[gnso-rds-pdp-wg] Mp3, AC Recording, AC Chat & Attendance for Next-Gen RDS PDP WG call on Wednesday, 19 April 2017
Gomes, Chuck
cgomes at verisign.com
Wed Apr 19 14:24:37 UTC 2017
For those who were unable to participate in this WG meeting, I strongly encourage you to listen to the recording. We didn’t reach any tentative conclusions but I believe that the discussion illustrated the diverse issues that we need to address and hopefully showed our intent to try to find solutions to address all legitimate ones even when they may be in conflict.
Chuck
From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Nathalie Peregrine
Sent: Wednesday, April 19, 2017 3:55 AM
To: gnso-rds-pdp-wg at icann.org
Cc: gnso-secs at icann.org
Subject: [EXTERNAL] [gnso-rds-pdp-wg] Mp3, AC Recording, AC Chat & Attendance for Next-Gen RDS PDP WG call on Wednesday, 19 April 2017
Dear All,
Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Wednesday, 19 April 2017 at 05:00 UTC.
MP3: http://audio.icann.org/gnso/gnso-nextgen-rds-pdp-19apr17-en.mp3
AC recording: https://participate.icann.org/p6e1urc6y3e/<https://participate.icann.org/p6e1urc6y3e/?OWASP_CSRFTOKEN=adafe81581d64faa1c522c7df75a296bd1944eab0fa9de6de3c681a267bc868e>
The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page:
http://gnso.icann.org/en/group-activities/calendar<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_en_group-2Dactivities_calendar-23nov&d=DwMF-g&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=GJMkY4Fbi9sry9Z53DaSWJm-mHxMfFxg7MEVDf2JU90&s=FI3QJYH6DWWCDQir6NDMSjPkzdqfTTUmf9Ua-AYpc14&e=>
** Please let me know if your name has been left off the list **
Mailing list archives:http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
Wiki page: https://community.icann.org/x/CcPRAw
Thank you.
Kind regards,
Nathalie
———————————————
AC Chat Next-Gen RDS PDP WG Wednesday, 19 April 2017
Nathalie Peregrine:Dear all, welcome to the GNSO Next-Gen RDS PDP Working Group call on Wednesday 19 April 2017
Nathalie Peregrine:Meeting page: https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_C8PRAw&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=KoCEuw64tqi1FHTYtTr4Y6Xa5Sl_gtTToIyqtY_XyQc&s=634WCVY8ddPbY75-HNHJ2S-t2BoAJN6GBLtKLnCuPMs&e=
Chuck Gomes:Hello
Alex Deacon:hi chuck and everyone....
Maxim Alzoba (FAITID):Hello All
Maxim Alzoba (FAITID):I am on the bridge, hear you well
Maxim Alzoba (FAITID):Will use audio only from 5.30 ro 6.10 then back to Adobe
Nathalie Peregrine:Thanks for this information, we will know not to dial you back when we see your line drop
Chris Pelling:Good morning all
David Cake:Hi Chuck and others
Benny Samuelsen / Nordreg AB:Well its morning, good can be discussed ;-)
Tim O'Brien:+1 Benny
Lisa Phifer:Link to poll results: https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_download_attachments_64078603_AnnotatedResultsV2-2DPoll-2Dfrom-2D11AprilCall.pdf&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=KoCEuw64tqi1FHTYtTr4Y6Xa5Sl_gtTToIyqtY_XyQc&s=r84GA9FdYymRhevcHn_XrZd2RW7RSjRujgsTY04GJ58&e=
Lisa Phifer:Mute your microphone
Lisa Phifer:Starting with Q4 on pages 7-9
Lisa Phifer:Refer to summary of key concepts identified in poll responses on bottom of page 9 (last page)
Tim O'Brien:agree with A, I do this on a regular basis
Lisa Phifer:Possible key concept: a) Allowing people to get in touch with a domain name holder is a legitimate purpose
Alan Greenberg:Sorry to be late.
Benny Samuelsen / Nordreg AB:No it 's not a website owner, its a domain owner
Benny Samuelsen / Nordreg AB:different
Chris Pelling:Gone quiet steph
Chris Pelling:thats better
Stephanie Perrin:ok now I am hearing nothing.....
Chris Pelling:all quiet ?
