[gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
Stephanie Perrin
stephanie.perrin at mail.utoronto.ca
Wed Jan 18 19:58:25 UTC 2017
I will do my best to make the call next week, but am travelling so may
not manage it. Since I am the one querying the suggestion that
protecting the data and the names of the individuals under the rubric of
privacy is a wee bit off base, believing instead that people should be
accountable for what they are putting in their polling data, here is my
view, for what it is worth.
1. ICANN is fundamentally an open, transparent multistakeholder
organization where pdps are open to all. There is an expectation that
there will be robust debate and that people will be accountable for the
views they wish to express. IF a person wishes to watch what is
happening and not participate, they can monitor and thereby not be
forced to express a view. Participation in the working group should mean
that one's expectations of privacy in terms of opinions expressed is
very limited. I would like to hear the arguments for such an opinion,
if anyone has advanced them.
2. In this respect, if an organization sends a representative to attend
a pdp and they do not have the authority to speak for the organization
without vetting/checking, they have a number of options: a) omit the
survey b) fill it out in their own name with caveats that they do not
represent the organization c) get the survey questions and consult on
the answers. I don't really think it is acceptable for organizations to
anonymously fill out the survey, just as I don't buy the privacy
argument from individuals.
3. The data is useful to those of us who are trying to understand where
people are coming from. As I have said numerous times, we all view
these matters from our own perspectives and knowledge base. I am trying
to understand the degree to which people still do not understand privacy
concepts, which I think I can detect from their answers. (others may
wonder why I still don't understand how the RDS works, fair enough says
I! CHeck my data, it might help you detect necessary educational
opportunities...) I am also interested in the variance across questions,
cumulative totals per SG, etc etc).
4. At a rather fundamental level, data that is used by us even to form
rough concepts of concensus should be accessible to all in my view. This
is very controversial topic which has caused considerable conflict over
the years, let us try to minimize any potential for later questions or
distrust by ensuring all data is available.
There are ways around this problem of disclosure vs non-disclosure.
1. Inform people that polling data will be available. Forwarned.
2. RElease data minus the name. However, folks will be guessing who is
from what constituency, and frankly we must have the constituency data.
Normally for disclosure of PI for people in groups we go by the rule of
4.....rarely are there 4 NCSG folks filling out the polls, so you can
identify us anyway, this may be different for other groups. I think
this one is a non-starter but there it is.
3. Seek consent. As discussed above, I don't think the privacy
arguments hold water; it is bad policy to seek consent on something that
you could not /should not protect in the first place. Also a
non-starter in my view, but there it is.
Again, I hope to make the call next week but wanted to start off this
discussion on the list in case I don't make it.
Cheers STephanie
On 2017-01-18 10:45, Gomes, Chuck wrote:
>
> For those of you who were unable to attend this meeting, I encourage
> you to listen to the MP3 recording and/or review the transcript as
> well as the notes that Marika sent right after the meeting. We made
> quite a lot of progress; we discussed all of the remaining proposed
> purposes for the collection of thin data and there were no objections
> from anyone on the call to the conclusion that each of the purposes
> are legitimate for the collection of thin data.
>
> The third purpose, where we started for this meeting, is Domain Name
> Certification. We spent quite a bit of time talking about this. For
> those who feel that you do not understand this purpose fully, at about
> 14:50 into the call we had what I thought was a very good discussion
> designed to make sure everyone understands Domain Name Certification,
> so I encourage you to at least listen to that portion and the
> discussion following where we discussed whether it was an acceptable
> purpose. You will note that some thick data elements were also
> mentioned but we did not make any conclusions regarding thick data.
>
> Once we finished our deliberation on Domain Name Certification, there
> was just minimal discussion on the other remaining purposes so you may
> not find the balance of the recording very informative.
>
> Near the very end of the recording we alerted everyone to an agenda
> topic we will have next week about whether raw poll data should be
> shared with the WG and, if so, in what way. Those not on the call may
> benefit from listening to that discussion in preparation for next week.
