Krebs On Security article RE whois and GDRP
The comments are certainly worth a read. I have observed one commenter note that they use WHOIS to dox others. Very troubling, and in line with [this comment](https://www.icann.org/en/system/files/files/gdpr-comments-apc-icann-proposed...) submitted by Anriette Esterhuysen of APC to ICANN last month, where she noted that, "These are not just hypothetical or trivial risks. An APC staff member whose address was included in the WHOIS database received a death threat directed at herself and her family."
— Ayden
-------- Original Message --------
On 16 February 2018 1:07 AM, Dotzero <dotzero@gmail.com> wrote:
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
If you read all the comments, and not just the one from the person with the pseudonym “WHOIS”, you will see that the comments run somewhat in favor of keeping Whois information public. As for Mr. WHOIS, the pseudonym nicely provides him the privacy to confess to doxxing people and remain unidentifiable. So the comments are indeed worthwhile, both as an example of the range and distribution of views on the subject and the use of a form of “privacy” to hide from detection. (Unless someone is advocating a “right to doxx”, that would seem to be a Bad Thing.) Of course, he could be fibbing, and never doxxed anyone, but there is no way to know that.
Finally, I think reading the article is much more worthwhile than reading the comments, just as I think the views of Brian Krebs are much more worthwhile than those of Mr. WHOIS-who-might-or-might-not-be-a-doxxer.
I suppose everyone is entitled to their sources of information, but I still ascribe to the caveat “consider the source”.
Greg
On Thu, Feb 15, 2018 at 9:18 PM Ayden Férdeline <icann@ferdeline.com> wrote:
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Brian Krebs is someone whom I hold in high esteem, so of course I did read his article. And he raised some points that saw me legitimately pause and reflect. And then I read the comments. Why? Because anonymity sometimes gives people the courage to say things online that they wouldn’t ordinarily share. Given the readership of Krebs' website, which I suspect attracts an equal number of cybercriminals to security researchers, I found the honesty - that some are using WHOIS for malicious purposes - to be very refreshing. I never said read only that comment; I said, "the comments are certainly worth a read," and they are. There are other insightful comments: a security researcher who says WHOIS data is being abused, a long-time reader who disagrees with Krebs and says we can "get the cyber criminals and our privacy at the same time", another who notes the "incredible [nuance]" of the GDPR which they say "seems to *actually be aimed at trying to solve the problem*." So please, do read all of the comments.
Ayden
-------- Original Message --------
On 16 February 2018 8:11 AM, Greg Shatan <gregshatanipc@gmail.com> wrote:
And there are security researchers who have filed abuse complaints with registries or hosting providers who have had those complaints forwarded whole and entire to criminals. And those researchers have had their lives threatened. No one is saying there aren’t privacy risks in whois. Making whois privacy free for individuals mitigates that risk. It seems there are some who basically want a global whois blackout, not realizing there are a great many privacy risks MITIGATED with access to whois. Our participation in this list has been one of consistent ignoring of this ground truth.
-- John Bambenek
On Feb 15, 2018, at 20:17, Ayden Férdeline <icann@ferdeline.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law, e.g.:
https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Friday 16 February 2018 at 00:07
To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
How do you guys expect to have privacy without security?
On Fri, Feb 16, 2018 at 7:09 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
-- _________________________________ Note to self: Pillage BEFORE burning.
Allison
Have I ever advocated that?
I’ve always felt that security and privacy go hand in hand.
Regards
Michele
From: allison nixon <elsakoo@gmail.com>
Date: Friday 16 February 2018 at 17:54
To: Michele Neylon <michele@blacknight.com>
Cc: Dotzero <dotzero@gmail.com>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I addressed "you guys", not you specifically. I'm addressing the list as a whole. WHOIS is a critical component in security. You guys claim to care about privacy. Yet quite a number of you guys do not give any credence to the importance of securing one's own networks from the onslaught of malicious domains in use. So please explain to me how we can have one without the other.
On Fri, Feb 16, 2018 at 2:20 PM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
We expect there will be privacy AND security. You are clever people, you will figure something out on how to deliver your services without requiring the violation of the privacy of all registrants.
Volker
On 16.02.2018 at 18:53, allison nixon wrote:
--
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Often when we send in abuse reports to registries, those abuse reports are forwarded to criminals whole and entire with our names and contact information. That has led to immediate attacks on the complainant. For instance, some have been swatted (spoofed calls to police to generate an armed response where they kick in doors guns drawn). This has become so commonplace, many people either have stopped abuse complaints altogether or use aliases to talk to registries.
In a gated RDS, you will need to know exactly who we are and inherently know what we are looking at. Considering the history of the exact class of people who will have access to that information, what will YOU do to protect OUR privacy and security? Or can we expect now even our RDS queries will be forwarded to criminals also?
The problem with “you people will figure it out” is that often, registries will take a hostile approach to “us”. If you (as a class) were willing to partner with us, genuinely, I bet we COULD accomplish the mission without RDS. The problem is the history is that at best we get neutrality, but far too often providers have instead, in effect, partnered with the criminals and that has resulted in far worse attacks on OUR privacy and security.
J
-- John Bambenek
On Feb 21, 2018, at 00:54, Volker Greimann <vgreimann@key-systems.net> wrote:
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Bambenek via gnso-rds-pdp-wg
Sent: Wednesday, February 21, 2018 9:22 AM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: gnso-rds-pdp-wg@icann.org
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

I have one approach documented in an Internet-Draft that describes how RDAP can work with federated authentication. It describes a “do not track” identity claim that tells the RDS operator that the end user is authorized for just the kind of protection that you’re describing. It’s technically possible if supported by operational policy.
Scott
On 21 Feb 2018, at 11:22, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
John,
Isn't your description a good advocacy piece for having privacy instead of ditching it? The same privacy you would like to have, registrants would like to have, and currently they don't.
Rubens
Privacy is having the ability to control what is known about you. You can find my cell phone number. That’s because I have chosen that. I don’t think a bunch of mostly white, mostly upper middle class, mostly North American and European people should decide for almost 7 billion people what choices THEY have with their own data.
I am ok with a free privacy option for registrants.
-- John Bambenek
On Feb 21, 2018, at 08:31, Rubens Kuhl <rubensk@nic.br> wrote:
We agree here John. Privacy is about control over your data. Do you want to post all your personal information on a forum? Sure, include photos if you want too. Put your cell phone number in a public directory? Sure. Or advertise it on a billboard if you want. Privacy for registrants? Sure, by default and not the other way around, as they would lose control and that is indeed not for this WG to decide. But it is for this WG to come up with solutions to make sure that privacy does not end up where registrants are not accountable for their actions. That would be backwards and rather silly.
Theo
On 21-2-2018 23:16, John Bambenek via gnso-rds-pdp-wg wrote:
Privacy is having the ability to control what is known about you. You can find my cell phone number. That’s because I have chosen that. I don’t think a bunch of mostly white mostly upper middle class mostly north american and european people should decide for almost 7 billion people what choices THEY have with their own data.
I am ok with a free privacy option for registrants.
-- John Bambenek
On Feb 21, 2018, at 08:31, Rubens Kuhl <rubensk@nic.br> wrote:
Em 21 de fev de 2018, à(s) 11:22:000, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> escreveu:
Often when we send in abuse reports to registries, those abuse reports are forwarded to criminals whole and entire with our names and contact information. That has lead to immediate attacks on the complaintant. For instance, some have been swatted (spoofed calls to police to generate and armed response where they kick in doors guns drawn). This has become so common place, many people either have stopped abuse complaints all together or use aliases to talk to registries.
In a gated RDS, you will need to know exactly who we are and inherently know what we are looking at. Considering the history of the exact class of people who will have access to that information, what will YOU do to protect OUR privacy and security? Or can we expect now even our RDS queries will be forwarded to criminals also?
The problem with “you people will figure it out” is that often, registries will take a hostile approach to “us”. If you (as a class) were willing to partner with us, genuinely, I bet we COULD accomplish the mission without RDS. The problem is the history is that at best we get neutrality, but far too often providers have instead, in effect, partnered with the criminals and that has resulted in far worse attacks on OUR privacy and security.
John,

Isn't your description a good advocacy piece for having privacy instead of ditching it? The same privacy you would like to have, registrants would like to have, and currently they don't.
Rubens
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?

Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to Tor.

-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws. It refers to registrars solely and ignores registries. It also makes it sound like issues around whois are “new”, which we all know isn’t true. The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg: https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Friday 16 February 2018 at 00:07
To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.

John Horton
President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Please refer to where registrars have been unwilling to explore this option?

--
Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen
Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar
IANA-ID: 638
Phone: +46.42197000
Direct: +47.32260201
Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.

I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.

I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.

John Horton
President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Such a distinction sounds complex for a registrar to make, and even more burdensome for a registrar to implement. Who could afford to do this? I would also worry that such costs would be passed on to domain name registrants.

— Ayden

-------- Original Message --------
On 16 February 2018 7:52 PM, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
On Fri, Feb 16, 2018 at 02:01:42PM -0500, Ayden Férdeline wrote:
Such a distinction sounds complex for a registrar to make, and even more burdensome for a registrar to implement. Who could afford to do this?
It seems it'd be pretty trivial to do on the basis of the country code that's required in the postal address, no?
I would also worry that such costs would be passed on to domain name registrants.
The costs of the EU privacy rules _are_ going to be passed on to consumers. I know that there are apparently rules that that is not to happen, but that's the sort of absurd desire that King Canute was trying to illustrate. Conformance to the regulation imposes costs, and they're going to have to be recovered somehow.

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
That's an excellent point, Andrew -- compliance isn't free. Unfortunately. (I mean, we have our own GDPR compliance we're dealing with in my company, and yeah, the money has to come from somewhere! I wish that weren't the case.)

John Horton
President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Fri, Feb 16, 2018 at 11:09 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
Such a distinction sounds complex for a registrar to make, and even more burdensome for a registrar to implement.
And is against the advice some Registrars are being given by their DPAs who are saying that the company being in Europe means it applies to all our customers

Rob
And herein lies the exact problem: too many people on this group are thinking about what's right for registrars and registries, not internet users as a whole. (Which, obviously, is more than just registrants.)

ICANN policy isn't supposed to serve the interests of registrars. It's supposed to serve the broader public interest.

Benny, sorry -- I don't understand your email. :)

John Horton
President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Fri, Feb 16, 2018 at 11:01 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
We are also thinking about what is right for registrants and their right to data privacy that has been violated for too long.

Volker

If LEAs and governments want publicly accessible whois databases, they should legislate it, just like they have legislated imprints on websites, land registries, company registers, car registration registries and many more. But they have not and seem to be disinclined to do so. That in and of itself should tell you something. Why do they legislate what has to be on a website but not what has to be in whois? Take a guess!

Volker
On 16. Feb 2018, at 20:11, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
And herein lies the exact problem: too many people on this group are thinking about what's right for registrars and registries, not internet users as a whole. (Which, obviously, is more than just registrants.)
ICANN policy isn't supposed to serve the interests of registrars. It's supposed to serve the broader public interest.
Benny, sorry -- I don't understand your email. :)
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:01 AM, Ayden Férdeline <icann@ferdeline.com <mailto:icann@ferdeline.com>> wrote: Such a distinction sounds complex for a registrar to make, and even more burdensome for a registrar to implement. Who could afford to do this? I would also worry that such costs would be passed on to domain name registrants.
— Ayden
-------- Original Message -------- On 16 February 2018 7:52 PM, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> wrote:
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system in involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <mailto:benny@nordreg.se> <benny@nordreg.se <mailto:benny@nordreg.se>> wrote: Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 <tel:%2B46.42197000> Direct: +47.32260201 <tel:%2B47.32260201> Mobile: +47.40410200 <tel:%2B47.40410200>
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> wrote: GDPR taken to its logical extreme very well could require us to abandon IP reputation and to emptying our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com <mailto:michele@blacknight.com>> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rul... <https://www.irishtimes.com/business/technology/european-court-of-justice-rul...>
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/ <https://www.blacknight.com/>
http://blacknight.blog/ <http://blacknight.blog/>
Intl. +353 (0) 59 9183072 <tel:%2B353%20%280%29%2059%20%209183072>
Direct Dial: +353 (0)59 9183090 <tel:%2B353%20%280%2959%209183090>
Personal blog: https://michele.blog/ <https://michele.blog/>
Some thoughts: https://ceo.hosting/ <https://ceo.hosting/>
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Friday 16 February 2018 at 00:07
To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
--
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net / www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore, it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Uh...that's not a universal requirement. I know a lot (some? a lot? not sure) of EU countries have that for commercial websites, and Japan does too (something we actually monitor for), but it's not like that's a requirement in the majority of countries. It's a minority approach, actually.
John Horton
President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Tue, Feb 20, 2018 at 9:45 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
We are also thinking about what is right for registrants and their right to data privacy that have been violated for too long.
Volker
If LEAs and governments want publicly accessible whois databases, they should legislate it, just like they have legislated imprints on websites, land registries, company registers, car registration registries and many more.
But they have not and seem to be disinclined to do so. That in and of itself should tell you something.
Why do they legislate what has to be on a website but not what has to be in whois? Take a guess!
Volker
On 16. Feb 2018, at 20:11, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
And herein lies the exact problem: too many people on this group are thinking about what's right for registrars and registries, not internet users as a whole. (Which, obviously, is more than just registrants.)
ICANN policy isn't supposed to serve the interests of registrars. It's supposed to serve the broader public interest.
Benny, sorry -- I don't understand your email. :)
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 11:01 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Such a distinction sounds complex for a registrar to make, and even more burdensome for a registrar to implement. Who could afford to do this? I would also worry that such costs would be passed on to domain name registrants.
— Ayden
-------- Original Message -------- On 16 February 2018 7:52 PM, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
I am aware it is not a universal requirement, yet it is still a valid example of governments taking action and legislating a requirement to publish certain information in a certain format. While they did so for content, they did not do so for domain name registrations even though they could have. If governments feel this information should be public, they have the option of legislating it. Until they do, the general rules on the protection of personal information apply.
Best,
Volker
On 20.02.2018 at 18:51, John Horton wrote:
John
It's an EU directive, so while it was implemented in all member states there are differences. That's why emails from Volker contain more information in the footer than ones you get from me ☺
Regards
Michele
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Tuesday 20 February 2018 at 18:52
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Tue, Feb 20, 2018 at 9:45 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

We are also thinking about what is right for registrants and their right to data privacy that have been violated for too long.

Volker

If LEAs and governments want publicly accessible whois databases, they should legislate it, just like they have legislated imprints on websites, land registries, company registers, car registration registries and many more.

But they have not and seem to be disinclined to do so. That in and of itself should tell you something.

Why do they legislate what has to be on a website but not what has to be in whois? Take a guess!

Volker

On 16. Feb 2018, at 20:11, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

And herein lies the exact problem: too many people on this group are thinking about what's right for registrars and registries, not internet users as a whole. (Which, obviously, is more than just registrants.)

ICANN policy isn't supposed to serve the interests of registrars. It's supposed to serve the broader public interest.

Benny, sorry -- I don't understand your email. :)

John Horton President and CEO, LegitScript

Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter

On Fri, Feb 16, 2018 at 11:01 AM, Ayden Férdeline <icann@ferdeline.com> wrote:

Such a distinction sounds complex for a registrar to make, and even more burdensome for a registrar to implement. Who could afford to do this? I would also worry that such costs would be passed on to domain name registrants.

— Ayden

-------- Original Message --------

On 16 February 2018 7:52 PM, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.

I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.

I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.

John Horton President and CEO, LegitScript

Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter

On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:

Please refer to where registrars have been unwilling to explore this option?

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Friday 16 February 2018 at 00:07
To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
--

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH, Im Oberen Werk 1, 66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net / www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems / www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu

This e-mail and its attachments are intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
CHALLENGE ACCEPTED -- John Bambenek
On Feb 20, 2018, at 11:45, Volker Greimann <vgreimann@key-systems.net> wrote:
Well I think this very much depends on the viewpoint and what risk the different registrars are willing to take as long as there is no clear policy which they can lean against. But I think you miss the point here: it's not only registrants that are in the GDPR scope; any contact with personal info is protected under the law.

-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen

Benny Samuelsen Registry Manager - Domainexpert

Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:52, John Horton <john.horton@legitscript.com> wrote:
John

There are two distinct discussions here which seem to be getting mixed together.

During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.

The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.

Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.

Where there is a clear difference is between treatment of registrants based on geography.

As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.

I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 18:54
To: "benny@nordreg.se" <benny@nordreg.se>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,

Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.

John Horton President and CEO, LegitScript

Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter

On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072 <+353%2059%20918%203072>
Direct Dial: +353 (0)59 9183090 <+353%2059%20918%203090>
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow, R93 X265
,Ireland Company No.: 370845
*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> *Reply-To: *John Horton <john.horton@legitscript.com> *Date: *Friday 16 February 2018 at 18:54 *To: *"benny@nordreg.se" <benny@nordreg.se> *Cc: *RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system in involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to Tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that.
I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
John,
Given that the GDPR only applies to private data of private individuals residing in the EU, I doubt you will ever see such a statement.
Sent from my iPad
On 16 Feb 2018, at 21:02, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording my differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow, R93 X265
,Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow, R93 X265
,Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 18:54 To: "benny@nordreg.se" <benny@nordreg.se> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system in involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to Tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law, e.g.:
https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
I interpret the GDPR as applying to anyone, residing anywhere, regardless of his or her citizenship, whose data is processed within the legal boundaries of the European Union.
[Recital 2](http://www.privacy-regulation.eu/en/recital-2-GDPR.htm) (emphasis added) states: "The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, *whatever their nationality or residence*, respect their fundamental rights and freedoms, in particular their right to the protection of personal data."
[Recital 4](http://www.privacy-regulation.eu/en/recital-4-GDPR.htm) (emphasis added) states: "The processing of personal data should be *designed to serve mankind*."
[Recital 14](http://www.privacy-regulation.eu/en/recital-14-GDPR.htm) (emphasis added) states: "The protection afforded by this Regulation should apply to natural persons, *whatever their nationality or place of residence*, in relation to the processing of their personal data."
Ayden
-------- Original Message --------
On 16 February 2018 9:07 PM, Paul Keating <paul@law.es> wrote:
John,
Given that the GDPR only applies to private data of private individuals residing in the EU, I doubt you will ever see such a statement.
Sent from my iPad
On 16 Feb 2018, at 21:02, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: [LinkedIn](http://www.linkedin.com/company/legitscript-com) | [Facebook](https://www.facebook.com/LegitScript) | [Twitter](https://twitter.com/legitscript) | [Blog](http://blog.legitscript.com/) | [Newsletter](http://go.legitscript.com/Subscription-Management.html)
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. [+353 (0) 59 9183072](tel:+353%2059%20918%203072)
Direct Dial: [+353 (0)59 9183090](tel:+353%2059%20918%203090)
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: [LinkedIn](http://www.linkedin.com/company/legitscript-com) | [Facebook](https://www.facebook.com/LegitScript) | [Twitter](https://twitter.com/legitscript) | [Blog](http://blog.legitscript.com/) | [Newsletter](http://go.legitscript.com/Subscription-Management.html)
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
As one who is trying to understand the GDPR, the key condition for these recitals is ‘processed within the legal boundaries of the European Union’.
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline Sent: Friday, February 16, 2018 12:27 PM To: Paul Keating <paul@law.es> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I don't understand how the GDPR could protect non-European natural persons dealing with non-European companies.
Unfortunately, not all laws can be that well enforced, but they are nevertheless in place. In this particular example, I think there's the massive threat of getting fined, which will give the companies the right incentive to comply. Banks and financial services in tax havens didn't expect to get caught either. If a non-European company complies with the GDPR because of its European customers, then its non-European customers are extended the same protections through interfaces and access.
-Raoul
On 17 February 2018 at 20:20, <consult@cgomes.com> wrote:
As one who is trying to understand the GDPR, the key condition for these recitals is ‘processed within the legal boundaries of the European Union’.
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Ayden Férdeline *Sent:* Friday, February 16, 2018 12:27 PM *To:* Paul Keating <paul@law.es>
*Cc:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I interpret the GDPR as applying to anyone, residing anywhere, regardless of his or her citizenship, whose data is processed within the legal boundaries of the European Union.
Recital 2 <http://www.privacy-regulation.eu/en/recital-2-GDPR.htm> (emphasis added) states: "The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, *whatever their nationality or residence*, respect their fundamental rights and freedoms, in particular their right to the protection of personal data."
Recital 4 <http://www.privacy-regulation.eu/en/recital-4-GDPR.htm> (emphasis added) states: "The processing of personal data should be *designed to serve mankind*."
Recital 14 <http://www.privacy-regulation.eu/en/recital-14-GDPR.htm> (emphasis added) states: "The protection afforded by this Regulation should apply to natural persons, *whatever their nationality or place of residence*, in relation to the processing of their personal data."
Ayden
-------- Original Message --------
On 16 February 2018 9:07 PM, Paul Keating <paul@law.es> wrote:
John,
Given that the GDPR only applies to private data of private individuals residing in the EU, I doubt you will ever see such a statement.
Sent from my iPad
On 16 Feb 2018, at 21:02, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 18:54 To: "benny@nordreg.se" <benny@nordreg.se> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
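The two approaches John Horton contrasts above (blanket redaction of port-43 WHOIS output for every registrant, versus redacting personal-data fields only for in-scope registrants and releasing them to vetted requesters in legitimate cases) expressed as an added Python example. This is not code from the thread or from any registrar. It assumes a port-43 style "Key: Value" response, a registrar-held flag for whether the registrant is a natural person plus their country, a constructed sample record, and the field list and EU/EEA country set shown are assumptions for illustration only.

```python
"""Field-level WHOIS redaction driven by registrant scope.

Added example for this thread, not code from any registrar or from the
list discussion. It assumes a port-43 style "Key: Value" response and a
registrar-held flag for whether the registrant is a natural person and
where they are located; field names follow the common gTLD layout.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

Record = List[Tuple[str, str]]

# Contact fields treated as personal data in this example (assumption).
PERSONAL_FIELDS = {
    f"{role} {attr}"
    for role in ("Registrant", "Admin", "Tech")
    for attr in ("Name", "Street", "City", "Postal Code", "Phone", "Email")
}

# EU member states plus EEA (IS, LI, NO) as of the thread's date, February
# 2018, so GB is still listed. Location alone is a simplification of the
# regulation's territorial scope, kept that way for the illustration.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB", "IS", "LI", "NO",
}

REDACTED = "REDACTED FOR PRIVACY"

# A WHOIS field line: a short key of letters, digits, spaces, '/' or '-',
# then ':' and the value. Notices such as "... visit https://icann.org/epp"
# contain commas or start with punctuation and therefore do not match.
KV = re.compile(r"^([A-Za-z][\w /-]{0,40}):\s*(.*)$")


@dataclass(frozen=True)
class Registrant:
    natural_person: bool  # individual (True) or legal entity (False)
    country: str          # ISO 3166-1 alpha-2 country of residence / seat


def parse_whois(text: str) -> Record:
    """Parse 'Key: Value' lines in order; skip blanks, comments and notices."""
    record: Record = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        m = KV.match(line)
        if m:
            record.append((m.group(1).strip(), m.group(2).strip()))
    return record


def in_scope(registrant: Registrant) -> bool:
    """Targeted test: a natural person located in the EU/EEA."""
    return registrant.natural_person and registrant.country.upper() in EEA


def redact(record: Record, registrant: Registrant, policy: str) -> Record:
    """Apply one of two redaction policies to the personal-data fields.

    "all":    replace them for every registrant (the blanket approach
              the thread attributes to GoDaddy's port-43 output).
    "scoped": replace them only when in_scope() holds (the targeted
              approach John Horton asks registrars to consider).
    """
    if policy not in ("all", "scoped"):
        raise ValueError(f"unknown policy {policy!r}")
    hide = policy == "all" or in_scope(registrant)
    return [(k, REDACTED if hide and k in PERSONAL_FIELDS else v) for k, v in record]


def disclose(record: Record, registrant: Registrant, policy: str,
             accredited: bool) -> Record:
    """Gate for 'access to those fields in legitimate cases': a requester
    vetted elsewhere (accredited=True) gets the full record, anyone else
    gets the policy-redacted one."""
    return list(record) if accredited else redact(record, registrant, policy)


def render(record: Record) -> str:
    return "\n".join(f"{k}: {v}" for k, v in record)


# Constructed sample response; placeholder values, not a real registration.
SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrar URL: http://registrar.example
Registrant Name: Jane Doe
Registrant Street: 1 Sample Street
Registrant Country: IE
Registrant Phone: +353.590000000
Registrant Email: jane@example.com
Name Server: NS1.EXAMPLE.NET
>>> Last update of WHOIS database: 2018-02-17T00:00:00Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
"""

if __name__ == "__main__":
    rec = parse_whois(SAMPLE)
    eu_individual = Registrant(natural_person=True, country="IE")
    us_company = Registrant(natural_person=False, country="US")
    print(render(redact(rec, eu_individual, "scoped")))   # contact fields hidden
    print("---")
    print(render(redact(rec, us_company, "scoped")))      # untouched under "scoped"
    print("---")
    print(render(redact(rec, us_company, "all")))         # hidden under "all"
```

The scope test is deliberately the weak point: it depends on the registrar knowing whether the registrant is a natural person and where they are located, which is exactly the data Michele notes is hard to collect from existing customers. Without that flag, a registrar can only pick "all".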
Thanks Raoul. So you think that a non-European registrar or registry could be fined if it violated the GDPR for a non-European natural person?
Chuck
From: Raoul Plommer [mailto:plommer@gmail.com] Sent: Saturday, February 17, 2018 10:57 AM To: consult@cgomes.com Cc: Ayden Férdeline <icann@ferdeline.com>; Paul Keating <paul@law.es>; RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Let me rephrase that: a non-European company complies with GDPR because of its European data subjects (could be fined otherwise). Their non-European clients are thus very possibly, indirectly protected because of the GDPR, if the company makes changes to all of its processing of data. I think GoDaddy is already an example of that.
-Raoul
On 17 February 2018 at 21:03, <consult@cgomes.com> wrote:
Thanks Raoul. So you think that a non-European registrar or registry could be fined if it violated the GDPR for a non-European natural person?
Chuck
*From:* Raoul Plommer [mailto:plommer@gmail.com] *Sent:* Saturday, February 17, 2018 10:57 AM *To:* consult@cgomes.com *Cc:* Ayden Férdeline <icann@ferdeline.com>; Paul Keating <paul@law.es>; RDS PDP WG <gnso-rds-pdp-wg@icann.org>
*Subject:* Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I don't understand how the GDPR could protect non-European natural persons dealing with non-European companies.
Unfortunately, not all laws can be that well enforced, but they are nevertheless in place. In this particular example, I think there's the massive threat of getting fined, that will give the companies the right incentive to comply. Banks and financial services in tax-havens didn't expect to get caught either.
If a non-European company complies with the GDPR because of its European customers, then its non-European are extended the same protections through interfaces and access.
-Raoul
On 17 February 2018 at 20:20, <consult@cgomes.com> wrote:
As one who is trying to understand the GDPR, the key condition for these recitals is ‘processed within the legal boundaries of the European Union’.
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Ayden Férdeline *Sent:* Friday, February 16, 2018 12:27 PM *To:* Paul Keating <paul@law.es>
*Cc:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I interpret the GDPR as applying to anyone, residing anywhere, regardless of his or her citizenship, whose data is processed within the legal boundaries of the European Union.
Recital 2 <http://www.privacy-regulation.eu/en/recital-2-GDPR.htm> (emphasis added) states: "The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, *whatever their nationality or residence*, respect their fundamental rights and freedoms, in particular their right to the protection of personal data."
Recital 4 <http://www.privacy-regulation.eu/en/recital-4-GDPR.htm> (emphasis added) states: "The processing of personal data should be *designed to serve mankind*."
Recital 14 <http://www.privacy-regulation.eu/en/recital-14-GDPR.htm> (emphasis added) states: "The protection afforded by this Regulation should apply to natural persons, *whatever their nationality or place of residence*, in relation to the processing of their personal data."
Ayden
-------- Original Message --------
On 16 February 2018 9:07 PM, Paul Keating <paul@law.es> wrote:
John,
Given that the GDPR only applies to private data of private individuals residing in the EU, i dount you will ever see such a statement.
Sent from my iPad
On 16 Feb 2018, at 21:02, John Horton via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording my differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 19:28
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 18:54
To: "benny@nordreg.se" <benny@nordreg.se>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then... hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Chuck,
The part 2 of the Hamilton paper suggested that exact risk. But regardless of that scenario, for registries specifically it would be very challenging to do something for its EU-based registrars and something different for its non-EU registrars and also be compliant with the non-discriminatory access clause in registry agreements. So I see less registries taking EU origin as an aspect than registrars, since registrars don't have non-discriminatory access rules to follow.
Rubens
On 17 Feb 2018, at 17:03, <consult@cgomes.com> wrote:
Thanks Raoul. So you think that a non-European registrar or registry could be fined if it violated the GDPR for a non-European natural person?
Chuck
From: Raoul Plommer [mailto:plommer@gmail.com]
Sent: Saturday, February 17, 2018 10:57 AM
To: consult@cgomes.com
Cc: Ayden Férdeline <icann@ferdeline.com>; Paul Keating <paul@law.es>; RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I don't understand how the GDPR could protect non-European natural persons dealing with non-European companies.
Unfortunately, not all laws can be that well enforced, but they are nevertheless in place. In this particular example, I think there's the massive threat of getting fined, that will give the companies the right incentive to comply. Banks and financial services in tax-havens didn't expect to get caught either.
If a non-European company complies with the GDPR because of its European customers, then its non-European are extended the same protections through interfaces and access.
-Raoul
On 17 February 2018 at 20:20, <consult@cgomes.com> wrote:
As one who is trying to understand the GDPR, the key condition for these recitals is ‘processed within the legal boundaries of the European Union’.
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Friday, February 16, 2018 12:27 PM
To: Paul Keating <paul@law.es>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I interpret the GDPR as applying to anyone, residing anywhere, regardless of his or her citizenship, whose data is processed within the legal boundaries of the European Union.
And the beat goes on:
“Facebook ordered to stop collecting user data by Belgian court. Social network instructed to delete illegally collected data or face €100m in fines after it loses case over consent and tracking.” https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court
Richard Allan, Facebook’s vice president of public policy for EMEA, said the company was disappointed with the verdict and intended to appeal: “The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU.”
Important point: For the social media companies the harvesting of personal data is more than a privacy issue. It is central to their business plans and their market valuations. To quote a Canadian litigation law firm, companies will litigate "...until hell freezes over", and when hell freezes over "...they will strap on ice skates and continue to litigate".
As we work with RDS/WhoIS policy it is worth remembering that these are hundred million dollar issues for the companies. They view tens of millions a year in litigation as a "good investment".
Sam L.
Hi Sam,
When you say these are hundred million dollar issues for "the companies", which companies are you talking about? Large Registrars?
I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
Tim
On Sun, Feb 18, 2018 at 6:20 AM, Sam Lanfranco <sam@lanfranco.net> wrote:
Hi Tim,
No, completely to the contrary. My point with that dollars reference was that in some cases litigation is the preferred business response, rather than compliance and paying fines. Also, the big revenues in mining big data are outside the DNS sphere, and outside the abuses and "bad things" that websites do to people. The big EU fines are more likely to hit social media than Registrars, although there are risks there as well. The revenues, and privacy violations, will come from profiling users by mining big data for scraps of personal data to individualize target marketing.
As a brief aside: This goes well beyond the remit of ICANN and is actually worse than just being inundated by adverts based on personal online behavior. Artificial Intelligence mining apps are increasingly customizing the "news" one gets from news feeds, to help "glue the eyeballs" to the adverts, creating a news silo of one. (That is amusing for me since I virtually live in two towns in two countries). Even more worrisome is the growing practice for A.I. companies where A.I. "writes" the news releases, now mainly in sports and finance, for thousands of print and online news outlets. I know all of this is outside the ICANN remit so I will stop there.
Sam L.
On 2/18/2018 5:43 PM, Chen, Tim wrote:
Hi Sam,
When you say these are hundred million dollar issues for "the companies", which companies are you talking about? Large Registrars?
I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
Tim
<irony on> Now I am relieved, we as registrars will not be subject to anything... </irony off>

None of us know where and what they will prioritise; remember that it only takes one complaint to a DPA to get the snowball moving. I am sure your statement has no value then.

-- Kind Regards
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
Benny,

This is why I support multi-venue multi-stakeholder dialogue with the DPAs, so that they are apprised of the issues on all sides of the data protection issue. They are then more likely to act in a judicious manner, and less like an attack dog. Watch the new movie "*The Post*", in which *Washington Post* owner Katharine Graham decided to publish the Vietnam War Pentagon Papers, with the downside risk that she could be jailed for treason. The court ruled in favor of freedom of the press. It is not what the DPA can do, but what they are likely to do, and dialogue goes a long way to mitigating risk and shaping appropriate positions and behavior (with integrity) on all sides.

Sam L.
-- ------------------------------------------------ "It is a disgrace to be rich and honoured in an unjust state" -Confucius 邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也 ------------------------------------------------ Visiting Prof, Xi'an Jiaotong-Liverpool Univ, Suzhou, China Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 email: sam@lanfranco.net Skype: slanfranco blog: https://samlanfranco.blogspot.com Phone: +1 613-476-0429 cell: +1 416-816-2852
1,000,000% agreed. Registrars cannot eliminate all their risk by masking WHOIS into oblivion. The DPAs can still ask why they are exposing A records, nameservers, etc., to anyone who asks for them, without valid reasons or authentication. Why do they expose zone files, etc.? The DPAs can ask why customer support can sometimes so easily be social engineered into handing over accounts to account takeover scammers.

Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue? After all, the ultimate owner of the server is also considered a "processor", which has interesting implications if one's customers include phishers, or sell stolen credit cards, and one's already been notified. I have even seen miscreants putting doxes in TXT records.

I already know of quite a few incidents where people would have had standing to file a GDPR complaint against registrars/hosters, unrelated to WHOIS.

Eventually the issue is going to impact the core business model of registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs at an early stage is of utmost importance for all parties involved here.
-- _________________________________ Note to self: Pillage BEFORE burning.
I'm puzzled by the reference to name servers and A records. These are necessarily public, or else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?

Steve
Domain names, hostnames, and IP addresses, insofar as they are personally identifiable, are PII. Courts have ruled on IP addresses already and DPAs have said much the same.

So the same logic for why we can't have a system that lets people advertise who owns the domain is the same argument for why DNS must be gated.

Has any registrar done a PIA on publishing my nameservers? How do I control who gets that information? How do we enforce that it's for authorized purposes only?

-- John Bambenek
Domain names and name servers can comprise personal information. However, this does not mean we cannot use them. It just means we need to complete a privacy impact assessment and understand the risks involved. And I suspect the risks of a name server or domain name itself being public are incredibly low. The risk profile is nowhere near that of WHOIS or RDS being open for all to see, filled with sensitive data like addresses and phone numbers.

Ayden
We have no idea how to determine nationality, so we just assume GDPR applies. We have no idea how to determine natural vs legal person, so we assume natural person. We assume the user is too stupid to use a role-based email address or any other mitigations, so that’s not an option. We assume the user is too stupid to know why to do with voluntary fields, so putting data in whois is too risky even in an opt-in scenario. But now we are talking about acceptable levels of risk with nameservers? How are we going to control to make sure only the types of data processing on this sensitive information is limited to what is authorized? What if I don’t want you to have my nameservers? What are you registrars going to do to make that possible? -- John Bambenek
On Feb 20, 2018, at 11:11, Ayden Férdeline <icann@ferdeline.com> wrote:
Domain names and name servers can comprise personal information. However, this does not mean we cannot use them. It just means we need to complete a privacy impact assessment and understand the risks involved. And I suspect the risks to a name server or domain name itself being public are incredibly low. The risk profile is nowhere near that of WHOIS or RDS being open for all to see, filled with sensitive data like addresses and phone numbers.
Ayden
-------- Original Message --------
On 20 February 2018 5:55 PM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Domain names, hostnames, and IP addresses in so far as they are personally identifiable are PII. Courts have ruled on IP addresses already and DPAs have said much the same.
So the same logic on why we can’t have a system that lets people advertise who owns the domain is the same argument why DNS must be gated.
Has any registrar done a PIA on publishing my nameservers? How do I control who gets that information? How do we enforce that it's for authorized purposes only?
-- John Bambenek
On Feb 20, 2018, at 10:50, Steve Crocker <steve@shinkuro.com> wrote:
I'm puzzled by the reference to name servers and A records. These are necessarily public else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?
Steve
On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo@gmail.com> wrote:
1,000,000% agreed. Registrars cannot eliminate all their risk by masking WHOIS into oblivion. The DPAs can still ask why they are exposing A records, nameservers, etc, to anyone who asks for them, without valid reasons or authentication. Why do they expose zone files, etc. The DPAs can ask why customer support can sometimes so easily be social engineered into handing over accounts to account takeover scammers.
Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue? After all, the ultimate owner of the server is also considered a "processor", which has interesting implications if one's customers include phishers, or sell stolen credit cards, and one's already been notified. I have even seen miscreants putting doxes in TXT records.
I already know of quite a few incidents where people would have had standing to file a GDPR complaint against registrars/hosters, unrelated to WHOIS.
Eventually the issue is going to impact the core business model of registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs at an early stage is of utmost importance for all parties involved here.
On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco <sam@lanfranco.net> wrote:
Benny,
This is why I support multi-venue multi-stakeholder dialogue with the DPAs so that they are apprised of the issues on all sides of the data protection issue. They are then more likely to act in a judicious manner, and less like an attack dog. Watch the new movie "The Post", where Washington Post owner Katharine Graham decided to publish the Vietnam War Pentagon Papers, with the downside risk that she could be jailed for treason. The court ruled in favor of freedom of the press. It is not what the DPA can do, but what they are likely to do, and dialogue goes a long way to mitigating risk and shaping appropriate positions and behavior (with integrity) on all sides.
Sam L.
On 2/19/2018 10:02 AM, benny@nordreg.se wrote:
<irony on> Now I am relieved, we as registrars will not be subject to anything… </irony off>
None of us know where and what they will prioritise, remember that it only takes 1 complaint to a DPA to get the snowball moving. [emphasis added] I am sure your statement has no value then.
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 19 Feb 2018, at 15:29, Sam Lanfranco <sam@lanfranco.net> wrote:
Hi Tim,
No, completely to the contrary. My point with that dollars reference was that in some cases litigation is the preferred business response, rather than compliance and paying fines. Also, the big revenues in mining big data are outside the DNS sphere, and outside the abuses and "bad things" that websites do to people. The big EU fines are more likely to hit social media than Registrars, although there are risks there as well. The revenues, and privacy violations, will come from profiling users by mining big data for scraps of personal data to individualize target marketing.
As a brief aside: This goes well beyond the remit of ICANN and is actually worse than just being inundated by adverts based on personal online behavior. Artificial Intelligence mining apps are increasingly customizing the "news" one gets from news feeds, to help "glue the eyeballs" to the adverts, creating a news silo of one. (That is amusing for me since I virtually live in two towns in two countries). Even more worrisome is the growing practice for A.I. companies where A.I. "writes" the news releases, now mainly in sports and finance, for thousands of print and online news outlets. I know all of this is outside the ICANN remit so I will stop there.
Sam L.
On 2/18/2018 5:43 PM, Chen, Tim wrote:
Hi Sam,
When you say these are hundred million dollar issues for "the companies", which companies are you talking about? Large Registrars?
I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
Tim
John,
I think you're making the implicit assumption that access to name server (NS), address (A and AAAA) and related MX and DS records should be gated simply because someone can claim there might be personally identifiable information associated with these records. This is a very large assumption with very large consequences.
The DNS was designed to provide unfettered access to these records. The implication, therefore, is that anyone who publishes these records necessarily expects these records to be publicly available.
If you think there's a need for a system that makes the address information about a site accessible to only a selected set of people, design and build a system that provides that functionality. The Domain Name System, however, is not designed and not built that way. Anyone who publishes information in the DNS has necessarily chosen to make that information public. That's the end of the privacy issue with respect to the Domain Name System.
Discussion about how much information about the registrant is a separate matter, of course.
Steve
On Tue, Feb 20, 2018 at 12:17 PM, John Bambenek <jcb@bambenekconsulting.com> wrote:
We have no idea how to determine nationality, so we just assume GDPR applies.
We have no idea how to determine natural vs legal person, so we assume natural person.
We assume the user is too stupid to use a role-based email address or any other mitigations, so that’s not an option.
We assume the user is too stupid to know what to do with voluntary fields, so putting data in whois is too risky even in an opt-in scenario.
But now we are talking about acceptable levels of risk with nameservers?
How are we going to control to make sure only the types of data processing on this sensitive information is limited to what is authorized? What if I don’t want you to have my nameservers? What are you registrars going to do to make that possible?
--
John Bambenek
I’ve been advocating letting the consumer choose what gets published in whois but that’s a nonstarter so now people don’t get to pick and choose which PII matters. Emails are PII. So are hostnames and IPs in many cases. Since you can’t distinguish programmatically which cases those are, gated dns is required so users can authenticate who they are and their purpose for making the request.
--
John Bambenek
On Feb 20, 2018, at 11:31, Steve Crocker <steve@shinkuro.com> wrote:
John,
I think you're making the implicit assumption that access to name server (NS), address (A and AAAA) and related MX and DS records should be gated simply because someone can claim there might be personally identifiable information associated with these records. This is a very large assumption with very large consequences.
The DNS was designed to provide unfettered access to these records. The implication, therefore, is that anyone who publishes these records necessarily expects these records to be publicly available.
If you think there's a need for a system that makes the address information about a site accessible to only a selected set of people, design and build a system that provides that functionality. The Domain Name System, however, is not designed and not built that way. Anyone who publishes information in the DNS has necessarily chosen to make that information public. That's the end of the privacy issue with respect to the Domain Name System.
Discussion about how much information about the registrant is a separate matter, of course.
Steve
John,
As I said, if you want a gated name-to-address translation service, you’re talking about a different and quite distinct system. Feel free to design one and work within the IETF if you want to standardize it. Trying to impose this kind of functionality seems wildly out of scope for both this working group and governmental privacy authorities.
Steve
Sent from my iPhone
On Feb 20, 2018, at 12:38 PM, John Bambenek <jcb@bambenekconsulting.com> wrote:
I’ve been advocating letting the consumer choose what gets published in whois but that’s a nonstarter so now people don’t get to pick and choose which PII matters. Emails are PII. So are hostnames and IPs in many cases. Since you can’t distinguish programmatically which cases those are, gated dns is required so users can authenticate who they are and their purpose for making the request.
--
John Bambenek
On Feb 20, 2018, at 11:31, Steve Crocker <steve@shinkuro.com> wrote:
John,
I think you're making the implicit assumption that access to name server (NS), address (A and AAAA) and related MX and DS records should be gated simply because someone can claim there might be personally identifiable information associated with these records. This is a very large assumption with very large consequences.
The DNS was designed to provide unfettered access to these records. The implication, therefore, is that anyone who publishes these records necessarily expects these records to be publicly available.
If you think there's a need for a system that makes the address information about a site accessible to only a selected set of people, design and build a system that provides that functionality. The Domain Name System, however, is not designed and not built that way. Anyone who publishes information in the DNS has necessarily chosen to make that information public. That's the end of the privacy issue with respect to the Domain Name System.
Discussion about how much information about the registrant is a separate matter, of course.
Steve
On Tue, Feb 20, 2018 at 12:17 PM, John Bambenek <jcb@bambenekconsulting.com> wrote: We have no idea how to determine nationality, so we just assume GDPR applies.
We have no idea how to determine natural vs legal person, so we assume natural person.
We assume the user is too stupid to use a role-based email address or any other mitigations, so that’s not an option.
We assume the user is too stupid to know why to do with voluntary fields, so putting data in whois is too risky even in an opt-in scenario.
But now we are talking about acceptable levels of risk with nameservers?
How are we going to control to make sure only the types of data processing on this sensitive information is limited to what is authorized? What if I don’t want you to have my nameservers? What are you registrars going to do to make that possible?
-- John Bambenek
On Feb 20, 2018, at 11:11, Ayden Férdeline <icann@ferdeline.com> wrote:
Domain names and name servers can comprise personal information. However, this does not mean we cannot use them. It just means we need to complete a privacy impact assessment and understand the risks involved. And I suspect the risks to a name server or domain name itself being public are incredibly low. The risk profile is nowhere near that of WHOIS or RDS being open for all to see, filled with sensitive data like addresses and phone numbers.
Ayden
-------- Original Message --------
On 20 February 2018 5:55 PM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Domain names, hostnames, and IP addresses in so far as they are personally identifiable are PII. Courts have ruled on IP addresses already and DPAs have said much the same.
So the same logic on why we can’t have a system that lets people advertise who owns the domain is the same argument why DNS must be gated.
Has any registrar done a PIA on publishing my nameservers? How do I control who gets that information? How do we enforce its for authorized purposes only?
-- John Bambenek
On Feb 20, 2018, at 10:50, Steve Crocker <steve@shinkuro.com> wrote: I'm puzzled by the reference to name servers and A records. These are necessarily public else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?
Steve
On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo@gmail.com> wrote:
1,000,000% agreed. Registrars cannot eliminate all their risk by masking WHOIS into oblivion. The DPAs can still ask why they are exposing A records, nameservers, etc, to anyone who asks for them, without valid reasons or authentication. Why do they expose zone files, etc.? The DPAs can ask why customer support can sometimes so easily be social engineered into handing over accounts to account takeover scammers.
Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue? After all, the ultimate owner of the server is also considered a "processor", which has interesting implications if one's customers include phishers, or sell stolen credit cards, and one's already been notified. I have even seen miscreants putting doxes in TXT records.
I already know of quite a few incidents where people would have had standing to file a GDPR complaint against registrars/hosters, unrelated to WHOIS.
Eventually the issue is going to impact the core business model of registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs at an early stage is of utmost importance for all parties involved here.
On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco <sam@lanfranco.net> wrote:
Benny,
This is why I support multi-venue multi-stakeholder dialogue with the DPAs so that they are apprised of the issues on all sides of the data protection issue. They are then more likely to act in a judicious manner, and less like an attack dog. Watch the new movie "The Post", where Washington Post owner Katharine Graham decided to publish the Vietnam War Pentagon Papers, with the downside risk that she could be jailed for treason. The court ruled in favor of freedom of the press.
It is not what the DPA can do, but what they are likely to do, and dialogue goes a long way to mitigating risk and shaping appropriate positions and behavior (with integrity) on all sides.
Sam L.
On 2/19/2018 10:02 AM, benny@nordreg.se wrote:
<ironi on> Now I am relieved, we as registrars will not be subject for anything… </ironi off>
None of us know where and what they will prioritise; remember that it only takes 1 complaint to a DPA to get the snowball moving. [emphasis added] I am sure your statement has no value then.
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen, Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar, IANA-ID: 638, Phone: +46.42197000, Direct: +47.32260201, Mobile: +47.40410200
On 19 Feb 2018, at 15:29, Sam Lanfranco <sam@lanfranco.net> wrote:
Hi Tim,
No, completely to the contrary. My point with that dollars reference was that in some cases litigation is the preferred business response, rather than compliance and paying fines. Also, the big revenues in mining big data are outside the DNS sphere, and outside the abuses and "bad things" that websites do to people. The big EU fines are more likely to hit social media than Registrars, although there are risks there as well. The revenues, and privacy violations, will come from profiling users by mining big data for scraps of personal data to individualize target marketing.
As a brief aside: This goes well beyond the remit of ICANN and is actually worse than just being inundated by adverts based on personal online behavior. Artificial Intelligence mining apps are increasingly customizing the "news" one gets from news feeds, to help "glue the eyeballs" to the adverts, creating a news silo of one. (That is amusing for me since I virtually live in two towns in two countries). Even more worrisome is the growing practice for A.I. companies where A.I. "writes" the news releases, now mainly in sports and finance, for thousands of print and online news outlets. I know all of this is outside the ICANN remit so I will stop there.
Sam L.
On 2/18/2018 5:43 PM, Chen, Tim wrote:
Hi Sam,
When you say these are hundred million dollar issues for "the companies", which companies are you talking about? Large Registrars?
I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
Tim
-- "It is a disgrace to be rich and honoured in an unjust state" -Confucius 邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
Visiting Prof, Xi'an Jiaotong-Liverpool Univ, Suzhou, China; Dr Sam Lanfranco (Prof Emeritus & Senior Scholar), Econ, York U., Toronto, Ontario, CANADA - M3J 1P3; email: sam@lanfranco.net Skype: slanfranco; blog: https://samlanfranco.blogspot.com; Phone: +1 613-476-0429 cell: +1 416-816-2852
-- Note to self: Pillage BEFORE burning.
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Yes. Even though IP addresses &c can be personally identifiable information, that doesn't mean they can't ever be published. It does mean GDPR applies, but it's clear GDPR would allow DNS records to be published just as they've always been.
Seriously. GDPR is not insane.
Tapani
On Tue, Feb 20, 2018 at 12:31:57PM -0500, Steve Crocker (steve@shinkuro.com) wrote:
John,
I think you're making the implicit assumption that access to name server (NS), address (A and AAAA) and related MX and DS records should be gated simply because someone can claim there might be personally identifiable information associated with these records. This is a very large assumption with very large consequences.
The DNS was designed to provide unfettered access to these records. The implication, therefore, is that anyone who publishes these records necessarily expects these records to be publicly available.
If you think there's a need for a system that makes the address information about a site accessible to only a selected set of people, design and build a system that provides that functionality. The Domain Name System, however, is not designed and not built that way. Anyone who publishes information in the DNS has necessarily chosen to make that information public. That's the end of the privacy issue with respect to the Domain Name System.
Discussion about how much information about the registrant is a separate matter, of course.
Steve
On Tue, Feb 20, 2018 at 12:17 PM, John Bambenek <jcb@bambenekconsulting.com> wrote:
We have no idea how to determine nationality, so we just assume GDPR applies.
We have no idea how to determine natural vs legal person, so we assume natural person.
We assume the user is too stupid to use a role-based email address or any other mitigations, so that’s not an option.
We assume the user is too stupid to know what to do with voluntary fields, so putting data in whois is too risky even in an opt-in scenario.
But now we are talking about acceptable levels of risk with nameservers?
How are we going to control to make sure only the types of data processing on this sensitive information is limited to what is authorized? What if I don’t want you to have my nameservers? What are you registrars going to do to make that possible?
-- John Bambenek
On Feb 20, 2018, at 11:11, Ayden Férdeline <icann@ferdeline.com> wrote:
Domain names and name servers can comprise personal information. However, this does not mean we cannot use them. It just means we need to complete a privacy impact assessment and understand the risks involved. And I suspect the risks to a name server or domain name itself being public are incredibly low. The risk profile is nowhere near that of WHOIS or RDS being open for all to see, filled with sensitive data like addresses and phone numbers.
Ayden
-------- Original Message -------- On 20 February 2018 5:55 PM, John Bambenek via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
Domain names, hostnames, and IP addresses in so far as they are personally identifiable are PII. Courts have ruled on IP addresses already and DPAs have said much the same.
So the same logic on why we can’t have a system that lets people advertise who owns the domain is the same argument why DNS must be gated.
Has any registrar done a PIA on publishing my nameservers? How do I control who gets that information? How do we enforce that it's for authorized purposes only?
-- John Bambenek
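Steve Crocker's point quoted above (that NS, A, AAAA, MX and DS records are handed to anyone who asks, because that is how the DNS works) and Allison Nixon's note that miscreants put doxes in TXT records are both visible in the raw wire format. The script below is an added example for this page, not code posted by any participant in the thread: it parses a DNS response in the standard wire format (RFC 1035, section 4), lists the records an unauthenticated query returns, and flags TXT values that look like contact details. The response bytes, the names (example.com, ns1.example.net, mail.example.com), the documentation-range addresses and the TXT content are all constructed so the script runs offline; the regular expression is a crude heuristic for e-mail addresses and phone numbers, not a definition of personal data under GDPR.

```python
"""List what an unauthenticated DNS query returns and scan TXT for contact details.

Added example for this thread, not code posted by any participant. It parses a
response in the standard DNS wire format (RFC 1035, section 4). The sample
response below is constructed for example.com so the script runs offline.
"""
import ipaddress
import re
import struct

# Record type codes (IANA DNS parameters registry); DS is left as raw hex.
TYPES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 43: "DS"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels, uncompressed."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def decode_rdata(rtype, data, start, rdlength):
    """Render RDATA for the record types discussed in the thread."""
    rdata = data[start:start + rdlength]
    if rtype == 1:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == 28:
        return str(ipaddress.IPv6Address(rdata))
    if rtype == 2:
        return read_name(data, start)[0]
    if rtype == 15:  # preference followed by the exchange name
        return f"{struct.unpack('!H', rdata[:2])[0]} {read_name(data, start + 2)[0]}"
    if rtype == 16:  # one or more <length><bytes> strings, concatenated
        parts, i = [], 0
        while i < rdlength:
            parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("utf-8", "replace"))
            i += 1 + rdata[i]
        return "".join(parts)
    return rdata.hex()


def parse_response(data):
    """Return (owner, type, value) for every record in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):  # skip QNAME, QTYPE, QCLASS
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        owner, offset = read_name(data, offset)
        rtype, _cls, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        records.append((owner, TYPES.get(rtype, str(rtype)), decode_rdata(rtype, data, offset, rdlength)))
        offset += rdlength
    return records


# Crude heuristic for e-mail addresses and phone numbers; not a legal definition of personal data.
CONTACT = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\+?\d[\d\s().-]{7,}\d")


def contact_details_in_txt(records):
    """Return (owner, value) for TXT records that look like they carry contact details."""
    return [(o, v) for o, t, v in records if t == "TXT" and CONTACT.search(v)]


def build_sample_response():
    """Constructed answer for 'example.com ANY' (not captured traffic); addresses are documentation ranges."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 0)  # QR|RD|RA, 1 question, 5 answers
    question = encode_name("example.com") + struct.pack("!HH", 255, 1)
    owner = b"\xc0\x0c"  # compression pointer to the question name at offset 12

    def rr(rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

    txt = b"contact: jane@example.com, +1 555 0100"  # constructed dox-style content
    return (header + question
            + rr(1, ipaddress.IPv4Address("192.0.2.10").packed)
            + rr(28, ipaddress.IPv6Address("2001:db8::10").packed)
            + rr(2, encode_name("ns1.example.net"))
            + rr(15, struct.pack("!H", 10) + b"\x04mail" + owner)
            + rr(16, bytes([len(txt)]) + txt))


if __name__ == "__main__":
    answers = parse_response(build_sample_response())
    for owner, rtype, value in answers:
        print(f"{owner:<12} {rtype:<4} {value}")
    for owner, value in contact_details_in_txt(answers):
        print(f"TXT on {owner} looks like contact details: {value!r}")
```

Nothing in the parse step involves a credential or a purpose statement: any resolver on the Internet receives exactly these bytes, which is the sense in which publishing a record in the DNS is choosing to make it public. The TXT check is the part a registrar or hoster could run over its own zones as a cheap pre-check before a DPA asks the question.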
Which brings me back full circle to my point. An A record exists because a registrant put it there. If the system was slightly modified to provide a free privacy option, then whois data is there because the registrant put it there. And thus the problem is solved. -- John Bambenek
To try to bridge this gap a little bit... and hopefully clarify my point to Steve.
Shutting down public access to A records degrades the network in a very immediate, obvious way. Therefore, even if they are PII, they still can be published.
While WHOIS details are materially different, and shutting down WHOIS entirely probably won't have an immediate effect, there is an entire ecosystem of anti-spam, anti-ddos, anti-hack measures in place that allow Internet users to successfully access their mailboxes, communicate with remote IP addresses, and so on, without the inundation of spam and DDOS that would make the entire network unusable if there weren't active efforts to stop this stuff. The Internet is a band-aid on top of a band-aid on top of a band-aid. This WHOIS band-aid turns out to be holding a lot of things together, even though it was never intended to be originally.
There are uncountable public incidents where abuse caused widespread Internet shutdown, and was only remediated by active efforts on the part of network/server operators and anti-abuse professionals. And we are arguing that WHOIS has often been a critical, and irreplaceable, component of many of those incident responses. We care less about the format of the data, but we care very deeply that we should still be able to process this data to respond to future incidents at the same level of effectiveness.
We also argue that our roles cannot be replaced by police that get warrants and court orders for WHOIS data, for so many reasons, not the least of which is that no one wants NOCs, SOCs, etc, staffed by cops!
Therefore quite a lot of us are arguing that even though the effect is not immediate and obvious, the loss of WHOIS will cause secondary effects that end up degrading the Internet, just like the loss of A records would, albeit slower and more indirectly. Shut down WHOIS, and you might not reliably get your A records, your e-mail, or your favorite website.
I think if you spoke to people at large networks, large mailbox operators, etc, you would find a lot of agreement on the critical importance that WHOIS has accidentally gained. On Tue, Feb 20, 2018 at 1:12 PM, John Bambenek via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
Which brings me back full circle to my point. An A records exists because a registrant put it there. If the system was slightly modified to provide a free privacy option, then whois data is there because the registrant put it there. And thus the problem is solved.
-- John Bambenek
On Feb 20, 2018, at 12:07, Tapani Tarvainen <ncsg@tapani.tarvainen.info> wrote:
Yes. Even though IP addresses &c can be personally identifiable information, that doesn't mean they can't ever be published. It does mean GDPR applies, but it's clear GDPR would allow DNS records to be published just as they've always been.
Seriously. GDPR is not insane.
Tapani
On Tue, Feb 20, 2018 at 12:31:57PM -0500, Steve Crocker ( steve@shinkuro.com) wrote:
John,
I think you're making the implicit assumption that access to name server (NS), address (A and AAAA) and related MX and DS records should be gated simply because someone can claim there might be personally identifiable information associated with these records. This is a very large assumption with very large consequences.
The DNS was designed to provide unfettered access to these records. The implication, therefore, is that anyone who publishes these records necessarily expects these records to be publicly available.
If you think there's a need for a system that makes the address information about a site accessible to only a selected set of people, design and build a system that provides that functionality. The Domain Name System, however, is not designed and not built that way. Anyone who publishes information in the DNS has necessarily chosen to make that information public. That's the end of the privacy issue with respect to the Domain Name System.
Discussion about how much information about the registrant is a separate matter, of course.
Steve
On Tue, Feb 20, 2018 at 12:17 PM, John Bambenek < jcb@bambenekconsulting.com> wrote:
We have no idea how to determine nationality, so we just assume GDPR applies.
We have no idea how to determine natural vs legal person, so we assume natural person.
We assume the user is too stupid to use a role-based email address or any other mitigations, so that’s not an option.
We assume the user is too stupid to know why to do with voluntary fields, so putting data in whois is too risky even in an opt-in scenario.
But now we are talking about acceptable levels of risk with nameservers?
How are we going to control to make sure only the types of data processing on this sensitive information is limited to what is authorized? What if I don’t want you to have my nameservers? What are you registrars going to do to make that possible?
-- John Bambenek
On Feb 20, 2018, at 11:11, Ayden Férdeline <icann@ferdeline.com> wrote:
Domain names and name servers can comprise personal information. However, this does not mean we cannot use them. It just means we need to complete a privacy impact assessment and understand the risks involved. And I suspect the risks to a name server or domain name itself being public are incredibly low. The risk profile is nowhere near that of WHOIS or RDS being open for all to see, filled with sensitive data like addresses and phone numbers.
Ayden
-------- Original Message -------- On 20 February 2018 5:55 PM, John Bambenek via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
Domain names, hostnames, and IP addresses in so far as they are personally identifiable are PII. Courts have ruled on IP addresses already and DPAs have said much the same.
So the same logic on why we can’t have a system that lets people advertise who owns the domain is the same argument why DNS must be gated.
Has any registrar done a PIA on publishing my nameservers? How do I control who gets that information? How do we enforce its for authorized purposes only?
-- John Bambenek
On Feb 20, 2018, at 10:50, Steve Crocker <steve@shinkuro.com> wrote:
I'm puzzled by the reference to name servers and A records. These are necessarily public else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?
Steve
On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo@gmail.com> wrote:
1,000,000% agreed. Registrars cannot eliminate all their risk by masking WHOIS into oblivion. The DPAs can still ask why they are exposing A records, nameservers, etc, to anyone who asks for them, without valid reasons or authentication. Why do they expose zone files, etc. The DPAs can ask why customer support can sometimes so easily be social engineered into handing over accounts to account takeover scammers.
Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue? After all, the ultimate owner of the server is also considered a "processor", which has interesting implications if one's customers include phishers, or sell stolen credit cards, and one's already been notified. I have even seen miscreants putting doxes in TXT records.
I already know of quite a few incidents where people would have had standing to file a GDPR complaint against registrars/hosters, unrelated to WHOIS.
Eventually the issue is going to impact the core business model of registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs at an early stage is of utmost importance for all parties involved here.
On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco <sam@lanfranco.net> wrote:
Benny,
This is why I support multi-venue multi-stakholder dialogue with the DPA's so that they are appraised of the issues on all sides of the data protection issue. They are then more likely to act in a judicious manner, and less like an attack dog. Watch the new movie "*The Post*" where when *Washington Post* owner Katharine Graham decided to publish the Vietnam War Pentagon Papers, with the downside risk that she could be jailed for treason. The court ruled in favor of freedom of the press. It is not what the DPA can do, but what they are likely to do, and dialogue goes a long way to mitigating risk and shaping appropriate positions and behavior (with integrity) on all sides.
Sam L.
On 2/19/2018 10:02 AM, benny@nordreg.se wrote:
<ironi on> Now I am relieved, we as registrars will not be subject for anything… </ironi off>
None of us know where and what they will prioritise,* remember that it only take 1 complaint to a DPA to get the snowball moving.* [emphasis added] I am sure your statement have noe value then.
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 <+46%2042%2019%2070%2000> Direct: +47.32260201 <+47%2032%2026%2002%2001> Mobile: +47.40410200 <+47%20404%2010%20200>
On 19 Feb 2018, at 15:29, Sam Lanfranco <sam@lanfranco.net> wrote:
Hi Tim,
No, completely to the contrary. My point with that dollars reference was that in some cases litigation is the preferred business response, rather than compliance and paying fines. Also, the big revenues in mining big data are outside the DNS sphere, and outside the abuses and "bad things" that websites do to people. The big EU fines are more likely to hit social media than Registrars, although they are risks there as well. The revenues, and privacy violations, will come from profiling users by mining big data for scraps of personal date to individualize target marketing.
*As a brief aside:* This goes well beyond the remit of ICANN and is actually worse than just being inundated by adverts based on personal online behavior. Artificial Intelligence mining apps are increasingly customizing the "news" one gets from news feeds, to help "glue the eyeballs" to the adverts, creating a news silo of one. (That is amusing for me since I virtually live in two towns in two countries). Even more worrisome is the growing practice for A.I. companies where A.I. "writes" the news releases, now mainly in sports and finance, for thousands of print and online news outlets. I know all of this is outside the ICANN remit so I will stop there.
Sam L.
On 2/18/2018 5:43 PM, Chen, Tim wrote:
Hi Sam,
When you say these are hundred million dollar issues for "the companies", which companies are you talking about? Large Registrars?
I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
Tim
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-- ------------------------------------------------ "It is a disgrace to be rich and honoured in an unjust state" -Confucius 邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也 ------------------------------------------------ Visiting Prof, Xi'an Jiaotong-Liverpool Univ, Suzhou, China Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 email: sam@lanfranco.net Skype: slanfranco blog: https://samlanfranco.blogspot.com Phone: +1 613-476-0429 cell: +1 416-816-2852
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-- _________________________________ Note to self: Pillage BEFORE burning.
It could be illuminating to spell out the analysis in more detail. If publication of PII in the form of IP addresses in DNS records is lawful under GDPR, what is the legal basis for that processing under GDPR Article 6? We know it can't be "because they have always been published."

From: Tapani Tarvainen <ncsg@tapani.tarvainen.info>
Date: Tuesday, Feb 20, 2018, 1:08 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Facebook loses Belgian court case over consent and tracking

Yes. Even though IP addresses &c can be personally identifiable information, that doesn't mean they can't ever be published. It does mean GDPR applies, but it's clear GDPR would allow DNS records to be published just as they've always been.

Seriously. GDPR is not insane.

Tapani

On Tue, Feb 20, 2018 at 12:31:57PM -0500, Steve Crocker (steve@shinkuro.com) wrote:
John,
I think you're making the implicit assumption that access to name server (NS), address (A and AAAA) and related MX and DS records should be gated simply because someone can claim there might be personally identifiable information associated with these records. This is a very large assumption with very large consequences.
The DNS was designed to provide unfettered access to these records. The implication, therefore, is that anyone who publishes these records necessarily expects these records to be publicly available.
If you think there's a need for a system that makes the address information about a site accessible to only a selected set of people, design and build a system that provides that functionality. The Domain Name System, however, is not designed and not built that way. Anyone who publishes information in the DNS has necessarily chosen to make that information public. That's the end of the privacy issue with respect to the Domain Name System.
Discussion about how much information about the registrant is a separate matter, of course.
Steve
On Tue, Feb 20, 2018 at 12:17 PM, John Bambenek <jcb@bambenekconsulting.com> wrote:
We have no idea how to determine nationality, so we just assume GDPR applies.
We have no idea how to determine natural vs legal person, so we assume natural person.
We assume the user is too stupid to use a role-based email address or any other mitigations, so that’s not an option.
We assume the user is too stupid to know what to do with voluntary fields, so putting data in whois is too risky even in an opt-in scenario.
But now we are talking about acceptable levels of risk with nameservers?
How are we going to control to make sure the types of data processing on this sensitive information are limited to what is authorized? What if I don’t want you to have my nameservers? What are you registrars going to do to make that possible?
-- John Bambenek
On Feb 20, 2018, at 11:11, Ayden Férdeline <icann@ferdeline.com> wrote:
Domain names and name servers can comprise personal information. However, this does not mean we cannot use them. It just means we need to complete a privacy impact assessment and understand the risks involved. And I suspect the risks to a name server or domain name itself being public are incredibly low. The risk profile is nowhere near that of WHOIS or RDS being open for all to see, filled with sensitive data like addresses and phone numbers.
Ayden
-------- Original Message -------- On 20 February 2018 5:55 PM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Domain names, hostnames, and IP addresses in so far as they are personally identifiable are PII. Courts have ruled on IP addresses already and DPAs have said much the same.
So the same logic on why we can’t have a system that lets people advertise who owns the domain is the same argument why DNS must be gated.
Has any registrar done a PIA on publishing my nameservers? How do I control who gets that information? How do we enforce that it’s for authorized purposes only?
-- John Bambenek
On Feb 20, 2018, at 10:50, Steve Crocker <steve@shinkuro.com> wrote:
I'm puzzled by the reference to name servers and A records. These are necessarily public else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?
Steve
On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo@gmail.com> wrote:
1,000,000% agreed. Registrars cannot eliminate all their risk by masking WHOIS into oblivion. The DPAs can still ask why they are exposing A records, nameservers, etc, to anyone who asks for them, without valid reasons or authentication. Why do they expose zone files, etc. The DPAs can ask why customer support can sometimes so easily be social engineered into handing over accounts to account takeover scammers.
Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue? After all, the ultimate owner of the server is also considered a "processor", which has interesting implications if one's customers include phishers, or sell stolen credit cards, and one's already been notified. I have even seen miscreants putting doxes in TXT records.
I already know of quite a few incidents where people would have had standing to file a GDPR complaint against registrars/hosters, unrelated to WHOIS.
Eventually the issue is going to impact the core business model of registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs at an early stage is of utmost importance for all parties involved here.
On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco <sam@lanfranco.net> wrote:
Benny,
This is why I support multi-venue multi-stakholder dialogue with the DPA's so that they are appraised of the issues on all sides of the data protection issue. They are then more likely to act in a judicious manner, and less like an attack dog. Watch the new movie "*The Post*" where when *Washington Post* owner Katharine Graham decided to publish the Vietnam War Pentagon Papers, with the downside risk that she could be jailed for treason. The court ruled in favor of freedom of the press. It is not what the DPA can do, but what they are likely to do, and dialogue goes a long way to mitigating risk and shaping appropriate positions and behavior (with integrity) on all sides.
Sam L.
On 2/19/2018 10:02 AM, benny@nordreg.se wrote:
<ironi on> Now I am relieved, we as registrars will not be subject for anything… </ironi off>
None of us know where and what they will prioritise,* remember that it only take 1 complaint to a DPA to get the snowball moving.* [emphasis added] I am sure your statement have noe value then.
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 <+46%2042%2019%2070%2000> Direct: +47.32260201 <+47%2032%2026%2002%2001> Mobile: +47.40410200 <+47%20404%2010%20200>
On 19 Feb 2018, at 15:29, Sam Lanfranco <sam@lanfranco.net> wrote:
Hi Tim,
No, completely to the contrary. My point with that dollars reference was that in some cases litigation is the preferred business response, rather than compliance and paying fines. Also, the big revenues in mining big data are outside the DNS sphere, and outside the abuses and "bad things" that websites do to people. The big EU fines are more likely to hit social media than Registrars, although they are risks there as well. The revenues, and privacy violations, will come from profiling users by mining big data for scraps of personal date to individualize target marketing.
*As a brief aside:* This goes well beyond the remit of ICANN and is actually worse than just being inundated by adverts base on personal online behavior. Artificial Intelligence mining apps are increasingly customizing the "news" one gets from news feeds, to help "glue the eyeballs" to the adverts, creating a news silo of one. (That is amusing for me since I virtually live in two towns in two countries). Even more worrisome is the growing practice for A.I. companies where A.I. "writes" the news releases, now mainly in sports and finance, for thousands of print and online news outlets. I know all of this is outside the ICANN remit so I will stop there.
Sam L.
On 2/18/2018 5:43 PM, Chen, Tim wrote:
Hi Sam,
When you say these are hundred million dollar issues for "the companies",which companies are you talking about? Large Registrars?
I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
Tim
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
-- ------------------------------------------------ "It is a disgrace to be rich and honoured in an unjust state" -Confucius 邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也 ------------------------------------------------ Visiting Prof, Xi'an Jaiotong-Liverpool Univ, Suzhou, China Dr Sam Lanfranco (Prof Emeritus & Senior Scholar) Econ, York U., Toronto, Ontario, CANADA - M3J 1P3 email: sam@lanfranco.net Skype: slanfranco blog: https://samlanfranco.blogspot.com<https://samlanfranco.blogspot.com> Phone: +1 613-476-0429 <(613)%20476-0429> cell: +1 416-816-2852 <(416)%20816-2852>
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
-- _________________________________ Note to self: Pillage BEFORE burning.
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
I'm truly puzzled. Are we seriously discussing the possibility that resolution of a domain name lookup will depend on who I am and what credentials I have?

It is, of course, common practice to have split views to distinguish between lookups originating from inside an organization versus lookups originating outside of an organization, and it is also common practice to have different responses based on geography. The only other forms of restriction regarding who can look up particular domain names that I'm aware of are country-level restrictions, e.g. the Chinese firewall, and attempts to limit access to sites that are deemed to be serving copyright infringing material. These sorts of restrictions play havoc with the domain name system and are generally ineffective.

If the scope of this WG includes a serious consideration of this sort of filtering, we're talking about rethinking the DNS from the ground up, not just a discussion about who has access to the name of the registrant.

Steve

On Tue, Feb 20, 2018 at 11:55 AM, John Bambenek <jcb@bambenekconsulting.com> wrote:
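The "split views" Steve mentions are the one mechanism the DNS actually has for answering different askers differently. As an added illustration, not part of this thread or of any participant's message, here is what that looks like in a BIND 9 named.conf; the zone name example.com, the zone file paths and the address ranges in the `internal` ACL are assumed for the illustration.

```conf
// Assumed illustration of BIND 9 split-horizon ("views") configuration.
// Not a real deployment: example.com, the file paths and the address
// ranges below are placeholders.

// Clients that count as "inside". Selection is purely by the source
// address of the query packet; there is no credential in the protocol.
acl internal {
    10.0.0.0/8;
    192.168.0.0/16;
    localhost;
};

// Once views are used, every zone statement must live inside a view;
// BIND refuses a config that mixes top-level zones with views.
view "internal" {
    match-clients { internal; };
    recursion yes;

    // Internal copy may carry private hostnames and RFC 1918 addresses.
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

view "external" {
    // Everyone who did not match the internal view lands here.
    match-clients { any; };
    recursion no;

    // Public copy: only the records you are prepared to hand to anyone.
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};
```

The point this makes in Steve's favour is that `match-clients` keys on where a query comes from, not on who sent it: it is a network-topology control, not authentication, and a query from outside the listed ranges cannot present anything that would move it into the internal view. Whatever is placed in the external view is therefore public by construction, which is exactly the property the rest of the thread is arguing about.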
On Tue, Feb 20, 2018 at 01:38:44PM -0500, Steve Crocker (steve@shinkuro.com) wrote:
I'm truly puzzled. Are we seriously discussing the possibility that resolution of a domain name lookup will depend on who I am and what credentials I have?
Of course not.

It's an attempt to make a reductio ad absurdum argument, like this:

If we accept the idea that GDPR can restrict publication of WHOIS data, it will necessarily also restrict publication of DNS data. As the latter is obviously intolerable, it follows the former must be, too.

The argument is of course bogus. The reasons GDPR restricts WHOIS publication do not apply to DNS.

-- Tapani Tarvainen
Tapani,

Thanks. I think your analysis is spot on.

Steve

On Tue, Feb 20, 2018 at 1:47 PM, Tapani Tarvainen <ncsg@tapani.tarvainen.info> wrote:
Prove it. -- John Bambenek
On Feb 20, 2018, at 10:47, Tapani Tarvainen <ncsg@tapani.tarvainen.info> wrote:
Hi Steve,

There were a series of debates/discussion on the list a while back about what pieces of info constitute PII, with regards to GDPR implications. We all understand and agree that the DNS can't function without these A/NS/AAAA/MX etc. elements being publicly exposed. But they are also information collected from the end customer just like WHOIS data is, and apparently qualify as PII under the new rules. Especially with registrars' dynamic DNS services where the domain almost always points to the user's current home IP address, with no authentication protecting the A record.

None of us believe there should be "gated" A access, but some of us argue that the loss of WHOIS will degrade the functioning of networks, and that this justifies the exposure of the data, in the same way that cutting off A record access will degrade the functioning of networks, therefore it should be exposed even if the law thinks it's PII. It's, of course, a matter of debate here.

On Tue, Feb 20, 2018 at 11:50 AM, Steve Crocker <steve@shinkuro.com> wrote:
Actually no, Steve, we sorted this out a few months ago.... Andrew Sullivan explained all of this patiently and in great detail, as I recall. I tried to explain the difference between data elements constituting PI, because of their association with an individual, and the requirements to protect. I think I failed dismally in that effort, because I see we are re-arguing those issues.

cheers
Stephanie

On 2018-02-20 11:50, Steve Crocker wrote:
I'm puzzled by the reference to name servers and A records. These are necessarily public else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?
Steve
On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo@gmail.com <mailto:elsakoo@gmail.com>> wrote:
1,000,000% agreed. Registrars cannot eliminate all their risk by masking WHOIS into oblivion. The DPAs can still ask why they are exposing A records, nameservers, etc, to anyone who asks for them, without valid reasons or authentication. Why do they expose zone files, etc. The DPAs can ask why customer support can sometimes so easily be social engineered into handing over accounts to account takeover scammers.
Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue? After all, the ultimate owner of the server is also considered a "processor", which has interesting implications if one's customers include phishers, or sell stolen credit cards, and one's already been notified. I have even seen miscreants putting doxes in TXT records.
I already know of quite a few incidents where people would have had standing to file a GDPR complaint against registrars/hosters, unrelated to WHOIS.
Eventually the issue is going to impact the core business model of registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs at an early stage is of utmost importance for all parties involved here.
On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>> wrote:
Benny,
This is why I support multi-venue multi-stakholder dialogue with the DPA's so that they are appraised of the issues on all sides of the data protection issue. They are then more likely to act in a judicious manner, and less like an attack dog. Watch the new movie "*/The Post/*" where when /Washington Post/ owner Katharine Graham decided to publish the Vietnam War Pentagon Papers, with the downside risk that she could be jailed for treason. The court ruled in favor of freedom of the press. It is not what the DPA can do, but what they are likely to do, and dialogue goes a long way to mitigating risk and shaping appropriate positions and behavior (with integrity) on all sides.
Sam L.
On 2/19/2018 10:02 AM, benny@nordreg.se wrote:
<irony on> Now I am relieved, we as registrars will not be subject to anything… </irony off>
None of us know where and what they will prioritise, *remember that it only takes 1 complaint to a DPA to get the snowball moving.* [emphasis added] I am sure your statement has no value then.
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 19 Feb 2018, at 15:29, Sam Lanfranco <sam@lanfranco.net> wrote:
Hi Tim,
No, completely to the contrary. My point with that dollars reference was that in some cases litigation is the preferred business response, rather than compliance and paying fines. Also, the big revenues in mining big data are outside the DNS sphere, and outside the abuses and "bad things" that websites do to people. The big EU fines are more likely to hit social media than Registrars, although there are risks there as well. The revenues, and privacy violations, will come from profiling users by mining big data for scraps of personal data to individualize target marketing.
As a brief aside: This goes well beyond the remit of ICANN and is actually worse than just being inundated by adverts based on personal online behavior. Artificial Intelligence mining apps are increasingly customizing the "news" one gets from news feeds, to help "glue the eyeballs" to the adverts, creating a news silo of one. (That is amusing for me since I virtually live in two towns in two countries). Even more worrisome is the growing practice for A.I. companies where A.I. "writes" the news releases, now mainly in sports and finance, for thousands of print and online news outlets. I know all of this is outside the ICANN remit so I will stop there.
Sam L.
On 2/18/2018 5:43 PM, Chen, Tim wrote:
Hi Sam,
When you say these are hundred million dollar issues for "the companies", which companies are you talking about? Large Registrars?
I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
Tim
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-- 
------------------------------------------------
"It is a disgrace to be rich and honoured in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
------------------------------------------------
Visiting Prof, Xi'an Jiaotong-Liverpool Univ, Suzhou, China
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: sam@lanfranco.net Skype: slanfranco
blog: https://samlanfranco.blogspot.com
Phone: +1 613-476-0429 cell: +1 416-816-2852
-- 
Note to self: Pillage BEFORE burning.
Stephanie,
Some folks are saying address records, names of name servers and perhaps other records might have personally identifying information. I would not argue these records do not ever have personally identifying information, I do argue it’s immaterial. It’s essential these records are universally accessible and because this is well known, anyone who chooses to publish these records has implicitly granted permission for others to access this information. Policy people, legislators, regulators cannot impose a new requirement on the design and operation of the DNS as if the possibility of mediating access were an available option.
Steve
Sent from my iPhone
On Feb 20, 2018, at 11:02 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Actually no, Steve, we sorted this out a few months ago.... Andrew Sullivan explained all of this patiently and in great detail, as I recall. I tried to explain the difference between data elements constituting PI, because of their association with an individual, and the requirements to protect. I think I failed dismally in that effort, because I see we are re-arguing those issues.
cheers Stephanie
On 2018-02-20 11:50, Steve Crocker wrote:
I'm puzzled by the reference to name servers and A records. These are necessarily public else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?
Steve
Sorry not to have answered this last night Steve, I was having the usual multi-tasking challenges which overtake the 1 AM calls. There is a fundamental problem here in my view, and that is the difference between people's understanding of "personally identifying information" or PII, and "personal information", which is silent on the matter of whether it can be identified. For example, your medical data may have all the identifiers removed (name, address, phone number, health numbers, etc.) but that does not mean that people could not figure out it was you, particularly these days when even DNA data is up on the net. We generally continue to call that personal data (people can reasonably understand, for instance, that an x-ray of my lungs is still my personal information, even if it has been securely anonymized). I argue that all data associated with your registration including the assigned data is personal data (for the purposes of ICANN's treatment of it as a data controller), but that does not mean it cannot be processed. It is not usually PII, but that is irrelevant for GDPR discussions because that is an expression not used in the GDPR; PII is a term that has been popularized by the US, and that in the absence of general data protection law. We had a lengthy discussion of this about a year ago, and I am sure I was unsuccessful in persuading some folks that a name server could be personal data. The name of a city is not personally identifiable information, but if it is the one data element that distinguishes John Smith of Main Street US, among six John Smiths on Main Street, then it is personal data. Given the ubiquity of data and data analytics these days, this is an active area of privacy scholarship, with plenty of practical implications. We have over many years regularly removed a few data elements to mask data sufficiently for public processing purposes; increasingly this does not work anymore and the field is changing too fast to keep up.
This of course does not mean that name servers, e.g., should not be published.
Stephanie
On 2018-02-20 23:14, Steve Crocker wrote:
Perhaps this clarifies it more.
https://piwik.pro/blog/what-is-pii-personal-data/
Theo
On 21-2-2018 14:26, Stephanie Perrin wrote:
Thanks Theo, that is a helpful cheatsheet. I would just add that privacy advocates and DPAs have been fighting machine identifiers for years... Remember the Big Brother Inside campaign against the Intel chip?
cheers
Stephanie
On 2018-02-21 08:38, theo geurts wrote:
Perhaps this clarifies it more.
https://piwik.pro/blog/what-is-pii-personal-data/
Theo
On 21-2-2018 14:26, Stephanie Perrin wrote:
Sorry not to have answered this last night Steve, I was having the usual multi-tasking challenges which overtake the 1 AM calls. There is a fundamental problem here in my view, and that is the difference between people's understanding of "personally identifying information" or PII, and "personal information", which is silent on the matter of whether it can be identified. For example, your medical data may have all the identifiers removed (name, address, phone number, health numbers, etc.) but that does not mean that people could not figure out it was you, particularly these days when even DNA data is up on the net. We generally continue to call that personal data (people can reasonably understand, for instance, that an x-ray of my lungs is still my personal information, even if it has been securely anonymized). I argue that all data associated with your registration including the assigned data is personal data (for the purposes of ICANN's treatment of it as a data controller), but that does not mean it cannot be processed. It is not usually PII, but that is irrelevant for GDPR discussions because PII is an expression not used in the GDPR; it has been popularized by the US, and that in the absence of general data protection law. We had a lengthy discussion of this about a year ago, and I am sure I was unsuccessful in persuading some folks that a name server could be personal data. The name of a city is not personally identifiable information, but if it is the one data element that distinguishes John Smith of Main street US, among six John Smiths on Main Street, then it is personal data.
Given the ubiquity of data and data analytics these days, this is an active area of privacy scholarship, with plenty of practical implications. We have over many years regularly removed a few data elements to mask data sufficiently for public processing purposes; increasingly this does not work anymore and the field is changing too fast to keep up. This of course does not mean that name servers, e.g., should not be published.
Stephanie
On 2018-02-20 23:14, Steve Crocker wrote:
Stephanie,
Some folks are saying address records, names of name servers and perhaps other records might have personally identifying information. I would not argue these records do not ever have personally identifying information, I do argue it’s immaterial. It’s essential these records are universally accessible and because this is well known, anyone who chooses to publish these records has implicitly granted permission for others to access this information. Policy people, legislators, regulators cannot impose a new requirement on the design and operation of the DNS as if the possibility of mediating access were an available option.
Steve
Sent from my iPhone
On Feb 20, 2018, at 11:02 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Actually no, Steve, we sorted this out a few months ago....Andrew Sullivan explained all of this patiently and in great detail, as I recall. I tried to explain the difference between data elements constituting PI, because of their association with an individual, and the requirements to protect. I think I failed dismally in that effort, because I see we are re-arguing those issues.
cheers Stephanie
On 2018-02-20 11:50, Steve Crocker wrote:
I'm puzzled by the reference to name servers and A records. These are necessarily public else the domain name system won't function. Is there confusion or misunderstanding about the role of these records?
Steve
On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo@gmail.com> wrote:
1,000,000% agreed. Registrars cannot eliminate all their risk by masking WHOIS into oblivion. The DPAs can still ask why they are exposing A records, nameservers, etc, to anyone who asks for them, without valid reasons or authentication. Why do they expose zone files, etc. The DPAs can ask why customer support can sometimes so easily be social engineered into handing over accounts to account takeover scammers.
Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue? After all, the ultimate owner of the server is also considered a "processor", which has interesting implications if one's customers include phishers, or sell stolen credit cards, and one's already been notified. I have even seen miscreants putting doxes in TXT records.
I already know of quite a few incidents where people would have had standing to file a GDPR complaint against registrars/hosters, unrelated to WHOIS.
Eventually the issue is going to impact the core business model of registrars. This isn't going to stop at WHOIS. An open dialog with the DPAs at an early stage is of utmost importance for all parties involved here.
On Mon, Feb 19, 2018 at 10:16 AM, Sam Lanfranco <sam@lanfranco.net> wrote:
Benny,
This is why I support multi-venue multi-stakeholder dialogue with the DPA's so that they are apprised of the issues on all sides of the data protection issue. They are then more likely to act in a judicious manner, and less like an attack dog. Watch the new movie "The Post" where Washington Post owner Katharine Graham decided to publish the Vietnam War Pentagon Papers, with the downside risk that she could be jailed for treason. The court ruled in favor of freedom of the press. It is not what the DPA can do, but what they are likely to do, and dialogue goes a long way to mitigating risk and shaping appropriate positions and behavior (with integrity) on all sides.
Sam L.
On 2/19/2018 10:02 AM, benny@nordreg.se wrote:
<ironi on> Now I am relieved, we as registrars will not be subject for anything… </ironi off>
None of us know where and what they will prioritise, remember that it only takes 1 complaint to a DPA to get the snowball moving. [emphasis added] I am sure your statement has no value then.
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638
Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
> On 19 Feb 2018, at 15:29, Sam Lanfranco <sam@lanfranco.net> wrote:
>
> Hi Tim,
>
> No, completely to the contrary. My point with that dollars reference was that in some cases litigation is the preferred business response, rather than compliance and paying fines. Also, the big revenues in mining big data are outside the DNS sphere, and outside the abuses and "bad things" that websites do to people. The big EU fines are more likely to hit social media than Registrars, although there are risks there as well. The revenues, and privacy violations, will come from profiling users by mining big data for scraps of personal data to individualize target marketing.
>
> As a brief aside: This goes well beyond the remit of ICANN and is actually worse than just being inundated by adverts based on personal online behavior. Artificial Intelligence mining apps are increasingly customizing the "news" one gets from news feeds, to help "glue the eyeballs" to the adverts, creating a news silo of one. (That is amusing for me since I virtually live in two towns in two countries). Even more worrisome is the growing practice for A.I. companies where A.I. "writes" the news releases, now mainly in sports and finance, for thousands of print and online news outlets. I know all of this is outside the ICANN remit so I will stop there.
>
> Sam L.
>
> On 2/18/2018 5:43 PM, Chen, Tim wrote:
>> Hi Sam,
>>
>> When you say these are hundred million dollar issues for "the companies", which companies are you talking about? Large Registrars?
>>
>> I hope you are not comparing cybersecurity professionals and the good work they are trying to enable, to a completely separate privacy issue around data used for ad tracking or behavior tracking across websites. If I spent my days trying to protect people on the internet from bad things, I would certainly not appreciate any allusion that I was engaged on the whois data issue 'for the money'.
>>
>> Tim
On 21 Feb 2018, at 01:14, Steve Crocker <steve@shinkuro.com> wrote:
Stephanie,
Some folks are saying address records, names of name servers and perhaps other records might have personally identifying information. I would not argue these records do not ever have personally identifying information, I do argue it’s immaterial. It’s essential these records are universally accessible and because this is well known, anyone who chooses to publish these records has implicitly granted permission for others to access this information. Policy people, legislators, regulators cannot impose a new requirement on the design and operation of the DNS as if the possibility of mediating access were an available option.
Steve,

Just a small repair: name servers are only public if the domain statuses do not contain clientHold or serverHold, and if the domain actually has name servers. So the question is whether RDS should publish future servers (WHOWILLBE ?); and even when the domain is currently published in the TLD zone, the information on RDS is redundant and subject to being outdated (current RA allows a delay of 60 minutes). On IP addresses, there might be a difference between in-bailiwick addresses and those that are not, if allowed by that TLD.

So considering the computer systems design principle of not duplicating data unless there is a compelling reason to do it, and the data minimization principle, I think it's just easier to get name servers and their IP addresses out of RDS... we save time discussing those data fields and considering their implications. They will still be public information in the situations they are public, and any data privacy impact should make clear that there is no expectation of privacy to it. We would just list them at their native habitat, the DNS system.

Rubens
On Tue, Feb 20, 2018 at 11:47 AM, allison nixon <elsakoo@gmail.com> wrote:

Since most registrars are also hosting providers/mail providers, would criminals storing stolen PII on your servers be a GDPR issue?
In general terms, for the host, No. For the people who put it there, probably [ putting aside from the legal issue of the data-theft and the usual take-down notices etc ]
After all, the ultimate owner of the server is also considered a "processor",
In most circumstances, No, they're not [ although it _may_ become an issue next year with the new Import/Export laws which are being expanded to include data (so ICANN will finally be forced to solve the escrow provider problem) ]

Rob
On Fri, Feb 16, 2018 at 12:01:12PM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg@icann.org) wrote:
I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Article 3 of the GDPR: "1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

I read that to mean that if you are a company established in the EU, GDPR applies regardless of where your customers are from.

-- Tapani Tarvainen
John

Article 3, as referenced by Tapani, makes it very clear to me:

“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845

From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 20:02
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)

Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:

As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.

Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that... if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.

John Horton
President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

John

Of course you would wait until a Friday evening to ask me this ..

Anyway ..

As a company in the EU we have to do everything through the lens of GDPR.

That does not mean that a company will get the same treatment as a private individual.

What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.

Regards

Michele

From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 19:28
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

Michele,

Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.

John Horton
President and CEO, LegitScript

On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

John

There are two distinct discussions here which seem to be getting mixed together.

During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.

The discussions here and elsewhere around collection and publication of data in light of GDPR are very different. Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.

Where there is a clear difference is between treatment of registrants based on geography. As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.

I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.

Regards

Michele

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 18:54
To: "benny@nordreg.se" <benny@nordreg.se>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for.... everyone. All registrants. There's simply no justification for that. I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then... hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.

I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.

John Horton
President and CEO, LegitScript

On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:

Please refer to where registrars have been unwilling to explore this option?

--
Benny Samuelsen
Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

GDPR taken to its logical extreme very well could require us to abandon IP reputation and to emptying our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Friday 16 February 2018 at 00:07
To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
John,

As a registrar who provides registrar as a service and services resellers, we need to make sure everyone and anyone can comply with whatever applicable law they need to deal with. So while the GDPR is "one" guidance, this guides us more: https://www.cnil.fr/en/data-protection-around-the-world

And it does not stop there. https://www.linkedin.com/pulse/turkeys-regulation-data-controllers-registry-...

Now consider this and imagine the massive consequences here. IF ICANN, Registries, and Registrars are considered joint controllers, and this is not a far-fetched scenario. That means for Turkey:

ICANN has to appoint and authorize a representative in Turkey.
So does a Registry.
So do Registrars.

Please re-read this till it sinks in. We can only assume as a WG that this trend will continue. I think we will reach a tipping point soon (1 or 2 years) and more countries will require this. So the slogan of one world one internet, that might not be applicable for domain names depending on how this group moves. The defragmentation of the internet is happening on a vertical and horizontal level, and this has been going on for some time now.

This group needs to understand that WE have the means to shape the future here. If we can take the lead and work together, with DPA's and the article 29 WP we will shape that future, it will not be easy; it will be complicated as hell, but we are in that position to shape it. If not, defragmentation will be a fact, and all of us have to deal with whatever problem on a country level. So far a particular part of this WG is pushing for that scenario by this desire to remain the current status quo of WHOIS. Which I understand, better to deal with the devil you know, but it is not sustainable for the future.

To put it very bluntly John, I think you and others can shape the future by being part of the solution. If this WG fails, you are going to have much more significant problems than just the GDPR. And personally, I would hate to see rogue pharmacy scum bags hide behind country borders and become untouchable. I would rather see a gated RDAP solution not just on a registrar but also a reseller level......

Theo

On 16-2-2018 21:50, Michele Neylon - Blacknight wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me:
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 20:02
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that... if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845

From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 19:28
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 18:54
To: "benny@nordreg.se" <benny@nordreg.se>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
> On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
>
> Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
>
> John Horton
> President and CEO, LegitScript
>
> Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
>
> On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
> GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
>
> Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
>
> --
> John Bambenek
>
> On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
>
>> It’s an interesting read, but it has several flaws.
>>
>> It refers to registrars solely and ignores registries.
>>
>> It also makes it sound like issues around whois are “new”, which we all know isn’t true.
>>
>> The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
>>
>> https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
>>
>> --
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting, Colocation & Domains
>> https://www.blacknight.com/
>> http://blacknight.blog/
>> Intl. +353 (0) 59 9183072
>> Direct Dial: +353 (0)59 9183090
>> Personal blog: https://michele.blog/
>> Some thoughts: https://ceo.hosting/
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
>>
>> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
>> Date: Friday 16 February 2018 at 00:07
>> To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
>> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
>>
>> https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
>>
>> Michael Hammer
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg@icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.

Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me: “1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
That is not correct. The three parts of Article 3 in GDPR don't have AND between them: GDPR applies if any of them is satisfied. So it applies if EITHER the data subject resides in the EU OR the data processor/controller is established in the EU. In the latter case also if the data subject is outside EU and even if the actual processing takes place outside EU.

Tapani

On Fri, Feb 16, 2018 at 09:10:02PM +0000, Paul Keating (paul@law.es) wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me: “1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 20:02 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording my differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography. As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 18:54 To: "benny@nordreg.se" <benny@nordreg.se> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system in involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote: Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote: GDPR taken to its logical extreme very well could require us to abandon IP reputation and to emptying our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-- Tapani Tarvainen
As you all know, I am not an attorney, but I am curious how a European regulation can have jurisdiction over me as a non-European subject and over a processor outside of Europe that is not processing data for a European subject.
Chuck
-----Original Message----- From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen Sent: Friday, February 16, 2018 1:15 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
That is not correct. The three parts of Article 3 in GDPR don't have AND between them: GDPR applies if any of them is satisfied.
So it applies if EITHER the data subject resides in the EU OR the data processor/controller is established in the EU.
In the latter case also if the data subject is outside EU and even if the actual processing takes place outside EU.
Tapani
On Fri, Feb 16, 2018 at 09:10:02PM +0000, Paul Keating (paul@law.es) wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me: “1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 20:02 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography. As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 18:54 To: "benny@nordreg.se" <benny@nordreg.se> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
On Sat, Feb 17, 2018 at 09:34:04AM -0800, consult@cgomes.com (consult@cgomes.com) wrote:
As you all know, I am not an attorney, but I am curious how a European regulation can have jurisdiction over me as a non-European subject and over a processor outside of Europe that is not processing data for a European subject.
It can't. But if either of those conditions is fulfilled, that is, either the processor or the subject is European, then GDPR applies. If both are non-European, then it doesn't. But the processor being European is sufficient even if the actual processing is done outside Europe (EU).
Tapani
Thanks again Tapani. I clearly was reading too much into what you said.
Chuck
-----Original Message----- From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of 'Tapani Tarvainen' Sent: Saturday, February 17, 2018 12:38 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
On Sat, Feb 17, 2018 at 09:34:04AM -0800, consult@cgomes.com (consult@cgomes.com) wrote:
As you all know, I am not an attorney, but I am curious how a European regulation can have jurisdiction over me as a non-European subject and over a processor outside of Europe that is not processing data for a European subject.
It can't. But if either of those conditions is fulfilled, that is, either the processor or the subject is European, then GDPR applies. If both are non-European, then it doesn't. But the processor being European is sufficient even if the actual processing is done outside Europe (EU).
Tapani
-----Original Message----- From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen Sent: Friday, February 16, 2018 1:15 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
That is not correct. The three parts of Article 3 in GDPR don't have AND between them: GDPR applies if any of them is satisfied.
So it applies if EITHER the data subject resides in the EU OR the data processor/controller is established in the EU.
In the latter case also if the data subject is outside EU and even if the actual processing takes places outside EU.
Tapani
On Fri, Feb 16, 2018 at 09:10:02PM +0000, Paul Keating (paul@law.es) wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me: “1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 20:02 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording my differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography. As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 18:54
To: "benny@nordreg.se" <benny@nordreg.se>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote: Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote: GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Chuck,

Jurisdiction can be found (basically) in 2 instances:

1. You are physically present in the jurisdiction (using the King's roads means the king can arrest you). Physical presence means "general" jurisdiction - you are subject to jurisdiction for any and all purposes.

2. Effective presence in the Jurisdiction. In US jurisprudence this is referred to as "minimum contacts". Grossly stated that means you have taken advantage of what the jurisdiction has to offer in terms of benefits. So, for example, you sell to customers inside the jurisdiction, you market your goods/services to people resident in the jurisdiction, etc. It is a facts and circumstances test.

However just because you satisfy "minimum contacts" does not mean the courts can exercise jurisdiction over you for all purposes. However, they certainly can exercise jurisdiction as to matters arising from your minimum contacts. So, having sold lots of goods/services to EU customers, you would be subject to jurisdiction for issues related to such sales/marketing. However, you may not be subject to jurisdiction for a separate matter such as failure to pay an unrelated debt.

Does this help?

On 2/17/18, 6:34 PM, "gnso-rds-pdp-wg-bounces@icann.org on behalf of consult@cgomes.com" <gnso-rds-pdp-wg-bounces@icann.org on behalf of consult@cgomes.com> wrote:
As you all know, I am not an attorney, but I am curious how a European regulation can have jurisdiction over me as a non-European subject and over a processor outside of Europe that is not processing data for a European subject.
Chuck
-----Original Message----- From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen Sent: Friday, February 16, 2018 1:15 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
That is not correct. The three parts of Article 3 in GDPR don't have AND between them: GDPR applies if any of them is satisfied.
So it applies if EITHER the data subject resides in the EU OR the data processor/controller is established in the EU.
In the latter case it also applies if the data subject is outside the EU, and even if the actual processing takes place outside the EU.
Tapani
On Fri, Feb 16, 2018 at 09:10:02PM +0000, Paul Keating (paul@law.es) wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me: "1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not"
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845

From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 20:02
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
-- Tapani Tarvainen
Thanks Paul. What you say makes good sense to me. What I thought Tapani was saying went beyond this and that's why I raised the issue. He has since clarified my misunderstanding.

Chuck

-----Original Message-----
From: Paul Keating [mailto:Paul@law.es]
Sent: Monday, February 19, 2018 3:07 AM
To: consult@cgomes.com; 'Tapani Tarvainen' <ncsg@tapani.tarvainen.info>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
As you all know, I am not an attorney, but I am curious how a European regulation can have jurisdiction over me as a non-European subject and over a processor outside of Europe that is not processing data for a European subject.
Chuck
-----Original Message----- From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen Sent: Friday, February 16, 2018 1:15 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
That is not correct. The three parts of Article 3 in GDPR don't have AND between them: GDPR applies if any of them is satisfied.
So it applies if EITHER the data subject resides in the EU OR the data processor/controller is established in the EU.
In the latter case also if the data subject is outside EU and even if the actual processing takes places outside EU.
Tapani
On Fri, Feb 16, 2018 at 09:10:02PM +0000, Paul Keating (paul@law.es) wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me: ³1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not²
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 20:02 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording my differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I¹m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it¹s going to be significantly harder to get a response from the existing ones.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting ³commercial² have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the ³commercial² vs ³non-commercial² distinction won¹t work.
Where there is a clear difference is between treatment of registrants based on geography. As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow, R93 X265 ,Ireland Company No.: 370845 From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 18:54 To: "benny@nordreg.se" <benny@nordreg.se> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system in involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It's an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are "new", which we all know isn't true.
The comments about IP addresses make it sound like it's a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-- Tapani Tarvainen
Hi Paul,
As best I am aware, the GDPR refers to "data subjects" and "natural persons". Where does it define these persons as only being individuals who reside in the EU?
Ayden
-------- Original Message --------
On 16 February 2018 10:10 PM, Paul Keating <paul@law.es> wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me:
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 20:02 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: [LinkedIn](http://www.linkedin.com/company/legitscript-com) | [Facebook](https://www.facebook.com/LegitScript) | [Twitter](https://twitter.com/legitscript) | [Blog](http://blog.legitscript.com/) | [Newsletter](http://go.legitscript.com/Subscription-Management.html)
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. [+353 (0) 59 9183072](tel:+353%2059%20918%203072)
Direct Dial: [+353 (0)59 9183090](tel:+353%2059%20918%203090)
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: [LinkedIn](http://www.linkedin.com/company/legitscript-com) | [Facebook](https://www.facebook.com/LegitScript) | [Twitter](https://twitter.com/legitscript) | [Blog](http://blog.legitscript.com/) | [Newsletter](http://go.legitscript.com/Subscription-Management.html)
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. [+353 (0) 59 9183072](tel:+353%2059%20918%203072)
Direct Dial: [+353 (0)59 9183090](tel:+353%2059%20918%203090)
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 18:54 To: "benny@nordreg.se" <benny@nordreg.se> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: [LinkedIn](http://www.linkedin.com/company/legitscript-com) | [Facebook](https://www.facebook.com/LegitScript) | [Twitter](https://twitter.com/legitscript) | [Blog](http://blog.legitscript.com/) | [Newsletter](http://go.legitscript.com/Subscription-Management.html)
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: [+46.42197000](tel:%2B46.42197000) Direct: [+47.32260201](tel:%2B47.32260201) Mobile: [+47.40410200](tel:%2B47.40410200)
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
> It's an interesting read, but it has several flaws.
> It refers to registrars solely and ignores registries.
> It also makes it sound like issues around whois are "new", which we all know isn't true.
> The comments about IP addresses make it sound like it's a theoretical concern, yet there is case law eg:
> https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> http://blacknight.blog/
> Intl. +353 (0) 59 9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
> Date: Friday 16 February 2018 at 00:07
> To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
> https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
> Michael Hammer
> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Thanks to Tapani, Michele, Theo and others -- appreciated, especially on a Friday evening for you! However, I think some others have found that unless you are within the borders of the EU, you are not a data subject, which mirrors the "Right to be Forgotten" -- you have to be a Data Subject for that right to apply, yes? (And, I think that the GDPR only applies to Data Subjects.) Let me outline why I think your analysis is not correct:

- First, recitals help in interpretation and provide important context -- so they are indeed relevant -- but typically aren't binding in the same way that what comes afterwards is. So I don't think legally you can rely on the recitals for the argument you are making. But even if we take the recitals seriously (and we should use them for context), paragraphs like (23) repeatedly talk about "data subjects *who are in the Union*." For example, (23) states (in relevant part): "In order to ensure that natural persons are not deprived of (GDPR) protection...the processing of personal data of data subjects *who are in the Union* by a controller or a processor not established in the Union should be subject to this Regulation...in order to determine whether such a controller or processor is offering goods or services to *data subjects who are in the Union*..."
- Your reliance on the second clause (after the comma) in Article 3, Paragraph 1 is (I'd respectfully submit) misplaced in the light of the definitions section. The clause says "...regardless of whether the processing takes place in the Union or not." Processing, however, is defined as "any operation or set of operations on...personal data..." which of course is defined in the definitions section as relating to natural persons. You appear to be interpreting "processing" to mean "no matter where your customers come from." That simply isn't how it's defined.
- Legal commentators like this one <https://cybercounsel.co.uk/data-subjects/> have found that "a *Data Subject* under GDPR is anyone within the borders of the EU, whose personal data is being processed. They have to be within the EU borders for them to qualify and therefore have the protection of the GDPR."

I'm open to hearing something different and being wrong here, but look at it this way: I'd ask whether I, as a US citizen and resident, would have standing to file a complaint with a DPA if (only using you as an example here, Michele) I registered a domain name with Blacknight and felt that they violated my privacy rights under the GDPR. After all:

- The EU GDPR page <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> says "Rights for citizens." Am I a citizen? This website <https://eugdprcompliant.com/eu-citizens-rights/>, too, talks about my rights under the GDPR as an "EU Citizen."
- This EU GDPR page <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> says that the (GDPR) rights "apply across the EU." So...I'm not in the EU. Doesn't that mean I don't have GDPR rights?
- This EU GDPR page <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> tells me to "contact my DPA." Who...is my DPA?
- I can claim compensation <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> under my GDPR rights by filing a complaint "before the courts of the EU Member State of your habitual residence." (As well as the processor's country's DPA.) Can anyone tell me which EU Member State handles complaints for residents of Oregon, in the United States? Netherlands? Luxembourg? Ireland? Who?

I think you would all clearly agree: I don't, as a US citizen, have rights under the GDPR because...I'm not a Data Subject. I don't have what's known as "standing" to file a complaint, do I?

Which means: the GDPR does not apply to me, which means...you, as a registrar, do not need to offer me GDPR protections. After all, it would be nonsensical to say that as a US citizen using your services, I have the right to GDPR protections but have no mechanism to enjoy their enforcement should you refuse to provide me those protections. Clear?

John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Fri, Feb 16, 2018 at 1:17 PM, Ayden Férdeline <icann@ferdeline.com> wrote:
Hi Paul,
As best I am aware, the GDPR refers to "data subjects" and "natural persons". Where does it define these persons as only being individuals who reside in the EU?
Ayden
-------- Original Message --------
On 16 February 2018 10:10 PM, Paul Keating <paul@law.es> wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me:
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 20:02
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 19:28
To: Michele Neylon <michele@blacknight.com>
Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Friday 16 February 2018 at 18:54
To: "benny@nordreg.se" <benny@nordreg.se>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:
Please refer to where registrars have been unwilling to explore this option?
-- Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Friday 16 February 2018 at 00:07 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
John et al,

One of the problems in this discussion is that instead of going to European DPAs, which could provide answers that contracted parties could rely on to classify things like you mention as non-risks, WHOIS-interested parties keep trying to talk down the risks or ask the ones who could get fined to think of the worthy causes that WHOIS can help.

But let's be practical: while some EU-based registrars and registries might go along with your theory, most of them will default to applying GDPR compliance to all their data subjects, EU or not. When it comes to non-EU contracted parties we might see more of them applying it only to EU data subjects, but still see a good number of them applying it wholesale considering the risks involved.

Let's role-play two bad actors:

1 - Bad actor from Europe. Will have almost every registrar not pushing its data to WHOIS, and have multiple choices of suppliers, including finding the ones doing promotions.

2 - Bad actor not from Europe. Will have some European registrars not pushing its data to WHOIS, will have some non-European registrars not pushing its data to WHOIS, or could misrepresent itself as an EU citizen/organisation. Will also have multiple choices of suppliers, including finding the ones doing promotions.

Both will be able to hide in the forest of millions of registrants of good registrars and good TLDs, not needing to stay only with the bad registrars with no abuse handling. So turning 1 or 2 EU registrars to your theory, or 2 or 3 non-EU registrars, won't make a difference in hiding capability for bad actors. In order to make that difference you need something much more compelling, like the European Data Protection Board (previously known as Article 29) issuing guidance.

Rubens
On 16 Feb 2018, at 21:27, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Thanks to Tapani, Michele, Theo and others -- appreciated, especially on a Friday evening for you! However, I think some others have found that unless you are within the borders of the EU, you are not a data subject, which mirrors the "Right to be Forgotten" -- you have to be a Data Subject for that right to apply, yes? (And, I think that the GDPR only applies to Data Subjects.) Let me outline why I think your analysis is not correct: First, recitals help in interpretation and provide important context -- so they are indeed relevant -- but typically aren't binding in the same way that what comes afterwards is. So I don't think legally you can rely on the recitals for the argument you are making. But even if we take the recitals seriously (and we should use them for context), paragraphs like (23) repeatedly talk about "data subjects who are in the Union." For example, (23) states (in relevant part): "In order to ensure that natural persons are not deprived of (GDPR) protection...the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation...in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union..." Your reliance on the second clause (after the comma) in Article 3, Paragraph 1 is (I'd respectfully submit) misplaced in the light of the definitions section. The clause says "...regardless of whether the processing takes place in the Union or not." Processing, however, is defined as "any operation or set of operations on...personal data..." which of course is defined in the definitions section as relating to natural persons. You appear to be interpreting "processing" to mean "no matter where your customers come from." That simply isn't how it's defined.
Legal commentators like this one <https://cybercounsel.co.uk/data-subjects/> have found that "a Data Subject under GDPR is anyone within the borders of the EU, whose personal data is being processed. They have to be within the EU borders for them to qualify and therefore have the protection of the GDPR." I'm open to hearing something different and being wrong here, but look at it this way: I'd ask whether I, as a US citizen and resident, would have standing to file a complaint with a DPA if (only using you as an example here, Michele) I registered a domain name with Blacknight and felt that they violated my privacy rights under the GDPR. After all: The EU GDPR page <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> says "Rights for citizens." Am I a citizen? This website <https://eugdprcompliant.com/eu-citizens-rights/>, too, talks about my rights under the GDPR as an "EU Citizen." This EU GDPR page <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> says that the (GDPR) rights "apply across the EU." So...I'm not in the EU. Doesn't that mean I don't have GDPR rights? This EU GDPR page <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> tells me to "contact my DPA." Who...is my DPA? I can claim compensation <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citize...> under my GDPR rights by filing a complaint "before the courts of the EU Member State of your habitual residence." (As well as the processor's country's DPA.) Can anyone tell me which EU Member State handles complaints for residents of Oregon, in the United States? Netherlands? Luxembourg? Ireland? Who? I think you would all clearly agree: I don't, as a US citizen, have rights under the GDPR because...I'm not a Data Subject. I don't have what's known as "standing" to file a complaint, do I? 
Which means: the GDPR does not apply to me, which means...you, as a registrar, do not need to offer me GDPR protections. After all, it would be nonsensical to say that as a US citizen using your services, I have the right to GDPR protections but have no mechanism to enjoy their enforcement should you refuse to provide me those protections.
Clear?
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 1:17 PM, Ayden Férdeline <icann@ferdeline.com> wrote:
Hi Paul,
As best I am aware, the GDPR refers to "data subjects" and "natural persons". Where does it define these persons as only being individuals who reside in the EU?
Ayden
-------- Original Message -------- On 16 February 2018 10:10 PM, Paul Keating <paul@law.es> wrote:
Yes BUT it applies ONLY to the collection and processing of the PDI of individuals residing in the EU.
Sent from my iPad
On 16 Feb 2018, at 21:51, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Article 3, as referenced by Tapani, makes it very clear to me:
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 20:02 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Ha, thanks Michele, and sorry for the timing! (Hope your answer was written over a bottle of red wine, preferably an Oregon pinot.)
Let me clarify my question, and feel free to defer the answer if next week is better. I'm asking if registrars have received specific guidance, or can point to anything specific in the GDPR or any written document, indicating that you have to provide GDPR protections to all of your customers, even if they aren't in scope. In other words, I'm looking for a very clear statement along these lines from a DPA:
As an EU company, even if your customer is a natural person in the US, you must provide them the same rights under the GDPR that an EU natural person would receive. Failure to do so is non-compliant with the GDPR.
Obviously, the exact wording may differ, but I'm trying to challenge your statement that "As an Irish company all our clients have to be handled under GDPR." If that's true as a legal requirement, I think it's important for the security/compliance community to be aware of that...if it's not, perhaps that opens up some more granular approaches that can satisfy both sides.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
Of course you would wait until a Friday evening to ask me this ..
Anyway ..
As a company in the EU we have to do everything through the lens of GDPR.
That does not mean that a company will get the same treatment as a private individual.
What it does mean is that we (and other EU based registrars and registries) have to consider whether or not there is personal information in the currently public whois information. I’m not 100% sure yet what the best way of dealing with that is. While we can ask new clients things during signup, it’s going to be significantly harder to get a response from the existing ones.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 19:28 To: Michele Neylon <michele@blacknight.com> Cc: "benny@nordreg.se" <benny@nordreg.se>, RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
Michele,
Let me dig in a bit on one question there -- actually curious about this. You indicated "As an Irish company all our clients have to be handled under GDPR." So, for example, let's say that I transferred my company's domain name (obviously, we're a legal person, and we're domiciled in the US and registered here) to Blacknight. I think you'd agree we're not the intended beneficiary of the GDPR. My specific question for you is: Is there written guidance somewhere indicating that you do, in fact, have to provide me GDPR protections? That your policies have to apply to me? If there's some language out there specifically indicating that, it would be helpful to see that. I didn't see that in the Hamilton memo (perhaps I'm missing it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me know if my question doesn't make sense.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
John
There are two distinct discussions here which seem to be getting mixed together.
During the proxy / privacy discussion some people wanted there to be a distinction between who could avail of proxy / privacy services. Some wanted a prohibition on letting “commercial” have the ability to use proxy / privacy.
The discussions here and elsewhere around collection and publication of data in light of GDPR are very different.
Nobody is disputing that there is a distinction between private individuals and corporations when it comes to GDPR. However there are risks associated with the processing of personal information, which may be tied into corporate information. And the “commercial” vs “non-commercial” distinction won’t work.
Where there is a clear difference is between treatment of registrants based on geography.
As an Irish company all our clients have to be handled under GDPR. The same would be true of any other provider based in the EU.
I cannot speak to nor will I get involved in debates around what various non-EU based operators may currently be doing or plan to do in the future – there are enough of them on this list who can do so more ably than I and without my help.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Reply-To: John Horton <john.horton@legitscript.com> Date: Friday 16 February 2018 at 18:54 To: "benny@nordreg.se" <benny@nordreg.se> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for....everyone. All registrants. There's simply no justification for that.
I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then...hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.
I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Fri, Feb 16, 2018 at 03:27:57PM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg@icann.org) wrote:
I think some others have found that unless you are within the borders of the EU, you are not a data subject
That makes no sense to me. The GDPR speaks in places of "data subjects in the union" and other places of "data subjects" without such qualification. The only sensible interpretation is that when not so qualified it also includes people outside the union.
- First, recitals help in interpretation and provide important context -- so they are indeed relevant -- but typically aren't binding in the same way that what comes afterwards is. So I don't think legally you can rely on the recitals for the argument you are making.
Correct. That's why I quoted the (legally binding) Article text instead. So let's look at how "data subject" is formally defined in Article 4(1): "'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" There is no limitation based on location or residence of said persons.
- Your reliance on the second clause (after the comma) in Article 3, Paragraph 1 is (I'd respectfully submit) misplaced in the light of the definitions section. The clause says "...regardless of whether the processing takes place in the Union or not." Processing, however, is defined as "any operation or set of operations on...personal data..." which of course is defined in the definitions section as relating to natural persons. You appear to be interpreting "processing" to mean "no matter where your customers come from."
I'm not relying on that subclause. The first clause is enough: as there's no explicit mention of the location of customers, it applies regardless of their location. The second clause only adds that if you're a company in the EU, you won't get off the hook even by moving the actual processing outside the EU. So if a European company sets up a facility in the USA for processing its American customers, these can still sue it in Europe for GDPR violations.
I think you would all clearly agree: I don't, as a US citizen, have rights under the GDPR because...I'm not a Data Subject. I don't have what's known as "standing" to file a complaint, do I?
I certainly don't agree. I think it is obvious you would be a data subject in GDPR terminology and would have standing to file a complaint, too, in the country where the data processor is located. The argument that "data subject" is limited to Europeans, here and elsewhere, seems to me just an attempt to find loopholes in the text to work around the clear intent of the law. I don't think it'll fly. Incidentally, I find it somewhat odd to find Americans arguing that Americans should not have standing to claim their rights under European law against European companies. -- Tapani Tarvainen
On Fri, Feb 16, 2018 at 10:52:51AM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg@icann.org) wrote:
But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not.
Intended beneficiaries of the GDPR are all the people in the world. The recitals make that quite clear. In particular EU wants to protect also non-European individuals against European companies even if that would mean giving competitive advantage to non-European companies, strange though that may seem to some. -- Tapani Tarvainen
Tapani,

Thanks for this. I believe that if we properly analyze the requirements for a revised and improved RDS, we should be able to meet the GDPR requirements as well as similar requirements elsewhere, and the result should serve the Internet community quite well.

Thanks,
Steve

On Fri, Feb 16, 2018 at 4:05 PM, Tapani Tarvainen <ncsg@tapani.tarvainen.info> wrote:
On Fri, Feb 16, 2018 at 10:52:51AM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg@icann.org) wrote:
But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not.
Intended beneficiaries of the GDPR are all the people in the world.
The recitals make that quite clear.
In particular EU wants to protect also non-European individuals against European companies even if that would mean giving competitive advantage to non-European companies, strange though that may seem to some.
-- Tapani Tarvainen
Trying to protect non-European natural persons dealing with European companies seems reasonable to me, but I don't understand how the GDPR could protect non-European natural persons dealing with non-European companies.

Chuck

-----Original Message-----
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen
Sent: Friday, February 16, 2018 1:06 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

On Fri, Feb 16, 2018 at 10:52:51AM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg@icann.org) wrote:
But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not.
Intended beneficiaries of the GDPR are all the people in the world. The recitals make that quite clear. In particular EU wants to protect also non-European individuals against European companies even if that would mean giving competitive advantage to non-European companies, strange though that may seem to some. -- Tapani Tarvainen
On Sat, Feb 17, 2018 at 10:17:04AM -0800, consult@cgomes.com (consult@cgomes.com) wrote:
Trying to protect non-European natural persons dealing with European companies seems reasonable to me, but I don't understand how the GDPR could protect non-European natural persons dealing with non-European companies.
It can't. EU does not claim jurisdiction in that situation. People outside EU will benefit from GDPR directly only when dealing with European companies. My apologies if I was unclear. Tapani
-----Original Message-----
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen
Sent: Friday, February 16, 2018 1:06 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
On Fri, Feb 16, 2018 at 10:52:51AM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg@icann.org) wrote:
But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not.
Intended beneficiaries of the GDPR are all the people in the world.
The recitals make that quite clear.
In particular EU wants to protect also non-European individuals against European companies even if that would mean giving competitive advantage to non-European companies, strange though that may seem to some.
-- Tapani Tarvainen
Thanks Tapani. That makes sense to me.

Chuck

-----Original Message-----
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of 'Tapani Tarvainen'
Sent: Saturday, February 17, 2018 12:52 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

On Sat, Feb 17, 2018 at 10:17:04AM -0800, consult@cgomes.com (consult@cgomes.com) wrote:
Trying to protect non-European natural persons dealing with European companies seems reasonable to me, but I don't understand how the GDPR could protect non-European natural persons dealing with non-European companies.
It can't. EU does not claim jurisdiction in that situation. People outside EU will benefit from GDPR directly only when dealing with European companies. My apologies if I was unclear. Tapani
John,

We have been very consistent in explaining that actions to combat abuse of our Port43 system are unrelated to GDPR.

Not only is our decision to mask customer information in Port43 completely unrelated to GDPR, but it results directly from attacks by third parties who harvest and sell our customers’ personal information. Given the onslaught of spam and robo-calls our customers have been receiving – often within minutes of registering a domain name – we felt that action was required, if not overdue.

WHOIS information is still very much available for any & all domain names via our web-based WHOIS tool, and legitimate users have been granted expanded access to Port43. However, bulk access by anonymous users is no longer supported.

I also note that during this entire process, we have kept ICANN informed of both the attacks on our Port43 systems as well as our efforts to mitigate them. Our actions are justified and to imply otherwise is not only inaccurate but does nothing to move this PDP forward.

I am happy to take this offline if further clarification is needed.

Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
Reply-To: John Horton <john.horton@legitscript.com>
Date: Friday, February 16, 2018 at 11:54 AM
To: "benny@nordreg.se" <benny@nordreg.se>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

I think quite a bit in this WG and certainly in the prior privacy/proxy PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being clear about what I mean, GoDaddy isn't only redacting Whois information (via Port 43) where it's an EU natural citizen or natural resident. The information is being redacted for... everyone. All registrants. There's simply no justification for that.

I predict you'd see (I'm not speaking for anyone here, just me) a real willingness on the security and compliance community's part to compromise and support a system where, IF a registrant is an EU natural person (yes, I know we need to define it accurately -- citizen, resident, we can get granular later) then... hey, let's set up a system involving redaction of some fields, access to those fields in legitimate cases, etc. I want to support registrars' compliance with the GDPR. But we're seeing the registrar community say: We want to apply this globally. To all domain name registrations. Doesn't matter if the registrant is the intended beneficiary of the new law, or in scope, or not. We're going to just change global policy.

I think that viewpoint has been pretty repeatedly represented in this working group, but I'd love to hear from registrars that would support a more targeted solution where only the intended beneficiaries of the GDPR (that is, in-scope registrants) are covered under the policy.
John Horton
President and CEO, LegitScript
Follow LegitScript: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | Blog <http://blog.legitscript.com/> | Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Fri, Feb 16, 2018 at 10:44 AM, benny@nordreg.se <benny@nordreg.se> wrote:

Please refer to where registrars have been unwilling to explore this option?

--
Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
Benny Samuelsen
Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar
IANA-ID: 638
Phone: +46.42197000
Direct: +47.32260201
Mobile: +47.40410200
On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

GDPR taken to its logical extreme very well could require us to abandon IP reputation and to empty our firewalls. I mean, no consumer authorized me to process their IP just by attacking me, right?
Privacy absolutism is not the answer unless you basically want to mandate the internet backbone be converted to tor.
-- John Bambenek
On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
It’s an interesting read, but it has several flaws.
It refers to registrars solely and ignores registries.
It also makes it sound like issues around whois are “new”, which we all know isn’t true.
The comments about IP addresses make it sound like it’s a theoretical concern, yet there is case law eg:
https://www.irishtimes.com/business/technology/european-court-of-justice-rul...
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Friday 16 February 2018 at 00:07
To: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
Michael Hammer
Sara,

Let's take it offline. I'll drop you a note separately.

Thanks,

John Horton
President and CEO, LegitScript

On Fri, Feb 16, 2018 at 2:22 PM, Sara Bockey <sbockey@godaddy.com> wrote:
On 2/16/2018 5:22 PM, Sara Bockey wrote:
Not only is our decision to mask customer information in Port43 completely unrelated to GDPR, but it results directly from attacks by third parties who harvest and sell our customers’ personal information.
I don't know what precipitated this conversation, but I will jump in here based on my actual experience. To say "it results directly from attacks by third parties who harvest and sell our customers’ personal information" is a complete lie! GoDaddy has blocked MANY IP addresses I've attempted to use port 43 WHOIS on with absolutely no due process! And I can say with absolute certainty that I and my IP addresses were not involved in any form of "attack(s) by third parties". But if I wanted to continue fighting phishing, spammers and other abuses without being forced to use GoDaddy's cumbersome web interface (with their stupid "I'm not a robot" and "Choose all the pictures that have a goldfish in them" games) to process each WHOIS request, I would have to give in to GoDaddy's illegal blocking (restricted WHOIS output) and sign their "whitelist request" to get myself back to business!!!
Given the onslaught of spam and robo-calls our customers have been receiving – often within minutes of registering a domain name—we felt that action was required, if not overdue.
I'm not sure I can see how port 43 WHOIS requests can be used to determine new domain registrations in the way you imply? Maybe you can share how that works??
WHOIS information is still very much available for any & all domain names via our web-based WHOIS tool,
It may be available, but it's quite cumbersome and a waste of good peoples' time!!
However, bulk access by anonymous users is no longer supported.
I didn't know "bulk access by anonymous users" was ever a thing?!? If you were intent on blocking "bulk access", why should that have impacted port 43 WHOIS requests for single domains???
I also note that during this entire process, we have kept ICANN informed of both the attacks on our Port43 systems
Please provide the evidence of my "attacks" that you've provided to ICANN to justify your restricting WHOIS data to any of my IP addresses.
as well as our efforts to mitigate them. Our actions are justified and to imply otherwise is not only inaccurate but does nothing to move this PDP forward.
Your actions were unilateral and (in my opinion) violated your registrar agreement(s) with ICANN. You're allowed to block ABUSIVE behavior, but you blocked many many requests with absolutely no evidence of abuse! How can you justify that???

Patrick Klos
Phishcop Admin
You know what else might work? Price floors. Every time some low-reputation registrar has a sale, the Internet gets inundated. I don't know the last time I have had to deal with abuse originating from an expensive TLD. It's always the cheap TLDs. If we mandate price floors, then the rate of domains registered solely for exploitative purposes drops like a rock, and our need for ownership info is much less, and few would be pushing you all to collect the info, and the abuse issue becomes almost an entirely moot point.

On Fri, Feb 16, 2018 at 1:38 PM, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Just imagine how much of all of this could be avoided if registrars were willing to agree to a commercial/individual distinction.
--
Note to self: Pillage BEFORE burning.
On Fri, Feb 16, 2018 at 01:48:17PM -0500, allison nixon wrote:
You know what else might work? price floors. Every time some low-reputation registrar has a sale, the Internet gets inundated.
I don't know whether you could mandate price floors (I suspect it'd be fixing under US law). But you could do something else: transparency. A mandate that a dataset available to anti-abuse people contained the retail price (or maybe just the wholesale price would be good enough, I don't know) would allow scoring on the basis of low prices. You wouldn't necessarily have to have it on a per-domain basis. Simply getting price lists for periods broken out by registrars would be enough.

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
While it is clear that part of the problem is the low cost of entry for access via some bargain basement registrars, I fear that any attempt at a "price floor" would be viewed as "price fixing" and would run afoul of a lot of national laws.

Sam L

On 2/16/2018 1:48 PM, allison nixon wrote:
You know what else might work? price floors. Every time some low-reputation registrar has a sale, the Internet gets inundated.
I don't know the last time I have had to deal with abuse originating from an expensive TLD. it's always the cheap TLDs.
If we mandate price floors, then the rate of domains registered solely for exploitative purposes drops like a rock, and our need for ownership info is much less, and few would be pushing youall to collect the info, and the abuse issue becomes almost an entirely moot point.
--
"It is a disgrace to be rich and honoured in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
Visiting Prof, Xi'an Jiaotong-Liverpool Univ, Suzhou, China
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: sam@lanfranco.net
Skype: slanfranco
blog: https://samlanfranco.blogspot.com
Phone: +1 613-476-0429
cell: +1 416-816-2852
participants (26)

- 'Tapani Tarvainen'
- allison nixon
- Andrew Sullivan
- Ayden Férdeline
- benny@nordreg.se
- Chen, Tim
- consult@cgomes.com
- Dotzero
- Greg Shatan
- Hollenbeck, Scott
- John Bambenek
- John Horton
- Metalitz, Steven
- Michele Neylon - Blacknight
- Paul Keating
- pkngrds@klos.net
- Raoul Plommer
- Rob Golding
- Rubens Kuhl
- Sam Lanfranco
- Sara Bockey
- Stephanie Perrin
- Steve Crocker
- Tapani Tarvainen
- theo geurts
- Volker Greimann