Christopher, A great deal of the work in both the EWG and the RDS PDP consisted of identifying these parties and use cases. I invite you to peruse both for answers. It's not hard to find -- no begging needed. Best regards, Greg
On Wed, Aug 8, 2018 at 6:30 AM wilkinson christopher < cw@christopherwilkinson.eu> wrote:
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access.
This argument begs the questions as to who are the 'third parties', what are the 'use cases' and what happens to the data after it has been used.
Regards
CW
El 7 de agosto de 2018 a las 22:17 Greg Shatan <greg@isoc-ny.org> escribió:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch < evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similiar law to GDPR is under consideration in California. So I don't see any need to think we are only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net <mailto:mmoll@ca.inter.net>> wrote:
Hello Evan and Allan. I agree with a number of those here how have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you
go
back in the thread (which was not fully copied here) I
believe
that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR,
but
in fact compliance with GDPR is (to use a Startrek
expression)
"the prime directive". It is not a simple matter of
security
vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge
in
deciding which was more important and I am pretty sure we would not even try in the general case. But that is not
what
we are taking about here. We are talking about gTLD
REGISTRANT
privacy vs USER security. And the ALAC's position has previously been that although we care about registrants
(and
their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants,
the
shear number of users makes their security and ability to
use
the Internet with relative safety and trust takes
precedence
over the privacy of the relative handful of gTLD
registrants.
That is why ICANN has (and continues to) support the
existing
WHOIS system to the extent possible. That is the entire
gist
of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....." /And I note with
some
amusement that some filter along the way has flagged this entire thread as SPAM. Alan At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastian and
Michele.
Perhaps it is unintentional, but the language does
send
the message that we are looking more carefully at
security
than privacy. I am also not convinced that end-users
would
want us to do that. Marita On 8/3/2018 10:30 AM,
Tijani
BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the
remaining
users ones. they are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all:
contracted
parties, business, registrants, governments, etc.
We
are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook?
They
requested to have access to these data for
research,
and the result was the American election result impacted. So, I agree with Bastiaan that we need
to be
careful and care about the protection of personal
data
as well as the prevention of any harmful use of
the
domain names, both together.
*Tijani BEN JEMAA* Executive Director
Mediterranean
Federation of Internet Associations (*FMAI*)
Phone:
+216 98 330 114 +216 52 385 114
Le 3 août 2018 à 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net <mailto:bastiaan.goslings@ams-ix.net <mailto:bastiaan.goslings@ams-ix.net>>> a
écrit :
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele.
While
I think I understand the good intent of what
you
are saying, your earlier responses almost
sound to
me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users)
that
care about security as opposed to those (registrants) that want their privacy
protected to
the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean
to. In
this particular EPDP case though I am
convinced
that we can find a common ground on what the
ALAC
members and alternates should bring to the
table.
In terms of perceived registrants’ and
general
Internet end-users’ interests. As you
rightly
state, it is about being GDPR compliant. So
we do
not have to be philosophical about a rather
broad
term like ‘privacy’ and argue about
whether it
is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’.
However,
‘due process’ is a(nother) no brainer, not just because it might be a legal requirement.
From
what I understand the work being done on
defining
Access and Accreditation criteria is keeping
that
principle in mind, and within in the MS
context of
the EPDP we can together see to it that it
does
end up properly enshrined in policy and
contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca>>>
wrote:
Holly, the original statement ends with
"All
within the constraints of GDPR of
course." I
don't know how to make that clearer. We
would
be absolutely FOOLISH to argue for
anything
else, since it will not be implementable.
That
being said, if through the EPDP or
otherwise
we can help make the legal argument for
why
good access for the folks we list at the
end
is within GDPR, more power to us. GDPR
(and
eventually similar legislation/regulation elsewhere) is the overall constraint. It
is
equivalent to the laws of physics which
for
the moment we need to consider inviolate.
