Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
To technical people on this list: In a tiered-system with authenticated access, how could the general public satisfy authentication requirements and what would those be, in order to have access to information about the trustworthiness of a website (what would this data be)? Would it be possible to mandate someone who is duly authorized within the registrar to look up the data on her behest? Is there a way to automatize this process?
Personal thought: I keep on thinking we will find a silver bullet in the principles set by the law of the sea, the mechanisms of the EEZ or natural law. Still looking.
Thanks,
Nathalie
On Thursday, February 15, 2018 7:59 PM, Chuck <consult@cgomes.com> wrote:
Good points Chris. Thanks again.
Chuck
From: Chris Pelling [mailto:chris@netearth.net] Sent: Thursday, February 15, 2018 1:16 PM To: Chuck <consult@cgomes.com> Cc: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
No issue Chuck, although, June is very optimistic in my opinion simply because the month prior - all hell breaks loose with GDPR :) At least if we look at October, we can get the info out to as many DPA's as poss to get them there, plus, being Barcelona, it will be a lot cheaper for the countries to send them to Spain than the other side of the world (as governments don't like paying for very much to start with) :)
Kind regards,
Chris
---------------------------------------------------------------
From: "Chuck" <consult@cgomes.com> To: "Chris Pelling" <chris@netearth.net> Cc: "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> Sent: Thursday, 15 February, 2018 21:12:23 Subject: RE: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
My mistake Chris. Thanks for setting me straight. I am probably too optimistic, but it would be nice if it could happen in Panama in June.
Chuck
From: Chris Pelling [mailto:chris@netearth.net] Sent: Thursday, February 15, 2018 1:10 PM To: Chuck <consult@cgomes.com> Cc: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Hi Chuck,
Barcelona is ICANN 63 in October, in June it's ICANN 62 in Panama City: https://www.google.co.uk/search?hl=en&q=icann+meetings+2018&meta=
Kind regards,
Chris
---------------------------------------------------------------
From: "Chuck" <consult@cgomes.com> To: "Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> Sent: Thursday, 15 February, 2018 18:14:24 Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Because of the long lead time for scheduling workshops, it's not too early to explore the value of one in Barcelona in June. It would be helpful if we could get to our charter question on Gated Access well before then if possible.
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin Sent: Thursday, February 15, 2018 9:45 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity and IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and I (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) think we should get on with developing those standards, preferably ISO standards with possibility for independent audit.
Stephanie Perrin
On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what's lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We've heard you. What we have NOT heard is "we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________."
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn't have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP forward, you are part of the problem.
Sara
sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net> Date: Thursday, February 15, 2018 at 4:30 AM To: Greg Shatan <gregshatanipc@gmail.com> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions. I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws. Contracted parties have been stating for years, if not over a decade, that publication of whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix, that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change. Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
Volker out!
Am 15.02.2018 um 05:14 schrieb Greg Shatan:
In a similar vein, ICANN could establish an "Over-enforce the GDPR Fund," in which everyone who thinks the GDPR's data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due to GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here. ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined for data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.
Best,
Volker
Am 14.02.2018 um 02:21 schrieb Rubens Kuhl:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Hi, Nathalie-
I don't think this is a technical question, but a policy one. If I am understanding correctly, you are asking, in a tiered-access system, how would an Internet end-user be able to retrieve the personally identifiable information of a domain name registrant, like he or she can today? I know we are getting ahead of ourselves here, because as a Working Group we have not started to deliberate on this question, but I wouldn't think that the "general public" would satisfy authentication requirements.
Nor do I think they should. A tiered-access system that anyone could use would be no different to what we have today in WHOIS. I feel very strongly that we need to put an end to the over-collection and over-publication of information that exposes domain name registrants to harm by virtue of their online speech. WHOIS data today is being used beyond its narrow, original scope and purpose (e.g. to rapidly find a contact to help resolve a technical problem related to a domain name), a purpose that was unquestionably within the scope and mission of ICANN. The expansion of the WHOIS to solve, resolve, threaten, exploit, or 'ascertain the trustworthiness' of any type of Internet domain name speaker for any type of reason goes far beyond ICANN's narrow technical mission and scope, in my opinion.
Kind regards,
Ayden
-------- Original Message --------
On 16 February 2018 6:19 AM, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Ayden,
If original scope and intent are the metric we are using, I'll point out that today's Internet is well beyond the original scope and intent. Were you around for NSF and AUP? The HTTP/HTTPS protocols didn't exist. Perhaps we should all go back to using gopher.
Michael Hammer
On Fri, Feb 16, 2018 at 3:31 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Hi, Nathalie-
I don't think this is a technical question, but a policy one. If I am understanding correctly, you are asking, in a tiered-access system, how would an Internet end-user be able to retrieve the personally identifiable information of a domain name registrant, like he or she can today? I know we are getting ahead of ourselves here, because as a Working Group we have not started to deliberate on this question, but I wouldn't think that the "general public" would satisfy authentication requirements.
Nor do I think they should. A tiered-access system that anyone could use would be no different to what we have today in WHOIS. I feel very strongly that we need to put an end to the over collection and over publication of information that exposes domain name registrants to harm by virtue of their online speech. WHOIS data today is being used beyond its narrow, original scope and purpose (e.g. to rapidly find a contact to help resolve a technical problem related to a domain name), a purpose that was unquestionably within the scope and mission of ICANN. The expansion of the WHOIS to solve, resolve, threaten, exploit, or 'ascertain the trustworthiness' of any type of Internet domain name speaker for any type of reason goes far beyond ICANN's narrow technical mission and scope, in my opinion.
Kind regards,
Ayden
-------- Original Message -------- On 16 February 2018 6:19 AM, nathalie coupet via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
To technical people on this list: In a tiered-system with authenticated access, how could the general public satisfy authentication requirements and what would those be, in order to have access to information about the trustworthiness of a website (what would this data be)? Would it be possible to mandate someone who is duly authorized within the registrar to look up the data on her behest? Is there a way to automatize this process?
Personal thought: I keep on thinking we will find a silver bullet in the principles set by the law of the sea, the mechanisms of the EEZ or natural law. Still looking.
Thanks,
Nathalie
On Thursday, February 15, 2018 7:59 PM, Chuck <consult@cgomes.com> wrote:
Good points Chris. Thanks again.
Chuck
*From:* Chris Pelling [mailto:chris@netearth.net] *Sent:* Thursday, February 15, 2018 1:16 PM *To:* Chuck <consult@cgomes.com> *Cc:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
No issue Chuck, although, June is very optimistic in my opinion simply because the month prior - all hell breaks loose with GDPR :) At least if we look at October, we can get the info out to as many DPA's as poss to get them there, plus, being Barcelona, it will be a lot cheaper for the countries to send them to Spain than the other side of the world (as governmetns dont like paying for very much to start with) :)
Kind regards,
Chris
------------------------------
*From: *"Chuck" <consult@cgomes.com> *To: *"Chris Pelling" <chris@netearth.net> *Cc: *"Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> *Sent: *Thursday, 15 February, 2018 21:12:23 *Subject: *RE: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
My mistake Chris. Thanks for setting me straight. I am probably too optimistic, but it would be nice if it could happen in Panama in June.
Chuck
*From:* Chris Pelling [mailto:chris@netearth.net <chris@netearth.net>] *Sent:* Thursday, February 15, 2018 1:10 PM *To:* Chuck <consult@cgomes.com> *Cc:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Hi Chuck,
Barcelona is ICANN 63 in October, in June its ICANN 62 in Panama City : https://www.google.co.uk/search?hl=en&q=icann+meetings+2018&meta=
Kind regards,
Chris
------------------------------
*From: *"Chuck" <consult@cgomes.com> *To: *"Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> *Sent: *Thursday, 15 February, 2018 18:14:24 *Subject: *Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Because of the long lead time for scheduling workshops, it’s not too early to explore the value of one in Barcelona in June. It would be helpful if we could get to our charter question on Gated Access well before then if possible.
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Stephanie Perrin *Sent:* Thursday, February 15, 2018 9:45 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity an IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and I (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) I think we should get on with developing those standards, preferably ISO standards with possibility for independent audit. Stephanie Perrin On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP *forward*, you are part of the problem.
Sara
*sara bockey* *sr. policy manager | **Go**Daddy™* *sbockey@godaddy.com <sbockey@godaddy.com> 480-366-3616 <(480)%20366-3616>* *skype: sbockey*
*This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.*
*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net> <vgreimann@key-systems.net> *Date: *Thursday, February 15, 2018 at 4:30 AM *To: *Greg Shatan <gregshatanipc@gmail.com> <gregshatanipc@gmail.com> *Cc: *"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
That would be problematic, as you should know, since there is no clear cut line of what would constitute over-enforcement or under-enforcement. Well, the latter will resolve itself due to the incoming DPA actions. I also never heard of fees to be paid into a fund by those simply trying to remain compliant with their applicable laws. Contracted parties have been stating for years, if not over a decade that publication whois details in the current form and shape is problematic from a data protection perspective. We have repeatedly tried to drive home the point that the current system is not sustainable. We were ignored or ridiculed, or asked to get sued to prove our point. Now that we are forced to take action, everybody is protesting as if this were something new. It is not. Now we have to do a short-term fix, that will hurt more than it would have needed to if everyone had cooperated in good faith to reform whois years ago. The status quo will change. Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle. Volker out!
Am 15.02.2018 um 05:14 schrieb Greg Shatan:
In a similar vein, ICANN could establish an “Over-enforce the GDPR Fund,” in which everyone who thinks the GDPR’s data blackout should be extended to the data of non-EU and legal persons would pay in, and it would be used to defray the expenses incurred by those who should have access to information and instead must expend additional time, money and effort, and often incur additional harm, due GDPR over-enforcement.
On Wed, Feb 14, 2018 at 5:03 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Maybe you are hitting on something here. ICANN could just establish a "Leave-Whois-as-it-is" legal defense fund. Everyone who argues that whois should remain as it is has to pay into that fund and everyone who is fined by data protection violations can take the fines and their legal costs out of that fund. Of course, that would necessitate huge investments to set up the fund from mainly volunteer organizations that do not actually have the means to support it.

Best,
Volker
Am 14.02.2018 um 02:21 schrieb Rubens Kuhl:
On 13 Feb 2018, at 20:32, John Horton <john.horton@legitscript.com> wrote:
Thanks, Rubens -- I don't agree with that interpretation. (I think you mean the Q&A memo Section 2, right?) See memo here <https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en...>. Let me know if you meant the first or a different one.
It's exactly that memo. Since you don't agree, does that mean that your organisation is willing to pay every GDPR fine contracted parties get from following your interpretation? Because if you are unwilling to do that, then your belief in that interpretation is not rock solid.
What I can tell you is that this risk has been flagged by that paper, by the eco model and by internal analysis of some registries, all independently of each other; which means you will likely see a good number of contracted parties following exactly the path I outlined in order to mitigate this risk.
If you see things differently, get European DPAs to put that in writing, and we are all good to go.
Rubens
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Oh yeah, ICANN didn't exist either. Perhaps you are suggesting we ditch ICANN.

Michael Hammer

On Fri, Feb 16, 2018 at 3:36 AM, Dotzero <dotzero@gmail.com> wrote:
Ayden,
If original scope and intent are the metric we are using, I'll point out that today's Internet is well beyond the original scope and intent. Were you around for NSF and AUP? HTTP/HTTPS protocol didn't exist. Perhaps we should all go back to using gopher.
Michael Hammer
On Fri, Feb 16, 2018 at 3:31 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Hi, Nathalie-
I don't think this is a technical question, but a policy one. If I am understanding correctly, you are asking, in a tiered-access system, how would an Internet end-user be able to retrieve the personally identifiable information of a domain name registrant, like he or she can today? I know we are getting ahead of ourselves here, because as a Working Group we have not started to deliberate on this question, but I wouldn't think that the "general public" would satisfy authentication requirements.
Nor do I think they should. A tiered-access system that anyone could use would be no different to what we have today in WHOIS. I feel very strongly that we need to put an end to the over collection and over publication of information that exposes domain name registrants to harm by virtue of their online speech. WHOIS data today is being used beyond its narrow, original scope and purpose (e.g. to rapidly find a contact to help resolve a technical problem related to a domain name), a purpose that was unquestionably within the scope and mission of ICANN. The expansion of the WHOIS to solve, resolve, threaten, exploit, or 'ascertain the trustworthiness' of any type of Internet domain name speaker for any type of reason goes far beyond ICANN's narrow technical mission and scope, in my opinion.
Kind regards,
Ayden
-------- Original Message -------- On 16 February 2018 6:19 AM, nathalie coupet via gnso-rds-pdp-wg < gnso-rds-pdp-wg@icann.org> wrote:
To technical people on this list: In a tiered-system with authenticated access, how could the general public satisfy authentication requirements and what would those be, in order to have access to information about the trustworthiness of a website (what would this data be)? Would it be possible to mandate someone who is duly authorized within the registrar to look up the data on her behest? Is there a way to automatize this process?
Personal thought: I keep on thinking we will find a silver bullet in the principles set by the law of the sea, the mechanisms of the EEZ or natural law. Still looking.
Thanks,
Nathalie
On Thursday, February 15, 2018 7:59 PM, Chuck <consult@cgomes.com> wrote:
Good points Chris. Thanks again.
Chuck
*From:* Chris Pelling <chris@netearth.net>
*Sent:* Thursday, February 15, 2018 1:16 PM
*To:* Chuck <consult@cgomes.com>
*Cc:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
*Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
No issue Chuck, although, June is very optimistic in my opinion simply because the month prior - all hell breaks loose with GDPR :) At least if we look at October, we can get the info out to as many DPAs as poss to get them there, plus, being Barcelona, it will be a lot cheaper for the countries to send them to Spain than the other side of the world (as governments don't like paying for very much to start with) :)
Kind regards,
Chris
------------------------------
*From: *"Chuck" <consult@cgomes.com> *To: *"Chris Pelling" <chris@netearth.net> *Cc: *"Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> *Sent: *Thursday, 15 February, 2018 21:12:23 *Subject: *RE: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
My mistake Chris. Thanks for setting me straight. I am probably too optimistic, but it would be nice if it could happen in Panama in June.
Chuck
*From:* Chris Pelling <chris@netearth.net>
*Sent:* Thursday, February 15, 2018 1:10 PM
*To:* Chuck <consult@cgomes.com>
*Cc:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org>
*Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Hi Chuck,
Barcelona is ICANN 63 in October, in June its ICANN 62 in Panama City : https://www.google.co.uk/search?hl=en&q=icann+meetings+2018&meta=
Kind regards,
Chris
------------------------------
*From: *"Chuck" <consult@cgomes.com> *To: *"Stephanie Perrin" <stephanie.perrin@mail.utoronto.ca>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg@icann.org> *Sent: *Thursday, 15 February, 2018 18:14:24 *Subject: *Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Because of the long lead time for scheduling workshops, it’s not too early to explore the value of one in Barcelona in June. It would be helpful if we could get to our charter question on Gated Access well before then if possible.
Chuck
*From:* gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> *On Behalf Of* Stephanie Perrin
*Sent:* Thursday, February 15, 2018 9:45 AM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
I agree with Sara wholeheartedly. I would like to propose a workshop at the Barcelona meeting to discuss accreditation requirements for cybersecurity and IP actors who want to retain access to personal data in a tiered access solution. Release of data in such a system will require standards, and (as mentioned in Abu, on the public panel on GDPR, and in my own comments on the 3 models) I think we should get on with developing those standards, preferably ISO standards with possibility for independent audit.

Stephanie Perrin

On 2018-02-15 11:34, Sara Bockey wrote:
Our job is now to cooperate in good faith to build a new universal system that still fits most needs but also takes data protection as its core principle.
EXACTLY! And what’s lacking from most of our conversations are SOLUTIONS. We understand that many of you have come to rely on various types of data from WHOIS. We get it. We’ve heard you. What we have NOT heard is “we understand the changing landscape, and while we are concerned about losing X data, perhaps if we do Y, we can improve RDS and still have access OR if we do Z, we can _________.”
Given the number of really smart people on this list, I am frustrated by the lack of innovative, forward thinking. Change doesn’t have to be scary. Change can be better - an improvement. We need to stop with the myopia. We need to stop looking backward. We need to stop demonizing. If you are not saying something NEW, something to move this PDP *forward*, you are part of the problem.
Sara
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com*
*480-366-3616*
*skype: sbockey*
*This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.*
Hi,

On Fri, Feb 16, 2018 at 03:31:10AM -0500, Ayden Férdeline wrote:
Nor do I think they should. A tiered-access system that anyone could use would be no different to what we have today in WHOIS.
That isn't true. In an access system in which an unauthenticated user gets a minimal response, but an authenticated user gets even the full response returned today, there's an important difference: you know who the authenticated user is, and can require various assurances by retrieval through that authenticated use. _Also_, one permission that one might give as part of getting authenticated access is that each authenticated access to a registrant's data might be reported to the registrant. So, as a condition of finding out everything, you also expose that you are looking at the information. Once there is an authentication of the query source, there are _lots_ of potential possibilities, particularly when combined with privacy and proxy operators that are already in place.

Now, this is not an argument, please note, that we ought to head in that direction. It is merely to point out that there are substantive differences between unauthenticated access and authenticated access to the very same data.

On a different issue (and this might be pedantry, so you can stop now):
WHOIS data today is being used beyond its narrow, original scope and purpose (e.g. to rapidly find a contact to help resolve a technical problem related to a domain name), a purpose that was unquestionably within the scope and mission of ICANN.
I am not entirely convinced you are right about the "original" scope and purpose, since WHOIS (or NICNAME) predates the DNS and domain names by more than a year (they first appear respectively in RFC 812 and RFC 882, though of course the programs predate the documentation -- this is quite obvious from the text in 812, and less plain in 882). Even RFC 954 is mostly about a directory for _people_, not hosts or domain names. It is quite plain from RFC 3912 -- almost 20 years later -- that WHOIS had been extended past its original purpose.

At the same time, it is quite plain that the _reason_ you'd need a NICNAME facility in the first place had to do with the network operations. It was maintained by the NIC, under contract to the DCA, and the basis for collecting the data was the "request" of the DCA about any users who had a directory on an ARPANET-connected machine and who could pass traffic across the ARPANET. (Others on this list will know whether a "request" from DCA in those days was effectively a requirement. I don't know, but I observe that Steve Crocker just joined the list :) )

I think, then, that we can say the point of NICNAME (aka WHOIS) was to support the important functions relevant to the operation of the network of the day. At the time, that appears to have extended to everyone connected; but the protocol dates from the NCP period, so anyone connected could be expected to be more related to actual operations than was perhaps later the case.

This also, note, gives the best argument for why to abandon the idea wholesale: it was designed to look up the names of everyone connected to the Internet, but that is neither necessary nor desirable nor even feasible on an internet of 2 billion people. Of course, if we embrace that argument, we still have the question of what to do in support of DNS operations near the top level, in a distributed network without existing transitive contractual relationships. I think that's how we get to RDS: it needs to provide the data necessary to make the Internet continue to work more reliably than might be expected of an entirely voluntary system built with unreliable parts.

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
Nathalie,

I don’t want to venture a guess at which bits of information are needed to determine web site trustworthiness, but I can tell you what’s implemented for demonstration purposes in my ccTLD (.cc and .tv) RDAP pilot. We have three access tiers:

1. Unauthenticated access: the client receives basic information to confirm domain registration and delegation. Things like name servers, registrar info, etc.

2. Basic access: the client authenticates with a “free, easy to acquire” credential like a Gmail or Hotmail email address (Google and Microsoft already support the underlying technology and nothing special is required). At this tier the client will receive additional information like registration and expiration dates, but no contact information.

3. Authorized access: the client authenticates with a credential provided by one of a small number of identity provider partners that my RDAP implementation recognizes. My team is running one such provider, as are the folks at CZNIC. This is analogous to the “accredited” entities that we’ve been talking about. At this tier the client receives everything, including contact data.

As I said, this is just an example. The data available at any tier and the tiers in which various actors fit are significant topics of policy discussion. The system can be made to work in such a way that a registrant or their delegate is indeed duly and fully authorized to see everything.

I’ve made the offer on this list before and I’ll make it again: I’ll provide a credential to anyone on this list who wants to see how gated access can work with RDAP. Just ask and I’ll get you set up. We are working to add this feature to our gTLD pilot “soon”.
Scott
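The three tiers Scott describes, together with Andrew's point that an authenticated lookup can itself be recorded and reported back to the registrant, as an added Python illustration. This is not code from the .cc/.tv pilot or any other project. It assumes an RDAP domain object in the RFC 9083 JSON shape (the sample below is constructed), and assumed issuer identifiers for the "partner" and "public" identity providers; which issuers count as partners, and exactly which fields each tier sees, are the policy questions the message leaves open.

```python
"""Tiered RDAP access: cut a domain object down to the caller's tier and keep an
access record for authenticated lookups. Illustration only, not pilot code."""
import copy
import json
from enum import IntEnum


class Tier(IntEnum):
    UNAUTHENTICATED = 0  # no credential: registration and delegation data only
    BASIC = 1            # free public identity (Gmail/Hotmail style): adds dates
    AUTHORIZED = 2       # credential from a recognised partner IdP: everything


# Assumed issuer identifiers. Which issuers are "partners" is a policy decision.
PARTNER_ISSUERS = {"https://idp.partner-registry.example", "https://idp.cznic.example"}
PUBLIC_ISSUERS = {"https://accounts.google.com", "https://login.microsoftonline.com"}
CONTACT_ROLES = {"registrant", "administrative", "technical", "billing"}

# Constructed sample: a full RDAP domain object in the RFC 9083 JSON shape.
FULL_RESPONSE = {
    "objectClassName": "domain",
    "ldhName": "example.tv",
    "handle": "EXAMPLE-TV-1",
    "status": ["active"],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.net"},
                    {"objectClassName": "nameserver", "ldhName": "ns2.example.net"}],
    "events": [{"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"},
               {"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}],
    "entities": [
        {"objectClassName": "entity", "handle": "REG-123", "roles": ["registrar"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar Inc."]]]},
        {"objectClassName": "entity", "handle": "C-456", "roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Jane Doe"],
                                  ["email", {}, "text", "jane@example.org"]]]},
        {"objectClassName": "entity", "handle": "C-789", "roles": ["technical"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Ops Desk"]]]},
    ],
}


def tier_for(principal):
    """Map an authenticated principal ({"iss": ..., "sub": ...}) to a tier."""
    if principal is None:
        return Tier.UNAUTHENTICATED
    iss = principal.get("iss")
    if iss in PARTNER_ISSUERS:
        return Tier.AUTHORIZED
    if iss in PUBLIC_ISSUERS:
        return Tier.BASIC
    raise PermissionError(f"untrusted issuer: {iss}")  # fail closed, never "basic"


def filter_for_tier(full, tier):
    """Return a copy of the full domain object reduced to what the tier may see."""
    out = copy.deepcopy(full)
    withheld = []
    if tier < Tier.AUTHORIZED:
        # Contact entities carry personal data; the registrar entity does not.
        kept = [e for e in out.get("entities", [])
                if not (set(e.get("roles", [])) & CONTACT_ROLES)]
        if len(kept) != len(out.get("entities", [])):
            withheld.append("entities")
        out["entities"] = kept
    if tier < Tier.BASIC and "events" in out:
        del out["events"]
        withheld.append("events")
    if withheld:
        # Remark type from the IANA RDAP JSON Values registry, so a client can
        # tell "not present" from "present but withheld at this tier".
        out.setdefault("remarks", []).append({
            "title": "Truncated",
            "type": "object truncated due to authorization",
            "description": ["Withheld at this access tier: " + ", ".join(withheld)],
        })
    return out


def serve_domain(full, principal, when):
    """Answer a lookup. For authenticated callers also return the access
    record that a registry could later report to the registrant."""
    tier = tier_for(principal)
    response = filter_for_tier(full, tier)
    record = None
    if tier >= Tier.BASIC:
        record = {"when": when, "domain": full["ldhName"], "tier": tier.name,
                  "accessor": f"{principal['iss']}#{principal['sub']}",
                  "contacts_released": tier == Tier.AUTHORIZED}
    return response, record


if __name__ == "__main__":
    for who in (None, {"iss": "https://accounts.google.com", "sub": "user-1"},
                {"iss": "https://idp.cznic.example", "sub": "analyst-42"}):
        resp, rec = serve_domain(FULL_RESPONSE, who, "2018-02-16T12:00:00Z")
        print(json.dumps({"tier": tier_for(who).name, "response": resp, "record": rec}, indent=1))
```

Two choices worth noting. An issuer that is neither a partner nor a known public provider raises rather than falling through to the basic tier, so a misconfigured or spoofed issuer fails closed. And the withheld fields are signalled with a standard RDAP remark instead of silently omitted, which is what lets an automated client (the "can this be automatized" part of the question) know it should re-query with a higher-tier credential rather than conclude the data does not exist.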
participants (5)
- Andrew Sullivan
- Ayden Férdeline
- Dotzero
- Hollenbeck, Scott
- nathalie coupet