[gnso-rds-pdp-wg] Facebook loses Belgian court case over consent and tracking
John Bambenek
jcb at bambenekconsulting.com
Tue Feb 20 18:12:11 UTC 2018
Which brings me back full circle to my point. An A records exists because a registrant put it there. If the system was slightly modified to provide a free privacy option, then whois data is there because the registrant put it there. And thus the problem is solved.
--
John Bambenek
> On Feb 20, 2018, at 12:07, Tapani Tarvainen <ncsg at tapani.tarvainen.info> wrote:
>
> Yes. Even though IP addresses &c can be personally identifiable
> information, that doesn't mean they can't ever be published. It does
> mean GDPR applies, but it's clear GDPR would allow DNS records to be
> published just as they've always been.
>
> Seriously. GDPR is not insane.
>
> Tapani
>
>> On Tue, Feb 20, 2018 at 12:31:57PM -0500, Steve Crocker (steve at shinkuro.com) wrote:
>>
>> John,
>>
>> I think you're making the implicit assumption that access to name server
>> (NS), address (A and AAAA) and related MX and DS records should be gated
>> simply because someone can claim there might be personally identifiable
>> information associated with these records. This is a very large assumption
>> with very large consequences.
>>
>> The DNS was designed to provide unfettered access to these records. The
>> implication, therefore, is that anyone who publishes these records
>> necessarily expects these records to be publicly available.
>>
>> If you think there's a need for a system that makes the address information
>> about a site accessible to only a selected set of people, design and build
>> a system that provides that functionality. The Domain Name System,
>> however, is not designed and not built that way. Anyone who publishes
>> information in the DNS has necessarily chosen to make that information
>> public. That's the end of the privacy issue with respect to the Domain
>> Name System.
>>
>> Discussion about how much information about the registrant is a separate
>> matter, of course.
>>
>> Steve
>>
>>
>> On Tue, Feb 20, 2018 at 12:17 PM, John Bambenek <jcb at bambenekconsulting.com>
>> wrote:
>>
>>> We have no idea how to determine nationality, so we just assume GDPR
>>> applies.
>>>
>>> We have no idea how to determine natural vs legal person, so we assume
>>> natural person.
>>>
>>> We assume the user is too stupid to use a role-based email address or any
>>> other mitigations, so that’s not an option.
>>>
>>> We assume the user is too stupid to know why to do with voluntary fields,
>>> so putting data in whois is too risky even in an opt-in scenario.
>>>
>>> But now we are talking about acceptable levels of risk with nameservers?
>>>
>>> How are we going to control to make sure only the types of data processing
>>> on this sensitive information is limited to what is authorized? What if I
>>> don’t want you to have my nameservers? What are you registrars going to do
>>> to make that possible?
>>>
>>> --
>>> John Bambenek
>>>
>>> On Feb 20, 2018, at 11:11, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>
>>> Domain names and name servers can comprise personal information. However,
>>> this does not mean we cannot use them. It just means we need to complete a
>>> privacy impact assessment and understand the risks involved. And I suspect
>>> the risks to a name server or domain name itself being public are
>>> incredibly low. The risk profile is nowhere near that of WHOIS or RDS being
>>> open for all to see, filled with sensitive data like addresses and phone
>>> numbers.
>>>
>>> Ayden
>>>
>>>
>>> -------- Original Message --------
>>> On 20 February 2018 5:55 PM, John Bambenek via gnso-rds-pdp-wg <
>>> gnso-rds-pdp-wg at icann.org> wrote:
>>>
>>> Domain names, hostnames, and IP addresses in so far as they are personally
>>> identifiable are PII. Courts have ruled on IP addresses already and DPAs
>>> have said much the same.
>>>
>>> So the same logic on why we can’t have a system that lets people advertise
>>> who owns the domain is the same argument why DNS must be gated.
>>>
>>> Has any registrar done a PIA on publishing my nameservers? How do I
>>> control who gets that information? How do we enforce its for authorized
>>> purposes only?
>>>
>>> --
>>> John Bambenek
>>>
>>> On Feb 20, 2018, at 10:50, Steve Crocker <steve at shinkuro.com> wrote:
>>>
>>> I'm puzzled by the reference to name servers and A records. These are
>>> necessarily public else the domain name system won't function. Is there
>>> confusion or misunderstanding about the role of these records?
>>>
>>> Steve
>>>
>>>
>>>> On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo at gmail.com> wrote:
>>>>
>>>> 1,000,000% agreed. Registrars cannot eliminate all their risk by masking
>>>> WHOIS into oblivion. The DPAs can still ask why they are exposing A
>>>> records, nameservers, etc, to anyone who asks for them, without valid
>>>> reasons or authentication. Why do they expose zone files, etc. The DPAs can
>>>> ask why customer support can sometimes so easily be social engineered into
>>>> handing over accounts to account takeover scammers.
>>>>
>>>> Since most registrars are also hosting providers/mail providers, would
>>>> criminals storing stolen PII on your servers be a GDPR issue? After all,
>>>> the ultimate owner of the server is also considered a "processor", which
>>>> has interesting implications if one's customers include phishers, or sell
>>>> stolen credit cards, and one's already been notified. I have even seen
>>>> miscreants putting doxes in TXT records.