Maxim Alzoba (FAITID):Does the domain name owner want to be contacted for reasons outside of nis contract with Registrar (if no breach of laws detected) - it is the question
Benny Samuelsen / Nordreg AB:+1 maxim
Chris Pelling:+1 maxim
Kal Feher:agree with Stephanie that there are nuances to the ability to contact a domain owner that may be lost with this kind of description for purpose
Benny Samuelsen / Nordreg AB:legitimate purpose need to be defined then
Benny Samuelsen / Nordreg AB:in what circumstances
Benny Samuelsen / Nordreg AB:is it legitimate purpose
Stephanie Perrin:And the issue of why you need to contact the person is key.
Maxim Alzoba (FAITID):+1 Jim, there might be no need for direct contact ..
Kal Feher:@maxim, there might be times when contacting the domain owner is in their interest, but not something they may have explicitly allowed. for example their site has been hacked.
Stephanie Perrin:If you want to purchase my domain name, that is not a sufficient reason....
Tim O'Brien:+1 Kal
Maxim Alzoba (FAITID):@Kal, agree, I just do not think there is a need in a direct contact, relayed info is as good as direct
Tim O'Brien:Disagree Maxim - most times the communications are not passed
Alex Deacon:some domain owners may in fact want to hear offer from 3rd parties who which to purchase the domain...
Kal Feher:@maxim and Stephanie, I think that shows why we need a more nuanced purpose than simply contacting a domain owner.
Maxim Alzoba (FAITID):It is up to a Registrarnt oh whose services to use , for example cell phones provided do not work few hours a day for most people
Greg Shatan:How does one guarantee that it is passed on?
Greg Shatan:And why would one want the intermediary to see the communication? That seems like a privacy issue.......
Stephanie Perrin:@Kal yes
Alex Deacon:2:55
Lisa Phifer:Possible key concept: b) Proportionality needs be assess in relation to each data user
Sam Lanfranco:There needs to be clarity about what is meant by "get in touch with" => a valid place to send a query but not necessarily know who or where
Kal Feher:@greg, the forwarding could be mechanical. it is no more or less reliable than any messaging provider.
Greg Shatan:We're starting out with key concepts, which are by definition high level. They can all be subject to the death of a thousand cuts of "nuance."
Maxim Alzoba (FAITID):assessment for every uses seems to be non realistic idea ... no automated processing then
Maxim Alzoba (FAITID):*user
Greg Shatan:Kal, I don't think that happens regularly now. I have the sense it does not. Would intermediaries commit to a system.
Kal Feher:@greg, I think we are afraid of the impact of an overly simplified purpose. how useful would such a purpose be for a deliberations if it give us no effective guidance?
Lisa Phifer:Possible alternative: b) Proportionality needs be assess in relation to each data element and user?
Maxim Alzoba (FAITID):be back to keyboard in 35 min, will stay on cellphone
Lisa Phifer:Possible key concept: c) ICANN needs to distinguish between individual person and legal person registration data
Maxim Alzoba (FAITID):+1 for "personal data"/"not" flag in RDS
Greg Shatan:Kal, if that's the case, all of these one line answers will be too simple. Is this entire process a rabbit hole, then?
Tim O'Brien:distinugishing could help in profiling threat actors - but how would this be verified?
Maxim Alzoba (FAITID):even in legal body fields some non well educated person can use his own phone and address .. so it might be more about setting flags for other fields too
Lisa Phifer:Possible alternative: c) ICANN needs to distinguish between individual person and legal person registration data, as required by applicable law?
Lisa Phifer:or "where required by applicable law"
Maxim Alzoba (FAITID):I think it is more about - does this thing content personal info/not
Kal Feher:Greg, I think we have to find some way of making our purposes useful for adjudicating solutions later. we can't yet judge if we are wasting time or not. no reason to give up, but it is reason to work towards specificity.
Lisa Phifer:@Jim, terminology is often natural person, distinct from legal person (corporation or other legal entity)
Maxim Alzoba (FAITID):division between legal bodies/persons - is that legal bodies are not protected by privacy laws, but... they still can use personal info of their directors
Jim Galvin (Afilias):@lisa - thanks for the distinction
Maxim Alzoba (FAITID):and formally those fields will be need to protected
Rod Rasmussen:@Jim G. One reason for knowing is whether or not a domain is being used as per requirements and in particular, if a claim of being a "natural person" with different data protections are appropriate.
Jim Galvin (Afilias):@rod - so, what we're saying is we need to know if the domain name holder is a "natural person" or not on collection of the data so that the publication can be properly processed. this does not mean that whether or not it is a natural person should be a published data element, does it?
Maxim Alzoba (FAITID):+1 Stehane
Maxim Alzoba (FAITID):Stephanie
Greg Shatan:Every high level concept, including rights to privacy, will be too nuanced if we take that approach. We might as well go to sleep, in that case.
