[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Thu Feb 15 14:09:42 UTC 2018

Chuck,

That said I really do like the idea of having interaction and participation
by the DPAs and even someone from Article 29 or other GDPR official groups.
Otherwise we continue to work in a vacuum.

From:  gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of
Chuck <consult at cgomes.com>
Date:  Thursday, February 15, 2018 at 2:57 PM
To:  'Volker Greimann' <vgreimann at key-systems.net>,
<gnso-rds-pdp-wg at icann.org>
Subject:  Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
backwards

> I¹d like to think that the ICANN community effort going on outside this WG
> will take note of the cybersecurity concerns that Allison raises as they try
> to finalize an interim solution to deal with the GDPR in the near term.  Note
> this quote from Goren¹s latest blog that ICANN org is trying to find a
> balanced approach:  ³This single, common interim model that is informed by
> input from across the ICANN community would seek to obtain compliance with
> both the GDPR and ICANN's contractual requirements related to registration
> directory services.²  Here¹s the blog:
> https://www.icann.org/news/blog/data-protection-privacy-update-latest-developm
> ents 
>  
> Chuck
>  
> 
> From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of
> Volker Greimann
> Sent: Thursday, February 15, 2018 1:02 AM
> To: gnso-rds-pdp-wg at icann.org
> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
> backwards
>  
> DPAs are law enforcement and will enforce the law of the land. They do not
> have the option to pick and choose after May 25.
> 
> Maybe it is time for you and your colleagues to start looking at other sources
> of information to ensure you can continue operation efficiently once your
> currently chosen method becomes illegal. Remember, you are a data processor
> too and what you do with that data could very well paint a target on your
> backs that DPS may have to deal with.
> 
> Best,
> 
> Volker
> 
>  
> 
>  
> 
> Am 15.02.2018 um 02:36 schrieb allison nixon:
>> 
>> Hi everyone, 
>> 
>>  
>> 
>> I have already begun to hear unrest from my colleagues who work in infosec
>> and network operations about the degradation of WHOIS, as registrars have
>> already begun to act on their own, stripping everything and blocking bulk
>> queriers on domains frequently used for attacks. Every day of additional
>> uncertainty equals an additional day of victimization.
>> 
>>  
>> 
>> Why has no one approached the DPAs with the evidence of security purposes for
>> WHOIS? How much network degradation will we tolerate before someone bothers
>> to give them a little hint? How many more judgments from the DPAs are we
>> going to read that display clear ignorance of all legitimate cybersecurity
>> purposes? Did no one see this coming?
>> 
>>  
>> 
>> Since we are talking about cost benefit analysis, here is a quick one I just
>> did that I would like to share with the group. I did a quick look for the
>> value of the domain registration industry as a whole. Seems to be ~$4
>> billion. The losses incurred by the WanaCry malware are estimated to be at
>> ~$8 billion. A single security incident destroying value equal to double your
>> entire industry.
>> 
>>  
>> 
>> In May 2017, the FBI stated that over three years the "business email
>> compromise" scams have topped ~$5 billion in losses, which would be slightly
>> more than one domain-industry unit of value, and WHOIS is crucial to fighting
>> it.
>> 
>>  
>> 
>> source: 
>> https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-co
>> uld-spur-53-billion-in-losses-lloyds-of-london-idUSKBN1A20AB
>> 
>> source: 
>> https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/do
>> main-name-industry
>> 
>> source: 
>> https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thous
>> ands-top-5-billion-in-losses-globally.html
>> 
>>  
>> 
>> Remember, the whole point of GDPR is to force companies to act with more
>> social responsibility.
>> 
>>  
>> 
>> On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>>> 
>>>  
>>> 
>>> 
>>> 
>>>> On 14 Feb 2018, at 20:49, John Horton <john.horton at legitscript.com> wrote:
>>>>  
>>>> 
>>>> Hmm, well, perhaps it's because I work for a company that processes quite a
>>>> bit of data with a combination of algorithms and some human review, but I
>>>> feel pretty confident that there are ways to simplify that with magic
>>>> algorithms and forms.
>>>  
>>> 
>>>  
>>> 
>>> Magic algorithms are fine in pattern detection because there is always a
>>> human review at some point or the cost of error is low, like in raising an
>>> abuse case that contains wording like supposedly", "allegedly" etc. In this
>>> case, every false negative comes with a tremendous liability.
>>> 
>>>  
>>> 
>>> Also, if machine-learning technology and deep pockets for lawsuits become a
>>> requirement for being a registrar, you can count on the number of registrars
>>> dropping to single digits.
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> Rubens
>>> 
>>>  
>>> 
>>>  
>>> 
>>> _______________________________________________
>>> gnso-rds-pdp-wg mailing list
>>> gnso-rds-pdp-wg at icann.org
>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>> 
>> 
>>  
>> -- 
>> 
>> _________________________________
>> Note to self: Pillage BEFORE burning.
>> 
>> 
>> 
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>  
> _______________________________________________ gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180215/0115aa2a/attachment-0001.html>