[gnso-rds-pdp-purpose] Purpose sub team

Kathy Kleiman kathy at kathykleiman.com
Wed Mar 30 03:44:46 UTC 2016


Hi Susan and All,
I appreciate the goal of this sub-group - to delve into the "purpose" of 
the registration data being collected by the registrars when a gTLD 
domain name is registered. Unfortunately, few of the documents below 
shed much light on this question. The reason why is ICANN inherited the 
WHOIS/domain name registration system from the US Government and 
National Science Foundation. WHOIS was created in the 1980s when all of 
the information included (except the name of the person) was business 
information - a business address (e.g., at Harvard IT), a business 
phone, a business fax.

We are the very first PDP WG in the history of ICANN to work together to 
rethink and redesign the Whois system -- the new "RDS." Thus it falls to 
*us* to answer the question of what is the primary purpose for which the 
registration data is collected, and what data we collect for this new 
system is *"adequate, relevant and not excessive in relation to the 
purposes for which it is collected and/or further processed."* 
http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm

That's the hard work for us ahead.  I would suggest that the purpose of 
domain name registration data is to register a domain name technically 
and operationally within the global DNS.

Further, I note that secondary uses of the data, no matter how valuable, 
cannot drive or change the primary purpose of the data collection. One 
of the letters in our repository below, sent by Peter Schaar (then 
Data Protection Commissioner of Germany and Chair of the Article 29 Working 
Party of Data Protection Commissioners created under the EU Privacy 
Directive), warned ICANN that consideration of purpose for this data is 
"an extremely delicate matter" and "can not be extended to other 
purposes just because they are considered useful by some potential 
users of the directories."  2006 - 
https://www.icann.org/en/system/files/files/schaar-to-cerf-22jun06-en.pdf

In light of this warning, I submit that the sentence in the materials 
below is mislabeled: "Purpose: https://community.icann.org/x/YIxlAw". 
When I access this link, it 
leads to the question “Who should have access to gTLD registration data 
and why?” (not "what is the primary purpose for which the data is 
collected.") This is a key confusion - and I would ask that it be 
re-labeled.

But in the process, it raises the key question before us: /what is the 
primary purpose for which the registration data is collected and used/ 
versus /what are the secondary purposes to which the registration data 
might also be applied/? I am not saying we have to answer this question, 
but I am saying that Commissioner Schaar's letter as well as other 
letters and materials below indicate that there are key "purpose" 
questions, raise issues that lie at the heart of the work of this 
sub-group, and, if discussed, will allow us to provide important clarity 
and guidance to our larger WG.

I note that there are people with far more experience than I have, with 
data protection laws generally and in drafting national data protection 
laws, in particular. I look forward to their guidance - and that of our 
subgroup overall.

Best,
Kathy

On 3/28/2016 6:49 PM, Susan Kawaguchi via gnso-rds-pdp-purpose wrote:
> Thanks all for beginning the work of digging into the resource 
> materials helping to summarize the data.   ICANN staff has prepared a 
> template and reference document for our review of all the sources that 
> have identified purposes of registration data.
>
> Please take a look at the document.
>
> They have defined our first task below.  We simply want to identify 
> sections of these documents that our subteam recommends all the WG 
> members read.
>
> *_Synopsis of Key Input Documents:_*
> /[For each document identified by the small team as most helpful, a 
> single paragraph to help educate the full WG. For example, 
> highlighting sections that this small team recommends every WG member 
> read in order to better understand the Question and/or dependencies 
> between Questions. While this is NOT intended to limit the WG’s 
> consideration of additional or future inputs, it should serve as an 
> indexed starting point for all WG members to familiarize themselves 
> with each Question and its history.]/
>
>
> In the attached template is a link to all the documents on the wiki 
> that may be relevant.  (if there are others not on the wiki please 
> send to the group)   It would be helpful to have each sub team member 
> pick one or two of the resources to identify the sections that are useful. 
> After we have done that the next step will be to summarize this 
> information but I would like to focus on identification of the 
> resource material first.
>
> For ease of reference, the list of the resource documents is below.
>
> *_Input Documents that the WG should at minimum consider when 
> addressing this Question:_*
> /[Hyper-linked list of all key input documents for this Question, 
> noting which of these documents were considered most helpful by the 
> small team when creating the concise summary below. Small teams may 
> identify both existing and additional inputs. However, to minimize 
> duplication of effort, small teams should be sure to include the key 
> inputs already posted on the WG's wiki:
>
> ·Purpose: https://community.icann.org/x/YIxlAw
>
> ·All: https://community.icann.org/pages/viewpage.action?pageId=56986688
>
> A starter list is provided below from the WG’s wiki to be reviewed and 
> refined by this small team]/
>
> ·WHOIS Task Force Final Report 
> <https://archive.icann.org/en/gnso/whois-tf/report-19feb03.htm> (2007)
>
> ·WHOIS Policy Review Team Final Report 
> <https://www.icann.org/en/system/files/files/final-report-11may12-en.pdf> 
> (2012)
>
> ·SAC055, WHOIS: Blind Men and an Elephant 
> <https://www.icann.org/en/system/files/files/sac-055-en.pdf> (September 2012)
>
> ·GAC Communiqués <https://gacweb.icann.org/display/GACADV/WHOIS> 
> regarding WHOIS (2007-2015), especially
>
> -GAC Principles Regarding gTLD WHOIS Services 
> <http://whois.icann.org/en/link/gac-principles-regarding-gtld-whois-services> 
> (2007)
>
> ·/[Note: All Article 29 inputs identified thus far are listed below, 
> but *this team may wish to focus on purpose aspects* since data 
> protection inputs will be summarized by privacy team.]/
>
> ·Article 29 WP statement on the data protection impact of the ICANN 
> RAA (2013-2014)
> - https://www.icann.org/en/system/files/correspondence/namazi-to-kohnstamm-25mar14-en.pdf
> - https://www.icann.org/en/system/files/correspondence/kohnstamm-to-jeffrey-08jan14-en.pdf
> - https://www.icann.org/en/system/files/correspondence/jeffrey-to-kohnstamm-20sep13-en.pdf
> - https://www.icann.org/en/system/files/correspondence/kohnstamm-to-crocker-chehade-06jun13-en.pdf
>
> ·Article 29 WP comments on the data protection impact of the revision 
> of the ICANN RAA concerning accuracy and data retention of WHOIS (2012)
> - 
> https://www.icann.org/en/system/files/correspondence/kohnstamm-to-crocker-atallah-26sep12-en.pdf
> - 
> https://www.icann.org/en/news/correspondence/chehade-to-kohnstamm-09oct12-en
>
> ·Article 29 WP on ICANN Procedure for Handling WHOIS Conflicts with 
> Privacy Law (2007)
> - http://gnso.icann.org/en/correspondence/cerf-to-schaar-24oct07.pdf
> - 
> https://www.icann.org/en/system/files/files/cerf-to-schaar-15mar07-en.pdf
> - https://www.icann.org/en/correspondence/schaar-to-cerf-12mar07.pdf
>
> ·Article 29 WP on ICANN’s WHOIS Database Policy (2006)
> - 
> https://www.icann.org/en/system/files/files/schaar-to-cerf-22jun06-en.pdf
> - https://www.icann.org/en/correspondence/lawson-to-cerf-22jun06.pdf
> - https://www.icann.org/en/correspondence/parisse-to-icann-22jun06.pdf
> - 
> https://www.icann.org/en/system/files/files/fingleton-to-cerf-20jun06-en.pdf
>
> ·Article 29 WP Opinion on the application of the data protection 
> principles to WHOIS directories
> Article 29 WP 76 Opinion 2/2003 
> <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp76_en.pdf> 
>
>
