[gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 9 January 2018
Lisa Phifer
lisa at corecom.com
Tue Jan 9 22:43:14 UTC 2018
Dear all,
Below please find notes from today's RDS PDP WG meeting.
To recap Action Items from today's call: https://community.icann.org/x/QgByB
WG Agreement: The following registration data is needed for the purpose of
Domain Name Management: Domain Name, Registrant Name, Registrant
Organization, Registrant Email, Registrar Name, Creation Date, Updated Date,
Expiration Date, Nameservers, Domain Status, and Administrative Contact.
Action: Staff to incorporate this WG Agreement in the working draft, and to
start maintaining a table of data that has been agreed to be collected for
legitimate purposes
Possible WG Agreement (revised, to be confirmed by poll): Domain Name
Certification is NOT a legitimate purpose for requiring collection of
registration data, but may be a legitimate purpose for allowing some data to
be collected, or for using some data collected for another purpose.
Possible WG Agreement (to be confirmed by poll): Criminal Activity/ DNS
Abuse - Investigation is NOT a legitimate purpose for requiring collection
of registration data, but may be a legitimate purpose for using some data
collected for other purposes.
Action: Leadership team to draft poll questions to test these two possible
WG Agreements. All WG members encouraged to participate in this poll no
later than COB Saturday 13 January.
Best regards,
Lisa
Action Items and Notes from RDS PDP WG Call - 9 January 2018
These high-level notes are designed to help PDP WG members navigate through
the content of the call and are not meant as a substitute for the transcript
and/or recording. The MP3, transcript, and chat are provided separately and
are posted on the wiki.
1. Roll Call/SOI Updates
. Link to meeting page: https://community.icann.org/x/QgByB
. Greg Shatan has a new employer: Moses & Finger, has new role with
ISOC
2. Complete deliberation on data required for Domain Name Management
a. Review poll results from 20 December call Question 2
. 92% supported the possible WG agreement on Domain Name Management
given below
. Note responses giving rationale for additional data not included
due to lack of support - may be considered later
b. Finalize agreement on data required for Domain Name Management
. Accept as rough consensus the following WG Agreement
WG Agreement: The following registration data is needed for the purpose of
Domain Name Management: Domain Name, Registrant Name, Registrant
Organization, Registrant Email, Registrar Name, Creation Date, Updated Date,
Expiration Date, Nameservers, Domain Status, and Administrative Contact.
Action: Staff to incorporate this WG Agreement in the working draft, and to
start maintaining a table of data that has been agreed to be collected for
legitimate purposes
3. Complete deliberation on Domain Name Certification
a. Review poll results from 20 December call Question 3
. 84% supported the possible WG agreement:
. Domain Name Certification is NOT a legitimate purpose for requiring
collection of registration data, but may be a legitimate purpose for using
some data collected for other purposes. (Access requirements to be
deliberated at a later stage.)
. 3 responses proposed revisions to the above text and 3 gave
rationale for treating DN Certification as a legitimate purpose for data
collection
b. Finalize agreement on Domain Name Certification as a legitimate purpose
. Comments:
. Not an essential requirement but may be something we need to allow
to be collected to enable DN certification - that is, not mandatory to
collect, but allow to collect
. RDS should not be limited to data of interest to registrant in its
relationship with its registrar - RDS exists in part to provide data needed
by third parties in their relationship with the registrant - this is such a
case
. Registration data is required by several processes during DN
certification, but there are other processes that do not require WHOIS data
today
. Is this required for operation of the domain name ecosystem? No.
But should the RDS be required to allow collection of registration data for
this purpose?
. From chat: ICANN is in the security, stability, resiliency and
trust business. Certification is an integral part of that.
. Choices we may need to consider:
((MUST be collected) or (MAY be collected with informed consent)) or (not
legitimate)
. We are trying to identify purposes that are legitimate for
collection of some registration data. We were not trying to parse mandatory
or optional for each data element at this stage.
. Alternative proposal which gained some traction: Domain Name
Certification is NOT a legitimate purpose for requiring collection of
registration data, but may be a legitimate purpose for allowing some data to
be collected, or for using some data collected for another purpose.
. Another alternative: Domain Name Certification MAY BE a legitimate
purpose for requiring collection of registration data, but may not be a
legitimate purpose for registrants who do not intend to use a Certification
Authority that uses RDS registration data.
. Suggestion to change "another" to "this" purpose...introduces a
potential wild card otherwise.
. Some cert vendors use the RDS in their processes. That is a
legitimate use, and a legitimate reason (all on its own) for collection,
even if there is no other reason to collect the data. That is not a reason
to require everyone to provide such data.
Possible WG Agreement (revised, to be confirmed by poll): Domain Name
Certification is NOT a legitimate purpose for requiring collection of
registration data, but may be a legitimate purpose for allowing some data to
be collected, or for using some data collected for another purpose.
4. Start deliberation on "Criminal Activity/ DNS Abuse - Investigation"
. Slide 7-10 provides an overview of Drafting Team 7's definition of
this purpose
. "Investigation" is one of three purposes identified by DT7
. Definition: The following information is to be made available to
regulatory authorities, law enforcement, cybersecurity professionals, IT
administrators, automated protection systems and other incident responders
for the purpose of enabling identification of the nature of the registration
and operation of a domain name linked to abuse and/or criminal activities to
facilitate the eventual mitigation and resolution of the abuse identified:
o Domain metadata (registrar, registration date, nameservers, etc.)
o Registrant contact information
o Registrar contact Information
o DNS contact, etc...
. Question: Is this just law enforcement? No.
. Is requiring collection of data to prevent crime beyond ICANN's
mandate?
. Deterring DNS Abuse is part of ICANN's remit
. From Hamilton memo #3: "Processing of Whois data by law enforcement
agencies for such law enforcement purposes should constitute a legitimate
interest that motivates processing of personal data in accordance with
Article 6.1(f) GDPR."
. Note that this assumes the needed data will be collected for other
purposes - need to confirm this after all purposes for collection have been
deliberated upon
. Support expressed for possible WG agreement as presented in slides
. The rephrasing used for DN Certification may not be necessary for
this purpose - that is, there may be no need to allow for optional
collection for this purpose
. Agreed to test both formulations of this possible WG agreement -
that is, with and without clause regarding optional collection
Possible WG Agreement (to be confirmed by poll): Criminal Activity/ DNS
Abuse - Investigation is NOT a legitimate purpose for requiring collection
of registration data, but may be a legitimate purpose for using some data
collected for other purposes.
Action: Leadership team to draft poll questions to test these two possible
WG Agreements. All WG members encouraged to participate in this poll no
later than COB Saturday 13 January.
5. Confirm action items and proposed decision points
WG Agreement: The following registration data is needed for the purpose of
Domain Name Management: Domain Name, Registrant Name, Registrant
Organization, Registrant Email, Registrar Name, Creation Date, Updated Date,
Expiration Date, Nameservers, Domain Status, and Administrative Contact.
Action: Staff to incorporate this WG Agreement in the working draft, and to
start maintaining a table of data that has been agreed to be collected for
legitimate purposes
Possible WG Agreement (revised, to be confirmed by poll): Domain Name
Certification is NOT a legitimate purpose for requiring collection of
registration data, but may be a legitimate purpose for allowing some data to
be collected, or for using some data collected for another purpose.
Possible WG Agreement (to be confirmed by poll): Criminal Activity/ DNS
Abuse - Investigation is NOT a legitimate purpose for requiring collection
of registration data, but may be a legitimate purpose for using some data
collected for other purposes.
Action: Leadership team to draft poll questions to test these two possible
WG Agreements. All WG members encouraged to participate in this poll no
later than COB Saturday 13 January.
6. Confirm next WG meeting: Tuesday, 16 January at 17:00 UTC
Meeting Materials: https://community.icann.org/x/QgByB
Including call handout with poll results and the definitions produced by DT7
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180109/b049812a/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list