>
> Happy listening.
>
> Chuck
>
> *From:*gnso-rds-pdp-wg-bounces at icann.org
> [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On Behalf Of *Nathalie
> Peregrine
> *Sent:* Wednesday, January 18, 2017 6:57 AM
> *To:* gnso-rds-pdp-wg at icann.org
> *Cc:* gnso-secs at icann.org
> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC
> Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
>
> *With updated apologies*
>
> *From: *"owner-gnso-secs at icann.org <mailto:owner-gnso-secs at icann.org>"
> <owner-gnso-secs at icann.org <mailto:owner-gnso-secs at icann.org>> on
> behalf of Nathalie Peregrine <nathalie.peregrine at icann.org
> <mailto:nathalie.peregrine at icann.org>>
> *Date: *Wednesday, January 18, 2017 at 11:52 AM
> *To: *"gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>"
> <gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>>
> *Cc: *"gnso-secs at icann.org <mailto:gnso-secs at icann.org>"
> <gnso-secs at icann.org <mailto:gnso-secs at icann.org>>
> *Subject: *[gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP
> WG on Wednesday, 18 January 2017 at 06:00 UTC
>
> Dear all,
>
> Please find the attendance of the call attached to this email and
> the MP3 recording below for the Next-Gen RDS PDP Working group call
> held on Wednesday, 18 January 2017 at 06:00 UTC.
>
> *MP3:*https://audio.icann.org/gnso/gnso-nextgen-rds-pdp-18jan17-en.mp3[audio.icann.org]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__audio.icann.org_gnso_gnso-2Dnextgen-2Drds-2Dpdp-2D18jan17-2Den.mp3&d=DwMF-g&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=KzV067Eeyuj3JRSZjh52PCELr7QkhUBq7VIagMYGQHQ&s=uyVJrYZT_qdZJbfPUPpqgfDfWFEr8V_cPaLxcsC8WHg&e=>
>
> The recordings and transcriptions of the calls are posted on the GNSO
> Master Calendar page:
>
> http://gnso.icann.org/en/group-activities/calendar
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_en_group-2Dactivities_calendar-23nov&d=DgMF-g&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8_WhWIPqsLT6TmF1Zmyci866vcPSFO4VShFqESGe_5iHWGlBLwwwehFBfjrsjWv9&m=weT6ABypO2mbhE1dWs5uImJ38Mh2plfgTgH1L07rZf0&s=EHJpg8atZYvWGJ5XfS368jdC7F4jfuSw2xjKnh_5bn8&e=>
>
> ** Please let me know if your name has been left off the list **
>
> Mailing list archives:http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
>
> Wiki page: https://community.icann.org/x/tarDAw[community.icann.org]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_tarDAw&d=DgMF-g&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=F8D7r-W_wECDv1_jEDzbEWNFadeWG_alTD0XBlxPtBQ&s=RaRFcjj5cgZxXRr3idDQZOPXm8sHAdt_QG2T3G_mqU8&e=>
>
> Thank you.
>
> Kind regards,
>
> Nathalie
>
> ———————————————
>
> *_AC Chat Next-Gen RDS PDP WG Wednesday 18 January 2017_*
>
> Nathalie Peregrine:Dear all, welcome to the Next-Gen RDS PDP WG call
> on Wednesday 18 January 2017 at 06:00 UTC.
>
> Nathalie Peregrine:Meeting page:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_EbTDAw&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=WjwIlN9HqKqst0hBUakd2-JJXpDPPFOkSb7qA5DRdFM&s=9uxit6N-giqXHRfYH-5VIR7I-CJjYrAxWqkj2PJDjGc&e=
>
> Michele Neylon:good morning people
>
> Michele Neylon:it's good middle of the bloody night :)
>
> Chuck Gomes:Morning?!!
>
> Benny / Nordreg AB:Good Afternoon ;-)
>
> Alex Deacon:Hi all...
