[gnso-rds-pdp-wg] Facebook loses Belgian court case over consent and tracking

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Wed Feb 21 13:26:56 UTC 2018


Sorry not to have answered this last night Steve, I was having the usual 
multi-tasking challenges which overtake the 1 AM calls.  There is a 
fundamental problem here in my view, and that is the difference between 
people's understanding of "personally identifying information" or PII, 
and "personal information", which is silent on the matter of whether it 
can be identified.  For example, your medical data may have all the 
identifiers removed (name, address, phone number, health numbers, etc.) 
but that does not mean that people could not figure out it was you, 
particularly these days when even DNA data is up on the net. We 
generally continue to call that personal data (people can reasonably 
understand, for instance, that an x-ray of my lungs is still my personal 
information, even if it has been securely anonymized).  I argue that all 
data associated with your registration including the assigned data is 
personal data (for the purposes of ICANN's treatment of it as a data 
controller), but that does not mean it cannot be processed.  It is not 
usually PII, but that is irrelevant for GDPR discussions because that is 
an expression not used in the GDPR, PII that has been popularized by the 
US, and that in the absence of general data protection law.  We had a  
lengthy discussion of this about a year ago, and I am sure I was 
unsuccessful in persuading some folks that a name server could be 
personal data.  The name of a city is not personally identifiable 
information, but if it is the one data element that distinguishes John 
Smith of Main Street US, among six John Smiths on Main Street, then it 
is personal data.

Given the ubiquity of data and data analytics these days, this is an 
active area of privacy scholarship, with plenty of practical 
implications. We have over many years regularly removed a few data 
elements to mask data sufficiently for public processing purposes; 
increasingly this does not work anymore and the field is changing too 
fast to keep up.  This of course does not mean that name servers, e.g., 
should not be published.

Stephanie

On 2018-02-20 23:14, Steve Crocker wrote:
> Stephanie,
>
> Some folks are saying address records, names of name servers and 
> perhaps other records might have personally identifying information. 
>  I would not argue these records do not ever have personally 
> identifying information, I do argue it’s immaterial.  It’s essential 
> these records are universally accessible and because this is well 
> known, anyone who chooses to publish these records has implicitly 
> granted permission for others to access this information.  Policy 
> people, legislators, regulators cannot impose a new requirement on the 
> design and operation of the DNS as if the possibility of mediating 
> access were an available option.
>
> Steve
>
> Sent from my iPhone
>
> On Feb 20, 2018, at 11:02 PM, Stephanie Perrin 
> <stephanie.perrin at mail.utoronto.ca> wrote:
>
>> Actually no, Steve, we sorted this out a few months ago....Andrew 
>> Sullivan explained all of this patiently and in great detail, as I 
>> recall.  I tried to explain the difference between data elements 
>> constituting PI, because of their association with an individual, and 
>> the requirements to protect.  I think I failed dismally in that 
>> effort, because I see we are re-arguing those issues.
>>
>> cheers Stephanie
>>
>> On 2018-02-20 11:50, Steve Crocker wrote:
>>> I'm puzzled by the reference to name servers and A records.  These 
>>> are necessarily public else the domain name system won't function.  
>>> Is there confusion or misunderstanding about the role of these records?
>>>
>>> Steve
>>>
>>>
>>> On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo at gmail.com> wrote:
>>>
>>>     1,000,000% agreed. Registrars cannot eliminate all their risk by
>>>     masking WHOIS into oblivion. The DPAs can still ask why they are
>>>     exposing A records, nameservers, etc, to anyone who asks for
>>>     them, without valid reasons or authentication. Why do they
>>>     expose zone files, etc. The DPAs can ask why customer support
>>>     can sometimes so easily be social engineered into handing over
>>>     accounts to account takeover scammers.
>>>
>>>     Since most registrars are also hosting providers/mail providers,
>>>     would criminals storing stolen PII on your servers be a GDPR
>>>     issue? After all, the ultimate owner of the server is also
>>>     considered a "processor", which has interesting implications if
>>>     one's customers include phishers, or sell stolen credit cards,
>>>     and one's already been notified. I have even seen miscreants
>>>     putting doxes in TXT records.
>>>
>>>     I already know of quite a few incidents where people would have
>>>     had standing to file a GDPR complaint against
>>>     registrars/hosters, unrelated to WHOIS.
>>>
>>>     Eventually the issue is going to impact the core business model
>>>     of registrars. This isn't going to stop at WHOIS. An open dialog
>>>     with the DPAs at an early stage is of utmost importance for all
>>>     parties involved here.
>>>
>>>
>>>     On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco
>>>     <sam at lanfranco.net> wrote:
>>>
>>>         Benny,
>>>
>>>         This is why I support multi-venue multi-stakeholder dialogue
>>>         with the DPAs so that they are apprised of the issues on
>>>         all sides of the data protection issue. They are then more
>>>         likely to act in a judicious manner, and less like an attack
>>>         dog. Watch the new movie "*/The Post/*" where
>>>         /Washington Post/ owner Katharine Graham decided to publish
>>>         the Vietnam War Pentagon Papers, with the downside risk that
>>>         she could be jailed for treason. The court ruled in favor of
>>>         freedom of the press. It is not what the DPA can do, but
>>>         what they are likely to do, and dialogue goes a long way to
>>>         mitigating risk and shaping appropriate positions and
>>>         behavior (with integrity) on all sides.
>>>
>>>         Sam L.
>>>
>>>
>>>         On 2/19/2018 10:02 AM, benny at nordreg.se wrote:
>>>>         <irony on> Now I am relieved, we as registrars will not be
>>>>         subject to anything… </irony off>
>>>>
>>>>         None of us know where and what they will
>>>>         prioritise, */remember that it only takes 1 complaint to a
>>>>         DPA to get the snowball moving./* [emphasis added] I am
>>>>         sure your statement has no value then.
>>>>
>>>>         --
>>>>         Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>
>>>>         Benny Samuelsen
>>>>         Registry Manager - Domainexpert
>>>>
>>>>         Nordreg AB - ICANN accredited registrar
>>>>         IANA-ID: 638
>>>>         Phone: +46.42197000
>>>>         Direct: +47.32260201
>>>>         Mobile: +47.40410200
>>>>
>>>>>         On 19 Feb 2018, at 15:29, Sam Lanfranco <sam at lanfranco.net> wrote:
>>>>>
>>>>>         Hi Tim,
>>>>>
>>>>>         No, completely to the contrary. My point with that dollars
>>>>>         reference was that in some cases litigation is the
>>>>>         preferred business response, rather than compliance and
>>>>>         paying fines. Also, the big revenues in mining big data
>>>>>         are outside the DNS sphere, and outside the abuses and
>>>>>         "bad things" that websites do to people. The big EU fines
>>>>>         are more likely to hit social media than Registrars,
>>>>>         although there are risks there as well. The revenues, and
>>>>>         privacy violations, will come from profiling users by
>>>>>         mining big data for scraps of personal data to
>>>>>         individualize target marketing.
>>>>>
>>>>>         */As a brief aside:/* This goes well beyond the remit of
>>>>>         ICANN and is actually worse than just being inundated by
>>>>>         adverts based on personal online behavior. Artificial
>>>>>         Intelligence mining apps are increasingly customizing the
>>>>>         "news" one gets from news feeds, to help "glue the
>>>>>         eyeballs" to the adverts, creating a news silo of one. 
>>>>>         (That is amusing for me since I virtually live in two
>>>>>         towns in two countries). Even more worrisome is the
>>>>>         growing practice for A.I. companies where A.I. "writes"
>>>>>         the news releases, now mainly in sports and finance, for
>>>>>         thousands of print and online news outlets. I know all of
>>>>>         this is outside the ICANN remit so I will stop there.
>>>>>
>>>>>         Sam L.
>>>>>
>>>>>
>>>>>         On 2/18/2018 5:43 PM, Chen, Tim wrote:
>>>>>>         Hi Sam,
>>>>>>
>>>>>>         When you say these are hundred million dollar issues for
>>>>>>         "the companies", which companies are you talking about?
>>>>>>         Large Registrars?
>>>>>>
>>>>>>         I hope you are not comparing cybersecurity professionals
>>>>>>         and the good work they are trying to enable, to a
>>>>>>         completely separate privacy issue around data used for ad
>>>>>>         tracking or behavior tracking across websites.  If I
>>>>>>         spent my days trying to protect people on the internet
>>>>>>         from bad things, I would certainly not appreciate any
>>>>>>         allusion that I was engaged on the whois data issue 'for
>>>>>>         the money'.
>>>>>>
>>>>>>         Tim
>>>>>>
>>>>>
>>>>>         _______________________________________________
>>>>>         gnso-rds-pdp-wg mailing list
>>>>>         gnso-rds-pdp-wg at icann.org
>>>>>         https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>
>>>
>>>         -- 
>>>         ------------------------------------------------
>>>         "It is a disgrace to be rich and honoured
>>>         in an unjust state" -Confucius
>>>           邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
>>>         ------------------------------------------------
>>>         Visiting Prof, Xi'an Jiaotong-Liverpool Univ, Suzhou, China
>>>         Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
>>>         Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
>>>         email: sam at lanfranco.net    Skype: slanfranco
>>>         blog: https://samlanfranco.blogspot.com
>>>         Phone: +1 613-476-0429  cell: +1 416-816-2852
>>>
>>>
>>>     -- 
>>>     _________________________________
>>>     Note to self: Pillage BEFORE burning.
>>>