Is there anyone in this WG who disagrees with Sara’s statement that ‘RDS must change’, understanding that we still have large differences of opinion regarding how to change it? Chuck From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Sara Bockey Sent: Wednesday, February 14, 2018 9:22 AM To: Steve Crocker <steve@shinkuro.com>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards I agree with Steve and look forward to additional feedback from him. RDS must change. Discussions to the contrary are a waste of time. Sara sara bockey sr. policy manager | GoDaddy™ <mailto:sbockey@godaddy.com> sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> > on behalf of Steve Crocker <steve@shinkuro.com <mailto:steve@shinkuro.com> > Date: Wednesday, February 14, 2018 at 9:27 AM To: "gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> " <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > Subject: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards I am only partially up to speed on the state of discussion within this WG, but I have been following the RDS situation for several years. In my view, the current focus on GDPR, while understandable because of the looming deadline, is logically backwards. The challenge, which we tried to address forcefully in 2012, is to rethink the RDS from the ground up. In my view, this is: o necessary o feasible o will lead to a much cleaner model o will make it relatively straightforward to satisfy the GDPR and all similar regulations around the world. There are also some issues such as the relationship of name server operators that also need to be addressed. There is obviously much more that needs to be said. I will contribute as much and as quickly as I can. Steve

John, You said ‘no’ but your qualification says it needs to change, albeit in what you think is a minor change. Do you believe that changing the RDS to accommodate the GDPR is Europe is a minor tweak? If so, please tell me what that minor tweak is. Chuck From: John Horton [mailto:john.horton@legitscript.com] Sent: Wednesday, February 14, 2018 11:26 AM To: Chuck <consult@cgomes.com> Cc: Sara Bockey <sbockey@godaddy.com>; Steve Crocker <steve@shinkuro.com>; RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards Yes, I respectfully disagree with Sara's statement, Chuck. (With a small qualification.) I don't think you have consensus around that point, in my view. The qualification I'd make is: where there are specific regulatory reasons to either require or permit a change to existing Whois/RDS policy, provided that it's done in the most conservative way possible, I think that's reasonable to discuss. (The obvious example here is the GDPR.) Beyond that, I believe that one of the best alternatives that's (implicitly) presented so far is no change, as many (all?) of the proposed changes I've heard so far would be worse than the status quo. So do I believe it "must" change? No, aside from a very limited tweak due to some specific regulatory issues. Do I believe it could be improved, and that improvements are worth discussing? Yes. But the answer to your question is: Yes, there is someone on this working group who respectfully disagrees with Sara's statement. John Horton President and CEO, LegitScript <https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&r...> Follow LegitScript: <http://www.linkedin.com/company/legitscript-com> LinkedIn | <https://www.facebook.com/LegitScript> Facebook | <https://twitter.com/legitscript> Twitter | <http://blog.legitscript.com/> Blog | <http://go.legitscript.com/Subscription-Management.html> Newsletter <https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace...> <https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&r...> On Wed, Feb 14, 2018 at 11:08 AM, Chuck <consult@cgomes.com <mailto:consult@cgomes.com> > wrote: Is there anyone in this WG who disagrees with Sara’s statement that ‘RDS must change’, understanding that we still have large differences of opinion regarding how to change it? Chuck From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> ] On Behalf Of Sara Bockey Sent: Wednesday, February 14, 2018 9:22 AM To: Steve Crocker <steve@shinkuro.com <mailto:steve@shinkuro.com> >; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards I agree with Steve and look forward to additional feedback from him. RDS must change. Discussions to the contrary are a waste of time. Sara sara bockey sr. policy manager | GoDaddy™ <mailto:sbockey@godaddy.com> sbockey@godaddy.com 480-366-3616 <tel:(480)%20366-3616> skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> > on behalf of Steve Crocker <steve@shinkuro.com <mailto:steve@shinkuro.com> > Date: Wednesday, February 14, 2018 at 9:27 AM To: "gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> " <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > Subject: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards I am only partially up to speed on the state of discussion within this WG, but I have been following the RDS situation for several years. In my view, the current focus on GDPR, while understandable because of the looming deadline, is logically backwards. The challenge, which we tried to address forcefully in 2012, is to rethink the RDS from the ground up. In my view, this is: o necessary o feasible o will lead to a much cleaner model o will make it relatively straightforward to satisfy the GDPR and all similar regulations around the world. There are also some issues such as the relationship of name server operators that also need to be addressed. There is obviously much more that needs to be said. I will contribute as much and as quickly as I can. Steve _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Perhaps I should clarify what at least I meant by change. Look at Steve’s words - he is emphasising the need to do much of what we have been doing already: looking at what information is necessary to be gathered for the system to work - and we have made lots of progress on that looking at what is feasible - we have had lots of discussion on what is/is not possible working towards his ‘cleaner model’ that will not only satisfy the GDPR but other data protection regimes globally. You are right to question whether we need to ‘trash’ a lot of what we have done. I don’t think that is what is being asked. I think what must change is any frame of mind that thinks that the old WHOIS regime can remain as is. Holly On 15 Feb 2018, at 6:52 am, DANIEL NANGHAKA <dndannang@gmail.com> wrote:

I dont think that it can totally change based on the strong milestones that we have achieved over period of time. Critical reviews have been made and discussions have come to consensus.

With the remarks from Steve, Bottom up approach work and we can not dispute the fact that the twist has come from the rise of GDPR. The Deliberations have been working and we cannot trash the recommendation in the discussion. I still stand for compliance and building a benchmark regulation that meets all standards. It will take time to achieve global uniformity but what I know is that we shall get there.

We have been consistent with the discussions apart from some minor issues like the Status Quo. Putting that aside, I will pose the question what must change, if we are derive consensus with basis on GDPR, the timeline is critical which we all know. In the System Requirements, all these issues, MUST and WILL be addressed. ᐧ

On Wed, Feb 14, 2018 at 10:35 PM, Chuck <consult@cgomes.com> wrote: John,

You said ‘no’ but your qualification says it needs to change, albeit in what you think is a minor change.

Do you believe that changing the RDS to accommodate the GDPR is Europe is a minor tweak? If so, please tell me what that minor tweak is.

