[gnso-rds-pdp-wg] Dangers of public whois

benny at nordreg.se benny at nordreg.se
Tue Feb 14 22:21:21 UTC 2017


Proof of ownership of the registration for example
The hidden data can be turned public for getting an SSL certificate and then hidden again

I am not saying it's a perfect solution but a start to think differently from what we have today in the gTLD world


Sent from my iPhone

On 14 Feb 2017, at 23:11, allison nixon <elsakoo at gmail.com> wrote:

What would the WHOIS data be used for once it is made private? Why would people want to supply correct, or any, data? If it isn't used for financial transactions with the registrar, and can no longer be used as a public contact "phone book", then aside from criminal investigations what is the point of this?

On Tue, Feb 14, 2017 at 5:02 PM, benny at nordreg.se <benny at nordreg.se> wrote:
Oh sorry I forgot that it was stated that just give fake info and you are safe...

That's in my opinion a sign of a sick system which badly needs to be fixed!

I will point to a previous post with .SE which has a built-in protection of private registered domains; people give correct data because they can trust the system for not leaking data.
Are there abuse cases? Yes, but they are solvable even with the non-public data.

But if you have a good example of a cost free alternative solution which will work in any jurisdiction I will be happy to hear about it. It will probably educate others too with knowledge...

Sent from my iPhone

> On 14 Feb 2017, at 22:48, Kiran Malancharuvil <Kiran.Malancharuvil at markmonitor.com> wrote:
>
> Why would the cost of owning a domain name be giving up sensitive private information when there are so many alternatives? Contactable information does not mean information that makes you vulnerable.
>
> Kiran Malancharuvil
> Policy Counselor
> MarkMonitor
> 415-419-9138 (m)
>
> Sent from my mobile, please excuse any typos.
>
>> On Feb 14, 2017, at 1:41 PM, "benny at nordreg.se" <benny at nordreg.se> wrote:
>>
>> I will admit that stupid was a bad choice of word.
>>
>> But we all know that most people don't read the info about privacy and what they agree to by accepting conditions and so on. I will still argue that that is not an excuse for not making a better system which prevents public data in Whois from being abused on a daily basis.
>>
>> That can't all be put on the registrars' responsibility; it must be anchored through policy and community support through a system that provides the best possible solution for all parts. If that is realistic is another question which only time will show what we can deliver as a united group where compromises from all must be admitted.
>>
>> If owning a domain is a privilege and the cost is giving up your private info, receiving spam and your data being used for fraud and ID theft then we can just conclude that personal domains are only for the elite who pay the extra costs of privacy and the rest can sell their souls to Google, Microsoft or some of the others with so-called free services. But is that what we really want?
>>
>> I doubt it....
>>
>> Sent from my iPhone
>>
>>> On 14 Feb 2017, at 22:10, Kiran Malancharuvil <Kiran.Malancharuvil at markmonitor.com> wrote:
>>>
>>> Benny,
>>>
>>> Perhaps you recall in the article that sparked this discussion that even the author acknowledges that education about Whois and who has access to the data may be key to avoid disclosure of sensitive data, and perhaps that is the responsibility of the Registrar.  I don't think anyone suggested that only "stupid people" put in real addresses.  Lack of education about something doesn't mean you're stupid, it may mean you weren't given the proper education and resources.  With the proper education and resources, perhaps people will do what they do whenever they have to give an address for public records (such as business incorporation documents), e.g.: create a d/b/a.  After all, it's not as if everyone is forced to own a domain name and forced to put in home contact information.  Like owning a business, owning a domain name is a privilege that should (of course) be afforded to as many people as possible, according to desire and (perhaps) comes with some responsibilities such as providing contactable information.
>>>
>>> Thanks,
>>>
>>> Kiran
>>>
>>> Kiran Malancharuvil
>>> Policy
>>> MarkMonitor
>>> 415.222.8318 (t)
>>> 415.419.9138 (m)
>>> www.markmonitor.com
