Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.

To: http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/

Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Pwned credit-score biz quietly admits more info lost
By Iain Thomson in San Francisco, 13 Feb 2018 at 02:13

Last year, Equifax admitted https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exp... hackers stole sensitive personal records on 145 million Americans and hundreds of thousands in the UK https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/ and Canada.

The outfit already said cyber-crooks "primarily" took names, social security numbers, birth dates, home addresses, credit-score dispute forms, and, in some instances, credit card numbers and driver license numbers. Now the credit-checking giant reckons the intruders snatched even more information from its databases.

According to documents provided by Equifax to the US Senate Banking Committee, and revealed this month by Senator Elizabeth Warren (D-MA) https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc, the attackers also grabbed taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.

Like social security numbers, taxpayer ID numbers are useful for fraudsters seeking to steal people's identities or their tax rebates, and the expiry dates are similarly useful for online crooks when linked with credit card numbers and other personal information.

Contradictory

"As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?" Warren fumed in a missive late last week. https://www.warren.senate.gov/?p=press_release&id=2317

Equifax spokeswoman Meredith Griffanti stressed to The Register today that the extra information snatched by hackers, as revealed by Senator Warren, belonged to "some" Equifax customers. In other words, not everyone had their phone numbers, email addresses, and so on, slurped by crooks, just some. How much is some? Equifax isn't saying, hence Warren's (and everyone else's) growing frustration.

The senator is a cosponsor of the proposed Data Breach Prevention and Compensation Act https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/ which, if passed, would impose computer security regulations on credit reporting agencies, with mandatory fines that would have led to Equifax coughing up $1.5bn for its IT blunder.

Some regulation or punishment is obviously needed.

No senior Equifax executives were fired over the attack; instead the CEO, CSO and CIO were all allowed to retire with multi-million dollar golden parachutes. The US government's Consumer Financial Protection Bureau promised a full investigation into the Equifax affair, and then gave up. On February 7, an open letter [PDF] https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18... from 32 senators to the bureau asked why the probe was dropped, and the gang has yet to receive a response. ®
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.

On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
--
John Bambenek
The law does not differentiate. Personal data is personal data and the only one to decide what happens to it is the data subject.

(And we are talking about names, addresses, telephone numbers and email addresses, thank you very much)

Volker

On 13.02.2018 at 17:48, John Bambenek via gnso-rds-pdp-wg wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
I know full well what data we are talking about. And you know full well I know it too. But your pattern of bullying, sexism, condescension and abuse CONTINUES to derail any meaningful discussion on these issues.

On 2/13/2018 10:51 AM, Volker Greimann wrote:
The law does not differentiate. Personal data is personal data and the only one to decide what happens to it is the data subject.
(And we are talking about names, addresses, telephone numbers and email addresses, thank you very much)
Volker
On 13.02.2018 at 17:48, John Bambenek via gnso-rds-pdp-wg wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
--
John Bambenek
With respect, John, I think you'd do well to reflect on how you communicate on this list. I think the same comment you just made to Volker could apply equally to a large number of the posts you have sent to this mailing list.

Kind regards,
Ayden

-------- Original Message --------
On 13 February 2018 5:53 PM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I know full well what data we are talking about. And you know full well I know it too. But your pattern of bullying, sexism, condescension and abuse CONTINUES to derail any meaningful discussion on these issues.
On 2/13/2018 10:51 AM, Volker Greimann wrote:
The law does not differentiate. Personal data is personal data and the only one to decide what happens to it is the data subject.
(And we are talking about names, addresses, telephone numbers and email addresses, thank you very much)
Volker
On 13.02.2018 at 17:48, John Bambenek via gnso-rds-pdp-wg wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
Please don't diss valid points John - I am sure if your personal information was stolen in this attack and they had your SSN/TIN, credit card number and expiry date, you would be singing a different tune.

Kind regards,
Chris

From: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
To: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
Sent: Tuesday, 13 February, 2018 16:48:27
Subject: Re: [gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.

On 2/13/2018 10:45 AM, Stephanie Perrin wrote:

Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
My personal data WAS stolen in the Equifax breach. People can do real fraud with that. My point is that having my address, phone number and email has radically different risks than financial information. That is the only point I was making.

On 2/13/2018 10:52 AM, Chris Pelling wrote:
Please don't diss valid points John - I am sure if your personal information was stolen in this attack and they had your SSN/TIN, credit card number and expiry date, you would be singing a different tune.
Kind regards,
Chris
From: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
To: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
Sent: Tuesday, 13 February, 2018 16:48:27
Subject: Re: [gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
--
John Bambenek
So was mine in the UK, and ICANN keeping or requiring ANY retention of data for long periods of time IMHO is dangerous. Equifax dropped the ball here, and a lot (you and I both plus God knows really how many others) have had their personal data stolen. I don't want my telephone number to be out in the wild, nor any of my other details quite frankly.

Kind regards,

Chris

From: "John Bambenek" <jcb@bambenekconsulting.com>
To: "Chris Pelling" <chris@netearth.net>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
Sent: Tuesday, 13 February, 2018 16:54:29
Subject: Re: [gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

My personal data WAS stolen in the Equifax breach. People can do real fraud with that. My point is that having my address, phone number and email has radically different risks than financial information. That is the only point I was making.

On 2/13/2018 10:52 AM, Chris Pelling wrote:

Please don't diss valid points John - I am sure if your personal information was stolen in this attack and they had your SSN/TIN, credit card number and expiry date, you would be singing a different tune.

Kind regards,

Chris

From: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
To: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
Sent: Tuesday, 13 February, 2018 16:48:27
Subject: Re: [gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.

--
John Bambenek

_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Which is why I have stated repeatedly, vigorously, and consistently whois privacy SHOULD be FREE. Let the CONSUMER make that choice, not a bunch of mostly American and European guys telling the world how they need to do business. I don't care if MY number is out there. So the question is, why create a system that prevents me from sharing MY OWN information as I see fit?

On 2/13/2018 11:01 AM, Chris Pelling wrote:

So was mine in the UK, and ICANN keeping or requiring ANY retention of data for long periods of time IMHO is dangerous. Equifax dropped the ball here, and a lot (you and I both plus God knows really how many others) have had their personal data stolen. I don't want my telephone number to be out in the wild, nor any of my other details quite frankly.

Kind regards,

Chris

--
John Bambenek
John’s point is a fair one: the risk levels are very different. Comparing social security numbers to phone numbers is an apples-to-oranges comparison.

A logical conclusion is that folks should be very concerned about the information security practices at their registrars, which is where the most sensitive data is collected and stored. Anyone up for inserting better security requirements into the RAA? ;-)

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Bambenek via gnso-rds-pdp-wg
Sent: Tuesday, February 13, 2018 11:54 AM
To: Chris Pelling <chris@netearth.net>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>

My personal data WAS stolen in the Equifax breach. People can do real fraud with that. My point is that having my address, phone number and email has radically different risks than financial information. That is the only point I was making.
Greg

I assume you’re referring to this?

https://www.icann.org/en/system/files/files/resolutions-implementation-recs-...

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Greg Aaron <gca@icginc.com>
Date: Tuesday 13 February 2018 at 17:06
To: John Bambenek <jcb@bambenekconsulting.com>, Chris Pelling <chris@netearth.net>, 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org>

John’s point is a fair one: the risk levels are very different. Comparing social security numbers to phone numbers is an apples-to-oranges comparison.

A logical conclusion is that folks should be very concerned about the information security practices at their registrars, which is where the most sensitive data is collected and stored. Anyone up for inserting better security requirements into the RAA? ;-)
Nope. Those don’t recommend any new RAA requirements that will protect the data collected and stored by registrars. They recommend discussion of such. I’m sure folks could imagine a variety of information security requirements that could be incorporated into the RAA.

From: Michele Neylon - Blacknight [mailto:michele@blacknight.com]
Sent: Tuesday, February 13, 2018 12:28 PM
To: Greg Aaron <gca@icginc.com>; John Bambenek <jcb@bambenekconsulting.com>; Chris Pelling <chris@netearth.net>; 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org>

Greg

I assume you’re referring to this?

https://www.icann.org/en/system/files/files/resolutions-implementation-recs-...

Regards

Michele
Sorry Greg, Totally disagree based on the requirements of the RAA and data retention requirements. Sending data to Icann for audits etc, to iron mountain for data escrow. Way too much data in my opinion
From Chris on the move!
On Tue, Feb 13, 2018 at 5:07 PM +0000, "Greg Aaron" <gca@icginc.com> wrote:
John's point is a fair one: the risk levels are very different. Comparing social security numbers to phone numbers is an apples-to-oranges comparison.
A logical conclusion is that folks should be very concerned about the information security practices at their registrars, which is where the most sensitive data is collected and stored. Anyone up for inserting better security requirements into the RAA? ;-)
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Bambenek via gnso-rds-pdp-wg
Sent: Tuesday, February 13, 2018 11:54 AM
To: Chris Pelling <chris@netearth.net>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
My personal data WAS stolen in the Equifax breach. People can do real fraud with that. My point is that having my address, phone number and email has radically different risks than financial information. That is the only point I was making.
On 2/13/2018 10:52 AM, Chris Pelling wrote:
Please don't diss valid points John - I am sure if your personal information was stolen in this attack and they had your SSN/TIN, credit card number and expiry date, you would be singing a different tune.
Kind regards,
Chris
From: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
To: "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
Sent: Tuesday, 13 February, 2018 16:48:27
Subject: Re: [gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
To: http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Pwned credit-score biz quietly admits more info lost. By Iain Thomson in San Francisco, 13 Feb 2018 at 02:13
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
--
John Bambenek
On 13 Feb 2018, at 15:29, Chris Pelling <chris@netearth.net> wrote:
Sorry Greg,
Totally disagree based on the requirements of the RAA and data retention requirements. Sending data to ICANN for audits etc., to Iron Mountain for data escrow.
Way too much data in my opinion
During audits data is sent to auditors, not to ICANN. I wouldn't trust ICANN InfoSec with such data and I think most contracted parties wouldn't either.
As for data escrow, it only contains registration data; while some information there is sensitive (like physical address), registrants would rather keep their domains in case of a registrar or registry collapse. Different from WHOIS publication, when the possible legitimate uses under discussion are of 3rd parties, escrow is a legitimate interest of the registrant. While I would like to see DPAs signing on that thinking to be sure we are on the safe side, it's not a balance, it is in place towards registrant benefit. The only grey area here is "right to be forgotten" after a domain is deleted or transferred; will a registrant be able to ask for such data removal, or is a domain registry like a land registry where the ownership history belongs to society not to individual owners of that piece of land?
Rubens
Hi Rubens,
My understanding from doing these audits twice is that the data is sent to an ICANN-managed and controlled system, and this is then sent on to the auditor, KPMG, in these cases. That or KPMG has access to the data on the ICANN system.
Kind regards,
Chris
Chris,
When I found two vulnerabilities at the website in question, https://compliance.icann.org, ICANN informed me that KPMG was in charge of that server. This was corroborated by the OU field in the certificate indicating KPMG. Since then, compliance.icann.org now redirects to https://mft.us.kpmg.com/, making it clearer that the data is being sent to KPMG. From an ICANN message of the time (February 2016): "(name) is on top of this and working with IT and KPMG to address it."
Rubens
This is just an example but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses, emails which are required for verification. This takes us to the issue of consent.
On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
--
Regards
Nanghaka Daniel K.
Executive Director - ILICIT Africa / Chair - FOSSFA / Community Lead - ISOC Uganda Chapter / Geo4Africa Lead / Organising Team - FOSS4G2018
Mobile +256 772 898298 (Uganda)
Skype: daniel.nanghaka
"Working for Africa"
Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem. People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
This is just an example but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses, emails which are required for verification.
This takes us to the issue of consent.
--
John Bambenek
You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.
On 13.02.2018 at 17:57, John Bambenek via gnso-rds-pdp-wg wrote:
Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.
People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
Ok, so you agree with me in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out and move forward. So let's do that. When can we implement?
On 2/13/2018 10:58 AM, Volker Greimann wrote:
You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.
Am 13.02.2018 um 17:57 schrieb John Bambenek via gnso-rds-pdp-wg:
Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.
People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
This is just an example, but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses and emails, which are required for verification.
This takes us to issue of consent.
On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone... a further reason for data minimization and short retention periods.
To: http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
*Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc* Pwned credit-score biz quietly admits more info lost By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
I am not sure you want that, because that means completely dark whois. I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent. Consent is not the solution. On 13.02.2018 at 18:00, John Bambenek via gnso-rds-pdp-wg wrote:
Ok, so you agree with me in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out and move forward.
So let's do that. When can we implement?
No it doesn't, because there are large incentives for institutions and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed. If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data? On 2/13/2018 11:04 AM, Volker Greimann wrote:
I am not sure you want that, because that means completely dark whois.
I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent.
Consent is not the solution.
Exactly, ICANN should have never mandated registrant data to register a domain name in the first place, a big mistake. Technically it is not required anyways. On 13-2-2018 18:07, John Bambenek via gnso-rds-pdp-wg wrote:
No it doesn't, because there are large incentives for institutions and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed.
If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data?
Correct, you CAN have DNS without WHOIS. What you can't have is voluntary interconnection of networks. You can't have providers working with each other to resolve problems. You can't have victim notification. You can't have investigations that proactively block much more serious privacy and security risks. j On 2/13/2018 11:13 AM, Theo Geurts wrote:
Exactly, ICANN should have never mandated registrant data to register a domain name in the first place, a big mistake. Technically it is not required anyways.
On 13-2-2018 18:07, John Bambenek via gnso-rds-pdp-wg wrote:
No it doesn't because there are large incentives for institution and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed.
If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data?
On 2/13/2018 11:04 AM, Volker Greimann wrote:
I am not sure you want that, because that means completely dark whois.
I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent.
Consent is not the solution.
Am 13.02.2018 um 18:00 schrieb John Bambenek via gnso-rds-pdp-wg:
Ok, so you agree with my in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out and move forward.
So let's do that. When can we implement?
On 2/13/2018 10:58 AM, Volker Greimann wrote:
You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.
Am 13.02.2018 um 17:57 schrieb John Bambenek via gnso-rds-pdp-wg:
Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.
People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
> This is just an example but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses, emails which are required for verification.
>
> This takes us to the issue of consent.
>
> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
>
> Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
>
> On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>> Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone..... a further reason for data minimization and short retention periods.
>>
>> To: http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>
>> *Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc*
>> Pwned credit-score biz quietly admits more info lost
>> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
--
John Bambenek
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
On Tue, Feb 13, 2018 at 11:27:02AM -0600, John Bambenek via gnso-rds-pdp-wg wrote:
> Correct, you CAN have DNS without WHOIS. What you can't have is voluntary interconnection of networks.

Right. You can have DNS without some kind of RDS, but you can't make the Internet that way.

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
John

While we can agree that businesses do want to be contacted, very few of them would expect their clients or customers to resort to whois records for that. Thousands of our clients use .ie domain names. There are no contact details available in the .ie whois. Here's one for one of our domains: http://paste.ie/view/3e3f31bb

We also often see clients using obfuscated whois, or simply a TLD with minimal to no whois, happily publishing their details on their websites or in their emails.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Bambenek <jcb@bambenekconsulting.com>
Date: Tuesday 13 February 2018 at 17:07
To: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

No it doesn't, because there are large incentives for institutions and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed.

If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data?

On 2/13/2018 11:04 AM, Volker Greimann wrote:

I am not sure you want that, because that means completely dark whois.

I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent.

Consent is not the solution.

On 13.02.2018 at 18:00, John Bambenek via gnso-rds-pdp-wg wrote:

Ok, so you agree with me in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out and move forward.

So let's do that. When can we implement?

On 2/13/2018 10:58 AM, Volker Greimann wrote:

You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.

On 13.02.2018 at 17:57, John Bambenek via gnso-rds-pdp-wg wrote:

Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.

People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.

On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:

This is just an example but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses, emails which are required for verification.

This takes us to the issue of consent.

On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.

On 2/13/2018 10:45 AM, Stephanie Perrin wrote:

Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone..... a further reason for data minimization and short retention periods.
To: http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/

Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Pwned credit-score biz quietly admits more info lost
By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
John, if businesses want to publish their information, they should do it on their website, as they are legally required to (at least over here). No need for whois for that. So that purpose is out the window already.

Volker

On 13.02.2018 at 18:07, John Bambenek via gnso-rds-pdp-wg wrote:
No it doesn't, because there are large incentives for institutions and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed.
If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data?
On 2/13/2018 11:04 AM, Volker Greimann wrote:
I am not sure you want that, because that means completely dark whois.
I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent.
Consent is not the solution.
On 13.02.2018 at 18:00, John Bambenek via gnso-rds-pdp-wg wrote:
Ok, so you agree with me in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out and move forward.
So let's do that. When can we implement?
On 2/13/2018 10:58 AM, Volker Greimann wrote:
You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.
On 13.02.2018 at 17:57, John Bambenek via gnso-rds-pdp-wg wrote:
Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.
People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
This is just an example but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses, emails which are required for verification.
This takes us to the issue of consent.
On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
> Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone..... a further reason for data minimization and short retention periods.
>
> To: http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>
> *Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc*
> Pwned credit-score biz quietly admits more info lost
> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
--
John Bambenek
--
Regards
Nanghaka Daniel K.
Executive Director - ILICIT Africa / Chair - FOSSFA / Community Lead - ISOC Uganda Chapter / Geo4Africa Lead / Organising Team - FOSS4G2018
Mobile +256 772 898298 (Uganda)
Skype: daniel.nanghaka
----------------------------------------- "Working for Africa" -----------------------------------------
Except if the technical problem is the website, which is inaccessible due to routing issues, security issues, website compromise, etc.... That's one of the major reasons an INDEPENDENT system was created: to allow for out-of-band communication to resolve problems when the problems facing the underlying infrastructure ALSO prevent getting to things like websites. For instance, if there are problems with DNS, you can't get to the website. There are very strong reasons why this system was created in the first place.

On 2/13/2018 11:33 AM, Volker Greimann wrote:
John, if businesses want to publish their information, they should do it on their website, as they are legally required to (at least over here). No need for whois for that. So that purpose is out the window already.
Volker
On 13.02.2018 at 18:07, John Bambenek via gnso-rds-pdp-wg wrote:
No it doesn't, because there are large incentives for institutions and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed.
If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data?
On 2/13/2018 11:04 AM, Volker Greimann wrote:
I am not sure you want that, because that means completely dark whois.
I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent.
Consent is not the solution.
On 13.02.2018 at 18:00, John Bambenek via gnso-rds-pdp-wg wrote:
Ok, so you agree with me in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out and move forward.
So let's do that. When can we implement?
On 2/13/2018 10:58 AM, Volker Greimann wrote:
You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.
On 13.02.2018 at 17:57, John Bambenek via gnso-rds-pdp-wg wrote:
Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.
People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
> This is just an example but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses, emails which are required for verification.
>
> This takes us to the issue of consent.
>
> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
>
> Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
>
> On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>> Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone..... a further reason for data minimization and short retention periods.
>>
>> To: http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>
>> *Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc*
>> Pwned credit-score biz quietly admits more info lost
>> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
--
John Bambenek
I am mystified as to why some people in this group don't recognize that while (that's US for "whilst," for my European friends!) legitimate business may do that -- and indeed, may be required to in Ireland and Japan and a few other countries, a) there is no requirement in other locations to do so, and b) the bad actors either don't publish it or put falsified information on their website... but the Whois record, whether accurate or falsified (and sometimes even with privacy protection), is helpful in anti-money laundering, consumer protection, certification, anti-abuse and trust and safety. Let's all acknowledge that we live in a world where there are many, many legitimate e-commerce businesses but many illicit ones as well! Our solutions have to accommodate all of the above.

John Horton
President and CEO, LegitScript

Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Tue, Feb 13, 2018 at 9:33 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
John, if businesses want to publish their information, they should do it on their website, as they are legally required to (at least over here). No need for whois for that. So that purpose is out the window already.
Volker
Am 13.02.2018 um 18:07 schrieb John Bambenek via gnso-rds-pdp-wg:
No it doesn't, because there are large incentives for institutions and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed.
If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data?
On 2/13/2018 11:04 AM, Volker Greimann wrote:
I am not sure you want that, because that means completely dark whois.
I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent.
Consent is not the solution.
Am 13.02.2018 um 18:00 schrieb John Bambenek via gnso-rds-pdp-wg:
Ok, so you agree with me in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out, and move forward.
So let's do that. When can we implement?
On 2/13/2018 10:58 AM, Volker Greimann wrote:
You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.
Am 13.02.2018 um 17:57 schrieb John Bambenek via gnso-rds-pdp-wg:
Exactly right. As far as I'm concerned if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.
People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
This is just an example, but there is a lot of damage that can be caused by data being exposed. In our case we have phone numbers, addresses, and emails, which are required for verification.
This takes us to issue of consent.
On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
John,
I think some of us are still mystified that there are no "huge" issues in 147 million ccTLDs while there seem to be "huge" issues with 181 million gTLDs, 25% of them using privacy proxy services.
Personally I am more mystified why we keep on relying on WHOIS to combat such issues while the abuse rate goes up in the gTLD space each year. Perhaps it is time to come up with something better? It looks like we would rather patch up the boat, sinking deeper each year, than create a new seaworthy vessel.
Theo
Theo - this comment is off target on many levels and takes us well outside of Whois. The #1 abuse-driving issue is cheap domains, due to pricing schemes and business models of registrars and registries. Bad actors target COM because it's popular and well-known. There are lots of tools we need to fight abuse; Whois is but one. But a powerful one.
I am off target? I think I am very on target since the very start of this WG trying to bridge data protection and fighting abuse. Theo On 13-2-2018 21:56, Chen, Tim wrote:
Theo - this comment is off target on many levels and takes us well outside of Whois. The #1 abuse-driving issue is cheap domains, due to pricing schemes and business models of registrars and registries. Bad actors target COM bc it's popular and well-known. Lots of tools we need to fight abuse, Whois is but one. But a powerful one.
On Tue, Feb 13, 2018 at 9:56 AM, Theo Geurts <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>> wrote:
John,
I think some of us are still mystified that there are no "huge" issues in 147 million ccTLDs while there seems to be "huge" issues with 181 million gTLDs ,25% of them using privacy proxy services.
Personally I am more mystified why we keep on relying on WHOIS to combat such issues while the abuse rate goes up in the gTLD space each year. Perhaps time to come up with something better? It looks like we rather patch up the boat sinking deeper down each year, as opposed to create a new sea worthy vessel.
Theo
On 13-2-2018 18:43, John Horton via gnso-rds-pdp-wg wrote:
I am mystified as to why some people in this group don't recognize that while (that's US for "whilst," for my European friends!) legitimate business may do that -- and indeed, may be required to in Ireland and Japan and a few other countries, a) there is no requirement in other locations to do so, and b) the bad actors either don't publish it or put falsified information on their website...but the Whois record, whether accurate or falsified (and sometimes even with privacy protection) is helpful in anti-money laundering, consumer protection, certification, anti abuse and trust and safety. Let's all acknowledge that we live in a world where there are many, many legitimate e-commerce businesses but many illicit ones as well! Our solutions have to accommodate for all of the above.
John Horton President and CEO, LegitScript
*FollowLegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | _Blog <http://blog.legitscript.com/>_ |Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Tue, Feb 13, 2018 at 9:33 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
John, if businesses want to publish their information, they should do it on their website, as they are legally required to (at least over here). No need for whois for that. So that purpose is out the window already.
Volker
Am 13.02.2018 um 18:07 schrieb John Bambenek via gnso-rds-pdp-wg:
No it doesn't because there are large incentives for institution and individuals to continue to publish information. Businesses, for instance, WANT to be contacted. If you want mail delivered, certain best practices are imposed.
If consent is not the solution, YOU are deciding what the rest of the world can and cannot do with their data. Who exactly made ICANN the arbiter of what I can do with my data?
On 2/13/2018 11:04 AM, Volker Greimann wrote:
I am not sure you want that, because that means completely dark whois.
I'd prefer an approach where we do not need to rely on consent (but can still offer it as an option). The hard bit is finding the right principles of who gets access to what and how even when there is no consent.
Consent is not the solution.
On 13.02.2018 at 18:00, John Bambenek via gnso-rds-pdp-wg wrote:
Ok, so you agree with me in principle and we're just haggling over the details now. Flip a coin for all I care, opt-in/opt-out, and move forward.
So let's do that. When can we implement?
On 2/13/2018 10:58 AM, Volker Greimann wrote:
You are still looking at the wrong end of the horse. Privacy is not the choice, it is the default. Divulging data is the choice.
On 13.02.2018 at 17:57, John Bambenek via gnso-rds-pdp-wg wrote:
Exactly right. As far as I'm concerned, if we made privacy a free choice, make the fields optional for all I care, and whatever they do make is public... we have solved this problem.
People who ACTUALLY protect society against privacy threats have the data to do their jobs, consumers who want privacy have a free option for it, and registrars can be in compliance with the law.
On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
This is just an example, but there is a lot of damage that can be caused with data being exposed. In our case we have phone numbers, addresses, emails which are required for verification.
This takes us to the issue of consent.
On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Let's be honest here, we're talking about phone numbers and email addresses. The threat model is RADICALLY different with the data we are talking about.
On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone.....a further reason for data minimization and short retention periods.
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
Theo, as to your earlier question re: ccTLDs -- all I can offer is my own experience and analysis (but we've got a lot of data, so here goes). There is quite a bit of abuse there as well, but to the extent it's less or more than .COM or other gTLDs, it's often a result of some policy directly related to Whois.
- .US, with a nexus requirement and no privacy/proxy (historically, at least, can't remember if that went away) was easier from our perspective to address abuse on. In my world, if you want to sell Vicodin without a prescription online and can't hide behind p/p, have to have a US nexus and know that there's a Whois validity requirement...you aren't going to use .US. :) Those that did were pretty easy to address -- you didn't even necessarily have to address content, but could just show that the Whois was inaccurate in many cases.
- Unless there's a lot of pre-validation of meeting a nexus requirement, there's more abuse we see where a ccTLD has unavailable Whois. Who knows if they are really meeting the nexus requirement or not!
So yeah, there's abuse in ccTLDs, some more than others, largely depending on Whois policy and nexus requirements, in my view.
I agree with Tim's larger point. You simply can't, in my view, have accountability and prevent certain types of abuse without transparency as to the right to operate the domain name, which (due to the nature of abuse and crime being mostly money-motivated) chiefly plays out with registrants acting as legal, not natural persons. Hence, the need for the registrar community, in my view, to consider a bifurcated solution. You make a totally credible argument as to the obvious need to comply with the GDPR. Many of us simply object to the notion that this is supposed to become the new global standard.
Why not just add a question to the registration form as to whether the registrant is in the EU or is an EU citizen, and whether they are a legal or natural person (or plan to use the domain name for commercial purposes)? If they are in the EU or a citizen, and are natural persons not using the domain name commercially, give them free privacy/proxy, and keep Whois the same for anyone for which the answers to the above aren't "TRUE". I know that's inconvenient for registrars to update their forms, but that's not a good reason not to implement that solution. (What's convenient about the GDPR in the first place?) And let me be clear -- I want to make sure registrars are protected from liability here, but it's not a credible argument to say that the only way to protect you from liability is a blanket global solution.
John Horton President and CEO, LegitScript
*Follow LegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | *Blog <http://blog.legitscript.com/>* | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Tue, Feb 13, 2018 at 1:14 PM, theo geurts <gtheo@xs4all.nl> wrote:
I am off target? I think I am very on target since the very start of this WG trying to bridge data protection and fighting abuse.
Theo
On 13-2-2018 21:56, Chen, Tim wrote:
Theo - this comment is off target on many levels and takes us well outside of Whois. The #1 abuse-driving issue is cheap domains, due to pricing schemes and business models of registrars and registries. Bad actors target COM bc it's popular and well-known. Lots of tools we need to fight abuse, Whois is but one. But a powerful one.
On Tue, Feb 13, 2018 at 9:56 AM, Theo Geurts <gtheo@xs4all.nl> wrote:
John,
I think some of us are still mystified that there are no "huge" issues in 147 million ccTLDs while there seem to be "huge" issues with 181 million gTLDs, 25% of them using privacy proxy services.
Personally I am more mystified why we keep on relying on WHOIS to combat such issues while the abuse rate goes up in the gTLD space each year. Perhaps it is time to come up with something better? It looks like we'd rather patch up the boat sinking deeper down each year, as opposed to creating a new seaworthy vessel.
Theo
On 13 Feb 2018, at 19:49, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Theo, as to your earlier question re: ccTLDs -- all I can offer is my own experience and analysis (but we've got a lot of data, so here goes). There is quite a bit of abuse there as well, but to the extent it's less or more than .COM or other gTLDs, it's often a result of some policy directly related to Whois. .US, with a nexus requirement and no privacy/proxy (historically, at least, can't remember if that went away) was easier from our perspective to address abuse on. In my world, if you want to sell Vicodin without a prescription online and can't hide behind p/p, have to have a US nexus and know that there's a Whois validity requirement...you aren't going to use .US. :) Those that did were pretty easy to address -- you didn't even necessarily have to address content, but could just show that the Whois was inaccurate in many cases. Unless there's a lot of pre-validation of meeting a nexus requirement, there's more abuse we see where a ccTLD has unavailable Whois. Who knows if they are really meeting the nexus requirement or not! So yeah, there's abuse in ccTLDs, some more than others, largely depending on Whois policy and nexus requirements, in my view. I agree with Tim's larger point. You simply can't, in my view, have accountability and prevent certain types of abuse without transparency as to the right to operate the domain name, which (due to the nature of abuse and crime being mostly money-motivated) chiefly plays out with registrants acting as legal, not natural persons. Hence, the need for the registrar community, in my view, to consider a bifurcated solution. You make a totally credible argument as to the obvious need to comply with the GDPR. Many of us simply object to the notion that this is supposed to become the new global standard.
Why not just add a question to the registration form as to whether the registrant is in the EU or is an EU citizen, and whether they are a legal or natural person (or plan to use the domain name for commercial purposes)? If they are in the EU or a citizen, and are natural persons not using the domain name commercially, give them free privacy/proxy, and keep Whois the same for anyone for which the answers to the above aren't "TRUE". I know that's inconvenient for registrars to update their forms, but that's not a good reason not to implement that solution. (What's convenient about the GDPR in the first place?) And let me be clear -- I want to make sure registrars are protected from liability here, but it's not a credible argument to say that the only way to protect you from liability is a blanket global solution.
As explained in part 2 of the Hamilton memo, picking by EU registrant/citizenship doesn't cut it regarding GDPR. The commercial use is also not a factor in GDPR, so also can't be used; being a legal or natural person is something that GDPR contemplates, but only applies to the registrant legal name. All other data, even on domains registered by legal persons, refer to private individuals, like contact information, so for those fields GDPR is in full force.
Registrar forms currently have a lot of required information and implicit consents; the problem is not adding one or two more, but effectively shielding from liability for not complying with GDPR.
Rubens
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
John Horton President and CEO, LegitScript
*Follow LegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | *Blog <http://blog.legitscript.com/>* | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Tue, Feb 13, 2018 at 2:06 PM, Rubens Kuhl <rubensk@nic.br> wrote:
On 13 Feb 2018, at 19:49, John Horton via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
Theo, as to your earlier question re: ccTLDs -- all I can offer is my own experience and analysis (but we've got a lot of data, so here goes). There is quite a bit of abuse there as well, but to the extent it's less or more than .COM or other gTLDs, it's often a result of some policy directly related to Whois.
- .US, with a nexus requirement and no privacy/proxy (historically, at least, can't remember if that went away) was easier from our perspective to address abuse on. In my world, if you want to sell Vicodin without a prescription online and can't hide behind p/p, have to have a US nexus and know that there's a Whois validity requirement...you aren't going to use .US. :) Those that did were pretty easy to address -- you didn't even necessarily have to address content, but could just show that the Whois was inaccurate in many cases. - Unless there's a lot of pre-validation of meeting a nexus requirement, there's more abuse we see where a ccTLD has unavailable Whois. Who knows if they are really meeting the nexus requirement or not! So yeah, there's abuse in ccTLDs, some more than others, largely depending on Whois policy and nexus requirements, in my view.
I agree with Tim's larger point. You simply can't, in my view, have accountability and prevent certain types of abuse without transparency as to the right to operate the domain name, which (due to the nature of abuse and crime being mostly money-motivated) chiefly plays out with registrants acting as legal, not natural persons. Hence, the need for the registrar community, in my view, to consider a bifurcated solution. You make a totally credible argument as to the obvious need to comply with the GDPR. Many of us simply object to the notion that this is supposed to become the new global standard.
Why not just add a question to the registration form as to whether the registrant is in the EU or is an EU citizen, and whether they are a legal or natural person (or plan to use the domain name for commercial purposes)? If they are in the EU or a citizen, and are natural persons not using the domain name commercially, give them free privacy/proxy, and keep Whois the same for anyone for which the answers to the above aren't "TRUE". I know that's inconvenient for registrars to update their forms, but that's not a good reason not to implement that solution. (What's convenient about the GDPR in the first place?) And let me be clear -- I want to make sure registrars are protected from liability here, but it's not a credible argument to say that the only way to protect you from liability is a blanket global solution.
As explained in part 2 of the Hamilton memo, picking by EU registrant/citizenship doesn't cut it regarding GDPR. The commercial use is also not a factor in GDPR, so also can't be used; being a legal or natural person is something that GDPR contemplates, but only applies to the registrant legal name. All other data, even on domains registered by legal persons, refer to private individuals, like contact information, so for those fields GDPR is in full force.
Registrar forms currently have a lot of required information and implicit consents; the problem is not adding one or two more, but effectively shielding from liability for not complying with GDPR.
Rubens
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund, and everyone who is fined for data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
On 14.02.2018 at 02:21, Rubens Kuhl wrote:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined by data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
On 14.02.2018 at 02:21, Rubens Kuhl wrote:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
That would be problematic, as you should know, since there is no clear-cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.
I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws.
Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change.
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
On 15.02.2018 at 05:14, Greg Shatan wrote:
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined by data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
On 14.02.2018 at 02:21, Rubens Kuhl wrote:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP forward, you are part of the problem.
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net>
Date: Thursday, February 15, 2018 at 4:30 AM
To: Greg Shatan <gregshatanipc@gmail.com>
Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear-cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.
I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws.
Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change.
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
On 15.02.2018 at 05:14, Greg Shatan wrote:
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined by data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
On 14.02.2018 at 02:21, Rubens Kuhl wrote:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity and IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) I think we should get on with developing those standards, preferably ISO standards with the possibility of independent audit.
Stephanie Perrin
On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP _forward_, you are part of the problem.
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net>
Date: Thursday, February 15, 2018 at 4:30 AM
To: Greg Shatan <gregshatanipc@gmail.com>
Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear-cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.
I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws.
Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change.
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
On 15.02.2018 at 05:14, Greg Shatan wrote:
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined by data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
On 14.02.2018 at 02:21, Rubens Kuhl wrote:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here<https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo.
Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
+1 Stephanie. Our time is also running short...
On Feb 15, 2018, at 21:44, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity and IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) I think we should get on with developing those standards, preferably ISO standards with the possibility of independent audit.
Stephanie Perrin
On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP forward, you are part of the problem.
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net>
Date: Thursday, February 15, 2018 at 4:30 AM
To: Greg Shatan <gregshatanipc@gmail.com>
Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear-cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.
I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws.
Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change.
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
On 15.02.2018 at 05:14, Greg Shatan wrote:
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined by data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
On 14.02.2018 at 02:21, Rubens Kuhl wrote:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
Kris Seeburn
seeburn.k@gmail.com
www.linkedin.com/in/kseeburn/
"Life is a Beach, it all depends at how you look at it"
Because of the long lead time for scheduling workshops, it’s not too early to explore the value of one in Barcelona in June. It would be helpful if we could get to our charter question on Gated Access well before then if possible.
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin
Sent: Thursday, February 15, 2018 9:45 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity and IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) I think we should get on with developing those standards, preferably ISO standards with the possibility of independent audit.
Stephanie Perrin
On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP forward, you are part of the problem.
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net>
Date: Thursday, February 15, 2018 at 4:30 AM
To: Greg Shatan <gregshatanipc@gmail.com>
Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear-cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.
I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws.
Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change.
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
On 15.02.2018 at 05:14, Greg Shatan wrote:
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined by data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
On 14.02.2018 at 02:21, Rubens Kuhl wrote:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
Hi Everyone,
could someone explain the difference between A and B?
a) Domain Name Certification is an OPT-IN purpose for collecting registration data (that is, registries/registrars are required to support collection, but data is collected for this purpose at the registrant's choice).
b) Registrants may opt-in to the collection of registration data for the purpose of Domain Name Certification. In this case, registries/registrars are required to support collection of this optional data, but any data collected for this purpose is done at the choice of the registrant.
Many thanks and have a good weekend.
Thomas
--
* * *
Friendly geek in Amsterdam, happy FSFE and EFF member
https://wiki.techinc.nl/index.php/User:Thomascovenant
Choice a) was the possible agreement as proposed during the WG call. Choice b) is a rewording intended to express the same concept with greater clarity. But instead of assuming equivalence, the poll includes both variants to give all WG members an opportunity to express preference (if any) between the two.

Regards
Lisa

At 11:25 AM 2/15/2018, Dina Solveig Jalkanen wrote:
Hi everyone,

First of all, I haven't myself noticed any clear sexism or bullying on this particular thread, but I implore everyone to keep the discussion, whilst undoubtedly passionate (which is fine), polite at all times. Email, like text messages, can be a difficult medium for expressive prose, but acknowledging respectful disagreement is always a winner.

We've talked on other threads about further questions / explanations from lawyers / DPAs on privacy issues, which I think is always helpful, and I support this. I think from what I understand that Stephanie suggests below a similar thing from the cyber security side too. I also think this is an excellent idea, so please count this as my support. I personally feel there are many misperceptions around LEAs, cyber security and the law, and that such a discussion would enlighten all of us on all sides of the debate.

I've got quite a few thoughts on this, which I will try to share over the weekend, but right now I've got a date with a Guinness. =)

Kind regards,
Nick

Nick Shorey
Phone: +44 (0) 7552 455 988
Email: lists@nickshorey.com
Skype: nick.shorey
Twitter: @nickshorey
LinkedIn: www.linkedin.com/in/nicklinkedin
Web: www.nickshorey.com

On 15 Feb 2018, at 19:39, Lisa Phifer <lisa@corecom.com> wrote:
Hi Chuck,

Barcelona is ICANN 63 in October; in June it's ICANN 62 in Panama City: https://www.google.co.uk/search?hl=en&q=icann+meetings+2018&meta=

Kind regards,
Chris

From: "Chuck" <consult@cgomes.com>
To: "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
Sent: Thursday, 15 February, 2018 18:14:24
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Because of the long lead time for scheduling workshops, it's not too early to explore the value of one in Barcelona in June. It would be helpful if we could get to our charter question on Gated Access well before then if possible.

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin
Sent: Thursday, February 15, 2018 9:45 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity and IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and I (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) think we should get on with developing those standards, preferably ISO standards with possibility for independent audit.

Stephanie Perrin

On 2018-02-15 11:34, Sara Bockey wrote:

Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.

EXACTLY! And what's lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We've heard you. What we have NOT heard is "we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________."

Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn't have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP forward, you are part of the problem.

Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net>
Date: Thursday, February 15, 2018 at 4:30 AM
To: Greg Shatan <gregshatanipc@gmail.com>
Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

That would be problematic, as you should know, since there is no clear-cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.

I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws.

Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change. Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.

Volker out!

On 15.02.2018 at 05:14, Greg Shatan wrote:

In a similar vein, ICANN could establish an "Over-enforce the GDPR Fund," in which everyone who thinks the GDPR's data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.

On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:

Maybe you are hitting on something here. ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund, and everyone who is fined for data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.

Best,
Volker

On 14.02.2018 at 02:21, Rubens Kuhl wrote:

On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:

Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.

It's exactly that memo.

Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid. What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk. If you see things differently, get European DPAs to put that in writing, and we are all good to go.

Rubens
My mistake Chris. Thanks for setting me straight. I am probably too optimistic, but it would be nice if it could happen in Panama in June.

Chuck

From: Chris Pelling [mailto:chris@netearth.net]
Sent: Thursday, February 15, 2018 1:10 PM
To: Chuck <consult@cgomes.com>
Cc: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
No issue Chuck, although June is very optimistic in my opinion, simply because the month prior - all hell breaks loose with GDPR :) At least if we look at October, we can get the info out to as many DPAs as poss to get them there; plus, being Barcelona, it will be a lot cheaper for the countries to send them to Spain than the other side of the world (as governments don't like paying for very much to start with) :)

Kind regards,
Chris

From: "Chuck" <consult@cgomes.com>
To: "Chris Pelling" <chris@netearth.net>
Cc: "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org>
Sent: Thursday, 15 February, 2018 21:12:23
Subject: RE: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
This was certainly part of my reasoning....I would like those involved in ISO privacy standards, who happen to be in Germany and Austria, to be able to attend. Also a variety of interested DPAs, who I expect are likely to come from Europe.

cheers
Stephanie

On 2018-02-15 16:15, Chris Pelling wrote:
No issue Chuck, although, June is very optimistic in my opinion simply because the month prior - all hell breaks loose with GDPR :) At least if we look at October, we can get the info out to as many DPA's as poss to get them there, plus, being Barcelona, it will be a lot cheaper for the countries to send them to Spain than the other side of the world (as governmetns dont like paying for very much to start with) :)
Kind regards,
Chris
------------------------------------------------------------------------ *From: *"Chuck" <consult@cgomes.com> *To: *"Chris Pelling" <chris@netearth.net> *Cc: *"Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> *Sent: *Thursday, 15 February, 2018 21:12:23 *Subject: *RE: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
My mistake Chris. Thanks for setting me straight. I am probably too optimistic, but it would be nice if it could happen in Panama in June.
Chuck
*From:*Chris Pelling [mailto:chris@netearth.net] *Sent:* Thursday, February 15, 2018 1:10 PM *To:* Chuck <consult@cgomes.com> *Cc:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Hi Chuck,
Barcelona is ICANN 63 in October, in June its ICANN 62 in Panama City : https://www.google.co.uk/search?hl=en&q=icann+meetings+2018&meta=
Kind regards,
Chris
------------------------------------------------------------------------
*From: *"Chuck" <consult@cgomes.com <mailto:consult@cgomes.com>> *To: *"Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> *Sent: *Thursday, 15 February, 2018 18:14:24 *Subject: *Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Because of the long lead time for scheduling workshops, it’s not too early to explore the value of one in Barcelona in June. It would be helpful if we could get to our charter question on Gated Access well before then if possible.
Chuck
*From:*gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Stephanie Perrin *Sent:* Thursday, February 15, 2018 9:45 AM *To:* gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity an IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and I (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) I think we should get on with developing those standards, preferably ISO standards with possibility for independent audit.
Stephanie Perrin
On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP forward, you are part of the problem.
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net> <mailto:vgreimann@key-systems.net> *Date: *Thursday, February 15, 2018 at 4:30 AM *To: *Greg Shatan <gregshatanipc@gmail.com> <mailto:gregshatanipc@gmail.com> *Cc: *"gnso-rds-pdp-wg@icann.org" <mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.
I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws.
Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix, that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change.
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
Am 15.02.2018 um 05:14 schrieb Greg Shatan:
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund, and everyone who is fined for data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
Am 14.02.2018 um 02:21 schrieb Rubens Kuhl:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com<mailto:john.horton@legitscript.com>> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here<https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo.
Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Good points Chris. Thanks again.
Chuck
*From:* Chris Pelling [mailto:chris@netearth.net] *Sent:* Thursday, February 15, 2018 1:16 PM *To:* Chuck <consult@cgomes.com> *Cc:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
No issue Chuck, although June is very optimistic in my opinion, simply because the month prior all hell breaks loose with GDPR :) At least if we look at October, we can get the info out to as many DPAs as poss to get them there; plus, being Barcelona, it will be a lot cheaper for the countries to send them to Spain than the other side of the world (as governments don't like paying for very much to start with) :)
Kind regards,
Chris
*From:* "Chuck" <consult@cgomes.com> *To:* "Chris Pelling" <chris@netearth.net> *Cc:* "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> *Sent:* Thursday, 15 February, 2018 21:12:23 *Subject:* RE: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
My mistake Chris. Thanks for setting me straight. I am probably too optimistic, but it would be nice if it could happen in Panama in June.
Chuck
*From:* Chris Pelling [mailto:chris@netearth.net] *Sent:* Thursday, February 15, 2018 1:10 PM *To:* Chuck <consult@cgomes.com> *Cc:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Hi Chuck, Barcelona is ICANN 63 in October; in June it's ICANN 62 in Panama City: https://www.google.co.uk/search?hl=en&q=icann+meetings+2018&meta=
Kind regards,
Chris
Hi, On Thu, Feb 15, 2018 at 12:44:32PM -0500, Stephanie Perrin wrote:
Barcelona meeting to discuss accreditation requirements for cybersecurity an IP actors who want to retain access to personal data in a tiered access solution.
What do you mean by "accreditation"? It seems to me there are two models. One is that ICANN is a gate-keeper, and makes decisions about everyone who wants access to these things. Another is that ICANN relies on various sector- or industry-related bodies to do that work, and ICANN just acts as a clearing house. So, for instance, ICANN could decide that INTERPOL gets to decide what a police officer is, and ICANN simply accepts that definition.
It strikes me that quite possibly both mechanisms could be needed, with the first providing a fallback when someone has a legitimate need but doesn't have a relevant approved community group to rely on.
A nice thing about option (2) is that ICANN then doesn't need to be in the business of making a lot of decisions. If there's already some international or treaty body that governments accept, then ICANN can just incorporate that acceptance all on its own. (This is similar to how ICANN doesn't need to decide who a country is.) Even better, the mechanism for such accreditation is for the "accrediting organization" to run an OAuth server. That way, the org in question could change its membership all it wanted without informing or even having anything to do with ICANN. An OAuth profile would identify that kind of account, and the user would get the appropriate access. This is just how it works when you "use Google" to log into a non-Google site. It's an already-invented technology that is ready to go for RDAP today. You can see it working IIRC in Scott Hollenbeck's testbed/demo system.
We have the technology today, ready to go and waiting, to make this easy. Let's please not design a new accreditation system that gets ICANN into the business of evaluating every professional claim on the Internet.
Best regards,
A
-- Andrew Sullivan ajs@anvilwalrusden.com
Andrew,
Couple things. One, couldn’t agree with you more on model two with a little bit of model one thrown in on some overall accreditation requirements. Hence I refer you to what the EWG report says about this in sections IV b & IV c. Amazingly, despite this document being nearly four years old now, almost every point you raise here we hit as well. Great minds and all that…
Two, I think Stephanie here is basically assuming the technical side of this but would like there to be widely accepted standards for various fields to meet in order to be accredited by whatever body is doing it. So assuming the scissors accreditors exist, what standards about people being able to cut properly do those accreditors all use?
Cheers,
Rod
On Thu, Feb 15, 2018 at 12:58:20PM -0800, Rod Rasmussen wrote:
One, couldn’t agree with you more on model two with a little bit of model one thrown in on some overall accreditation requirements. Hence I refer you to what the EWG report says about this in sections IV b & IV c
Yes, thanks for the reference. I should indeed have mentioned that this is approximately what the EWG report says.
Two, I think Stephanie here is basically assuming the technical side of this but would like there to be widely accepted standards for various fields to meet in order to be accredited by whatever body is doing it. So assuming the scissors accreditors exist, what standards about people being able to cut properly do those accreditors all use?
This is, I think, what I am trying to avoid. ICANN doesn't decide how ISO picks the 3166 entries. They might consult chicken entrails, for all ICANN cares: it's an external authority that other people recognise, so ICANN doesn't need to choose or evaluate or anything. Similarly, ICANN doesn't need to decide who is a country. The UN can do that. This model, which is really down to Jon Postel, is a good idea because it prevents ICANN from having to make decisions that are way beyond its authority or competence.
I think the more of that we can shed to other plausibly competent bodies who are _already_ doing such jobs, the better. I don't know how INTERPOL decides who is LE and who isn't, and I don't want to have to care.
Best regards,
A
-- Andrew Sullivan ajs@anvilwalrusden.com
On Feb 15, 2018, at 1:08 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
Two, I think Stephanie here is basically assuming the technical side of this but would like there to be widely accepted standards for various fields to meet in order to be accredited by whatever body is doing it. So assuming the scissors accreditors exist, what standards about people being able to cut properly do those accreditors all use?
This is, I think, what I am trying to avoid. ICANN doesn't decide how ISO picks the 3166 entries. They might consult chicken entrails, for all ICANN cares: it's an external authority that other people recognise, so ICANN doesn't need to choose or evaluate or anything. Similarly, ICANN doesn't need to decide who is a country. The UN can do that. This model, which is really down to Jon Postel, is a good idea because it prevents ICANN from having to make decisions that are way beyond its authority or competence.
I think the more of that we can shed to other plausibly competent bodies who are _already_ doing such jobs, the better. I don't know how INTERPOL decides who is LE and who isn't, and I don't want to have to care.
Agree with you here personally, but that said, we use ISO country codes for example since they are well established, published, and nearly universally accepted in many fields. Also, someone at “ICANN” had to make the decision that that’s what we do (I do think we can blame one particular Internet founder for that decision that we’ve just followed ever since). I think Stephanie is looking at some fields as not having similarly accepted standards which would be applicable. I don’t think she’s advocating for ICANN to DO that work, but rather that ICANN encourage appropriate bodies in those fields to undertake such work to produce standards that could be widely accepted. There may already be standards in some fields that could be used of course; it then becomes a matter of ensuring that those fit, and someone has to make that evaluation in the end. The checklist for such an evaluation is probably an ICANN implementation thing based on policy principles we develop, and execution of said evaluation is probably some independent examiner, but I’m getting way out into implementation land here - just wanted to make it clear where this concept may lead us.
Cheers,
Rod
On Thu, Feb 15, 2018 at 01:28:50PM -0800, Rod Rasmussen wrote:
Agree with you here personally, but that said, we use ISO country codes for example since they are well established, published, and nearly universally accepted in many fields.
I think we use them because Jon Postel said so in RFC 1591, with the explicit reasoning, "The IANA is not in the business of deciding what is and what is not a country." The same RFC says that the selection was made knowing that there is a procedure, but without any comment on whether the procedure is any good. I think, in fact, that ICANN gets itself in trouble when it deviates from the principle, "Let someone else make that decision." We see this, for instance, in the rather tortured handling of IDN ccTLDs, which do not follow any particular standard and which have given the community a certain amount of (sometimes poorly-informed) grief as a result.
that decision that we’ve just followed ever since). I think Stephanie is looking at some fields as not having similarly accepted standards which would be applicable. I don’t think she’s advocating
I can certainly imagine fields where we'll have that problem ("Internet security professional" comes to mind, for instance: just about nobody competent in the area is going to accept the accreditation rules likely to be invented by international treaties). But there are plenty of cases where there are bodies who seem to be treated by the affected parties as legitimate. All I am trying to argue is that we should have a strong preference for flipping each hot potato onto anyone who seems likely to catch it, without coming up with a lot of rules for whether they get to play in the game.
becomes a matter of ensuring that those fit, and someone has to make that evaluation in the end.
No, I am claiming quite explicitly that ICANN _should not_ make that evaluation. That's what RFC 1591 quite explicitly does not do. "Someone else has a rule, and it seems to be accepted, so we'll use that."
And we don't even have the problem that 1591 had, which was that you needed exactly one authority. Maybe you have _two_ bodies who each claim to represent fly fishers, and their interests in the RDS. Each seems to have a critical mass, and neither seems to be overwhelmingly preferred. They both have criteria for membership. So, they both get to run a credential service for fly fishers, and the Fly Fishers' Association and the New Association of Fly Fishers each can run an OAuth service and accredit their members. They'll get whatever special treatment fly fishers are supposed to get (I hope none).
Maybe -- maybe -- I can see an argument for requiring stronger consensus around the legitimacy of these credentialling bodies as the quantity of data thereby exposed gets greater. But I am sceptical that the ICANN community is in any position to develop realistic criteria here: we can't even come to any kind of conclusion in a reasonable time about something we do know about (RDS), so the potential to come to any kind of conclusion about accreditation criteria seems pretty low to me.
Best regards,
A
-- Andrew Sullivan ajs@anvilwalrusden.com
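The clearing-house model Andrew describes in this message and in his earlier one (each accrediting body runs its own OAuth-style token service and decides who its members are; the registry keeps only a list of issuers it trusts and the tier each gets, and two bodies for the same community can both be on that list), as an added Python example that is not part of the thread or of any RDAP implementation. Issuer URLs, secrets, the tier-to-field policy and the sample record are constructed assumptions; tokens are HMAC-signed so the demo runs offline, where a real deployment would verify asymmetric signatures against each issuer's published keys.

```python
"""Federated tiered access to registration data, clearing-house style.

Added example; not code from the thread and not any RDAP implementation.
Every accrediting body (the hypothetical issuers below) runs its own
OAuth-style token service and decides for itself who its members are.
The registry keeps only a trust list: which issuers it accepts and which
access tier each issuer's members get. Membership changes never reach
the registry, which is the property argued for on the list.
Tokens are JWT-shaped and HMAC-SHA256 signed with a per-issuer secret so
the demo is self-contained; a real deployment would verify asymmetric
signatures against each issuer's published keys (JWKS) instead.
"""
import base64
import hashlib
import hmac
import json
import time

# Registry-side trust list. Issuer URLs, secrets and tiers are constructed.
# Two fly-fisher bodies both get the same tier: neither is "the" authority.
TRUSTED_ISSUERS = {
    "https://oauth.example-le-body.test": {"key": b"le-demo-secret", "tier": "full"},
    "https://oauth.example-cert-body.test": {"key": b"cert-demo-secret", "tier": "security"},
    "https://oauth.fly-fishers-assoc.test": {"key": b"ffa-demo-secret", "tier": "public"},
    "https://oauth.new-fly-fishers.test": {"key": b"naff-demo-secret", "tier": "public"},
}

# Assumed tier-to-field policy (not from the thread). None means every field.
TIER_FIELDS = {
    "public": {"domain", "registrar", "status", "nameservers"},
    "security": {"domain", "registrar", "status", "nameservers", "registrant_email"},
    "full": None,
}

# Constructed sample registration; nothing here refers to a real person.
SAMPLE_RECORD = {
    "domain": "example-registrant.test",
    "registrar": "Example Registrar Inc.",
    "status": ["active"],
    "nameservers": ["ns1.example-registrant.test", "ns2.example-registrant.test"],
    "registrant_name": "Jane Registrant",
    "registrant_email": "jane@example-registrant.test",
    "registrant_phone": "+1.5550100",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject: str, key: bytes, ttl: int = 3600, now=None) -> str:
    """Accrediting body side: mint a short-lived token for one of its members."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now=None):
    """Registry side: return the verified claims, or None if the token is not trusted."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # the token does not get to pick the algorithm ("none" etc.)
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in TRUSTED_ISSUERS:
        return None  # the registry only recognises bodies on its trust list
    expected = hmac.new(TRUSTED_ISSUERS[iss]["key"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired, or no expiry at all
    return claims


def tier_for(token, now=None) -> str:
    """Map a presented token to an access tier; anything unverifiable is public."""
    claims = verify_token(token, now) if isinstance(token, str) else None
    return "public" if claims is None else TRUSTED_ISSUERS[claims["iss"]]["tier"]


def lookup(record: dict, token=None, now=None) -> dict:
    """Return the record redacted to what the caller's tier may see."""
    allowed = TIER_FIELDS[tier_for(token, now)]
    if allowed is None:
        return dict(record)
    return {k: v for k, v in record.items() if k in allowed}
```

Revoking a member is the issuer's job alone: it stops minting tokens for them, and the short `exp` bounds how long an already-issued token keeps working, without any change on the registry side.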
I agree that ICANN should have no role in this matter. I was intrigued by the suggestion of a clearinghouse in the ECO model, but it is lean on details. I want to hear more. I agree that existing bodies (e.g. Cybercrime treaty signatories, Interpol) have methods already to accredit their members. They just need to get on with it.
The standard I am thinking of would be similar to:
1) ISO 17024:2012 Conformity assessment – general requirements for bodies operating certification of persons. ISO/IEC 17024:2012 contains principles and requirements for a body certifying persons against specific requirements, and includes the development and maintenance of a certification scheme for persons; and
2) ISO 27021:2017 Information technology – Security techniques – Competence requirements for information security management system professionals. ISO/IEC 27021:2017 specifies the requirements of competence for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conform to ISO/IEC 27001.
Basically, the addition to these security requirements would be compliance with data protection principles, which could be assured by meeting CAN/CSA-Q830. Accreditation to the potential standard which would be developed, drawing extensively from experts present in the stakeholder community at ICANN, could then be achieved totally independently from ICANN, in a global manner, with the possibility of independent audit of the quality standards the individual or organization claims to follow. I would suggest that the APWG already has procedural and policy documents that would be good inputs to such a standards development process.
cheers
Stephanie Perrin
On 2018-02-15 15:35, Andrew Sullivan wrote:
Let's please not design a new accreditation system that gets ICANN into the business of evaluating every professional claim on the Internet.
+1 -Carlton ============================== *Carlton A Samuels* *Mobile: 876-818-1799Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Thu, Feb 15, 2018 at 12:44 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity an IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and I (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) I think we should get on with developing those standards, preferably ISO standards with possibility for independent audit.
Stephanie Perrin On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP *forward*, you are part of the problem.
Sara
*sara bockey*
*sr. policy manager | **Go**Daddy™*
*sbockey@godaddy.com 480-366-3616*
*skype: sbockey*
*This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.*
*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net>
*Date: *Thursday, February 15, 2018 at 4:30 AM
*To: *Greg Shatan <gregshatanipc@gmail.com>
*Cc: *"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
*Subject: *Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions.
I have also never heard of fees being paid into a fund by those simply trying to remain compliant with their applicable laws.
Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change.
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
Am 15.02.2018 um 05:14 schrieb Greg Shatan:
In a similar vein, ICANN could establish an "Over-enforce the GDPR Fund," in which everyone who thinks the GDPR's data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here.
ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund, and everyone who is fined for data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
Am 14.02.2018 um 02:21 schrieb Rubens Kuhl:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo.
Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
On Tue, Feb 13, 2018 at 06:56:24PM +0100, Theo Geurts wrote:
I think some of us are still mystified that there are no "huge" issues in 147 million ccTLDs while there seem to be "huge" issues with 181 million gTLDs, 25% of them using privacy proxy services.
Nobody said that there are going to be _huge_ issues with any of this. Mostly, Internet protocols work, and work properly, and one rarely needs to contact people out of band. The _problem_ is when you _do_ need to contact people. Those cases, which represent a tiny minority of cases, can nevertheless be very bad. And I am sorry to note that the number of Internet-scale domains that appear in a single ccTLD is small, with a couple exceptions among the ccTLDs. And, as I've now said so often that I can barely care enough to say it again, the Internet is a distributed-operation system that does not depend on all the parties being in any contractual relationship with each other. The cost of having a network built that way -- one that has turned out to take over every other kind of network it has touched -- is that people who don't already know each other need to be able to get in touch. And to do that, the data has to be available _somewhere_ such that someone who happens to need it can get to it. I am pretty sceptical that this includes mailing and street addresses. I am pretty confident that phone numbers might well be in the list of stuff that is critical.
Personally I am more mystified why we keep on relying on WHOIS to combat such issues while the abuse rate goes up in the gTLD space each year. Perhaps time to come up with something better?
Given that the IETF has now produced _four_ different better answers, for various meanings of "better", than whois, it is even more mystifying to those of us who did some of that work. IRIS, indeed, was done explicitly at the behest of ICANN (when the IETF was still the protocol supporting organization), and was deployed by very close to nobody.
Best regards,
A
--
Andrew Sullivan
ajs@anvilwalrusden.com
@all I can as of now tell you that for Mauritius, for example, it's a copy of GDPR modified slightly that has been presented to parliament and will take effect the same date as GDPR, and as soon as the president signs off we will be operating the same way as the EU. The same will apply to our citizens and organizations. I am working with the DP commissioner and PM office to entrust regulatory and compliance. South African POPI looks quite the same.
Kris
On 13 Feb 2018, at 20:45, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Undeterred by the fact that no one has responded to my last post, I offer the following update to the Equifax breach to further illustrate my point. As many companies have found out, you don't find out what you've got till it's gone.....a further reason for data minimization and short retention periods.
To:
http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
participants (22)
- Andrew Sullivan
- Ayden Férdeline
- Carlton Samuels
- Chen, Tim
- Chris Pelling
- Chuck
- DANIEL NANGHAKA
- Dina Solveig Jalkanen
- Greg Aaron
- Greg Shatan
- John Bambenek
- John Horton
- Kris Seeburn
- Lisa Phifer
- Michele Neylon - Blacknight
- Nick Shorey Lists
- Rod Rasmussen
- Rubens Kuhl
- Sara Bockey
- Stephanie Perrin
- Theo Geurts
- Volker Greimann