Chuck

From: John Horton [mailto:john.horton@legitscript.com] Sent: Wednesday, February 14, 2018 11:26 AM To: Chuck <consult@cgomes.com> Cc: Sara Bockey <sbockey@godaddy.com>; Steve Crocker <steve@shinkuro.com>; RDS PDP WG <gnso-rds-pdp-wg@icann.org>

Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Yes, I respectfully disagree with Sara's statement, Chuck. (With a small qualification.) I don't think you have consensus around that point, in my view. The qualification I'd make is: where there are specific regulatory reasons to either require or permit a change to existing Whois/RDS policy, provided that it's done in the most conservative way possible, I think that's reasonable to discuss. (The obvious example here is the GDPR.) Beyond that, I believe that one of the best alternatives that's (implicitly) presented so far is no change, as many (all?) of the proposed changes I've heard so far would be worse than the status quo.

So do I believe it "must" change? No, aside from a very limited tweak due to some specific regulatory issues. Do I believe it could be improved, and that improvements are worth discussing? Yes. But the answer to your question is: Yes, there is someone on this working group who respectfully disagrees with Sara's statement.

John Horton President and CEO, LegitScript

Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter

On Wed, Feb 14, 2018 at 11:08 AM, Chuck <consult@cgomes.com> wrote:

Is there anyone in this WG who disagrees with Sara’s statement that ‘RDS must change’, understanding that we still have large differences of opinion regarding how to change it?

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Sara Bockey Sent: Wednesday, February 14, 2018 9:22 AM To: Steve Crocker <steve@shinkuro.com>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

I agree with Steve and look forward to additional feedback from him.

RDS must change. Discussions to the contrary are a waste of time.

Sara

sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Steve Crocker <steve@shinkuro.com> Date: Wednesday, February 14, 2018 at 9:27 AM To: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

I am only partially up to speed on the state of discussion within this WG, but I have been following the RDS situation for several years. In my view, the current focus on GDPR, while understandable because of the looming deadline, is logically backwards. The challenge, which we tried to address forcefully in 2012, is to rethink the RDS from the ground up. In my view, this is:

o necessary

o feasible

o will lead to a much cleaner model

o will make it relatively straightforward to satisfy the GDPR and all similar regulations around the world.

There are also some issues such as the relationship of name server operators that also need to be addressed.

There is obviously much more that needs to be said. I will contribute as much and as quickly as I can.

Steve

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

--

Regards Nanghaka Daniel K. Executive Director - ILICIT Africa / Chair - FOSSFA / Community Lead - ISOC Uganda Chapter / Geo4Africa Lead / Organising Team - FOSS4G2018 Mobile +256 772 898298 (Uganda) Skype: daniel.nanghaka

----------------------------------------- "Working for Africa" -----------------------------------------

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

Thanks, Chuck. I think whatever changes are required by the GDPR can be accomplished with changes that, in my view, do not constitute a fundamental change to Whois/RDS. Beyond what I think are non-fundamental changes relating to the GDPR, I do not believe that any changes are a "must." As to your question: There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer.

Nope, GDPR applies to all domain services provided by a party that does business targeting EEA. So there is no agreement in limiting to whom GDPR applies to. You know what is in the Hamilton memo that you disagree with, and while it's your right to disagree, you can't define things as having agreement when there is no such thing.

It is possible to protect that subset of registrants through (e.g.) complimentary privacy protection, as well as some other limited policies granting access to the data for a legitimate purpose (etc., everything we've been discussing).

Nope, that would only be valid for publishing of data. For collection and processing of data, private WHOIS as we know it might not be enough to achieve compliance, depending on TLD and ICANN requirements.

Whether a registrant is, in fact, an entity that is in the very limited class entitled to GDPR protection can be determined during the registration process, and ICANN policy can require registrars to add these fields to the registration process. Existing registrants can be asked to update their information. Aside from the policies requiring that those additional data fields be collected during the registration process (e.g., are you an EU citizen and other relevant questions), and that if certain answers are "TRUE" then privacy protection is automatically granted, Whois would not change. Port 43 access would continue as is, and so on. I guess I would turn around and ask you and others if everyone agrees with these two statements: The GDPR applies to, and is intended to benefit, a limited set of registrants.

No, no agreement with that statement.

Registrar convenience or business objectives is not a valid basis to support a policy change.

That depends on level. If by business objectives you mean deny service for whole Europe, that's a pretty hard business hit. It's something like 20% of world's GDP. Rubens

On 14 Feb 2018, at 19:12, Greg Aaron <gca@icginc.com> wrote:

Reubens, you said that “GDPR applies to all domain services provided by a party that does business targeting EEA.” That statement has multiple possible implications. I want to understand: what exactly are you saying here about the publication of personal data in an RDS?

Collection, processing and eventual publication. GDPR looks at the full lifecycle of all data, not limited to RDS data; but even the RDS PDP has to look at the full lifecycle of data that ends up in RDS, not only at publishing them. How they are collected, processed and stored has to be part of the policy for it to be implementable.

Are you saying that any registrar outside the EU that does business with EU registrants must extend GDPR protection to all its registrants regarding RDS, no matter where the registrants live? For example, GoDaddy is a U.S. company but has some registrants in the EU. Are you saying that GoDaddy must extend GDRP-level protection to me, a U.S. registrant, so that my contact details (or some set of contact data fields) should not show up in WHOIS/RDS?

I would say GDPR compliance, not GDPR protection. And yes, I am saying that GoDaddy should extend its compliance for all registrants, but if that means omitting contact details in WHOIS is a totally different matter; for instance, part 3 of the Hamilton memos hinted at the possibility of convincing European DPAs that publishing all information, or most of it, is a legitimate use. So that would open the possible publishing of data and still be compliant with GDPR, provided that written binding assurances from DPAs are obtained by ICANN or further legislation is approved by the EU, which is the long term road suggested by eco.

If your answer is “yes”: please quote the section of the GDPR regulation that you are referring to. Also specifically the page and paragraph of which Hamilton memo; I tried to look up your previous reference but was unsure what exactly you were pointing at. Generally, it is appreciated when members provide references we can all look at.

The reference in the Hamilton memo can be found at: https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en... <https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en...> 3.2 Territorial Application - 3.2.1 and 3.2.2 I'll let Hamilton answer from where in GDPR (and other applicable law like directive 2016/680 regarding law enforcement) they based that, but looks like GDRP articles 1 to 4 to me. Rubens

On 14 Feb 2018, at 20:36, John Horton <john.horton@legitscript.com> wrote:

Rubens,

I think I see where the disconnect might be. Section 3.2.2 says "Extraterritorial reach as described in section 3.2.1 above will apply, for instance, when registrars and registries established outside the EU provide their domain name registration services to natural persons in the EU."

