[gnso-rds-pdp-wg] Krebs On Security article RE whois and GDPR

theo geurts gtheo at xs4all.nl
Fri Feb 16 21:07:09 UTC 2018


John,

As a registrar who provides registrar-as-a-service and services 
resellers, we need to make sure everyone and anyone can comply with 
whatever applicable law they need to deal with.

So while the GDPR is "one" guidance, this guides us more:

https://www.cnil.fr/en/data-protection-around-the-world

And it does not stop there.

https://www.linkedin.com/pulse/turkeys-regulation-data-controllers-registry-affect-based-yaz%C4%B1c%C4%B1o%C4%9Flu/

Now consider this and imagine the massive consequences here.
If ICANN, registries, and registrars are considered joint controllers, 
and this is not a far-fetched scenario, that means for Turkey:
ICANN has to appoint and authorize a representative in Turkey.
So does a registry.
So do registrars.

Please re-read this till it sinks in.

We can only assume as a WG that this trend will continue.
I think we will reach a tipping point soon (1 or 2 years) and more 
countries will require this.
So the slogan of "one world, one internet" might not be applicable 
for domain names, depending on how this group moves. The defragmentation 
of the internet is happening on a vertical and horizontal level, and 
this has been going on for some time now.

This group needs to understand that WE have the means to shape the 
future here. If we can take the lead and work together with DPAs and 
the Article 29 WP, we will shape that future. It will not be easy; it 
will be complicated as hell, but we are in a position to shape it.

If not, defragmentation will be a fact, and all of us will have to deal with 
whatever problems arise on a country level. So far a particular part of this WG 
is pushing for that scenario by its desire to retain the current status 
quo of WHOIS.
Which I understand; better to deal with the devil you know, but it is 
not sustainable for the future.

To put it very bluntly, John, I think you and others can shape the future 
by being part of the solution.

If this WG fails, you are going to have much more significant problems than 
just the GDPR.

And personally, I would hate to see rogue pharmacy scumbags hide 
behind country borders and become untouchable. I would rather see a gated RDAP 
solution not just at a registrar but also at a reseller level......