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of benny at nordreg.se
>>> Sent: Tuesday, February 14, 2017 10:35 AM
>>> To: allison nixon <elsakoo at gmail.com>
>>> Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>>> Subject: Re: [gnso-rds-pdp-wg] Dangers of public whois
>>>
>>> Can you please reveal where you work and your job title? I would love to put this advice forward to ICANN compliance when we will be held up for allowing this…
>>>
>>> It would be very helpful to have a good reference saying that only stupid people put in their real address
>>> --
>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>
>>> Benny Samuelsen
>>> Registry Manager - Domainexpert
>>>
>>> Nordreg AB - ICANN accredited registrar
>>> IANA-ID: 638
>>> Phone: +46.42197080
>>> Direct: +47.32260201
>>> Mobile: +47.40410200
>>>
>>>> On 14 Feb 2017, at 19:20, allison nixon <elsakoo at gmail.com> wrote:
>>>>
>>>>>> to your first point: the right to privacy of one's own data may be different where I live and where you live. Suffice it to say that in our day-to-day business we get enough complaints from customers who feel their privacy has been violated either by our putting their data out for everyone to see or by customers of ours who provide services that do the same. And we both agree that whois privacy will not protect you 100%.
>>>>
>>>> So put your contact address as "123 fake st" and your phone number as "555-555-5555". Make a fake email. No one is forcing you to disclose more than you want to. And the only people who disclose too much are doing so by mistake, not by coercion.
>>>>
>>>>>> to your second point: why is requiring the same legal standard for accessing data of customers of hosting service providers, of ebay account holders, of Amazon sellers and many other areas where the data is not public suddenly not feasible for customers of domain name registrars?  Our privacy service gets regular subpoenas for data of customers. Why is making that the standard suddenly the end of the world?
>>>>
>>>> Because when I purchase something from Amazon, I need to give my credit card number, address, zip, etc.  Similarly, we do not get payment details from the registrar, even though they require billing address and zip code, which is a completely different dataset than the zip codes in WHOIS data. WHOIS data is completely arbitrary and not required to complete any transactions.
>>>>
>>>>>> And while I appreciate the good work that many like John are doing on a private level, ultimately they are not law enforcement and are not entitled to the same level of access as law enforcement has just like a rent-a-cop does not have the same law enforcement powers a real cop has.
>>>>
>>>> Your comparisons between anti-abuse and rent-a-cops further demonstrates your disrespect. I am happy to allow law enforcement to fully take over this work, but this field has not matured enough yet, and the literacy just isn't there. The skills, experience, and power rests almost fully in the private sector. This isn't some mall cop operation. It's the last line of defense between you and all manner of bad things happening to you. You might not like that, and you probably don't want to recognize that as legitimate, but it's reality. You should thank the people defending your networks, and the people defending the networks of companies you do business with.
>>>>
>>>>>> Re: Spamhaus: I have worked with them and while they provide a valuable anti-spam service, some of their methods or publications leave a lot to be desired. The fact that they often outright refuse to provide evidence of their claims, the fact that they outright lie to ICANN compliance, and the fact that they bend numbers any way they need to fit their narrative do not help to build trust and work with them as partners. I think they provide a good service but ultimately they are vigilantes and often overshoot their mark. This "study" is one such instance where they present a result without allowing the reader to look at the work that led to the result. And that makes it worthless for peer review or for basing anything on their results.
>>>>
>>>> And it shows how bad the situation is when an operation of this quality is still the best and most used blocklist out there. When the volume of abuse is so high that "due process" is, literally, a mathematically impossible order. And despite all of those flaws, their actions do more to protect privacy than anything discussed in this working group.
