Re: ICANN GDPR lawsuit

2018-06-06 Thread Mike Meredith
On Wed, 6 Jun 2018 08:01:35 +0300, Hank Nussbacher 
may have written:
> "The European Commission has insisted it is *not subject to the strict
> new data protection law* that it has imposed across Europe after it was
> revealed the personal information of hundreds of people had been leaked
> on its website. "

Neglecting where it goes on to say "it would be subject to a
new law that “mirrors” GDPR which will come into effect in the autumn.".


-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
 




Re: ICANN GDPR lawsuit

2018-06-05 Thread Hank Nussbacher
On 31/05/2018 08:14, Badiei, Farzaneh wrote:

Gotta love the EU logic:

https://inews.co.uk/news/uk/gdpr-eu-commission-not-compliant/

The European Commission is not GDPR compliant even though it was
responsible for the new GDPR law

"The European Commission has insisted it is *not subject to the strict
new data protection law* that it has imposed across Europe after it was
revealed the personal information of hundreds of people had been leaked
on its website. "

-Hank

> And here is the court decision, 
> https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-court-order-prelim-injunction-redacted-30may18-en.pdf
>
>
> gotta love the German wisdom:
>
>
> The Application for preliminary injunction of May 25, 2018 is rejected at the 
> expense of the Applicant.
>
>
> "Insofar as the Applicant bases its claim to relief on a parallel of the 
> so-called "WHOIS" system to international agreements on trade mark registers, 
> the Chamber is unable to follow this. The legal basis for the trademark 
> registers on the basis of international agreements is missing in relation to 
> the "WHOIS" service claimed by the Applicant. The fundamental comparability 
> of the respective general need for protection does not change this."
>
>



RE: ICANN GDPR lawsuit

2018-06-05 Thread McBride, Mack
There is a major difference between a directory listing service
where the primary goal is to advertise potentially protected information
and a domain registration or net block registration where the information
is secondary and its dissemination is not what you are actually requesting.
Remember peering DB has a sole purpose of disseminating names, phone
numbers and email addresses.

Mack

From: Rubens Kuhl [mailto:rube...@gmail.com]
Sent: Tuesday, June 05, 2018 1:41 PM
To: McBride, Mack 
Cc: Daniel Corbe ; Baldur Norddahl 
; nanog@nanog.org
Subject: Re: ICANN GDPR lawsuit



On Tue, Jun 5, 2018 at 4:31 PM, McBride, Mack <c-mack.mcbr...@charter.com> wrote:
> PeeringDB is already 100% opt-in.

Domain registration is also opt-in, and still registrars, registries and ICANN 
have to change things to comply with GDPR.


Rubens

E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for 
the addressee(s) and may contain confidential and/or legally privileged 
information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender 
by reply e-mail and then delete this message and any attachments. If you are 
not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly 
prohibited.


Re: ICANN GDPR lawsuit

2018-06-05 Thread Rubens Kuhl
On Tue, Jun 5, 2018 at 4:31 PM, McBride, Mack 
wrote:

> PeeringDB is already 100% opt-in.
>

Domain registration is also opt-in, and still registrars, registries and
ICANN have to change things to comply with GDPR.


Rubens


RE: ICANN GDPR lawsuit

2018-06-05 Thread McBride, Mack
PeeringDB is already 100% opt-in.

Mack

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Daniel Corbe
Sent: Monday, June 04, 2018 12:56 PM
To: Baldur Norddahl 
Cc: nanog@nanog.org
Subject: Re: ICANN GDPR lawsuit

at 2:40 PM, Baldur Norddahl  wrote:

> Mon. 4 Jun. 2018 17.31, McBride, Mack wrote:
>
>> GDPR doesn't play well with directory listing services.
>> BUT since providing contact information is exactly what a directory 
>> listing service does, It is safe to assume that this is 'essential' 
>> under GDPR.
>
> No it is very clear that publishing private information about 
> individuals is in fact not necessary to assign netblocks and domains to 
> companies.
>
> It is a little less clear when the resource is assigned to an individual.
> But considering there already exist privacy options for domains, the 
> same solutions could be implemented for other resource types.
>

It occurs to me that operators might want to opt-in to have their data 
published through PeeringDB.  From a purely pragmatic standpoint, I won’t peer 
with anyone I can’t reach out to and if you don’t have a 24/7 NOC chances are 
good that you’re going to get depeered the first time there’s a technical issue 
and I can’t reach you for help.

An academic exercise, for sure.   But one that would render this line of  
thinking rather moot.





Re: ICANN GDPR lawsuit

2018-06-05 Thread Daniel Corbe

at 2:40 PM, Baldur Norddahl  wrote:

> Mon. 4 Jun. 2018 17.31, McBride, Mack wrote:
>
>> GDPR doesn't play well with directory listing services.
>> BUT since providing contact information is exactly what a directory
>> listing service does,
>> It is safe to assume that this is 'essential' under GDPR.
>
> No it is very clear that publishing private information about individuals
> is in fact not necessary to assign netblocks and domains to companies.
>
> It is a little less clear when the resource is assigned to an individual.
> But considering there already exist privacy options for domains, the same
> solutions could be implemented for other resource types.



It occurs to me that operators might want to opt-in to have their data  
published through PeeringDB.  From a purely pragmatic standpoint, I won’t  
peer with anyone I can’t reach out to and if you don’t have a 24/7 NOC  
chances are good that you’re going to get depeered the first time there’s a  
technical issue and I can’t reach you for help.


An academic exercise, for sure.   But one that would render this line of  
thinking rather moot.






Re: ICANN GDPR lawsuit

2018-06-05 Thread Badiei, Farzaneh
And here is the court decision, 
https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-court-order-prelim-injunction-redacted-30may18-en.pdf


gotta love the German wisdom:


The Application for preliminary injunction of May 25, 2018 is rejected at the 
expense of the Applicant.


"Insofar as the Applicant bases its claim to relief on a parallel of the 
so-called "WHOIS" system to international agreements on trade mark registers, 
the Chamber is unable to follow this. The legal basis for the trademark 
registers on the basis of international agreements is missing in relation to 
the "WHOIS" service claimed by the Applicant. The fundamental comparability of 
the respective general need for protection does not change this."


From: NANOG  on behalf of John Levine 
Sent: Wednesday, May 30, 2018 11:16:08 PM
To: nanog@nanog.org
Subject: Re: ICANN GDPR lawsuit

In article  you write:
>http://www.circleid.com/posts/20180527_icann_files_legal_action_against_domain_registrar_whois_data/

Elliot said that if he had to choose between fighting ICANN and
fighting governments, he'd fight ICANN.  I can't blame him.

http://www.tucows.com/tucows-statement-on-icann-legal-action/

R's,
John


Re: ICANN GDPR lawsuit

2018-06-04 Thread bzs


On June 4, 2018 at 17:01 ra...@psg.com (Randy Bush) wrote:
 > once upon a time, when one received what had yet to be called spam, or
 > logs showed an attack, one wrote to the owner of the source ip to tell
 > them their system had been hacked.  dunno about everyone else, but i
 > stopped doing that sometime in the '80s.

I remember one night, early 1990s, watching keystrokes of a guy who'd
gotten into one of our systems and realized I knew the owner of the
system he was coming in from, a name most of you would recognize, so
called him at home at like 2AM which was appreciated.

ISTR that was the guy who was actually typing VMS commands to a unix
shell which is why I wasn't all that concerned, other than the holes
he'd used to get a shell prompt which is what I was trying to track
down.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: ICANN GDPR lawsuit

2018-06-04 Thread Rubens Kuhl
On Mon, Jun 4, 2018 at 9:34 PM, Dan Hollis  wrote:

> On Mon, 4 Jun 2018, Rubens Kuhl wrote:
>
>> On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher 
>> wrote:
>> Usually, identifying attackers at other online services is a duty on RIR
>> directories, and even the RIPE one is not suffering that many changes due
>> to GDPR.
>>
>> Also, GDPR doesn't prevent law enforcement access.
>>
>
> It might be desirable to provide enough contact information to mitigate
> issues before it has to end up in the hands of law enforcement.
>

Specifically on gTLD domains GDPR effects, domain contacts will still be
reachable thru a web-form or short-term anonymised email. European ccTLDs
adopted a myriad of solutions but they usually trend towards maintaining
reachability somehow.



> black hats and bullet proof hosting are definitely going to enjoy using
> gdpr to hide behind though.


Like they already do signing up for domain privacy services ? Currently,
only the poor criminals or the newbie ones do not elect privacy when
registering domains.


Rubens


Re: ICANN GDPR lawsuit

2018-06-04 Thread Dan Hollis

On Mon, 4 Jun 2018, Rubens Kuhl wrote:

> On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher
> wrote:
> Usually, identifying attackers at other online services is a duty on RIR
> directories, and even the RIPE one is not suffering that many changes due
> to GDPR.
>
> Also, GDPR doesn't prevent law enforcement access.


It might be desirable to provide enough contact information to mitigate 
issues before it has to end up in the hands of law enforcement.


black hats and bullet proof hosting are definitely going to enjoy using 
gdpr to hide behind though.


-Dan


Re: ICANN GDPR lawsuit

2018-06-04 Thread Randy Bush
once upon a time, when one received what had yet to be called spam, or
logs showed an attack, one wrote to the owner of the source ip to tell
them their system had been hacked.  dunno about everyone else, but i
stopped doing that sometime in the '80s.

randy



RE: ICANN GDPR lawsuit

2018-06-04 Thread McBride, Mack
Peering DB is also a directory service.
The only 'service' they provide is to distribute contact information.
Therefore maintaining and distributing information is in fact 'essential'.
Further, Peering DB makes it easy to remove contact information.
The difference in legal systems makes Peering DB a very low risk in the EU.

Whois is more 'at risk' because it doesn't require individual information to 
maintain a net block.
BUT, most whois can be handled by role accounts and privacy guard services.
Best practice is to use role accounts.
Privacy guard deals with the now rare condition where a net block is owned by 
an individual.
Most domain name services have provided a privacy guard option for years.

Most network providers simply want an email address that works.
I don't really care if it is joe or the purple people eater as long as it gets
a response from an intelligent entity that can fix a routing issue.
For this purpose a level 1 tech capable of escalating an issue counts as
an intelligent entity.

Mack

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Owen DeLong
Sent: Monday, June 04, 2018 12:58 PM
To: Baldur Norddahl 
Cc: nanog@nanog.org
Subject: Re: ICANN GDPR lawsuit



> On Jun 3, 2018, at 22:44 , Baldur Norddahl  wrote:
> 
>> 
>> 
>> 
>> Yeah, what Niels is really leaving out here is the open question of 
>> whether or not GDPR will eventually lead to the destruction of Peering DB.
>> 
>> Owen
>> 
> 
> 
> Of course it will not. We just need to accept that only roles not 
> people are published. Those people will change job anyway and nobody updates 
> whois.
> 
> GDPR does not apply to companies, so you can still publish the owner 
> of domains and IP prefixes as company names with contact information.
> 
> Regards
> 
> Baldur
> 
>> 

Much of the information in Peering DB is people. In fact, IIRC, peering DB 
doesn’t really have “role” accounts.

Peering DB is unrelated to whois.

Owen



Re: ICANN GDPR lawsuit

2018-06-04 Thread Baldur Norddahl
Mon. 4 Jun. 2018 20.56, Daniel Corbe wrote:

>
> It occurs to me that operators might want to opt-in to have their data
> published through PeeringDB.  From a purely pragmatic standpoint, I won’t
> peer with anyone I can’t reach out to and if you don’t have a 24/7 NOC
> chances are good that you’re going to get depeered the first time there’s
> a
> technical issue and I can’t reach you for help.
>
> An academic exercise, for sure.   But one that would render this line of
> thinking rather moot.
>

If it is a true 24/7 NOC you can not possibly expect a specific person to
answer the call. It will be whoever is on duty or on call at that time.

You do not need a name. Just the number and the email address. And that is
exactly what many operators put into peeringdb as is. No changes needed.

Regards
Baldur


Re: ICANN GDPR lawsuit

2018-06-04 Thread Baldur Norddahl
Mon. 4 Jun. 2018 20.58, Owen DeLong wrote:

>
>
> Much of the information in Peering DB is people. In fact, IIRC, peering DB
> doesn’t really have “role” accounts.
>
> Peering DB is unrelated to whois.
>
> Owen
>

No actually I just checked and peeringdb has none of my personal
information. It has the phone number and email address for our NOC. This is
just company info and does not go to a specific person.

As long that is an option, peeringdb can also allow people to publish their
direct contact information. It is true opt in when the alternative works
just as well.

Do not make more of it than needs to be.

Regards
Baldur

>


Re: ICANN GDPR lawsuit

2018-06-04 Thread Rubens Kuhl
On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher 
wrote:

> On 31/05/2018 21:44, John Peach wrote:
> > On 05/31/2018 02:37 PM, Dan Hollis wrote:
> >> On Thu, 31 May 2018, b...@theworld.com wrote:
> >>> FWIW a German court has just ruled against ICANN's injunction and in
> >>> favor of Tucows/EPAG.
> >>>   https://www.icann.org/news/announcement-4-2018-05-30-en
> >>
> >> Welcome to contact-free whois?
> >>
> >> -Dan
> >
> >
> > Already been bitten by it and trying to get the contact info reinstated.
> >
> >
> >
> The entire whois debacle will only get resolved when some hackers attack
> www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
> response they get will be "sorry, we can't determine who is attacking
> you since that contravenes GDPR", will the EU light bulb go on that
> something in GDPR needs to be tweaked.
>

Usually, identifying attackers at other online services is a duty on RIR
directories, and even the RIPE one is not suffering that many changes due
to GDPR.

Also, GDPR doesn't prevent law enforcement access.


Rubens


Re: ICANN GDPR lawsuit

2018-06-04 Thread Owen DeLong
That’s a wonderful theory. However, in practice, it’s a bit different.

GDPR eliminates or at the very least complicates the maintenance of directory
services.

If past experience is any guide, once something becomes sufficiently difficult
to maintain while complying with regulation, said thing eventually ceases to
exist at least in any meaningful or useful form.

It is not at all unlikely that this will be the inevitable consequence of GDPR
when it comes to whois and thus, it is not at all unlikely that the scenario
Hank described may be an (admittedly unintended, but very likely) outcome of
GDPR.

Owen


> On Jun 4, 2018, at 09:30 , McBride, Mack  wrote:
> 
> That would be real time information involving 'essential' activities.
> GDPR would not prevent determining the source of an attack.
> GDPR specifically doesn't protect anyone involved in criminal activity
> nor contradict any regulatory requirement (which covers cyber attacks).
> 
> Mack
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Johnny Eriksson
> Sent: Monday, June 04, 2018 12:24 PM
> To: nanog@nanog.org
> Subject: Re: ICANN GDPR lawsuit
> 
> Hank Nussbacher wrote:
> 
>> The entire whois debacle will only get resolved when some hackers 
>> attack www.eugdpr.org, ec.europa.eu and some other key .eu sites.  
>> When the response they get will be "sorry, we can't determine who is 
>> attacking you since that contravenes GDPR", will the EU light bulb go 
>> on that something in GDPR needs to be tweaked.
> 
> You seem to assume that said light bulb does in fact exist.
> 
>> -Hank
> 
> --Johnny
> 
>  /\_/\
> ( *.* )
>> ^ <
> 



Re: ICANN GDPR lawsuit

2018-06-04 Thread Owen DeLong



> On Jun 3, 2018, at 22:44 , Baldur Norddahl  wrote:
> 
>> 
>> 
>> 
>> Yeah, what Niels is really leaving out here is the open question of
>> whether or not GDPR will eventually lead to the destruction of Peering DB.
>> 
>> Owen
>> 
> 
> 
> Of course it will not. We just need to accept that only roles not people
> are published. Those people will change job anyway and nobody updates whois.
> 
> GDPR does not apply to companies, so you can still publish the owner of
> domains and IP prefixes as company names with contact information.
> 
> Regards
> 
> Baldur
> 
>> 

Much of the information in Peering DB is people. In fact, IIRC, peering DB
doesn’t really have “role” accounts.

Peering DB is unrelated to whois.

Owen



Re: ICANN GDPR lawsuit

2018-06-04 Thread Baldur Norddahl
Mon. 4 Jun. 2018 17.31, McBride, Mack wrote:

> GDPR doesn't play well with directory listing services.
> BUT since providing contact information is exactly what a directory
> listing service does,
> It is safe to assume that this is 'essential' under GDPR.
>

No it is very clear that publishing private information about individuals
is in fact not necessary to assign netblocks and domains to companies.

It is a little less clear when the resource is assigned to an individual.
But considering there already exist privacy options for domains, the same
solutions could be implemented for other resource types.

Regards
Baldur



RE: ICANN GDPR lawsuit

2018-06-04 Thread McBride, Mack
That would be real time information involving 'essential' activities.
GDPR would not prevent determining the source of an attack.
GDPR specifically doesn't protect anyone involved in criminal activity
nor contradict any regulatory requirement (which covers cyber attacks).

Mack

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Johnny Eriksson
Sent: Monday, June 04, 2018 12:24 PM
To: nanog@nanog.org
Subject: Re: ICANN GDPR lawsuit

Hank Nussbacher wrote:

> The entire whois debacle will only get resolved when some hackers 
> attack www.eugdpr.org, ec.europa.eu and some other key .eu sites.  
> When the response they get will be "sorry, we can't determine who is 
> attacking you since that contravenes GDPR", will the EU light bulb go 
> on that something in GDPR needs to be tweaked.

You seem to assume that said light bulb does in fact exist.

> -Hank

--Johnny

  /\_/\
 ( *.* )
  > ^ <



Re: ICANN GDPR lawsuit

2018-06-04 Thread Johnny Eriksson
Hank Nussbacher wrote:

> The entire whois debacle will only get resolved when some hackers attack
> www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
> response they get will be "sorry, we can't determine who is attacking
> you since that contravenes GDPR", will the EU light bulb go on that
> something in GDPR needs to be tweaked.

You seem to assume that said light bulb does in fact exist.

> -Hank

--Johnny

  /\_/\
 ( *.* )
  > ^ <


RE: ICANN GDPR lawsuit

2018-06-04 Thread McBride, Mack
GDPR doesn't play well with directory listing services.
BUT since providing contact information is exactly what a directory listing 
service does, 
It is safe to assume that this is 'essential' under GDPR.

I.e., unlike the US, an EU judge would find it silly that you signed up for a
directory listing service and were upset they listed your contact information.
Similarly, keeping contact information of entities you have an ongoing peering
relationship with would be essential.

In physical terms, a milk delivery company has to keep track of its customers'
addresses and billing information in order to deliver the milk and bill the
customers.

GDPR doesn't want individuals' information collected or retained that isn't
essential to providing services, nor can you share that information without
permission unless it is essential.
Obviously that is a one run-on sentence oversimplification of a regulation
that could take many volumes to fully decipher.  Unlike the US, EU law is based
on fairness and reasonableness so generally their society is not as litigious.

Mack

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Owen DeLong
Sent: Sunday, June 03, 2018 10:00 PM
To: Rodney Joffe 
Cc: NANOG 
Subject: Re: ICANN GDPR lawsuit



> On Jun 3, 2018, at 14:17 , Rodney Joffe  wrote:
> 
> 
> 
>> On Jun 1, 2018, at 10:21 AM, niels=na...@bakker.net wrote:
>> 
>> * l...@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
>>> How does your shop, Niels, go about making contact with an operator that is 
>>> hijacking one of your netblocks, or is doing something weird with routing 
>>> that is causing your customers problems, or has broken BGP?
>> 
>> The same as we do now, by posting on NANOG "Can someone from ASx / 
>> largetelco.com contact me offlist?”
> 
> Seriously? You’ve been around long enough to know that's a bull$&^% answer. 
> 
> Feel free to look through the archives of *this* list and look at how many 
> times some $random handle at some $random privacy protected or generic domain 
> asks for someone from $bignetwork to contact them about a network problem.
> 
> Take you for example. You’ve been around for at least 15-20 years that I 
> recall. But I bet you that 80% of the people on NANOG have *no* idea who you 
> are or who you work for, and given the “useful" information on your website, 
> an op would have to take the time to google you - which is way above the 
> threshold of effort most people would take.
> 
> And that preassumes that the ops from the tiny little network leaking your 
> routes is actually a) subscribed here, and b) monitoring or filtering 
> appropriately. And before you talk about the fact you stated “ 
> largetelco(dot)com” I would bet that there are large telco’s who don’t have 
> op’s like us who waste their time on NANOG.
> 
> So, instead of the suggestion you provided, do you have any other suggestions 
> that are useful? I’m asking seriously, because I really do see this as a 
> problem we all have to be able to solve as operators. I believe this is 
> absolutely on-topic for one of the NANOG lists because this is a 100% 
> operational problem, that appears to have as its only GDPR acceptable 
> solution alternative, following a manual/email thread from *your* next hop 
> network, requesting contacts/intros all the way down to the dumba$$ BGP 
> speaking edge network with a part-time routing guy/antenna installer.
> 
> /rlj
> 


Yeah, what Niels is really leaving out here is the open question of whether or 
not GDPR will eventually lead to the destruction of Peering DB.

Owen



RE: ICANN GDPR lawsuit

2018-06-04 Thread McBride, Mack
If they are hijacking a netblock, it is safe to assume they will also hijack an 
ASN.
The best method of dealing with hijacking is still deaggregation and contacting
upstream providers from a registered whois address which should be a role 
account.

Mack

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rodney Joffe
Sent: Sunday, June 03, 2018 3:17 PM
To: NANOG 
Subject: Re: ICANN GDPR lawsuit



> On Jun 1, 2018, at 10:21 AM, niels=na...@bakker.net wrote:
> 
> * l...@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
>> How does your shop, Niels, go about making contact with an operator that is 
>> hijacking one of your netblocks, or is doing something weird with routing 
>> that is causing your customers problems, or has broken BGP?
> 
> The same as we do now, by posting on NANOG "Can someone from ASx / 
> largetelco.com contact me offlist?”

Seriously? You’ve been around long enough to know that's a bull$&^% answer. 

Feel free to look through the archives of *this* list and look at how many 
times some $random handle at some $random privacy protected or generic domain 
asks for someone from $bignetwork to contact them about a network problem.

Take you for example. You’ve been around for at least 15-20 years that I 
recall. But I bet you that 80% of the people on NANOG have *no* idea who you 
are or who you work for, and given the “useful" information on your website, an 
op would have to take the time to google you - which is way above the threshold 
of effort most people would take.

And that preassumes that the ops from the tiny little network leaking your 
routes is actually a) subscribed here, and b) monitoring or filtering 
appropriately. And before you talk about the fact you stated “ 
largetelco(dot)com” I would bet that there are large telco’s who don’t have 
op’s like us who waste their time on NANOG.

So, instead of the suggestion you provided, do you have any other suggestions 
that are useful? I’m asking seriously, because I really do see this as a 
problem we all have to be able to solve as operators. I believe this is 
absolutely on-topic for one of the NANOG lists because this is a 100% 
operational problem, that appears to have as its only GDPR acceptable 
solution alternative, following a manual/email thread from *your* next hop 
network, requesting contacts/intros all the way down to the dumba$$ BGP 
speaking edge network with a part-time routing guy/antenna installer.

/rlj



Re: ICANN GDPR lawsuit

2018-06-03 Thread Baldur Norddahl
>
>
>
> Yeah, what Niels is really leaving out here is the open question of
> whether or not GDPR will eventually lead to the destruction of Peering DB.
>
> Owen
>


Of course it will not. We just need to accept that only roles not people
are published. Those people will change job anyway and nobody updates whois.

GDPR does not apply to companies, so you can still publish the owner of
domains and IP prefixes as company names with contact information.

Regards

Baldur

>


Re: ICANN GDPR lawsuit

2018-06-03 Thread Owen DeLong



> On Jun 3, 2018, at 14:17 , Rodney Joffe  wrote:
> 
> 
> 
>> On Jun 1, 2018, at 10:21 AM, niels=na...@bakker.net wrote:
>> 
>> * l...@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
>>> How does your shop, Niels, go about making contact with an operator that is 
>>> hijacking one of your netblocks, or is doing something weird with routing 
>>> that is causing your customers problems, or has broken BGP?
>> 
>> The same as we do now, by posting on NANOG "Can someone from ASx / 
>> largetelco.com contact me offlist?”
> 
> Seriously? You’ve been around long enough to know that's a bull$&^% answer. 
> 
> Feel free to look through the archives of *this* list and look at how many 
> times some $random handle at some $random privacy protected or generic domain 
> asks for someone from $bignetwork to contact them about a network problem.
> 
> Take you for example. You’ve been around for at least 15-20 years that I 
> recall. But I bet you that 80% of the people on NANOG have *no* idea who you 
> are or who you work for, and given the “useful" information on your website, 
> an op would have to take the time to google you - which is way above the 
> threshold of effort most people would take.
> 
> And that preassumes that the ops from the tiny little network leaking your 
> routes is actually a) subscribed here, and b) monitoring or filtering 
> appropriately. And before you talk about the fact you stated 
> “largetelco(dot)com” I would bet that there are large telcos who don’t have 
> ops like us who waste their time on NANOG.
> 
> So, instead of the suggestion you provided, do you have any other suggestions 
> that are useful? I’m asking seriously, because I really do see this as a 
> problem we all have to be able to solve as operators. I believe this is 
> absolutely on-topic for one of the NANOG lists because this is a 100% 
> operational problem, that appears to have as its only GDPR acceptable 
> solution alternative, following a manual/email thread from *your* next hop 
> network, requesting contacts/intros all the way down to the dumba$$ BGP 
> speaking edge network with a part-time routing guy/antenna installer.
> 
> /rlj
> 


Yeah, what Niels is really leaving out here is the open question of whether or 
not GDPR will eventually lead to the destruction of Peering DB.

Owen



Re: ICANN GDPR lawsuit

2018-06-03 Thread Rodney Joffe



> On Jun 1, 2018, at 10:21 AM, niels=na...@bakker.net wrote:
> 
> * l...@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
>> How does your shop, Niels, go about making contact with an operator that is 
>> hijacking one of your netblocks, or is doing something weird with routing 
>> that is causing your customers problems, or has broken BGP?
> 
> The same as we do now, by posting on NANOG "Can someone from ASx / 
> largetelco.com contact me offlist?"

Seriously? You’ve been around long enough to know that’s a bull$&^% answer. 

Feel free to look through the archives of *this* list and look at how many 
times some $random handle at some $random privacy protected or generic domain 
asks for someone from $bignetwork to contact them about a network problem.

Take you for example. You’ve been around for at least 15-20 years that I 
recall. But I bet you that 80% of the people on NANOG have *no* idea who you 
are or who you work for, and given the “useful” information on your website, an 
op would have to take the time to google you - which is way above the threshold 
of effort most people would take.

And that preassumes that the ops from the tiny little network leaking your 
routes is actually a) subscribed here, and b) monitoring or filtering 
appropriately. And before you talk about the fact you stated 
“largetelco(dot)com” I would bet that there are large telcos who don’t have 
ops like us who waste their time on NANOG.

So, instead of the suggestion you provided, do you have any other suggestions 
that are useful? I’m asking seriously, because I really do see this as a 
problem we all have to be able to solve as operators. I believe this is 
absolutely on-topic for one of the NANOG lists because this is a 100% 
operational problem, that appears to have as its only GDPR acceptable 
solution alternative, following a manual/email thread from *your* next hop 
network, requesting contacts/intros all the way down to the dumba$$ BGP 
speaking edge network with a part-time routing guy/antenna installer.

/rlj



Re: ICANN GDPR lawsuit

2018-06-01 Thread Stephen Satchell
On 06/01/2018 09:37 AM, McBride, Mack wrote:
> For routing whois information there aren't going to be many individuals and
> it would seem that the corporations who employ individuals should be the
> ones protecting those individuals' work emails by providing a generic
> contact email forward.  Which is good practice anyway since people leave
> and go on vacation and problems still happen.
> And the routing whois information is a lot more relevant to most of us here.

+1

Perhaps the Right Thing(SM) to do is to update the best practices
documents regarding role e-mail accounts for network operators.

1.  Add "networkmas...@example.com" to the list of required role accounts.

2.  Require that e-mail sent to role "networkmas...@example.com" be
accessible in some way by all technical people for the network in
question.  This can be done using a ticket system, or a simple mail
exploder.

3.  Require that e-mail sent to role account "ab...@example.com" be
accessible in some way by all members of the abuse desk.  This can be
done using a ticket system, or a simple mail exploder.

4.  Require the WHOIS information specify exactly these role accounts
for TECH and ABUSE, not a person.  This gets around the GDPR
requirements while maintaining the usefulness of the WHOIS without
having to go through an intermediate party or web site.

ICANN may want to consider this idea when adjusting its contracts with
registrars to eliminate GDPR exposure.
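
An added example, not part of the message above or of any NANOG or ICANN document: a small audit that checks whether the TECH and ABUSE e-mail fields in WHOIS output are role mailboxes rather than personal ones, as point 4 proposes. The "Key: value" field names, the sample record and the role list (taken from RFC 2142) are assumptions; the page's own redacted role address is not reproduced.

```python
import re

# Role mailbox names from RFC 2142; extend per local policy (assumption).
ROLE_LOCALPARTS = {"abuse", "noc", "security", "hostmaster", "postmaster", "webmaster"}
# Fragments of a field name that mark the contact kind (assumed "Key: value" output).
CONTACT_KINDS = {"tech": "TECH", "abuse": "ABUSE"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def classify(value):
    """Return 'role', 'personal' or 'missing' for one WHOIS e-mail value."""
    value = value.strip()
    if not EMAIL_RE.match(value):
        return "missing"  # empty, redaction text, or a web-form URL
    local = value.split("@", 1)[0].lower()
    # Accept variants such as noc-eu@ or abuse+tickets@ as the same role.
    base = re.split(r"[-+._]", local, maxsplit=1)[0]
    return "role" if base in ROLE_LOCALPARTS else "personal"

def audit(whois_text):
    """Classify every TECH/ABUSE e-mail field; list kinds lacking a role address."""
    results = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not re.search(r"e-?mail|mailbox", key, re.I):
            continue
        for fragment, kind in CONTACT_KINDS.items():
            if fragment in key.lower():
                results.setdefault(kind, []).append((value.strip(), classify(value)))
    gaps = [kind for kind in CONTACT_KINDS.values()
            if not any(c == "role" for _, c in results.get(kind, []))]
    return results, gaps

# Constructed sample record; not real WHOIS output.
SAMPLE = """\
Domain Name: example.net
Registrant Email: REDACTED FOR PRIVACY
Tech Name: John Doe
Tech Email: john.doe@example.net
Registrar Abuse Contact Email: abuse@registrar.example
"""
# The same record after switching the TECH contact to a role mailbox.
FIXED = SAMPLE.replace("john.doe@", "noc@")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE), ("after", FIXED)):
        results, gaps = audit(text)
        print(label, results, "needs role account:", gaps or "none")
```

A redacted or web-form value counts as "missing", so a record that hides the TECH contact entirely is flagged the same way as one that names a person.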


RE: ICANN GDPR lawsuit

2018-06-01 Thread McBride, Mack
The whois guard solution seems workable where the registrar just forwards
information.
It would be nice if there were corporate phone numbers as GDPR doesn't apply
to corporations.
For routing whois information there aren't going to be many individuals and
it would seem that the corporations who employ individuals should be the
ones protecting those individuals' work emails by providing a generic
contact email forward.  Which is good practice anyway since people leave
and go on vacation and problems still happen.
And the routing whois information is a lot more relevant to most of us here.
Of course anyone posting to a public list should be aware that their email
address is part of that information.  Which is particularly relevant to
this list.

Mack

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of William Herrin
Sent: Friday, June 01, 2018 9:24 AM
To: l...@satchell.net
Cc: nanog@nanog.org
Subject: Re: ICANN GDPR lawsuit

On Fri, Jun 1, 2018 at 8:47 AM, Stephen Satchell  wrote:
> In other words, how do you do your job in light of the GDPR 
> restrictions on accessing contact information for other network operators?
>
> Please be specific.  A lot of NOC policies and procedures will need to 
> be updated.

Publish role accounts in whois instead of personal information?

Sorry, I don't mean to break up an energetic tirade but a phone number is not 
PII when it's attached to "hostmaster" instead of "John Doe".
You and I like knowing that there's a specific person there and it certainly 
helps when auditing public policy compliance but as a technical matter contact 
doesn't have to work that way.

I noticed that Namecheap solved their GDPR problem by simply making their 
"WhoisGuard" product free.

Regards,
Bill Herrin


--
William Herrin  her...@dirtside.com  b...@herrin.us Dirtside 
Systems . Web: <http://www.dirtside.com/>


Re: ICANN GDPR lawsuit

2018-06-01 Thread William Herrin
On Fri, Jun 1, 2018 at 8:47 AM, Stephen Satchell  wrote:
> In other words, how do you do your job in light of the GDPR restrictions
> on accessing contact information for other network operators?
>
> Please be specific.  A lot of NOC policies and procedures will need to
> be updated.

Publish role accounts in whois instead of personal information?

Sorry, I don't mean to break up an energetic tirade but a phone number
is not PII when it's attached to "hostmaster" instead of "John Doe".
You and I like knowing that there's a specific person there and it
certainly helps when auditing public policy compliance but as a
technical matter contact doesn't have to work that way.

I noticed that Namecheap solved their GDPR problem by simply making
their "WhoisGuard" product free.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: ICANN GDPR lawsuit

2018-06-01 Thread niels=nanog

* l...@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
> How does your shop, Niels, go about making contact with an operator 
> that is hijacking one of your netblocks, or is doing something weird 
> with routing that is causing your customers problems, or has broken 
> BGP?

The same as we do now, by posting on NANOG "Can someone from ASx / 
largetelco.com contact me offlist?"



-- Niels.


Re: ICANN GDPR lawsuit

2018-06-01 Thread John Peach

On 06/01/2018 08:47 AM, Stephen Satchell wrote:
> On 06/01/2018 05:24 AM, niels=na...@bakker.net wrote:
>> * h...@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
>>> The entire whois debacle will only get resolved when some hackers attack
>>> www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
>>> response they get will be "sorry, we can't determine who is attacking
>>> you since that contravenes GDPR", will the EU light bulb go on that
>>> something in GDPR needs to be tweaked.
>>
>> Please stop inciting lawbreaking, and stop spreading long debunked
>> talking points.  Both are really inappropriate for this list.
>
> OK, then let's talk about something that IS appropriate for this list.
> How does your shop, Niels, go about making contact with an operator that
> is hijacking one of your netblocks, or is doing something weird with
> routing that is causing your customers problems, or has broken BGP?
>
> I will say right now that in large shops, the owner is NOT the right
> contact.  In fact, if things are broken enough you may not be able to
> send email to the owner -- he could be isolated.  The registration
> authorities want the owner contact for legal reasons.  We poor sods in
> the trenches need tech contacts, preferably contacts with clue.
>
> In other words, how do you do your job in light of the GDPR restrictions
> on accessing contact information for other network operators?
>
> Please be specific.  A lot of NOC policies and procedures will need to
> be updated.
>
> Right now my policies and procedures book says to use WHOIS.  What needs
> to change?

$dayjob has approaching 800 domains registered, of which a handful are 
set up for email and the hostmaster address was on only one of those. We 
only discovered the problem when a certificate authority attempted to 
contact us for one of the other domains. At that point I found that 
Network Solutions had removed all our contact information and trying to 
find someone with a clue at NetSol is nigh on impossible.


--
John
PGP Public Key: 412934AC


Re: ICANN GDPR lawsuit

2018-06-01 Thread Stephen Satchell
On 06/01/2018 05:24 AM, niels=na...@bakker.net wrote:
> * h...@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
>> The entire whois debacle will only get resolved when some hackers attack
>> www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
>> response they get will be "sorry, we can't determine who is attacking
>> you since that contravenes GDPR", will the EU light bulb go on that
>> something in GDPR needs to be tweaked.
> 
> Please stop inciting lawbreaking, and stop spreading long debunked
> talking points.  Both are really inappropriate for this list.

OK, then let's talk about something that IS appropriate for this list.
How does your shop, Niels, go about making contact with an operator that
is hijacking one of your netblocks, or is doing something weird with
routing that is causing your customers problems, or has broken BGP?

I will say right now that in large shops, the owner is NOT the right
contact.  In fact, if things are broken enough you may not be able to
send email to the owner -- he could be isolated.  The registration
authorities want the owner contact for legal reasons.  We poor sods in
the trenches need tech contacts, preferably contacts with clue.

In other words, how do you do your job in light of the GDPR restrictions
on accessing contact information for other network operators?

Please be specific.  A lot of NOC policies and procedures will need to
be updated.

Right now my policies and procedures book says to use WHOIS.  What needs
to change?


Re: ICANN GDPR lawsuit

2018-06-01 Thread Hank Nussbacher
On 01/06/2018 15:24, niels=na...@bakker.net wrote:
> * h...@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
>> The entire whois debacle will only get resolved when some hackers attack
>> www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
>> response they get will be "sorry, we can't determine who is attacking
>> you since that contravenes GDPR", will the EU light bulb go on that
>> something in GDPR needs to be tweaked.
>
> Please stop inciting lawbreaking, and stop spreading long debunked
> talking points.  Both are really inappropriate for this list.
>
>
> -- Niels.
>
The point was not to encourage law breaking.  Sorry if that is what was
perceived.  The point is that the people who designed GDPR did not take
whois into consideration in the least.  And we all will suffer because
of that.

-Hank


Re: ICANN GDPR lawsuit

2018-06-01 Thread niels=nanog

* h...@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
> The entire whois debacle will only get resolved when some hackers attack
> www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
> response they get will be "sorry, we can't determine who is attacking
> you since that contravenes GDPR", will the EU light bulb go on that
> something in GDPR needs to be tweaked.

Please stop inciting lawbreaking, and stop spreading long debunked 
talking points.  Both are really inappropriate for this list.



-- Niels.


Re: ICANN GDPR lawsuit

2018-05-31 Thread Hank Nussbacher
On 31/05/2018 21:44, John Peach wrote:
> On 05/31/2018 02:37 PM, Dan Hollis wrote:
>> On Thu, 31 May 2018, b...@theworld.com wrote:
>>> FWIW a German court has just ruled against ICANN's injunction and in
>>> favor of Tucows/EPAG.
>>>   https://www.icann.org/news/announcement-4-2018-05-30-en
>>
>> Welcome to contact-free whois?
>>
>> -Dan
>
>
> Already been bitten by it and trying to get the contact info reinstated.
>
>
>
The entire whois debacle will only get resolved when some hackers attack
www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
response they get will be "sorry, we can't determine who is attacking
you since that contravenes GDPR", will the EU light bulb go on that
something in GDPR needs to be tweaked.

-Hank


Re: ICANN GDPR lawsuit

2018-05-31 Thread Oliver O'Boyle
whoisnt

On Thu, May 31, 2018 at 2:37 PM, Dan Hollis  wrote:
> On Thu, 31 May 2018, b...@theworld.com wrote:
>>
>> FWIW a German court has just ruled against ICANN's injunction and in
>> favor of Tucows/EPAG.
>>   https://www.icann.org/news/announcement-4-2018-05-30-en
>
>
> Welcome to contact-free whois?
>
> -Dan



-- 
:o@>


Re: ICANN GDPR lawsuit

2018-05-31 Thread John Peach

On 05/31/2018 02:37 PM, Dan Hollis wrote:
> On Thu, 31 May 2018, b...@theworld.com wrote:
>> FWIW a German court has just ruled against ICANN's injunction and in
>> favor of Tucows/EPAG.
>>   https://www.icann.org/news/announcement-4-2018-05-30-en
>
> Welcome to contact-free whois?
>
> -Dan

Already been bitten by it and trying to get the contact info reinstated.



--
John
PGP Public Key: 412934AC


Re: ICANN GDPR lawsuit

2018-05-31 Thread Dan Hollis

On Thu, 31 May 2018, b...@theworld.com wrote:
> FWIW a German court has just ruled against ICANN's injunction and in
> favor of Tucows/EPAG.
>   https://www.icann.org/news/announcement-4-2018-05-30-en

Welcome to contact-free whois?

-Dan


Re: ICANN GDPR lawsuit

2018-05-30 Thread bzs


FWIW a German court has just ruled against ICANN's injunction and in
favor of Tucows/EPAG.

   https://www.icann.org/news/announcement-4-2018-05-30-en

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: ICANN GDPR lawsuit

2018-05-30 Thread John Levine
In article  you write:
>http://www.circleid.com/posts/20180527_icann_files_legal_action_against_domain_registrar_whois_data/

Elliot said that if he had to choose between fighting ICANN and
fighting governments, he'd fight ICANN.  I can't blame him.

http://www.tucows.com/tucows-statement-on-icann-legal-action/

R's,
John