Are you interpreting that to mean: "If a registrar/registry outside of the EU markets/offers their services to natural persons in the EU (that is, you either have some customers in the EU or you potentially could), then they are fully subject to the GDPR for all of their registrations."? Because I think that's a misreading of it. I think it means "with respect to the actual provision of services to a natural person in the EU." In other words, taking it to an extreme, I think you might be interpreting the Hamilton language in 3.2.2 to mean that all of a non-EU registrar's registrants are entitled to full GDPR protection if that registrar has even a single potential customer in the EU. However, I think they mean that even a non-EU registrar has to ensure that any natural person in the EU is afforded GDPR protections (and I'd agree with you on that -- my own company has been deep into GDPR compliance even though we aren't in the EU).

I am interpreting that way, but I am not the only one as the GDPR implementations will show in a few months. We should note that both US and EU courts routinely take cases of non-citizens/non-residents based in their own law, so as long as someone has a cause of action, there is legal risk. One just needs to find one jurisdiction among the many in the EU that is willing to bring a case on behalf a non-EU citizen/resident, and when a single lawsuit can make for the margin of selling 100,000 domains, you can be sure that a good number of companies won't take that risk. I will gladly take any written/binding European DPAs guidance that it's not the case in order to advise for discriminating EU/non-EU residents/citizens as registrants, but for now the perceived risk doesn't allow that. And I will add a grain of salt to that concern: let's say you are sure that the registrant is not afforded GDPR data privacy; what can be said of the other contacts ? Since those contacts are data subjects that a registrar doesn't have a contract with, how to determine their eligibility ? Send them all e-mails so they can enter into a non-paying agreement confirming their lack of eligibility ? Rubens

Regardless of whom the GDPR applies to, we need to ask ourselves the question whether the system we will be designing should make that differentiation. It may be beneficial and reduce user confusion if they do not have to use two different methods  to access registration data depending on where in the world the registrant is based, but only one universal system. And if they have to jump through certain hoops (for example pre-certification of the requester) anyways to get at EU data subject data, where is the harm in using that same hoop for all data? Best, Volker Am 15.02.2018 um 15:56 schrieb Paul Keating:

Rubens,

You stated:

...

* There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer."

And,

...

1. The GDPR applies to, and is intended to benefit, a limited set of registrants.

No, no agreement with that state

I completely disagree.  The GDPR does in fact act only to bind Data Collectors and Processors as to data concerning a specific and limited set of people (EU residents).  That registrars may seek to apply it across the board to all registrants is a matter of convenience and risk avoidance given the potential issues of properly identifying whether the registrant is in fact one of the protected class.  While I cannot fault the registrars for wanting to limit risk, I do object to the objective miss-statement of the law.

Paul Keating.

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>> on behalf of Rubens Kuhl <rubensk@nic.br <mailto:rubensk@nic.br>> Date: Wednesday, February 14, 2018 at 9:41 PM To: John Horton <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

...

On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> wrote:

Thanks, Chuck. I think whatever changes are required by the GDPR can be accomplished with changes that, in my view, do not constitute a fundamental change to Whois/RDS. Beyond what I think are non-fundamental changes relating to the GDPR, I do not believe that any changes are a "must." As to your question:

* There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer.

Nope, GDPR applies to all domain services provided by a party that does business targeting EEA. So there is no agreement in limiting to whom GDPR applies to. You know what is in the Hamilton memo that you disagree with, and while it's your right to disagree, you can't define things as having agreement when there is no such thing.

...

* It is possible to protect that subset of registrants through (e.g.) complimentary privacy protection, as well as some other limited policies granting access to the data for a legitimate purpose (etc., everything we've been discussing).

Nope, that would only be valid for publishing of data. For collection and processing of data, private WHOIS as we know it might not be enough to achieve compliance, depending on TLD and ICANN requirements.

...

* Whether a registrant is, in fact, an entity that is in the very limited class entitled to GDPR protection can be determined during the registration process, and ICANN policy can require registrars to add these fields to the registration process. Existing registrants can be asked to update their information. * Aside from the policies requiring that those additional data fields be collected during the registration process (e.g., are you an EU citizen and other relevant questions), and that if certain answers are "TRUE" then privacy protection is automatically granted, Whois would not change. Port 43 access would continue as is, and so on.

I guess I would turn around and ask you and others if everyone agrees with these two statements:

1. The GDPR applies to, and is intended to benefit, a limited set of registrants.

No, no agreement with that statement.

...

2. Registrar convenience or business objectives is not a valid basis to support a policy change.

That depends on level. If by business objectives you mean deny service for whole Europe, that's a pretty hard business hit. It's something like 20% of world's GDP.

Rubens

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

That very much depends on who gets what access how. It may mean less data but it need not. Am 15.02.2018 um 16:42 schrieb Paul Keating:

Volker,

The harm is to all those relying on the data to do other work (like security).  If the DC limits collection based on the limited GDPR subset (individual EU residents), that means less data available.

Paul

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>> on behalf of Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> Date: Thursday, February 15, 2018 at 4:29 PM To: <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Regardless of whom the GDPR applies to, we need to ask ourselves the question whether the system we will be designing should make that differentiation. It may be beneficial and reduce user confusion if they do not have to use two different methods  to access registration data depending on where in the world the registrant is based, but only one universal system. And if they have to jump through certain hoops (for example pre-certification of the requester) anyways to get at EU data subject data, where is the harm in using that same hoop for all data?

Best,

Volker

Am 15.02.2018 um 15:56 schrieb Paul Keating:

...

Rubens,

You stated:

...

* There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer."

And,

...

1. The GDPR applies to, and is intended to benefit, a limited set of registrants.

No, no agreement with that state

I completely disagree.  The GDPR does in fact act only to bind Data Collectors and Processors as to data concerning a specific and limited set of people (EU residents).  That registrars may seek to apply it across the board to all registrants is a matter of convenience and risk avoidance given the potential issues of properly identifying whether the registrant is in fact one of the protected class.  While I cannot fault the registrars for wanting to limit risk, I do object to the objective miss-statement of the law.

Paul Keating.

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>> on behalf of Rubens Kuhl <rubensk@nic.br <mailto:rubensk@nic.br>> Date: Wednesday, February 14, 2018 at 9:41 PM To: John Horton <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

...

On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> wrote:

Thanks, Chuck. I think whatever changes are required by the GDPR can be accomplished with changes that, in my view, do not constitute a fundamental change to Whois/RDS. Beyond what I think are non-fundamental changes relating to the GDPR, I do not believe that any changes are a "must." As to your question:

* There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer.