>>>>
>>>>
>>>> On Tue, Feb 14, 2017 at 1:03 PM, Volker Greimann <vgreimann at key-systems.net> wrote:
>>>> Hi Allison,
>>>>
>>>> to your first point: the right to privacy of one's own data may be different where I live and where you live. Suffice it to say that in our day-to-day business we get enough complaints from customers who feel their privacy has been violated either by our putting their data out for everyone to see or by customers of ours who provide services that do the same. And we both agree that whois privacy will not protect you 100%.
>>>>
>>>> to your second point: why is requiring the same legal standard for accessing data of customers of hosting service providers, of ebay account holders, of Amazon sellers and many other areas where the data is not public suddenly not feasible for customers of domain name registrars?  Our privacy service gets regular subpoenas for data of customers. Why is making that the standard suddenly the end of the world?
>>>>
>>>> And while I appreciate the good work that many like John are doing on a private level, ultimately they are not law enforcement and are not entitled to the same level of access as law enforcement has just like a rent-a-cop does not have the same law enforcement powers a real cop has.
>>>> Re: Spamhaus: I have worked with them and while they provide a valuable anti-spam service, some of their methods or publications leave a lot to be desired. The fact that they often outright refuse to provide evidence of their claims, the fact that they outright lie to ICANN compliance, and the fact that they bend numbers any way they need to fit their narrative do not help to build trust and work with them as partners. I think they provide a good service but ultimately they are vigilantes and often overshoot their mark. This "study" is one such instance where they present a result without allowing the reader to look at the work that led to the result. And that makes it worthless for peer review or for basing anything on their results.
>>>> Best,
>>>>
>>>> Volker
>>>>
>>>>
>>>>
>>>> On 14.02.2017 at 18:39, allison nixon wrote:
>>>>>>> Here you go with the edge cases again.
>>>>>
>>>>> The mother of all edge cases is the main contention of this entire working group. The theory that an innocent domain registrant's privacy is either "violated" or "not violated" and that this somehow hinges on the privacy status of the WHOIS data. This is absolutely a false premise. If I want to find someone, and they frequently use the Internet and aren't extremely OPSEC-aware, I'm going to find them. WHOIS privacy absolutely will not protect them.
>>>>>
>>>>> Does anyone believe this premise that also has experience in investigations? I do not believe any such person exists, because when you are experienced in tracking people down, you will know that this premise is factually untrue.
>>>>>
>>>>>>> Well it might be so, but every single person “claiming” they use
>>>>>>> whois for investigation seems to lack the understanding that they
>>>>>>> will get the access it will just be a little harder to get the
>>>>>>> normal misuse of whois info can be prevented but looks like none of
>>>>>>> you want that to happen
>>>>>
>>>>> Is this an assurance? Because the talk I see here is about requiring paperwork like subpoenas and search warrants and that isn't feasible both from an investigation or automation standpoint as well as the fact that the vast majority of the anti-abuse community are not cops. There's no sign whatsoever that there is consideration towards anti-abuse.
>>>>>
>>>>>>> I trust these statistics by spamhaus less than anything coming out of the mouth of the orange menace. And that is saying something.
>>>>>
>>>>> You stand alone in that opinion. Spamhaus is not perfect but they are the most widely used blocklists among network operators. The amount of harm prevented by Spamhaus's block lists eclipses the harm prevented by registrants receiving WHOIS spam. It is like comparing the size of the sun to the size of an ant. If you have ever tried to operate from infrastructure that's on Spamhaus's block lists, your access to the Internet at large will be very poor indeed.
>>>>>
