[gnso-rds-pdp-wg] Facebook loses Belgian court case over consent and tracking
Stephanie Perrin
stephanie.perrin at mail.utoronto.ca
Wed Feb 21 13:51:13 UTC 2018
Thanks Theo, that is a helpful cheatsheet. I would just add that
privacy advocates and DPAs have been fighting machine identifiers for
years...Remember the Big Brother Inside campaign against the Intel chip?
cheers Stephanie
On 2018-02-21 08:38, theo geurts wrote:
>
> Perhaps this clarifies it more.
>
> https://piwik.pro/blog/what-is-pii-personal-data/
>
> Theo
>
>
> On 21-2-2018 14:26, Stephanie Perrin wrote:
>>
>> Sorry not to have answered this last night Steve, I was having the
>> usual multi-tasking challenges which overtake the 1 AM calls. There
>> is a fundamental problem here in my view, and that is the difference
>> between people's understanding of "personally identifying
>> information" or PII, and "personal information", which is silent on
>> the matter of whether it can be identified. For example, your
>> medical data may have all the identifiers removed (name, address,
>> phone number, health numbers, etc.) but that does not mean that
>> people could not figure out it was you, particularly these days when
>> even DNA data is up on the net. We generally continue to call that
>> personal data (people can reasonably understand, for instance, that
>> an x-ray of my lungs is still my personal information, even if it has
>> been securely anonymized). I argue that all data associated with
>> your registration including the assigned data is personal data (for
>> the purposes of ICANN's treatment of it as a data controller), but
>> that does not mean it cannot be processed. It is not usually PII,
>> but that is irrelevant for GDPR discussions because that is an
>> expression not used in the GDPR, PII that has been popularized by the
>> US, and that in the absence of general data protection law. We had a
>> lengthy discussion of this about a year ago, and I am sure I was
>> unsuccessful in persuading some folks that a name server could be
>> personal data. The name of a city is not personally identifiable
>> information, but if it is the one data element that distinguishes
>> John Smith of Main street US, among six John Smiths on Main Street,
>> then it is personal data.
>>
>> Given the ubiquity of data and data analytics these days, this is an
>> active area of privacy scholarship, with plenty of practical
>> implications. We have over many years regularly removed a few data
>> elements to mask data sufficiently for public processing purposes;
>> increasingly this does not work anymore and the field is changing too
>> fast to keep up. This of course does not mean that name servers,
>> e.g., should not be published.
>>
>> Stephanie
>>
>> On 2018-02-20 23:14, Steve Crocker wrote:
>>> Stephanie,
>>>
>>> Some folks are saying address records, names of name servers and
>>> perhaps other records might have personally identifying information.
>>> I would not argue these records do not ever have personally
>>> identifying information, I do argue it’s immaterial. It’s essential
>>> these records are universally accessible and because this is well
>>> known, anyone who chooses to publish these records has implicitly
>>> granted permission for others to access this information. Policy
>>> people, legislators, regulators cannot impose a new requirement on
>>> the design and operation of the DNS as if the possibility of
>>> mediating access were an available option.
>>>
>>> Steve
>>>
>>> Sent from my iPhone
>>>
>>> On Feb 20, 2018, at 11:02 PM, Stephanie Perrin
>>> <stephanie.perrin at mail.utoronto.ca> wrote:
>>>
>>>> Actually no, Steve, we sorted this out a few months ago....Andrew
>>>> Sullivan explained all of this patiently and in great detail, as I
>>>> recall. I tried to explain the difference between data elements
>>>> constituting PI, because of their association with an individual,
>>>> and the requirements to protect. I think I failed dismally in that
>>>> effort, because I see we are re-arguing those issues.
>>>>
>>>> cheers Stephanie
>>>>
>>>> On 2018-02-20 11:50, Steve Crocker wrote:
>>>>> I'm puzzled by the reference to name servers and A records. These
>>>>> are necessarily public else the domain name system won't
>>>>> function. Is there confusion or misunderstanding about the role
>>>>> of these records?
>>>>>
>>>>> Steve
>>>>>
>>>>>
>>>>> On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo at gmail.com> wrote:
>>>>>
>>>>> 1,000,000% agreed. Registrars cannot eliminate all their risk
>>>>> by masking WHOIS into oblivion. The DPAs can still ask why
>>>>> they are exposing A records, nameservers, etc, to anyone who
>>>>> asks for them, without valid reasons or authentication. Why do
>>>>> they expose zone files, etc. The DPAs can ask why customer
>>>>> support can sometimes so easily be social engineered into
>>>>> handing over accounts to account takeover scammers.
>>>>>
>>>>> Since most registrars are also hosting providers/mail
>>>>> providers, would criminals storing stolen PII on your servers
>>>>> be a GDPR issue? After all, the ultimate owner of the server
>>>>> is also considered a "processor", which has interesting
>>>>> implications if one's customers include phishers, or sell
>>>>> stolen credit cards, and one's already been notified. I have
>>>>> even seen miscreants putting doxes in TXT records.
>>>>>
>>>>> I already know of quite a few incidents where people would
>>>>> have had standing to file a GDPR complaint against
>>>>> registrars/hosters, unrelated to WHOIS.
>>>>>
>>>>> Eventually the issue is going to impact the core business
>>>>> model of registrars. This isn't going to stop at WHOIS. An
>>>>> open dialog with the DPAs at an early stage is of utmost
>>>>> importance for all parties involved here.
