@EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Yes Greg: unlike what Ayden seems to imply:
· Europol is not advocating that personal information be processed in a manner inconsistent with European law;
· Europol access and processing of WHOIS information is in line with European Data protection rules;
· Europol does not “trawl” the WHOIS;
· Europol is indeed subject to one of the most stringent data protection frameworks in the LEA world.
I’ll stop here because this is only partially relevant to this PDP.
Best
Greg
From: Greg Shatan [mailto:gregshatanipc@gmail.com]
Sent: 18 August 2016 19:49
To: Mounier, Grégory
Cc: Ayden Férdeline; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Ayden,
I objected because some of your statements were misinformed, so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations ☺
Best regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 18 August 2016 19:27
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Thank you for the response, Greg. I did not mean to suggest that Europol was wholly exempt from European data protection regulations, because it is not. In my original message, I wrote:
"...your agency is exempt from *some* of the general provisions on data processing."
I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from *some* of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.”
Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.
Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com
rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org
Dear Ayden,
Thank you very much for sharing your concerns, and apologies for the late response; I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.
In fact, I can assure you that Europol is not exempted from the general provisions on data protection. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection frameworks in the world of law enforcement.
As far as data exchange inside the EU is concerned, Art. 22-25 of the Europol Council Decision (ECD) provide a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.
Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.
In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls.
Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.
I hope that I could clarify some of the issues you raised.
Kind regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 08 August 2016 14:11
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law.
I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister. And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards.
The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.
Just my $0.02.
- Ayden
On Thu, Aug 4, 2016 1:59 PM, wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).
It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online, but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas
that people have for useful or harmful ways that RDS can be used, but
that do not exist today (at least not that anyone can fully
document).
For example, there seems to be a desire to use the RDS as a way to
issue warrants for information about registrants. While this may be
useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent).
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it".
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which begs the question: should "LawEnforcement" use cases even be part of the discussions?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Ayden Férdeline
Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+Férdeline+SOI>
Greg,
Thank you. That's very helpful. However, I would say that this is quite relevant to this PDP. Our Charter asks us to look at "users," in the following context: "*Users/Purposes*: Who should have access to gTLD registration data and why?" Thus, anything that might leave a misimpression about a user (or class of users) and their operations needs to be responded to. Otherwise, members of this WG may look back at those earlier misimpressions and offer them as a basis for denying or limiting that user's (or class of users') access to gTLD registration data, and as an answer to the question "why". It would be unfortunate if this happened, inadvertently or otherwise.
Greg Shatan
Hi Greg, I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below. Thanks, Ayden -------- Original Message -------- Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical Local Time: August 18, 2016 7:00 PM UTC Time: August 18, 2016 6:00 PM From: gregory.mounier@europol.europa.eu To: gregshatanipc@gmail.com icann@ferdeline.com,gnso-rds-pdp-wg@icann.org Yes Greg: unlike what Ayden seems to imply: · Europol is not advocating that personal information be processed in a manner inconsistent with European law; I am pleased to hear this. However, it the [opinion](https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...) of the European Commission’s own Data Protection Supervisor that the data retention requirements contained with the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States. · Europol access and processing of WHOIS information is in line with European Data protection rules; I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records? · Europol does not “trawl” the WHOIS; Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality. We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process. 
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding. · Europol is indeed subject to one of the most stringent data protection framework in the LEA world. Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol. I’ll stop here because this is only partially relevant to this PDP. My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one. Best Greg From: Greg Shatan [mailto:gregshatanipc@gmail.com] Sent: 18 August 2016 19:49 To: Mounier, Grégory Cc: Ayden Férdeline; RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical Greg, For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth? Thanks! Greg Shatan On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote: Dear Ayden, I objected because some of your statements were misinformed so I thought that I should help and clarify. 
But it seems that you are very well informed and that you don’t need further explanations J Best regards, Greg From: Ayden Férdeline [mailto:icann@ferdeline.com] Sent: 18 August 2016 19:27 To: Mounier, Grégory Cc: Rob Golding; RDS PDP WG Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical Thank you for the response, Greg. I did not mean to suggest that Europol was whollyexempt from European data protection regulations, because it is not. In my original message, I wrote: "...your agency is exempt from some of the general provisions on data processing." I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from someof the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.” Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders. Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts. 
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com
rob.golding@astutium.com, gnso-rds-pdp-wg@icann.org
Dear Ayden,
Thank you very much for sharing your concerns and apologies for the late response, I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”. In fact, I can assure you that Europol is not exempted from the general provisions on data protection. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection frameworks in the world of law enforcement.
As far as data exchange inside the EU is concerned, Art. 22-25 of the Europol Council Decision (ECD) provide a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks. Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice.
The list of the third countries with which Europol has established an operational agreement is published on our website. In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls. Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.
I hope that I could clarify some of the issues you raised.
Kind regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 08 August 2016 14:11
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law. I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister.
And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards. The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.
Just my $0.02.
- Ayden
On Thu, Aug 4, 2016 1:59 PM, wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step. Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes. In short, for LEA, WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas
that people have for useful or harmful ways that RDS can be used, but
that do not exist today (at least not that anyone can fully
document).
For example, there seems to be a desire to use the RDS as a way to
issue warrants for information about registrants. While this may be
useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent). Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it".
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
******************* DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated. *******************
Ayden Férdeline
[Statement of Interest](https://community.icann.org/display/gnsosoi/Ayden+Férdeline+SOI)
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Thursday, August 18, 2016 4:48 PM
To: Mounier, Grégory
Cc: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Hi Greg,
I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu
To: gregshatanipc@gmail.com
icann@ferdeline.com, gnso-rds-pdp-wg@icann.org
Yes Greg: unlike what Ayden seems to imply:
• Europol is not advocating that personal information be processed in a manner inconsistent with European law;
I am pleased to hear this. However, it is the opinion <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained within the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.
[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is.
• Europol access and processing of WHOIS information is in line with European Data protection rules;
I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?
[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion. Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use.
• Europol does not “trawl” the WHOIS;
Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.
[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said.
We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.
[Chuck Gomes] Please remember that our objective is not to create perfect use cases.
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.
[Chuck Gomes] Who is advocating for “the circumvention of the rule of law”? I think that the implication you make here is inappropriate.
• Europol is indeed subject to one of the most stringent data protection frameworks in the LEA world.
Whether that is reality or rhetoric, I do not know.
My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement; it can only “make any complaints it deems necessary to the Director” of Europol.
[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.
I’ll stop here because this is only partially relevant to this PDP.
My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.
[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find your comment here constructive.
Best
Greg
From: Greg Shatan [mailto:gregshatanipc@gmail.com]
Sent: 18 August 2016 19:49
To: Mounier, Grégory
Cc: Ayden Férdeline; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Ayden,
I objected because some of your statements were misinformed so I thought that I should help and clarify.
But it seems that you are very well informed and that you don’t need further explanations ☺
Best regards,
Greg
Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate.
I agree that we must be exceedingly careful about putting words in each other's mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate.
Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult. There are many reasons for this:
* law enforcement authorities have (legitimate) exemptions under data protection law for collection, use and disclosure, making it easy to accidentally abuse that discretion
* Data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police
* governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize no one wants to read an article on the difficulties of dp oversight of law enforcement)
Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance. I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A....
Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm's 2012 letter to Crocker:
“The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights”. (Kohnstamm to Crocker and Atallah, 26 September 2012).
The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms (I wish we had it in North America), but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.
Stephanie Perrin
On 2016-08-18 18:55, Gomes, Chuck wrote:
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Thursday, August 18, 2016 4:48 PM
To: Mounier, Grégory
Cc: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Hi Greg,
I don’t mean to sound provocative; however, I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu
To: gregshatanipc@gmail.com, icann@ferdeline.com, gnso-rds-pdp-wg@icann.org
Yes Greg: unlike what Ayden seems to imply:
· Europol is not advocating that personal information be processed in a manner inconsistent with European law;
I am pleased to hear this. However, it is the opinion <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained within the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.
[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is.
· Europol access and processing of WHOIS information is in line with European Data protection rules;
I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?
[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion. Insight they can provide will be helpful when we deliberate, just like your insights. In all cases we will do our best to validate information we use.
· Europol does not “trawl” the WHOIS;
Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.
[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said.
We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.
[Chuck Gomes] Please remember that our objective is not to create perfect use cases.
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.
[Chuck Gomes] Who is advocating for “the circumvention of the rule of law”? I think that the implication you make here is inappropriate.
· Europol is indeed subject to one of the most stringent data protection frameworks in the LEA world.
Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement; it can only “make any complaints it deems necessary to the Director” of Europol.
[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.
I’ll stop here because this is only partially relevant to this PDP.
My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.
[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find your comment here constructive.
Best
Greg
From: Greg Shatan [mailto:gregshatanipc@gmail.com]
Sent: 18 August 2016 19:49
To: Mounier, Grégory
Cc: Ayden Férdeline; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Ayden,
I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations ☺
Best regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 18 August 2016 19:27
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Thank you for the response, Greg. I did not mean to suggest that Europol was *wholly* exempt from European data protection regulations, because it is not. In my original message, I wrote:
"...your agency is exempt from *some* of the general provisions on data processing."
I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from *some* of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.”
Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.
Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com, rob.golding@astutium.com, gnso-rds-pdp-wg@icann.org
Dear Ayden,