>>>>> How many of you people actually have day to day experience in fighting spam and preventing the massive privacy invasions that happen on a daily basis to innocent people?  I am getting the feeling that this group badly needs to gain some perspective. WHOIS spam is a problem and is an annoyance, privacy is important, but this group keeps talking about WHOIS privacy and completely ignoring the fact that by volume such a scheme would cause great harms for mostly imaginary gain. To me this shows a sign that many of the arguments here are about idealism without practical experience.
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Feb 14, 2017 at 12:24 PM, benny at nordreg.se <benny at nordreg.se> wrote:
>>>>> Hi John
>>>>>
>>>>> None in the group can do that, just as little as the opposite if we don't work together on the needs, give and take on it, we will not move forward.
>>>>> But the attitude which I see where the Status Quo is the driver for
>>>>> the discussions is not really productive…
>>>>>
>>>>> Everything can be changed with new privacy laws coming in to force
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>>
>>>>> Benny Samuelsen
>>>>> Registry Manager - Domainexpert
>>>>>
>>>>> Nordreg AB - ICANN accredited registrar
>>>>> IANA-ID: 638
>>>>> Phone: +46.42197080
>>>>> Direct: +47.32260201
>>>>> Mobile: +47.40410200
>>>>>
>>>>>> On 14 Feb 2017, at 18:18, John Horton <john.horton at legitscript.com> wrote:
>>>>>>
>>>>>> Hi Benny,
>>>>>>
>>>>>> Let me try to dig into that a little bit with a serious question. What assurance do those of us engaged in cybercrime investigation -- or not yet created organizations that are legitimate -- have that we would have the same level of access in the future? Is it possible for this group to make that assurance? To be sure, this isn't my only concern or objection, but part of what I'm trying to get at is: even if those of us on this working group were to agree that cybercrime-mitigation entities should have the same access we have today, what's to prevent a stricter regime from changing the rules in the future? In other words, if we create a system that empowers one central organization to say that Allison's reasons (for example) are valid now, there's nothing to prevent that organization from deciding to block her in the future because they don't believe her reasons for investigating cybercrime are valid. Put another way, my concern isn't that you personally or anyone on this group wants to block cybercrime mitigation from happening -- rather, I'm wondering how this group could bind a future RDS 1, 5 or 10 years down the road not to change the goalposts.
>>>>>>
>>>>>> John Horton
>>>>>> President and CEO, LegitScript
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 14, 2017 at 9:05 AM, benny at nordreg.se <benny at nordreg.se> wrote:
>>>>>> Well it might be so, but every single person “claiming” they use whois for investigation seems to lack the understanding that they will get the access it will just be a little harder to get the normal misuse of whois info can be prevented but looks like none of you want that to happen...
>>>>>>
>>>>>> --
>>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>>>
>>>>>> Benny Samuelsen
>>>>>> Registry Manager - Domainexpert
>>>>>>
>>>>>> Nordreg AB - ICANN accredited registrar
>>>>>> IANA-ID: 638
>>>>>> Phone: +46.42197080
>>>>>> Direct: +47.32260201
>>>>>> Mobile: +47.40410200
>>>>>>
>>>>>>> On 14 Feb 2017, at 17:58, allison nixon <elsakoo at gmail.com> wrote:
>>>>>>>
>>>>>>> Benny, dude, you just wrote "Buhu my work will get harder", so
>>>>>>> please don't complain about adult and mature answers
>>>>>>>
>>>>>>> On Tue, Feb 14, 2017 at 11:56 AM, benny at nordreg.se <benny at nordreg.se> wrote:
>>>>>>> A very adult and mature answer… with some nice baked in threats,
>>>>>>> funny it's only your kind of crimes which matter apparently… oh
>>>>>>> and the final one which is always being dragged out when there are
>>>>>>> no more arguments, think about the one child we can save…
>>>>>>>
>>>>>>> To answer your questions hidden in the threats, yes you are part of the better for all but that also means everyone has to give and take to come to a better solution.
>>>>>>> In your ignorance you completely miss the point that by having all
>>>>>>> these data public there are crimes committed every minute by using
>>>>>>> those data but hey what does that matter as long as your business
>>>>>>> can roll on… I guess those people will thank you for your helpful
>>>>>>> insights…
>>>>>>>
>>>>>>> Welcome to the discussion
