Would those same laws effect a reseller whereby they are moving
domains between registrars in differing jurisdiction? Would those same
laws effect the bulk whois transfers that are required under the RAA?
It get very complicated quickly, and tracking these movements and
making some sense of it is extremely difficult.
I hope that you can provide us some examples of the laws that have
changed and how they might apply. I'm not an attorney, but I look
forward to your enumeration of these laws and examples so I could
consider how they apply to these cases.
best,
-rick
On Tue, Feb 5, 2013 at 1:47 PM, Don Blumenthal <dblumenthal@xxxxxxx> wrote:
> True but some things have changed in data protection laws since 2003, both
> new statutes/regulations and changes to existing ones. I don't know how
> they might affect what we're considering but the issue has to be checked.
>
> For folks on the DP sub team, I'll send a note out tomorrow. The WG has
> taken up much more to day's time than planned. Good because it's
> interesting stuff but sadly I had to give up on choosing the interesting
> vs mundane a long time ago.
>
>
> On 2/5/13 4:26 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>>Volker,
>>
>>When .ORG was transitioned the same situation applied. To the best of
>>my knowledge there are no records of complaint. While I agree that in
>>the case of the registrant executing a transfer they agree to the
>>terms, it does demonstrate that the registrant data does move cross
>>jurisdiction daily. The fact that registrants, registrars and
>>registries participate in this activity daily and have for years is a
>>significant observation which deserves recording.
>>
>>-rick
>>
>>
>>On Tue, Feb 5, 2013 at 1:13 PM, Volker Greimann
>><vgreimann@xxxxxxxxxxxxxxx> wrote:
>>> I think it happens all the time, but that would be beside the point as
>>>they
>>> agree to the new registrars agreement and thereby agree to provide him
>>>with
>>> their whois data.
>>>
>>> Volker
>>>
>>>> Rick,
>>>>
>>>> You make a good point that transfers of data from one registrar to
>>>>another
>>>> might not be different from transfer in a thin-thick transition.
>>>>However,
>>>> the jurisdiction issue here refers to companies based in different
>>>> countries. Do you have any idea how common it is for a registrant to
>>>>move
>>>> a registration across a border when switching registrars?
>>>>
>>>> Thanks.
>>>>
>>>> Don
>>>>
>>>>
>>>> On 2/5/13 1:58 PM, "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>>
>>>>> One point I believe folks are missing in the jurisdiction discussion
>>>>> is that transfers of a domain from one registrar to another are
>>>>> effectively moving this same information between jurisdictions. We
>>>>> have had many millions of transfers in thin registries over the years,
>>>>> many of which moved registrant data between jurisdictions. We are
>>>>> talking millions and millions of times, without incident.
>>>>>
>>>>> I believe that it is as important to enumerate the volume and time
>>>>> that this has occurred without notice, or catastrophe.
>>>>>
>>>>> -rick
>>>>>
>>>>>
>>>>> On Tue, Feb 5, 2013 at 10:19 AM, Alan Greenberg
>>>>> <alan.greenberg@xxxxxxxxx> wrote:
>>>>>>
>>>>>> Roy, some of us (or perhaps all of us) HAVE read the NCUC
>>>>>>submission. It
>>>>>> talks a lot about potential problems with respect to privacy laws of
>>>>>>the
>>>>>> Whois model. But they apply equally to both thin and thick models.
>>>>>>
>>>>>> It also raises issues such as "ownership" of Whois data (the specific
>>>>>> sentence was "The movement of that that data, and ownership of that
>>>>>> data,
>>>>>> from a European, or Canadian, or Japanese, or Korean jurisdiction
>>>>>>(among
>>>>>> regions/countries with strong data protection laws) to another
>>>>>>country
>>>>>> (the
>>>>>> US) raises enormous issues." I cannot recall anyone saying anything
>>>>>> about
>>>>>> ownership. As far as I know, we are talking about the USE of the data
>>>>>> which
>>>>>> is already publicly (and very widely) available.
>>>>>>
>>>>>> If there are any restrictions (regarding revealing or making
>>>>>>available
>>>>>> cross-boarders) to what a registrar may do with the data they collect
>>>>>> from
>>>>>> registrants, that problem exists today with a thin model. How does it
>>>>>> change
>>>>>> with thick? In both cases, they are widely broadcasting the data in a
>>>>>> way
>>>>>> that is universal and irretrievable. Once put on a whois server, it
>>>>>>is
>>>>>> completely out of their control.
