[gnso-rds-pdp-wg] The principle for thin data (was Re: Principle on Proportionality for "Thin Data"access)

John Bambenek jcb at bambenekconsulting.com
Thu Jun 1 16:52:48 UTC 2017


So you agree that you can educate your customers to make consent
possible?  Good.

Now can we move on?


On 6/1/2017 11:46 AM, Ayden Férdeline wrote:
> +1 Stephanie. The vast majority of people, if given the appropriate
> information and time, are perfectly capable of understanding a complex
> or technical issue. 
>
> Ayden Férdeline
> linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
>
>
>> -------- Original Message --------
>> Subject: Re: [gnso-rds-pdp-wg] The principle for thin data (was Re:
>> Principle on Proportionality for "Thin Data"access)
>> Local Time: June 1, 2017 3:40 PM
>> UTC Time: June 1, 2017 2:40 PM
>> From: stephanie.perrin at mail.utoronto.ca
>> To: jonathan matkowsky <jonathan.matkowsky at riskiq.net>
>> RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>>
>>
>> I certainly agree that if people enter personal information as part
>> of their DNS registration or their motor vehicle licence
>> registration, it is done with implied consent... as long as there is
>> sufficient information to permit them to understand just how the data
>> is being used and where it is going.  However, as I tried to say with
>> respect to registering a domain name, I really don't think the
>> average non-expert citizen who might want to register a domain name
>> would get enough information to truly understand how far his/her
>> information goes, and how difficult it is to get it removed once it
>> has appeared in the public record.  We should build this system so
>> that everyone understands it, not just the experts.
>>
>> cheers Stephanie
>>
>>
>> On 2017-06-01 05:18, jonathan matkowsky wrote:
>>> Stephanie,
>>>
>>>
>>> I agree with you that we should not conflate collection limitation
>>> principles with openness principles.
>>>
>>> I respectfully disagree with most of what you wrote in the first
>>> paragraph of your post script.  
>>> Here we are talking about users potentially entering personal or
>>> pseudonymous information when they are not being asked for it (nor
>>> is it required) to begin with, and it is not required for purposes
>>> of which it's being collected. That is the scope of what needs to be
>>> assessed, if at all, and how the scope needs to be defined from the
>>> beginning if you were to conduct a PIA.
>>>
>>> Personal information is not being used or intended to be used just
>>> because a person decides to enter personal information into a field.
>>>
>>> The example of how you can combine databases to re-identify a person
>>> based on the SOA record is the equivalent of protecting domain names
>>> as personal information because a person can register their driver's
>>> license or name and date of birth as a domain name.
>>>
>>> I would argue no PIA should be required as a result, even in
>>> accordance with best practices.
>>>
>>> A PIA needs to be conducted in a manner that is commensurate with
>>> the level of privacy risk identified.
>>>
>>> I respectfully disagree with you that thin data is personal. We are
>>> talking about identifiers (codes or strings that represent an
>>> individual or device).  Many labels can be used to point to
>>> individuals. Some are precise and most, imprecise or vague. There's
>>> no question that an IP address is a device identifier.  Device IDs,
>>> MAC addresses can be a source for user tracking.  But identifiers
>>> can be strong or weak depending on how precise they are
>>> as well as the context. It cannot be measured without taking
>>> linkability into consideration.  For that reason, name servers are
>>> not the same as IP addresses or MAC addresses any more so than the
>>> existence of a domain name is an identifier. If a person chooses to
>>> use identifiable information when it is not being asked for or
>>> required for purposes of which the data is being collected, does
>>> that mean we need to classify all the data according to that
>>> unlikely scenario? Those setting up their own DNS would be
>>> relatively speaking, sophisticated Internet users that presumably
>>> know the basics of how DNS operates in any case, so by entering the
>>> information in that way, they are choosing to customize their DNS in
>>> a personal way similar to a person that chooses to show personal
>>> information on their license plate number.  
>>>
>>> I know that the motor vehicle registry is restricted now in most
>>> places so that you would need a subpoena to get that kind of
>>> personal information. This is also true of an IP address though and
>>> IP providers. The fact is a person can put their name and date of
>>> birth on a license plate if they want to customize it. And then they
>>> get on the road. That does not mean the license plate numbers are
>>> all personal information. It's pseudonymous data. It is true that it
>>> is a stronger identifier than an IP address insofar as if you
>>> subpoena the motor vehicle registry operator, you will get the
>>> personal information behind that license plate number. If you
>>> subpoena the ISP, you MIGHT get the personal information depending
>>> on the nature of the IP address. It's still true that to drive a
>>> car, you need to show your license plate number on the vehicle. 
>>>
>>> I would argue that thin Whois data is pseudonymous or personal data
>>> to the same extent that a person can choose to _customize_ a license
>>> plate if they want to, and put personal or pseudonymous data into
>>> fields for which the data being collected does not ask for or require
>>> them to do so.
>>>
>>> A person can register their driver's license as a domain name.
>>> They can use a personal email in their SOA record, or personal NS.
>>> Just because it's theoretically possible for someone to enter
>>> pseudonymous (or even personal) data into multiple databases when
>>> they are not being asked for it, and those combination of choices
>>> make it possible to identify them, does not mean one of the sets
>>> (Thin Whois) should be classified as personal information subject to
>>> a PIA. 
>>>
>>>
>>>
>>> Jonathan Matkowsky,
>>> VP – IP & Brand Security
>>> USA:: 1.347.467.1193 | Office:: +972-(0)8-926-2766
>>> Emergency mobile:: +972-(0)54-924-0831
>>> Company Reg. No. 514805332  
>>> 11/1 Nachal Chever, Modiin Israel
>>> Website <http://www.riskiq.co.il>
>>> RiskIQ Technologies Ltd. (wholly-owned by RiskIQ, Inc.)
>>>
>>> On Thu, Jun 1, 2017 at 12:02 AM, Stephanie Perrin
>>> <stephanie.perrin at mail.utoronto.ca
>>> <mailto:stephanie.perrin at mail.utoronto.ca>> wrote:
>>>
>>>     Your summary today was great Andrew.
>>>
>>>     I am not arguing about the disclosure of thin data.  We already
>>>     voted on unauthenticated mandatory disclosure, weeks ago (or at
>>>     least it feels like weeks ago).  Let's please move on.  We are
>>>     debating this yet again, because people keep asking, is thin
>>>     data personal? [lots of people missed the last call]  The answer
>>>     is yes (IMHO).  Does that mean it cannot be disclosed?  The
>>>     answer is no.  Does the proportionality principle apply?  Yes. 
>>>     Have we already gone through this?  Yes.  Can we come back to
>>>     it?  Yes, but hopefully only if we have to.....we will have to
>>>     when we get to data elements.
>>>
>>>     cheers Stephanie
>>>     PS a fundamental problem here is that people try to categorize
>>>     information that in their view should be disclosed, as not
>>>     personal information.  This fight has gone on for years over IP
>>>     address, for instance.  The important question is not actually
>>>     whether it is personal data or not, it is "do you need to
>>>     disclose it to make things work?"....and if the answer is yes
>>>     then you try to mitigate the disclosure and try to keep it
>>>     minimized to what is absolutely required.  Hence the PIA, which
>>>     should employ both data minimization and the test in the
>>>     proportionality principle as techniques to evaluate data elements.
>>>     A good and really simple example is a phone number.  IS it
>>>     personal info?  (the telcos fought for years, trying to claim
>>>     they owned it and it was not personal).  Obviously it pertains
>>>     to you, people feel strongly that it is personal (culturally
>>>     relative of course but...) and yet if no one ever learns your
>>>     number your phone won't ever receive a call.  That does not mean
>>>     you have to disclose it everywhere.....only where necessary. 
>>>     And it should mean that it does not have to follow you
>>>     everywhere, but that is becoming increasingly hard to manage....
>>>
>>>     By the way, informed consent is not the same as transparency
>>>     requirements.  Transparency requirements are exactly that....you
>>>     have to be transparent about what you are doing with data.  Let
>>>     us not conflate that with consent.
>>>
>>>     I will quit now and stop trying to answer questions.  I would
>>>     like to humbly suggest, however, that we have a real shortage of
>>>     basic understanding of how data protection law works and is
>>>     interpreted.  If there is a data protection law expert that
>>>     folks might listen to, we should hire that person to advise us. 
>>>     It might save a lot of time.
>>>
>>>     On 2017-05-31 16:00, Andrew Sullivan wrote:
>>>>     Hi,
>>>>
>>>>     On Wed, May 31, 2017 at 03:20:59PM -0400, Stephanie Perrin wrote:
>>>>
>>>>>     That does not mean we need to protect it, it means we have to examine it in
>>>>>     terms of DP law.  May I repeat the suggestion that Canatacci made in
>>>>>     Copenhagen in response to a question.....(I forget the precise question he
>>>>>     was asked, sorry). If you want to figure out whether you have to protect
>>>>>     something or not, do a privacy impact assessment.
>>>>>
>>>>     As I think I've said more than once in this thread, I think we _have_
>>>>     done that assessment and I think the answers are obvious and I think
>>>>     therefore that there is nothing more to say about this principle in
>>>>     respect of thin data:
>>>>
>>>>         - the data is either necessary for the operation of the system
>>>>           itself or else necessary for distributed operation and
>>>>           troubleshooting on the Internet.
>>>>
>>>>         - the data does not expose identifying information about anyone,
>>>>           except in rather strained examples where the identifying
>>>>           information is already completely available via other means.
>>>>
>>>>     What more is one supposed to do? 
>>>>
>>>>     Best regards,
>>>>
>>>>     A
>>>>
>>>>
>>>
>>>
>>>     _______________________________________________
>>>     gnso-rds-pdp-wg mailing list
>>>     gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
>>>     https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>     <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>>
>
