[gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose
Carlton Samuels
carlton.samuels at gmail.com
Thu Jan 26 01:06:13 UTC 2017
...that is a recommendation of the EWG. Even the candidate data elements
for unfettered access and reporting are nominated.
-Carlton
==============================
*Carlton A Samuels*
*Mobile: 876-818-1799Strategy, Planning, Governance, Assessment &
Turnaround*
=============================
On Tue, Jan 24, 2017 at 2:25 PM, Hollenbeck, Scott <shollenbeck at verisign.com
> wrote:
> The situations Greg and Jim describe below are precisely why I think we
> need to consider that there are some uses for which no client
> authentication is required and some for which it should be required – and
> that there should be a corresponding type and amount of information
> returned in response to a query based on what the user/client is willing to
> share.
>
>
>
> We already have “a query/response system that does not require credentials
> or permissions” in WHOIS. If WHOIS met our needs we wouldn’t be having this
> conversation.
>
>
>
> Scott
>
>
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-
> bounces at icann.org] *On Behalf Of *Greg Aaron
> *Sent:* Tuesday, January 24, 2017 1:53 PM
> *To:* James Galvin; RDS PDP WG
> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on
> Purpose
>
>
>
> Dear Jim:
>
>
>
> If legitimate users must identify themselves before looking up a domain
> name, and are required to state their purpose for making that query, that
> is a significant collection of data with huge privacy and security
> implications. It means that registrars and registry operators would
> collect information about what specific people are searching for, and why.
> Users who have perfectly legitimate uses are not currently required to
> give up their identities and use cases – can such a change be justified?
>
>
>
> As a practical matter, a change would makes people jump through hoops
> unnecessarily. If we’re talking about thin data, that data is not
> sensitive or personally identifiable. Thus there’s no reason for people
> who want to access it to declare their identities and use cases.
>
>
>
> Currently our RDS system (WHOIS) is a public query/response system.
> You’re pointing to turning RDS into a credential-driven system. That poses
> enormous consequences for privacy, security, and cost. A lot of people
> commented about those things in response to the EWG. See SAC061 or example.
>
>
>
> There are use cases that argue in favor of anonymous access. For example
> law enforcement investigators do not want to reveal what they are looking
> into, for obvious reasons. I also assume that they do they want to violate
> terms of service or lie about who they are or what they are doing.
>
>
>
> The setup we currently have -- a query/response system that does not
> require credentials or permissions -- avoids the above problems, among
> others.
>
>
>
> All best,
>
> --Greg
>
>
>
>
>
> *From:* James Galvin [mailto:jgalvin at afilias.info <jgalvin at afilias.info>]
> *Sent:* Tuesday, January 24, 2017 12:55 PM
> *To:* RDS PDP WG <gnso-rds-pdp-wg at icann.org>
> *Cc:* Greg Aaron <gca at icginc.com>
> *Subject:* Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose
>
>
>
> I have a comment and a question about Greg’s suggestion/conclusion.
>
> First, while I appreciate the documented history and recollection of
> precedent, we are frequently reminded that we are starting with a clean
> slate. Thus the fact that “all use is allowed except when a use is
> specifically prohibited” currently exists in contracts is not binding for
> us.
>
> Second, could you say more about how the rights of legitimate users are
> infringed by having to identify themselves before getting access to data?
> In my experience it is ordinary process to identify yourself for access
> (and sometimes authenticate yourself) unless the circumstances are known to
> be anonymous or public. This group has to decide if the circumstances
> justify anonymous or public access, and what that means.
>
> Thanks,
>
> Jim
>
>
>
>
> On 23 Jan 2017, at 12:45, Greg Aaron wrote:
>
> The question is not “Is ICANN a law enforcement body?’’ (Clearly it is
> not.) The question is whether ICANN can require that data be collected and
> published in order to facilitate various legitimate goals. The answer to
> that question is clearly “yes.”
