Below

—
John Bambenek

On July 1st, 2019, my DGA feeds are converting to a CC-BY-NC-SA 4.0 license 
which means commercial use will require a license. Contact 
sa...@bambenekconsulting.com for details

On Jul 9, 2019, at 16:21, Brian Dickson <brian.peter.dick...@gmail.com> wrote:

> 
> 
>> On Tue, Jul 9, 2019 at 2:01 PM John Bambenek 
>> <jcb=40bambenekconsulting....@dmarc.ietf.org> wrote:
>> Below
>> 
>> —
>> John Bambenek
>> 
>> On July 1st, 2019, my DGA feeds are converting to a CC-BY-NC-SA 4.0 license 
>> which means commercial use will require a license. Contact 
>> sa...@bambenekconsulting.com for details
>> 
>> On Jul 9, 2019, at 15:51, Jim Reid <j...@rfc1035.com> wrote:
>> 
>> >> On 9 Jul 2019, at 17:43, John Bambenek 
>> >> <jcb=40bambenekconsulting....@dmarc.ietf.org> wrote:
>> >> 
>> >> I guess I'm not understanding the risks of people accidentally disclosing 
>> >> what they don't intend to.
>> > 
>> > I suggest you learn more about GDPR. The penalties for non-compliance can 
>> > hurt - up to 4% of global turnover.
>> > 
>> 
>> No DPA is going to fine me for publishing my email on my DNS zone. Note the 
>> use of only first person pronouns. No one is talking about anything a third 
>> party will do.
>  
>> Only what domain registrants may do if they so choose. 
> 
> That is technically true, only in the cases where the registrant operates 
> their authoritative DNS server.
> 
> What is problematic, is if a registrant's data is published, where the 
> registrant uses a third party DNS hosting provider, and the registrant makes 
> a claim about that not being intentional. The starting point is a "he said, 
> she said" scenario where GDPR essentially reverses the presumption of 
> innocence on the data providers' part.

There is nuance there. For instance, on Twitter, I could tweet my phone number. 
I may want to do that for any number of reasons, but in no way does Twitter 
compel me to do it, require me to do it, or could it be an accident. 

This gets into an implementation question but anyone implementing this as a DNS 
operator on behalf of others would need to do something to prevent such 
circumstances. Namely, it can’t be a checkbox, must be free form and accept 
what the user wants as long as syntactically valid (i.e. phone number with just 
numbers). 

Having the third party autopopulate, yes, definitely a GDPR issue. 

But the domain I am emailing from now uses a third-party CDN for DNS. I can 
publish these records and there is no way it could be an accident. 

> 
> Protecting themselves against this kind of claim would require a significant 
> effort by DNS hosting providers, precisely because there would be a liability 
> issue.
> The bar would probably be quite high, for proving that the publication was 
> done by the registrant, including some manner of proof regarding identity. 
> That is a hard problem.
> For little to no perceived benefit, with a lot of development and support 
> (i.e. expense), I don't see this as likely to be taken up by DNS hosting 
> providers.
> 
> And without uptake by DNS hosting providers, there will not likely be any 
> significant uptake at all, IMHO. High relative risk, no reward.
> 

If I were betting, I would bet it won’t be widely adopted. Sure. I think it 
should be, and I think you overestimate the complexity of doing it legally 
(social media companies have figured this out). 

But without an actual standard there is nothing to implement and we’re all 
guessing at adoption. 

>  
>> 
>> There is nothing in this I-D to require publishing anything. There is 
>> nothing in this I-D to require if someone publishes that it's PII (can use 
>> role based accounts). 
> 
> This line of argument resembles that of the NRA regarding gun use, in 
> promoting the interests of weapons manufacturers. 
> No offense intended, but maybe highlighting the real-world benefits rather 
> than minimizing the risks, would be a better approach.
> I don't yet see any benefit for using DNS as the publication point, 
> particularly all the way down in the registrant's zones. 
> 
> Brian
>  
>> 
>> Please read the I-D being proposed. 
>> 
>> The concern is that a standard structure of a DNS TXT record for WHOIS may 
>> inspire someone to “accidentally” publish their email in DNS, something they 
>> can coincidentally do today because absolutely no new functionality is 
>> required to make this I-D happen.
>> 
>> The only thing being proposed here is a standard format by which to put 
>> contact info (even role based contact info) into a DNS TXT record in a 
>> standard format. 
>> 
>> > Some CIOs are learning this the hard way. British Airways got fined $200M+ 
>> > yesterday and Marriott’s been hit by a $100M+ fine today, both for data 
>> > breaches which involved due diligence failures covered by GDPR.
>> 
>> These are third parties managing someone else’s data. 
>> > 
>> > Anyone proposing policies or protocols that involve Personal Data really 
>> > needs to take account of the GDPR implications of their proposals and the 
>> > likely impact on those who will be affected.
>> > 
>> > Hey, what’s this got to do with dnsop? :-)
>> > 
>> 
>> Because the I-D at hand is about DNS TXT records. 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop