â Â
> >
> ------------------------------------------------------------------------
> > Â Â Â Â Â Â registration-issues-wg
> > mailing list      Â
> >
> registration-issues-wg at atlarge-lists.icann.org
> > Â Â Â Â Â Â
> >
> https://mm.icann.org/mailman/listinfo/registration-issues-wg
> > Â Â
> >
> ------------------------------------------------------------------------
> >   CPWG mailing list  Â
> > CPWG at icann.org  Â
> >
> https://mm.icann.org/mailman/listinfo/cpwg
> > <
> https://mm.icann.org/mailman/listinfo/cpwg>
> > Â Â
> >
> ------------------------------------------------------------------------
> >   GTLD-WG mailing list  Â
> > GTLD-WG at atlarge-lists.icann.org Â
> > Â
> >
> https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
> > Â Â Working Group direct URL:
> >
> https://community.icann.org/display/atlarge/New+GTLDs
> >
> >
> >
> ------------------------------------------------------------------------
> > CPWG mailing list CPWG at icann.org
> > <mailto:CPWG at icann.org
> > <mailto:CPWG at icann.org>>
> >
> https://mm.icann.org/mailman/listinfo/cpwg
> > <
> https://mm.icann.org/mailman/listinfo/cpwg>
> >
> >
> ------------------------------------------------------------------------
> > registration-issues-wg mailing list
> >
> registration-issues-wg at atlarge-lists.icann.org
> >
> https://mm.icann.org/mailman/listinfo/registration-issues-wg
> >
> >
> >
> ------------------------------------------------------------------------
> > CPWG mailing list CPWG at icann.org
> > <mailto:CPWG at icann.org
> > <mailto:CPWG at icann.org>>
> > https://mm.icann.org/mailman/listinfo/cpwg
> > <https://mm.icann.org/mailman/listinfo/cpwg>
> >
> >
> ------------------------------------------------------------------------
> > CPWG mailing list CPWG at icann.org
> > <mailto:CPWG at icann.org <mailto:CPWG at icann.org>>
> > https://mm.icann.org/mailman/listinfo/cpwg
> > <https://mm.icann.org/mailman/listinfo/cpwg>
> >
> >
> ------------------------------------------------------------------------
> > CPWG mailing list CPWG at icann.org
> > https://mm.icann.org/mailman/listinfo/cpwg
> > <https://mm.icann.org/mailman/listinfo/cpwg>
> >
> >
> ------------------------------------------------------------------------
> > CPWG mailing list CPWG at icann.org
> > https://mm.icann.org/mailman/listinfo/cpwg
> > <https://mm.icann.org/mailman/listinfo/cpwg>
> >
> ------------------------------------------------------------------------
> > GTLD-WG mailing list GTLD-WG at atlarge-lists.icann.org
> > https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
> > <https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg>
> > Working Group direct URL:
> > https://community.icann.org/display/atlarge/New+GTLDs
> > <https://community.icann.org/display/atlarge/New+GTLDs>
> >
> >
> >
> ------------------------------------------------------------------------
> >
> > CPWG mailing list
> > CPWG at icann.org
> > https://mm.icann.org/mailman/listinfo/cpwg
> >
> >
> ------------------------------------------------------------------------
> >
> > GTLD-WG mailing list
> > GTLD-WG at atlarge-lists.icann.org
> > https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
> >
> > Working Group direct URL:
> https://community.icann.org/display/atlarge/New+GTLDs
> >
>
> _______________________________________________
> CPWG mailing list
> CPWG at icann.org
> https://mm.icann.org/mailman/listinfo/cpwg
> _______________________________________________
> GTLD-WG mailing list
> GTLD-WG at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
>
> Working Group direct URL:
> https://community.icann.org/display/atlarge/New+GTLDs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/cpwg/attachments/20180807/942c45c5/attachment-0001.html>
More information about the CPWG
mailing list