>
> Abdeldjalil Bachar Bong:Bonjour à tous / hello to everyone
>
> Maxim Alzoba (FAITID):Good morning all.
>
> Michele Neylon:MUTE yourselves please
>
> Fabricio Vayra:good morning
>
> Tapani Tarvainen:Decent hour in Finland, too
>
> Farell FOLLY (africa 2.0):Morning All
>
> Michele Neylon:6am is an hour
>
> Tapani Tarvainen:8am here
>
> Michele Neylon:I'm not sure if it's decent or desiarable
>
> Maxim Alzoba (FAITID):not thaat horrible - 9am
>
> Farell FOLLY (africa 2.0):6 am here !
>
> Benny / Nordreg AB:Currently in Bangkok 1 PM
>
> Benny / Nordreg AB:so not to bad
>
> Stephanie Perrin:1 am here. I am not at my perkiest I must admit.
>
> Benny / Nordreg AB:So a silent Stephanie today? ;-)
>
> Stephanie Perrin:Not likely...just delayed, I suspect....:-)
>
> Marika Konings:no, I haven't seen anything
>
> Sam Lanfranco npoc/csih:Stephanie is probably quiet because it is
> -5C outside and the weather is freezing rain (-:
>
> Lisa Phifer:Actually, question 3 assessed level of support for
> several listed purposes, not just Domain Name Certification
>
> Stephanie Perrin:Yes Sam, if the power goes out again I may be extra
> quiet....
>
> Alex Deacon:1995 - earlier if you count the RSA days :)
>
> Fabricio Vayra:@Alex - Nice!
>
> Sam Lanfranco npoc/csih:Question: What percentage of DN
> Certificate Requests turn out to be bogus?
>
> Maxim Alzoba (FAITID):current WHOIS data is not 100% true .. should
> we assume that not all 100% are good?
>
> Abdeldjalil Bachar Bong:I need some clarification about the first
> question as iam newcomer in this WG ,Thanks my second do you have some
> resources for no-English speaker ?
>
> Benny / Nordreg AB:or .se / .nu where there are no info in whois for
> private persons
>
> Lisa Phifer:@Geoff, with respect to thin data elements, which
> elements are consulted for this authentication?
>
> Michele Neylon:My current bugbear is a particular company who
> insists on sending us their requests
>
> Michele Neylon:not to our clients
>
> Daniel K. Nanghaka:The challenge with the WHOIS is that there is no
> appropriate verification method for the users - there should be a way
> to validate sensitive data
>
> Stephanie Perrin:How often do you need to authenticate for these
> certificates?
>
> Benny / Nordreg AB:at least once per year
>
> Stephanie Perrin:Do you rely on what is in WHOIS, OR do you call the
> technical/administrative contact?
>
> Benny / Nordreg AB:per domain/ certificate
>
> Stephanie Perrin:what data do you trust? IN other words, how do you
> verify the data?
>
> Michele Neylon:domain validated certs are the cheapest ones
>
> Michele Neylon:they're also the fastest ones to get issued
>
> Michele Neylon:the level of "trust" is negligible
>
> Stephanie Perrin:But what are they worth?
>
> Michele Neylon:Stephanie - to whom?
>
> Stephanie Perrin:To anyone who is relying on the certificate....
>
> Maxim Alzoba (FAITID):hhmm .. and if the mailbox was compromised ?
>
> Michele Neylon:FYI - they're also used by valid users like me :)
>
> Michele Neylon:I'm using one on michele.blog
>
> Alex Deacon:You could argue that Domain Validation certs are good
> for encryption only. they provide zero value from an
> authentication/identity point of view.
>
> Stephanie Perrin:I would have no clue what I am using. I think I
> speak for most consumers....
>
> Michele Neylon:what Alex said
>
> Michele Neylon:they're a step up from a self-signed cert
>
> Stephanie Perrin:Thanks Alex, that is kind of where I was heading....