Thank you very much for sharing your concerns and apologies for the late response, I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.
In fact, I can assure you that _Europol is not exempted from the general provisions on data protection_. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection frameworks in the world of law enforcement.
As far as data exchange inside the EU is concerned, Art. 22-25 of the Europol Council Decision (ECD) provide a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.
Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.
In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls.
Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.
I hope that I could clarify some of the issues you raised.
Kind regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 08 August 2016 14:11
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law.
I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents search for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister. And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards.
The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.
Just my $0.02.
- Ayden
On Thu, Aug 4, 2016 1:59 PM, wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
While European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through means other than the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).
It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online, but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
>> Theoretical
>> ===========
>> We have seen a couple of proposed use cases that seem to be ideas
>> that people have for useful or harmful ways that RDS can be used, but
>> that do not exist today (at least not that anyone can fully
>> document).
>>
>> For example, there seems to be a desire to use the RDS as a way to
>> issue warrants for information about registrants. While this may be
>> useful, this is not possible today (even with RDAP, I note).
It is not only possible today, it's also "common" (although thankfully not frequent).
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it".
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question: should "LawEnforcement" use cases even be part of the discussions?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Ayden Férdeline
Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI>
I did not find Chuck's comments in any way "accusatory." If anything, I found them well-considered and admirable in their restraint. If anything, Chuck's intervention may have prevented "accusatory" comments from making their way to the list. As such, I would suggest that Chuck's comments were an exercise in "de-escalation." In that vein, I will refrain from commenting on comments, or commenting on comments about comments or commenting on comments about comments about comments, though if I wanted to comment on comments or comments on comments or comments on comments on comments, I would have comments to make. But I won't.
Greg
On Fri, Aug 19, 2016 at 7:08 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate. I agree that we must be exceedingly careful about putting words in each others mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate. Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult. There are many reasons for this:
- law enforcement authorities have (legitimate) exemptions under data protection law for collection use and disclosure, making it easy to accidently abuse that discretion - Data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police - governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize noone wants to read an article on the difficulties of dp oversight of law enforcement
Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance....I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/ sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A7-2014-0139+0+DOC+PDF+V0//EN. Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm 's 2012 letter to Crocker:
“The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on civil and Political rights”. (Kohnstamm to Crocker and Atallah, 26 September 2012).
The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms, (I wish we had it in North America) but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.
Stephanie Perrin
On 2016-08-18 18:55, Gomes, Chuck wrote:
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Ayden Férdeline *Sent:* Thursday, August 18, 2016 4:48 PM *To:* Mounier, Grégory *Cc:* RDS PDP WG *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Hi Greg,
I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu
To: gregshatanipc@gmail.com
icann@ferdeline.com,gnso-rds-pdp-wg@icann.org
Yes Greg: unlike what Ayden seems to imply:
· Europol is not advocating that personal information be processed in a manner inconsistent with European law;
I am pleased to hear this. However, it the opinion <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained with the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.
*[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is.*
· Europol access and processing of WHOIS information is in line with European Data protection rules;
I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?
*[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion . Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use.*
· Europol does not “trawl” the WHOIS;
Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.
*[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said.*
We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.
*[Chuck Gomes] Please remember that our objective is not to create perfect use cases.*
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.
*[Chuck Gomes] Who is advocating for the “*the circumvention of the rule of law*”? I think that the implication you make here is inappropriate.*
· Europol is indeed subject to one of the most stringent data protection framework in the LEA world.
Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol.
*[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.*
I’ll stop here because this is only partially relevant to this PDP.
My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.
*[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find you comment here constructive.*
Best
Greg
*From:* Greg Shatan [mailto:gregshatanipc@gmail.com <gregshatanipc@gmail.com>] *Sent:* 18 August 2016 19:49 *To:* Mounier, Grégory *Cc:* Ayden Férdeline; RDS PDP WG *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory < gregory.mounier@europol.europa.eu> wrote:
Dear Ayden,
I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations J
Best regards,
Greg
*From:* Ayden Férdeline [mailto:icann@ferdeline.com] *Sent:* 18 August 2016 19:27 *To:* Mounier, Grégory *Cc:* Rob Golding; RDS PDP WG *Subject:* Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Thank you for the response, Greg. I did not mean to suggest that Europol was *wholly*exempt from European data protection regulations, because it is not. In my original message, I wrote:
*"...your agency is exempt from some of the general provisions on data processing." *
I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from *some*of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.”
Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.
Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com
rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org
Dear Ayden,
Thank you very much for sharing your concerns and apologies for the late response, I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.
In fact, I can assure you that *Europol is not exempted from the general provisions on data protection*. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection framework in the world of law enforcement.
As far as data exchange inside the EU is concerned, Art.22-25 of Europol Council Decision (ECD) provides a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.
Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.
In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls.
Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.
I hope that I could clarify some of the issues you raised.
Kind regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 08 August 2016 14:11
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law.
I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister. And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards.
The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.
Just my $0.02.
- Ayden
On Thu, Aug 4, 2016 1:59 PM, wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up to date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0% of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).
It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online, but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
> Theoretical
> ===========
> We have seen a couple of proposed use cases that seem to be ideas
> that people have for useful or harmful ways that RDS can be used, but
> that do not exist today (at least not that anyone can fully
> document).
>
> For example, there seems to be a desire to use the RDS as a way to
> issue warrants for information about registrants. While this may be
> useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent)
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it"
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Ayden Férdeline
Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI>
I beg your pardon, I was referring to the discussion between Greg and Ayden, not Chuck's intervention.
This is of course a comment on the comment.....but not on the other comment.
Stephanie
On 2016-08-19 19:20, Greg Shatan wrote:
I did not find Chuck's comments in any way "accusatory." If anything, I found them well-considered and admirable in their restraint.
If anything, Chuck's intervention may have prevented "accusatory" comments from making their way to the list. As such, I would suggest that Chuck's comments were an exercise in "de-escalation."
In that vein, I will refrain from commenting on comments, or commenting on comments about comments or commenting on comments about comments about comments, though if I wanted to comment on comments or comments on comments or comments on comments on comments, I would have comments to make. But I won't.
Greg
On Fri, Aug 19, 2016 at 7:08 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate. I agree that we must be exceedingly careful about putting words in each other's mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate. Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult. There are many reasons for this:
* law enforcement authorities have (legitimate) exemptions under data protection law for collection, use and disclosure, making it easy to accidentally abuse that discretion
* Data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police
* governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize no one wants to read an article on the difficulties of dp oversight of law enforcement)
Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance.... I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A... Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm's 2012 letter to Crocker:
“The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights”. (Kohnstamm to Crocker and Atallah, 26 September 2012).
The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms, (I wish we had it in North America) but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.
Stephanie Perrin
On 2016-08-18 18:55, Gomes, Chuck wrote:
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Thursday, August 18, 2016 4:48 PM
To: Mounier, Grégory
Cc: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Hi Greg,
I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu
To: gregshatanipc@gmail.com
icann@ferdeline.com, gnso-rds-pdp-wg@icann.org
Yes Greg: unlike what Ayden seems to imply:
· Europol is not advocating that personal information be processed in a manner inconsistent with European law;
I am pleased to hear this. However, it is the opinion <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained within the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.
[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is.
· Europol access and processing of WHOIS information is in line with European Data protection rules;
I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?
[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion. Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use.
· Europol does not “trawl” the WHOIS;
Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.
[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said.
We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.
[Chuck Gomes] Please remember that our objective is not to create perfect use cases.
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.
[Chuck Gomes] Who is advocating for the “circumvention of the rule of law”? I think that the implication you make here is inappropriate.
· Europol is indeed subject to one of the most stringent data protection frameworks in the LEA world.
Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol.
[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.
I’ll stop here because this is only partially relevant to this PDP.
My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.
[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find your comment here constructive.
Best
Greg
From: Greg Shatan [mailto:gregshatanipc@gmail.com]
Sent: 18 August 2016 19:49
To: Mounier, Grégory
Cc: Ayden Férdeline; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Ayden,
I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations ☺
Best regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 18 August 2016 19:27
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Thank you for the response, Greg. I did not mean to suggest that Europol was *wholly* exempt from European data protection regulations, because it is not. In my original message, I wrote:
"...your agency is exempt from *some* of the general provisions on data processing."
I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from *some* of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.”
Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.
Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.
Thanks,
Ayden
Stephanie,
Thank you for clarifying upon what you were commenting. Since your comment came as a reply to Chuck's comment, I thought you were commenting on that comment, and not on the underlying exchange of comments. That said, I did not find (the other) Greg's (not to be confused with the other other Greg) comments accusatory, either. Just wanted to clarify that.
To be consistent with my prior statement that I would not comment on comments, etc., I will refrain from any further comments on comments, etc., in this thread at this time (reserving the right to revert at some future time and comment on comments, etc., in the event that commenting on comments, etc., becomes so prevalent that I need not eschew commenting on comments, etc., as my attempt to staunch an infinite comment-loop will have been for naught and thus rendered moot; having not reached such point (thankfully) I will go on mute).
Greg (S.)
On Fri, Aug 19, 2016 at 7:23 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
I beg your pardon, I was referring to the discussion between Greg and Ayden, not Chuck's intervention.
this is of course a comment on the comment.....but not on the other comment.
Stephanie
On 2016-08-19 19:20, Greg Shatan wrote:
I did not find Chuck's comments in any way "accusatory." If anything, I found them well-considered and admirable in their restraint.
If anything, Chuck's intervention may have prevented "accusatory" comments from making their way to the list. As such, I would suggest that Chuck's comments were an exercise in "de-escalation."