> ·Additional Article 29 WP documents that may be of interest to this PDP WG
>
> - Article 29 WP 5 Recommendation 2/97 
> <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/1997/wp5_en.pdf>
>
> - Article 29 WP 33 Opinion 5/2000 
> <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp33_en.pdf>
>
> - Article 29 WP 41 Opinion 4/2001 
> <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2001/wp41_en.pdf>
>
> - Article 29 WP 56 Working Document 5/2002 
> <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf>
>
> - Article 29 WP 217 Opinion 4/2014 
> <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf>
>
> ·Council of Europe Declaration
>
> -Declaration of the Committee of Ministers on ICANN, human rights and 
> the rule of law 
> <https://wcd.coe.int/ViewDoc.jsp?Ref=Decl%2803.06.2015%292> (3 June 2015)
>
> ·EDPS Correspondence regarding Registration Data
>
> -Opinion of the European Data Protection Supervisor: Europe's role in 
> shaping the future of Internet Governance 
> <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-06-23_Internet_Governance_EN.pdf> 
> (23 June 2014)
>
> -ICANN's public consultation on 2013 RAA Data Retention Specification 
> Data Elements and - Legitimate Purposes for Collection and Retention 
> <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2014/14-04-17_EDPS_letter_to_ICANN_EN.pdf> 
> (17 April 2014)
>
> ·International Working Group on Data Protection in Telecommunications 
> and Media Documents
>
> -Common Position relating to Reverse Directories 
> <https://datenschutz-berlin.de/attachments/176/rever_en.pdf?1201099194> (Hong 
> Kong, 15.04.1998)
>
> -Common Position on Privacy and Data Protection aspects of the 
> Registration of Domain Names on the Internet 
> <https://datenschutz-berlin.de/attachments/222/dns_en.pdf?1200656953> 
> (Crete, 4./5.05.2000)
>
> -Common Position on Privacy and Data Protection aspects of the 
> Publication of Personal Data contained in publicly available documents 
> on the Internet 
> <https://datenschutz-berlin.de/attachments/220/pd_en.pdf?1201099774> 
> (Crete, 4./5.05.2000)
>
> -Common Position on Incorporation of telecommunications-specific 
> principles in multilateral privacy agreements: Ten Commandments to 
> protect Privacy in the Internet World 
> <https://datenschutz-berlin.de/attachments/216/tc_en.pdf?1200658742> 
> (Berlin, 13/14.09.2000)
>
> -Common Position on data protection aspects in the Draft Convention on 
> cyber-crime of the Council of Europe 
> <https://datenschutz-berlin.de/attachments/218/cy_en.pdf?1200656876> 
> (Berlin, 13/14.09.2000)
>
> ·EWG Recommendations for a Next-Generation RDS 
> <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf>, 
> especially
>
> -Section 3, Users and Purposes
>
> -Annex C, Example Use Cases
>
> -Annex A, Board Questions
>
> ·EWG Tutorial 
> <http://london50.icann.org/en/schedule/mon-ewg-final-overview/presentation-ewg-final-overview-23jun14-en.pdf> 
> Pages 17-20, 37-41 and EWG FAQs 
> <https://community.icann.org/display/EWG/EWG+FAQs> 9-12, 67
>
> ·Video FAQ “Is my purpose supported by the RDS?” 
> <https://www.youtube.com/watch?v=YzPkxNNfDY4&list=UUl7rV9qJaQEx3GKhtSLx4QA>
>
> ·Statements/Blogs by Perrin 
> <https://www.icann.org/en/system/files/files/perrin-statement-24jun14-en.pdf> 
> and Samuels 
> <http://www.circleid.com/posts/20141011_building_a_better_whois_for_the_individual_registrant/>
>
> ·Process Framework 
> <https://community.icann.org/display/gTLDRDS/Process+Framework> for a 
> PDP on Next-Generation RDS, especially Page 9, Row 1
>
>
> Please let me know which documents each of you have chosen to review.
>
> Thank you all for volunteering.
> Susan Kawaguchi
> Domain Name Manager
> Facebook Legal Dept.
>
>
> From: gnso-rds-pdp-purpose-bounces at icann.org on behalf of Kiran 
> Malancharuvil via gnso-rds-pdp-purpose <gnso-rds-pdp-purpose at icann.org>
> Reply-To: Kiran Malancharuvil <Kiran.Malancharuvil at markmonitor.com>
> Date: Monday, March 28, 2016 at 11:57 AM
> To: "gnso-rds-pdp-purpose at icann.org" <gnso-rds-pdp-purpose at icann.org>
> Subject: Re: [gnso-rds-pdp-purpose] Purpose sub team
>
> If we are going to table a recent ICANN expert group report on 
> Registration Directory Services, why don’t we start with the Expert 
> Working Group on Registration Directory Services rather than SSAC? 
> It’s much more recent and was subjected to several public comment 
> periods.
>
> Thanks,
>
> Kiran
>
> *From:* gnso-rds-pdp-purpose-bounces at icann.org *On Behalf Of* Greg 
> Shatan via gnso-rds-pdp-purpose
> *Sent:* Monday, March 28, 2016 11:53 AM
> *To:* Ayden Fabien Férdeline
> *Cc:* Gnso-rds-pdp-purpose at icann.org
> *Subject:* Re: [gnso-rds-pdp-purpose] Purpose sub team
>
> Edited below.
>
> Greg
>
>
> On Mon, Mar 28, 2016 at 12:46 PM, Ayden Fabien Férdeline 
> <gnso-rds-pdp-purpose at icann.org> wrote:
>
> Hello all,
>
>
> Thank you to Susan for setting out the approach we will take in our 
