[gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Rubens Kuhl rubensk at nic.br
Tue Feb 13 22:06:04 UTC 2018



> On 13 Feb 2018, at 19:49, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
> 
> Theo, as to your earlier question re: ccTLDs -- all I can offer is my own experience and analysis (but we've got a lot of data, so here goes). There is quite a bit of abuse there as well, but to the extent it's less or more than .COM or other gTLDs, it's often a result of some policy directly related to Whois.
> .US, with a nexus requirement and no privacy/proxy (historically, at least, can't remember if that went away) was easier from our perspective to address abuse on. In my world, if you want to sell Vicodin without a prescription online and can't hide behind p/p, have to have a US nexus and know that there's a Whois validity requirement...you aren't going to use .US. :) Those that did were pretty easy to address -- you didn't even necessarily have to address content, but could just show that the Whois was inaccurate in many cases.
> Unless there's a lot of pre-validation of meeting a nexus requirement, there's more abuse we see where a ccTLD has unavailable Whois. Who knows if they are really meeting the nexus requirement or not! So yeah, there's abuse in ccTLDs, some more than others, largely depending on Whois policy and nexus requirements, in my view.
> I agree with Tim's larger point. You simply can't, in my view, have accountability and prevent certain types of abuse without transparency as to the right to operate the domain name, which (due to the nature of abuse and crime being mostly money-motivated) chiefly plays out with registrants acting as legal, not natural persons. Hence, the need for the registrar community, in my view, to consider a bifurcated solution. You make a totally credible argument as to the obvious need to comply with the GDPR. Many of us simply object to the notion that this is supposed to become the new global standard.
> 
> Why not just add a question to the registration form as to whether the registrant is in the EU or is an EU citizen, and whether they are a legal or natural person (or plan to use the domain name for commercial purposes)? If they are in the EU or a citizen, and are natural persons not using the domain name commercially, give them free privacy/proxy, and keep Whois the same for anyone for which the answers to the above aren't "TRUE". I know that's inconvenient for registrars to update their forms, but that's not a good reason not to implement that solution. (What's convenient about the GDPR in the first place?) And let me be clear -- I want to make sure registrars are protected from liability here, but it's not a credible argument to say that the only way to protect you from liability is a blanket global solution.

As explained in part 2 of the Hamilton memo, picking by EU registrant/citizenship doesn't cut it regarding GDPR.
The commercial use is also not a factor in GDPR, so it also can't be used; being a legal or natural person is something that GDPR contemplates, but it only applies to the registrant legal name. All other data, even on domains registered by legal persons, refer to private individuals, like contact information, so for those fields GDPR is in full force.

Registrar forms currently have a lot of required information and implicit consents; the problem is not adding one or two more, but effectively shielding from liability of not complying with GDPR.



Rubens