<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Alan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I agree of course it is understood that by legal basis we mean the GDPR, however using a term as "lawful basis" instead would leave no room for confusion<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Best<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hadia
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org]
<b>On Behalf Of </b>Alan Greenberg<br>
<b>Sent:</b> Thursday, September 13, 2018 3:01 PM<br>
<b>To:</b> Amr Elsadr<br>
<b>Cc:</b> gnso-epdp-team@icann.org<br>
<b>Subject:</b> Re: [Gnso-epdp-team] Section 4.4.8<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Amr, my point was the uses the expression "legal bases" which can have multiple competing definitions and that is not a good basis (pun intended) for agreement.<br>
<br>
Alan<br>
-- <br>
Sent from my mobile. Please excuse brevity and typos.<o:p></o:p></p>
<div>
<p class="MsoNormal">On September 13, 2018 7:44:47 AM EDT, Amr Elsadr <aelsadr@icannpolicy.ninja> wrote:<o:p></o:p></p>
<p class="MsoNormal">Hi Alan,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The intention here was to state a principle on which further work down the road may be developed when we eventually get to deliberation on an access model. The principle is meant to provide guidance on a set of specific circumstances, that
if met, should allow specific portions of non-public gTLD Registration Data to be shared with specific third-parties, to address specific issues. The objective is to allow this while maintaining compliance with GDPR, or possibly other privacy laws/regulations.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is not to say that a third-party requires the kind of legal rights or mandate I believe you are describing, as in your comparison between LEAs and independent cybersecurity workers. So yes, ICANN’s Mission does come into play here.
In fact, I believe it to be a key factor of consideration. At some point, we’re going to have to deliberate on how that Mission does or does not allow third-parties access non-public Registration Data.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I hope this was helpful.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Amr<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On Sep 13, 2018, at 4:55 AM, Alan Greenberg <<a href="mailto:alan.greenberg@mcgill.ca">alan.greenberg@mcgill.ca</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">I am generally in support of this, but I question the term "grounded in legal bases". It this the legal basis in reference to GDPR (ie that there needs to be a legitimate demonstrable need to access otherwise private information). Or a
legal basis as in reference to law enforcement having a right to demand certain information.
<br>
<br>
I can accept the former (if it is made clear), but not the latter. ICANN's Mission-defined interest in ensuring that security and stability of the DNS (and by implication, the trusted nature of the DNS) may create a need for cybersecurity workers to have access
to certain data, but there is no LAW that gives them that right.<br>
<br>
Alan<br>
<br>
At 11/09/2018 04:33 PM, Alex Deacon wrote:<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi All,<br>
<br>
As you know a group of us has been working to recommend an update to Section 4.4.8 of the temp spec.
<br>
<br>
While we haven't come to full agreement on the update, we are pretty close and wanted to share the current/tentative output of the volunteer team with the broader team.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
<span style="color:blue">4.4.8 Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to addressing specific issues
involving domain name registrations related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:blue"><br>
</span>The non-bold text was suggested by Amr/NCSG and the added bold text was an updated suggested by me/IPC and supported by the BC.
<br>
<br>
Giving it a re-read again today I think additional word-smithing could be warranted, but for now I will resist and step away and let others share their thoughts.
<br>
<br>
Alex<br>
<br>
<span style="color:blue"><br>
</span><br>
-- <br>
___________<br>
Alex Deacon<br>
Cole Valley Consulting<br>
<a href="mailto:alex@colevalleyconsulting.com">alex@colevalleyconsulting.com</a><br>
+1.415.488.6009<br>
<br>
_______________________________________________<br>
Gnso-epdp-team mailing list<br>
<a href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>