Re: Whois vs GDPR, latest news

2018-06-05 Thread Matt Baldwin
You mean something like this?

https://certikit.com/products/gdpr-toolkit/

While not CC licensed it might get you where you need to go.


On Sat, May 26, 2018, 7:06 PM Dan Hollis  wrote:

> On Sat, 26 May 2018, Royce Williams wrote:
> > Naively ... to counter potential panic, it would be awesome to
> > crowdsource some kind of CC-licensed GDPR toolkit for small orgs.
> > Something like a boilerplate privacy policy (perhaps generated by
> > answers to questions), plus some simplified checklists, could go a
> > long way - towards both compliance and actual security benefit.
>
> who is willing to accept the risk of being involved in creation of such a
> thing? would you?
>
> if someone uses it and ends up being hit by eu regulators, you can bet
> the toolkit creators will be sued.
>
> who would be willing to use a crowdsourced legal toolkit given the risks
> of a violation? would you?
>
> -Dan
>


Re: Whois vs GDPR, latest news

2018-05-28 Thread Anne P. Mitchell Esq.



> 
> This is really off-topic for NANOG.  Is there a better place where this
> discussion can be found?

ISIPP hosts several email groups where this conversation would be appropriate.

Anybody who would like to continue the conversation there is welcome to ping me 
offlist requesting to join one or more of those groups...please include your 
full name, for whom you work (if relevant), and a one sentence description of 
your interest in/connection to network security, privacy, and/or policies.

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop



Re: Whois vs GDPR, latest news

2018-05-28 Thread Anne P. Mitchell Esq.



> On May 27, 2018, at 3:19 AM, Michel 'ic' Luczak  wrote:
> 
> Still on ec.europa.eu  they seem to try to reassure 
> SMEs that the penalties will be “proportionate” both to the nature of the 
> infringement and to the size of the company. It also seems to largely be 
> related to whether you infringed the regulation in good faith or not. At 
> least in France where I live the climate is pro-SMEs so I guess small 
> mistakes will be forgiven. The head of our DPA also gave an interview 
> recently saying that there will be no sanctions in the coming months and that 
> they’re available to answer questions when in doubt about what to do.

Here's the thing...unless the EU is vastly different from the US in terms of 
legislative construction, what any third-party says - even those involved in 
developing the law - is almost (not completely, but almost) immaterial to how 
the law will be applied.  The law *is the law*, and nothing anybody says about 
it will have much impact on how it will be construed by a court of law.  Which 
is why:

> Lastly, our law firm told us that basically we have to wait until the first 
> settlements to see what will be done…

...exactly.  The law will have to be construed and refined by lawsuits (unless a 
newer law clarifies or supersedes it).

And this is why we take a strict, conservative view of what one has to do to 
get into compliance.  Because our job is to keep the entities with whom we 
consult on GDPR from becoming those test cases.

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop



Re: Whois vs GDPR, latest news

2018-05-27 Thread Stephen Satchell
This is really off-topic for NANOG.  Is there a better place where this
discussion can be found?


Re: Whois vs GDPR, latest news

2018-05-27 Thread John Levine
In article <230722.1527374...@turing-police.cc.vt.edu> you write:
>Now here's the big question - a *lot* of companies are targeting "anybody with
>a freemail account like GMail and a valid Visa or Mastercard card" or similar
>business models - does that count as "specifically targeting at EU", or not?

This is an excellent question, because anyone who purports to give you
an answer has self-identified as a fool.

The closest thing to an answer is that nobody knows, maybe after some
rulings from various national authorities we'll have an idea, except
that they'll probably be inconsistent and contradictory.

R's,
John


Re: Whois vs GDPR, latest news

2018-05-27 Thread niels=nanog

* l...@satchell.net (Stephen Satchell) [Sun 27 May 2018, 23:17 CEST]:
> On 05/27/2018 12:54 PM, niels=na...@bakker.net wrote:
>> You have this the wrong way around.  You'll need permission to 
>> store their IP address in logs that you keep and to inform third 
>> parties about their visits to your site.  And that is because that 
>> information belongs to the visitor, not to you.
>
> This is going to run afoul of some data retention laws currently on 
> the books in some places.  You *have* to keep logs, WITH IP 
> addresses...

Owen doesn't.


-- Niels.


Re: Whois vs GDPR, latest news

2018-05-27 Thread Stephen Satchell
On 05/27/2018 12:54 PM, niels=na...@bakker.net wrote:
> You have this the wrong way around.  You'll need permission to store
> their IP address in logs that you keep and to inform third parties about
> their visits to your site.  And that is because that information belongs
> to the visitor, not to you.

This is going to run afoul of some data retention laws currently on the
books in some places.  You *have* to keep logs, WITH IP addresses...


Re: Whois vs GDPR, latest news

2018-05-27 Thread Sander Steffann
Hi,

>> The way GDPR is written, if you want to collect (and store) so much as
>> the IP address of the potential customer who visited your website, you
>> need their informed consent and you can’t require that they consent as
>> a condition of providing service.
> 
> What we were told is that since security > GDPR, storing IPs in logs is 
> obviously OK since it’s a legal requirement.

GDPR article 6.1c (legal obligation) and 6.1f (legitimate interests) would 
probably both qualify for logging HTTP requests.

In this context it's also not likely that the IP address is considered personal 
data at all. Personal data is defined as data related to "an identifiable 
natural person is one who can be identified, directly or indirectly, in 
particular by reference to an identifier such as a name, an identification 
number, [...]". If you have no way to determine who an IP address belongs to 
then it's not personal data to you.

This can actually be a tricky point: the ISP who provides connectivity to a 
customer obviously knows which IP address they provided, so to that ISP the IP 
address is definitely personal data. If you ask for someone's name on your 
website and you log the IP address together with answers then you suddenly turn 
that IP address into personal data, even regarding your web server logs.

To be safe, adding something like the following to the privacy notice on the 
website would be fine for this case: "In order to comply with law enforcement 
requirements and to be able to detect and investigate abuse of our website we 
log all requests, including the IP addresses of the requester. If our systems 
detect abuse they may block access to our services from that IP address. This 
data will be stored for up to 2 weeks and will then automatically be deleted.". 
Add boilerplate text for contact information etc. and that should cover article 
13.

> Storing them in a database for targeting / marketing is not.
> 
> What is a gray area so far is any use of IDS/IPS…

Sounds like legitimate interests to me :)  But it really depends on what is 
done with that information. Just protecting your servers should be fine. The 
big change with the GDPR is that you have to tell your users that you do this.

Hmmm. It might be a good idea to write some boilerplate privacy policy text for 
common components like IDP/IDS, load balancers, web server logs, DDOS 
protection etc.

Cheers,
Sander



Re: Whois vs GDPR, latest news

2018-05-27 Thread Michel 'ic' Luczak

> On 27 May 2018, at 21:41, Owen DeLong  wrote:
> 
> The way GDPR is written, if you want to collect (and store) so much as
> the IP address of the potential customer who visited your website, you
> need their informed consent and you can’t require that they consent as
> a condition of providing service.

What we were told is that since security > GDPR, storing IPs in logs is 
obviously OK since it’s a legal requirement.

Storing them in a database for targeting / marketing is not.

What is a gray area so far is any use of IDS/IPS…




Re: Whois vs GDPR, latest news

2018-05-27 Thread niels=nanog

* o...@delong.com (Owen DeLong) [Sun 27 May 2018, 21:42 CEST]:
> The way GDPR is written, if you want to collect (and store) so much 
> as the IP address of the potential customer who visited your 
> website, you need their informed consent and you can’t require that 
> they consent as a condition of providing service.

You have this the wrong way around.  You'll need permission to store 
their IP address in logs that you keep and to inform third parties 
about their visits to your site.  And that is because that 
information belongs to the visitor, not to you.

> Basically, the regulation is so poorly written that it is utterly 
> nonsensical and I wonder how business in Europe intend to function 
> when they can’t make collecting someone’s address a condition of 
> allowing them to order something online.

Basically, this example is so bad that it's not even wrong.


-- Niels.


Re: Whois vs GDPR, latest news

2018-05-27 Thread Owen DeLong


> On May 26, 2018, at 18:42 , Royce Williams  wrote:
> 
> On Sat, May 26, 2018 at 4:57 PM Dan Hollis  wrote:
> 
>> I imagine small businesses who do a small percentage of revenue to EU
>> citizens will simply decide to do zero percentage of revenue to EU
>> citizens. The risk is simply too great.
> 
> That would be a shame. I would expect the level of effort to be roughly
> commensurate with A) the size of the org, and B) the risk inherent in what
> data is being collected, processed, stored, etc. I would also expect
> compliance to at least partially derive from
> vendor/cloud/outsource/whatever partners, many of whom should be
> scaled/scaling up to minimally comply.

Here’s the problem…

The way GDPR is written, if you want to collect (and store) so much as
the IP address of the potential customer who visited your website, you
need their informed consent and you can’t require that they consent as
a condition of providing service.

Basically, the regulation is so poorly written that it is utterly nonsensical
and I wonder how business in Europe intend to function when they can’t
make collecting someone’s address a condition of allowing them to order
something online.

> I would also not be surprised if laws of similar scope start to emerge in
> other countries. If so, taking your ball and going home won't be
> sustainable. If small, vulnerable orgs panic and can't realistically engage
> the risk, they may be selecting themselves out of the market - an "I
> encourage my competitors to do this" variant.

Let’s hope that if enough businesses take their ball and go home, the EU
and other regulators will wake up and smell the hydrogen-sulfide and write
better laws.

I’m not opposed to privacy protection, but GDPR contains way too much overreach
and way too little logic or common sense.

> Naively ... to counter potential panic, it would be awesome to crowdsource
> some kind of CC-licensed GDPR toolkit for small orgs. Something like a
> boilerplate privacy policy (perhaps generated by answers to questions),
> plus some simplified checklists, could go a long way - towards both
> compliance and actual security benefit.

The first word does a pretty good job of describing the rest of that paragraph
as mentioned by others.

> In a larger sense ... can any org - regardless of size - afford to not know
> their data, understand (at least at a high level) how it could be abused,
> know who is accessing it, manage it so that it can be verifiably purged,
> and enable their customers to self-manage their portion of it??

Yes. But even if an org does all of that, there are still significant problems
with GDPR.

Owen



Re: Whois vs GDPR, latest news

2018-05-27 Thread Sander Steffann
Hi,

>> Thanks for the clarification. But whether that fine will be less than 10M is 
>> extremely vague and (I guess?) left up to the opinions or whims of a Euro 
>> bureaucrat or judge panel, or something like that... based on very vague and 
>> subjective criteria. I've searched and nobody can seem to find any more 
>> specifics or assurances. Therefore, there is NOTHING that a very small 
>> business with a very small data breach or mistake, could point to... to give 
>> them confidence that their fine will be any less than 10M Euros, other than 
>> that "up to" wording - that is in the same sentence where it also clarifies 
>> "whichever is larger".
>> 
>> All these people in this discussion who are expressing opinions that 
>> penalties in such situations won't be nearly so bad - are expressing what 
>> may very well be "wishful thinking" that isn't rooted in reality.
> 
> Still on ec.europa.eu  they seem to try to reassure 
> SMEs that the penalties will be “proportionate” both to the nature of the 
> infringement and to the size of the company. It also seems to largely be 
> related to whether you infringed the regulation in good faith or not. At 
> least in France where I live the climate is pro-SMEs so I guess small 
> mistakes will be forgiven. The head of our DPA also gave an interview 
> recently saying that there will be no sanctions in the coming months and that 
> they’re available to answer questions when in doubt about what to do.

That is also what I see in the Netherlands.

> Lastly, our law firm told us that basically we have to wait until the first 
> settlements to see what will be done…

True. Considering that GDPR is an EU regulation and that in general European 
culture is a lot less litigious than in the US I don't expect massive fines 
unless the infractions are malignant + persistent + performed by a large 
corporation. Smaller companies (or people) that make mistakes will not get 
fines that would bankrupt them. That's just not the way the justice system 
works on this side of the pond :)

Cheers,
Sander



Re: Whois vs GDPR, latest news

2018-05-27 Thread Michel 'ic' Luczak

> On 26 May 2018, at 21:04, Rob McEwen  wrote:
> 
> Thanks for the clarification. But whether that fine will be less than 10M is 
> extremely vague and (I guess?) left up to the opinions or whims of a Euro 
> bureaucrat or judge panel, or something like that... based on very vague and 
> subjective criteria. I've searched and nobody can seem to find any more 
> specifics or assurances. Therefore, there is NOTHING that a very small 
> business with a very small data breach or mistake, could point to... to give 
> them confidence that their fine will be any less than 10M Euros, other than 
> that "up to" wording - that is in the same sentence where it also clarifies 
> "whichever is larger".
> 
> All these people in this discussion who are expressing opinions that 
> penalties in such situations won't be nearly so bad - are expressing what may 
> very well be "wishful thinking" that isn't rooted in reality.

Still on ec.europa.eu  they seem to try to reassure SMEs 
that the penalties will be “proportionate” both to the nature of the 
infringement and to the size of the company. It also seems to largely be related 
to whether you infringed the regulation in good faith or not. At least in 
France where I live the climate is pro-SMEs so I guess small mistakes will be 
forgiven. The head of our DPA also gave an interview recently saying that there 
will be no sanctions in the coming months and that they’re available to answer 
questions when in doubt about what to do.

Lastly, our law firm told us that basically we have to wait until the first 
settlements to see what will be done…

Regards, Michel



Re: Whois vs GDPR, latest news

2018-05-27 Thread JORDI PALET MARTINEZ via NANOG
I know that LOPD and LSSI is not the same as GDPR.

However, each country in the EU needs to modify its own LOPD in order to adapt 
it to the GDPR.

*I've done some further reading and according to the 1st and 2nd paragraphs of 
GDPR Art. 83 each DPA will establish the fines, which should respect what is 
said in 4, 5 and 6 (including the maximum fines, so clearly 10 and 20 MEuros or 
2% and 4% of the previous year turnover).

So after that, I found out what is going on, and in the case of Spain, the council 
of Ministers approved the law on 24th Nov. 2017 
(http://www.congreso.es/docu/docum/ddocum/dosieres/sleg/legislatura_12/spl_13/pdfs/1.pdf)
 and it was expected to be sanctioned by the Parliament last week, after some 
discussion and some changes. However, it seems to be delayed as the parliament 
asked for some amendments.

In this document, again, it is indicated that the DPA will follow what is being 
said in GDPR (see * above) and doesn't mention the amount of each fine, because 
"Each supervisory authority shall ensure that the imposition of administrative 
fines pursuant to this Article in respect of infringements of this Regulation 
referred to in paragraphs 4, 5 and 6 shall in each individual case be 
effective, proportionate and dissuasive." See also the text in p. 2 of the GDPR.

This allows the DPAs to take into consideration *each* individual case, or 
even to change the fines in the future.

However, the Spanish law talks about some specific fine amounts in article 
78, referring to the prescription of the infringements depending on the fine 
amount. For example, for fines up to 40.000 Euros, 300.000 euros and over 
300.000 euros.

What does that mean? Each DPA has to modify the "actual" LOPD and associated 
tables of fines, and the GDPR only establishes the maximum amounts.

Other countries already have done that:
Italy: LEGGE 20 novembre 2017, n. 167
Germany: Bundesdatenschutzgesetz
France: looks like a similar situation as Spain

So, for the countries that have not yet finalized the approval of the "new 
LOPD", the fines are still the same as the ones defined in the "actual LOPD". 
So, I think I was right in my assertion, and the minimum fines in Spain will 
be for sure lower than 40.000 euros, and my guess is that they will start as today 
with 600 or so ... in the end it will depend on the "individual decision" 
(based on a categorization table, which the Spanish DPA for sure has already 
prepared, but will not make public until the new LOPD is approved by the 
parliament).

Of course I'm not saying that you should ignore the GDPR because the fines are 
low. I think everybody really needs to adapt their data protection procedures to 
it.

Regards,
Jordi
 
 PD: An informal document that I've found says that the new fines are in the 
ranges of 900-40.000, 40.001-300.000 and 300.000-600.000.



-Original Message-
From: NANOG <nanog-boun...@nanog.org> on behalf of Rob McEwen 
<r...@invaluement.com>
Date: Sunday, 27 May 2018, 0:16
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news

On 5/26/2018 3:36 PM, JORDI PALET MARTINEZ via NANOG wrote:
> Talking from experience, because of the previous laws in Spain, LOPD and 
> LSSI

Jordi,

LOPD/LSSI does not = GDPR

But even if there was a probability that GDPR would operate like they do: 
(1) it is alarming that the fines mentioned on GDPR are 10-20X higher than even 
LOPD/LSSI's higher fines -AND- regarding LOPD/LSSI's relatively low minimum 
fine of 600 EUROs that you mentioned - it was explicitly mentioned on the page 
you referenced - HOWEVER there is NOT any similar official (relatively) 
low-cost fine mentioned for GDPR anywhere; there is only that 
NOT-reassuring "up to" phrase.

For someone hit with a GDPR fine, I don't think telling them, "JORDI PALET 
MARTINEZ claimed that the fine will be more reasonable for a smaller business 
that had a less egregious offense" - is going to necessarily make it so.

Believe me, I WANT you to be my GDPR fairy. I really really do. But I have 
to operate my business more realistically.

-- 
Rob McEwen
https://www.invaluement.com






**
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicitly authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: Whois vs GDPR, latest news

2018-05-26 Thread Dan Hollis

On Sat, 26 May 2018, Royce Williams wrote:

> Naively ... to counter potential panic, it would be awesome to crowdsource
> some kind of CC-licensed GDPR toolkit for small orgs. Something like a
> boilerplate privacy policy (perhaps generated by answers to questions),
> plus some simplified checklists, could go a long way - towards both
> compliance and actual security benefit.


who is willing to accept the risk of being involved in creation of such a 
thing? would you?


if someone uses it and ends up being hit by eu regulators, you can bet 
the toolkit creators will be sued.


who would be willing to use a crowdsourced legal toolkit given the risks 
of a violation? would you?


-Dan


Re: Whois vs GDPR, latest news

2018-05-26 Thread Royce Williams
On Sat, May 26, 2018 at 4:57 PM Dan Hollis  wrote:

> I imagine small businesses who do a small percentage of revenue to EU
> citizens will simply decide to do zero percentage of revenue to EU
> citizens. The risk is simply too great.

That would be a shame. I would expect the level of effort to be roughly
commensurate with A) the size of the org, and B) the risk inherent in what
data is being collected, processed, stored, etc. I would also expect
compliance to at least partially derive from
vendor/cloud/outsource/whatever partners, many of whom should be
scaled/scaling up to minimally comply.

I would also not be surprised if laws of similar scope start to emerge in
other countries. If so, taking your ball and going home won't be
sustainable. If small, vulnerable orgs panic and can't realistically engage
the risk, they may be selecting themselves out of the market - an "I
encourage my competitors to do this" variant.

Naively ... to counter potential panic, it would be awesome to crowdsource
some kind of CC-licensed GDPR toolkit for small orgs. Something like a
boilerplate privacy policy (perhaps generated by answers to questions),
plus some simplified checklists, could go a long way - towards both
compliance and actual security benefit.

In a larger sense ... can any org - regardless of size - afford to not know
their data, understand (at least at a high level) how it could be abused,
know who is accessing it, manage it so that it can be verifiably purged,
and enable their customers to self-manage their portion of it??

I'm personally a big fan of undue diligence and all, but we need to
advocate for some ... realistic scaling of response.

Royce


Re: Whois vs GDPR, latest news

2018-05-26 Thread Dan Hollis

On Sat, 26 May 2018, Seth Mattinen wrote:

> On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:
>> Actually, GDPR specifically requires processors to include statements of 
>> compliance right in their contracts;  we also strongly recommend that 
>> controllers insist on indemnification clauses in their contracts with 
>> processors, because if the processor screws up and there is a breach, 
>> the _controller_ can also be held liable, and the financial penalties in 
>> GDPR are very stiff.
>
> Good luck getting multiple millions worth of fines out of small businesses 
> that never even touch a million a year in revenue, let alone the added 
> expenses of trying to do all the crap GDPR thinks everyone can suddenly 
> afford out of nowhere.


I imagine small businesses who do a small percentage of revenue to EU 
citizens will simply decide to do zero percentage of revenue to EU 
citizens. The risk is simply too great.


-Dan


Re: Whois vs GDPR, latest news

2018-05-26 Thread valdis . kletnieks
On Sat, 26 May 2018 10:31:29 +0200, "Michel 'ic' Luczak" said:

> "When the regulation does not apply
>
> Your company is service provider based outside the EU. It provides services
> to customers outside the EU.  Its clients can use its services when they travel
> to other countries, including within the EU. Provided your company  doesn't
> specifically target its services at individuals in the EU, it is not subject to
> the rules of the GDPR.”

Now here's the big question - a *lot* of companies are targeting "anybody with
a freemail account like GMail and a valid Visa or Mastercard card" or similar
business models - does that count as "specifically targeting at EU", or not?





Re: Whois vs GDPR, latest news

2018-05-26 Thread Rob McEwen

On 5/26/2018 3:36 PM, JORDI PALET MARTINEZ via NANOG wrote:
> Talking from experience, because of the previous laws in Spain, LOPD and LSSI


Jordi,

LOPD/LSSI does not = GDPR

But even if there was a probability that GDPR would operate like they do: (1) it is 
alarming that the fines mentioned on GDPR are 10-20X higher than even LOPD/LSSI's higher 
fines -AND- regarding LOPD/LSSI's relatively low minimum fine of 600 EUROs that you 
mentioned - it was explicitly mentioned on the page you referenced - HOWEVER there is NOT 
any similar official (relatively) low-cost fine mentioned for GDPR anywhere; there is 
only that NOT-reassuring "up to" phrase.

For someone hit with a GDPR fine, I don't think telling them, "JORDI PALET MARTINEZ 
claimed that the fine will be more reasonable for a smaller business that had a less 
egregious offense" - is going to necessarily make it so.

Believe me, I WANT you to be my GDPR fairy. I really really do. But I have to 
operate my business more realistically.

--
Rob McEwen
https://www.invaluement.com




Re: Whois vs GDPR, latest news

2018-05-26 Thread JORDI PALET MARTINEZ via NANOG
Talking from experience, because of the previous laws in Spain, LOPD and LSSI 
(which were basically the same across the different EU countries).

They had "maximum" fines (it was 600.000 Euros). They start for small law 
infringements with 600 euros, 1.500 euros, unless it is something very severe, then 
it comes to something like 30.000 euros, etc.

If you keep repeating the law infringement, then the 2nd time it may become 
150.000 Euros.

If it is a massive infringement (for example massive spam), then it comes to 
300.000 or even 600.000 euros.

Here is an explanation of the LOPD fines; it is in Spanish, but a 
translator should work:
http://www.cuidatusdatos.com/infracciones/

My guess is that the GDPR maximum fines are there just as maximums, and there 
will be agreements among the EU DPAs to better define how much the fine is, in 
a similar way to what they are doing now.

Regards,
Jordi
 
 

-Original Message-
From: NANOG <nanog-bounces+jordi.palet=consulintel...@nanog.org> on behalf of Rob 
McEwen <r...@invaluement.com>
Date: Saturday, 26 May 2018, 21:06
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news

On 5/26/2018 2:36 PM, Michel 'ic' Luczak wrote:
> Original text from EU Commission:
> "Infringements of the following provisions shall, in accordance with 
> paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the 
> case of an undertaking, up to 2 % of the total worldwide annual turnover of the 
> preceding financial year, whichever is higher”
>
> -> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).
>
> It’s a cap, not a minimum.


Thanks for the clarification. But whether that fine will be less than 
10M is extremely vague and (I guess?) left up to the opinions or whims 
of a Euro bureaucrat or judge panel, or something like that... based on 
very vague and subjective criteria. I've searched and nobody can seem to 
find any more specifics or assurances. Therefore, there is NOTHING that 
a very small business with a very small data breach or mistake, could 
point to... to give them confidence that their fine will be any less 
than 10M Euros, other than that "up to" wording - that is in the same 
sentence where it also clarifies "whichever is larger".

All these people in this discussion who are expressing opinions that 
penalties in such situations won't be nearly so bad - are expressing 
what may very well be "wishful thinking" that isn't rooted in reality.

-- 
Rob McEwen
https://www.invaluement.com
  










Re: Whois vs GDPR, latest news

2018-05-26 Thread Florian Weimer
* Mark Andrews:

> Domain whois is absolutely useful.  Try contacting a site to report
> that their nameservers are hosed without it.

A lot of WHOIS servers do not show who's running the name servers, or
who maintains the data served by them.  Those that do usually provide
information which is provably wrong.

> Remember that about 50% of zones have non-RFC-compliant name servers
> (the software is broken) and that newer resolvers depend on default
> behaviour working correctly.

If WHOIS records were useful for contacting operators, you wouldn't
have to raise these issues on public lists periodically.


Re: Whois vs GDPR, latest news

2018-05-26 Thread Rob McEwen

On 5/26/2018 2:36 PM, Michel 'ic' Luczak wrote:
> Original text from EU Commission:
> "Infringements of the following provisions shall, in accordance with paragraph 
> 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an 
> undertaking, up to 2 % of the total worldwide annual turnover of the preceding 
> financial year, whichever is higher”
>
> -> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M).
>
> It’s a cap, not a minimum.



Thanks for the clarification. But whether that fine will be less than 
10M is extremely vague and (I guess?) left up to the opinions or whims 
of a Euro bureaucrat or judge panel, or something like that... based on 
very vague and subjective criteria. I've searched and nobody can seem to 
find any more specifics or assurances. Therefore, there is NOTHING that 
a very small business with a very small data breach or mistake, could 
point to... to give them confidence that their fine will be any less 
than 10M Euros, other than that "up to" wording - that is in the same 
sentence where it also clarifies "whichever is larger".


All these people in this discussion who are expressing opinions that 
penalties in such situations won't be nearly so bad - are expressing 
what may very well be "wishful thinking" that isn't rooted in reality.


--
Rob McEwen
https://www.invaluement.com
 



Re: Whois vs GDPR, latest news

2018-05-26 Thread Michel 'ic' Luczak


> On 26 May 2018, at 20:28, Seth Mattinen  wrote:
> 
> 
> 
> On 5/26/18 8:15 PM, Michel 'ic' Luczak wrote:
>> The two levels depend on the nature of the infringement, but it says clearly 
>> “up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the 
>> “less serious” infringements. So no, there is no minimum fine actually.
> 
> 
> To me that says the fine is 10M if your 2% is lower than 10M. Or it wasn't 
> originally written in English and the translation is flawed.

Original text from EU Commission:
"Infringements of the following provisions shall, in accordance with paragraph 
2, be subject to administrative fines up to 10 000 000 EUR, or in the case of 
an undertaking, up to 2 % of the total worldwide annual turnover of the 
preceding financial year, whichever is higher”

-> Administrative fines _up to_ 10M (or 2% if your 2% is higher than 10M). 

It’s a cap, not a minimum. 





Re: Whois vs GDPR, latest news

2018-05-26 Thread Seth Mattinen



On 5/26/18 8:15 PM, Michel 'ic' Luczak wrote:

The two levels depend on the nature of the infringement, but it says clearly 
“up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the 
“less serious” infringements. So no, there is no minimum fine actually.



To me that says the fine is 10M if your 2% is lower than 10M. Or it 
wasn't originally written in English and the translation is flawed.




Re: Whois vs GDPR, latest news

2018-05-26 Thread Michel 'ic' Luczak


> On 26 May 2018, at 19:37, Rob McEwen  wrote:
> 
> The *MINIMUM* fine is 10M euros.
> 
> SEE: https://www.gdpreu.org/compliance/fines-and-penalties/ 
> 
The two levels depend on the nature of the infringement, but it says clearly 
“up to 10M” (or 2% of your worldwide revenue, whichever is bigger) for the 
“less serious” infringements. So no, there is no minimum fine actually.





Re: Whois vs GDPR, latest news

2018-05-26 Thread Rob McEwen

On 5/26/2018 12:29 PM, JORDI PALET MARTINEZ via NANOG wrote:

I don't recall right now the exact details about how they calculate the fine



The *MINIMUM* fine is 10M euros.

SEE: https://www.gdpreu.org/compliance/fines-and-penalties/

This is true no matter how small the business, and (potentially) even if 
there was just one minor incident.


And the law is so vague and expansive - and with such massive minimum 
fines - that I wonder if this might be exploited to target political 
rivals/enemies? Or those who donate to such? It certainly could easily 
be weaponized!


And before it even gets nearly to that point, it could also turn into 
the equivalent of the tiny city of Waldo, Florida (USA) (population 
1K)... who turned their police force into a speeding-ticket revenue 
factory for some time before the State of FL shut them down. Certainly, 
the Euro bureaucrats are incentivized.


--
Rob McEwen
https://www.invaluement.com



Re: Whois vs GDPR, latest news

2018-05-26 Thread Owen DeLong
I’m not sure that’s true. I think that the notice is sufficient to indicate 
that I have no intention to have EU persons visiting my web site and thus 
should not be subject to their extraterritorial overreach.

Obviously time will tell what happens.

Owen


> On May 26, 2018, at 09:29 , JORDI PALET MARTINEZ via NANOG <nanog@nanog.org> 
> wrote:
> 
> I don't recall right now the exact details about how they calculate the fine, 
> which is appropriate for each case, but the 4% of turnover or 20 million 
> Euros is just the maximum amount (per case). I'm sure there is something 
> already documented about that, or maybe each country's DPA is the one 
> responsible for defining the exact fine for each case.
> 
> For example, up to now (with the previous law, LOPD for Spain), the maximum 
> fine was 600.000 euros, and the "starting" fine was 1.500 euros. So, 
> depending on the number of people affected, the degree of infringement, if it 
> is the first time or if the company has been warned or fined before, you can 
> get a fine in the "middle" of those figures.
> 
> I'm sure it will be the same way for the GDPR.
> 
> Regards,
> Jordi
> 
> 
> 
> -Original Message-
> From: NANOG <nanog-boun...@nanog.org> on behalf of Seth Mattinen 
> <se...@rollernet.us>
> Date: Saturday, 26 May 2018, 16:00
> To: <nanog@nanog.org>
> Subject: Re: Whois vs GDPR, latest news
> 
> 
> 
>On 5/26/18 1:30 PM, JORDI PALET MARTINEZ via NANOG wrote:
>> I don't think, in general the DPAs need to use lawsuits.
>> 
>> If they discover (by their own, or by means of a customer claim) that a 
>> company (never mind whether it is from the EU or outside) is not following the GDPR, 
>> they will just fine it and the corresponding government authorities are 
>> responsible for collecting the fine, even with "bank account embargos". If the 
>> company is outside the EU, but there are agreements with that country, they 
>> can proceed to that via the third country authorities.
> 
> 
>If someone were to show up and issue me a 10 or 20 million euro fine 
>(more in USD), I'd just laugh since I'll never see that much money at 
>one time in my whole life.
> 
>I'm not convinced they will limit reach to the Facebooks and Googles of 
>the world until a lower limit is codified. I suspect that won't happen 
>until enough small guys are fined 10-20 million euros who could never 
>hope to repay it in a lifetime.
> 
>~Seth
> 
> 
> 
> 
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.consulintel.es
> The IPv6 Company
> 
> 
> 
> 



Re: Whois vs GDPR, latest news

2018-05-26 Thread JORDI PALET MARTINEZ via NANOG
I don't recall right now the exact details about how they calculate the fine, 
which is appropriate for each case, but the 4% of turnover or 20 million Euros 
is just the maximum amount (per case). I'm sure there is something already 
documented about that, or maybe each country's DPA is the one responsible for 
defining the exact fine for each case.

For example, up to now (with the previous law, LOPD for Spain), the maximum 
fine was 600.000 euros, and the "starting" fine was 1.500 euros. So, depending 
on the number of people affected, the degree of infringement, if it is the 
first time or if the company has been warned or fined before, you can get a 
fine in the "middle" of those figures.

I'm sure it will be the same way for the GDPR.

Regards,
Jordi
 
 

-Original Message-
From: NANOG <nanog-boun...@nanog.org> on behalf of Seth Mattinen 
<se...@rollernet.us>
Date: Saturday, 26 May 2018, 16:00
To: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news



On 5/26/18 1:30 PM, JORDI PALET MARTINEZ via NANOG wrote:
> I don't think, in general the DPAs need to use lawsuits.
> 
> If they discover (by their own, or by means of a customer claim) that a 
company (never mind whether it is from the EU or outside) is not following the GDPR, they 
will just fine it and the corresponding government authorities are 
responsible for collecting the fine, even with "bank account embargos". If the company 
is outside the EU, but there are agreements with that country, they can proceed 
to that via the third country authorities.


If someone were to show up and issue me a 10 or 20 million euro fine 
(more in USD), I'd just laugh since I'll never see that much money at 
one time in my whole life.

I'm not convinced they will limit reach to the Facebooks and Googles of 
the world until a lower limit is codified. I suspect that won't happen 
until enough small guys are fined 10-20 million euros who could never 
hope to repay it in a lifetime.

~Seth




**
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company






Re: Whois vs GDPR, latest news

2018-05-26 Thread Seth Mattinen



On 5/26/18 1:30 PM, JORDI PALET MARTINEZ via NANOG wrote:

I don't think, in general the DPAs need to use lawsuits.

If they discover (by their own, or by means of a customer claim) that a company (never 
mind whether it is from the EU or outside) is not following the GDPR, they will just fine it and the 
corresponding government authorities are responsible for collecting the fine, even with 
"bank account embargos". If the company is outside the EU, but there are 
agreements with that country, they can proceed to that via the third country authorities.



If someone were to show up and issue me a 10 or 20 million euro fine 
(more in USD), I'd just laugh since I'll never see that much money at 
one time in my whole life.


I'm not convinced they will limit reach to the Facebooks and Googles of 
the world until a lower limit is codified. I suspect that won't happen 
until enough small guys are fined 10-20 million euros who could never 
hope to repay it in a lifetime.


~Seth


Re: Whois vs GDPR, latest news

2018-05-26 Thread JORDI PALET MARTINEZ via NANOG
I don't think, in general the DPAs need to use lawsuits.

If they discover (by their own, or by means of a customer claim) that a company 
(never mind whether it is from the EU or outside) is not following the GDPR, they will 
just fine it and the corresponding government authorities are responsible 
for collecting the fine, even with "bank account embargos". If the company is outside 
the EU, but there are agreements with that country, they can proceed to that 
via the third country authorities.

Same as when you don't pay a traffic fine in the EU and you are from non-EU 
countries (some allow the embargo, others not).

This has been happening in most of the EU countries for a while. In recent 
months, the Spanish DPA has ordered fines of 600.000 euros (with the previous 
law, LOPD) to companies such as Facebook, Google, Whatsapp, and many others ...

Regards,
Jordi
 
 

-Original Message-
From: NANOG <nanog-boun...@nanog.org> on behalf of Nick Hilliard <n...@foobar.org>
Date: Saturday, 26 May 2018, 11:29
To: Seth Mattinen <se...@rollernet.us>
CC: <nanog@nanog.org>
Subject: Re: Whois vs GDPR, latest news

Seth Mattinen wrote on 26/05/2018 08:41:
> Good luck getting multiple millions worth of fines out of small 
> businesses that never even touch a million a year in revenue, let alone 
> the added expenses of trying to do all the crap GDPR thinks everyone can 
> suddenly afford out of nowhere.

You can put the straw man away - Europe isn't the US.  No Data 
Protection Authority in Europe is going to sue a mom & pop business in 
the US for millions because they haven't clarified their cookies policy. 
The upper limits of the fines are aimed at the robber barons of the world.

The DPAs in Europe are for the most part lawsuit-averse and engage with 
companies to build alignment rather than taking the punitive approach 
and liberally dishing out lawsuits and fines.  The emphasis on GDPR 
compliance is aiming at reasonable steps rather than pretending that 
every organisation is going to end up redesigning their entire existence 
around GDPR on May 25.

Nick




**
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company






Re: Whois vs GDPR, latest news

2018-05-26 Thread Nick Hilliard

Seth Mattinen wrote on 26/05/2018 08:41:
Good luck getting multiple millions worth of fines out of small 
businesses that never even touch a million a year in revenue, let alone 
the added expenses of trying to do all the crap GDPR thinks everyone can 
suddenly afford out of nowhere.


You can put the straw man away - Europe isn't the US.  No Data 
Protection Authority in Europe is going to sue a mom & pop business in 
the US for millions because they haven't clarified their cookies policy. 
The upper limits of the fines are aimed at the robber barons of the world.


The DPAs in Europe are for the most part lawsuit-averse and engage with 
companies to build alignment rather than taking the punitive approach 
and liberally dishing out lawsuits and fines.  The emphasis on GDPR 
compliance is aiming at reasonable steps rather than pretending that 
every organisation is going to end up redesigning their entire existence 
around GDPR on May 25.


Nick


Re: Whois vs GDPR, latest news

2018-05-26 Thread Michel 'ic' Luczak

> On 23 May 2018, at 19:12, Anne P. Mitchell Esq.  wrote:
> 
> 
> 
>> On May 23, 2018, at 11:05 AM, K. Scott Helms  wrote:
>> 
>> Yep, if you're doing a decent job around securing data then you don't have 
>> much to be worried about on that side of things.  The problem for most 
>> companies is that GDPR isn't really a security law, it's a privacy law (and 
>> set of regulations).  That's where it's hard because there are a limited 
>> number of ways you can, from the EU's standpoint, lawfully process someone's 
>> PII.  Things like opting out and blanket agreements to use all of someone's 
>> data for any reason a company may want are specifically prohibited.  Even 
>> companies that don't intentionally sell into the EU (or the UK) can find 
>> themselves dealing with this if they have customers with employees in the 
>> EU. 
> 
> Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based 
> website and orders something (or even just provides their PII)... but happens 
> to be in a plane flying over an EU country at the time.  Because GDPR doesn't 
> talk about residence or citizenship, it talks only about a vague and 
> ambiguous "in the Union", and I can certainly envision an argument in which 
> the person in the plane claims that they were, technically, "in the Union" at 
> the time. 
> 

Actually, the EU Commission is pretty clear about the non-E.U. person 
travelling to the E.U. and using a service not specifically targeting E.U. users:

"When the regulation does not apply
Your company is service provider based outside the EU. It provides services to 
customers outside the EU.  Its clients can use its services when they travel to 
other countries, including within the EU. Provided your company doesn't 
specifically target its services at individuals in the EU, it is not subject to 
the rules of the GDPR.”

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

There are many other examples on their website which leave very little doubt 
about when it applies and when it does not.

Regards, Michel




Re: Whois vs GDPR, latest news

2018-05-26 Thread Seth Mattinen



On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:

Actually, GDPR specifically requires processors to include statements of 
compliance right in their contracts;  we also strongly recommend that 
controllers insist on indemnification clauses in their contracts with 
processors, because if the processor screws up and there is a breach, 
the_controller_  can also be held liable, and the financial penalties in GDPR 
are very stiff.



Good luck getting multiple millions worth of fines out of small 
businesses that never even touch a million a year in revenue, let alone 
the added expenses of trying to do all the crap GDPR thinks everyone can 
suddenly afford out of nowhere.


~Seth


Re: Whois vs GDPR, latest news

2018-05-24 Thread K. Scott Helms
 Anne,

While I was re-reading some of the emails last night I realized that I
mischaracterized your description here, *"You may accuse me of being a
lawyer here (and rightly so :-) ), but "in", as in "in the Union" (which is
the actual language) is very much open to interpretation.  In a judicial
system where lawsuits have turned on  - I kid you not - the interpretation
of what a comma meant, I can almost guarantee you that "in the Union" is
going to get interpreted through lawsuits, and it is absolutely not outside
the realm of possibility that a U.S. citizen visiting in the EU will bring
a lawsuit based on something happening with their PII while they were "in
the Union".*

I didn't make it clear that you were suggesting that some would make this
claim rather than you making that claim.  Mea culpa :)

Our counselors made it clear (as did the regulators I was able to ask) that
short term visits weren't intended to be covered *in their opinion.*  There
are and will be many questions that won't be fully answered until
adjudicated or more precise language is used to make the meaning clear.
 Juhan Lepassaar (Head of VP Ansip Cabinet, European Commission) was one of
the speakers and we were able to ask questions of him.  It looks like the
video of one of the presentations I was at is now publicly available and I
encourage those with questions to watch it.

https://www.rsaconference.com/speakers/juhan-lepassaar

*" Actually, GDPR specifically requires processors to include statements of
compliance right in their contracts;  we also strongly recommend that
controllers insist on indemnification clauses in their contracts with
processors, because if the processor screws up and there is a breach, the
_controller_ can also be held liable, and the financial penalties in GDPR
are very stiff."*

Yep, this is better (clearer) wording than what I used and is absolutely
correct.



On Thu, May 24, 2018 at 10:21 AM Anne P. Mitchell Esq. 
wrote:

>
>
> > On May 23, 2018, at 7:18 PM, K. Scott Helms 
> wrote:
> >
> > Anything that can tie back to an individual data subject is PII, that
> means email addresses, names in combination with addresses or phone
> numbers, fingerprints, or even insufficiently abstracted internal ID
> numbers/codes.
>
> Don't forget IP addresses, as part of the wonderfully vague "online
> identifiers".
>
> > Notice I didn't say EU citizen there, that's because the law and
> regulations (GDPR consists of both) intentionally cover any natural person
> in any of the 28 EU nations including the citizens of non-EU nations.
> >  I don't go as far as I think Anne was suggesting, in that someone in EU
> airspace who sent an email or made a purchase is now suddenly an EU data
> subject.
>
> You may accuse me of being a lawyer here (and rightly so :-) ), but "in",
> as in "in the Union" (which is the actual language) is very much open to
> interpretation.  In a judicial system where lawsuits have turned on  - I
> kid you not - the interpretation of what a comma meant, I can almost
> guarantee you that "in the Union" is going to get interpreted through
> lawsuits, and it is absolutely not outside the realm of possibility that a
> U.S. citizen visiting in the EU will bring a lawsuit based on something
> happening with their PII while they were "in the Union".
>
> > Any company that is covered by the GDPR must be extremely careful that
> any company they do business with is also compliant if that company will
> have access or act as a data processor.  That means that if you are a US
> company that has US only customers, but some of your customers have
> employees that are US citizens but who live in an EU nation then they are
> bound to only use providers that are GDPR compliant.  Now, this will result
> in contractual disputes and/or loss of business rather than having EU
> regulators fine your company directly.  The end result is that many many
> many companies that don't sell or market to the EU are finding themselves
> needing to comply in the same way that companies that sell services to
> medical companies often have to follow HIPAA  (and be audited) even though
> they provide medical services themselves.
> >
>
> Actually, GDPR specifically requires processors to include statements of
> compliance right in their contracts;  we also strongly recommend that
> controllers insist on indemnification clauses in their contracts with
> processors, because if the processor screws up and there is a breach, the
> _controller_ can also be held liable, and the financial penalties in GDPR
> are very stiff.
>
> Anne
>
> Anne P. Mitchell,
> Attorney at Law
> CEO/President,
> SuretyMail Email Reputation Certification and Inbox Delivery Assistance
> GDPR Compliance Consultant
> GDPR Compliance Certification
> http://www.SuretyMail.com/
> http://www.SuretyMail.eu/
>
> Attorney at Law / Legislative Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam 

Re: Whois vs GDPR, latest news

2018-05-24 Thread Anne P. Mitchell Esq.


> On May 23, 2018, at 7:18 PM, K. Scott Helms  wrote:
> 
> Anything that can tie back to an individual data subject is PII, that means 
> email addresses, names in combination with addresses or phone numbers, 
> fingerprints, or even insufficiently abstracted internal ID numbers/codes.

Don't forget IP addresses, as part of the wonderfully vague "online 
identifiers".

> Notice I didn't say EU citizen there, that's because the law and regulations 
> (GDPR consists of both) intentionally cover any natural person in any of the 
> 28 EU nations including the citizens of non-EU nations.
>  I don't go as far as I think Anne was suggesting, in that someone in EU 
> airspace who sent an email or made a purchase is now suddenly an EU data 
> subject. 

You may accuse me of being a lawyer here (and rightly so :-) ), but "in", as in 
"in the Union" (which is the actual language) is very much open to 
interpretation.  In a judicial system where lawsuits have turned on  - I kid 
you not - the interpretation of what a comma meant, I can almost guarantee you 
that "in the Union" is going to get interpreted through lawsuits, and it is 
absolutely not outside the realm of possibility that a U.S. citizen visiting in 
the EU will bring a lawsuit based on something happening with their PII while 
they were "in the Union".

> Any company that is covered by the GDPR must be extremely careful that any 
> company they do business with is also compliant if that company will have 
> access or act as a data processor.  That means that if you are a US company 
> that has US only customers, but some of your customers have employees that 
> are US citizens but who live in an EU nation then they are bound to only use 
> providers that are GDPR compliant.  Now, this will result in contractual 
> disputes and/or loss of business rather than having EU regulators fine your 
> company directly.  The end result is that many many many companies that don't 
> sell or market to the EU are finding themselves needing to comply in the same 
> way that companies that sell services to medical companies often have to 
> follow HIPAA  (and be audited) even though they provide medical services 
> themselves.
> 

Actually, GDPR specifically requires processors to include statements of 
compliance right in their contracts;  we also strongly recommend that 
controllers insist on indemnification clauses in their contracts with 
processors, because if the processor screws up and there is a breach, the 
_controller_ can also be held liable, and the financial penalties in GDPR are 
very stiff.

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation Certification and Inbox Delivery Assistance
GDPR Compliance Consultant
GDPR Compliance Certification
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Attorney at Law / Legislative Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Board of Directors, Asilomar Microcomputer Workshop
Member, Advisory Board, Cause for Awareness
Member, Elevations Credit Union Member Council
Former Chair, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose

Available for consultations by special arrangement.
amitch...@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell  | LinkedIn/in/annemitchell







Re: Whois vs GDPR, latest news

2018-05-24 Thread jeff murphy
There’s speculation that enforcement could occur via the FTC Privacy Shield 
program. 

> On May 23, 2018, at 7:38 PM, John Levine  wrote:
> 
>> No, but in the absence of a law that specifically bars the courts from
>> doing so they will under current reciprocal treaty arrangements.
> 
> No, really, what treaties?  I understand treaties about domesticating a tort 
> judgement but this isn't a tort, this is a regulation.
> 
> R's,
> John
> 
> PS:
> 
>>> can treaties supersede US law?
> 
> That question has a very complicated answer.  tl;dr: sometimes



Re: Whois vs GDPR, latest news

2018-05-23 Thread bzs

In a nutshell this is a tariff war.

They should have pursued their ideas about data privacy etc in
international, multilateral venues.

The EU is only about 10% of the world's population and perhaps 20% of
the world's GDP.

What does, for example, China or India think about all this? Is the EU
going to seek enforcement against Alibaba or Baidu or FlipKart (ok
Walmart owns most of FlipKart now but you get my point I hope)? Latin
America? Africa? Brooklyn?!

Are APEC, ASEAN, CIS, GCC, DJT, etc (regional trade organizations)
each going to launch their own "GDPR"?

My guess:

Some noise, some lawyers make a buttload* of money, other countries
and multinational trade orgs begin resisting which attracts attention
from their non-EU nation members, and then it's modified into
oblivion.

* Note: a "butt" is a standard English barrel measure, a large barrel,
108 imperial gallons.

  https://en.wikipedia.org/wiki/English_brewery_cask_units#Butt

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Whois vs GDPR, latest news

2018-05-23 Thread bzs

On May 23, 2018 at 07:45 h...@efes.iucc.ac.il (Hank Nussbacher) wrote:
 > ...Now there is GDPR vs Theworld.

Or vice-versa.

Sincerely, TheWorld.com.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong
How is it false?

If you don’t do business in the EU or with EU persons, then you are not 
included in the class of organizations which GDPR says are subject to GDPR.

Owen


> On May 23, 2018, at 4:36 PM, K. Scott Helms  wrote:
> 
> Owen,
> 
> That's false, please don't spread misinformation.  
> 
> Scott Helms
> 
> On Wed, May 23, 2018, 7:34 PM Owen DeLong wrote:
> 
> 
> > On May 23, 2018, at 9:29 AM, Anne P. Mitchell Esq. wrote:
> > 
> > 
> > 
> >> On May 23, 2018, at 10:21 AM, Daniel Brisson wrote:
> >> 
> >>> Also, don't forget the private right of action.  Anyone can file anything 
> >>> in the U.S. courts... you  may get it dismissed (although then again you 
> >>> may not) but either way, it's going to be time and money out of your 
> >>> pocket fighting it.  MUCH better to just get compliant than to end up a 
> >>> test case.
> >> 
> >> Isn't "better" a factor of how much it costs to become compliant with 
> >> GDPR?  I'm no expert, but some of the things I've heard sounded not 
> >> trivial to implement (read potentially BIG investment).
> >> 
> >> -dan
> > 
> > In our experience, orgs that are already following all industry best 
> > practices are, generally, at least 70% of the way to becoming compliant 
> > already.   Where it can get expensive for the ones who aren't is in 
> > hardening their systems to provide for better security/privacy.  U.S. 
> > companies are used to being able to drink at the firehose of data that is 
> > collected here in the U.S., and use it however they want.. this is the real 
> > major change.  I suppose you could say it's expensive in that it is 
> > reducing the ways they can monetize that data. 
> 
> Of course a perfectly valid alternative is to refuse to do business with EU 
> persons. Then GDPR compliance becomes entirely unnecessary.
> 
> Owen
> 
> > 
> > Anne
> > 
> > Anne P. Mitchell, 
> > Attorney at Law
> > CEO/President, 
> > SuretyMail Email Reputation Certification and Inbox Delivery Assistance
> > GDPR Compliance Consultant
> > GDPR Compliance Certification
> > http://www.SuretyMail.com/ 
> > http://www.SuretyMail.eu/ 
> > 
> > Attorney at Law / Legislative Consultant
> > Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> > Author: The Email Deliverability Handbook
> > Legal Counsel: The CyberGreen Institute
> > Legal Counsel: The Earth Law Center
> > Member, California Bar Cyberspace Law Committee
> > Member, Colorado Cybersecurity Consortium
> > Member, Board of Directors, Asilomar Microcomputer Workshop
> > Member, Advisory Board, Cause for Awareness
> > Member, Elevations Credit Union Member Council
> > Former Chair, Asilomar Microcomputer Workshop
> > Ret. Professor of Law, Lincoln Law School of San Jose
> > 
> > Available for consultations by special arrangement.
> > amitch...@isipp.com  | @AnnePMitchell
> > Facebook/AnnePMitchell  | LinkedIn/in/annemitchell
> > 
> 



Re: Whois vs GDPR, latest news

2018-05-23 Thread John Levine

No, but in the absence of a law that specifically bars the courts from
doing so they will under current reciprocal treaty arrangements.


No, really, what treaties?  I understand treaties about domesticating a 
tort judgement but this isn't a tort, this is a regulation.


R's,
John

PS:


> can treaties supersede US law?


That question has a very complicated answer.  tl;dr: sometimes


Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong


> On May 23, 2018, at 9:29 AM, Anne P. Mitchell Esq.  
> wrote:
> 
> 
> 
>> On May 23, 2018, at 10:21 AM, Daniel Brisson  wrote:
>> 
>>> Also, don't forget the private right of action.  Anyone can file anything 
>>> in the U.S. courts... you  may get it dismissed (although then again you 
>>> may not) but either way, it's going to be time and money out of your pocket 
>>> fighting it.  MUCH better to just get compliant than to end up a test case.
>> 
>> Isn't "better" a factor of how much it costs to become compliant with GDPR?  
>> I'm no expert, but some of the things I've heard sounded not trivial to 
>> implement (read potentially BIG investment).
>> 
>> -dan
> 
> In our experience, orgs that are already following all industry best 
> practices are, generally, at least 70% of the way to becoming compliant 
> already.   Where it can get expensive for the ones who aren't is in hardening 
> their systems to provide for better security/privacy.  U.S. companies are 
> used to being able to drink at the firehose of data that is collected here in 
> the U.S., and use it however they want.. this is the real major change.  I 
> suppose you could say it's expensive in that it is reducing the ways they can 
> monetize that data. 

Of course a perfectly valid alternative is to refuse to do business with EU 
persons. Then GDPR compliance becomes entirely unnecessary.

Owen

> 
> Anne
> 
> 



Re: Whois vs GDPR, latest news

2018-05-23 Thread Dan Hollis

On Wed, 23 May 2018, Owen DeLong wrote:

> > On May 23, 2018, at 08:53, John Levine  wrote:
> > If they try to sue in, say, US courts, the US court will ask them to
> > explain why a US court should try a suit under foreign law.  There is
> > a very short list of reasons to do that, and this isn't on it.
>
> Actually, due to treaty, it is. At least according to some lawyers that have 
> been advising ICANN stakeholder group(s).


can treaties supersede US law?

-Dan


Re: Whois vs GDPR, latest news

2018-05-23 Thread Anne P. Mitchell Esq.


> On May 23, 2018, at 11:05 AM, K. Scott Helms  wrote:
> 
> Yep, if you're doing a decent job around securing data then you don't have 
> much to be worried about on that side of things.  The problem for most 
> companies is that GDPR isn't really a security law, it's a privacy law (and 
> set of regulations).  That's where it's hard because there are a limited 
> number of ways you can, from the EU's standpoint, lawfully process someone's 
> PII.  Things like opting out and blanket agreements to use all of someone's 
> data for any reason a company may want are specifically prohibited.  Even 
> companies that don't intentionally sell into the EU (or the UK) can find 
> themselves dealing with this if they have customers with employees in the EU. 

Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based 
website and orders something (or even just provides their PII)... but happens 
to be in a plane flying over an EU country at the time.  Because GDPR doesn't 
talk about residence or citizenship, it talks only about a vague and ambiguous 
"in the Union", and I can certainly envision an argument in which the person in 
the plane claims that they were, technically, "in the Union" at the time. 

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop




Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Anne,

Yep, if you're doing a decent job around securing data then you don't have
much to be worried about on that side of things.  The problem for most
companies is that GDPR isn't really a security law, it's a privacy law (and
set of regulations).  That's where it's hard because there are a limited
number of ways you can, from the EU's standpoint, lawfully process
someone's PII.  Things like opting out and blanket agreements to use all of
someone's data for any reason a company may want are specifically
prohibited.  Even companies that don't intentionally sell into the EU (or
the UK) can find themselves dealing with this if they have customers with
employees in the EU.

On Wed, May 23, 2018 at 12:29 PM, Anne P. Mitchell Esq.  wrote:

>
>
> > On May 23, 2018, at 10:21 AM, Daniel Brisson  wrote:
> >
> >> Also, don't forget the private right of action.  Anyone can file
> anything in the U.S. courts... you  may get it dismissed (although then
> again you may not) but either way, it's going to be time and money out of
> your pocket fighting it.  MUCH better to just get compliant than to end up
> a test case.
> >
> > Isn't "better" a factor of how much it costs to become compliant with
> GDPR?  I'm no expert, but some of the things I've heard sounded not trivial
> to implement (read potentially BIG investment).
> >
> > -dan
>
> In our experience, orgs that are already following all industry best
> practices are, generally, at least 70% of the way to becoming compliant
> already.   Where it can get expensive for the ones who aren't is in
> hardening their systems to provide for better security/privacy.  U.S.
> companies are used to being able to drink at the firehose of data that is
> collected here in the U.S., and use it however they want.. this is the real
> major change.  I suppose you could say it's expensive in that it is
> reducing the ways they can monetize that data.
>
> Anne
>
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Yeah, that's not accurate.  US organizations sue EU organizations in US
courts (and vice versa) on a regular basis but have EU courts collect the
damages.  Congress can carve out an exemption, but I haven't heard of an
effort in that direction getting started yet.  In the absence of a
legislative exemption the EU regulators can absolutely sue a US entity in
US civil courts and get a ruling based on EU laws and regulations.

Here's a completely unrelated civil case, on libel, that references the
bilateral enforcement and how NY state carved out an exemption.

https://www.npr.org/sections/parallels/2015/03/21/394273902/on-libel-and-the-law-u-s-and-u-k-go-separate-ways

Scott Helms

http://twitter.com/kscotthelms


On Wed, May 23, 2018 at 11:56 AM, Owen DeLong <o...@delong.com> wrote:

> Not really. If you don’t offer services to EU persons, then you are right.
> However, due to treaties signed by the US and other countries, many places
> outside the EU are subject to GDPR overreach.
>
> Owen
>
>
> > On May 23, 2018, at 05:36, Mike Hammett <na...@ics-il.net> wrote:
> >
> > If you don't have operations in the EU, you can not so politely tell the
> EU to piss off.
> >
> >
> >
> >
> > -
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> > Midwest-IX
> > http://www.midwest-ix.com
> >
> > - Original Message -
> >
> > From: "Matthew Kaufman" <matt...@matthew.at>
> > To: "Fletcher Kittredge" <fkitt...@gwi.net>
> > Cc: "NANOG list" <nanog@nanog.org>
> > Sent: Monday, May 21, 2018 8:07:15 PM
> > Subject: Re: Whois vs GDPR, latest news
> >
> >> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge <fkitt...@gwi.net>
> wrote:
> >>
> >> What about my right to not have this crap on NANOG?
> >>
> >
> >
> > What about the likely truth that if anyone from Europe mails the list,
> then
> > every mail server operator with subscribers to the list must follow the
> > GDPR Article 14 notification requirements, as the few exceptions appear
> to
> > not apply (unless you’re just running an archive).
> >
> > Matthew
> >
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread Anne P. Mitchell Esq.


> On May 23, 2018, at 10:21 AM, Daniel Brisson  wrote:
> 
>> Also, don't forget the private right of action.  Anyone can file anything in 
>> the U.S. courts... you  may get it dismissed (although then again you may 
>> not) but either way, it's going to be time and money out of your pocket 
>> fighting it.  MUCH better to just get compliant than to end up a test case.
> 
> Isn't "better" a factor of how much it costs to become compliant with GDPR?  
> I'm no expert, but some of the things I've heard sounded not trivial to 
> implement (read potentially BIG investment).
> 
> -dan

In our experience, orgs that are already following all industry best practices 
are, generally, at least 70% of the way to becoming compliant already.   Where 
it can get expensive for the ones who aren't is in hardening their systems to 
provide for better security/privacy.  U.S. companies are used to being able to 
drink at the firehose of data that is collected here in the U.S., and use it 
however they want.. this is the real major change.  I suppose you could say 
it's expensive in that it is reducing the ways they can monetize that data. 

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation Certification and Inbox Delivery Assistance
GDPR Compliance Consultant
GDPR Compliance Certification
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Attorney at Law / Legislative Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Board of Directors, Asilomar Microcomputer Workshop
Member, Advisory Board, Cause for Awareness
Member, Elevations Credit Union Member Council
Former Chair, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose

Available for consultations by special arrangement.
amitch...@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell  | LinkedIn/in/annemitchell



Re: Whois vs GDPR, latest news

2018-05-23 Thread Daniel Brisson


On 5/23/18, 12:10 PM, "NANOG on behalf of Anne P. Mitchell Esq." 
 wrote:



> On May 23, 2018, at 9:59 AM, Owen DeLong  wrote:
> 
> 
> 
>> On May 23, 2018, at 08:53, John Levine  wrote:
>> 
>> In article 
 you write:
>>> I asked one of the EU regulators at RSA how they intended to enforce 
GDPR
>>> violations on businesses that don't operate in their jurisdiction and
>>> without hesitation he told me they'd use civil courts to sue the 
offending
>>> companies.
>> 
>> He probably thought you meant if he's in France and the business is in
>> Ireland, since they're both in the EU.  Outside the EU, on the other
>> hand, ...
>> 
>> If they try to sue in, say, US courts, the US court will ask them to
>> explain why a US court should try a suit under foreign law.  There is
>> a very short list of reasons to do that, and this isn't on it.
> 
> Actually, due to treaty, it is. At least according to some lawyers that 
have been advising ICANN stakeholder group(s). 
> 

>Also, don't forget the private right of action.  Anyone can file anything 
> in the U.S. courts... you  may get it dismissed (although then again you may 
> not) but either way, it's going to be time and money out of your pocket 
> fighting it.  MUCH better to just get compliant than to end up a test case.

Isn't "better" a factor of how much it costs to become compliant with GDPR?  
I'm no expert, but some of the things I've heard sounded not trivial to 
implement (read potentially BIG investment).

-dan







Re: Whois vs GDPR, latest news

2018-05-23 Thread Stephen Satchell

On 05/23/2018 09:09 AM, Anne P. Mitchell Esq. wrote:

> Also, don't forget the private right of action.  Anyone can file
> anything in the U.S. courts... you  may get it dismissed (although
> then again you may not) but either way, it's going to be time and
> money out of your pocket fighting it.  MUCH better to just get
> compliant than to end up a test case.


And that's why my domains use Register.com's proxy service.  I'm 
risk-averse, especially with the revenue (pennies) my domains earn. 
Better to just bite the bullet.


That said, I have abuse contacts listed for my domains.  You just have 
to ask the proxy for them.


(In 15 years, the only abuse mail I've received is mail from people who 
HATED what I said on NANAE newsgroup...and I've not used USENET for 10 
of those years.)


Re: Whois vs GDPR, latest news

2018-05-23 Thread Anne P. Mitchell Esq.


> On May 23, 2018, at 9:59 AM, Owen DeLong  wrote:
> 
> 
> 
>> On May 23, 2018, at 08:53, John Levine  wrote:
>> 
>> In article 
>>  you 
>> write:
>>> I asked one of the EU regulators at RSA how they intended to enforce GDPR
>>> violations on businesses that don't operate in their jurisdiction and
>>> without hesitation he told me they'd use civil courts to sue the offending
>>> companies.
>> 
>> He probably thought you meant if he's in France and the business is in
>> Ireland, since they're both in the EU.  Outside the EU, on the other
>> hand, ...
>> 
>> If they try to sue in, say, US courts, the US court will ask them to
>> explain why a US court should try a suit under foreign law.  There is
>> a very short list of reasons to do that, and this isn't on it.
> 
> Actually, due to treaty, it is. At least according to some lawyers that have 
> been advising ICANN stakeholder group(s). 
> 

Also, don't forget the private right of action.  Anyone can file anything in 
the U.S. courts... you  may get it dismissed (although then again you may not) 
but either way, it's going to be time and money out of your pocket fighting it. 
 MUCH better to just get compliant than to end up a test case.

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop



Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong


> On May 23, 2018, at 08:53, John Levine  wrote:
> 
> In article 
>  you 
> write:
>> I asked one of the EU regulators at RSA how they intended to enforce GDPR
>> violations on businesses that don't operate in their jurisdiction and
>> without hesitation he told me they'd use civil courts to sue the offending
>> companies.
> 
> He probably thought you meant if he's in France and the business is in
> Ireland, since they're both in the EU.  Outside the EU, on the other
> hand, ...
> 
> If they try to sue in, say, US courts, the US court will ask them to
> explain why a US court should try a suit under foreign law.  There is
> a very short list of reasons to do that, and this isn't on it.

Actually, due to treaty, it is. At least according to some lawyers that have 
been advising ICANN stakeholder group(s). 


> 
> I'm not saying that one should gratuitously poke EU regulators in the
> eye but it's pretty silly to imagine that they will waste time
> harassing people over whom they have no jurisdiction and against whom
> they have no recourse.

True. But unfortunately, companies in the US (and many other places with 
treaties with the EU, including Mauritius, for example) don’t fit that 
description. 

Owen




Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong
Not really. If you don’t offer services to EU persons, then you are right. 
However, due to treaties signed by the US and other countries, many places 
outside the EU are subject to GDPR overreach. 

Owen


> On May 23, 2018, at 05:36, Mike Hammett <na...@ics-il.net> wrote:
> 
> If you don't have operations in the EU, you can not so politely tell the EU 
> to piss off. 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> Midwest-IX 
> http://www.midwest-ix.com 
> 
> - Original Message -
> 
> From: "Matthew Kaufman" <matt...@matthew.at> 
> To: "Fletcher Kittredge" <fkitt...@gwi.net> 
> Cc: "NANOG list" <nanog@nanog.org> 
> Sent: Monday, May 21, 2018 8:07:15 PM 
> Subject: Re: Whois vs GDPR, latest news 
> 
>> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge <fkitt...@gwi.net> wrote: 
>> 
>> What about my right to not have this crap on NANOG? 
>> 
> 
> 
> What about the likely truth that if anyone from Europe mails the list, then 
> every mail server operator with subscribers to the list must follow the 
> GDPR Article 14 notification requirements, as the few exceptions appear to 
> not apply (unless you’re just running an archive). 
> 
> Matthew 
> 



Re: Whois vs GDPR, latest news

2018-05-23 Thread John Levine
In article  
you write:
>I asked one of the EU regulators at RSA how they intended to enforce GDPR
>violations on businesses that don't operate in their jurisdiction and
>without hesitation he told me they'd use civil courts to sue the offending
>companies.

He probably thought you meant if he's in France and the business is in
Ireland, since they're both in the EU.  Outside the EU, on the other
hand, ...

If they try to sue in, say, US courts, the US court will ask them to
explain why a US court should try a suit under foreign law.  There is
a very short list of reasons to do that, and this isn't on it.

I'm not saying that one should gratuitously poke EU regulators in the
eye but it's pretty silly to imagine that they will waste time
harassing people over whom they have no jurisdiction and against whom
they have no recourse.

R's,
John


Re: Whois vs GDPR, latest news

2018-05-23 Thread Roger Marquis

Dan Hollis wrote:

> How about the ones with broken contact data - deliberately or not?
> A whois blacklist sounds good to me. DNS WBL?


Many sites are already doing this locally.  It's just a matter of time
before Spamhaus or an up-and-coming entity has an RBL for it.  The data
is perhaps not precise enough for a blacklist but obfuscated whois
records are certainly useful in calculating the reputation of
ingress/egress SMTP, HTTP and other services.  This is not a new idea
and similar to the (unmaintained?) whois.abuse.net contact lookup
service, razor/pyzor, and other useful SIEM and Spamassassin inputs.

Roger Marquis


Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Of course not, but do you really want to be sued?  Even if the US courts
decline to accept GDPR cases, which is not at all a given since we have a
long history of bilateral enforcement, it costs money to deal with and I
don't want to worry that I'm going to fly one day to a country that will
enforce civil penalties.

While I don't tell most people or companies to worry if they only do
business in the US I also don't think it's a good idea to simply thumb your
nose at the EU regulators.  Some North American direct marketing and data
collection firms are definitely going to get a rude, and expensive,
awakening despite not having any EU operations.

On Wed, May 23, 2018 at 8:49 AM, Mike Hammett <na...@ics-il.net> wrote:

> *shrugs* Me hurting the EU's feelings is rather low on the list of things
> I care about.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "K. Scott Helms" <kscotthe...@gmail.com>
> To: "Mike Hammett" <na...@ics-il.net>
> Cc: "NANOG list" <nanog@nanog.org>
> Sent: Wednesday, May 23, 2018 7:46:19 AM
> Subject: Re: Whois vs GDPR, latest news
>
>
> Sadly this isn't true. While I doubt the EU regulators are going to come
> head hunting for companies any time soon they do have mechanisms in place
> to sanction companies who don't do business in the EU and the scope is
> clearly intended to reach wherever the data of EU natural persons is
> being held.
>
>
> https://gdpr-info.eu/art-3-gdpr/
>
>
>
> I asked one of the EU regulators at RSA how they intended to enforce GDPR
> violations on businesses that don't operate in their jurisdiction and
> without hesitation he told me they'd use civil courts to sue the offending
> companies.
>
>
> On Wed, May 23, 2018 at 8:36 AM, Mike Hammett < na...@ics-il.net > wrote:
>
>
> If you don't have operations in the EU, you can not so politely tell the
> EU to piss off.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ----- Original Message -
>
> From: "Matthew Kaufman" < matt...@matthew.at >
> To: "Fletcher Kittredge" < fkitt...@gwi.net >
> Cc: "NANOG list" < nanog@nanog.org >
> Sent: Monday, May 21, 2018 8:07:15 PM
> Subject: Re: Whois vs GDPR, latest news
>
>
>
> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge < fkitt...@gwi.net >
> wrote:
>
> > What about my right to not have this crap on NANOG?
> >
>
>
> What about the likely truth that if anyone from Europe mails the list,
> then
> every mail server operator with subscribers to the list must follow the
> GDPR Article 14 notification requirements, as the few exceptions appear to
> not apply (unless you’re just running an archive).
>
> Matthew
>
>
>
>
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread Mike Hammett
*shrugs* Me hurting the EU's feelings is rather low on the list of things I 
care about. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "K. Scott Helms" <kscotthe...@gmail.com> 
To: "Mike Hammett" <na...@ics-il.net> 
Cc: "NANOG list" <nanog@nanog.org> 
Sent: Wednesday, May 23, 2018 7:46:19 AM 
Subject: Re: Whois vs GDPR, latest news 


Sadly this isn't true. While I doubt the EU regulators are going to come head 
hunting for companies any time soon they do have mechanisms in place to 
sanction companies who don't do business in the EU and the scope is clearly 
intended to reach wherever the data of EU natural persons is being held. 


https://gdpr-info.eu/art-3-gdpr/ 



I asked one of the EU regulators at RSA how they intended to enforce GDPR 
violations on businesses that don't operate in their jurisdiction and without 
hesitation he told me they'd use civil courts to sue the offending companies. 


On Wed, May 23, 2018 at 8:36 AM, Mike Hammett < na...@ics-il.net > wrote: 


If you don't have operations in the EU, you can not so politely tell the EU to 
piss off. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message - 

From: "Matthew Kaufman" < matt...@matthew.at > 
To: "Fletcher Kittredge" < fkitt...@gwi.net > 
Cc: "NANOG list" < nanog@nanog.org > 
Sent: Monday, May 21, 2018 8:07:15 PM 
Subject: Re: Whois vs GDPR, latest news 



On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge < fkitt...@gwi.net > wrote: 

> What about my right to not have this crap on NANOG? 
> 


What about the likely truth that if anyone from Europe mails the list, then 
every mail server operator with subscribers to the list must follow the 
GDPR Article 14 notification requirements, as the few exceptions appear to 
not apply (unless you’re just running an archive). 

Matthew 







Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Sadly this isn't true.  While I doubt the EU regulators are going to come
head hunting for companies any time soon they do have mechanisms in place
to sanction companies who don't do business in the EU and the scope is
clearly intended to reach wherever the data of EU natural persons is
being held.

https://gdpr-info.eu/art-3-gdpr/

I asked one of the EU regulators at RSA how they intended to enforce GDPR
violations on businesses that don't operate in their jurisdiction and
without hesitation he told me they'd use civil courts to sue the offending
companies.

On Wed, May 23, 2018 at 8:36 AM, Mike Hammett <na...@ics-il.net> wrote:

> If you don't have operations in the EU, you can not so politely tell the
> EU to piss off.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "Matthew Kaufman" <matt...@matthew.at>
> To: "Fletcher Kittredge" <fkitt...@gwi.net>
> Cc: "NANOG list" <nanog@nanog.org>
> Sent: Monday, May 21, 2018 8:07:15 PM
> Subject: Re: Whois vs GDPR, latest news
>
> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge <fkitt...@gwi.net>
> wrote:
>
> > What about my right to not have this crap on NANOG?
> >
>
>
> What about the likely truth that if anyone from Europe mails the list,
> then
> every mail server operator with subscribers to the list must follow the
> GDPR Article 14 notification requirements, as the few exceptions appear to
> not apply (unless you’re just running an archive).
>
> Matthew
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread Mike Hammett
If you don't have operations in the EU, you can not so politely tell the EU to 
piss off. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Matthew Kaufman" <matt...@matthew.at> 
To: "Fletcher Kittredge" <fkitt...@gwi.net> 
Cc: "NANOG list" <nanog@nanog.org> 
Sent: Monday, May 21, 2018 8:07:15 PM 
Subject: Re: Whois vs GDPR, latest news 

On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge <fkitt...@gwi.net> wrote: 

> What about my right to not have this crap on NANOG? 
> 


What about the likely truth that if anyone from Europe mails the list, then 
every mail server operator with subscribers to the list must follow the 
GDPR Article 14 notification requirements, as the few exceptions appear to 
not apply (unless you’re just running an archive). 

Matthew 



Re: Whois vs GDPR, latest news

2018-05-23 Thread Dan Hollis

On Tue, 22 May 2018, Jimmy Hess wrote:

> Perhaps it's time that some would consider new RBLs and Blackhole
> feeds based on:
> Domains with deliberately unavailable WHOIS data.


How about the ones with broken contact data - deliberately or not?

A whois blacklist sounds good to me. DNS WBL?


exhibit A:
==
https://whois.arin.net/rest/net/NET-66-111-32-0-1/pft?s=66.111.56.98

   - Transcript of session follows -
... while talking to aspmx.l.google.com.:

DATA

<<< 550-5.1.1 The email account that you tried to reach does not exist. Please 
try
<<< 550-5.1.1 double-checking the recipient's email address for typos or
<<< 550-5.1.1 unnecessary spaces. Learn more at
<<< 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser 
d26-v6si14042755pge.500 - gsmtp
550 5.1.1 ... User unknown
<<< 503 5.5.1 RCPT first. d26-v6si14042755pge.500 - gsmtp


exhibit B:
=
https://apps.db.ripe.net/db-web-ui/#/query?searchtext=79.121.0.5#resultsSection

   - Transcript of session follows -
... while talking to mail.kabelnet.hu.:

DATA

<<< 451 Could not complete sender verify callout ... 
Deferred: 451 Could not complete sender verify callout
<<< 503-All RCPT commands were rejected with this error:
<<< 503-Could not complete sender verify callout
<<< 503 Valid RCPT command must precede DATA
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old



-Dan
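The two exhibits above show the two ways a whois abuse contact can fail on the wire: a hard 5xx rejection (mailbox does not exist) versus a 4xx deferral (sender verification could not complete). As an added example, not part of the thread, the Python below reads sendmail-style bounce transcripts in that shape and separates contacts that are permanently broken from ones that are merely unverifiable right now, which is the distinction a whois-reputation feed would need before penalising a record. The sample transcripts, `classify_contact` and `whois_contact_report` are constructed here.

```python
"""Classify SMTP bounce transcripts for whois abuse contacts (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# In a sendmail bounce, replies from the remote MX are prefixed with "<<< ".
# The reply code is followed by "-" on continuation lines and " " on the last.
REPLY_RE = re.compile(r"^<<< (?P<code>[245]\d{2})[ -](?P<text>.*)$")
# "... while talking to mx.example.:" names the server that answered.
HOST_RE = re.compile(r"while talking to (?P<host>[^:\s]+?)\.?:")

# Constructed sample transcripts modelled on the exhibits in the post above.
EXHIBIT_A = """\
   - Transcript of session follows -
... while talking to aspmx.l.google.com.:
>>> DATA
<<< 550-5.1.1 The email account that you tried to reach does not exist. Please try
<<< 550-5.1.1 double-checking the recipient's email address for typos or
<<< 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser - gsmtp
550 5.1.1 ... User unknown
<<< 503 5.5.1 RCPT first. - gsmtp
"""

EXHIBIT_B = """\
   - Transcript of session follows -
... while talking to mail.kabelnet.hu.:
>>> DATA
<<< 451 Could not complete sender verify callout ...
Deferred: 451 Could not complete sender verify callout
<<< 503-All RCPT commands were rejected with this error:
<<< 503-Could not complete sender verify callout
<<< 503 Valid RCPT command must precede DATA
Warning: message still undelivered after 4 hours
"""


@dataclass
class ContactVerdict:
    mx_host: str
    status: str  # "broken" (5xx), "unverified" (4xx only) or "ok"
    reason: str


def parse_replies(transcript: str) -> List[Tuple[int, str]]:
    """Return (code, text) for every remote-server reply line in the transcript."""
    replies = []
    for line in transcript.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append((int(m.group("code")), m.group("text").strip()))
    return replies


def classify_contact(transcript: str) -> ContactVerdict:
    """Decide whether the contact is broken, unverifiable, or delivered fine."""
    host_m = HOST_RE.search(transcript)
    host = host_m.group("host") if host_m else "unknown"
    replies = parse_replies(transcript)
    if not replies:
        return ContactVerdict(host, "ok", "no rejection in transcript")
    for code, text in replies:
        # A 5xx on RCPT/DATA is a permanent refusal: the mailbox is gone.
        # 503 "bad sequence of commands" is only a consequence of the earlier
        # refusal (sendmail still sent DATA), so it is not a verdict by itself.
        if 500 <= code < 600 and code != 503:
            return ContactVerdict(host, "broken", f"{code} {text}")
    # Only 4xx (plus follow-on 503) seen: delivery failed for now, but the
    # address may still be valid, so it should not be listed on this evidence.
    code, text = replies[0]
    return ContactVerdict(host, "unverified", f"{code} {text}")


def whois_contact_report(bounces: Dict[str, str]) -> Dict[str, str]:
    """Map a whois object (an RIR net/inetnum handle) to its contact status."""
    return {obj: classify_contact(t).status for obj, t in bounces.items()}


if __name__ == "__main__":
    for name, transcript in (("exhibit A", EXHIBIT_A), ("exhibit B", EXHIBIT_B)):
        v = classify_contact(transcript)
        print(f"{name}: {v.mx_host} -> {v.status} ({v.reason})")
```

Only "broken" verdicts are strong enough to feed a blocklist; "unverified" ones are worth re-checking after the deferral window rather than listing.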


Re: Whois vs GDPR, latest news

2018-05-22 Thread Hank Nussbacher
On 23/05/2018 04:50, John Levine wrote:
>> What about the likely truth that if anyone from Europe mails the list, then
>> every mail server operator with subscribers to the list must follow the
>> GDPR Article 14 notification requirements, as the few exceptions appear to
>> not apply (unless you’re just running an archive).
> Some of us whose businesses and equipment are entirely in North
> America will take our chances. This is NANOG, not EUNOG, you know.
> Also, one thing that has become painfully clear is that the number of
> people who imagine that they understand the GDPR exceeds the number
> who actually understand it by several orders of magnitude. The "you
> have to delete all my messages from the archive if I unsubscribe"
> nonsense is a good indicator. R's, John
Every generation needs its religious wars.  Unix vs Windows.  OSI vs
TCP/IP.  Now there is GDPR vs Theworld.

-Hank


Re: Whois vs GDPR, latest news

2018-05-22 Thread Mark Andrews
Domain whois is absolutely useful.  Try contacting a site to report
that their nameservers are hosed without it.  People forget that the
primary purpose of whois is to report faults.  You don’t need to do
it very often but when you do it is crucial.  Remember that about
50% of zones have name servers that are not RFC compliant (the software is
broken) and that newer resolvers depend on default behaviour working
correctly.

> On 23 May 2018, at 12:37 pm, Matt Harris  wrote:
> 
> Maybe I'm going out on a limb here, but was domain whois ever really that
> useful?  I can't remember ever using it for any legitimate sort of
> activity, and I know it gets scraped quite a bit by spammers.  Most of the
> data is bogus these days on a lot of TLDs which allow "anonymous
> registrations" and which registrars often charge an extra dollar or two
> for.  Showing the authoritative nameservers is neat, but a simple NS record
> query against the next level up would suffice to provide that information
> as well.  The date of expiration may be useful if you're trying to grab a
> domain when it expires, but registrar policies often drag that out anyways
> and half the time the registrar squats on any decent domain when it expires
> anyhow.  Date of original registration may be interesting for one reason or
> another... but none of this data is personally identifiable information
> anyhow.
> 
> Now on the other hand, RIR whois is actually very useful for determining
> the rightful owner and abuse contacts for IP address space... Since RIRs
> are designated by region and, afaik, only RIPE NCC data would be impacted
> by GDPR... well, I'm surprised this isn't being talked about more than the
> domain name side of things.
> 
> Take care,
> Matt

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Whois vs GDPR, latest news

2018-05-22 Thread Matt Harris
Maybe I'm going out on a limb here, but was domain whois ever really that
useful?  I can't remember ever using it for any legitimate sort of
activity, and I know it gets scraped quite a bit by spammers.  Most of the
data is bogus these days on a lot of TLDs which allow "anonymous
registrations" and which registrars often charge an extra dollar or two
for.  Showing the authoritative nameservers is neat, but a simple NS record
query against the next level up would suffice to provide that information
as well.  The date of expiration may be useful if you're trying to grab a
domain when it expires, but registrar policies often drag that out anyways
and half the time the registrar squats on any decent domain when it expires
anyhow.  Date of original registration may be interesting for one reason or
another... but none of this data is personally identifiable information
anyhow.

Now on the other hand, RIR whois is actually very useful for determining
the rightful owner and abuse contacts for IP address space... Since RIRs
are designated by region and, afaik, only RIPE NCC data would be impacted
by GDPR... well, I'm surprised this isn't being talked about more than the
domain name side of things.

Take care,
Matt


Re: Whois vs GDPR, latest news

2018-05-22 Thread Don Gould
What is GDPR?

My current guess is "Just another thing to learn since whois is now broken
because too many of us just abused a once useful tool"



On 23 May 2018 1:50:17 PM NZST, John Levine  wrote:
>> What about the likely truth that if anyone from Europe mails the list, then
>> every mail server operator with subscribers to the list must follow the
>> GDPR Article 14 notification requirements, as the few exceptions appear to
>> not apply (unless you’re just running an archive).
>
> Some of us whose businesses and equipment are entirely in North
> America will take our chances.  This is NANOG, not EUNOG, you know.
>
> Also, one thing that has become painfully clear is that the number of
> people who imagine that they understand the GDPR exceeds the number
> who actually understand it by several orders of magnitude.
>
> The "you have to delete all my messages from the archive if I
> unsubscribe" nonsense is a good indicator.
>
> R's,
> John

--
Don Gould
5 Cargill Place
Richmond
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
Ph: +61 3 9111 1821 (Melb)
www.bowenvale.co.nz
skype: don.gould.nz


Re: Whois vs GDPR, latest news

2018-05-22 Thread Jimmy Hess
Perhaps it's time that some would consider new RBLs and blackhole
feeds based on: domains with deliberately unavailable WHOIS data.

Including domains whose registrant has failed to cause their domain
registrar and/or registry to list personally identifiable details for
registrant and contacts on servers available to the public using the
TCP port 43 WHOIS service.

For any reason, whether use of a privacy service, or by a default
"Opt-to-Privacy Rule" enforced by a local / country-specific regulation
such as GDPR.

Stance

* Ultimate burden goes to the REGISTRANT of any Internet domain to take the
  steps to ensure their domain or IP address registry makes public contacts
  appear in WHOIS at all times for their domain and/or IP address(es) ---
  including a traceable registrant name AND direct telephone and e-mail
  contacts to a responsible party specific to the domain from which a
  timely response is available and are not through a re-mailer or proxy
  service.

People may have in their country a legal right to secure control of a
domain on a registry and anonymize their registration: "Choose not to
have personal information listed in WHOIS".

HOWEVER, making this choice might then result in adverse consequences
towards connectivity AND accessibility to your resources from others
during such times as you exercise your option to have no identifiable
WHOIS data.

The registration of a domain with hidden or anonymous data only ensures
exclusivity of control.  Registration of a domain with questionable or
unverifiable personal registrant or contact information does not
guarantee that ISPs or other sites connected to the internet will choose
to allow their own users and DNS infrastructure access to un-WHOISable
domains.

Then have:
---

* Right-hand sided BLs for Internet domains with no direct WHOIS-listed
registrant address and real-person contacts including name, address,
direct e-mail and phone number valid for contact during the domain's
operational hours.

* Addons/extensions for common web browsers to check the BLs before
allowing access to an HTTP or HTTPS URL.  Then display a prominent
"Anonymized Domain: Probable Scam/Phishing Site" within the web browser
MUA; and limit or disable high-risk functions for anonymous sites, such
as web form submissions, scripting, cookies, etc., for non-WHOIS'd
domains, if the domain's WHOIS listing is missing or showed a privacy
service, or had appeared truncated or anonymized.

* IP address DNSBL for IP address allocations with no direct WHOIS-listed
holder address and real-person contacts, including name, address, direct
e-mail and phone number valid for contact during the hours when that IP
address is connected to the internet.

* DNS response policy zones (for resolver blacklists) for internet
domains with no WHOIS-listed registrant & real-person contacts including
name, address, direct e-mail and phone number valid for contact.


The EU GDPR _might_ require your registrar to offer you the ability to
opt by default to mask your personal information and e-mail from domain
or IP WHOIS data,

But should you choose to not opt to have identifiable contacts and
ownership published:

There may be networks and resources that will refuse access, or whose
users will not be allowed to resolve your DNS names, due to your refusal
to identify yourself/provide contacts for vetting, identifying and
reporting technical issues, abuse, etc.

Real-life equivalent would be directories/listings of recommended
businesses that refuse to accept listings from businesses whose owner
wants to stay anonymous.

Or people who don't want to buy their groceries from random shady
buildings that don't even have a proper sign out.

--
-JH

On Wed, May 16, 2018 at 4:10 PM, Constantine A. Murenin
 wrote:
> I think this is the worst of both worlds.  The data is basically still
> public, but you cannot access it unless someone marks you as a
> "friend".
>
> This policy is basically what Facebook is.  And how well it played out
> once folks realised that their shared data wasn't actually private?
>
> C.
>
> On 16 May 2018 at 16:02, Brian Kantor  wrote:
>> A draft of the new ICANN Whois policy was published a few days ago.
>>
>> https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-temp-specs-14may18-en.pdf
>>
>> From that document:
>>
>> "This Temporary Specification for gTLD Registration Data (Temporary
>> Specification) establishes temporary requirements to allow ICANN
>> and gTLD registry operators and registrars to continue to comply
>> with existing ICANN contractual requirements and community-developed
>> policies in light of the GDPR. Consistent with ICANN’s stated
>> objective to comply with the GDPR, while maintaining the existing
>> WHOIS system to the greatest extent possible, the Temporary
>> Specification maintains robust 
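The post above proposes feeding a right-hand-side BL or a resolver response policy zone from WHOIS records whose registrant contacts are missing, redacted or routed through a privacy service. The following is an added illustration of what that pipeline looks like in practice; it is not code from the thread, from any registrar or from any RBL operator. It parses ICANN-style "Key: Value" WHOIS output, classifies each record as `ok`, `missing`, `redacted` or `privacy_service`, and renders an RPZ zone in which the first two verdicts answer NXDOMAIN (`CNAME .`) while a privacy service is only logged (`CNAME rpz-passthru.`). The four WHOIS records, the `.test` domains, the zone name `whois-policy.rpz.example` and the regex markers are all constructed assumptions, and the mapping from verdict to RPZ action is one operator's policy choice rather than anything the thread specifies.

```python
"""Classify WHOIS registrant data and emit DNS RPZ policy records.

Added illustration, not code from the thread or from any registrar or RBL
operator.  The WHOIS records below are constructed samples under the
reserved .test TLD, not real registrations.
"""
import re
from dataclasses import dataclass, field

# Fields an ICANN-style WHOIS record must carry to count as a direct,
# real-person contact in the sense the thread uses.
REQUIRED_FIELDS = ("registrant name", "registrant email", "registrant phone")

# Markers of a redacted record or of a privacy/proxy service (assumed wording).
REDACTED_RE = re.compile(r"redacted|withheld|not disclosed|data protected|query the rdds", re.I)
PROXY_RE = re.compile(r"privacy|proxy|whois ?guard|on behalf of", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample records (not real domains or people).
SAMPLE_WHOIS = {
    "example-open.test": "Domain Name: EXAMPLE-OPEN.TEST\nRegistrant Name: Jane Operator\n"
        "Registrant Organization: Example Networks Ltd\n"
        "Registrant Email: noc@example-open.test\nRegistrant Phone: +1.5555550100\n",
    "example-proxy.test": "Domain Name: EXAMPLE-PROXY.TEST\n"
        "Registrant Name: Anonymous Registrant Proxy Ltd\n"
        "Registrant Email: contact-9f2@anon-proxy.test\nRegistrant Phone: +1.5555550199\n",
    "example-redacted.test": "Domain Name: EXAMPLE-REDACTED.TEST\n"
        "Registrant Name: REDACTED FOR PRIVACY\n"
        "Registrant Email: Please query the RDDS service of the Registrar\n"
        "Registrant Phone: REDACTED FOR PRIVACY\n",
    "example-missing.test": "Domain Name: EXAMPLE-MISSING.TEST\nName Server: NS1.EXAMPLE-MISSING.TEST\n",
}


@dataclass
class Verdict:
    domain: str
    verdict: str               # "ok" | "missing" | "redacted" | "privacy_service"
    reasons: list = field(default_factory=list)


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' lines into a dict keyed by lower-cased field name.
    The first occurrence of a key wins; the value keeps any later colons."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key and value and key not in fields:
            fields[key] = value
    return fields


def classify_whois(text: str) -> Verdict:
    """Decide whether a record gives a direct, real-person contact."""
    f = parse_whois(text)
    domain = f.get("domain name", "").lower()
    missing = [k for k in REQUIRED_FIELDS if k not in f]
    if missing:
        return Verdict(domain, "missing", [f"no {k}" for k in missing])
    reasons = [f"{k} redacted" for k in REQUIRED_FIELDS if REDACTED_RE.search(f[k])]
    if not EMAIL_RE.match(f["registrant email"]):
        reasons.append("registrant email is not a mailable address")
    if reasons:
        return Verdict(domain, "redacted", reasons)
    reasons = [f"{k} names a privacy/proxy service"
               for k in ("registrant name", "registrant organization")
               if k in f and PROXY_RE.search(f[k])]
    if reasons:
        return Verdict(domain, "privacy_service", reasons)
    return Verdict(domain, "ok")


# RPZ action per verdict: "CNAME ." answers NXDOMAIN, "CNAME rpz-passthru."
# lets the query through but logs the hit.  This mapping is a policy choice.
RPZ_ACTION = {"missing": "CNAME .", "redacted": "CNAME .",
              "privacy_service": "CNAME rpz-passthru."}


def rpz_records(verdicts) -> list:
    """One record pair (apex and wildcard) per domain that fails the policy."""
    out = []
    for v in verdicts:
        action = RPZ_ACTION.get(v.verdict)
        if action and v.domain:
            out.append(f"{v.domain} {action}")
            out.append(f"*.{v.domain} {action}")
    return out


def build_rpz_zone(verdicts, zone="whois-policy.rpz.example", serial=1) -> str:
    """Render a complete RPZ zone file that a resolver can load as a policy zone."""
    header = [f"$ORIGIN {zone}.", "$TTL 300",
              f"@ SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
              "@ NS localhost."]
    return "\n".join(header + rpz_records(verdicts)) + "\n"


if __name__ == "__main__":
    verdicts = [classify_whois(t) for t in SAMPLE_WHOIS.values()]
    for v in verdicts:
        print(f"{v.domain:24} {v.verdict:16} {'; '.join(v.reasons)}")
    print(build_rpz_zone(verdicts))
```

The classifier checks for redaction before it checks for a proxy service, because GDPR-style records typically say "REDACTED FOR PRIVACY" in the name field and would otherwise be misfiled as a proxy. Anyone deploying something like this should expect the false-positive rate the thread itself hints at: legitimate operators who simply chose the registrar's privacy option land in the same bucket as the anonymous ones, which is why the sample maps them to a log-only action.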

Re: Whois vs GDPR, latest news

2018-05-22 Thread John Levine
>What about the likely truth that if anyone from Europe mails the list, then
>every mail server operator with subscribers to the list must follow the
>GDPR Article 14 notification requirements, as the few exceptions appear to
>not apply (unless you’re just running an archive).

Some of us whose businesses and equipment are entirely in North
America will take our chances.  This is NANOG, not EUNOG, you know.

Also, one thing that has become painfully clear is that the number of
people who imagine that they understand the GDPR exceeds the number
who actually understand it by several orders of magnitude.

The "you have to delete all my messages from the archive if I
unsubscribe" nonsense is a good indicator.

R's,
John


Re: Whois vs GDPR, latest news

2018-05-21 Thread Matthew Kaufman
On Mon, May 21, 2018 at 7:03 PM Jason Hellenthal 
wrote:

> Mind pointing out where in the GDPR that it directly relates to these
> types of mail services ?
>
>
>
Like most regulations, it doesn’t call out a specific thing like email or
social networking sites or ecommerce. But it follows quite directly:

GDPR covers processing of personal data of EU subjects.

Email addresses are personal data.

Article 14 says that if you receive personal data but not directly from the
subject, you must notify the subject and provide them with a variety of
information.

There are exceptions for things like scientific studies and archival
purposes... but not because it is simply inconvenient to do so.

That this probably just isn’t going to happen for any email servers or
search engine crawlers doesn’t mean the law doesn’t say what it says.

Matthew


Re: Whois vs GDPR, latest news

2018-05-21 Thread Jason Hellenthal
Mind pointing out where in the GDPR that it directly relates to these types of 
mail services ?

> On May 21, 2018, at 20:07, Matthew Kaufman  wrote:
> 
> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge  wrote:
> 
>> What about my right to not have this crap on NANOG?
>> 
> 
> 
> What about the likely truth that if anyone from Europe mails the list, then
> every mail server operator with subscribers to the list must follow the
> GDPR Article 14 notification requirements, as the few exceptions appear to
> not apply (unless you’re just running an archive).
> 
> Matthew


-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.







Re: Whois vs GDPR, latest news

2018-05-21 Thread Matthew Kaufman
On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge  wrote:

> What about my right to not have this crap on NANOG?
>


What about the likely truth that if anyone from Europe mails the list, then
every mail server operator with subscribers to the list must follow the
GDPR Article 14 notification requirements, as the few exceptions appear to
not apply (unless you’re just running an archive).

Matthew


Re: Whois vs GDPR, latest news

2018-05-21 Thread valdis . kletnieks
On Thu, 17 May 2018 14:06:27 -0400, Fletcher Kittredge said:
> What about my right to not have this crap on NANOG?

procmail is your friend.




Re: Whois vs GDPR, latest news

2018-05-21 Thread Joly MacFie
If of use, last Monday I recorded and posted video of Jonathan Zuck's
briefing to NARALO on ICANN's interim plan.


> https://youtu.be/9WVI4aFg0Lc



-- 

Joly MacFie
President - Internet Society New York Chapter (ISOC-NY)
http://isoc-ny.org  218 565 9365


Re: Whois vs GDPR, latest news

2018-05-21 Thread Mark Rousell
On 17/05/2018 19:03, Zbyněk Pospíchal wrote:
> On 17/05/2018 at 18:14 Sander Steffann wrote:
>> Hi,
>>
>> But this regulation increases essential liberty for individuals, so I don't 
>> understand your argument...
> No, it doesn't. It has two aspects:
>
> [...]

Very well said.

-- 
Mark Rousell



Re: Whois vs GDPR, latest news

2018-05-21 Thread Fletcher Kittredge
What about my right to not have this crap on NANOG?

On Thu, May 17, 2018 at 2:03 PM, Zbyněk Pospíchal 
wrote:

> On 17/05/2018 at 18:14 Sander Steffann wrote:
> > Hi,
> >
> > But this regulation increases essential liberty for individuals, so I
> don't understand your argument...
>
> No, it doesn't. It has two aspects:
>
> 1. It brings new positively defined rights. But as with any other positively
> defined rights, it brings an obligation for anyone else to provide such
> rights, it requires enforcement, inspections/whatever which anyone in
> Europe must pay for from taxes and it requires implementation of a lot of
> rules, possible changing of existing internal systems etc. etc. in
> companies which will be paid from their revenue, so again from consumer
> money.
>
> 2. It would be true in an ideal situation. In the real world, there
> is no ideal situation. Accept the fact that if you would like to keep
> any data private, you must not tell it to anyone. You. You are the one
> who can decide about your data and who can really protect your data, no
> one else, no government, no GDPR. There are a lot of anonymization
> techniques, strong encryption and other things helping to cover who
> used/published/stole your private data when it is done by experienced
> professionals. It could help a little bit to keep private data protected
> against beginner and intermediate data thieves and perhaps against
> some kinds of stupid mistakes, maybe. Nothing more. Is it enough when we
> mention all the costs, including hidden? I don't think so.
>
>
> BTW, nobody told me he is going to propose such regulation before the
> last EP elections; no party I have been able to vote for has anything like
> this nor opposing anything like this in their program.
>
> --
> Regards,
> Zbynek
>



-- 
Fletcher Kittredge
GWI
207-602-1134
www.gwi.net


Re: Whois vs GDPR, latest news

2018-05-21 Thread Badiei, Farzaneh
The privacy implications that WHOIS had for domain name registrants were not 
only acknowledged by Europe. For a long time we were in a battle to get minimum 
privacy for domain registrants and the privacy proxy services provided some 
sort of relief. But the intellectual property interest with the backing of 
governments always dominated the discussions. Otherwise, the IETF had recognized the 
privacy issues of WHOIS as early as 2002 and protocols were recommended that 
could respect registrants' privacy rights.

This was not solely a European issue. It was a global issue and with GDPR 
coming into effect it only made the process faster and diluted the power of IP 
people and those who were piggybacking on their power. It's time to move on. 
GDPR is not a great law but a community that for so many years violated the 
privacy rights of domain name registrants had to be somehow stopped. It's 
unfortunate that we didn't deal with this through innovative ways... But 
saying Europe and GDPR brought this upon us is false.


From: NANOG <nanog-boun...@nanog.org> on behalf of Brian Kantor <br...@ampr.org>
Sent: Thursday, May 17, 2018 10:23:22 AM
To: North American Network Operators' Group
Subject: Re: Whois vs GDPR, latest news

An article in The Register on the current status of Whois and the GDPR.

https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/



Re: Whois vs GDPR, latest news

2018-05-17 Thread Rob Evans

I don't.  I have better things to do than babysit various accounts
I've signed up over the years.  Just because someone signs up for an
account and forgets about it is not a good enough reason to have my
information DESTROYED WITHOUT MY PERMISSION if I do happen to be busy
that week to sign in somewhere to accept a legal disclaimer.


It’s only ‘{one|that} week’ from today.  The people that hold your 
personal data appear to have not planned in advance.


Why should people (“data processors”) have the right to forward your 
personal contact details in perpetuity?  Isn’t that a problem?  They 
don’t need to ask permission to use those details for purposes for 
which you’ve already granted permission.



GDPR is touted as a policy to tackle the issue of the larger players
abusing their market positions and our trust; instead, so far, my lack
of response would just ensure that I am unsubscribed from my alumni
association in the UK; what good does it do to me?!


This may be a misunderstanding, or a cautious approach, from your alma 
mater.  If you’ve given them permission to hold your data 
about their activities all is well.  Many companies are choosing this as 
an opportunity to confirm that permission for the sake of future legal 
argument.


Rob


Re: Whois vs GDPR, latest news

2018-05-17 Thread Constantine A. Murenin
On 17 May 2018 at 08:03, Niels Bakker 

Re: Whois vs GDPR, latest news

2018-05-17 Thread bzs

On May 17, 2018 at 10:29 niels=na...@bakker.net (Niels Bakker) wrote:
 > We cannot escape UDRP but at least we now have a say in what we are 
 > forced to publish about ourselves.

Just curious, what does UDRP have to do with any of this?

UDRP is an ICANN process which allows someone who believes they have
intellectual property rights in a domain to challenge an ownership.

Granted it's been abused (but so have baseball bats) creating the new
dreaded acronym RDNH (reverse domain name hijacking) but I don't see
how that's related.

Even under GDPR a litigant can get the owner's contact information or,
if the info is false or not practically available, pursue a default
judgement which if successful would result in the domain's transfer to
them.

FWIW for new TLDs (.RODEO or whatever) the equivalent process is URS.

Gratuitous Side Note:

One of the more publicized cases of late involved FRANCE.COM which
apparently the French govt seized ownership of via WEB.COM without any
UDRP process or notice to the owner.

Overview article, you can find others:

  https://www.sgtreport.com/2018/04/france-seizes-france-com-from-man-whos-had-it-since-94-so-he-sues/

Legal filing:

  https://domainnamewire.com/wp-content/france-com.pdf

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Whois vs GDPR, latest news

2018-05-17 Thread Sander Steffann
Hi,

> On 17/05/2018 at 15:03 Niels Bakker wrote:
>> * na...@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:
>>> Agreed. This is garbage, un-needed legislation.
>> 
>> Disagreed.  These are great and necessary regulations.
>> 
>> I'm loving the flood of convoluted unsubscribe notices this month from
>> companies that had stored PII for no reason.
> 
> Those who would give up essential liberty, to purchase a little
> temporary safety(*), deserve neither liberty nor safety(*).

But this regulation increases essential liberty for individuals, so I don't 
understand your argument...

Cheers,
Sander





Re: Whois vs GDPR, latest news

2018-05-17 Thread Stephen Satchell
In a related note, I received a note from my registrar this morning 
telling me that, per current ICANN rules, I need to verify all the 
personal identifying information for the domains I control.


1.  I checked WHOIS for all my domains, and they point to the proxy 
service that my registrar offers.  So, I have no PII visible via WHOIS.


2.  I checked the contact information page, and all my (hidden) PII is 
correct.


So, at least for my domains, everything is GDPR compliant as far as 
public display is concerned.  The question about the proxy service 
providing an anonymous tunnel for, say, abuse e-mail is open to 
question.  As well as all the other bells and whistles I've seen discussed.


By the way, setting up the proxy service just takes money, not time, in 
the old school.


The fines are heavy enough that the registrars can consider forcing 
proxy service on all domains, and figure out how to recoup the costs 
later.  Months?  I don't think so.


But then again, I'm not a registrar, only a customer of those folks.

On 05/17/2018 08:29 AM, Niels Bakker wrote:

* br...@ampr.org (Brian Kantor) [Thu 17 May 2018, 16:23 CEST]:

An article in The Register on the current status of Whois and the GDPR.

https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/


My registrar already does all the things listed in this article that 
registrars supposedly don't yet do.


American companies that think they have a need, or even the right, to 
see the billing address for my personal domain can go pound sand.



 -- Niels.




Re: Whois vs GDPR, latest news

2018-05-17 Thread Niels Bakker

* br...@ampr.org (Brian Kantor) [Thu 17 May 2018, 16:23 CEST]:
An article in The Register on the current status of Whois and the 
GDPR.


https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/


My registrar already does all the things listed in this article that 
registrars supposedly don't yet do.


American companies that think they have a need, or even the right, to 
see the billing address for my personal domain can go pound sand.



-- Niels.


Re: Whois vs GDPR, latest news

2018-05-17 Thread Brian Kantor
An article in The Register on the current status of Whois and the GDPR.

https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/



Re: Whois vs GDPR, latest news

2018-05-17 Thread Niels Bakker

* na...@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:

Agreed. This is garbage, un-needed legislation.


Disagreed.  These are great and necessary regulations.

I'm loving the flood of convoluted unsubscribe notices this month from 
companies that had stored PII for no reason.



-- Niels.


Re: Whois vs GDPR, latest news

2018-05-17 Thread Mike Hammett
Agreed. This is garbage, un-needed legislation. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Owen DeLong" <o...@delong.com> 
To: b...@theworld.com 
Cc: "Constantine A. Murenin" <muren...@gmail.com>, "North American Network 
Operators' Group" <nanog@nanog.org> 
Sent: Wednesday, May 16, 2018 8:18:54 PM 
Subject: Re: Whois vs GDPR, latest news 

At this point if I were a registrar or registry doing business in such a way as 
to be subject to gdpr, I’d seriously consider spinning up a subsidiary only for 
that purpose and leave it with minimal revenues and nothing to collect in the 
event of a lawsuit. Either that or simply stop doing business with Europeans 
until their government comes to its senses. 

Fortunately, for now I get to watch from the sidelines with amusement as this 
unfolds. 

Owen 

> On May 16, 2018, at 17:26, b...@theworld.com wrote: 
> 
> 
>> On May 16, 2018 at 16:10 muren...@gmail.com (Constantine A. Murenin) wrote: 
>> I think this is the worst of both worlds. The data is basically still 
>> public, but you cannot access it unless someone marks you as a 
>> "friend". 
>> 
>> This policy is basically what Facebook is. And how well it played out 
>> once folks realised that their shared data wasn't actually private? 
> 
> The problem is that once the data gets out it's out and in many cases 
> such as this WHOIS data only stales very slowly. 
> 
> So one malicious breach or outlaw/misbehaving assignee and you may as 
> well have done nothing. 
> 
> I suppose one could /reductio ad absurdum/ and ask so therefore do 
> nothing? 
> 
> No, but perhaps more focus on misuse would be more productive. The 
> penalties for violations of GDPR are eye-watering like 4% of gross 
> revenues. That is, could be billions of dollars (or euros if you 
> prefer.) 
> 
> We know how well all this has worked in 20+ years of spam-fighting 
> which is to say not really well at all. 
> 
> It relies on this rather blue-sky model of the problem which is that 
> abuse can be reined in by putting pressure on people who actually 
> answer their phone rather than abusers who generally don't. 
> 
> Another problem is the relatively unilateral approach of GDPR coming 
> out of the EU yet promising application to any company with an EU 
> nexus (or direct jurisdiction of course.) 
> 
> In that it resembles a tariff war. 
> 
> -- 
> -Barry Shein 
> 
> Software Tool & Die | b...@theworld.com | http://www.TheWorld.com 
> Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD 
> The World: Since 1989 | A Public Information Utility | *oo* 




Re: Whois vs GDPR, latest news

2018-05-17 Thread Niels Bakker

* o...@delong.com (Owen DeLong) [Thu 17 May 2018, 03:19 CEST]:
At this point if I were a registrar or registry doing business in 
such a way as to be subject to gdpr, I’d seriously consider spinning 
up a subsidiary only for that purpose and leave it with minimal 
revenues and nothing to collect in the event of a lawsuit. Either 
that or simply stop doing business with Europeans until their 
government comes to its senses.


Fortunately, for now I get to watch from the sidelines with amusement 
as this unfolds.


I'm happy as a European to finally do business with companies that 
will have at least a modicum of respect for my privacy.


We cannot escape UDRP but at least we now have a say in what we are 
forced to publish about ourselves.



-- Niels.


Re: Whois vs GDPR, latest news

2018-05-16 Thread bzs

On May 16, 2018 at 18:18 o...@delong.com (Owen DeLong) wrote:
 > At this point if I were a registrar or registry doing business in such a way 
 > as to be subject to gdpr, I’d seriously consider spinning up a subsidiary 
 > only for that purpose and leave it with minimal revenues and nothing to 
 > collect in the event of a lawsuit. Either that or simply stop doing business 
 > with Europeans until their government comes to its senses. 

2018-04-19, The Guardian...

   https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law

or

   http://tinyurl.com/yaeqguhz

Headline:

   Facebook moves 1.5bn users out of reach of new European privacy law

...

"The move is due to come into effect shortly before General Data
Protection Regulation (GDPR) comes into force in Europe on 25
May. Facebook is liable under GDPR for fines of up to 4% of its global
turnover – around $1.6bn – if it breaks the new data protection rules."

...

"The company follows other US multinationals in the switch. LinkedIn,
for instance, is to move its own non-EU users to its US branch on 8
May. “We’ve simply streamlined the contract location to ensure all
members understand the LinkedIn entity responsible for their personal
data,” it told Reuters."

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Whois vs GDPR, latest news

2018-05-16 Thread Owen DeLong
At this point if I were a registrar or registry doing business in such a way as 
to be subject to gdpr, I’d seriously consider spinning up a subsidiary only for 
that purpose and leave it with minimal revenues and nothing to collect in the 
event of a lawsuit. Either that or simply stop doing business with Europeans 
until their government comes to its senses. 

Fortunately, for now I get to watch from the sidelines with amusement as this 
unfolds. 

Owen

> On May 16, 2018, at 17:26, b...@theworld.com wrote:
> 
> 
>> On May 16, 2018 at 16:10 muren...@gmail.com (Constantine A. Murenin) wrote:
>> I think this is the worst of both worlds.  The data is basically still
>> public, but you cannot access it unless someone marks you as a
>> "friend".
>> 
>> This policy is basically what Facebook is.  And how well it played out
>> once folks realised that their shared data wasn't actually private?
> 
> The problem is that once the data gets out it's out and in many cases
> such as this WHOIS data only stales very slowly.
> 
> So one malicious breach or outlaw/misbehaving assignee and you may as
> well have done nothing.
> 
> I suppose one could /reductio ad absurdum/ and ask so therefore do
> nothing?
> 
> No, but perhaps more focus on misuse would be more productive. The
> penalties for violations of GDPR are eye-watering like 4% of gross
> revenues. That is, could be billions of dollars (or euros if you
> prefer.)
> 
> We know how well all this has worked in 20+ years of spam-fighting
> which is to say not really well at all.
> 
> It relies on this rather blue-sky model of the problem which is that
> abuse can be reined in by putting pressure on people who actually
> answer their phone rather than abusers who generally don't.
> 
> Another problem is the relatively unilateral approach of GDPR coming
> out of the EU yet promising application to any company with an EU
> nexus (or direct jurisdiction of course.)
> 
> In that it resembles a tariff war.
> 
> -- 
> -Barry Shein
> 
> Software Tool & Die| b...@theworld.com | 
> http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
> The World: Since 1989  | A Public Information Utility | *oo*



Re: Whois vs GDPR, latest news

2018-05-16 Thread bzs

On May 16, 2018 at 16:10 muren...@gmail.com (Constantine A. Murenin) wrote:
 > I think this is the worst of both worlds.  The data is basically still
 > public, but you cannot access it unless someone marks you as a
 > "friend".
 > 
 > This policy is basically what Facebook is.  And how well it played out
 > once folks realised that their shared data wasn't actually private?

The problem is that once the data gets out it's out and in many cases
such as this WHOIS data only stales very slowly.

So one malicious breach or outlaw/misbehaving assignee and you may as
well have done nothing.

I suppose one could /reductio ad absurdum/ and ask so therefore do
nothing?

No, but perhaps more focus on misuse would be more productive. The
penalties for violations of GDPR are eye-watering like 4% of gross
revenues. That is, could be billions of dollars (or euros if you
prefer.)

We know how well all this has worked in 20+ years of spam-fighting
which is to say not really well at all.

It relies on this rather blue-sky model of the problem which is that
abuse can be reined in by putting pressure on people who actually
answer their phone rather than abusers who generally don't.

Another problem is the relatively unilateral approach of GDPR coming
out of the EU yet promising application to any company with an EU
nexus (or direct jurisdiction of course.)

In that it resembles a tariff war.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Whois vs GDPR, latest news

2018-05-16 Thread Constantine A. Murenin
I think this is the worst of both worlds.  The data is basically still
public, but you cannot access it unless someone marks you as a
"friend".

This policy is basically what Facebook is.  And how well it played out
once folks realised that their shared data wasn't actually private?

C.

On 16 May 2018 at 16:02, Brian Kantor  wrote:
> A draft of the new ICANN Whois policy was published a few days ago.
>
> https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-temp-specs-14may18-en.pdf
>
> From that document:
>
> "This Temporary Specification for gTLD Registration Data (Temporary
> Specification) establishes temporary requirements to allow ICANN
> and gTLD registry operators and registrars to continue to comply
> with existing ICANN contractual requirements and community-developed
> policies in light of the GDPR. Consistent with ICANN’s stated
> objective to comply with the GDPR, while maintaining the existing
> WHOIS system to the greatest extent possible, the Temporary
> Specification maintains robust collection of Registration Data
> (including Registrant, Administrative, and Technical contact
> information), but restricts most Personal Data to layered/tiered
> access. Users with a legitimate and proportionate purpose for
> accessing the non-public Personal Data will be able to request
> such access through Registrars and Registry Operators. Users will
> also maintain the ability to contact the Registrant or Administrative
> and Technical contacts through an anonymized email or web form. The
> Temporary Specification shall be implemented where required by the
> GDPR, while providing flexibility to Registry Operators and Registrars
> to choose to apply the requirements on a global basis based on
> implementation, commercial reasonableness and fairness considerations.
> The Temporary Specification applies to all registrations, without
> requiring Registrars to differentiate between registrations of legal
> and natural persons. It also covers data processing arrangements
> between and among ICANN, Registry Operators, Registrars, and Data
> Escrow Agents as necessary for compliance with the GDPR."