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>>>>
>>>>>>> Benny Samuelsen
>>>>>>> Registry Manager - Domainexpert
>>>>>>>
>>>>>>> Nordreg AB - ICANN accredited registrar
>>>>>>> IANA-ID: 638
>>>>>>> Phone: +46.42197080
>>>>>>> Direct: +47.32260201
>>>>>>> Mobile: +47.40410200
>>>>>>>
>>>>>>>> On 14 Feb 2017, at 17:29, John Bambenek <jcb at bambenekconsulting.com> wrote:
>>>>>>>>
>>>>>>>> Let me translate Allison's comments in the light of your mockery.
>>>>>>>>
>>>>>>>> Your ideas of privacy are patently absurd and your arrogance that entire industries need to rewrite how they do things to suit your effete and fantastical notions is breathtaking. Your mockery of people who investigate crime is just icing on the cake. It's not a question of looking past your own walls, it's a question of whether you religious fanatics can acknowledge that other use cases are valid (or are we not part of the "all" in "better for all"). Are you really suggesting preventing spam is a higher priority than stopping human trafficking online?
>>>>>>>>
>>>>>>>> If someone who had need of privacy came to me for advice on registering a domain name I would tell them absolutely not to do it. Use blogspot or any other mechanism that doesn't involve a financial transaction to shield your privacy. Creating paper trails is always a poor life decision when OPSEC matters. Anything less and I would stop taking your concerns seriously.
>>>>>>>>
>>>>>>>> That said, we have a viable compromise, it's called whois privacy protection. And it allows me to use risk based decisions on how I treat traffic to such domains.
>>>>>>>>
>>>>>>>> But if you wish to enable criminals to better hide so they can steal people's life savings, so they can anonymously traffic in child exploitation or to engage in sextortion against teenage girls all because you can't handle a spam filter, you can count me one that will line up against you and very publicly label you an enabler of child sexual exploitation. Then I will go to Congress, drag ICANN back under the Department of Commerce and ensure some adult supervision is had.
>>>>>>>>
>>>>>>>> Or you can calm the hell down and knock it off with your attitude and we can find a viable middle ground. Totally your call.
>>>>>>>>
>>>>>>>> And if you are really concerned about spammers, I help run investigations against them too (using whois data, in part) and could totally use the help.
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Feb 14, 2017, at 05:28, "benny at nordreg.se" <benny at nordreg.se> wrote:
>>>>>>>>>
>>>>>>>>> So basically what you say is… Buhu my work will get harder, let all innocent registrants suffer from spam/scam mail sprung out of the whois data published, all those registrants who get fake mails about renewing their domain or buying fake SEO plans?
>>>>>>>>> How can anyone defend that we have data published to get
>>>>>>>>> abused just because some bad guys register domains? And those
>>>>>>>>> of you who do will still have access to the data just not in
>>>>>>>>> the same easy way…
>>>>>>>>>
>>>>>>>>> Sorry for my harsh tone but I really don’t see why we can’t look past our own walls and find a solution which is to the better for all..
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>>>>>>
>>>>>>>>> Benny Samuelsen
>>>>>>>>> Registry Manager - Domainexpert
>>>>>>>>>
>>>>>>>>> Nordreg AB - ICANN accredited registrar
>>>>>>>>> IANA-ID: 638
>>>>>>>>> Phone: +46.42197080
>>>>>>>>> Direct: +47.32260201
>>>>>>>>> Mobile: +47.40410200
>>>>>>>>>
>>>>>>>>>> On 14 Feb 2017, at 06:38, allison nixon <elsakoo at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> This car metaphor isn't complete without also stating that some car owners purchase them for the sole purpose of running over people!
>>>>>>>>>>
>>>>>>>>>> Some car owners purchase fleets of cars to run over as many people as possible. Even though they re-use their name on every single vehicle registration, the subpoena takes so long that the city can no longer automatically block the cars as they enter, and need to wait for them to run over a few people before they can do anything about it.
>>>>>>>>>>
>>>>>>>>>> This metaphor has obviously been tortured past the point of absurdity, I'll leave it alone now.
>>>>>>>>>>
