[NCAP-Discuss] Honeypot refresher

[Jeff Schmidt]

On 4/30/20, 11:23 AM, "Danny McPherson" <danny at tcb.net> wrote:

>    Thanks Jeff, I understand this.
>    Per Patrik's response and the SAC066 request specifically about this, do 
>    you have any materials that can be shared with the DG on this?  Should 
>    this be a Capital 'O' opinion?

I am not a lawyer; perhaps lawyers on this list can chime in.  My understanding is that a (Capital O) Opinion could be obtained by a party given a specific legal question/situation.  For example, ICANN could request an Opinion from their counsel regarding the issues/liabilities ICANN would face if it contractually required Registries to implement a technical honeypot as described.  Verisign/Other Registries could request an Opinion from their counsel regarding the issues/liabilities if it were to direct data to such a honeypot or run such a honeypot.  Etc.

Of note, the discussions JAS had on this were pre-GDPR and its global friends.  I'm sure the legal/privacy issues have not gotten any better since then.  :-(  From my understanding of GDPR and friends, since the honeypot would solicit and collect PII from covered jurisdictions, it would be covered and subject to associated obligations and liabilities.  Which, at minimum, would create a bunch of (expensive) operational requirements like being able to query the data, delete myself, etc.  It gets really icky.

Jeff