[gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

John Horton john.horton at legitscript.com
Tue Feb 13 22:32:16 UTC 2018


Thanks, Rubens -- I don't agree with that interpretation. (I think you mean
the Q&A memo Section 2, right?) See memo here
<https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en.pdf>.
Let me know if you meant the first or a different one.

John Horton
President and CEO, LegitScript


*Follow LegitScript*: LinkedIn
<http://www.linkedin.com/company/legitscript-com>  |  Facebook
<https://www.facebook.com/LegitScript>  |  Twitter
<https://twitter.com/legitscript>  |  *Blog <http://blog.legitscript.com/>*
  |  Newsletter <http://go.legitscript.com/Subscription-Management.html>




On Tue, Feb 13, 2018 at 2:06 PM, Rubens Kuhl <rubensk at nic.br> wrote:

>
>
> On 13 Feb 2018, at 19:49, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>
> Theo, as to your earlier question re: ccTLDs -- all I can offer is my own
> experience and analysis (but we've got a lot of data, so here goes). There
> is quite a bit of abuse there as well, but to the extent it's less or more
> than .COM or other gTLDs, it's often a result of some policy directly
> related to Whois.
>
>    - .US, with a nexus requirement and no privacy/proxy (historically, at
>    least, can't remember if that went away) was easier from our perspective to
>    address abuse on. In my world, if you want to sell Vicodin without a
>    prescription online and can't hide behind p/p, have to have a US nexus and
>    know that there's a Whois validity requirement...you aren't going to use
>    .US. :) Those that did were pretty easy to address -- you didn't even
>    necessarily have to address content, but could just show that the Whois was
>    inaccurate in many cases.
>    - Unless there's a lot of pre-validation of meeting a nexus
>    requirement, there's more abuse we see where a ccTLD has unavailable Whois.
>    Who knows if they are really meeting the nexus requirement or not! So yeah,
>    there's abuse in ccTLDs, some more than others, largely depending on Whois
>    policy and nexus requirements, in my view.
>
> I agree with Tim's larger point. You simply can't, in my view, have
> accountability and prevent certain types of abuse without transparency as
> to the right to operate the domain name, which (due to the nature of abuse
> and crime being mostly money-motivated) chiefly plays out with registrants
> acting as legal, not natural persons. Hence, the need for the registrar
> community, in my view, to consider a bifurcated solution. You make a
> totally credible argument as to the obvious need to comply with the GDPR.
> Many of us simply object to the notion that this is supposed to become the
> new global standard.
>
> Why not just add a question to the registration form as to whether the
> registrant is in the EU or is an EU citizen, and whether they are a legal or
> natural person (or plan to use the domain name for commercial purposes)? If
> they are in the EU or a citizen, and are natural persons not using the
> domain name commercially, give them free privacy/proxy, and keep Whois the
> same for anyone for whom the answers to the above aren't "TRUE". I know
> that's inconvenient for registrars to update their forms, but that's not a
> good reason not to implement that solution. (What's convenient about the
> GDPR in the first place?) And let me be clear -- I want to make sure
> registrars are protected from liability here, but it's not a credible
> argument to say that the only way to protect you from liability is a
> blanket global solution.
>
>
> As explained in part 2 of the Hamilton memo, picking by EU
> registrant/citizenship doesn't cut it regarding GDPR.
> The commercial use is also not a factor in GDPR, so also can't be used;
> being a legal or natural person is something that GDPR contemplates, but
> only applies to registrant legal name. All other data, even on domains
> registered by legal persons, refer to private individuals, like contact
> information, so for those fields GDPR is in full force.
>
> Registrar forms currently have a lot of required information and implicit
> consents; the problem is not adding one or two more, but effectively
> shielding from liability for not complying with GDPR.
>
>
> Rubens
>