Fabricio Vayra:+1 Greg
Stephanie Perrin:Hot button it was, indeed.
Alex Deacon:some PPSAI providers to also....
Rod Rasmussen:@Jim - that sounds like a legal question to me - from a technical perspective, that data element determines whether or not you display certain data (or even collect it) but the "flag" itself is not necessary to publish. However, I would argue from "usabilty" perspective, it would be best to publish it or you'll create more questions than you'll answer by hiding it. There may be separate legal requirements on publishing this data element. I do believe some of the ccTLD's do publish that flag if I remember correctly. Good question for that subteam.
Alex Deacon:do also
Lisa Phifer:Note that distinguishing between natural and legal persons does not require that distinction to be used in particular ways in policy - it simply allows policy to treat NPs and LPs differently (for example, to comply with applicable laws that apply only to NPs)
Alex Deacon:+1 Lisa
Susan Kawaguchi:+ 1 Lisa
Fabricio Vayra:+1 Lisa
Lisa Phifer:If memory serves me, the EWG approach was to allow LPs to identify they are LPs, to allow NPs to identify they are NPs, and to treat registrants as NPs if no indication is given when the DN is registered
Stephanie Perrin:That seems to match my recollection, Lisa
Alex Deacon:the distinction is important when applying data protection laws...
Rod Rasmussen:@Jim :-)
Fabricio Vayra:+1Alex
Stephanie Perrin:NO one is trying to prevent a corporation from identifying itself as the owner of an asset, but the situation is more nuanced for those who are not large corporations
Alex Deacon:@stephanie - is there a grey area between natural personals and legal persons? I didn't think so...but your comment above indicates there may be....
Greg Shatan:A legal person is a legal person. I don't see how size matters.
Kal Feher:there is a flow on effect if we choose to have the collection of the distinction. if it becomes a purpose of the RDS, then it may be subject to any accuracy/validation policies we come up with. And that could only be acheived via PII collection. so unless you decide that the distinction between NP and LP is important, but the accuracy of such an ascertion is irrelevant, then there'll be some addition data validation required in the future.
Tim O'Brien:Disagree on gated access
Lisa Phifer:Possible key concept: d) There should be layered/gated access to gTLD registration data
Stephanie Perrin:Where I feel there is a grey area is in where an individual, who is also the principal in a company or corporation, registers a name in his/her own name.
Stephanie Perrin:And does not use it for a commercial purpose.
Stephanie Perrin:Yet....
Maxim Alzoba (FAITID):back to Adobe, dropping the call line
Greg Shatan:If they are registering in their personal name, how would their association with a legal entity be known?
Nathalie Peregrine:thanks Maxim.
Lisa Phifer:@Stephanie, Greg - I think you're pointing out there are domain names registered by proxy (for example, by an individual or third party, for use by another entity)
Maxim Alzoba (FAITID):if the person doing something liiegal due to believe to do "good thing" ... formally it is going to be illegal
Greg Shatan:Lisa, I did not think that was the topic here.
Maxim Alzoba (FAITID):you need to be accredited some way with the local LEa to use some of their powers :(
Stephanie Perrin:No, Lisa, what I am talking about is a sole operator registering a name without a commercial purpose.
Stephanie Perrin:+1 Rod
Lisa Phifer:@Stephanie, Greg - got it, you are talking about use of domain name, not who registers it, correct?
Greg Shatan:Stephanie, isn't that a natural person? Not sure what you mean by sole operator....
Stephanie Perrin:Sort of....
Stephanie Perrin:If I am acting in my own right in my own name, I am a person entitled to data protection. If I am operating as the president of a privately owned sole entrepreneur corp, I am a business. Do I have to declare when I register a name? this is what is implied at the collection stage....
Lisa Phifer:@Stephanie, or do you have the ability to designate intended for commercial use (and change that over the lifetime of a DN)
Fabricio Vayra:• Article 29 WP 76 Opinion 2/2003 (https://urldefense.proofpoint.com/v2/url?u=http-3A__ec.europa.eu_justice_policies_privacy_docs_wpdocs_2003_wp76-5Fen.pdf&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=KoCEuw64tqi1FHTYtTr4Y6Xa5Sl_gtTToIyqtY_XyQc&s=_LWzPuws-GOPgdKoZMSuhUz8wHNo3r5B2-xKmdQ5FGA&e= ) o "registration of domain names by individuals raises different legal considerations than that of companies or other legal persons registering domain names" ... "the publication of certain information about the company or organisation (such as their identification and their physical address) is often a requirement by law in the framework of the commercial or professional activities they perform"
Maxim Alzoba (FAITID):@Stephane ... the issue might arise when the person first registers a domain and only then goes into creation of own company
Fabricio Vayra:just one example for context
Stephanie Perrin:Yes Maxim. Gets complicated if I have an idea for something, and not sure which company I might use it in when I have several.