Nope, GDPR applies to all domain services provided by a party that does business targeting EEA. So there is no agreement in limiting to whom GDPR applies to. You know what is in the Hamilton memo that you disagree with, and while it's your right to disagree, you can't define things as having agreement when there is no such thing.

...

* It is possible to protect that subset of registrants through (e.g.) complimentary privacy protection, as well as some other limited policies granting access to the data for a legitimate purpose (etc., everything we've been discussing).

Nope, that would only be valid for publishing of data. For collection and processing of data, private WHOIS as we know it might not be enough to achieve compliance, depending on TLD and ICANN requirements.

...

* Whether a registrant is, in fact, an entity that is in the very limited class entitled to GDPR protection can be determined during the registration process, and ICANN policy can require registrars to add these fields to the registration process. Existing registrants can be asked to update their information. * Aside from the policies requiring that those additional data fields be collected during the registration process (e.g., are you an EU citizen and other relevant questions), and that if certain answers are "TRUE" then privacy protection is automatically granted, Whois would not change. Port 43 access would continue as is, and so on.

I guess I would turn around and ask you and others if everyone agrees with these two statements:

1. The GDPR applies to, and is intended to benefit, a limited set of registrants.

No, no agreement with that statement.

...

2. Registrar convenience or business objectives is not a valid basis to support a policy change.

That depends on level. If by business objectives you mean deny service for whole Europe, that's a pretty hard business hit. It's something like 20% of world's GDP.

Rubens

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

John I cannot agree with either of your statements. Others have weighed in on the first one, so I won’t repeat what has been said. The second one is a mischaracterisation of what registrars (and registries) are dealing with, unless you consider protecting your business from breaking the law as an “objective”. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Wednesday 14 February 2018 at 20:08 To: Chuck <consult@cgomes.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards Thanks, Chuck. I think whatever changes are required by the GDPR can be accomplished with changes that, in my view, do not constitute a fundamental change to Whois/RDS. Beyond what I think are non-fundamental changes relating to the GDPR, I do not believe that any changes are a "must." As to your question: * There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer. * It is possible to protect that subset of registrants through (e.g.) complimentary privacy protection, as well as some other limited policies granting access to the data for a legitimate purpose (etc., everything we've been discussing). * Whether a registrant is, in fact, an entity that is in the very limited class entitled to GDPR protection can be determined during the registration process, and ICANN policy can require registrars to add these fields to the registration process. Existing registrants can be asked to update their information. * Aside from the policies requiring that those additional data fields be collected during the registration process (e.g., are you an EU citizen and other relevant questions), and that if certain answers are "TRUE" then privacy protection is automatically granted, Whois would not change. Port 43 access would continue as is, and so on. I guess I would turn around and ask you and others if everyone agrees with these two statements: 1. The GDPR applies to, and is intended to benefit, a limited set of registrants. 2. Registrar convenience or business objectives is not a valid basis to support a policy change. John Horton President and CEO, LegitScript [https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&r...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | Blog<http://blog.legitscript.com/> | Newsletter<http://go.legitscript.com/Subscription-Management.html> [https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png][https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ] On Wed, Feb 14, 2018 at 11:35 AM, Chuck <consult@cgomes.com<mailto:consult@cgomes.com>> wrote: John, You said ‘no’ but your qualification says it needs to change, albeit in what you think is a minor change. Do you believe that changing the RDS to accommodate the GDPR is Europe is a minor tweak? If so, please tell me what that minor tweak is. Chuck From: John Horton [mailto:john.horton@legitscript.com<mailto:john.horton@legitscript.com>] Sent: Wednesday, February 14, 2018 11:26 AM To: Chuck <consult@cgomes.com<mailto:consult@cgomes.com>> Cc: Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>>; Steve Crocker <steve@shinkuro.com<mailto:steve@shinkuro.com>>; RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards Yes, I respectfully disagree with Sara's statement, Chuck. (With a small qualification.) I don't think you have consensus around that point, in my view. The qualification I'd make is: where there are specific regulatory reasons to either require or permit a change to existing Whois/RDS policy, provided that it's done in the most conservative way possible, I think that's reasonable to discuss. (The obvious example here is the GDPR.) Beyond that, I believe that one of the best alternatives that's (implicitly) presented so far is no change, as many (all?) of the proposed changes I've heard so far would be worse than the status quo. So do I believe it "must" change? No, aside from a very limited tweak due to some specific regulatory issues. Do I believe it could be improved, and that improvements are worth discussing? Yes. But the answer to your question is: Yes, there is someone on this working group who respectfully disagrees with Sara's statement. John Horton President and CEO, LegitScript [https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&r...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | Blog<http://blog.legitscript.com/> | Newsletter<http://go.legitscript.com/Subscription-Management.html> [https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png][https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ] On Wed, Feb 14, 2018 at 11:08 AM, Chuck <consult@cgomes.com<mailto:consult@cgomes.com>> wrote: Is there anyone in this WG who disagrees with Sara’s statement that ‘RDS must change’, understanding that we still have large differences of opinion regarding how to change it? Chuck From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of Sara Bockey Sent: Wednesday, February 14, 2018 9:22 AM To: Steve Crocker <steve@shinkuro.com<mailto:steve@shinkuro.com>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards I agree with Steve and look forward to additional feedback from him. RDS must change. Discussions to the contrary are a waste of time. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616<tel:(480)%20366-3616> skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org>> on behalf of Steve Crocker <steve@shinkuro.com<mailto:steve@shinkuro.com>> Date: Wednesday, February 14, 2018 at 9:27 AM To: "gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>" <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards I am only partially up to speed on the state of discussion within this WG, but I have been following the RDS situation for several years. In my view, the current focus on GDPR, while understandable because of the looming deadline, is logically backwards. The challenge, which we tried to address forcefully in 2012, is to rethink the RDS from the ground up. In my view, this is: o necessary o feasible o will lead to a much cleaner model o will make it relatively straightforward to satisfy the GDPR and all similar regulations around the world. There are also some issues such as the relationship of name server operators that also need to be addressed. There is obviously much more that needs to be said. I will contribute as much and as quickly as I can. Steve _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Michele, One leading (US-based) registrar informed me that even though they could be more granular if they wished to, they wanted to just extend the identical (i.e., GDPR-level) protections to all registrants globally simply due to "cost-benefit analysis" -- that it was more convenient for them and less work. I personally do not consider that a valid justification, standing alone. I do not wish any registrar to incur unreasonable costs, but a registrar's profit margin goals should not drive policy. John Horton President and CEO, LegitScript *Follow LegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | *Blog <http://blog.legitscript.com/>* | Newsletter <http://go.legitscript.com/Subscription-Management.html> On Wed, Feb 14, 2018 at 12:46 PM, Michele Neylon - Blacknight < michele@blacknight.com> wrote:

John

I cannot agree with either of your statements. Others have weighed in on the first one, so I won’t repeat what has been said.