So
my statement that "other issues trump
privacy"
is within that context. But just as proportionality governs what GDPR will
decree
as private in any given case, so it will govern what is not private. It all
depends on
making the legal argument and ultimately
in
needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In
the US, there is the constitutional right
to
freedom of speech, but it is not
unconstrained
and there are limits to what you are
allowed
and not allowed to say. And from time to
time,
the courts and legislatures weigh in and decide where the line is. Alan At
02/08/2018
06:42 PM, Holly Raiche wrote:
Hi Alan I have concerns with your statement - and since your reply
below,
with our statement of principles for
the
EPDP. As I suggested in my email of 1 August, we need to be VERY clear that
we
are NOT arguing against
implementation a
policy that is compliant with the
GDPR. Â
We are arguing for other issues that impact on users - WITHIN the umbrella
of
the GDPR. Â And if we do not make that very clear, then we look as if we are
not
prepared to operate within the bounds
of
the EPDP - which is all about
developing a
new policy to replace the RDS
requirements
that will allow registries/registrars
to
comply with their ICANN contracts and operate within the GDPR framework. So
your
statement below that ‘yes, other
issues
trump privacyÂ’ - misstates that. Â
What
we are (or should be) arguing for is a balance of rights of access that - to
the
greatest extend possible - recognises
the
value of RDS to some constituencies
with
legitimate purposes - WITHIN the GDPR framework. That implicitly accepts
that
people/organisations that once had
free
and unrestricted access to the data
will
no longer have that open access. And
for
ALAC generally, I will repeat what I
said
in my 1 August email - our statement
of
principles must be VERY clear that we
are
NOT arguing for a new RDS policy that
goes
outside of the GDPR. Holly On 3 Aug
2018,
at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca>> >
wrote:
At 02/08/2018 10:37 AM, Michele
Neylon
- Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't
know
how you can know what the interests of a user are. The assumption you seem to be
making
is that due process and
privacy
should take a backseat to
access
to data
Privacy is not absolute but based
on
various other issues. So yes, we
are
saying that in some cases, the
other
issues trump privacy. Perhaps we differ on where the dividing line
is.
4 - Same as 3. Plenty of
ccTLDs
never offered PII in their
public
whois and there weren't any
issues
with security or stability. Skipping due process for
"ease of
access" is a very slippery and dangerous slope.
Both here and in reply to #3, the
term
"due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to
unlocking
otherwise private information. A
major
aspect of the GDPR implementation
will
be identifying other less
cumbersome
and restricted processes for
accessing
WHOIS data by a variety of
partners.
It will not be unconstrained nor
will
it be as cumbersome as going to
court
(hopefully). Alan
Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ <https://www.blacknight.com/> https://blacknight.blog/ <https://blacknight.blog/>
Intl.
+353 (0) 59 Â 9183072 Direct
Dial:
+353 (0)59 9183090 Personal
blog:
https://michele.blog/ Some thoughts:
Related to 3. This is simply
an
affirmation of the interests
of
end users in a stable and
secure
internet and it is those
interests
we'll be representing. We've included law enforcement
because
efficiencies regarding their access may come up. Just
because
there's always a way for them
to
get to data doesn't mean it's
the
best way.   Make sense?   Jonathan   -----Original Message-----   From: GTLD-WG <
gtld-wg-bounces@atlarge-lists.icann.org>
On Behalf Of Michele Neylon - Blacknight   Sent:
Wednesday,
August 1, 2018 12:34 PM Â Â
To:
Alan Greenberg <alan.greenberg@mcgill.ca>;
CPWG
<cpwg@icann.org> Â Â
Subject: Re:
[GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP Â Â
Alan
  1 - good   2 - good  Â
3 -
I don't understand what that
means
  4 - Why are you combining
law
enforcement and private
parties?
Law enforcement can always get access to data when they
follow
due process.   Regards   Michele   --   Mr Michele Neylon   Blacknight
Solutions Â
 Hosting, Colocation &
Domains Â
 Â
Â
Intl. +353 (0) 59 Â 9183072 Â
Â
Direct Dial: +353 (0)59
9183090 Â
 Personal blog: https://michele.blog/  Â
Some
thoughts:
Blacknight Internet Solutions
Ltd,
Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.:
370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:   Thanks Michele! Â
 3.
Where there appears to be a conflict of interest between a registrant and non-registrant
end
user, we'll be endeavoring to represent the interests of the non-registrant end user. Â Â
  Blacknight Internet
Solutions
Ltd, Unit 12A,Barrowside
Business
Park,Sleaty   Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.:
370845
  On 01/08/2018, 17:27, "registration-issues-wg on
behalf
of Alan Greenberg" <
registration-issues-wg-bounces@atlarge-lists.icann.org
on behalf of alan.greenberg@mcgill.ca>
wrote: Â
     Yesterday, the EPDP Members were asked to present
a
1-3 minute      Â
summary of
their groups position in
regard to
the EPDP. The following   Â
 Â
 is the statement agreed to
by
me, Hadia, Holly and Seun. Â
  Â
  1.   The ALAC believes
that
the EPDP MUST succeed and
will be
working       toward
that
end. Â Â Â Â Â Â 2. Â Â We
have a
support structure that we are organizing to ensure    Â
 Â
that what we present here is understood by our community
and
has       their input
and
support. Â Â Â Â Â Â 3. Â Â
The
ALAC believes that individual registrants are users and we
  Â
   have regularly worked on their behalf (as in the PDP
that
we       initiated to protect registrant rights when their domains expire), if  Â
 Â
  registrant needs differ
from
those of the 4 billion
Internet
users       who are not registrants, those latter
needs
take precedence. We     Â
Â
believe that GDPR and this
EPDP
are such a situation. Â Â Â Â
 Â
4. Â Â Although some Internet users consult WHOIS and will
not
be able       to do so
in
some cases going forward, our
main
concern is access for    Â
 Â
those third parties who work
to
ensure that the Internet is a
safe
      and secure place
for
users and that means that law enforcement, Â Â Â Â Â Â cybersecurity researchers,
those
combatting fraud in domain
names,
      and others who
help
protect users from phishing, malware, spam, Â Â Â Â Â Â
fraud,
DDoS attacks and such can work with minimal reduction in  Â
 Â
  access to WHOIS data. All within the constraints of
GDPR of
course. Â Â Â Â Â Â
      CPWG mailing list
 Â
    CPWG@icann.org   Â
  Â
https://mm.icann.org/mailman/listinfo/cpwg
<
https://mm.icann.org/mailman/listinfo/cpwg>
     Â
     Â
registration-issues-wg
mailing list      Â
registration-issues-wg@atlarge-lists.icann.org
     Â
https://mm.icann.org/mailman/listinfo/registration-issues-wg
 Â
  CPWG mailing list   CPWG@icann.org  Â
https://mm.icann.org/mailman/listinfo/cpwg
<
https://mm.icann.org/mailman/listinfo/cpwg>
 Â
  GTLD-WG mailing list  Â
GTLD-WG@atlarge-lists.icann.org Â
Â
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
  Working Group direct URL:
CPWG mailing list CPWG@icann.org <mailto:CPWG@icann.org <mailto:CPWG@icann.org>>
https://mm.icann.org/mailman/listinfo/cpwg
<
registration-issues-wg mailing
list
registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
CPWG mailing list CPWG@icann.org <mailto:CPWG@icann.org <mailto:CPWG@icann.org>>
https://mm.icann.org/mailman/listinfo/cpwg
<
CPWG mailing list CPWG@icann.org <mailto:CPWG@icann.org <mailto:CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg <https://mm.icann.org/mailman/listinfo/cpwg>
CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg <https://mm.icann.org/mailman/listinfo/cpwg>
CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg <https://mm.icann.org/mailman/listinfo/cpwg>
GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
<
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg>
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs <
CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL:
https://community.icann.org/display/atlarge/New+GTLDs
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
-- Greg Shatan greg@isoc-ny.org "The Internet is for everyone"