>>>>>>>>>> I've mostly been lurking for the whole duration of this group, and please forgive me if I'm missing something massive here, but I get the impression that most people here don't spend a lot of time doing investigations. But this is my life. If I needed a subpoena for every single historical lookup, pivot, and reverse search, I would get zero done due to a lack of legal authority. Many if not most of the people doing the heavy lifting in anti-cybercrime efforts are private citizens with no government issued authority. It seems that the general expectation here is that limiting access to people with badges is OK, but I'm telling you there is a severe lack of those skillsets and it will be years before we see widespread technical literacy among the police. Whatever system results, private citizens need a path for unrestricted and automated access. And if we want to talk protecting privacy, I think criminally motivated violations of privacy are far more likely to affect everyone's day to day life right now, and automated WHOIS lookups are used heavily especially in anti-phishing and anti-spam operations.
>>>>>>>>>>
>>>>>>>>>> With the status quo, I can go on fishing expeditions through the WHOIS data and turn up hundreds of domains used for the same type of malicious activity, and predict with a high accuracy which domains will be malicious before they are used for anything. It sometimes turns up domains owned by innocent people, and I doubt privacy minded people would like that, but the reality is I rarely ever encounter WHOIS data that is convincing PII. It's almost all fake. And if it's not fake, it's a company's public contact info, or it's a foolish person who turned down WHOIS privacy protection, and will change their WHOIS as soon as the spam starts flowing.
>>>>>>>>>>
>>>>>>>>>> Have there been any studies on what percentage of WHOIS data is real and correct? Can we ever expect to have meaningful data when registrars are allowed to take Bitcoins over Tor as payment? At what point does "privacy" become an empty argument when some of these Internet hosting/registrar companies clearly profit from facilitating abuse, and network defenders block entire TLDs due to the saturation of abuse?
>>>>>>>>>>
>>>>>>>>>> From my vantage point, I see great benefit from seeing patterns in the fake data submitted by fraudsters, and I see few harms from the privacy side of things, because people seem to generally realize that "123 fake st" is a perfectly acceptable WHOIS entry.
>>>>>>>>>>
>>>>>>>>>> I also recognize this situation is completely absurd. Every aspect of this is surely an abuse of the original system. But it seems like building a pyramid from the top down, restricting access to supposed "PII" that is unlikely to contain PII, to the detriment of legitimate efforts that also seek to enhance privacy by preventing criminal theft of private data like bank account numbers.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Feb 13, 2017 at 9:14 PM, Sam Lanfranco <sam at lanfranco.net> wrote:
>>>>>>>>>> I have to strongly agree with Alex that whatever the criteria are for thin data, they cannot include that thin data "is transitive" in some sort of bread crumb trail manner.
>>>>>>>>>>
>>>>>>>>>> Everything is potentially transitive in that sense. I observe a vehicle but all I get is make, model and license plate, and in most jurisdictions that is all I get. It is the vehicle owner's "thin data". Of course I can hang around, see that the car has a baby seat, witness a woman or man putting a child in the car, assume that she/he has legitimate access to the car, follow the car and assemble more personal information (lives at; works at; shops at; visits;) The license plate didn't facilitate that crumb train discovery, but no license plate would hamper legitimate seeking of information about who owns the car (issuing a parking ticket, LEA investigation, etc.) . License plate is part of thin data with no gated access. Of course, this will change in the era of the digital vehicle. Depending on security, and authorization, one will be able to just ask the car, and ask about a lot of things...like whose cell phone was in the passenger's seat last night, when I was supposed to be alone )-:
>>>>>>>>>>
>>>>>>>>>> There needs to be a similar balance (license plate but no owner's name unless wanted, like Sam's Curry Pizza Barn logo, phone number and website URL painted on the side).
>>>>>>>>>>