The second one is a mischaracterisation of what registrars (and registries) are dealing with, unless you consider protecting your business from breaking the law as an “objective”.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com

https://blacknight.blog /

http://ceo.hosting/

Intl. +353 (0) 59 9183072 <+353%2059%20918%203072>

Direct Dial: +353 (0)59 9183090 <+353%2059%20918%203090>

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow, R93 X265

,Ireland Company No.: 370845

*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> *Reply-To: *John Horton <john.horton@legitscript.com> *Date: *Wednesday 14 February 2018 at 20:08 *To: *Chuck <consult@cgomes.com> *Cc: *RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Thanks, Chuck. I think whatever changes are required by the GDPR can be accomplished with changes that, in my view, do not constitute a fundamental change to Whois/RDS. Beyond what I think are non-fundamental changes relating to the GDPR, I do not believe that any changes are a "must." As to your question:

- There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer. - It is possible to protect that subset of registrants through (e.g.) complimentary privacy protection, as well as some other limited policies granting access to the data for a legitimate purpose (etc., everything we've been discussing). - Whether a registrant is, in fact, an entity that is in the very limited class entitled to GDPR protection can be determined during the registration process, and ICANN policy can require registrars to add these fields to the registration process. Existing registrants can be asked to update their information. - Aside from the policies requiring that those additional data fields be collected during the registration process (e.g., are you an EU citizen and other relevant questions), and that if certain answers are "TRUE" then privacy protection is automatically granted, Whois would not change. Port 43 access would continue as is, and so on.

I guess I would turn around and ask you and others if everyone agrees with these two statements:

1. The GDPR applies to, and is intended to benefit, a limited set of registrants. 2. Registrar convenience or business objectives is not a valid basis to support a policy change.

John Horton President and CEO, LegitScript

[image: https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&r...]

*Follow* *Legit**Script*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

[image: https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png][image: https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&r...]

On Wed, Feb 14, 2018 at 11:35 AM, Chuck <consult@cgomes.com> wrote:

John,

You said ‘no’ but your qualification says it needs to change, albeit in what you think is a minor change.

Do you believe that changing the RDS to accommodate the GDPR is Europe is a minor tweak? If so, please tell me what that minor tweak is.

Chuck

*From:* John Horton [mailto:john.horton@legitscript.com] *Sent:* Wednesday, February 14, 2018 11:26 AM *To:* Chuck <consult@cgomes.com> *Cc:* Sara Bockey <sbockey@godaddy.com>; Steve Crocker <steve@shinkuro.com>; RDS PDP WG <gnso-rds-pdp-wg@icann.org>

*Subject:* Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Yes, I respectfully disagree with Sara's statement, Chuck. (With a small qualification.) I don't think you have consensus around that point, in my view. The qualification I'd make is: where there are specific regulatory reasons to either require or permit a change to existing Whois/RDS policy, provided that it's done in the most conservative way possible, I think that's reasonable to discuss. (The obvious example here is the GDPR.) Beyond that, I believe that one of the best alternatives that's (implicitly) presented so far is no change, as many (all?) of the proposed changes I've heard so far would be worse than the status quo.

So do I believe it "must" change? No, aside from a very limited tweak due to some specific regulatory issues. Do I believe it could be improved, and that improvements are worth discussing? Yes. But the answer to your question is: Yes, there is someone on this working group who respectfully disagrees with Sara's statement.

John Horton President and CEO, LegitScript

[image: https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&r...]

*Follow* *Legit**Script*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

[image: https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png][image: https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&r...]

On Wed, Feb 14, 2018 at 11:08 AM, Chuck <consult@cgomes.com> wrote:

Is there anyone in this WG who disagrees with Sara’s statement that ‘RDS must change’, understanding that we still have large differences of opinion regarding how to change it?

Chuck

*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Sara Bockey *Sent:* Wednesday, February 14, 2018 9:22 AM *To:* Steve Crocker <steve@shinkuro.com>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

I agree with Steve and look forward to additional feedback from him.

RDS must change. Discussions to the contrary are a waste of time.

Sara

*sara bockey*

*sr. policy manager | **Go**Daddy™*

*sbockey@godaddy.com* <sbockey@godaddy.com> *480-366-3616* <(480)%20366-3616>

*skype: sbockey*

*This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.*

*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Steve Crocker <steve@shinkuro.com> *Date: *Wednesday, February 14, 2018 at 9:27 AM *To: *"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> *Subject: *[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

I am only partially up to speed on the state of discussion within this WG, but I have been following the RDS situation for several years. In my view, the current focus on GDPR, while understandable because of the looming deadline, is logically backwards. The challenge, which we tried to address forcefully in 2012, is to rethink the RDS from the ground up. In my view, this is:

o necessary

o feasible

o will lead to a much cleaner model

o will make it relatively straightforward to satisfy the GDPR and all similar regulations around the world.

There are also some issues such as the relationship of name server operators that also need to be addressed.

There is obviously much more that needs to be said. I will contribute as much and as quickly as I can.

Steve

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Hmm, well, perhaps it's because I work for a company that processes quite a bit of data with a combination of algorithms and some human review, but I feel pretty confident that there are ways to simplify that with magic algorithms and forms. John Horton President and CEO, LegitScript *Follow LegitScript*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | *Blog <http://blog.legitscript.com/>* | Newsletter <http://go.legitscript.com/Subscription-Management.html> On Wed, Feb 14, 2018 at 2:35 PM, Rubens Kuhl <rubensk@nic.br> wrote:

On 14 Feb 2018, at 19:37, John Horton via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:

Michele,

One leading (US-based) registrar informed me that even though they could be more granular if they wished to, they wanted to just extend the identical (i.e., GDPR-level) protections to all registrants globally simply due to "cost-benefit analysis" -- that it was more convenient for them and less work. I personally do not consider that a valid justification, standing alone. I do not wish any registrar to incur unreasonable costs, but a registrar's profit margin goals should not drive policy.

I believe that was most in the context of legal/natural persons. While GDPR clearly doesn't apply to a legal person name/location/phone/role-account-email, manually reviewing data to assert that goes beyond reasonable in cost-benefit for a system that is fully automated today. Answering questions like the ones below require such manual review:

- Is the registrant name of a legal person ? - Is the registrant name of a legal person when an user informed registration by a legal person but incorrectly put his name as registrant ? - Is the location of the business the residence of the owner ? - Is the e-mail address a role-account e-mail like legal@company or a personally identifiable e-mail like johnhorton@legitscript ? - Is the phone number the main line of the company, an unpublished extension number or a mobile number ?

