[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Paul Keating Paul at law.es
Thu Feb 15 15:47:03 UTC 2018


Paraphrasing a person I know.

The more data input the better as long as it is carefully considered.

I do NOT like the idea of relying on ICANN to receive input provided via
their interacting with a third party.  I would prefer to obtain the
unfiltered data.

Paul

From:  Chuck <consult at cgomes.com> on behalf of Chuck <consult at cgomes.com>
Date:  Thursday, February 15, 2018 at 3:56 PM
To:  Paul Keating <paul at law.es>, 'Volker Greimann'
<vgreimann at key-systems.net>, <gnso-rds-pdp-wg at icann.org>
Subject:  RE: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
backwards

> Apparently, ICANN org has been interacting with DPAs regarding a possible
> interim solution, so maybe we will get some helpful input from those efforts.
> Note Stephanie's suggestion that we could submit questions to the DP experts
> that participated in our public meeting last year.
>  
> Chuck
>  
> 
> From: Paul Keating [mailto:Paul at law.es]
> Sent: Thursday, February 15, 2018 6:10 AM
> To: Chuck <consult at cgomes.com>; 'Volker Greimann' <vgreimann at key-systems.net>;
> gnso-rds-pdp-wg at icann.org
> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
> backwards
>  
> 
> Chuck,
> 
>  
> 
> That said I really do like the idea of having interaction and participation by
> the DPAs and even someone from Article 29 or other GDPR official groups.
> Otherwise we continue to work in a vacuum.
> 
>  
> 
> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of Chuck
> <consult at cgomes.com>
> Date: Thursday, February 15, 2018 at 2:57 PM
> To: 'Volker Greimann' <vgreimann at key-systems.net>, <gnso-rds-pdp-wg at icann.org>
> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
> backwards
> 
>  
>> 
>> I'd like to think that the ICANN community effort going on outside this WG
>> will take note of the cybersecurity concerns that Allison raises as they try
>> to finalize an interim solution to deal with the GDPR in the near term.  Note
>> this quote from Goren's latest blog that ICANN org is trying to find a
>> balanced approach:  "This single, common interim model that is informed by
>> input from across the ICANN community would seek to obtain compliance with
>> both the GDPR and ICANN's contractual requirements related to registration
>> directory services."  Here's the blog:
>> https://www.icann.org/news/blog/data-protection-privacy-update-latest-developments
>>  
>> Chuck
>>  
>> 
>> From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of
>> Volker Greimann
>> Sent: Thursday, February 15, 2018 1:02 AM
>> To: gnso-rds-pdp-wg at icann.org
>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
>> backwards
>>  
>> DPAs are law enforcement and will enforce the law of the land. They do not
>> have the option to pick and choose after May 25.
>> 
>> Maybe it is time for you and your colleagues to start looking at other
>> sources of information to ensure you can continue operation efficiently once
>> your currently chosen method becomes illegal. Remember, you are a data
>> processor too and what you do with that data could very well paint a target
>> on your backs that DPS may have to deal with.
>> 
>> Best,
>> 
>> Volker
>> 
>>  
>> 
>>  
>> 
>> On 15.02.2018 at 02:36, allison nixon wrote:
>>> 
>>> Hi everyone, 
>>> 
>>>  
>>> 
>>> I have already begun to hear unrest from my colleagues who work in infosec
>>> and network operations about the degradation of WHOIS, as registrars have
>>> already begun to act on their own, stripping everything and blocking bulk
>>> queriers on domains frequently used for attacks. Every day of additional
>>> uncertainty equals an additional day of victimization.
>>> 
>>>  
>>> 
>>> Why has no one approached the DPAs with the evidence of security purposes
>>> for WHOIS? How much network degradation will we tolerate before someone
>>> bothers to give them a little hint? How many more judgments from the DPAs
>>> are we going to read that display clear ignorance of all legitimate
>>> cybersecurity purposes? Did no one see this coming?
>>> 
>>>  
>>> 
>>> Since we are talking about cost benefit analysis, here is a quick one I just
>>> did that I would like to share with the group. I did a quick look for the
>>> value of the domain registration industry as a whole. Seems to be ~$4
>>> billion. The losses incurred by the WannaCry malware are estimated to be at
>>> ~$8 billion. A single security incident destroying value equal to double
>>> your entire industry.
>>> 
>>>  
>>> 
>>> In May 2017, the FBI stated that over three years the "business email
>>> compromise" scams have topped ~$5 billion in losses, which would be slightly
>>> more than one domain-industry unit of value, and WHOIS is crucial to
>>> fighting it.
>>> 
>>>  
>>> 
>>> source: 
>>> https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-could-spur-53-billion-in-losses-lloyds-of-london-idUSKBN1A20AB
>>> 
>>> source: 
>>> https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/domain-name-industry
>>> 
>>> source: 
>>> https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thousands-top-5-billion-in-losses-globally.html
>>> 
>>>  
>>> 
>>> Remember, the whole point of GDPR is to force companies to act with more
>>> social responsibility.
>>> 
>>>  
>>> 
>>> On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>>>> 
>>>>  
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On 14 Feb 2018, at 20:49, John Horton <john.horton at legitscript.com> wrote:
>>>>>  
>>>>> 
>>>>> Hmm, well, perhaps it's because I work for a company that processes quite
>>>>> a bit of data with a combination of algorithms and some human review, but
>>>>> I feel pretty confident that there are ways to simplify that with magic
>>>>> algorithms and forms.
>>>>  
>>>> 
>>>>  
>>>> 
>>>> Magic algorithms are fine in pattern detection because there is always a
>>>> human review at some point or the cost of error is low, like in raising an
>>>> abuse case that contains wording like "supposedly", "allegedly" etc. In this
>>>> case, every false negative comes with a tremendous liability.
>>>> 
>>>>  
>>>> 
>>>> Also, if machine-learning technology and deep pockets for lawsuits become a
>>>> requirement for being a registrar, you can count on the number of
>>>> registrars dropping to single digits.
>>>> 
>>>>  
>>>> 
>>>>  
>>>> 
>>>>  
>>>> 
>>>> Rubens
>>>> 
>>>>  
>>>> 
>>>>  
>>>> 
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>> 
>>> 
>>>  
>>> -- 
>>> 
>>> _________________________________
>>> Note to self: Pillage BEFORE burning.
>>> 
>>> 
>>> 
>>> 