Theo



On 16-2-2018 21:50, Michele Neylon - Blacknight wrote:
>
> John
>
> Article 3, as referenced by Tapani, makes it very clear to me:
>
> “1. This Regulation applies to the processing of personal data in the 
> context of the activities of an establishment of a controller or a 
> processor in the Union, regardless of whether the processing takes 
> place in the Union or not”
>
> Regards
>
> Michele
>
> --
>
> Mr Michele Neylon
>
> Blacknight Solutions
>
> Hosting, Colocation & Domains
>
> https://www.blacknight.com
>
> https://blacknight.blog/
>
> http://ceo.hosting/
>
> Intl. +353 (0) 59 9183072
>
> Direct Dial: +353 (0)59 9183090
>
> -------------------------------
>
> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park,
> Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
>
> From: John Horton <john.horton at legitscript.com>
> Date: Friday 16 February 2018 at 20:02
> To: Michele Neylon <michele at blacknight.com>
> Cc: "benny at nordreg.se" <benny at nordreg.se>, RDS PDP WG 
> <gnso-rds-pdp-wg at icann.org>
> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois 
> and GDPR
>
> Ha, thanks Michele, and sorry for the timing! (Hope your answer was 
> written over a bottle of red wine, preferably an Oregon pinot.)
>
> Let me clarify my question, and feel free to defer the answer if next 
> week is better. I'm asking if registrars have received specific 
> guidance, or can point to anything specific in the GDPR or any written 
> document, indicating that you have to provide GDPR protections to all 
> of your customers, even if they aren't in scope. In other words, I'm 
> looking for a very clear statement along these lines from a DPA:
>
>     As an EU company, even if your customer is a natural person in the
>     US, you must provide them the same rights under the GDPR that an
>     EU natural person would receive. Failure to do so is non-compliant
>     with the GDPR.
>
> Obviously, the exact wording may differ, but I'm trying to challenge 
> your statement that "As an Irish company all our clients have to be 
> handled under GDPR." If that's true as a legal requirement, I think 
> it's important for the security/compliance community to be aware of 
> that...if it's not, perhaps that opens up some more granular 
> approaches that can satisfy both sides.
>
>
> John Horton
> President and CEO, LegitScript
>
>
> Follow LegitScript: 
> LinkedIn <http://www.linkedin.com/company/legitscript-com> | 
> Facebook <https://www.facebook.com/LegitScript> | 
> Twitter <https://twitter.com/legitscript> | 
> Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
>
>
> On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight 
> <michele at blacknight.com> wrote:
>
>     John
>
>     Of course you would wait until a Friday evening to ask me this ..
>
>     Anyway ..
>
>     As a company in the EU we have to do everything through the lens
>     of GDPR.
>
>
>     That does not mean that a company will get the same treatment as a
>     private individual.
>
>     What it does mean is that we (and other EU based registrars and
>     registries) have to consider whether or not there is personal
>     information in the currently public whois information. I’m not
>     100% sure yet what the best way of dealing with that is.
>     While we can ask new clients things during signup, it’s going to
>     be significantly harder to get a response from the existing ones.
>
>     Regards
>
>     Michele
>
>     --
>
>     Mr Michele Neylon
>
>     Blacknight Solutions
>
>     Hosting, Colocation & Domains
>
>     https://www.blacknight.com
>
>     https://blacknight.blog/
>
>     http://ceo.hosting/
>
>     Intl. +353 (0) 59 9183072
>
>     Direct Dial: +353 (0)59 9183090
>
>     -------------------------------
>
>     Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park,
>     Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
>
>     From: John Horton <john.horton at legitscript.com>
>     Date: Friday 16 February 2018 at 19:28
>     To: Michele Neylon <michele at blacknight.com>
>     Cc: "benny at nordreg.se" <benny at nordreg.se>, RDS PDP WG
>     <gnso-rds-pdp-wg at icann.org>
>     Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE
>     whois and GDPR
>
>     Michele,
>
>     Let me dig in a bit on one question there -- actually curious
>     about this. You indicated "As an Irish company all our clients
>     have to be handled under GDPR." So, for example, let's say that I
>     transferred my company's domain name (obviously, we're a legal
>     person, and we're domiciled in the US and registered here) to
>     Blacknight. I think you'd agree we're not the intended beneficiary
>     of the GDPR. My specific question for you is: Is there written
>     guidance somewhere indicating that you do, in fact, have to
>     provide me GDPR protections? That your policies have to apply to
>     me? If there's some language out there specifically indicating
>     that, it would be helpful to see that. I didn't see that in the
>     Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR
>     (but again, perhaps I'm missing it). Let me know if my question
>     doesn't make sense.
>
>
>     John Horton
>     President and CEO, LegitScript
>
>
>     Follow LegitScript:
>     LinkedIn <http://www.linkedin.com/company/legitscript-com> |
>     Facebook <https://www.facebook.com/LegitScript> |
>     Twitter <https://twitter.com/legitscript> |
>     Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
>
>
>     On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight
>     <michele at blacknight.com> wrote:
>
>         John
>
>         There are two distinct discussions here which seem to be
>         getting mixed together.
>
>         During the proxy / privacy discussion some people wanted there
>         to be a distinction between who could avail of proxy / privacy
>         services. Some wanted a prohibition on letting “commercial”
>         have the ability to use proxy / privacy.
>
>         The discussions here and elsewhere around collection and
>         publication of data in light of GDPR are very different.
>
>         Nobody is disputing that there is a distinction between
>         private individuals and corporations when it comes to GDPR.
>         However there are risks associated with the processing of
>         personal information, which may be tied into corporate
>         information. And the “commercial” vs “non-commercial”
>         distinction won’t work.
>
>         Where there is a clear difference is between treatment of
>         registrants based on geography.
>
>         As an Irish company all our clients have to be handled under
>         GDPR. The same would be true of any other provider based in
>         the EU.
>
>         I cannot speak to nor will I get involved in debates around
>         what various non-EU based operators may currently be doing or
>         plan to do in the future – there are enough of them on this
>         list who can do so more ably than I and without my help.
>
>         Regards
>
>         Michele
>
>         --
