<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<p>Hello all,<br>
</p>
<p>The RrSG has significant concerns with the inclusion of
Registrants as a user group for the System for Standardized
Disclosure of non-public gTLD registration data, and strongly
recommends that this group be removed from the proposed list of
users. We are curious as to the origin of these proposed user
groups, and suggest that instead of working through this list we
begin by reviewing the purposes for processing data
(Recommendation 1) and assessing the potential user group
applicable to each purpose. <br>
<br>
Registrants already access their domains via their service
provider’s (registrar or reseller) system, as required under the
RAA. Having multiple interfaces to access the same information
poses a significant risk of inappropriate data exposure; this
unnecessary and unbalanced security risk is not compliant with
data protection law. It also creates a confusing user experience
for the registrant. For example, if a registrant uses the SSAD to
review their domain data for the purpose of confirming that it is
accurate, they would still need to work with their service
provider to confirm that the data held in that system is also up
to date. <br>
<br>
The RrSG notes that a system used to access or disclose data is
not also a system to modify that data. The EPDP team definitions
of access and disclosure do not include any capability to modify
the data, so this is a new addition to the requirements not
grounded in any previously agreed-upon basis or definition.
Modification of domains via the SSAD could easily result in
synchronization issues and security risks, where the SSAD holds
data that is different from what is in the registrar or reseller’s
platform, or an unauthorized party could modify and even hijack a
registered domain. This also represents a fundamental shift from
the system in place for the past twenty years: EPP is
one-directional, with data flowing from the reseller or registrar
through to the registry, so any functionality for updating domain
data would need to be created and implemented by thousands of
service providers worldwide. <br>
<br>
We look forward to discussing this important concern at today’s
EPDP team call. Beyond these concerns about the “Registrants”
group, we are also uncertain that “end users” is a valid group;
this and the other groups should be discussed with the plenary
team. <br>
<br>
</p>
<pre class="moz-signature" cols="72">--
Sarah Wyld
Domains Product Team
Tucows
+1.416 535 0123 Ext. 1392
</pre>
</body>
</html>