[Gnso-rds-pdp-7] Proposed roll-up purposes

[Ayden Férdeline]

Hi,

Apologies that I was unable to attend yesterday's call.

I understand that we are not yet at the stage where we are assessing the validity of a purpose, so I have been trying to avoid entering into that arena, however I find it very problematic the broad categories of users who supposedly need access to all of this data:

"regulatory authorities, law enforcement, cybersecurity professionals, IT administrators, automated protection systems and other incident responders"

This is simply too broad. These parties may have a legitimate need for domain meta data (though I question what "IT administrators" and "other incident responders" are - I think we should define all user types and strike these two out, rather than have something so open-ended listed), but they do not necessarily have a need for registrant contact information. In some instances, perhaps.

I would also like to strike "etc" from the final sentence of investigation, notification, and reputation, because it is too expansive. Thanks.

—Ayden

> -------- Original Message --------
> Subject: [Gnso-rds-pdp-7] Proposed roll-up purposes
> Local Time: 8 November 2017 6:15 AM
> UTC Time: 8 November 2017 06:15
> From: rod at rodrasmussen.com
> To: gnso-rds-pdp-7 at icann.org
>
> I’m going to leave off the “consequences of not providing information" for now - that’s not part of the purpose.  However, we should work on that separately and include that feedback as part of our final product.
>
> Investigation:
>
> The following information is to be made available to regulatory authorities, law enforcement, cybersecurity professionals, IT administrators, automated protection systems and other incident responders for the purpose of enabling identification of the nature of the registration and operation of a domain name linked to abuse and/or criminal activities to facilitate the eventual mitigation and resolution of the abuse identified: Domain metadata (registrar, registration date, nameservers, etc.), Registrant contact information, Registrar contact Information, DNS contact, etc..
>
> Notification:
>
> The following information is collected and made available for the purpose of enabling notification by regulatory authorities, law enforcement, cybersecurity professionals, IT administrators, automated protection systems and other incident responders of the appropriate party (registrant, providers of associated services, registrar, etc), of abuse linked to a certain domain name registration to facilitate the mitigation and resolution of the abuse identified: Registrant contact information, Registrar contact Information, DNS contact, etc..
>
> Reputation:
>
> The following information is to be made available to organizations running automated protection systems for the purpose of enabling the establishment of reputation for a domain name to facilitate the provision of services and acceptance of communications from the domain name examined: Domain metadata (registrar, registration date, nameservers, etc.), Registrant contact information, Registrar contact Information, DNS contact, etc..
>
> We should chat more about the particulars here, but these cover the concepts.  I would argue that the first and third are purely a “display” purpose, but the second could be used as justification of collection.  If nothing else, collecting an “abuse contact” requires number two for justification at all.
>
> Cheers,
>
> Rod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-7/attachments/20171108/66294081/attachment.html>