In that vein, I will refrain from commenting on comments, or commenting on comments about comments or commenting on comments about comments about comments, though if I wanted to comment on comments or comments on comments or comments on comments on comments, I would have comments to make. But I won't.
Greg
On Fri, Aug 19, 2016 at 7:08 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate. I agree that we must be exceedingly careful about putting words in each others mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate. Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult. There are many reasons for this:
- law enforcement authorities have (legitimate) exemptions under data protection law for collection, use and disclosure, making it easy to accidentally abuse that discretion
- Data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police
- governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize no one wants to read an article on the difficulties of dp oversight of law enforcement)
Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance....I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A7-2014-0139+0+DOC+PDF+V0//EN. Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm's 2012 letter to Crocker:
“The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on civil and Political rights”. (Kohnstamm to Crocker and Atallah, 26 September 2012).
The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms, (I wish we had it in North America) but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.
Stephanie Perrin
On 2016-08-18 18:55, Gomes, Chuck wrote:
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Ayden Férdeline *Sent:* Thursday, August 18, 2016 4:48 PM *To:* Mounier, Grégory *Cc:* RDS PDP WG *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Hi Greg,
I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu
To: gregshatanipc@gmail.com
icann@ferdeline.com,gnso-rds-pdp-wg@icann.org
Yes Greg: unlike what Ayden seems to imply:
· Europol is not advocating that personal information be processed in a manner inconsistent with European law;
I am pleased to hear this. However, it is the opinion <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained in the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.
*[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is.*
· Europol access and processing of WHOIS information is in line with European Data protection rules;
I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?
*[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion. Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use.*
· Europol does not “trawl” the WHOIS;
Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.
*[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said.*
We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.
*[Chuck Gomes] Please remember that our objective is not to create perfect use cases.*
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.
*[Chuck Gomes] Who is advocating for “the circumvention of the rule of law”? I think that the implication you make here is inappropriate.*
· Europol is indeed subject to one of the most stringent data protection frameworks in the LEA world.
Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol.
*[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.*
I’ll stop here because this is only partially relevant to this PDP.
My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.
*[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find your comment here constructive.*
Best
Greg
*From:* Greg Shatan [mailto:gregshatanipc@gmail.com] *Sent:* 18 August 2016 19:49 *To:* Mounier, Grégory *Cc:* Ayden Férdeline; RDS PDP WG *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Ayden,
I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations ☺
Best regards,
Greg
*From:* Ayden Férdeline [mailto:icann@ferdeline.com] *Sent:* 18 August 2016 19:27 *To:* Mounier, Grégory *Cc:* Rob Golding; RDS PDP WG *Subject:* Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Thank you for the response, Greg. I did not mean to suggest that Europol was *wholly* exempt from European data protection regulations, because it is not. In my original message, I wrote:
*"...your agency is exempt from some of the general provisions on data processing."*
I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from *some* of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.”
Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.
Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com
rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org
Dear Ayden,
Thank you very much for sharing your concerns and apologies for the late response, I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.
In fact, I can assure you that *Europol is not exempted from the general provisions on data protection*. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection frameworks in the world of law enforcement.
As far as data exchange inside the EU is concerned, Art.22-25 of Europol Council Decision (ECD) provides a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.
Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.
In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls.
Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.
I hope that I could clarify some of the issues you raised.
Kind regards,
Greg
*From:* Ayden Férdeline [mailto:icann@ferdeline.com]
*Sent:* 08 August 2016 14:11 *To:* Mounier, Grégory *Cc:* Rob Golding; RDS PDP WG *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law.
I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister. And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards.
The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.
Just my $0.02.
- Ayden
On Thu, Aug 4, 2016 1:59 PM, wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).
It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the tool box of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas that people have for useful or harmful ways that RDS can be used, but that do not exist today (at least not that anyone can fully document).
For example, there seems to be a desire to use the RDS as a way to issue warrants for information about registrants. While this may be useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent)
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it"
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
Ayden Férdeline
Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI>
I have a hunch you have been in one too many CWG meetings Greg....take the weekend off! Before you start typing in caps. possibly in pink font....(not to be taken as an accusatory comment, of course....)
cheers
Stephanie
On 2016-08-19 20:05, Greg Shatan wrote:
Stephanie,
Thank you for clarifying upon what you were commenting. Since your comment came as a reply to Chuck's comment, I thought you were commenting on that comment, and not on the underlying exchange of comments.
That said, I did not find (the other) Greg's (not to be confused with the other other Greg) comments accusatory, either. Just wanted to clarify that.
To be consistent with my prior statement that I would not comment on comments, etc., I will refrain from any further comments on comments, etc., in this thread at this time (reserving the right to revert at some future time and comment on comments, etc., in the event that commenting on comments, etc., becomes so prevalent that I need not eschew commenting on comments, etc., as my attempt to staunch an infinite comment-loop will have been for naught and thus rendered moot; having not reached such point (thankfully) I will go on mute).
Greg (S.)
On Fri, Aug 19, 2016 at 7:23 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I beg your pardon, I was referring to the discussion between Greg and Ayden, not Chuck's intervention.
this is of course a comment on the comment.....but not on the other comment.
Stephanie
On 2016-08-19 19:20, Greg Shatan wrote:
I did not find Chuck's comments in any way "accusatory." If anything, I found them well-considered and admirable in their restraint.
If anything, Chuck's intervention may have prevented "accusatory" comments from making their way to the list. As such, I would suggest that Chuck's comments were an exercise in "de-escalation."
In that vein, I will refrain from commenting on comments, or commenting on comments about comments or commenting on comments about comments about comments, though if I wanted to comment on comments or comments on comments or comments on comments on comments, I would have comments to make. But I won't.
Greg
On Fri, Aug 19, 2016 at 7:08 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate. I agree that we must be exceedingly careful about putting words in each others mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate. Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult. There are many reasons for this:
* law enforcement authorities have (legitimate) exemptions under data protection law for collection use and disclosure, making it easy to accidently abuse that discretion * Data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police * governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize noone wants to read an article on the difficulties of dp oversight of law enforcement
Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance....I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A... <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A...>. Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm 's 2012 letter to Crocker:
“The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on civil and Political rights”. (Kohnstamm to Crocker and Atallah, 26 September 2012).
The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms, (I wish we had it in North America) but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.
Stephanie Perrin
On 2016-08-18 18:55, Gomes, Chuck wrote:
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck
*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Ayden Férdeline *Sent:* Thursday, August 18, 2016 4:48 PM *To:* Mounier, Grégory *Cc:* RDS PDP WG *Subject:* Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Hi Greg,
I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu <mailto:gregory.mounier@europol.europa.eu>
To: gregshatanipc@gmail.com <mailto:gregshatanipc@gmail.com>
icann@ferdeline.com,gnso-rds-pdp-wg@icann.org <mailto:icann@ferdeline.com,gnso-rds-pdp-wg@icann.org>
Yes Greg: unlike what Ayden seems to imply:
·Europol is not advocating that personal information be processed in a manner inconsistent with European law;
I am pleased to hear this. However, it the opinion <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained with the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.
*/[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is./*
·Europol access and processing of WHOIS information is in line with European Data protection rules;
I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?
*/[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion . Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use./*
·Europol does not “trawl” the WHOIS;
Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.
*/[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said./*
We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.
*/[Chuck Gomes] Please remember that our objective is not to create perfect use cases./*
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.
[Chuck Gomes] Who is advocating for “the circumvention of the rule of law”? I think that the implication you make here is inappropriate.
· Europol is indeed subject to one of the most stringent data protection frameworks in the LEA world.
Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol.
[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.
I’ll stop here because this is only partially relevant to this PDP.
My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.
[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find your comment here constructive.
Best
Greg
From: Greg Shatan [mailto:gregshatanipc@gmail.com]
Sent: 18 August 2016 19:49
To: Mounier, Grégory
Cc: Ayden Férdeline; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:
Dear Ayden,
I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations ☺
Best regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 18 August 2016 19:27
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Thank you for the response, Greg. I did not mean to suggest that Europol was *wholly* exempt from European data protection regulations, because it is not. In my original message, I wrote:
"...your agency is exempt from *some* of the general provisions on data processing."
I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from *some* of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.”
Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.
Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com, rob.golding@astutium.com, gnso-rds-pdp-wg@icann.org
Dear Ayden,
Thank you very much for sharing your concerns and apologies for the late response, I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.
In fact, I can assure you that _Europol is not exempted from the general provisions on data protection_. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection frameworks in the world of law enforcement.
As far as data exchange inside the EU is concerned, Art. 22-25 of the Europol Council Decision (ECD) provide a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.
Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.
In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls.
Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.
I hope that I could clarify some of the issues you raised.
Kind regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 08 August 2016 14:11
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law.
I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister. And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards.
The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.
Just my $0.02.
- Ayden
On Thu, Aug 4, 2016 1:59 PM, wrote:
Dear Rob,
Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.
If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step.
Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.
Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads).
It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes.
In short, for LEA, WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the toolbox of law enforcement.
Best,
Greg
-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
>> Theoretical
>> ===========
>> We have seen a couple of proposed use cases that seem to be ideas
>> that people have for useful or harmful ways that RDS can be used, but
>> that do not exist today (at least not that anyone can fully
>> document).
>>
>> For example, there seems to be a desire to use the RDS as a way to
>> issue warrants for information about registrants. While this may be
>> useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent)
Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.
I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it"
Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.
Which beggars the question, should "LawEnforcement" use cases even be part of the discussions ?
Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Ayden Férdeline
Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI>
Stephanie, I assume you meant 'Gentleman' rather than 'Gentlemen' because I think I was the only one that made comments to Ayden. And I hope I didn't say anything that would discourage him or anyone else from questioning others or from disagreeing with others because we all need the freedom to do that. Where I had concerns was what you observed as well, 'putting words in each other's mouths'.

Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin
Sent: Friday, August 19, 2016 7:09 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate. I agree that we must be exceedingly careful about putting words in each other's mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate. Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult.

There are many reasons for this:
* law enforcement authorities have (legitimate) exemptions under data protection law for collection, use and disclosure, making it easy to accidentally abuse that discretion
* Data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police
* governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize no one wants to read an article on the difficulties of dp oversight of law enforcement)

Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance....I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A....

Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm's 2012 letter to Crocker:

"The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights". (Kohnstamm to Crocker and Atallah, 26 September 2012).

The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms, (I wish we had it in North America) but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.

Stephanie Perrin

On 2016-08-18 18:55, Gomes, Chuck wrote:
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Thursday, August 18, 2016 4:48 PM
To: Mounier, Grégory
Cc: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Hi Greg,
I don't mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks, Ayden -------- Original Message -------- Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical Local Time: August 18, 2016 7:00 PM UTC Time: August 18, 2016 6:00 PM From: gregory.mounier@europol.europa.eu<mailto:gregory.mounier@europol.europa.eu> To: gregshatanipc@gmail.com<mailto:gregshatanipc@gmail.com> icann@ferdeline.com,gnso-rds-pdp-wg@icann.org<mailto:icann@ferdeline.com,gnso-rds-pdp-wg@icann.org> Yes Greg: unlike what Ayden seems to imply: * Europol is not advocating that personal information be processed in a manner inconsistent with European law; I am pleased to hear this. However, it the opinion<https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission's own Data Protection Supervisor that the data retention requirements contained with the 2013 RAA and the Draft Specification "continue to fall short of compliance with European data protection law." You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States. [Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is. * Europol access and processing of WHOIS information is in line with European Data protection rules; I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records? [Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion . Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use. * Europol does not "trawl" the WHOIS; Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? 
If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality. [Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said. We should remove the reference to "Python DNS scripts or domain tool API" being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process. [Chuck Gomes] Please remember that our objective is not to create perfect use cases. After all, illegal content like child abuse material (which you flagged in your use case) is just that - illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding. [Chuck Gomes] Who is advocating for the "the circumvention of the rule of law"? I think that the implication you make here is inappropriate. * Europol is indeed subject to one of the most stringent data protection framework in the LEA world. Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol's data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only "make any complaints it deems necessary to the Director" of Europol. [Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues. I'll stop here because this is only partially relevant to this PDP. 
My understanding has been that some politicians in the EU have been reluctant to expand Europol's remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one. [Chuck Gomes] Once again I think you are concluding more than is reasonable and also don't find you comment here constructive. Best Greg From: Greg Shatan [mailto:gregshatanipc@gmail.com] Sent: 18 August 2016 19:49 To: Mounier, Grégory Cc: Ayden Férdeline; RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical Greg, For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth? Thanks! Greg Shatan On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu<mailto:gregory.mounier@europol.europa.eu>> wrote: Dear Ayden, I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don't need further explanations :) Best regards, Greg From: Ayden Férdeline [mailto:icann@ferdeline.com<mailto:icann@ferdeline.com>] Sent: 18 August 2016 19:27 To: Mounier, Grégory Cc: Rob Golding; RDS PDP WG Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical Thank you for the response, Greg. I did not mean to suggest that Europol was whollyexempt from European data protection regulations, because it is not. In my original message, I wrote: "...your agency is exempt from some of the general provisions on data processing." I have bolded the word 'some' on this occasion for emphasis. 
When I wrote that Europol had exemptions from someof the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the "basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks." Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data "for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties" in a manner that would not be permitted of other stakeholders. Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts. Thanks, Ayden -------- Original Message -------- Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical Local Time: August 18, 2016 5:54 PM UTC Time: August 18, 2016 4:54 PM From: gregory.mounier@europol.europa.eu<mailto:gregory.mounier@europol.europa.eu> To: icann@ferdeline.com<mailto:icann@ferdeline.com> rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org<mailto:rob.golding@astutium.com,gnso-rds-pdp-wg@icann.org> Dear Ayden, Thank you very much for sharing your concerns and apologies for the late response, I was away from the office. 
I am not sure how you got the perception that Europol was "trawling" through WHOIS records or that Europol was "exempt from some of the general provisions on data processing" or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to "terror manuals" or "criminals claiming credit for attacks". In fact, I can assure you that Europol is not exempted from the general provisions on data protection. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection framework in the world of law enforcement. As far as data exchange inside the EU is concerned, Art.22-25 of Europol Council Decision (ECD) provides a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks. Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website. In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls. 
Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework. I hope that I could clarify some of the issues you raised. Kind regards, Greg From: Ayden Férdeline [mailto:icann@ferdeline.com] Sent: 08 August 2016 14:11 To: Mounier, Grégory Cc: Rob Golding; RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical Greg, I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law. I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available 'terror manuals' or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister. And if the RDS evolves into something very different from what it is today - perhaps not open to any and everyone to query, or federated into a single data store - my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards. The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information. 
There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security. Just my $0.02. - Ayden [https://app.mixmax.com/api/track/v2/PsCAAXCzeb1f72NwN/i02bj5SZulGblRmclZGQu5...] On Thu, Aug 4, 2016 1:59 PM, wrote: Dear Rob, Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions. If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometime be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step. Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first them is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call. Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes. In short, for LEA WHOIS is certainly not the silver bullet to attribute crime on line but it is an essential tool in the tool box of law enforcement. 
Best,
Greg

-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
>> Theoretical
>> ===========
>> We have seen a couple of proposed use cases that seem to be ideas
>> that people have for useful or harmful ways that RDS can be used, but
>> that do not exist today (at least not that anyone can fully
>> document).
>>
>> For example, there seems to be a desire to use the RDS as a way to
>> issue warrants for information about registrants. While this may be
>> useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent).

Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.

I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it".

Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.

Which beggars the question, should "LawEnforcement" use cases even be part of the discussions?

Rob
--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************
Ayden Férdeline
Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI>
For me the issue looks different: even if we trusted "our friendly neighborhood LEAs" with all the data they can carry, we probably do not feel the same about the LEAs operated by other states. Data that I might be glad to hand over to Interpol or German LEAs, I would rather see deleted than accept the slightest risk of it falling into the hands of Turkish LEAs or worse, like of a fully fledged torture state.

So we cannot look at the best possible cases, where LEAs are so well regulated that the risk of abuse is minimized. Our approach (once we get to it) has to be resilient enough to prevent access by anyone who would abuse it, while using the access routes we create for the good guys. So while I appreciate the discussions of how well regulated some LEAs are, this is not the standard we need to consider.

Simply put: anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

Best,
Volker

On 20.08.2016 at 01:08, Stephanie Perrin wrote:
Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate. I agree that we must be exceedingly careful about putting words in each others mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate. Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult. There are many reasons for this:
* law enforcement authorities have (legitimate) exemptions under data protection law for collection, use and disclosure, making it easy to accidentally abuse that discretion
* data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police
* governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize no one wants to read an article on the difficulties of DP oversight of law enforcement)
Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance....I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A.... Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm's 2012 letter to Crocker:
“The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights”. (Kohnstamm to Crocker and Atallah, 26 September 2012).
The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms, (I wish we had it in North America) but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.
Stephanie Perrin
On 2016-08-18 18:55, Gomes, Chuck wrote:
Ayden,
I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Thursday, August 18, 2016 4:48 PM
To: Mounier, Grégory
Cc: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Hi Greg,
I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu
To: gregshatanipc@gmail.com, icann@ferdeline.com, gnso-rds-pdp-wg@icann.org
Yes Greg: unlike what Ayden seems to imply:
· Europol is not advocating that personal information be processed in a manner inconsistent with European law;
I am pleased to hear this. However, it is the opinion <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...> of the European Commission’s own Data Protection Supervisor that the data retention requirements contained within the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.
[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is.
· Europol access and processing of WHOIS information is in line with European Data protection rules;
I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?
[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion. Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use.
· Europol does not “trawl” the WHOIS;
Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.
[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said.
We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.
[Chuck Gomes] Please remember that our objective is not to create perfect use cases.
After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.
[Chuck Gomes] Who is advocating for “the circumvention of the rule of law”? I think that the implication you make here is inappropriate.
· Europol is indeed subject to one of the most stringent data protection framework in the LEA world.
Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol.
[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.
I’ll stop here because this is only partially relevant to this PDP.
My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.
[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find your comment here constructive.
Best
Greg
From: Greg Shatan [mailto:gregshatanipc@gmail.com]
Sent: 18 August 2016 19:49
To: Mounier, Grégory
Cc: Ayden Férdeline; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Greg,
For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?
Thanks!
Greg Shatan
On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu <mailto:gregory.mounier@europol.europa.eu>> wrote:
Dear Ayden,
I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations ☺
Best regards,
Greg
From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 18 August 2016 19:27
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Thank you for the response, Greg. I did not mean to suggest that Europol was *wholly* exempt from European data protection regulations, because it is not. In my original message, I wrote:
"...your agency is exempt from *some* of the general provisions on data processing."
I have bolded the word ‘some’ on this occasion for emphasis. When I wrote that Europol had exemptions from *some* of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.”
Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.
Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.
Thanks,
Ayden
-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com, rob.golding@astutium.com, gnso-rds-pdp-wg@icann.org
Dear Ayden,
Thank you very much for sharing your concerns and apologies for the late response, I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.
In fact, I can assure you that _Europol is not exempted from the general provisions on data protection_. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection framework in the world of law enforcement.
As far as data exchange inside the EU is concerned, Art.22-25 of Europol Council Decision (ECD) provides a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.
Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.
In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls.
Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.
I hope that I could clarify some of the issues you raised.
Kind regards,
Greg
--
Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu

This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
> Simply put: anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.
+1

I cannot see how any other model makes sense in this context.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
No traditional risk analysis starts with the assumption that the worst-case scenario will determine what will be done. (Otherwise none of us should drive because of the risk of accidents, and none of us should fly, because terrorists.)

Risk analysis tends to follow this outline:

1. What can happen? (i.e., what can go wrong?)
2. How likely is it that it will happen?
3. If it does happen, what are the consequences?

And then choices are made, balancing the various variables. As we have been discussing, there are various opinions and concerns among the participants and stakeholders. At some point those need to be laid out and quantified where possible, so that fact-based decision-making and balancing can be done.

See also SAC061 Recommendation 2: “The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.” That would happen down the line, when things have progressed further and policy options have coalesced.

All best,
--Greg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Carlton Samuels
Sent: Monday, August 22, 2016 12:02 PM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

> Simply put: anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

+1

I cannot see how any other model makes sense in this context.

-Carlton
Hi Greg,

We are trekking ahead of the pack again, but as this is now a topic:

Our basic premise, in my humble opinion, should be the exact opposite of your proposal:

a) NO data is collected;
b) NO ONE has access to any of the collected data;
c) collected data may not be requested/used for any purpose.

From that basic level (which admittedly is so extreme it cannot be our final result) we need to figure out the exceptions to these rules while trying to poke holes into the exceptions to prevent as much abuse as we can think of, and then establish mechanisms of review of these exceptions at regular intervals to see if abuse has occurred or additional exceptions may become necessary. This is why we are designing use cases now and that is where your questions would come in. Anything less will be a system doomed to be abused without limit.

And this would not even enter into the problem of how/where to store the data, how to design access methods and authorization verifications, etc.

To your examples: to drive and/or fly, you need a license and it is regulated how to get one and who may apply for one.

On 22.08.2016 at 18:43, Greg Aaron wrote:
No traditional risk analysis starts with the assumption that the worst-case scenario will determine what will be done. (Otherwise none of us should drive because of the risk of accidents, and none of us should fly, because terrorists.)
Risk analysis tends to follow this outline:
1. What can happen? (i.e., what can go wrong?)
2. How likely is it that it will happen?
3. If it does happen, what are the consequences?
And then choices are made, balancing the various variables. As we have been discussing, there are various opinions and concerns among the participants and stakeholders. At some point those need to be laid out and quantified where possible, so that fact-based decision-making and balancing can be done.
See also SAC061 Recommendation 2: “The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.” That would happen down the line, when things have progressed further and policy options have coalesced.
All best,
--Greg
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Carlton Samuels
Sent: Monday, August 22, 2016 12:02 PM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.
+1
I cannot see how any other model makes sense in this context.
-Carlton
==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
--
Should you have any further questions, please do not hesitate to contact us.

Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu

This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Volker,

It’s not clear to me that what Greg proposed is the exact opposite of your basic premise but I’ll let Greg comment on that. I do want to remind everyone though that the 11th question in each of the three phases deals with risks.

Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, August 22, 2016 12:58 PM
To: Greg Aaron; Carlton Samuels
Cc: RDS WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Hi Greg,

We are trekking ahead of the pack again, but as this is now a topic: Our basic premise, in my humble opinion, should be the exact opposite of your proposal:

a) NO data is collected;
b) NO ONE has access to any of the collected data;
c) collected data may not be requested/used for any purpose.

From that basic level (which admittedly is so extreme it cannot be our final result) we need to figure out the exceptions to these rules while trying to poke holes into the exceptions to prevent as much abuse as we can think of, and then establish mechanisms of review of these exceptions at regular intervals to see if abuse has occurred or additional exceptions may become necessary. This is why we are designing use cases now and that is where your questions would come in. Anything less will be a system doomed to be abused without limit. And this would not even enter into the problem of how/where to store the data, how to design access methods and authorization verifications, etc.

To your examples: To drive and/or fly, you need a license and it is regulated how to get one and who may apply for one.

On 22.08.2016 at 18:43, Greg Aaron wrote:

No traditional risk analysis starts with the assumption that the worst-case scenario will determine what will be done. (Otherwise none of us should drive because of the risk of accidents, and none of us should fly, because terrorists.)

Risk analysis tends to follow this outline:

1. What can happen? (i.e., what can go wrong?)
2. How likely is it that it will happen?
3. If it does happen, what are the consequences?

And then choices are made, balancing the various variables. As we have been discussing, there are various opinions and concerns among the participants and stakeholders. At some point those need to be laid out and quantified where possible, so that fact-based decision-making and balancing can be done.

See also SAC061 Recommendation 2: “The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.” That would happen down the line, when things have progressed further and policy options have coalesced.

All best,
--Greg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Carlton Samuels
Sent: Monday, August 22, 2016 12:02 PM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

+1

I cannot see how any other model makes sense in this context.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================

--
Volker A. Greimann - legal department - Key-Systems GmbH
On Mon, Aug 22, 2016 at 06:57:48PM +0200, Volker Greimann wrote:
a) NO data is collected;
b) NO ONE has access to any of the collected data;
c) collected data may not be requested/used for any purpose.
A while ago I attempted to offer some drawings about how the RDS works, in an effort to allow us to talk meaningfully about options before us. The above simply ignores a basic point in all of those diagrams: the RDS is a query-only interface to registration data. Therefore, none of the options a-c above is even logically possible. _Some_ data will be collected, however minimal, to support the function of registering names in the DNS. Someone will have access to that data. And national authorities can always demand such data of people under their own legal jurisdictions.

If we are actually going to debate this point, then I think this WG is a waste of time. It is just not possible to start from the above premises even in theory, and if people want to debate the states of affairs in the logically possible universe in which the RDS is a mud puddle I will go find something useful to do.

If, however, we want to start from the plain facts that (1) the existing system exposes everything because it is a broken protocol and (2) at least most of the data currently collected has utility directly relevant to registration of domain names as part of the global DNS, then we can instead talk meaningfully about what that data is, whether it ought to be collected at all, and whether that utility means it needs to be disclosed to anyone.

From that basic level (which admittedly is so extreme it cannot be our final result)
That's not the reason I object, please note.
To your examples: To drive and/or fly, you need a license and it is regulated how to get one and who may apply for one.
The analogy breaks down immediately, of course, because such regulations are at least bound to nation-states if not subdivisions within them, and sometimes by treaties. Since the Internet does not provide the facilities for such governmental regulation without breaking the basic assumptions of internetworking, there may be a difference that makes a difference here.

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
On 23.08.2016 at 06:39, Andrew Sullivan wrote:
On Mon, Aug 22, 2016 at 06:57:48PM +0200, Volker Greimann wrote:
a) NO data is collected;
b) NO ONE has access to any of the collected data;
c) collected data may not be requested/used for any purpose.

A while ago I attempted to offer some drawings about how the RDS works, in an effort to allow us to talk meaningfully about options before us. The above simply ignores a basic point in all of those diagrams: the RDS is a query-only interface to registration data.

As we are still designing what the RDS is supposed to do, going ahead and designing how it is going to work may be premature. If you only have a hammer, everything will start looking like a nail.

I would very much hope that the design of the RDS will follow from the discussions here, not the other way round. If the RDS you describe does not fit our needs, we will need a different solution. If for example we find that RDAP is not the part of the solution that many claim it is (I do not know enough about it yet to have a position) we should be prepared to throw it in the bin and look at better solutions.

Therefore, none of the options a-c above is even logically possible. _Some_ data will be collected, however minimal, to support the function of registering names in the DNS.

As I said, that is why we need the use cases to determine what data should be collected and why. We start with the basic premise and start adding to it.

Someone will have access to that data. And national authorities can always demand such data of people under their own legal jurisdictions.

Which is why I assume (way ahead of the time) that there cannot be one central depository, and no storage of foreign data subjects' data in countries that allow such access, like the United States. If the data stored in a country is not secure from what would be illegal access for foreign data subjects (even if legal in the jurisdiction where the access occurs), that country is eliminated from the running for the location of the depository.