>>>>>>
>>>>>> A specific example of how the models might differ in a real-life
>>>>>> scenario
>>>>>> would be useful.
>>>>>>
>>>>>> Alan
>>>>>>
>>>>>>
>>>>>> At 05/02/2013 09:52 AM, Balleste, Roy wrote:
>>>>>>>
>>>>>>> Perhaps the question should be, what new threats we have now have to
>>>>>>> consider. The Internet world has changed. Any recommendations that
>>>>>>> we make
>>>>>>> will affect millions of users for years to come.
>>>>>>> If I may, a suggestion, please read the submission from NCUC.
>>>>>>>
>>>>>>> Roy Balleste, J.S.D.
>>>>>>> Professor of Law
>>>>>>> Law Library Director
>>>>>>> St. Thomas University
>>>>>>> 16401 NW 37th Avenue
>>>>>>> Miami Gardens, FL 33054 USA
>>>>>>> 1-305-623-2341
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
>>>>>>> [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
>>>>>>> Sent: Tuesday, February 05, 2013 9:44 AM
>>>>>>> To: Alan Greenberg
>>>>>>> Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
>>>>>>> Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>>>
>>>>>>>
>>>>>>> Threats of exposure of Personal Information? Isn't the Whois system
>>>>>>>by
>>>>>>> definition public? And in any event, how would this threat increase
>>>>>>>if
>>>>>>> we
>>>>>>> went from many down to one holding the information? Not being
>>>>>>> argumentative,
>>>>>>> just trying to understand what the threats are. Also, it seems if
>>>>>>> there are
>>>>>>> threats won't we encounter those as we go forward? Does there really
>>>>>>> need to
>>>>>>> be a separate exercise to identify them?
>>>>>>>
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>>
>>>>>>> -------- Original Message --------
>>>>>>> Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>>> From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
>>>>>>> Date: Mon, February 4, 2013 11:08 am
>>>>>>> To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
>>>>>>> CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor"
>>>>>>> <mike@xxxxxxxxxx>,"Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
>>>>>>>
>>>>>>>
>>>>>>> I have yet to observe a single threat in both the transitions I've
>>>>>>> participated over some 13 years of ICANN participation as a
>>>>>>>registrar
>>>>>>> and service on the SSAC -- in regards to the Escrow transition and
>>>>>>> the registry transition for .ORG, both of which I actively
>>>>>>> participated in.
>>>>>>>
>>>>>>> If I had observed any issue that could be potentially identified as
>>>>>>>a
>>>>>>> credible threat, in this regard, I'd be the first to raise it to
>>>>>>>your
>>>>>>> attention.
>>>>>>>
>>>>>>> -rick
>>>>>>>
>>>>>>> On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg
>>>>>>> <alan.greenberg@xxxxxxxxx>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Steve, I concur with your analysis. However, various posting have
>>>>>>>> claimed
>>>>>>>> dire results of the transition, and Mikey proposed that we do a
>>>>>>>
>>>>>>> threat
>>>>>>>>
>>>>>>>> analysis to try to understand how sever the problems is. Once
>>>>>>>>someone
>>>>>>>> comes
>>>>>>>> up with a SPECIFIC threat, we can do this. If none can be construed
>>>>>>>
>>>>>>> (as
>>>>>>>>
>>>>>>>> we
>>>>>>>> both hypothesize), then the job is done.
>>>>>>>>
>>>>>>>> Alan
>>>>>>>>
>>>>>>>>
>>>>>>>> At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>>>>>>>>
>>>>>>>> These questions might be relevant to the Whois PDP that is slated
>>>>>>>>for
>>>>>>>> this
>>>>>>>> year pursuant to the board�s November resolutions; but I don�t
>>>>>>>> understand
>>>>>>>> their relevance to our job.
>>>>>>>>
>>>>>>>> At most the question would be whether
the �threat� changes if all
>>>>>>>
>>>>>>> gTLD
>>>>>>>>
>>>>>>>> registries were thick --- but that would first require agreement on
>>>>>>>
>>>>>>> what
>>>>>>>>
>>>>>>>> the
>>>>>>>> �threat� is today. This would be
an extremely long path to take to
>>>>>>>
>>>>>>> our
>>>>>>>>
>>>>>>>> goal.