>
>         Mr Michele Neylon
>
>         Blacknight Solutions
>
>         Hosting, Colocation & Domains
>
>         https://www.blacknight.com
>
>         https://blacknight.blog/
>
>         http://ceo.hosting/
>
>         Intl. +353 (0) 59 9183072
>
>         Direct Dial: +353 (0)59 9183090
>
>         -------------------------------
>
>         Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park,
>         Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
>
>         From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org>
>         on behalf of John Horton via gnso-rds-pdp-wg
>         <gnso-rds-pdp-wg at icann.org>
>         Reply-To: John Horton <john.horton at legitscript.com>
>         Date: Friday 16 February 2018 at 18:54
>         To: "benny at nordreg.se" <benny at nordreg.se>
>         Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>         Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE
>         whois and GDPR
>
>         I think quite a bit in this WG and certainly in the prior
>         privacy/proxy PDP, and absolutely what we're seeing with
>         GoDaddy. To make sure I'm being clear about what I mean,
>         GoDaddy isn't only redacting Whois information (via Port 43)
>         where it's an EU natural citizen or natural resident. The
>         information is being redacted for....everyone. All
>         registrants. There's simply no justification for that.
>
>         I predict you'd see (I'm not speaking for anyone here, just
>         me) a real willingness on the security and compliance
>         community's part to compromise and support a system where, IF
>         a registrant is an EU natural person (yes, I know we need to
>         define it accurately -- citizen, resident, we can get granular
>         later) then...hey, let's set up a system involving
>         redaction of some fields, access to those fields in legitimate
>         cases, etc. I want to support registrars' compliance with the
>         GDPR. But we're seeing the registrar community say: We want to
>         apply this globally. To all domain name registrations. Doesn't
>         matter if the registrant is the intended beneficiary of the
>         new law, or in scope, or not. We're going to just change
>         global policy.
>
>         I think that viewpoint has been pretty repeatedly represented
>         in this working group, but I'd love to hear from registrars
>         that would support a more targeted solution where only the
>         intended beneficiaries of the GDPR (that is, in-scope
>         registrants) are covered under the policy.
>
>
>         John Horton
>         President and CEO, LegitScript
>
>
>         Follow LegitScript:
>         LinkedIn <http://www.linkedin.com/company/legitscript-com> |
>         Facebook <https://www.facebook.com/LegitScript> |
>         Twitter <https://twitter.com/legitscript> |
>         Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
>
>
>         On Fri, Feb 16, 2018 at 10:44 AM, benny at nordreg.se
>         <benny at nordreg.se> wrote:
>
>             Please refer to where registrars have been unwilling to
>             explore this option?
>
>
>
>             --
>             Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>
>             Benny Samuelsen
>             Registry Manager - Domainexpert
>
>             Nordreg AB - ICANN accredited registrar
>             IANA-ID: 638
>             Phone: +46.42197000
>             Direct: +47.32260201
>             Mobile: +47.40410200
>
>             > On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg
>             <gnso-rds-pdp-wg at icann.org> wrote:
>             >
>             > Just imagine how much of all of this could be avoided if
>             registrars were willing to agree to a
>             commercial/individual distinction.
>             >
>             > John Horton
>             > President and CEO, LegitScript
>             >
>             >
>             > Follow LegitScript: LinkedIn  |  Facebook |  Twitter  | 
>             Blog  | Newsletter
>             >
>             >
>             >
>
>             > On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg
>             <gnso-rds-pdp-wg at icann.org> wrote:
>             > GDPR taken to its logical extreme very well could
>             require us to abandon IP reputation and to empty our
>             firewalls. I mean, no consumer authorized me to process
>             their IP just by attacking me, right?
>             >
>             > Privacy absolutism is not the answer unless you
>             basically want to mandate the internet backbone be
>             converted to tor.
>             >
>             > --
>             > John Bambenek
>             >
>             > On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight
>             <michele at blacknight.com> wrote:
>             >
>             >> It’s an interesting read, but it has several flaws.
>             >>
>             >> It refers to registrars solely and ignores registries.
>             >>
>             >> It also makes it sound like issues around whois are
>             “new”, which we all know isn’t true.
>             >>
>             >> The comments about IP addresses make it sound like it’s
>             a theoretical concern, yet there is case law eg:
>             >>
>             >>
>             https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
>             >>
>             >> --
>             >>
>             >> Mr Michele Neylon
>             >>
>             >> Blacknight Solutions
>             >>
>             >> Hosting, Colocation & Domains
>             >>
>             >> https://www.blacknight.com/
>             >>
>             >> http://blacknight.blog/
>             >>
>             >> Intl. +353 (0) 59 9183072
>             >>
>             >> Direct Dial: +353 (0)59 9183090
>             >>
>             >> Personal blog: https://michele.blog/
>             >>
>             >> Some thoughts: https://ceo.hosting/
>             >>
>             >> -------------------------------
>             >>
>             >> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park,
>             Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
>             >>
>             >> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org>
>             on behalf of Dotzero <dotzero at gmail.com>
>             >> Date: Friday 16 February 2018 at 00:07
>             >> To: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>             >> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE
>             whois and GDPR
>             >>
>             https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
>             >>
>             >> Michael Hammer
>             >>
>             >> _______________________________________________
>             >> gnso-rds-pdp-wg mailing list
>             >> gnso-rds-pdp-wg at icann.org
>             >> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>             >
>             >
>
>
>