If we are actually going to debate this point, then I think this WG is a waste of time. It is just not possible to start from the above premises even in theory, and if people want to debate the states of affairs in the logically possible universe in which the RDS is a mud puddle I will go find something useful to do.

I am not suggesting we go that far. I do realize we need to keep this realistic. Yet for any set of data and any level of access we contemplate granting, we should make a reasonable effort of thinking about how this could be abused, and if there is anything we can do to prevent such abuse. If we do not even consider these questions, we have failed in our task. We would be producing a shiny new system that is unworkable in the real world.

If, however, we want to start from the plain facts that (1) the existing system exposes everything because it is a broken protocol and (2) at least most of the data currently collected has utility directly relevant to registration of domain names as part of the global DNS, then we can instead talk meaningfully about what that data is, whether it ought to be collected at all, and whether that utility means it needs to be disclosed to anyone.

I agree on 1, not fully on 2, as most of the data collected does not necessarily have relevance to the registration process of the domain name. As a registrar, all we really need to perform a domain name registration is the email address to send the ICANN-mandated reminders and notifications to. We technically do not need the address, name or telephone number of the registrant to perform the task. It is helpful data to identify the registrant in certain circumstances, but not strictly necessary. I am btw not advocating that this be the only data collected, I am merely illustrating the technical need.

From that basic level (which admittedly is so extreme it cannot be our final result)

That's not the reason I object, please note.

To your examples: To drive and/or fly, you need a license and it is regulated how to get one and who may apply for one.

The analogy breaks down immediately, of course, because such regulations are at least bound to nation-states if not subdivisions within them, and sometimes by treaties. Since the Internet does not provide the facilities for such governmental regulation without breaking the basic assumptions of internetworking, there may be a difference that makes a difference here.

Any government is free to (and many regularly do) regulate various aspects of the use and even the registration process of domain names within their own borders. It is for example easier for a German citizen to register a gTLD domain name than it is for a Chinese national. So saying there is no or could be no governmental regulation would be a fallacy.
Best,
Volker

--
Volker A. Greimann - legal department - Key-Systems GmbH
Greg,

A worst case scenario is not a fantasy. It is a real, possible outcome that justifies taking precautions from the onset of our work. We should not under-estimate these scenarios but prepare for them. I tend to think of risk as a seesaw; it is easy to be ambivalent and to see merit on both sides of the issue, or to think of something as though it is very unlikely to happen, but if we ignore a potentially catastrophic outcome we are only asking for trouble and could tip the seesaw out of equilibrium.

I would encourage the Working Group to consider Volker and Carlton's suggested approach.

Best wishes,
Ayden

-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 5:43 PM
UTC Time: August 22, 2016 4:43 PM
From: gca@icginc.com
To: carlton.samuels@gmail.com, vgreimann@key-systems.net, gnso-rds-pdp-wg@icann.org

[No traditional risk analysis starts with the assumption that the worst-case scenario will determine what will be done. (Otherwise none of us should drive because of the risk of accidents, and none of us should fly, because terrorists.)]

Risk analysis tends to follow this outline:

1. What can happen? (i.e., what can go wrong?)
2. How likely is it that it will happen?
3. If it does happen, what are the consequences?

And then choices are made, balancing the various variables. As we have been discussing, there are various opinions and concerns among the participants and stakeholders. At some point those need to be laid out and quantified where possible, so that fact-based decision-making and balancing can be done.

See also SAC061 Recommendation 2: “The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.” That would happen down the line, when things have progressed further and policy options have coalesced.

All best,
--Greg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Carlton Samuels
Sent: Monday, August 22, 2016 12:02 PM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

+1

I cannot see how any other model makes sense in this context.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
Dear Ayden:

“Ignoring a potentially catastrophic outcome” is not something I suggested. I said that a worst-case scenario does not necessarily dictate what the solution is. (Otherwise there would be no balancing process needed, and the most restrictive, harsh, and secure solution would automatically be put in place.) Very different from what you said I said.

All best,
--Greg

From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: Monday, August 22, 2016 4:25 PM
To: Greg Aaron <gca@icginc.com>
Cc: Carlton Samuels <carlton.samuels@gmail.com>; Volker Greimann <vgreimann@key-systems.net>; RDS WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Greg,

A worst case scenario is not a fantasy. It is a real, possible outcome that justifies taking precautions from the onset of our work. We should not under-estimate these scenarios but prepare for them. I tend to think of risk as a seesaw; it is easy to be ambivalent and to see merit on both sides of the issue, or to think of something as though it is very unlikely to happen, but if we ignore a potentially catastrophic outcome we are only asking for trouble and could tip the seesaw out of equilibrium.

I would encourage the Working Group to consider Volker and Carlton's suggested approach.

Best wishes,
Ayden

-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 5:43 PM
UTC Time: August 22, 2016 4:43 PM
From: gca@icginc.com
To: carlton.samuels@gmail.com, vgreimann@key-systems.net, gnso-rds-pdp-wg@icann.org

No traditional risk analysis starts with the assumption that the worst-case scenario will determine what will be done. (Otherwise none of us should drive because of the risk of accidents, and none of us should fly, because terrorists.)

Risk analysis tends to follow this outline:

1. What can happen? (i.e., what can go wrong?)
2. How likely is it that it will happen?
3. If it does happen, what are the consequences?

And then choices are made, balancing the various variables. As we have been discussing, there are various opinions and concerns among the participants and stakeholders. At some point those need to be laid out and quantified where possible, so that fact-based decision-making and balancing can be done.

See also SAC061 Recommendation 2: “The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.” That would happen down the line, when things have progressed further and policy options have coalesced.

All best,
--Greg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Carlton Samuels
Sent: Monday, August 22, 2016 12:02 PM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

+1

I cannot see how any other model makes sense in this context.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
I share the same view, Carlton. +1 to your comment.

Ayden

-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 5:02 PM
UTC Time: August 22, 2016 4:02 PM
From: carlton.samuels@gmail.com
To: vgreimann@key-systems.net, gnso-rds-pdp-wg@icann.org

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

+1

I cannot see how any other model makes sense in this context.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================

"We therefore need to model our approach on the worst possible actors, not the best."

If this is the prism through which we view the "actors" involved here, that would need to apply to all the actors -- so we need to view registrants as a motley crew of phishers, malware providers, cybersquatters, counterfeiters, child porn purveyors, illegal online pharmacies, and other assorted malfeasors. That would make WHOIS/RDS the rough equivalent of a sex offender registry, and our requirements regarding availability, contactability, accuracy, validation, etc., would need to be ratcheted up very significantly. We may even need a system to track registrants, if we follow this thinking to its logical conclusion.

As fascinating as this dystopian worldview might be, I reject the idea that this is an appropriate approach to our work.

Greg Shatan

On Mon, Aug 22, 2016 at 4:05 PM, Ayden Férdeline <icann@ferdeline.com> wrote:
I share the same view, Carlton. +1 to your comment.
Ayden
-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 5:02 PM
UTC Time: August 22, 2016 4:02 PM
From: carlton.samuels@gmail.com
To: vgreimann@key-systems.net, gnso-rds-pdp-wg@icann.org

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

+1

I cannot see how any other model makes sense in this context.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
Greg,

Please forgive me here, as phrasing awful possibilities in emotional language does not come as naturally to me. So I’ll have to bypass a few of your scenarios and instead suggest that you not take the words “worst case scenario” literally. After all, I am sure we can all conjure up a worst case scenario that is entirely improbable; like if aliens from Mars were to penetrate the RDS and to use it as an instrument for finding properties to destroy. We should be placing the worst case scenarios in context by discussing less devastating but more probable outcomes, and by placing both risk probability and risk magnitude at the forefront of our discussions. I think this would serve us better than potentially ignoring the ‘warning signals’ of what could go wrong.

Thanks,
Ayden

-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 9:27 PM
UTC Time: August 22, 2016 8:27 PM
From: gregshatanipc@gmail.com
To: gnso-rds-pdp-wg@icann.org

"We therefore need to model our approach on the worst possible actors, not the best."

If this is the prism through which we view the "actors" involved here, that would need to apply to all the actors -- so we need to view registrants as a motley crew of phishers, malware providers, cybersquatters, counterfeiters, child porn purveyors, illegal online pharmacies, and other assorted malfeasors. That would make WHOIS/RDS the rough equivalent of a sex offender registry, and our requirements regarding availability, contactability, accuracy, validation, etc., would need to be ratcheted up very significantly. We may even need a system to track registrants, if we follow this thinking to its logical conclusion.

As fascinating as this dystopian worldview might be, I reject the idea that this is an appropriate approach to our work.

Greg Shatan

On Mon, Aug 22, 2016 at 4:05 PM, Ayden Férdeline <icann@ferdeline.com> wrote:

I share the same view, Carlton. +1 to your comment.

Ayden

-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 5:02 PM
UTC Time: August 22, 2016 4:02 PM
From: carlton.samuels@gmail.com
To: vgreimann@key-systems.net, gnso-rds-pdp-wg@icann.org

On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

+1

I cannot see how any other model makes sense in this context.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
Ayden,

You are being far too modest; your capacity for phrasing awful possibilities in emotional language has been amply demonstrated in this group.