>>>>
>>>> I already know of quite a few incidents where people would have had
>>>> standing to file a GDPR complaint against registrars/hosters, unrelated to
>>>> WHOIS.
>>>>
>>>> Eventually the issue is going to impact the core business model of
>>>> registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs
>>>> at an early stage is of utmost importance for all parties involved here.
>>>>
>>>>
>>>> On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco <sam at lanfranco.net>
>>>> wrote:
>>>>
>>>>> Benny,
>>>>>
>>>>> This is why I support multi-venue multi-stakholder dialogue with the
>>>>> DPA's so that they are appraised of the issues on all sides of the data
>>>>> protection issue. They are then more likely to act in a judicious manner,
>>>>> and less like an attack dog. Watch the new movie "*The Post*" where
>>>>> when *Washington Post* owner Katharine Graham decided to publish the
>>>>> Vietnam War Pentagon Papers, with the downside risk that she could be
>>>>> jailed for treason. The court ruled in favor of freedom of the press. It is
>>>>> not what the DPA can do, but what they are likely to do, and dialogue goes
>>>>> a long way to mitigating risk and shaping appropriate positions and
>>>>> behavior (with integrity) on all sides.
>>>>>
>>>>> Sam L.
>>>>>
>>>>> On 2/19/2018 10:02 AM, benny at nordreg.se wrote:
>>>>>
>>>>> <ironi on> Now I am relieved, we as registrars will not be subject for
>>>>> anything… </ironi off>
>>>>>
>>>>> None of us know where and what they will prioritise,* remember that it
>>>>> only take 1 complaint to a DPA to get the snowball moving.* [emphasis
>>>>> added] I am sure your statement have noe value then.
>>>>>
>>>>> --
>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>>
>>>>>
>>>>> Benny Samuelsen
>>>>> Registry Manager - Domainexpert
>>>>>
>>>>> Nordreg AB - ICANN accredited registrar
>>>>> IANA-ID: 638
>>>>> Phone: +46.42197000 <+46%2042%2019%2070%2000>
>>>>> Direct: +47.32260201 <+47%2032%2026%2002%2001>
>>>>> Mobile: +47.40410200 <+47%20404%2010%20200>
>>>>>
>>>>> On 19 Feb 2018, at 15:29, Sam Lanfranco <sam at lanfranco.net> wrote:
>>>>>
>>>>> Hi Tim,
>>>>>
>>>>> No, completely to the contrary. My point with that dollars reference was
>>>>> that in some cases litigation is the preferred business response, rather
>>>>> than compliance and paying fines. Also, the big revenues in mining big data
>>>>> are outside the DNS sphere, and outside the abuses and "bad things" that
>>>>> websites do to people. The big EU fines are more likely to hit social media
>>>>> than Registrars, although they are risks there as well. The revenues, and
>>>>> privacy violations, will come from profiling users by mining big data for
>>>>> scraps of personal date to individualize target marketing.
>>>>>
>>>>> *As a brief aside:* This goes well beyond the remit of ICANN and is
>>>>> actually worse than just being inundated by adverts base on personal online
>>>>> behavior. Artificial Intelligence mining apps are increasingly customizing
>>>>> the "news" one gets from news feeds, to help "glue the eyeballs" to the
>>>>> adverts, creating a news silo of one. (That is amusing for me since I
>>>>> virtually live in two towns in two countries). Even more worrisome is the
>>>>> growing practice for A.I. companies where A.I. "writes" the news releases,
>>>>> now mainly in sports and finance, for thousands of print and online news
>>>>> outlets. I know all of this is outside the ICANN remit so I will stop
>>>>> there.
>>>>>
>>>>> Sam L.
>>>>>
>>>>> On 2/18/2018 5:43 PM, Chen, Tim wrote:
>>>>>
>>>>> Hi Sam,
>>>>>
>>>>> When you say these are hundred million dollar issues for "the
>>>>> companies",which companies are you talking about? Large Registrars?
>>>>>
>>>>> I hope you are not comparing cybersecurity professionals and the good
>>>>> work they are trying to enable, to a completely separate privacy issue
>>>>> around data used for ad tracking or behavior tracking across websites. If
>>>>> I spent my days trying to protect people on the internet from bad things, I
>>>>> would certainly not appreciate any allusion that I was engaged on the whois
>>>>> data issue 'for the money'.
>>>>>
>>>>> Tim
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> gnso-rds-pdp-wg mailing list
>>>>> gnso-rds-pdp-wg at icann.org
>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> ------------------------------------------------
>>>>> "It is a disgrace to be rich and honoured
>>>>> in an unjust state" -Confucius
>>>>> 邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
>>>>> ------------------------------------------------
>>>>> Visiting Prof, Xi'an Jaiotong-Liverpool Univ, Suzhou, China
>>>>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
>>>>> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
>>>>> email: sam at lanfranco.net Skype: slanfranco
>>>>> blog: https://samlanfranco.blogspot.com
>>>>> Phone: +1 613-476-0429 <(613)%20476-0429> cell: +1 416-816-2852 <(416)%20816-2852>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> gnso-rds-pdp-wg mailing list
>>>>> gnso-rds-pdp-wg at icann.org
>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> _________________________________
>>>> Note to self: Pillage BEFORE burning.
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
More information about the gnso-rds-pdp-wg
mailing list