>
> Daniel K. Nanghaka:This is where Domain verification comes in
> strongly - and the Domain validated certificates should be placed in
> the page of the Domain to prove that the domain is validated. The
> Company should have a respective data handler who will be responsible
> for domain validation and certificate authentication.
>
> Michele Neylon:Daniel - which company?
>
> Benny / Nordreg AB:Unsure how you will make that happen Daniel?
>
> Maxim Alzoba (FAITID):The company
>
> Maxim Alzoba (FAITID):in some movies it was the name for one of the
> agencies
>
> Alex Deacon:@stephanie - it depends on the type of cert.
>
> Daniel K. Nanghaka:@Michele - the company that that owns the Domain
>
> Daniel K. Nanghaka:Yes, the biggest challenge is that many companies
> take these certificates for granted
>
> Michele Neylon:Daniel - what makes you think they're a company?
> these days a LOT of the domain validated certs are for individiuals
> not companies
>
> Michele
> Neylon:https://urldefense.proofpoint.com/v2/url?u=https-3A__letsencrypt.org_&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=WjwIlN9HqKqst0hBUakd2-JJXpDPPFOkSb7qA5DRdFM&s=gUMAlV9Le_Uk-WKSJISZI3A_tCUNIGZECo84Qr5k-w0&e=
>
> Michele Neylon:see also
> https://urldefense.proofpoint.com/v2/url?u=http-3A__motherboard.vice.com_read_google-2Dwill-2Dsoon-2Dshame-2Dall-2Dwebsites-2Dthat-2Dare-2Dunencrypted-2Dchrome-2Dhttps&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=WjwIlN9HqKqst0hBUakd2-JJXpDPPFOkSb7qA5DRdFM&s=pFgFCnrUIsQEyD06VMwyJjHMCAjk5hpZrorKO9I0cCU&e=
>
> Maxim Alzoba (FAITID):letsencrypt ... they relay on publicsuffix,
> for exumple and the latter uses whois ...
>
> Maxim Alzoba (FAITID):*example
>
> Maxim Alzoba (FAITID):the only other source of info ... is LEA
>
> Alex Deacon:@maxim - you lost me. what info does LEA have?
>
> Maxim Alzoba (FAITID):Law Enforcement Agency
>
> Alex Deacon:i know what lea stands for....
>
> Stephanie Perrin:I must be missing something here. If I am a
> legitimate rep of a company requesting a cert, why could you not ask
> for a whole mess of non-publically available data, signed by the
> company, to validate my request?
>
> Maxim Alzoba (FAITID):current internet users will surely suffer (and
> services too ) if certificates are no more
>
> Michele Neylon:Stephanie - because it's time consuming and a pain in
> the neck?
>
> Stephanie Perrin:If you are looking for a phone number is that part
> of thin data? I did not think so.
>
> Michele Neylon:it doesn't scale
>
> Alex Deacon:@stephanie - a CA needs a way to "bind" (associate) an
> org/user with a domain. WHOIS does this today.
>
> Michele Neylon:phone numbers are "thick"
>
> Stephanie Perrin:That is what I thought. So we are talking about
> thick data here. And if only some registrants want certs, then why
> should all registrants have to put their thick data in WHOIS?
>
> Lisa Phifer:Note that handout is now displayed, showing this purpose
> and related thin data elements
>
> Stephanie Perrin:So what percentage of registrations want/need certs?
>
> Michele Neylon:Stephanie - see the link I posted above
>
> Benny / Nordreg AB:Soon every active domains with a website
>
> Michele Neylon:what Benny said :)
>
> Stephanie Perrin:We are talking about a purpose for collection. I
> will certainly argue about disclosure. you are collecting for a valid
> purpose. We need to discuss how you are going to use and disclose it.
>
> Abdeldjalil Bachar Bong:@Maxim I need more information when you said
> the current internet user will sufer if we don't have more certifications
>
> Stephanie Perrin:As far as I can see though, you are not collecting
> any separate data elements solely for the purpose of domain certs.
> validation
>
> Michele Neylon:Stephanie - in thin?
