[gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 10 March

Mon Mar 12 14:01:35 UTC 2018

Dear All, 

Below, please find notes from the RDS PDP WG meeting on Saturday 10 March at ICANN61.

To recap Action Items from today’s call: https://go.icann.org/2GgBm9f.

Action: DT5 Regulatory and ICANN Contractual Enforcement, DT6 Legal Actions, and DT7 Criminal Investigation/DNS Abuse Mitigation Investigation, Notification, and Reputation should be prepared to present at Wednesday’s F2F (Wednesday 14 March from 15.15 - 18.30 local time).

Kind regards,

Caitlin

Action Items and Notes from RDS PDP WG Call – 10 March 2018

These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki.

Introductions and SOI Updates

2. PDP Background
RDS PDP - Newsletter - March 2018 v3.pdf

3. Meeting Goals 
As the WG has deliberated on the below Charter Questions, we may be constraining our thinking by deliberating on existing WHOIS data elements, assuming today’s (often implicit) definitions, without clearly-stated expectations of the entities identified and/or contacted using registration data
Who should have access to gTLD registration data and for what purposes?
What data should be collected, stored, and disclosed for those purposes?

To address these concerns and enable more effective deliberation, purpose drafting teams were asked to re-convene to answer the following questions:

1. Who associated with the domain name registration needs to be identified and/or contacted for each purpose?

2. What is the objective achieved by identifying and/or contacting each of those entities?

3. What might be expected of that entity with regard to the domain name?

Today, each drafting team will present its answers for consideration by the full WG
Results from today’s session will be input to deliberation on possible purposes and associated data

4. Review DT answers on entities to be identified or contacted for each possible purpose for processing gTLD registration data 

Domain Name Purchase/Sale
DT4 Answers: Domain Name Purchase/Sale 

WG Response:
The expectation is that a potential buyer can verify the seller owns the DN; this is not a requirement for public access – for example, a DN registrant could supply a lookup key to the buyer
At what point would this be opened up to verification – after initial inquiry, or when the seller chooses to go forward?
Potential buyers may want to see a registrant’s full portfolio, not just one DN
Is this purpose limited to business-owned DNs or does it apply to all DNs?
Should it be a requirement to be able to find out the full set of domains controlled by a single entity, or is this just a particular desire?
A potential buyer should send a note to the account holder, via the registrar
Why is there a need for the account holder to have control of a DN?
The account holder is not always the registrant and may not have the ability to sell a domain name
Ultimately it should be the potential seller that controls further communication for this purpose
Are there two different audiences? All registrants, or only those that express interest in being contacted for this purpose?
There may be value in supplying additional information, but it seems this may be best handled outside of the basic system, e.g. by exchanges for listing names potentially available for sale
Is there any threshold for the buyer is identifying itself as a bona fide purchaser?
Are there two different types of entities being contacted in the beginning of this purpose? (1)  any registrant that may or may not be interested in selling names; (2) registrants that specifically wish to receive potential purchase offers for their DN?
To what extent must this be supported by the mandatory system as opposed to external services that have developed and will continue to develop?
The buyer needs to have a third-party place to verify the registrant holds the rights to the DN – a public record of ownership, not just the current contact information
If the seller opts in to full disclosure of other DNs, that could be done at the seller’s discretion, based on an incentive (e.g., paying more for the DN)
There's a sharp distinction between validating whether the seller has title versus whether the car is in running order.  For the latter, the state does not participate; the buyer would get an assessment from their own mechanic
Being contactable for this purpose is different from publishing contact data for this purpose
The info listed in the Registrant field is supplied by the Account Holder, and it's entirely possible that the information is unrelated to the account and domain.

Domain Name Management
DT2 Answers: Domain Name Management and Individual Internet Use 

WG Response:
Noted that WG Agreement 48 refers to legitimate purpose but does not give grounds for what criteria is used to determine legitimacy (e.g., consistency with mission)
Legitimate interests of the parties should be identified – this is basis for lawful processing
Third party legitimate interests are not limited to those of contracted parties.
Benefit to the registrant is security and stability: To prevent unauthorized changes to the DN registration, that their DN doesn’t get hijacked, that they have the ability to verify their DN’s record
The bylaws define, 4.6(e)(i) “Subject to applicable laws, ICANN shall use commercially reasonable efforts to enforce its policies relating to registration directory services and shall work with Supporting Organizations and Advisory Committees to explore structural changes to improve accuracy and access to generic top-level domain registration data, as well as consider safeguards for protecting such data.”
There are different ways of viewing security and stability, and from the registrant’s perspective this purpose goes directly to security and stability

Individual Internet Use
DT2 Answers: Domain Name Management and Individual Internet Use 

WG Response:
Primary focus is identification and not contact
Contact in the case of fraud may not be useful – contact might occur through other channels
Would the average Internet user actually use WHOIS for this purpose?
Should not be encouraging consumers to do this, but rather provide other consumer protection mechanisms
Some users DO query WHOIS for this purpose – knowledgeable users are valid too
WHOIS Review Team studied this very question. There is a study, including video footage, showing Internet users trying to find a domain name owner.  The majority went to a website or search engine – WHOIS was not used.  Since we paid for this study, we could use it. – RT4 – this question was part of this exercise.  The majority went to the website or google.  To say that WHOIS came up little if not at all.  Perhaps we could retrieve this data for this purpose. For further information, please refer to the WHOIS Review Team’s Final Report
When you’re engaged in a commercial transaction, you want tools to learn who you’re dealing with, and why rob users of this tool? (imperfect or not)

Domain Name Certification
DT3 Answers: DT3AnswerstoQuestions-8March.pdf 

WG Response:
Who is the certifying agent? The CA itself
This purpose is only relevant to those registrants that want a certificate; access could be provided by some kind of one-time-use token and not publication of data
When DN is sold, is the certificate revoked?
ICP in China and SSL: having public email makes it much easier. We face difficulties with .co.uk to get SSL validation, because email is not available in WHOIS by design
In cases where email address is published in WHOIS, obtaining a certificate may be easier, but email-based validation is not the only method available and not having an email address doesn’t prevent obtaining a certificate
If a CA (other than the CA run by the registrar) wants access to data to provide their service they could pay the registrar to get access.  These kinds of business model issues are out of scope of this PDP.

Technical Issue Resolution 

DT1 Answers: Technical Issue Resolution 

WG Response:
Registrars do not want to be the first point of contact for Tech Issue Resolution – go to the hosting provider (or the Registrant/contact) first. All the Registrar can do is take the DN down. The web host is in a much better position to disable access to the hostname (not the DN)
There are registrars whose business model includes serving as Tech Contact (value add)
Is the entity you want to reach for tech issue resolution sometimes or always the account holder? Probably not since several different entities are enumerated in the DT’s answer, but this deserves further discussion
DNS OARC meeting example – DNSSEC validation – need to contact operators of the DN, to help resolve issue, not take the entire DN down
What is the role of the Reseller in this purpose?
It is not necessary that Registrants understand the technical issue – the “mechanics of the Internet” need to understand/resolve the issue being reported
You only need the help of a domain contact when the IP isn’t resolving
Nameservers will not always lead to the hosting provider
Hosting is not regulated by ICANN – that other part of the Internet community cannot be addressed by RDS policy
Contacting the domain holder can also be useful if the site is partially pirated, to warn the owner. no need for the host to shut down the site, but for the domain holder to clean its database

DNS Research
DT1 Answers: Academic or Public Interest DNS Research 
WG Response:
Note that #2, benefit to prospective buyer doesn’t belong in this purpose – it’s another purpose
What is “public interest” research?  Too open ended
Universities typically apply a rigid protocol to research involving humans
Do you need data associated with individuals for this purpose? Can’t you just use aggregate data? Depends on the study – for example WHOIS Misuse study, WHOIS Accuracy study both used individual registrant and contact data to study misuses and inaccuracies to inform policy development, to the benefit of future registrants

5. Confirm Action Items and Proposed Agreements
No proposed agreements were identified
DT5 Regulatory and ICANN Contractual Enforcement, DT6 Legal Actions, and DT7 Criminal Investigation/DNS Abuse Mitigation Investigation, Notification, and Reputation should be prepared to present at Wednesday’s F2F (Wednesday 14 March from 15.15 - 18.30 local time)

Meeting Materials (posted at https://community.icann.org/x/ygi8B)
Meeting Slides PDF and PPT
List of Drafting Teams: https://community.icann.org/x/q5BEB
Answers to questions from each Drafting Team
KeyConceptsDeliberation-WorkingDraft-13Feb2018.docx and PDF 
RDS PDP - Newsletter - March 2018 v3.pdf
Adobe Chat 10 March F2F ICANN61.pdf
Consolidated PDF of all DT Answers as of 8 March (v2)
DT1 Answers: Technical Issue Resolution PDF and DOC
DT1 Answers: DNS Research PDF and DOC
DT2 Answers: Domain Name Management and Individual Internet Use PDF and DOC
DT3 Answers: Domain Name Certification PDF and DOC
DT4 Answers: Domain Name Purchase/Sale PDF and DOC
DT5 Answers: Regulatory Enforcement PDF and DOC
DT5 Answers: ICANN Contractual Enforcement PDF and DOC
DT6 Answers: Legal Actions PDF and DOC
DT7 Answers: Criminal Activity/DNS Abuse - Investigation, Notification, and Reputation PDF and DOC

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180312/3c203e0b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4621 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180312/3c203e0b/smime-0001.p7s>