A draft of the new ICANN Whois policy was published a few days ago.
https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-...
From that document:
"This Temporary Specification for gTLD Registration Data (Temporary Specification) establishes temporary requirements to allow ICANN and gTLD registry operators and registrars to continue to comply with existing ICANN contractual requirements and community-developed policies in light of the GDPR. Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains robust collection of Registration Data (including Registrant, Administrative, and Technical contact information), but restricts most Personal Data to layered/tiered access. Users with a legitimate and proportionate purpose for accessing the non-public Personal Data will be able to request such access through Registrars and Registry Operators. Users will also maintain the ability to contact the Registrant or Administrative and Technical contacts through an anonymized email or web form. The Temporary Specification shall be implemented where required by the GDPR, while providing flexibility to Registry Operators and Registrars to choose to apply the requirements on a global basis based on implementation, commercial reasonableness and fairness considerations. The Temporary Specification applies to all registrations, without requiring Registrars to differentiate between registrations of legal and natural persons. It also covers data processing arrangements between and among ICANN, Registry Operators, Registrars, and Data Escrow Agents as necessary for compliance with the GDPR."
I think this is the worst of both worlds. The data is basically still public, but you cannot access it unless someone marks you as a "friend".

This policy is basically what Facebook is. And how well it played out once folks realised that their shared data wasn't actually private?

C.

On 16 May 2018 at 16:02, Brian Kantor <Brian@ampr.org> wrote:
On May 16, 2018 at 16:10 mureninc@gmail.com (Constantine A. Murenin) wrote:
> I think this is the worst of both worlds. The data is basically still public, but you cannot access it unless someone marks you as a "friend".
>
> This policy is basically what Facebook is. And how well it played out once folks realised that their shared data wasn't actually private?
The problem is that once the data gets out it's out, and in many cases such as this WHOIS data only stales very slowly.

So one malicious breach or outlaw/misbehaving assignee and you may as well have done nothing.

I suppose one could /reductio ad absurdum/ and ask: so therefore do nothing?

No, but perhaps more focus on misuse would be more productive. The penalties for violations of GDPR are eye-watering, like 4% of gross revenues. That is, could be billions of dollars (or euros if you prefer.)

We know how well all this has worked in 20+ years of spam-fighting, which is to say not really well at all.

It relies on this rather blue-sky model of the problem, which is that abuse can be reined in by putting pressure on people who actually answer their phone rather than abusers who generally don't.

Another problem is the relatively unilateral approach of GDPR coming out of the EU yet promising application to any company with an EU nexus (or direct jurisdiction of course.)

In that it resembles a tariff war.

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
At this point if I were a registrar or registry doing business in such a way as to be subject to GDPR, I’d seriously consider spinning up a subsidiary only for that purpose and leave it with minimal revenues and nothing to collect in the event of a lawsuit. Either that or simply stop doing business with Europeans until their government comes to its senses.

Fortunately, for now I get to watch from the sidelines with amusement as this unfolds.

Owen
On May 16, 2018, at 17:26, bzs@theworld.com wrote:
On May 16, 2018 at 18:18 owen@delong.com (Owen DeLong) wrote:
> At this point if I were a registrar or registry doing business in such a way as to be subject to GDPR, I’d seriously consider spinning up a subsidiary only for that purpose and leave it with minimal revenues and nothing to collect in the event of a lawsuit. Either that or simply stop doing business with Europeans until their government comes to its senses.
2018-04-19, The Guardian...
https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users...
or http://tinyurl.com/yaeqguhz

Headline: Facebook moves 1.5bn users out of reach of new European privacy law

...

"The move is due to come into effect shortly before General Data Protection Regulation (GDPR) comes into force in Europe on 25 May. Facebook is liable under GDPR for fines of up to 4% of its global turnover – around $1.6bn – if it breaks the new data protection rules."

...

"The company follows other US multinationals in the switch. LinkedIn, for instance, is to move its own non-EU users to its US branch on 8 May. “We’ve simply streamlined the contract location to ensure all members understand the LinkedIn entity responsible for their personal data,” it told Reuters."

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
* owen@delong.com (Owen DeLong) [Thu 17 May 2018, 03:19 CEST]:
> At this point if I were a registrar or registry doing business in such a way as to be subject to GDPR, I’d seriously consider spinning up a subsidiary only for that purpose and leave it with minimal revenues and nothing to collect in the event of a lawsuit. Either that or simply stop doing business with Europeans until their government comes to its senses.
>
> Fortunately, for now I get to watch from the sidelines with amusement as this unfolds.
I'm happy as a European to finally do business with companies that will have at least a modicum of respect for my privacy. We cannot escape UDRP but at least we now have a say in what we are forced to publish about ourselves.

--
Niels.
On May 17, 2018 at 10:29 niels=nanog@bakker.net (Niels Bakker) wrote:
> We cannot escape UDRP but at least we now have a say in what we are forced to publish about ourselves.
Just curious, what does UDRP have to do with any of this?

UDRP is an ICANN process which allows someone who believes they have intellectual property rights in a domain to challenge an ownership. Granted it's been abused (but so have baseball bats), creating the new dreaded acronym RDNH (reverse domain name hijacking), but I don't see how that's related.

Even under GDPR a litigant can get the owner's contact information or, if the info is false or not practically available, pursue a default judgement which, if successful, would result in the domain's transfer to them.

FWIW for new TLDs (.RODEO or whatever) the equivalent process is URS.

Gratuitous Side Note: One of the more publicized cases of late involved FRANCE.COM which apparently the French govt seized ownership of via WEB.COM without any UDRP process or notice to the owner.

Overview article, you can find others:
https://www.sgtreport.com/2018/04/france-seizes-france-com-from-man-whos-had...

Legal filing:
https://domainnamewire.com/wp-content/france-com.pdf

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
Agreed. This is garbage, un-needed legislation.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
To: bzs@theworld.com
Cc: "Constantine A. Murenin" <mureninc@gmail.com>, "North American Network Operators' Group" <nanog@nanog.org>
Sent: Wednesday, May 16, 2018 8:18:54 PM
Subject: Re: Whois vs GDPR, latest news

> At this point if I were a registrar or registry doing business in such a way as to be subject to GDPR, I’d seriously consider spinning up a subsidiary only for that purpose and leave it with minimal revenues and nothing to collect in the event of a lawsuit. Either that or simply stop doing business with Europeans until their government comes to its senses.
>
> Fortunately, for now I get to watch from the sidelines with amusement as this unfolds.
>
> Owen
* nanog@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:
> Agreed. This is garbage, un-needed legislation.
Disagreed. These are great and necessary regulations. I'm loving the flood of convoluted unsubscribe notices this month from companies that had stored PII for no reason.

--
Niels.
On 17/05/2018 at 15:03 Niels Bakker wrote:
> * nanog@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:
>> Agreed. This is garbage, un-needed legislation.
>
> Disagreed. These are great and necessary regulations.
>
> I'm loving the flood of convoluted unsubscribe notices this month from companies that had stored PII for no reason.
Those who would give up essential liberty, to purchase a little temporary safety(*), deserve neither liberty nor safety(*).

(*) you can replace this word with "comfort" in this case without losing the point

This is what all the regulation fans still have not understood.

Regards,
Zbynek
Hi,
> On 17/05/2018 at 15:03 Niels Bakker wrote:
>> * nanog@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:
>>> Agreed. This is garbage, un-needed legislation.
>>
>> Disagreed. These are great and necessary regulations.
>>
>> I'm loving the flood of convoluted unsubscribe notices this month from companies that had stored PII for no reason.
>
> Those who would give up essential liberty, to purchase a little temporary safety(*), deserve neither liberty nor safety(*).
But this regulation increases essential liberty for individuals, so I don't understand your argument...

Cheers,
Sander
If of use, last Monday I recorded and posted video of Jonathan Zuck's briefing to NARALO on ICANN's interim plan.

--
Joly MacFie
President - Internet Society New York Chapter (ISOC-NY)
http://isoc-ny.org
218 565 9365
On 17/05/2018 at 18:14 Sander Steffann wrote:
> Hi,
>
> But this regulation increases essential liberty for individuals, so I don't understand your argument...
No, it doesn't. It has two aspects:

1. It brings new positively defined rights. But as with any other positively defined rights, it brings an obligation for everyone else to provide such rights; it requires enforcement, inspections/whatever, which everyone in Europe must pay for from taxes, and it requires implementation of a lot of rules, possible changing of existing internal systems etc. etc. in companies, which will be paid from their revenue, so again from consumer money.

2. It would be true in an ideal situation. In the real world, there is no ideal situation. Accept the fact that if you would like to keep any data private, you must not tell it to anyone. You. You are the one who can decide about your data and who can really protect your data, no one else, no government, no GDPR. There are a lot of anonymization techniques, strong encryption and other things helping to cover who used/published/stole your private data when it is done by experienced professionals. It could help a little bit to keep private data protected against beginner and intermediate data thieves and perhaps against some kinds of stupid mistakes, maybe. Nothing more. Is it enough when we mention all the costs, including hidden ones? I don't think so.

BTW, nobody told me he was going to propose such a regulation before the last EP elections; no party I have been able to vote for has anything like this, nor opposing anything like this, in their program.

--
Regards,
Zbynek
What about my right to not have this crap on NANOG?

On Thu, May 17, 2018 at 2:03 PM, Zbyněk Pospíchal <zbynek@dialtelecom.cz> wrote:
--
Fletcher Kittredge
GWI
207-602-1134
www.gwi.net
On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge <fkittred@gwi.net> wrote:
> What about my right to not have this crap on NANOG?
What about the likely truth that if anyone from Europe mails the list, then every mail server operator with subscribers to the list must follow the GDPR Article 14 notification requirements, as the few exceptions appear to not apply (unless you’re just running an archive).

Matthew
Mind pointing out where in the GDPR that it directly relates to these types of mail services ?
On May 21, 2018, at 20:07, Matthew Kaufman <matthew@matthew.at> wrote:
--
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Mon, May 21, 2018 at 7:03 PM Jason Hellenthal <jhellenthal@dataix.net> wrote:
> Mind pointing out where in the GDPR that it directly relates to these types of mail services ?
Like most regulations, it doesn’t call out a specific thing like email or social networking sites or ecommerce. But it follows quite directly:

GDPR covers processing of personal data of EU subjects. Email addresses are personal data. Article 14 says that if you receive personal data but not directly from the subject, you must notify the subject and provide them with a variety of information. There are exceptions for things like scientific studies and archival purposes... but not because it is simply inconvenient to do so.

That this probably just isn’t going to happen for any email servers or search engine crawlers doesn’t mean the law doesn’t say what it says.

Matthew
> What about the likely truth that if anyone from Europe mails the list, then every mail server operator with subscribers to the list must follow the GDPR Article 14 notification requirements, as the few exceptions appear to not apply (unless you’re just running an archive).
Some of us whose businesses and equipment are entirely in North America will take our chances. This is NANOG, not EUNOG, you know.

Also, one thing that has become painfully clear is that the number of people who imagine that they understand the GDPR exceeds the number who actually understand it by several orders of magnitude.

The "you have to delete all my messages from the archive if I unsubscribe" nonsense is a good indicator.

R's,
John
What is GDPR?

My current guess is "Just another thing to learn since whois is now broken because too many of us just abused a once useful tool".

On 23 May 2018 1:50:17 PM NZST, John Levine <johnl@iecc.com> wrote:
--
Don Gould
5 Cargill Place
Richmond
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
Ph: +61 3 9111 1821 (Melb)
www.bowenvale.co.nz
skype: don.gould.nz
Maybe I'm going out on a limb here, but was domain whois ever really that useful? I can't remember ever using it for any legitimate sort of activity, and I know it gets scraped quite a bit by spammers. Most of the data is bogus these days on a lot of TLDs which allow "anonymous registrations" and which registrars often charge an extra dollar or two for. Showing the authoritative nameservers is neat, but a simple NS record query against the next level up would suffice to provide that information as well. The date of expiration may be useful if you're trying to grab a domain when it expires, but registrar policies often drag that out anyways and half the time the registrar squats on any decent domain when it expires anyhow. Date of original registration may be interesting for one reason or another... but none of this data is personally identifiable information anyhow.

Now on the other hand, RIR whois is actually very useful for determining the rightful owner and abuse contacts for IP address space... Since RIRs are designated by region and, afaik, only RIPE NCC data would be impacted by GDPR... well, I'm surprised this isn't being talked about more than the domain name side of things.

Take care,
Matt
Domain whois is absolutely useful. Try contacting a site to report that their nameservers are hosed without it. People forget that the primary purpose of whois is to report faults. You don’t need to do it very often, but when you do it is crucial.

Remember that about 50% of zones have non-RFC-compliant name servers (the software is broken) and that newer resolvers depend on default behaviour working correctly.
On 23 May 2018, at 12:37 pm, Matt Harris <matt@netfire.net> wrote:
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
* Mark Andrews:
> Domain whois is absolutely useful. Try contacting a site to report that their nameservers are hosed without it.
A lot of WHOIS servers do not show who's running the name servers, or who maintains the data served by them. Those that do usually provide information which is provably wrong.
> Remember that about 50% of zones have non-RFC-compliant name servers (the software is broken) and that newer resolvers depend on default behaviour working correctly.
If WHOIS records were useful for contacting operators, you wouldn't have to raise these issues on public lists periodically.
On 23/05/2018 04:50, John Levine wrote:
>> What about the likely truth that if anyone from Europe mails the list, then every mail server operator with subscribers to the list must follow the GDPR Article 14 notification requirements, as the few exceptions appear to not apply (unless you’re just running an archive).
>
> Some of us whose businesses and equipment are entirely in North America will take our chances. This is NANOG, not EUNOG, you know.
>
> Also, one thing that has become painfully clear is that the number of people who imagine that they understand the GDPR exceeds the number who actually understand it by several orders of magnitude.
>
> The "you have to delete all my messages from the archive if I unsubscribe" nonsense is a good indicator.
>
> R's,
> John

Every generation needs its religious wars. Unix vs Windows. OSI vs TCPIP. Now there is GDPR vs Theworld.
-Hank
On May 23, 2018 at 07:45 hank@efes.iucc.ac.il (Hank Nussbacher) wrote:
> ...Now there is GDPR vs Theworld.
Or vice-versa.

Sincerely,
TheWorld.com.

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
If you don't have operations in the EU, you can not so politely tell the EU to piss off.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Matthew Kaufman" <matthew@matthew.at>
To: "Fletcher Kittredge" <fkittred@gwi.net>
Cc: "NANOG list" <nanog@nanog.org>
Sent: Monday, May 21, 2018 8:07:15 PM
Subject: Re: Whois vs GDPR, latest news

> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge <fkittred@gwi.net> wrote:
>> What about my right to not have this crap on NANOG?
>
> What about the likely truth that if anyone from Europe mails the list, then every mail server operator with subscribers to the list must follow the GDPR Article 14 notification requirements, as the few exceptions appear to not apply (unless you’re just running an archive).
>
> Matthew
Sadly this isn't true. While I doubt the EU regulators are going to come head hunting for companies any time soon, they do have mechanisms in place to sanction companies who don't do business in the EU, and the scope is clearly intended to reach wherever the data of EU natural persons is being held.

https://gdpr-info.eu/art-3-gdpr/

I asked one of the EU regulators at RSA how they intended to enforce GDPR violations on businesses that don't operate in their jurisdiction, and without hesitation he told me they'd use civil courts to sue the offending companies.

On Wed, May 23, 2018 at 8:36 AM, Mike Hammett <nanog@ics-il.net> wrote:
> If you don't have operations in the EU, you can not so politely tell the EU to piss off.
*shrugs* Me hurting the EU's feelings is rather low on the list of things I care about.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "K. Scott Helms" <kscotthelms@gmail.com>
To: "Mike Hammett" <nanog@ics-il.net>
Cc: "NANOG list" <nanog@nanog.org>
Sent: Wednesday, May 23, 2018 7:46:19 AM
Subject: Re: Whois vs GDPR, latest news

> Sadly this isn't true. While I doubt the EU regulators are going to come head hunting for companies any time soon, they do have mechanisms in place to sanction companies who don't do business in the EU, and the scope is clearly intended to reach wherever the data of EU natural persons is being held.
>
> https://gdpr-info.eu/art-3-gdpr/
>
> I asked one of the EU regulators at RSA how they intended to enforce GDPR violations on businesses that don't operate in their jurisdiction, and without hesitation he told me they'd use civil courts to sue the offending companies.
>
> On Wed, May 23, 2018 at 8:36 AM, Mike Hammett <nanog@ics-il.net> wrote:
>> If you don't have operations in the EU, you can not so politely tell the EU to piss off.
Of course not, but do you really want to be sued? Even if the US courts decline to accept GDPR cases, which is not at all a given since we have a long history of bilateral enforcement, it costs money to deal with, and I don't want to worry that I'm going to fly one day to a country that will enforce civil penalties.

While I don't tell most people or companies to worry if they only do business in the US, I also don't think it's a good idea to simply thumb your nose at the EU regulators. Some North American direct marketing and data collection firms are definitely going to get a rude, and expensive, awakening despite not having any EU operations.

On Wed, May 23, 2018 at 8:49 AM, Mike Hammett <nanog@ics-il.net> wrote:
*shrugs* Me hurting the EU's feelings is rather low on the list of things I care about.
In article <CAE-M_OBdDv1+DFto=h1O-ghLbs2TQ_x_P9kuw4LS24mSBaw9Ww@mail.gmail.com> you write:
I asked one of the EU regulators at RSA how they intended to enforce GDPR violations on businesses that don't operate in their jurisdiction and without hesitation he told me they'd use civil courts to sue the offending companies.
He probably thought you meant if he's in France and the business is in Ireland, since they're both in the EU. Outside the EU, on the other hand, ...

If they try to sue in, say, US courts, the US court will ask them to explain why a US court should try a suit under foreign law. There is a very short list of reasons to do that, and this isn't on it.

I'm not saying that one should gratuitously poke EU regulators in the eye but it's pretty silly to imagine that they will waste time harassing people over whom they have no jurisdiction and against whom they have no recourse.

R's,
John
On May 23, 2018, at 08:53, John Levine <johnl@iecc.com> wrote:
In article <CAE-M_OBdDv1+DFto=h1O-ghLbs2TQ_x_P9kuw4LS24mSBaw9Ww@mail.gmail.com> you write:
I asked one of the EU regulators at RSA how they intended to enforce GDPR violations on businesses that don't operate in their jurisdiction and without hesitation he told me they'd use civil courts to sue the offending companies.
He probably thought you meant if he's in France and the business is in Ireland, since they're both in the EU. Outside the EU, on the other hand, ...
If they try to sue in, say, US courts, the US court will ask them to explain why a US court should try a suit under foreign law. There is a very short list of reasons to do that, and this isn't on it.
Actually, due to treaty, it is. At least according to some lawyers that have been advising ICANN stakeholder group(s).
I'm not saying that one should gratuitously poke EU regulators in the eye but it's pretty silly to imagine that they will waste time harassing people over whom they have no jurisdiction and against whom they have no recourse.
True. But unfortunately, companies in the US (and many other places with treaties with the EU, including Mauritius, for example) don’t fit that description. Owen
On May 23, 2018, at 9:59 AM, Owen DeLong <owen@delong.com> wrote:
Actually, due to treaty, it is. At least according to some lawyers that have been advising ICANN stakeholder group(s).
Also, don't forget the private right of action. Anyone can file anything in the U.S. courts... you may get it dismissed (although then again you may not) but either way, it's going to be time and money out of your pocket fighting it. MUCH better to just get compliant than to end up a test case.

Anne

Anne P. Mitchell, Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop
On 05/23/2018 09:09 AM, Anne P. Mitchell Esq. wrote:
Also, don't forget the private right of action. Anyone can file anything in the U.S. courts... you may get it dismissed (although then again you may not) but either way, it's going to be time and money out of your pocket fighting it. MUCH better to just get compliant than to end up a test case.
And that's why my domains use Register.com's proxy service. I'm risk-averse, especially with the revenue (pennies) my domains earn. Better to just bite the bullet. That said, I have abuse contacts listed for my domains. You just have to ask the proxy for them. (In 15 years, the only abuse mail I've received is mail from people who HATED what I said on the NANAE newsgroup... and I've not used USENET for 10 of those years.)
On 5/23/18, 12:10 PM, "NANOG on behalf of Anne P. Mitchell Esq." <nanog-bounces@nanog.org on behalf of amitchell@isipp.com> wrote:
Also, don't forget the private right of action. Anyone can file anything in the U.S. courts... you may get it dismissed (although then again you may not) but either way, it's going to be time and money out of your pocket fighting it. MUCH better to just get compliant than to end up a test case.
Isn't "better" a factor of how much it costs to become compliant with GDPR? I'm no expert, but some of the things I've heard sounded not trivial to implement (read potentially BIG investment).

-dan
On May 23, 2018, at 10:21 AM, Daniel Brisson <dbrisson@uvm.edu> wrote:
Isn't "better" a factor of how much it costs to become compliant with GPDR? I'm no expert, but some of the things I've heard sounded not trivial to implement (read potentially BIG investment).
In our experience, orgs that are already following all industry best practices are, generally, at least 70% of the way to becoming compliant already. Where it can get expensive for the ones who aren't is in hardening their systems to provide for better security/privacy. U.S. companies are used to being able to drink at the firehose of data that is collected here in the U.S., and use it however they want... this is the real major change. I suppose you could say it's expensive in that it is reducing the ways they can monetize that data.

Anne

Anne P. Mitchell, Attorney at Law
CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
GDPR Compliance Consultant
GDPR Compliance Certification
http://www.SuretyMail.com/
http://www.SuretyMail.eu/
Attorney at Law / Legislative Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Board of Directors, Asilomar Microcomputer Workshop
Member, Advisory Board, Cause for Awareness
Member, Elevations Credit Union Member Council
Former Chair, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Available for consultations by special arrangement.
amitchell@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell | LinkedIn/in/annemitchell
Anne,

Yep, if you're doing a decent job around securing data then you don't have much to be worried about on that side of things. The problem for most companies is that GDPR isn't really a security law, it's a privacy law (and set of regulations). That's where it's hard because there are a limited number of ways you can, from the EU's standpoint, lawfully process someone's PII. Things like opting out and blanket agreements to use all of someone's data for any reason a company may want are specifically prohibited. Even companies that don't intentionally sell into the EU (or the UK) can find themselves dealing with this if they have customers with employees in the EU.

On Wed, May 23, 2018 at 12:29 PM, Anne P. Mitchell Esq. <amitchell@isipp.com> wrote:
In our experience, orgs that are already following all industry best practices are, generally, at least 70% of the way to becoming compliant already. Where it can get expensive for the ones who aren't is in hardening their systems to provide for better security/privacy. U.S. companies are used to being able to drink at the firehose of data that is collected here in the U.S., and use it however they want.. this is the real major change. I suppose you could say it's expensive in that it is reducing the ways they can monetize that data.
On May 23, 2018, at 11:05 AM, K. Scott Helms <kscotthelms@gmail.com> wrote:
Yep, if you're doing a decent job around securing data then you don't have much to be worried about on that side of things. The problem for most companies is that GDPR isn't really a security law, it's a privacy law (and set of regulations). That's where it's hard because there are a limited number of ways you can, from the EU's standpoint, lawfully process someone's PII. Things like opting out and blanket agreements to use all of someone's data for any reason a company may want are specifically prohibited. Even companies that don't intentionally sell into the EU (or the UK) can find themselves dealing with this if they have customers with employees in the EU.
Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based website and orders something (or even just provides their PII)... but happens to be in a plane flying over an EU country at the time. Because GDPR doesn't talk about residence or citizenship, it talks only about a vague and ambiguous "in the Union", and I can certainly envision an argument in which the person in the plane claims that they were, technically, "in the Union" at the time.

Anne
On 23 May 2018, at 19:12, Anne P. Mitchell Esq. <amitchell@isipp.com> wrote:
Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based website and orders something (or even just provides their PII)... but happens to be in a plane flying over an EU country at the time. Because GDPR doesn't talk about residence or citizenship, it talks only about a vague and ambiguous "in the Union", and I can certainly envision an argument in which the person in the plane claims that they were, technically, "in the Union" at the time.
Actually, the EU Commission is pretty clear about the non-E.U. person travelling to the E.U. and using a service not specifically targeting E.U. users:

"When the regulation does not apply
Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR."
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-busines...

There are many other examples on their website which leave pretty little doubt about when it applies and when it does not.

Regards,
Michel
However, if an EU citizen or resident uses the services of those companies, they are bound to comply with the GDPR. So, if you target your services to people outside the EU, you must have a way to DENY that anyone in the EU registers for your services, or even sends a request via a form on your web, etc. I don't think that's so easy to make 100% proof ... and maybe the cost of complying with the GDPR is even cheaper/easier and you open your services to the EU as well (or EU people, for example, visiting the US).

Regards,
Jordi

----- Original Message -----
From: NANOG <nanog-bounces@nanog.org> on behalf of Michel 'ic' Luczak <lists@benappy.com>
Date: Saturday, 26 May 2018, 10:34
To: "Anne P. Mitchell Esq." <amitchell@isipp.com>
CC: "Gary T. Giesen via NANOG" <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news
On Sat, 26 May 2018 10:31:29 +0200, "Michel 'ic' Luczak" said:
"When the regulation does not apply
Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”
Now here's the big question - a *lot* of companies are targeting "anybody with a freemail account like GMail and a valid Visa or Mastercard card" or similar business models - does that count as "specifically targeting at EU", or not?
In article <230722.1527374328@turing-police.cc.vt.edu> you write:
Now here's the big question - a *lot* of companies are targeting "anybody with a freemail account like GMail and a valid Visa or Mastercard card" or similar business models - does that count as "specifically targeting at EU", or not?
This is an excellent question, because anyone who purports to give you an answer has self-identified as a fool. The closest thing to an answer is that nobody knows; maybe after some rulings from various national authorities we'll have an idea, except that they'll probably be inconsistent and contradictory.

R's,
John
This is really off-topic for NANOG. Is there a better place where this discussion can be found?
ISIPP hosts several email groups where this conversation would be appropriate. Anybody who would like to continue the conversation there is welcome to ping me offlist requesting to join one or more of those groups... please include your full name, for whom you work (if relevant), and a one sentence description of your interest in/connection to network security, privacy, and/or policies.

Anne
On May 23, 2018, at 9:29 AM, Anne P. Mitchell Esq. <amitchell@isipp.com> wrote:
In our experience, orgs that are already following all industry best practices are, generally, at least 70% of the way to becoming compliant already. Where it can get expensive for the ones who aren't is in hardening their systems to provide for better security/privacy. U.S. companies are used to being able to drink at the firehose of data that is collected here in the U.S., and use it however they want.. this is the real major change. I suppose you could say it's expensive in that it is reducing the ways they can monetize that data.
Of course a perfectly valid alternative is to refuse to do business with EU persons. Then GDPR compliance becomes entirely unnecessary. Owen
On Wed, 23 May 2018, Owen DeLong wrote:
On May 23, 2018, at 08:53, John Levine <johnl@iecc.com> wrote:

If they try to sue in, say, US courts, the US court will ask them to explain why a US court should try a suit under foreign law. There is a very short list of reasons to do that, and this isn't on it.

Actually, due to treaty, it is. At least according to some lawyers that have been advising ICANN stakeholder group(s).
Can treaties supersede US law?

-Dan
In a nutshell this is a tariff war.

They should have pursued their ideas about data privacy etc in international, multilateral venues. The EU is only about 10% of the world's population and perhaps 20% of the world's GDP.

What does, for example, China or India think about all this? Is the EU going to seek enforcement against Alibaba or Baidu or FlipKart (ok Walmart owns most of FlipKart now but you get my point I hope)? Latin America? Africa? Brooklyn?!

Are APEC, ASEAN, CIS, GCC, DJT, etc (regional trade organizations) each going to launch their own "GDPR"?

My guess: Some noise, some lawyers make a buttload* of money, other countries and multinational trade orgs begin resisting which attracts attention from their non-EU nation members, and then it's modified into oblivion.

* Note: a "butt" is a standard English barrel measure, a large barrel, 108 imperial gallons. https://en.wikipedia.org/wiki/English_brewery_cask_units#Butt

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
Not really. If you don’t offer services to EU persons, then you are right. However, due to treaties signed by the US and other countries, many places outside the EU are subject to GDPR overreach. Owen
On May 23, 2018, at 05:36, Mike Hammett <nanog@ics-il.net> wrote:
If you don't have operations in the EU, you can not so politely tell the EU to piss off.
Yeah, that's not accurate. US organizations sue EU organizations in US courts (and vice versa) on a regular basis but have EU courts collect the damages. Congress can carve out an exemption, but I haven't heard of an effort in that direction getting started yet. In the absence of a legislative exemption the EU regulators can absolutely sue a US entity in US civil courts and get a ruling based on EU laws and regulations.

Here's a completely unrelated civil case, on libel, that references the bilateral enforcement and how NY state carved out an exemption.
https://www.npr.org/sections/parallels/2015/03/21/394273902/on-libel-and-the...

Scott Helms
--------------------------------
http://twitter.com/kscotthelms
--------------------------------

On Wed, May 23, 2018 at 11:56 AM, Owen DeLong <owen@delong.com> wrote:
Not really. If you don’t offer services to EU persons, then you are right. However, due to treaties signed by the US and other countries, many places outside the EU are subject to GDPR overreach.
Owen
On 17/05/2018 19:03, Zbyněk Pospíchal wrote:
On 17/05/2018 at 18:14 Sander Steffann wrote:
Hi,
But this regulation increases essential liberty for individuals, so I don't understand your argument...

No, it doesn't. It has two aspects:
[...]
Very well said.

--
Mark Rousell
On 17 May 2018 at 08:03, Niels Bakker <niels=nanog@bakker.net> wrote:
* nanog@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:
Agreed. This is garbage, un-needed legislation.
Disagreed. These are great and necessary regulations.
I'm loving the flood of convoluted unsubscribe notices this month from companies that had stored PII for no reason.
I don't. I have better things to do than babysit various accounts I've signed up for over the years. Just because someone signs up for an account and forgets about it is not a good enough reason to have my information DESTROYED WITHOUT MY PERMISSION if I do happen to be too busy that week to sign in somewhere to accept a legal disclaimer. GDPR is touted as a policy to tackle the issue of the larger players abusing their market positions and our trust; instead, so far, my lack of response would just ensure that I am unsubscribed from my alumni association in the UK; what good does it do to me?!

C.
I don't. I have better things to do than babysit various accounts I've signed up over the years. Just because someone signs up for an account and forgets about it is not a good enough reason to have my information DESTROYED WITHOUT MY PERMISSION if I do happen to be busy that week to sign in somewhere to accept a legal disclaimer.
It’s only ‘{one|that} week’ from today. The people that hold your personal data appear to have not planned in advance. Why should people (“data processors”) have the right to forward your personal contact details in perpetuity? Isn’t that a problem? They don’t need to ask permission to use those details for purposes for which you’ve already granted permission.
GDPR is touted as a policy to tackle the issue of the larger players abusing their market positions and our trust; instead, so far, my lack of response would just ensure that I am unsubscribed from my alumni association in the UK; what good does it do to me?!
This may be a misunderstanding, or a cautious approach, from your alma mater. If you’ve given them permission to hold your data about their activities, all is well. Many companies are choosing this as an opportunity to confirm that permission for the sake of future legal argument. Rob
An article in The Register on the current status of Whois and the GDPR. https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/
* Brian@ampr.org (Brian Kantor) [Thu 17 May 2018, 16:23 CEST]:
An article in The Register on the current status of Whois and the GDPR.
https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/
My registrar already does all the things listed in this article that registrars supposedly don't yet do. American companies that think they have a need, or even the right, to see the billing address for my personal domain can go pound sand. -- Niels.
On a related note, I received a note from my registrar this morning telling me that, per current ICANN rules, I need to verify all the personal identifying information for the domains I control.
1. I checked WHOIS for all my domains, and they point to the proxy service that my registrar offers. So, I have no PII visible via WHOIS.
2. I checked the contact information page, and all my (hidden) PII is correct.
So, at least for my domains, everything is GDPR compliant as far as public display is concerned. The question about the proxy service providing an anonymous tunnel for, say, abuse e-mail is open to question. As well as all the other bells and whistles I've seen discussed.
By the way, setting up the proxy service just takes money, not time, in the old school. The fines are heavy enough that the registrars can consider forcing proxy service on all domains, and figure out how to recoup the costs later. Months? I don't think so. But then again, I'm not a registrar, only a customer of those folks.
On 05/17/2018 08:29 AM, Niels Bakker wrote:
* Brian@ampr.org (Brian Kantor) [Thu 17 May 2018, 16:23 CEST]:
An article in The Register on the current status of Whois and the GDPR.
https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/
My registrar already does all the things listed in this article that registrars supposedly don't yet do.
American companies that think they have a need, or even the right, to see the billing address for my personal domain can go pound sand.
-- Niels.
The privacy implications that WHOIS had for domain name registrants were not only acknowledged by Europe. For a long time we were in a battle to get minimum privacy for domain registrants, and the privacy proxy services provided some sort of relief. But the intellectual property interest with the backing of governments always dominated the discussions. Otherwise, IETF had recognized the privacy issues of WHOIS as early as 2002 and protocols were recommended that could respect registrants' privacy rights. This was not solely a European issue. It was a global issue, and with GDPR coming into effect it only made the process faster and diluted the power of IP people and those who were piggybacking on their power. It's time to move on. GDPR is not a great law, but a community that for so many years violated the privacy rights of domain name registrants had to be somehow stopped. It's unfortunate that we didn't deal with this through innovative ways... But saying Europe and GDPR brought this upon us is false.
From: NANOG <nanog-bounces@nanog.org> on behalf of Brian Kantor <Brian@ampr.org>
Sent: Thursday, May 17, 2018 10:23:22 AM
To: North American Network Operators' Group
Subject: Re: Whois vs GDPR, latest news
An article in The Register on the current status of Whois and the GDPR. https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/
Perhaps it's time that some would consider new RBLs and Blackhole feeds based on.... :
Domains with deliberately unavailable WHOIS data. Including domains whose registrant has failed to cause their domain registrar and/or registry to list personally identifiable details for registrant and contacts on servers available to the public using the TCP port 43 WHOIS service. For any reason, whether use of a privacy service, or by a Default "Opt-to-Privacy Rule" enforced by a local / country-specific regulation such as GDPR.
Stance
* Ultimate burden goes to the REGISTRANT of any Internet Domain to take the steps to ensure their domain or IP address registry makes public contacts appear in WHOIS at all times for their Domain and/or IP address(es) --- including a traceable registrant name AND direct Telephone and E-mail contacts to a responsible party specific to the domain from which a timely response is available and are not through a re-mailer or proxy service.
People may have in their country a legal right to secure control of a domain on a registry And anonymize their registration: "Choose not to have personal information listed in WHOIS". HOWEVER, Making this choice might then result in adverse consequences towards connectivity AND accessibility to your resources from others during such times as you exercise your option to have no identifiable WHOIS data.
The registration of a domain with hidden or anonymous data only ensures exclusivity of control. Registration of a domain with questionable or unverifiable personal registrant or contact information does not guarantee that ISPs or other sites connected to the internet will choose to allow their own users and DNS infrastructure access to un-WHOISable domains.
Then have:
-------------------
* Right-hand sided BLs for Internet domains with no direct WHOIS-listed registrant address and real-person contacts including name, address, direct e-mail and phone number valid for contact during the domain's operational hours.
* Addons/Extensions for Common Web Browsers to check the BLs before allowing access to a HTTP or HTTPS URL. Then display a prominent "Anonymized Domain: Probable Scam/Phishing Site" within the Web Browser MUA; And limit or disable high-risk functions for anonymous sites: such as Web Form Submissions, Scripting, Cookies, Etc to Non-WHOIS'd domains, if the domain's WHOIS listing is missing or showed a privacy service, or had appeared truncated or anonymized.
* IP Address DNSBL for IP Address allocations with no direct WHOIS-listed holder address real-person contacts, including name, address, direct e-mail and phone number valid for contact during the hours when that IP address is connected to the internet.
* DNS response policy zones (for resolver blacklists) for internet domains with no WHOIS-listed registrant & real-person contacts including name, address, direct e-mail and phone number valid for contact.
The EU GDPR _might_ require your registrar to offer you the ability to Opt by default to mask your personal information and e-mail from domain or IP WHOIS data, But should you choose to Not opt to have identifiable contacts and ownership published: There may be networks and resources that will refuse access, Or whose users will not be allowed to resolve your DNS names, due to your refusal to identify yourself/provide contacts for vetting, identifying and reporting technical issues, abuse, etc.
Real-Life equivalent would be.... Directories/Listings of Recommended businesses that refuse to accept listings from businesses whose Owner wants to stay Anonymous. Or people who don't want to buy their groceries from random shady buildings that don't even have a proper sign out.....
-- -JH
On Wed, May 16, 2018 at 4:10 PM, Constantine A. Murenin <mureninc@gmail.com> wrote:
I think this is the worst of both worlds. The data is basically still public, but you cannot access it unless someone marks you as a "friend".
This policy is basically what Facebook is. And how well it played out once folks realised that their shared data wasn't actually private?
C.
On 16 May 2018 at 16:02, Brian Kantor <Brian@ampr.org> wrote:
A draft of the new ICANN Whois policy was published a few days ago.
https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-...
From that document:
"This Temporary Specification for gTLD Registration Data (Temporary Specification) establishes temporary requirements to allow ICANN and gTLD registry operators and registrars to continue to comply with existing ICANN contractual requirements and community-developed policies in light of the GDPR. Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains robust collection of Registration Data (including Registrant, Administrative, and Technical contact information), but restricts most Personal Data to layered/tiered access. Users with a legitimate and proportionate purpose for accessing the non-public Personal Data will be able to request such access through Registrars and Registry Operators. Users will also maintain the ability to contact the Registrant or Administrative and Technical contacts through an anonymized email or web form. The Temporary Specification shall be implemented where required by the GDPR, while providing flexibility to Registry Operators and Registrars to choose to apply the requirements on a global basis based on implementation, commercial reasonableness and fairness considerations. The Temporary Specification applies to all registrations, without requiring Registrars to differentiate between registrations of legal and natural persons. It also covers data processing arrangements between and among ICANN, Registry Operators, Registrars, and Data Escrow Agents as necessary for compliance with the GDPR."
-- -Mysid
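As an added example of how the WHOIS-based RPZ feed proposed above could be generated (this is not code from the thread or from any registrar), the block below parses constructed WHOIS replies, treats a record as anonymized when its registrant name or e-mail is blank or carries a redaction marker, and emits one RPZ record per anonymized domain; the field names, marker phrases and .test sample domains are assumptions.

```python
# Added example (not from the thread): classify WHOIS replies as identified or
# redacted/proxied and emit BIND RPZ records for the redacted ones.
# Field names and redaction markers are assumptions; registrar wording varies.

# Phrases seen in redacted or proxied registrant fields (constructed list).
REDACTION_MARKERS = ("redacted for privacy", "data protected",
                     "privacy service", "proxy", "rdds service")
# Fields that must name a reachable person for the record to count as identified.
CONTACT_FIELDS = ("registrant name", "registrant email")

def parse_whois(text: str) -> dict:
    """Turn the 'Key: value' lines of a WHOIS reply into a lowercase-keyed dict."""
    record = {}
    for line in text.splitlines():
        # skip comments, terms-of-use banners and '>>> Last update' trailers
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        record[key.strip().lower()] = value.strip()
    return record

def is_anonymized(record: dict) -> bool:
    """True when any contact field is missing, blank, or carries a redaction marker."""
    for field in CONTACT_FIELDS:
        value = record.get(field, "").lower()
        if not value or any(m in value for m in REDACTION_MARKERS):
            return True
    return False

def rpz_records(whois_by_domain: dict, action: str = "CNAME .") -> list:
    """One RPZ record per anonymized domain; 'CNAME .' is RPZ's NXDOMAIN action.
    Owner names are relative to the RPZ zone's $ORIGIN."""
    return [f"{domain} {action}"
            for domain, text in sorted(whois_by_domain.items())
            if is_anonymized(parse_whois(text))]

# Constructed sample replies for documentation-only .test names.
SAMPLE_WHOIS = {
    "example.test": "Domain Name: example.test\n"
                    "Registrant Name: Jane Example\n"
                    "Registrant Email: jane@example.test\n",
    "hidden.test": "Domain Name: hidden.test\n"
                   "Registrant Name: REDACTED FOR PRIVACY\n"
                   "Registrant Email: Please query the RDDS service of the Registrar\n",
}

if __name__ == "__main__":
    print("\n".join(rpz_records(SAMPLE_WHOIS)))  # hidden.test CNAME .
```

Because the Temporary Specification redacts personal data by default, a feed built this way matches most registrations by natural persons rather than only suspect ones; it is better used as one scoring input than as a hard NXDOMAIN policy.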
On Tue, 22 May 2018, Jimmy Hess wrote:
Perhaps it's time that some would consider new RBLs and Blackhole feeds based on.... : Domains with deliberately unavailable WHOIS data.
How about the ones with broken contact data - deliberately or not? A whois blacklist sounds good to me. DNS WBL?
exhibit A:
==========
https://whois.arin.net/rest/net/NET-66-111-32-0-1/pft?s=66.111.56.98
----- Transcript of session follows -----
... while talking to aspmx.l.google.com.:
DATA
<<< 550-5.1.1 The email account that you tried to reach does not exist. Please try
<<< 550-5.1.1 double-checking the recipient's email address for typos or
<<< 550-5.1.1 unnecessary spaces. Learn more at
<<< 550 5.1.1 https://support.google.com/mail/?p=NoSuchUser d26-v6si14042755pge.500 - gsmtp
550 5.1.1 <tim@synergyisp.com>... User unknown
<<< 503 5.5.1 RCPT first. d26-v6si14042755pge.500 - gsmtp
exhibit B:
=========
https://apps.db.ripe.net/db-web-ui/#/query?searchtext=79.121.0.5#resultsSect...
----- Transcript of session follows -----
... while talking to mail.kabelnet.hu.:
DATA
<<< 451 Could not complete sender verify callout
<webadmin@kabelnet.hu>... Deferred: 451 Could not complete sender verify callout
<<< 503-All RCPT commands were rejected with this error:
<<< 503-Could not complete sender verify callout
<<< 503 Valid RCPT command must precede DATA
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old
-Dan