>
>
>
> ICANN’s Bylaws describe ICANN’s responsibilities and their scope –
> especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission,
> Commitments and Core Values.” (https://www.icann.org/
> resources/pages/governance/bylaws-en/#article1 ) Among other things,
> “ICANN's scope is to coordinate the development and implementation of
> policies: For which uniform or coordinated resolution is reasonably
> necessary to facilitate the openness, interoperability, resilience,
> security and/or stability of the DNS including, with respect to gTLD
> registrars and registries… functional and performance specifications for
> the provision of registrar services; registrar policies reasonably
> necessary to implement Consensus Policies relating to a gTLD registry;
> resolution of disputes regarding the registration of domain names...
> Examples of the above include, without limitation: …maintenance of and
> access to accurate and up-to-date information concerning registered names
> and name servers”.
>
> Years back it was decided that the collection and publication of the data
> was important for accomplishing some legitimate goals, in keeping with the
> above principles. And since the old days there have been additional
> statements of note. For example in 2007 the GAC weighed in recognizing a
> number of specific legitimate uses, including “facilitating inquiries and
> subsequent steps to conduct trademark clearances and help counter
> intellectual property infringement” and “contributing to user confidence in
> the Internet”, in keeping with law. We’re reviewing all this now; just
> saying that there’s a lot of precedent, and proposals for chnage need to
> address precedent.
>
> Currently there is an approach that’s important to mention. The contracts
> say that registrars “shall permit *use *of data it provides in response
> to queries *for any lawful purposes*”. [Emphases added; and except for
> “mass unsolicited, commercial messages” i.e. spamming, and some high-volume
> queries.) *Access *is not prohibited or regulated. *All use is allowed*
> except when a use is specifically prohibited.
>
> The alternative is to enumerate all allowable uses and to regulate access
> based on each user’s intent to honor those allowed uses. And that takes
> the world to a place where a system must gatekeep all users, and parcel out
> data to them only after the assert or prove they have a legitimate use and
> that they will employ the data only for that purpose. IMHO that infringes
> upon the rights of legitimate users, and is also a completely unmanageable
> solution.
>
> All best,
>
> --Greg
>
>
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-
> bounces at icann.org <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Kimpian
> Peter
> *Sent:* Monday, January 23, 2017 8:53 AM
> *To:* Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>;
> gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose
>
>
>
> Dear All,
>
>
>
> Adding to the purpose debate: usually it is common sense and wiedly
> reckognised that we don't collect personal data just for the sake of it or
> in bulk saying it will be good for one purpose or another. Usually data
> controllers have the obligation to say openly in advance this is why I am
> going to process (ie collect, agregate, transfer, etc.) personal data.
> Being said that it can not be excluded that those data will be
> used/accessed for "higher" common good and for the benefit for all by
> another athorised data controller. For example a telco company can if all
> conditions met disclose (!) data it previously collected to law enforcement
> agencies but this does not mean that the Telco compony can collect, process
> etc data for law enforcement purpose...
>
>
>
> My simple question to start with would be and always was: Is ICANN a law
> enforcement body? Does ICANN have any power/competence in fighting against
> crime? And it goes for other purposes as well: Is ICANN an international
> trademark organisation? Etc...Is the answer given to those questions is
> shared by all the community of ICANN? In my sense we have to be sure that
> we answer first those questions before deciding on possible purposes (which
> does not mean that discloser of data on a case-by case base according to
> international legal requirements will not be possible after this, but those
> will be exceptions !!!)
>
>
>
> Best regards,
>
>
>
> Peter
>
> 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta:
>
> I love your analogy Shane, it is perfect. In data protection terms that
> would be a use. For a legitimate purpose... sledding. There might have to
> be repercussions if you cracked the lid....that might be a data breach:-)
>
> I hate being a nit picker and calling out this distinction between purpose
> of collection as opposed to purpose for use and disclosure, but it is
> extremely important in terms of data protection. Some laws are more clear
> than others on the distinction, and you are correct that if we are not
> careful DP laws will forbid the collection and disclosure of the data. It
> is certainly clear that for collection of thin data, there is ample
> justification for collecting the info based on ICANN's limited mandate.
> However adding law enforcement and other similar website related
> investigative activities to the list of legitimate purposes is in my view
> opening a barn door. After a year of discussion we may understand the
> nuance, that we are talking about thin data, etc etc but when the fruits of
> our labours are published, it looks like we have all agreed that law
> enforcement (eg) is a legitimate purpose for collecting registration data.
> In my view, it is not.
>
> cheers Stephanie
>
>
>
> On 2017-01-22 04:03, Shane Kerr wrote:
>
> Greg,
>
>
>
> If we can say that not all legitimate purposes have to be catered for,
>
> then I agree with you. :)
>
>
>
> If we say that tracking down the registrar of a domain as part of
>
> trademark research is a legitimate purpose, that does not mean that we
>
> have to design the system for this purpose, right?
>
>
>
> To try an analogy: We can recognize that using the plastic top of a
>
> garbage can as a sled is legitimate, but we don't insist on designing
>
> lids with sledding in mind.
>
>
>
> Full disclosure: My own take on the "legitimate purpose" discussion
>
> with regards to "thin data" is that we need *some* purpose for both
>
> gathering and publishing the information, because otherwise privacy
>
> laws may prohibit companies from gathering or publishing it. Luckily I
>
> think that there are so many such purposes that the need for the
>
> information is indisputable.
>
>
>
> Jumping ahead... as I said in a prior call (sorry for missing ones since
>
> then), I would prefer that the information is then allowed for any
>
> purpose, without restriction, because otherwise you have to have not
>
> only tiresome rules about what is allowed but also the Internet Police
>
> to enforce those rules, which seems like a step towards Armageddon.
>
>
>
> Given that we're still talking about "thin data", which is basically
>
> just a pointer to a registrar who has *actual* data, my own
>
> recommendation is not to stress too much. This stuff is only very, very
>
> vaguely personally identifiable.
>
>
>
> Cheers,
>
>
>
> --
>
> Shane
>
>
>
> At 2017-01-21 14:51:29 -0500
>
> Greg Shatan <gregshatanipc at gmail.com> <gregshatanipc at gmail.com> wrote:
>
>
>
> I have to disagree. These are legitimate purposes for collection, as well
>
> as for disclosure.
>
>
>
> Greg
>
>
>
> On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin <
>
> stephanie.perrin at mail.utoronto.ca> wrote:
>
>
>
> I filled it out, but I am afraid for most of the purposes I could not
>
> agree. We do not *collect *data for many of those purposes. We disclose
>
> it to people for those purposes, but the purpose of collecting those data
>
> elements is not for tax collection, trademark enforcement actions, etc.
>
> This is the conflation issue I have raised repeatedly.
>
>
>
> Apologies if I did not make that point clear enough on the call.
>
>
>
> Stephanie Perrin
>
>
>
> On 2017-01-20 17:35, Gomes, Chuck wrote:
>
>
>
> Please note that our current poll ends in about 24 hours. So far only 16
>
> people have responded.
>
>
>
>
>
>
>
> Chuck
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg <gnso-rds-pdp-wg>-
>
> bounces at icann.org <gnso-rds-pdp-wg-bounces at icann.org> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Lisa
>
> Phifer
>
> *Sent:* Wednesday, January 18, 2017 1:50 PM
>
> *To:* RDS PDP WG <gnso-rds-pdp-wg at icann.org> <gnso-rds-pdp-wg at icann.org> <gnso-rds-pdp-wg at icann.org> <gnso-rds-pdp-wg at icann.org>
>
> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on
>
> Purpose
>
>
>
>
>
>
>
> Dear all,
>
>
>
> As directed in the 18 January WG call, this week's new Poll on Purpose is
>
> now open for WG member participation:
>
>
>
> https://www.surveymonkey.com/r/SZX9QJZ
>
>
>
> A PDF of this poll's questions and notes/recordings of the meeting are
>
> posted on the 18 January meeting page: https://community.icann.org/x/
>
> EbTDAw
>
>
>
> This poll will close at *COB Saturday 21 January 2017*.
>
>
>
> All WG members are encouraged to participate in this poll to help advance
>
> deliberation and prepare for next week's meeting.
>
>
>
> Best regards,
>
> Lisa
>
>
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
>
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170125/6dd9fd0e/attachment.html>
More information about the gnso-rds-pdp-wg
mailing list