Is manually reviewing all registration a reasonable cost in your opinion ?

Rubens

Hi everyone, I have already begun to hear unrest from my colleagues who work in infosec and network operations about the degradation of WHOIS, as registrars have already begun to act on their own, stripping everything and blocking bulk queriers on domains frequently used for attacks. Every day of additional uncertainty equals an additional day of victimization. Why has no one approached the DPAs with the evidence of security purposes for WHOIS? How much network degradation will we tolerate before someone bothers to give them a little hint? How many more judgments from the DPAs are we going to read that display clear ignorance of all legitimate cybersecurity purposes? Did no one see this coming? Since we are talking about cost benefit analysis, here is a quick one I just did that I would like to share with the group. I did a quick look for the value of the domain registration industry as a whole. Seems to be ~$4 billion. The losses incurred by the WanaCry malware are estimated to be at ~$8 billion. A single security incident destroying value equal to double your entire industry. In May 2017, the FBI stated that over three years the "business email compromise" scams have topped ~$5 billion in losses, which would be slightly more than one domain-industry unit of value, and WHOIS is crucial to fighting it. source: https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-c... source: https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/d... source: https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thou... Remember, the whole point of GDPR is to force companies to act with more social responsibility. On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk@nic.br> wrote:

On 14 Feb 2018, at 20:49, John Horton <john.horton@legitscript.com> wrote:

Hmm, well, perhaps it's because I work for a company that processes quite a bit of data with a combination of algorithms and some human review, but I feel pretty confident that there are ways to simplify that with magic algorithms and forms.

Magic algorithms are fine in pattern detection because there is always a human review at some point or the cost of error is low, like in raising an abuse case that contains wording like supposedly", "allegedly" etc. In this case, every false negative comes with a tremendous liability.

Also, if machine-learning technology and deep pockets for lawsuits become a requirement for being a registrar, you can count on the number of registrars dropping to single digits.

Rubens

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- _________________________________ Note to self: Pillage BEFORE burning.

DPAs are law enforcement and will enforce the law of the land. They do not have the option to pick and choose after May 25. Maybe it is time for you and your colleagues to start looking at other sources of information to ensure you can continue operation efficiently once your currently chosen method becomes illegal. Remember, you are a data processor too and what you do with that data could very well paint a target on your backs that DPS may have to deal with. Best, Volker Am 15.02.2018 um 02:36 schrieb allison nixon:

Hi everyone,

I have already begun to hear unrest from my colleagues who work in infosec and network operations about the degradation of WHOIS, as registrars have already begun to act on their own, stripping everything and blocking bulk queriers on domains frequently used for attacks. Every day of additional uncertainty equals an additional day of victimization.

Why has no one approached the DPAs with the evidence of security purposes for WHOIS? How much network degradation will we tolerate before someone bothers to give them a little hint? How many more judgments from the DPAs are we going to read that display clear ignorance of all legitimate cybersecurity purposes? Did no one see this coming?

Since we are talking about cost benefit analysis, here is a quick one I just did that I would like to share with the group. I did a quick look for the value of the domain registration industry as a whole. Seems to be ~$4 billion. The losses incurred by the WanaCry malware are estimated to be at ~$8 billion. A single security incident destroying value equal to double your entire industry.

In May 2017, the FBI stated that over three years the "business email compromise" scams have topped ~$5 billion in losses, which would be slightly more than one domain-industry unit of value, and WHOIS is crucial to fighting it.

source: https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-c... source: https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/d... source: https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thou...

Remember, the whole point of GDPR is to force companies to act with more social responsibility.

On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk@nic.br <mailto:rubensk@nic.br>> wrote:

...

On 14 Feb 2018, at 20:49, John Horton <john.horton@legitscript.com <mailto:john.horton@legitscript.com>> wrote:

Hmm, well, perhaps it's because I work for a company that processes quite a bit of data with a combination of algorithms and some human review, but I feel pretty confident that there are ways to simplify that with magic algorithms and forms.

Magic algorithms are fine in pattern detection because there is always a human review at some point or the cost of error is low, like in raising an abuse case that contains wording like supposedly", "allegedly" etc. In this case, every false negative comes with a tremendous liability.

Also, if machine-learning technology and deep pockets for lawsuits become a requirement for being a registrar, you can count on the number of registrars dropping to single digits.

Rubens

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

-- _________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Chuck, That said I really do like the idea of having interaction and participation by the DPAs and even someone from Article 29 or other GDPR official groups. Otherwise we continue to work in a vacuum. From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Chuck <consult@cgomes.com> Date: Thursday, February 15, 2018 at 2:57 PM To: 'Volker Greimann' <vgreimann@key-systems.net>, <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

I¹d like to think that the ICANN community effort going on outside this WG will take note of the cybersecurity concerns that Allison raises as they try to finalize an interim solution to deal with the GDPR in the near term. Note this quote from Goren¹s latest blog that ICANN org is trying to find a balanced approach: ³This single, common interim model that is informed by input from across the ICANN community would seek to obtain compliance with both the GDPR and ICANN's contractual requirements related to registration directory services.² Here¹s the blog: https://www.icann.org/news/blog/data-protection-privacy-update-latest-develo... ents

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 15, 2018 1:02 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

DPAs are law enforcement and will enforce the law of the land. They do not have the option to pick and choose after May 25.

Maybe it is time for you and your colleagues to start looking at other sources of information to ensure you can continue operation efficiently once your currently chosen method becomes illegal. Remember, you are a data processor too and what you do with that data could very well paint a target on your backs that DPS may have to deal with.

Best,

Volker

Am 15.02.2018 um 02:36 schrieb allison nixon:

...

Hi everyone,

I have already begun to hear unrest from my colleagues who work in infosec and network operations about the degradation of WHOIS, as registrars have already begun to act on their own, stripping everything and blocking bulk queriers on domains frequently used for attacks. Every day of additional uncertainty equals an additional day of victimization.

Why has no one approached the DPAs with the evidence of security purposes for WHOIS? How much network degradation will we tolerate before someone bothers to give them a little hint? How many more judgments from the DPAs are we going to read that display clear ignorance of all legitimate cybersecurity purposes? Did no one see this coming?

Since we are talking about cost benefit analysis, here is a quick one I just did that I would like to share with the group. I did a quick look for the value of the domain registration industry as a whole. Seems to be ~$4 billion. The losses incurred by the WanaCry malware are estimated to be at ~$8 billion. A single security incident destroying value equal to double your entire industry.

In May 2017, the FBI stated that over three years the "business email compromise" scams have topped ~$5 billion in losses, which would be slightly more than one domain-industry unit of value, and WHOIS is crucial to fighting it.

source: https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-c... uld-spur-53-billion-in-losses-lloyds-of-london-idUSKBN1A20AB

source: https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/d... main-name-industry

source: https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thou... ands-top-5-billion-in-losses-globally.html

Remember, the whole point of GDPR is to force companies to act with more social responsibility.

On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk@nic.br> wrote:

...

...

On 14 Feb 2018, at 20:49, John Horton <john.horton@legitscript.com> wrote:

Hmm, well, perhaps it's because I work for a company that processes quite a bit of data with a combination of algorithms and some human review, but I feel pretty confident that there are ways to simplify that with magic algorithms and forms.

Magic algorithms are fine in pattern detection because there is always a human review at some point or the cost of error is low, like in raising an abuse case that contains wording like supposedly", "allegedly" etc. In this case, every false negative comes with a tremendous liability.

Also, if machine-learning technology and deep pockets for lawsuits become a requirement for being a registrar, you can count on the number of registrars dropping to single digits.

Rubens

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

--

_________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Paraphrasing a person I know. The more data input the better as long as it is carefully considered. I do NOT like the idea of relying on ICANN to receive input provided via their interacting with a third party. I would prefer to obtain the unfiltered data. Paul From: Chuck <consult@cgomes.com> on behalf of Chuck <consult@cgomes.com> Date: Thursday, February 15, 2018 at 3:56 PM To: Paul Keating <paul@law.es>, 'Volker Greimann' <vgreimann@key-systems.net>, <gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Apparently, ICANN org has been interacting with DPAs regarding a possible interim solution, so maybe we will get some helpful input from those efforts. Note Stephanie¹s suggestion that we could submit questions to the DP experts that participated in our public meeting last year.

Chuck

From: Paul Keating [mailto:Paul@law.es] Sent: Thursday, February 15, 2018 6:10 AM To: Chuck <consult@cgomes.com>; 'Volker Greimann' <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Chuck,

That said I really do like the idea of having interaction and participation by the DPAs and even someone from Article 29 or other GDPR official groups. Otherwise we continue to work in a vacuum.

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Chuck <consult@cgomes.com> Date: Thursday, February 15, 2018 at 2:57 PM To: 'Volker Greimann' <vgreimann@key-systems.net>, <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

...

I¹d like to think that the ICANN community effort going on outside this WG will take note of the cybersecurity concerns that Allison raises as they try to finalize an interim solution to deal with the GDPR in the near term. Note this quote from Goren¹s latest blog that ICANN org is trying to find a balanced approach: ³This single, common interim model that is informed by input from across the ICANN community would seek to obtain compliance with both the GDPR and ICANN's contractual requirements related to registration directory services.² Here¹s the blog: https://www.icann.org/news/blog/data-protection-privacy-update-latest-develo... ments

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 15, 2018 1:02 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

DPAs are law enforcement and will enforce the law of the land. They do not have the option to pick and choose after May 25.

Maybe it is time for you and your colleagues to start looking at other sources of information to ensure you can continue operation efficiently once your currently chosen method becomes illegal. Remember, you are a data processor too and what you do with that data could very well paint a target on your backs that DPS may have to deal with.

Best,

Volker

Am 15.02.2018 um 02:36 schrieb allison nixon:

...

Hi everyone,

I have already begun to hear unrest from my colleagues who work in infosec and network operations about the degradation of WHOIS, as registrars have already begun to act on their own, stripping everything and blocking bulk queriers on domains frequently used for attacks. Every day of additional uncertainty equals an additional day of victimization.

Why has no one approached the DPAs with the evidence of security purposes for WHOIS? How much network degradation will we tolerate before someone bothers to give them a little hint? How many more judgments from the DPAs are we going to read that display clear ignorance of all legitimate cybersecurity purposes? Did no one see this coming?

Since we are talking about cost benefit analysis, here is a quick one I just did that I would like to share with the group. I did a quick look for the value of the domain registration industry as a whole. Seems to be ~$4 billion. The losses incurred by the WanaCry malware are estimated to be at ~$8 billion. A single security incident destroying value equal to double your entire industry.

In May 2017, the FBI stated that over three years the "business email compromise" scams have topped ~$5 billion in losses, which would be slightly more than one domain-industry unit of value, and WHOIS is crucial to fighting it.

source: https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack-c ould-spur-53-billion-in-losses-lloyds-of-london-idUSKBN1A20AB

source: https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends/d omain-name-industry

source: https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-thou sands-top-5-billion-in-losses-globally.html

Remember, the whole point of GDPR is to force companies to act with more social responsibility.

On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk@nic.br> wrote:

...

...

On 14 Feb 2018, at 20:49, John Horton <john.horton@legitscript.com> wrote:

Hmm, well, perhaps it's because I work for a company that processes quite a bit of data with a combination of algorithms and some human review, but I feel pretty confident that there are ways to simplify that with magic algorithms and forms.

Magic algorithms are fine in pattern detection because there is always a human review at some point or the cost of error is low, like in raising an abuse case that contains wording like supposedly", "allegedly" etc. In this case, every false negative comes with a tremendous liability.

Also, if machine-learning technology and deep pockets for lawsuits become a requirement for being a registrar, you can count on the number of registrars dropping to single digits.

Rubens

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

--

_________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Seriously, more personal data is collected by smart TVs and your mobile phone!! Lets get back on topic please. From: Volker Greimann <vgreimann@key-systems.net> Date: Thursday, February 15, 2018 at 4:56 PM To: Paul Keating <paul@law.es>, Chuck <consult@cgomes.com>, <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

I imagine you would. Anyone who needs big data for their job does. And that is not necessarily a bad thing as big data can be used for wonderful things.

Unless it conflicts with the personal rights of those you are collecting data on. Because they also do not like their data being available for anyone to see, forever.

Volker

Am 15.02.2018 um 16:47 schrieb Paul Keating:

...

Paraphrasing a person I know.

The more data input the better as long as it is carefully considered.

I do NOT like the idea of relying on ICANN to receive input provided via their interacting with a third party. I would prefer to obtain the unfiltered data.