> sub-team. I will begin this exercise by tabling “WHOIS: Blind Men and 
> an Elephant”, 
> a report from the Security and Stability Advisory Committee (SSAC) in 
> September 2012.
>
>
> The gist of their report is that there are four current uses of the 
> WHOIS service, two of which the SSAC says are legitimate (law 
> enforcement access to data; security practitioner access to data), and 
> two where it is silent on the question of legitimacy (public access to 
> data; intellectual property owner access to data). I have bullet 
> pointed below the main arguments they raise in relation to the purpose 
> of collecting and maintaining this data:
>
>   * *_Terminology:_*
>   * SSAC disagrees with the term “WHOIS” - prefers three specific
>     terms be used: domain name “registration data,” “access protocol,”
>     and “directory services”.
>   * *_Data Elements:_*
>   * The appearance of email addresses guarantees that spam will be
>     delivered to those email addresses.
>   * *_Purpose:_*
>   * WHOIS was created to provide a means to make contact information
>     available for what was then a very small (and essentially
>     homogeneous in terms of user community) Internet compared to what
>     exists today.
>   * Today there are four main uses of WHOIS:
>       o Public access to details about a domain name registration.
>           + SSAC notes that "It is a widely held belief that the
>             public Internet should have access to domain name
>             registration data."
>       o Law enforcement access to details about a domain name
>         registration.
>           + SSAC says this is a legitimate use case.
>       o Intellectual property owner access to details about a domain
>         name registration.
>           + SSAC notes that "It is a widely held belief that
>             intellectual property owners should have access to domain
>             name registration data."
>       o Security practitioner access to details about a domain name
>         registration.
>           + SSAC says this is a legitimate use case.
>   * SSAC would like to see research into why users purchase
>     privacy-proxy services. It has heard that some people do so to
>     hide from law enforcement, but would like to see more
>     research/evidence to validate this point. Privacy-proxy services
>     should not hinder the ability to trace the identity of a domain
>     name registrant.
>   * *_Access Levels:_*
>   * SSAC says we need to distinguish between what information is
>     collected and what information is published in an open database.
>     Does not comment any further.
>   * *_Universality:_*
>   * Whatever policy is adopted it should be applied universally across
>     all gTLDs.
>   * *_Accuracy:_*
>   * Whatever data is collected must be accurate and there must be
>     enforcement and compliance mechanisms in place to support this.
>
> I hope this summary is useful. Please let me know if you would prefer 
> that I summarise reports in a different way as we move forward with 
> the review of past literature.
>
> Best wishes,
>
>
> Ayden Férdeline
>
> On Fri, Mar 25, 2016 at 11:28 PM, Susan Kawaguchi via 
> gnso-rds-pdp-purpose <gnso-rds-pdp-purpose at icann.org> wrote:
>
> Hello All,
>
> Thank you for volunteering for the Purpose sub team.
>
> This is a list of all that have volunteered -  Carlton Samuels, 
> Fabricio Vayra, Susan Prosser, Beth Allegretti, Jim Galvin, Kiran 
> Malancharuvil, Lori Schulman, Vlad Dinculescu, Richard Leaning, Amr 
> Elsadr, Donna Austin, Stephanie Perrin, Tjabbe Bos, Sana Ali, Ayden 
> Ferdeline, Greg Aaron, Jody Kolker, Adrian Cheek, Kathy Kleiman, Chuck 
> Gomes, Maryan Rizinski, Nathalie Coupet, Roger Carney
>
> I look forward to working with you all over the next couple of weeks 
> to collect, consolidate, concisely summarize, and then present inputs 
> and information about the purpose of registration data.
>
> This is a link to the RDS PDP WG document that describes the approach 
> the WG agreed upon 
> https://community.icann.org/download/attachments/58730879/RDS-PDP-Proposed-Summary-Approach.pdf 
>
>
> Would any one like to volunteer to start collecting information on 
> purpose of registration data?  I am sure that the RDS PDP WG wiki has 
> resources to start this collection and then we should think of what 
> else should be included.    Once we have started collecting the 
> information I think a sub team conference call to discuss what we are 
> collecting would be helpful.
>
> Any other ideas on how to approach our work?
>
> Looking forward to the discussion.
>
> Susan Kawaguchi
>
> Domain Name Manager
>
> Facebook Legal Dept.
>
>
> _______________________________________________
> gnso-rds-pdp-purpose mailing list
> gnso-rds-pdp-purpose at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-purpose
>
> Ayden Férdeline
>
> +44.77.8018.7421
>
