Professional Standards for Private Sector Cybersecurity Enforcement Agents, to permit Access to Canadians' Personal Internet Information
Organization
Faculty of Information, University of Toronto
Published
2019
Project Leader(s)
Stephanie Perrin & Andrew Clement
Summary
This research project focused on the registration data of individuals who purchase a domain name on the Internet, and on whether international standards could ensure that this personal data is protected according to law when provided to third parties, notably cybercrime investigators. With the European General Data Protection Regulation (GDPR) coming into force in 2018, the companies that register and put into service domain names were not willing to publish the personal data that the Internet Corporation for Assigned Names and Numbers (ICANN) required them to publish. The “WHOIS” interface “went dark” in 2018, and third parties including governments have been pressing ICANN and the registries and registrars to resume routine disclosure.
The researchers raised questions about how high volumes of data, necessary to fight cybercrime, can be released legally under GDPR. Are there standards of practice that would foster trust and ensure compliance with law? If so, which ones? If not, what needs to be developed? Existing ISO standards were reviewed, but found inadequate. The project leaders held a workshop at the Annual General Meeting of ICANN, inviting representatives of the multi-stakeholder organization to present their views on the issues and how access could be accommodated (full recordings, transcripts and presentations are available on the project website). Stakeholders generally did not think that new standards for accrediting professionals were necessary. The proposal from the Canadian civil liberties advocates who participated, that standardization efforts focus on the development of a digital data trust, was well received. The project bibliography focuses on models and norms surrounding data trusts.
The final report details how options for standardization were considered, and makes recommendations for future work.
Project deliverables are available in the following language(s):
English (with some French translation)
OPC Funded Project
This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin, with some materials translated into French.
Contact Information
University of Toronto, Faculty of Information
140 St. George Street
Toronto, Ontario, M5S 3G6
Phone: (250) 536-3029
E-mail: Andrew Clement