Those exposed 1.2 billion people are the Internet end users whom the ALAC is trying to protect. Who is accountable for this exposure, who is responsible for the server which is causing the damage? From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Volker Greimann Sent: Tuesday, December 10, 2019 8:00 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Data enrichment companies Still waiting for Facebook to publish a verified whois of their account holders ;-) Best, Volker Am 09.12.2019 um 09:46 schrieb Ayden Férdeline: I don't want to disagree with someone from my own stakeholder group, but I don't understand how this is a "quick solution to the SSAD problem"? These services contain names, emails, and LinkedIn URLs - I don't see how these are substitutes for the data elements in Whois. And how are you even meant to know who to search for in one of these third-party services, absent the name of a registrant? These third-party services that pull in random data sets should be reigned in, not what we recommend others turn to locate/trace a registrant. Ayden Férdeline ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Monday, December 9, 2019 3:44 AM, Mueller, Milton L <milton@gatech.edu><mailto:milton@gatech.edu> wrote: I am wondering how many of the people involved in EPDP are familiar with data enrichment companies such as People Data Labs. If you're not you may be amazed at how vast is the number of people encompassed in their records, and how many data points are aggregated in them. As we battle mightily over how much disclosure of measly Whois records we will allow and under what circumstances, it might be useful to take a look at this article, https://www.dataviper.io/blog/2019/pdl-data-exposure-billion-people/ There you will see a storehouse of names, email addresses, phone numbers, social media profile information and physical addresses for 1.2 billion people, all available for subscribers to this service and - in this bizarre case - all of it exposed to anyone with the right IP address due to a configuration error of an Elasticsearch server. Based on my exposure to these data enrichment services, I think we may have found a quick solution to the SSAD problem. One could conclude that we don't need one at all, because any serious requestor can get a ton of data about virtually anyone on the internet - automatically, instantly - by using one of these services. [https://www.dataviper.io/wp-content/uploads/2019/11/data_viper_blog_v3.jpg]<https://www.dataviper.io/blog/2019/pdl-data-exposure-billion-people/> 1.2 billion people exposed in data leak includes personal info, LinkedIN, Facebook<https://www.dataviper.io/blog/2019/pdl-data-exposure-billion-people/> On October 16, 2019 Bob Diachenko and Vinny Troia discovered a wide-open Elasticsearch server containing an unprecedented 4 billion user accounts spanning more than 4 terabytes of data.. A total count of unique people across all data sets reached more than 1.2 billion people, making this one of the largest data leaks from a single source organization in history. www.dataviper.io<http://www.dataviper.io> I'll leave you all with that thought. See you Tuesday. Dr Milton L Mueller, Professor School of Public Policy Georgia Institute of Technology Internet Governance Project<https://internetgovernance.org> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<http://www.key-systems.net> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.