As for the rest of your email, I'm not entirely sure it responded to my email, since I did not mention "worst case scenarios" at all. I was referring instead to the proposal that we "model our approach on the worst case actors." I merely selected a few types of actual, and not at all improbable, registrant/malfeasors, so that we could consider them as our "worst case actors" for determining how to deal with registrant issues if we were to use the suggested methodology. Which I do not support.

Greg

On Mon, Aug 22, 2016 at 4:46 PM, Ayden Férdeline <icann@ferdeline.com> wrote:
Greg,
Please forgive me here, as phrasing awful possibilities in emotional language does not come as naturally to me. So I’ll have to bypass a few of your scenarios and instead suggest that you not take the words “worst case scenario” literally. After all, I am sure we can all conjure up a worst case scenario that is entirely improbable; like if aliens from Mars were to penetrate the RDS and to use it as an instrument for finding properties to destroy. We should be placing the worst case scenarios in context by discussing less devastating but more probable outcomes, and by placing both risk probability and risk magnitude at the forefront of our discussions. I think this would serve us better than potentially ignoring the ‘warning signals’ of what could go wrong.
Thanks, Ayden
-------- Original Message -------- Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical Local Time: August 22, 2016 9:27 PM UTC Time: August 22, 2016 8:27 PM From: gregshatanipc@gmail.com To: gnso-rds-pdp-wg@icann.org
"We therefore need to model our approach on the worst possible actors, not the best."
If this is the prism through which we view the "actors" involved here, that would need to apply to all the actors -- so we need to view registrants as a motley crew of phishers, malware providers, cybersquatters, counterfeiters, child porn purveyors, illegal online pharmacies, and other assorted malfeasors. That would make WHOIS/RDS the rough equivalent of a sex offender registry, and our requirements regarding availability, contactability, accuracy, validation, etc., would need to be ratcheted up very significantly. We may even need a system to track registrants, if we follow this thinking to its logical conclusion.
As fascinating as this dystopian worldview might be, I reject the idea that this is an appropriate approach to our work.
Greg Shatan
On Mon, Aug 22, 2016 at 4:05 PM, Ayden Férdeline <icann@ferdeline.com> wrote:
I share the same view, Carlton. +1 to your comment.
Ayden
-------- Original Message -------- Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 5:02 PM UTC Time: August 22, 2016 4:02 PM From: carlton.samuels@gmail.com To: vgreimann@key-systems.net gnso-rds-pdp-wg@icann.org
On Mon, Aug 22, 2016 at 2:19 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
Simply put: Anything that can be abused, will be abuse. We therefore need to model our approach on the worst possible actors, not the best.
+1
I cannot see how any other model makes sense in this context.
-Carlton
============================== *Carlton A Samuels*
*Mobile: 876-818-1799 <876-818-1799>Strategy, Planning, Governance, Assessment & Turnaround* =============================
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Even in those cases, the presumption of "innocent until proven guilty" would prevail, I assume, and prevent the unregulated, free-for-all access to what still amounts to private details. I am in no way defending the practices you describe, but even criminals have basic rights.

To my original argument: If the CIA and FBI were to have unfettered access, why wouldn't their Iranian, Syrian or similar counterparts? Had the internet existed a few decades earlier, the Gestapo or Stasi would have had a very good time with that data. We simply have to start with a de minimis approach, and then slowly and carefully open up the "vault door" as much as necessary, but not further.

Best,
Volker
--
Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Thanks for this input, Volker. I agree. Making the RDS vulnerable to one group means making it vulnerable to all. It is not going to fly to have gated access to data only for law enforcement from country X, Y, or Z — and it is not possible to, say, limit access to law enforcement in general. Limiting access to data is a policy requirement; it requires designing a system which is not secure in the first place and then overlaying some kind of policy on top of it to limit access to authorised parties. Anyone who has read a newspaper over the last year will know that data breaches are not unheard of.

- Ayden

-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 22, 2016 8:19 AM
UTC Time: August 22, 2016 7:19 AM
From: vgreimann@key-systems.net
To: gnso-rds-pdp-wg@icann.org

For me the issue looks different: Even if we trusted "our friendly neighborhood LEAs" with all the data they can carry, we probably do not feel the same about the LEAs operated by other states. Data that I might be glad to hand over to Interpol or German LEAs, I would rather see deleted than accept the slightest risk of it falling into the hands of Turkish LEAs or worse, like those of a fully fledged torture state. So we cannot look at the best possible cases, where LEAs are so well regulated that the risk of abuse is minimized. Our approach (once we get to it) has to be resilient enough to prevent access by anyone who would abuse it, while using the access routes we create for the good guys. So while I appreciate the discussions of how well regulated some LEAs are, this is not the standard we need to consider.

Simply put: Anything that can be abused, will be abused. We therefore need to model our approach on the worst possible actors, not the best.

Best,
Volker

On 20.08.2016 at 01:08, Stephanie Perrin wrote:

Gentlemen, with great respect, I think you are being a bit hard on Ayden here. If, as our next-gen rep here on the group, he were not questioning authority, I might be afraid he had somehow "missed the memo". I think the tone has become a bit accusatory on both sides and we should de-escalate. I agree that we must be exceedingly careful about putting words in each other's mouths. However, questioning the efficacy of oversight of police data protection compliance is fair game in my view and in the view of most privacy scholars (Korff, Brown, Bennett and Raab, Anderson etc.). Diana Alonso Blass (who came to ICANN in 2003 or 04 representing the Article 29 Working Party) and now of Eurojust speaks regularly on some of these issues at the data protection commissioners' annual conference and at CPDP and there can be heated debate. Oversight of law enforcement, particularly cross border law enforcement, is difficult just as the actual law enforcement is difficult. There are many reasons for this:

- law enforcement authorities have (legitimate) exemptions under data protection law for collection, use and disclosure, making it easy to accidentally abuse that discretion
- Data protection authorities frequently choose to direct enforcement actions in other areas, given the constant shortage of resources and the publicity (reaching political uproar at times) that can come with enforcement against police
- governments often take a dim view of data protection commissioners who go after the police (I can cite examples if you wish but I realize no one wants to read an article on the difficulties of DP oversight of law enforcement)

Some of the European DP authorities testified in the 2014 inquiry into NSA surveillance.... I realize this is about intelligence, but certainly Europol and cybercrime were mentioned. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A....

Given the global nature of law enforcement in our subject area, and the perceived failure of certain instruments such as the Cybercrime treaty, and the general shock and outrage expressed during the inquiry I just cited, particularly over cross border data sharing, I think it is reasonable to question assertions of compliance with data protection law. You will find the list of witnesses in the appendix. Jacob Kohnstamm was one of them, as was Peter Hustinx, and let me finally remind you of my favorite quote from Kohnstamm's 2012 letter to Crocker:

“The Working Party strongly objects to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on civil and Political rights”. (Kohnstamm to Crocker and Atallah, 26 September 2012)

The bottom line here is that civil society correctly has questions about the efficacy of oversight. Please don't take it personally, it is not meant that way. It is our job to question. I would agree that Europol has an excellent oversight regime, in comparative terms, (I wish we had it in North America) but that does not mean it works all the time. While we are not here to criticize particular countries or regions, please admit the idea of criticism in general. It is important.

Stephanie Perrin

On 2016-08-18 18:55, Gomes, Chuck wrote:

Ayden,

I appreciate your frequent contributions because you share some important concerns. But I want to communicate some concerns I have about how you are doing that. Please see my comments below.
Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Thursday, August 18, 2016 4:48 PM
To: Mounier, Grégory
Cc: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Hi Greg,

I don’t mean to sound provocative, however I would like to make sure I am interpreting your comments correctly. Please see inline below.

Thanks, Ayden

-------- Original Message --------
Subject: @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 7:00 PM
UTC Time: August 18, 2016 6:00 PM
From: gregory.mounier@europol.europa.eu
To: gregshatanipc@gmail.com, icann@ferdeline.com, gnso-rds-pdp-wg@icann.org

Yes Greg: unlike what Ayden seems to imply:

· Europol is not advocating that personal information be processed in a manner inconsistent with European law;

I am pleased to hear this. However, it is the [opinion](https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Co...) of the European Commission’s own Data Protection Supervisor that the data retention requirements contained with the 2013 RAA and the Draft Specification “continue to fall short of compliance with European data protection law.” You have built a use case around how the WHOIS protocol operates today, which itself contains data sourced from registrars through practices which are inconsistent with the privacy laws of many (all?) EU Member States.

[Chuck Gomes] Greg did not say that the 2013 RAA is compliant with European law; he only said Europol is.

· Europol access and processing of WHOIS information is in line with European Data protection rules;

I am glad that this is the case. Could you please expand upon how, under what circumstances, and how frequently Europol currently retrieves WHOIS records?

[Chuck Gomes] This is a terribly broad request and one that I suspect may be very difficult to respond to. Europol is not the topic of discussion. Insight they can provide will be helpful when we deliberate just like your insights. In all cases we will do our best to validate information we use.

· Europol does not “trawl” the WHOIS;

Are you saying, then, that you do not find the WHOIS protocol useful in solving crime? If you are not collecting its records in bulk, I would suggest that we revise your use case of 25 July to reflect this reality.

[Chuck Gomes] He did not say that. I encourage you to avoid adding to what he said.

We should remove the reference to “Python DNS scripts or domain tool API” being utilised to identify connections between DNS information and potentially troublesome websites, and replace it with something which respects the right to, say, due process.