>
> Maxim Alzoba (FAITID):@Abdeldjalil lots of services redend on
> certificates ... e-mail , online banking e.t.c.
>
> Stephanie Perrin:certainly in thin, but even in thick...what new
> data elements are you looking for?
>
> Michele Neylon:Stephanie - no new ones
>
> Abdeldjalil Bachar Bong:Thanks @Maxim
>
> Lisa Phifer:After we get rough consensus on purposes for collecting
> thin data, we'll move to Data Elements and examine the individual data
> elements needed by that purpose, and given that we can look at under
> what conditions that data should be disclosed for that purpose...
>
> Stephanie Perrin:I seem to be the only one quibbling here. I am not
> arguing about the importance of encryption, or certification of
> sites. I am quibbling about whether authenticators, who arguably
> ought to be trusted parties, should be harvesting this data off an
> open WHOIS. If this is what they are doing as part of their
> functions, they could be autheticated to seek the data at a deeper level.
>
> Lisa Phifer:@Sam, do study subjects not have any opportunity for
> anonymity, or does it depend on the study and the types of data involved?
>
> Stephanie Perrin:It depends on the university ethics
> protocols. Certainly in Canadian unis you would not be able to
> disclose the personal data, you would have to bind users to the same
> privacy commitements.
>
> Stephanie Perrin:ICANN would have to set a research protocol for
> this, that meets the highest standard, otherwise academic access could
> become one of those jurisdictional nightmares....
>
> Lisa Phifer:@Rod, you propose adding Name Servers and Registrar to
> the list of thin data elements for this purpose?
>
> Stephanie Perrin:Is it not the case that every time you need thick
> data, you absolutely have to have access to the thin data to get at it??
>
> Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query
> any WHOIS data, but beyond that you may not need other thin data
> elements (dates, etc) for a given purpose
>
> Michele Neylon:Stephanie - yes
>
> Stephanie Perrin:Thanks Michele
>
> Michele Neylon:the thin tells you where to find the thick
>
> Michele Neylon:(sort of)
>
> Michele Neylon:(and I can't believe I just wrote that and it made
> sense to me)
>
> Stephanie Perrin:It is indeed a worrying sign...
>
> Stephanie Perrin:We have been at this a full year, I would point out....
>
> Stephanie Perrin:Consumer protection is very limited. Yes it is a
> valid purpose. Disclosure is another matter...
>
> Sam Lanfranco npoc/csih:Q. Thin raw data from the polls, or Thick
> raw data from the polls? (-:
>
> Maxim Alzoba (FAITID):just add checkbox - I do want my name shown
>
> Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit
> less convenient than xls
>
> Stephanie Perrin:I think it would be interesting to see both. I
> want to look for contradictions in responses. I also want to look for
> aggregates.
>
> Maxim Alzoba (FAITID):NamesCon?
>
> Tapani Tarvainen:(having written a number of pdf-to-text thingies...)
>
> Maxim Alzoba (FAITID):Could we add example of report as a header to
> survey? like after you fill this - it is going to look like this and that?
>
> Lisa Phifer:In short, we would need to get consent of all who responded
>
> Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT
> pool of the local ISP
>
> Michele Neylon:Stephanie is that you??
>
> Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here.
>
> Michele Neylon:has someone hijacked her identity??
>
> Michele Neylon:/me ducks
>
> Lisa Phifer:@Maxim, generally not true of respondents taking survey
> from within corporate networks - in that case, IP is often static
>
> Stephanie Perrin:Sadly I may not be on the call next week, depending
> on travel schedule
>
> Maxim Alzoba (FAITID):@Lisa, agree - it depends
>
> Maxim Alzoba (FAITID):Bye all
>
> Benny / Nordreg AB:bye all
>
> Daniel K. Nanghaka:bye
>
> Patrick Lenihan:Thanks to Each and All!
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170118/829f1be3/attachment.html>
More information about the gnso-rds-pdp-wg
mailing list