>>>>>>>>
>>>>>>>> In any case, if the �threat� is �disclosure of non-public
>>>>>>>>registrant
>>>>>>>> information,� then the threshold
question is whether the transition
>>>>>>>
>>>>>>> to
>>>>>>>>
>>>>>>>> thick
>>>>>>>> Whois has any impact whatsoever on �non-public registrant
>>>>>>>
>>>>>>> information.�
>>>>>>>>
>>>>>>>> To
>>>>>>>> my knowledge the answer is no, and so all the subsequent questions
>>>>>>>> become
>>>>>>>> irrelevant.
>>>>>>>>
>>>>>>>> If, as our chair has stated, �we're edging pretty close to Beijing
>>>>>>>
>>>>>>> and
>>>>>>>>
>>>>>>>> need
>>>>>>>> to think through what we're going to
be able to deliver by then,� I
>>>>>>>> think
>>>>>>>> this type of excursion ought to be avoided.
>>>>>>>>
>>>>>>>> Steve Metalitz
>>>>>>>> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [
>>>>>>>> mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike
>>>>>>>
>>>>>>> O'Connor
>>>>>>>>
>>>>>>>> Sent: Sunday, February 03, 2013 7:30 PM
>>>>>>>> To: Thick Whois WG
>>>>>>>> Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>>>>>>>>
>>>>>>>> hi all,
>>>>>>>>
>>>>>>>> i promised to send along some materials extracted from the DSSA
>>>>>>>>(DNS
>>>>>>>> Security and Stability Analysis) working group where i serve as
>>>>>>>>GNSO
>>>>>>>> co-chair and day-to-day project leader. this is in the "break a
>>>>>>>
>>>>>>> large
>>>>>>>>
>>>>>>>> puzzle into smaller pieces" department.
>>>>>>>>
>>>>>>>> i've attached a one page summary of the process that we've been
>>>>>>>
>>>>>>> working
>>>>>>>>
>>>>>>>> on
>>>>>>>> (it's based on NIST SP 800-30 for you in the security world), and
>>>>>>>> thought
>>>>>>>> i'd build a list of questions that people could use as a starting
>>>>>>>
>>>>>>> point
>>>>>>>>
>>>>>>>> in
>>>>>>>> building risk scenarios associated with the transition from thin to
>>>>>>>> thick
>>>>>>>> Whois.
>>>>>>>>
>>>>>>>> Questions:
>>>>>>>>
>>>>>>>> -- What is the description of the threat event? [1st-try, open to
>>>>>>>> editing,
>>>>>>>> guess -- "disclosure of non-public registrant information"]
>>>>>>>>
>>>>>>>>
>>>>>>>> -- What is the source of this threat? [options/examples --
>>>>>>>
>>>>>>> criminals,
>>>>>>>>
>>>>>>>> governments, businesses, etc.]
>>>>>>>>
>>>>>>>> -- What are the capability, intent and targeting of that threat
>>>>>>>
>>>>>>> source?
>>>>>>>>
>>>>>>>> -- What vulnerabilities might these threat-sources exploit in order
>>>>>>>
>>>>>>> to
>>>>>>>>
>>>>>>>> achieve their aim? [categories -- managerial, operational or
>>>>>>>
>>>>>>> technical
>>>>>>>>
>>>>>>>> vulnerabilities]
>>>>>>>>
>>>>>>>> -- Where [registries, registrars?], and how severe are these
>>>>>>>> vulnerabilities?
>>>>>>>>
>>>>>>>> -- What is the likelihood that such a threat would be initiated?
>>>>>>>>
>>>>>>>> -- What would the impact on the registrant be?
>>>>>>>>
>>>>>>>> -- How likely is it that this impact will be felt?
>>>>>>>>
>>>>>>>> -- How severe is the impact?
>>>>>>>>
>>>>>>>> -- What's the range of impact (how many registrants would this be a
>>>>>>>> problem
>>>>>>>> for)?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> if you want to read more about this DSSA stuff, here's a link to a
>>>>>>>
>>>>>>> page
>>>>>>>>
>>>>>>>> where you can download the final Phase I report;
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> https://community.icann.org/display/AW/Phase+1+Final+Report
>>>>>>>>
>>>>>>>> and here's a link to a page where you can download an Excel
>>>>>>>>worksheet
>>>>>>>> that
>>>>>>>> we've been developing as an alpha-test of this tool
>>>>>>>>
>>>>>>>>
>>>>>>>> https://community.icann.org/display/AW/Risk+Scenario+worksheet
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>>
>>>>>>>> mikey
>>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
>