>>>>>>>>>> More Important, have we made progress (convergence) on the working principles that should be brought to bear in building a thin data set. A lot of time has been spent looking at good case and bad case scenarios. What operational principles have been distilled from all these examples? What is the balance between thin data inclusion and exclusion, and design and technical solutions that can be used to prevent (for example) robotic harvesting? There is another frontier here, and that is what governments will do to restrain or enable certain uses of thin data? While ICANN needs to be aware of what is going on there, that part is beyond ICANN's remit, but those policies will help shape some of the context within which ICANN deals with the thin data task.
>>>>>>>>>>
>>>>>>>>>> Sam L
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 2017-02-14 1:23 AM, Deacon, Alex wrote:
>>>>>>>>>> All,
>>>>>>>>>>
>>>>>>>>>> So it seems the debate has progressed from “thin data” to
>>>>>>>>>> “thick data” (i.e. data that includes email).  I know we are
>>>>>>>>>> all super excited to talk about “thick data” but I don’t
>>>>>>>>>> think we are there yet (are we?  Hopefully I didn’t miss the
>>>>>>>>>> party…)
>>>>>>>>>>
>>>>>>>>>> Focusing on thin data for the moment I struggle to understand how it is personal data.  I do not believe it is.    As for the odd logic proposed by some that the property of privacy is transitive (i.e. Because “thin data” can be used to link/point/discover other data then “thin data” equals “personal data”) I just don’t buy it.
>>>>>>>>>>
>>>>>>>>>> I don’t disagree with much of what was expressed in this thread, however we must keep in mind that balance and proportionality are important concepts in many (all?) data privacy laws.   Any arguments that imply that no such balance exists (or should exist) is obstructive IMO.
>>>>>>>>>>
>>>>>>>>>> Alex
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 2/13/17, 5:42 AM, <gnso-rds-pdp-wg-bounces at icann.org on behalf of michele at blacknight.com> wrote:
>>>>>>>>>>
>>>>>>>>>> I agree and I know from how I’ve used various email addresses that they are actively being harvested and spammed.
>>>>>>>>>> Also it’s one of the biggest sources of complaints we get from our clients (registrants)
>>>>>>>>>> It’s definitely not an “edge case”.
>>>>>>>>>> Regards
>>>>>>>>>> Michele
>>>>>>>>>> --
>>>>>>>>>> Mr Michele Neylon
>>>>>>>>>> Blacknight Solutions
>>>>>>>>>> Hosting, Colocation & Domains
>>>>>>>>>> https://www.blacknight.com/
>>>>>>>>>> http://blacknight.blog/
>>>>>>>>>> Intl. +353 (0) 59 9183072
>>>>>>>>>> Direct Dial: +353 (0)59 9183090
>>>>>>>>>> Social: http://mneylon.social
>>>>>>>>>> Some thoughts: http://ceo.hosting/
>>>>>>>>>> -------------------------------
>>>>>>>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>>>>>>>>>> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>>>>>>>>>> _______________________________________________
>>>>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *--------------------------------------------*
>>>>>>>>>> "It is a disgrace to be rich and honoured in an unjust state"
>>>>>>>>>> -Confucius
>>>>>>>>>> ----------------------------------------------
>>>>>>>>>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York
>>>>>>>>>> U., Toronto, Ontario, CANADA - M3J 1P3
>>>>>>>>>> YorkU email: Lanfran at Yorku.ca   Skype: slanfranco
>>>>>>>>>> blog:  http://samlanfranco.blogspot.com
>>>>>>>>>> Phone: 613 476-0429 cell: 416-816-2852
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> _________________________________
>>>>>>>>>> Note to self: Pillage BEFORE burning.
>>>>>>>>>
>>>>
>>>> --
>>>> Should you have any further questions, please do not hesitate to contact us.
>>>>
>>>> Best regards,
>>>>
>>>> Volker A. Greimann
>>>> - legal department -
>>>>
>>>> Key-Systems GmbH
>>>> Im Oberen Werk 1
>>>> 66386 St. Ingbert
>>>> Tel.: +49 (0) 6894 - 9396 901
>>>> Fax.: +49 (0) 6894 - 9396 851
>>>> Email: vgreimann at key-systems.net
>>>>
>>>> Web: www.key-systems.net / www.RRPproxy.net / www.domaindiscount24.com / www.BrandShelter.com
>>>>
>>>> Follow us on Twitter or join our fan community on Facebook and stay updated:
>>>> www.facebook.com/KeySystems
>>>> www.twitter.com/key_systems
>>>>
>>>> CEO: Alexander Siffrin
>>>> Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
>>>>
>>>> Member of the KEYDRIVE GROUP
>>>> www.keydrive.lu
>>>>
>>>>
>>>> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.



--
_________________________________
Note to self: Pillage BEFORE burning.