[Chuck Gomes] Please remember that our objective is not to create perfect use cases.

After all, illegal content like child abuse material (which you flagged in your use case) is just that – illegal. Illegal material should be dealt with in a legal manner. You should not be advocating for the circumvention of the rule of law; to do so is a direct violation of the human rights standards that Europol has committed itself to upholding.

[Chuck Gomes] Who is advocating for the “the circumvention of the rule of law”? I think that the implication you make here is inappropriate.

· Europol is indeed subject to one of the most stringent data protection framework in the LEA world.

Whether that is reality or rhetoric, I do not know. My gut feeling is that Europol’s data protection provisions are comprehensive in theory, but critically undermined by procedural weakness. One example that comes to mind: the Europol Joint Supervisory Body is the independent body which supposedly monitors your adherence to data protection rules. However, it has no powers of enforcement, it can only “make any complaints it deems necessary to the Director” of Europol.

[Chuck Gomes] I think it best if you avoid criticizing specific organizations and stick to issues.

I’ll stop here because this is only partially relevant to this PDP.

My understanding has been that some politicians in the EU have been reluctant to expand Europol’s remit/mandate, given concerns around effectiveness and a perceived democratic deficit, so it is fascinating to me to see Europol working to expand its powers and data collection abilities in working groups such as this one.

[Chuck Gomes] Once again I think you are concluding more than is reasonable and also don’t find your comment here constructive.

Best

Greg

From: Greg Shatan [mailto:gregshatanipc@gmail.com]
Sent: 18 August 2016 19:49
To: Mounier, Grégory
Cc: Ayden Férdeline; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Greg,

For the rest of us who may not be so well informed, is there something more we should understand and take into account in considering this particular back-and-forth?

Thanks!

Greg Shatan

On Thu, Aug 18, 2016 at 1:45 PM, Mounier, Grégory <gregory.mounier@europol.europa.eu> wrote:

Dear Ayden,

I objected because some of your statements were misinformed so I thought that I should help and clarify. But it seems that you are very well informed and that you don’t need further explanations ☺

Best regards,

Greg

From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 18 August 2016 19:27
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical

Thank you for the response, Greg. I did not mean to suggest that Europol was wholly exempt from European data protection regulations, because it is not. In my original message, I wrote: "...your agency is exempt from **some** of the general provisions on data processing." I have bolded the word ‘some’ on this occasion for emphasis.
When I wrote that Europol had exemptions from some of the general provisions on data processing, I was referring to the Europol Council Decision as published in the Official Journal of the European Union on 15 May 2009. I am sure you are intimately familiar with this document, as you cited it in your email to me today as providing the “basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks.” Aside from this, this decision contains data processing rules which were, to quote you again in your email, "tailor-made" for Europol, and is complemented by a set of implementation guidelines which privilege Europol with the ability to process personal data “for the purpose of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties” in a manner that would not be permitted of other stakeholders.

Given this, I'm unsure as to why you found my comments so objectionable, but I hope this email has brought about some more clarity. If not, I am happy to expand upon my thoughts.

Thanks, Ayden

-------- Original Message --------
Subject: @EXT: RE: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Local Time: August 18, 2016 5:54 PM
UTC Time: August 18, 2016 4:54 PM
From: gregory.mounier@europol.europa.eu
To: icann@ferdeline.com, rob.golding@astutium.com, gnso-rds-pdp-wg@icann.org

Dear Ayden,

Thank you very much for sharing your concerns and apologies for the late response, I was away from the office.
I am not sure how you got the perception that Europol was “trawling” through WHOIS records or that Europol was “exempt from some of the general provisions on data processing” or even that our legal framework limited the ability of Europol staff to process data from publicly available sources related to “terror manuals” or “criminals claiming credit for attacks”.

In fact, I can assure you that Europol is not exempted from the general provisions on data protection. European data protection legislation has been implemented in the organisation with the aim of creating a legal framework which balances the fundamental interests of freedom and security. The tailor-made set of rules provides Europol with one of the strongest, most robust data protection frameworks in the world of law enforcement.

As far as data exchange inside the EU is concerned, Art.22-25 of Europol Council Decision (ECD) provides a basis for Europol to establish and maintain cooperative relations with Union or Community institutions, bodies, offices and agencies; third States and organisations; private parties and private persons in so far as it is relevant to the performance of its tasks. Europol exchanges personal data only with third parties which have an adequate level of data protection. The prior data protection assessment of the third party involves a check on the necessary data protection legislation and confidentiality rules in place and in practice. The list of the third countries with which Europol has established an operational agreement is published on our website.

In addition, Europol can receive information from private parties such as companies, business associations or non-profit organisations. As with any transfer of personal data, this process is subject to data protection controls.

Last but not least, in line with the respective provisions of the ECD, Europol can also retrieve and process data, including personal data, from publicly available sources, such as media and public data and commercial intelligence providers, in accordance with the data protection framework.

I hope that I could clarify some of the issues you raised.

Kind regards,

Greg

From: Ayden Férdeline [mailto:icann@ferdeline.com]
Sent: 08 August 2016 14:11
To: Mounier, Grégory
Cc: Rob Golding; RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: Use cases: Fundamental, Incidental, and Theoretical

Greg,

I am disappointed that Europol seems to be advocating that personal information be processed in a manner inconsistent with European law. I fully appreciate that, in order to allow Europol to collect sensitive information from the Member States in the pursuit of investigations, your agency is exempt from some of the general provisions on data processing. You are permitted to directly retrieve and process information obtained from publicly-available sources, but the promotional literature on the Europol website suggests Europol agents searching for publicly-available ‘terror manuals’ or criminals claiming credit for attacks. There is no indication that this includes Europol trawling through things like WHOIS records to identify the administrator of a website, something far less sinister. And if the RDS evolves into something very different from what it is today – perhaps not open to any and everyone to query, or federated into a single data store – my understanding is that the routing of information from a private party to Europol would be subject to European data protection controls and safeguards. The very specific exemptions that Europol has received in order to carry out its work simply do not call for Europol to advocate for a lower standard of privacy protection for European residents in privately-owned or publicly-accessible sources of information.

There is no doubt that effective police work requires top intelligence, but equally as important is the employment of sound data protection safeguards which strike an appropriate balance between the interests of freedom and security.

Just my $0.02.

- Ayden

On Thu, Aug 4, 2016 1:59 PM, wrote:

Dear Rob,

Thanks for sharing the outcome of your chat with ex-FBI and UK LEA agents. I feel that I need to step in to provide a different perspective than the one you just gave on the law enforcement use of the WHOIS. It might be a matter of interpretation but the views expressed by your interlocutors are not shared by my colleagues working throughout European police cyber divisions.

If European cyber investigators are obviously all aware of the fact that WHOIS registration data can sometimes be inaccurate and not up-to-date (ICANN compliance reported that for the first quarter of 2015, WHOIS inaccuracy comprised 74.0 % of complaints), in 90% of cases they will start their investigations with a WHOIS lookup. This is really the first step. Despite the lack of accuracy, WHOIS information is useful in so many different ways. One of the first of these is to make correlations and link pieces of information obtained through other means than from the WHOIS. This was the point I tried to make on Tuesday during the conference call.

Accurate and reliable WHOIS data helps crime attribution and can save precious investigation time (you can rule out wrong investigative leads). It raises the bar and makes it more difficult for criminals to abuse domain names. It pushes them to resort to more complex techniques such as ID theft to register domains for malicious purposes. In short, for LEA WHOIS is certainly not the silver bullet to attribute crime online but it is an essential tool in the tool box of law enforcement.
Best,

Greg

-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rob Golding
Sent: 04 August 2016 01:46
To: RDS PDP WG
Subject: Re: [gnso-rds-pdp-wg] Use cases: Fundamental, Incidental, and Theoretical
Theoretical
===========
We have seen a couple of proposed use cases that seem to be ideas
that people have for useful or harmful ways that RDS can be used, but
that do not exist today (at least not that anyone can fully
document).
For example, there seems to be a desire to use the RDS as a way to
issue warrants for information about registrants. While this may be
useful, this is not possible today (even with RDAP, I note).
It not only is possible today, it's also "common" (although thankfully not frequent). Registrars get served warrants for details about registrants, and the _only_ information from WHOIS that's "needed" or used for such cases is the name of the Registrar.

I had the pleasure of meeting Chris Tarbell, ex-FBI Cyber Crime, at HostingCon last week - asked about WHOIS/domain data he said "we don't use it".

Last year at the UKNOF event in Sheffield I spent quite some time talking with some amazing people from the UK CyberCrime departments - asked the same questions, they confirmed that although whois _might_ be looked at to see if it matches _data they already have_ for confirmation, it's not used or relied on.

Which beggars the question, should "LawEnforcement" use cases even be part of the discussions?

Rob

--
Rob Golding rob.golding@astutium.com
Astutium Ltd, Number One Poultry, London. EC2R 8JR
* domains * hosting * vps * servers * cloud * backups *

*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************

Ayden Férdeline
[Statement of Interest](https://community.icann.org/display/gnsosoi/Ayden+F%E9rdeline+SOI)
participants (9)
- Andrew Sullivan
- Ayden Férdeline
- Carlton Samuels
- Gomes, Chuck
- Greg Aaron
- Greg Shatan
- Mounier, Grégory
- Stephanie Perrin
- Volker Greimann