Benny Samuelsen / Nordreg AB:yes maxim
Lisa Phifer:re: solution in search of problem, the problem the DPs were identifying I think is that there should not be a requirement for all registration data to be made public
Stephanie Perrin:Yes Lisa, the last line is the key one and brings us back to proportionality.
Lisa Phifer:Possible key concept: e) There is a need to identify and document query purposes; collection/derivation only for legit purposes
Lisa Phifer:Another alternative (from 19): Data should not be disseminated unless it is in line with a legitimate purpose
Maxim Alzoba (FAITID):@Tim, I am not saying that what you do is wrong, We need to ensure , that even after some kind of protection of personal data, you ,still be able to report breaches to the Registrant/Registrar/Registry
Jim Galvin (Afilias):@lisa - yes, let's identify the problem (not all data should be public) and then let's consider the best way to solve that problem. differentiated access is simply one possible solution
Alex Deacon:gated
Lisa Phifer:tiered, differentiated, gated.... various terms for access that is not entirely public
Maxim Alzoba (FAITID):Also in situation of potential LEA specail kind of access to RDS - cybersecurity companies will need to be able to report to those LEA RDS contacts
Tim O'Brien:to the uninformed, how is someones name, mailing & email address, and phone number deemed "personal information"
Maxim Alzoba (FAITID):so they can deal with the breach as LEAs
Stephanie Perrin:Just like the phone book, it has been considered personal for some time. The fact that it is all available in the US does not nullify that.
Greg Shatan:Maxim, there's no reason for that.
Alex Deacon:@maxim - i do not agree with that comment. (i.e. cybersecurity companies need to report to LEA's)
Maxim Alzoba (FAITID):@Greg, LEAs do not have to act, they might use the qualified input
Alex Deacon:I'm certain LEA's would also disagree.
Tim O'Brien:Disagree with Maxim as well - most LEO's do not care
Maxim Alzoba (FAITID):I am saying they might , not have to (both LEAs and cybersecurity companies)
Tim O'Brien:nor will help unless it is a significant loss anount
Lisa Phifer:Q2 - page 2 of results displayed
Greg Shatan:unless you meant they need to be free to report to lea should they choose to,,,,
Lisa Phifer:Comment 4: Every legitimate purpose requires a domain name registration data element
Maxim Alzoba (FAITID):@Greg - the latter - they a free to do so if they choose to do so
Maxim Alzoba (FAITID):*are
Kal Feher:it should be noted that not all queries to the RDS are for domain names
Kal Feher:host queries for example
Greg Shatan:got it, thanks.
Stephanie Perrin:See Lisa's comment
Kal Feher:"every legitimate purpose for a domain name query requires a domain name registration data element"
Stephanie Perrin:registration data is our business, our only business (apologies to Gerber)
Kal Feher:the domain name data element is not required at all for registrar or name server queries. I think most people on this group mean domain name queries against the RDS when they talk about querying the RDS.
Lisa Phifer:Note that IP WHOIS is not within our scope - our scope is gTLD DN WHOIS
Lisa Phifer:(or RDS more generically)
Kal Feher:@Lisa, the the query types discussed are all available in gTLD DN Whois
Stephanie Perrin:As painful as it is I do agree with Chuck that our mutual understanding is growing as we go through this process.
Rod Rasmussen:Right on Chuck!
Stephanie Perrin:Let's remember that, as Buttarelli said of himself, they are members of the judiciary. Not just any old data protection experts.
Greg Shatan:Regulator and judiciary. a neat trick. executioner too?
Maxim Alzoba (FAITID):the idea looks similar to "Judge Dredd" procedures :)
Alex Deacon:Have we asked the other participants for their answers to our questions?
Chris Pelling:thanks all
Maxim Alzoba (FAITID):bye all
Stephanie Perrin:They are not the regulators, the European Parliament is; in the case of the existing law of course, it would have been their own parliaments....
Amr Elsadr:Thanks all. Bye.
Venkata Atluri:Good night
Patrick Lenihan:Thanks to Each and All!
Fabricio Vayra:Byw bye
Tim OBrien:thanks all!
Fabricio Vayra:zzzzz
Rod Rasmussen:TTFN
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170419/5cf74599/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list