[Gnso-epdp-legal] Updated Question 11

Volker Greimann vgreimann at key-systems.net
Tue Oct 1 14:03:44 UTC 2019


I am not comfortable with asking this question at this time as it is 
unclear that reverse lookup will gain consensus regardless of the 
legality. The position of registrars remains that RDAP and SSAD lookups 
should not provide new functionalities that were not available as 
standard functions in the whois of yore.

While such features could be available on a voluntary basis by some 
registries, this would remain on a strictly voluntary basis to offer such 
a service.

I also object to this version being sent so shortly before the discussion 
time. I am sure no one had time to review.

Volker

On 01.10.2019 at 15:56, Margie Milam wrote:

> Hi-
>
> Here’s my proposal based on prior discussions with Brian, Thomas & 
> Volker. Please note that this language is not reviewed yet by Thomas, 
> Brian & Volker, but I am sharing for the purposes of discussion today.
>
> __________________________
>
> *_Updated Question 11_*
>
> /Status: Thomas, Volker, Brian and Margie to work together on refining 
> this question in advance of the next LC call on Tuesday, 1 October./
>
> (Previous text proposed by Margie): Is it permissible under GDPR to 
> provide fast, automated, and non-rate limited responses (as described 
> in SSAC 101) to nonpublic WHOIS data for properly credentialed 
> security practitioners^1 (as defined in SSAC 101) who are responsible 
> for defense against e-crimes (including network operators, providers 
> of online services, commercial security services, cyber-crime 
> investigators) for use in investigations and mitigation activities to 
> protect their network, information systems or services (as referenced 
> in GDPR Recital 49) and have agreed on appropriate safeguards? Or 
> would any automated disclosure carry a potential for liability of the 
> disclosing party, or the controllers or processors of such data? Can 
> counsel provide examples of safeguards (such as 
> pseudonymization/anonymization) that should be considered?
>
> In addition, does GDPR prohibit the SSAD from being designed to enable 
> reverse lookups based on contact fields associated with domain names 
> that have been identified as being used for DNS abuse, such as 
> phishing, malware and/or similar types of attacks? What are the risks 
> associated with reverse lookups, and if it is possible to conduct 
> reverse lookups, are there steps that can be taken to mitigate any 
> perceived risks?
>
> For purposes of this question, please assume the following safeguards 
> are in place:
>
> o Disclosure is required under CP’s contract with ICANN (resulting from 
> Phase 2 EPDP policy).
>
> o CP’s contract with ICANN requires CP to notify the data subject of 
> the purposes for which, and types of entities by which, personal data 
> may be processed. CP is required to notify data subject of this with 
> the opportunity to opt out before the data subject enters into the 
> registration agreement with the CP, and again annually via the 
> ICANN-required registration data accuracy reminder. CP has done so.
>
> o ICANN or its designee has validated/verified the requestor’s 
> identity, and required in each instance that the requestor:
>
> • represents that it has a lawful basis for requesting and processing 
> the data,
>
> • provides its lawful basis,
>
> • represents that it is requesting only the data necessary for its 
> purpose,
>
> • agrees to process the data in accordance with GDPR, and
>
> • agrees to EU standard contractual clauses for the data transfer.
>
> Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those 
> who have a responsibility to perform specific types of functions (as 
> specified in Section 3) related to the identification and mitigation 
> of malicious activity, and the correction of problems that negatively 
> affect services and users online.   are entities that have either 
> legal authority and/or legal responsibility to protect their 
> technology/network/infrastructure, such as national CERTs, and also 
> DSPs. (See the UK ICO 
> (https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/) 
> since these types of companies appear to have security obligations 
> (https://ico.org.uk/for-organisations/the-guide-to-nis/security-requirements/).
>
>
>
> _______________________________________________
> Gnso-epdp-legal mailing list
> Gnso-epdp-legal at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.