>>>>>
>>>>>
>>>>> On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco
>>>>> <sam at lanfranco.net> wrote:
>>>>>
>>>>> Benny,
>>>>>
>>>>> This is why I support multi-venue multi-stakeholder
>>>>> dialogue with the DPAs so that they are apprised of the
>>>>> issues on all sides of the data protection issue. They are
>>>>> then more likely to act in a judicious manner, and less
>>>>> like an attack dog. Watch the new movie "*/The Post/*"
>>>>> where when /Washington Post/ owner Katharine Graham
>>>>> decided to publish the Vietnam War Pentagon Papers, with
>>>>> the downside risk that she could be jailed for treason.
>>>>> The court ruled in favor of freedom of the press. It is
>>>>> not what the DPA can do, but what they are likely to do,
>>>>> and dialogue goes a long way to mitigating risk and
>>>>> shaping appropriate positions and behavior (with
>>>>> integrity) on all sides.
>>>>>
>>>>> Sam L.
>>>>>
>>>>>
>>>>> On 2/19/2018 10:02 AM, benny at nordreg.se wrote:
>>>>>> <ironi on> Now I am relieved, we as registrars will not
>>>>>> be subject for anything… </ironi off>
>>>>>>
>>>>>> None of us know where and what they will
>>>>>> prioritise, */remember that it only takes 1 complaint to a
>>>>>> DPA to get the snowball moving./* [emphasis added] I am
>>>>>> sure your statement have noe value then.
>>>>>>
>>>>>> --
>>>>>> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>>>>>>
>>>>>> Benny Samuelsen
>>>>>> Registry Manager - Domainexpert
>>>>>>
>>>>>> Nordreg AB - ICANN accredited registrar
>>>>>> IANA-ID: 638
>>>>>> Phone: +46.42197000
>>>>>> Direct: +47.32260201
>>>>>> Mobile: +47.40410200
>>>>>>
>>>>>>> On 19 Feb 2018, at 15:29, Sam Lanfranco
>>>>>>> <sam at lanfranco.net> wrote:
>>>>>>>
>>>>>>> Hi Tim,
>>>>>>>
>>>>>>> No, completely to the contrary. My point with that
>>>>>>> dollars reference was that in some cases litigation is
>>>>>>> the preferred business response, rather than compliance
>>>>>>> and paying fines. Also, the big revenues in mining big
>>>>>>> data are outside the DNS sphere, and outside the abuses
>>>>>>> and "bad things" that websites do to people. The big EU
>>>>>>> fines are more likely to hit social media than
>>>>>>> Registrars, although there are risks there as well. The
>>>>>>> revenues, and privacy violations, will come from
>>>>>>> profiling users by mining big data for scraps of
>>>>>>> personal data to individualize target marketing.
>>>>>>>
>>>>>>> */As a brief aside:/* This goes well beyond the remit of
>>>>>>> ICANN and is actually worse than just being inundated by
>>>>>>> adverts based on personal online behavior. Artificial
>>>>>>> Intelligence mining apps are increasingly customizing
>>>>>>> the "news" one gets from news feeds, to help "glue the
>>>>>>> eyeballs" to the adverts, creating a news silo of one.
>>>>>>> (That is amusing for me since I virtually live in two
>>>>>>> towns in two countries). Even more worrisome is the
>>>>>>> growing practice for A.I. companies where A.I. "writes"
>>>>>>> the news releases, now mainly in sports and finance, for
>>>>>>> thousands of print and online news outlets. I know all
>>>>>>> of this is outside the ICANN remit so I will stop there.
>>>>>>>
>>>>>>> Sam L.
>>>>>>>
>>>>>>>
>>>>>>> On 2/18/2018 5:43 PM, Chen, Tim wrote:
>>>>>>>> Hi Sam,
>>>>>>>>
>>>>>>>> When you say these are hundred million dollar issues
>>>>>>>> for "the companies", which companies are you talking
>>>>>>>> about? Large Registrars?
>>>>>>>>
>>>>>>>> I hope you are not comparing cybersecurity
>>>>>>>> professionals and the good work they are trying to
>>>>>>>> enable, to a completely separate privacy issue around
>>>>>>>> data used for ad tracking or behavior tracking across
>>>>>>>> websites. If I spent my days trying to protect people
>>>>>>>> on the internet from bad things, I would certainly not
>>>>>>>> appreciate any allusion that I was engaged on the whois
>>>>>>>> data issue 'for the money'.
>>>>>>>>
>>>>>>>> Tim
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>>> <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
>>>>>>
>>>>>
>>>>> --
>>>>> ------------------------------------------------
>>>>> "It is a disgrace to be rich and honoured
>>>>> in an unjust state" -Confucius
>>>>> 邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
>>>>> ------------------------------------------------
>>>>> Visiting Prof, Xi'an Jaiotong-Liverpool Univ, Suzhou, China
>>>>> Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
>>>>> Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
>>>>> email: sam at lanfranco.net Skype: slanfranco
>>>>> blog: https://samlanfranco.blogspot.com
>>>>> Phone: +1 613-476-0429 cell: +1 416-816-2852
>>>>>
>>>>>
>>>>> --
>>>>> _________________________________
>>>>> Note to self: Pillage BEFORE burning.
>>>>>
>