Paul

From: Chuck <consult@cgomes.com> on behalf of Chuck <consult@cgomes.com> Date: Thursday, February 15, 2018 at 3:56 PM To: Paul Keating <paul@law.es>, 'Volker Greimann' <vgreimann@key-systems.net>, <gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

...

Apparently, ICANN org has been interacting with DPAs regarding a possible interim solution, so maybe we will get some helpful input from those efforts. Note Stephanie¹s suggestion that we could submit questions to the DP experts that participated in our public meeting last year.

Chuck

From: Paul Keating [mailto:Paul@law.es] Sent: Thursday, February 15, 2018 6:10 AM To: Chuck <consult@cgomes.com>; 'Volker Greimann' <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Chuck,

That said I really do like the idea of having interaction and participation by the DPAs and even someone from Article 29 or other GDPR official groups. Otherwise we continue to work in a vacuum.

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Chuck <consult@cgomes.com> Date: Thursday, February 15, 2018 at 2:57 PM To: 'Volker Greimann' <vgreimann@key-systems.net>, <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

...

I¹d like to think that the ICANN community effort going on outside this WG will take note of the cybersecurity concerns that Allison raises as they try to finalize an interim solution to deal with the GDPR in the near term. Note this quote from Goren¹s latest blog that ICANN org is trying to find a balanced approach: ³This single, common interim model that is informed by input from across the ICANN community would seek to obtain compliance with both the GDPR and ICANN's contractual requirements related to registration directory services.² Here¹s the blog: https://www.icann.org/news/blog/data-protection-privacy-update-latest-devel opments

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, February 15, 2018 1:02 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

DPAs are law enforcement and will enforce the law of the land. They do not have the option to pick and choose after May 25.

Maybe it is time for you and your colleagues to start looking at other sources of information to ensure you can continue operation efficiently once your currently chosen method becomes illegal. Remember, you are a data processor too and what you do with that data could very well paint a target on your backs that DPS may have to deal with.

Best,

Volker

Am 15.02.2018 um 02:36 schrieb allison nixon:

...

Hi everyone,

I have already begun to hear unrest from my colleagues who work in infosec and network operations about the degradation of WHOIS, as registrars have already begun to act on their own, stripping everything and blocking bulk queriers on domains frequently used for attacks. Every day of additional uncertainty equals an additional day of victimization.

Why has no one approached the DPAs with the evidence of security purposes for WHOIS? How much network degradation will we tolerate before someone bothers to give them a little hint? How many more judgments from the DPAs are we going to read that display clear ignorance of all legitimate cybersecurity purposes? Did no one see this coming?

Since we are talking about cost benefit analysis, here is a quick one I just did that I would like to share with the group. I did a quick look for the value of the domain registration industry as a whole. Seems to be ~$4 billion. The losses incurred by the WanaCry malware are estimated to be at ~$8 billion. A single security incident destroying value equal to double your entire industry.

In May 2017, the FBI stated that over three years the "business email compromise" scams have topped ~$5 billion in losses, which would be slightly more than one domain-industry unit of value, and WHOIS is crucial to fighting it.

source: https://www.reuters.com/article/us-cyber-lloyds-report/global-cyber-attack -could-spur-53-billion-in-losses-lloyds-of-london-idUSKBN1A20AB

source: https://cira.ca/factbook/domain-industry-data-and-canadian-Internet-trends /domain-name-industry

source: https://www.csoonline.com/article/3195010/security/bec-attacks-have-hit-th ousands-top-5-billion-in-losses-globally.html

Remember, the whole point of GDPR is to force companies to act with more social responsibility.

On Wed, Feb 14, 2018 at 6:08 PM, Rubens Kuhl <rubensk@nic.br> wrote:

...

> > > > On 14 Feb 2018, at 20:49, John Horton <john.horton@legitscript.com> > wrote: > > > > > > > > > Hmm, well, perhaps it's because I work for a company that processes > quite a bit of data with a combination of algorithms and some human > review, but I feel pretty confident that there are ways to simplify that > with magic algorithms and forms. > > > >

Magic algorithms are fine in pattern detection because there is always a human review at some point or the cost of error is low, like in raising an abuse case that contains wording like supposedly", "allegedly" etc. In this case, every false negative comes with a tremendous liability.

Also, if machine-learning technology and deep pockets for lawsuits become a requirement for being a registrar, you can count on the number of registrars dropping to single digits.

Rubens

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

--

_________________________________ Note to self: Pillage BEFORE burning.

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Hi everyone and welcome Steve, In my own view, I think we have actually been using the RDAP protocol as the basis for our discussions thus far, and in the anticipation of the added functionality that RDAP offers, this has subsequently informed a lot of the lengthy debate around the different datasets, purposes, requirements etc. I echo the sentiment expressed by both Steve and Michele that we should continue to design future RDS policy with a fresh mindset, whilst acknowledging and closely scrutinising our ideas in accordance with legal frameworks and operational requirements. Its definitely a very complicated task, but I think we’re doing that, and credit to everyone for their amazing dedication thus far. Whatever the outcome, I think the most important thing is that we work through the process in a spirit of mutual respect and polite attitude at all times. Kind regards, Nick Nick Shorey Phone: +44 (0) 7552 455 988 Email: lists@nickshorey.com Skype: nick.shorey Twitter: @nickshorey LinkedIn: www.linkedin.com/in/nicklinkedin Web: www.nickshorey.com

On 14 Feb 2018, at 17:50, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Steve

Welcome to the WG – so now we know the answer to the question about what happens to ICANN Board Chairs when they step down ..

On a more serious note – I don’t disagree, but unfortunately a lot of our time and energy has been wasted with arguments that cling to the “status quo”. Unless that attitude changes dramatically it’ll be hard to make progress in a timely fashion.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ <https://www.blacknight.com/> http://blacknight.blog/ <http://blacknight.blog/> Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ <https://michele.blog/> Some thoughts: https://ceo.hosting/ <https://ceo.hosting/> ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Steve Crocker <steve@shinkuro.com> Date: Wednesday 14 February 2018 at 16:27 To: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

I am only partially up to speed on the state of discussion within this WG, but I have been following the RDS situation for several years.  In my view, the current focus on GDPR, while understandable because of the looming deadline, is logically backwards.  The challenge, which we tried to address forcefully in 2012, is to rethink the RDS from the ground up.  In my view, this is: <>

o necessary

o feasible

o will lead to a much cleaner model

o will make it relatively straightforward to satisfy the GDPR and all similar regulations around the world.

There are also some issues such as the relationship of name server operators that also need to be addressed.

There is obviously much more that needs to be said. I will contribute as much and as quickly as I can.

Steve

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg