[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Chen, Tim tim at domaintools.com
Thu Feb 15 02:00:22 UTC 2018


Hi Allison,

Some of us have been trying to better socialize the network and
cybersecurity use-cases to the parties in a position to have an impact on
these discussions.  I can only speak for us, citing examples like the white
paper
<https://domaintools.com/resources/white-papers/how-whois-data-ensures-a-safe-and-secure-internet>
we published last week.  But I do see progress in this regard.

Security practitioners are challenged here by not being as well organized
as we could be in this regard (everyone is heads down doing work and policy
isn't really our thing).  And we lack the longstanding relationships with
ICANN that create a level of influence and access that matters.  But again,
I see the seeds of effort here as well.

I do believe that nearly everyone on this list, in the RDS process, and
sitting in DPA chairs in the EU have a true appreciation that security work
is already hard and making it harder is not an intent.  I do believe they
know it matters to the very same people they are trying to protect.

But, that does not change the tenor of the baseline response derived from
GDPR:  "yes, but it doesn't matter.  bc the law."   And that is not an
incorrect answer.  It is just an unfortunate one for some of us.

The security perspective still needs to be better socialized outside of
places like this list.  It does matter.  And we need more people and
organizations from your sector involved.



On Wed, Feb 14, 2018 at 5:36 PM, allison nixon <elsakoo at gmail.com> wrote:

> Hi everyone,
>
> I have already begun to hear unrest from my colleagues who work in infosec
> and network operations about the degradation of WHOIS, as registrars have
> already begun to act on their own, stripping everything and blocking bulk
> queriers on domains frequently used for attacks. Every day of additional
> uncertainty equals an additional day of victimization.
>
> Why has no one approached the DPAs with the evidence of security purposes
> for WHOIS? How much network degradation will we tolerate before someone
> bothers to give them a little hint? How many more judgments from the DPAs
> are we going to read that display clear ignorance of all legitimate
> cybersecurity purposes? Did no one see this coming?
>
> Since we are talking about cost benefit analysis, here is a quick one I
> just did that I would like to share with the group. I did a quick look for
> the value of the domain registration industry as a whole. Seems to be ~$4
> billion. The losses incurred by the WannaCry malware are estimated to be at
> ~$8 billion. A single security incident destroying value equal to double
> your entire industry.
>
> In May 2017, the FBI stated that over three years the "business email
> compromise" scams have topped ~$5 billion in losses, which would be
> slightly more than one domain-industry unit of value, and WHOIS is crucial
> to fighting it.
>
> source: https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-could-spur-53-billion-in-losses-lloyds-of-london-idUSKBN1A20AB
> source: https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/domain-name-industry
> source: https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thousands-top-5-billion-in-losses-globally.html
>
> Remember, the whole point of GDPR is to force companies to act with more
> social responsibility.
>
> On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>
>>
>>
>> On 14 Feb 2018, at 20:49, John Horton <john.horton at legitscript.com>
>> wrote:
>>
>> Hmm, well, perhaps it's because I work for a company that processes quite
>> a bit of data with a combination of algorithms and some human review, but I
>> feel pretty confident that there are ways to simplify that with magic
>> algorithms and forms.
>>
>>
>>
>> Magic algorithms are fine in pattern detection because there is always a
>> human review at some point or the cost of error is low, like in raising an
>> abuse case that contains wording like "supposedly", "allegedly" etc. In this
>> case, every false negative comes with a tremendous liability.
>>
>> Also, if machine-learning technology and deep pockets for lawsuits become
>> a requirement for being a registrar, you can count on the number of
>> registrars dropping to single digits.
>>
>>
>>
>> Rubens
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>