<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!--[if gte mso 9]>
<xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
<o:PixelsPerInch>96</o:PixelsPerInch>
</o:OfficeDocumentSettings>
</xml>
<![endif]-->
<style type="text/css">* a:hover{cursor:pointer;}</style>
<style>body {-webkit-animation:bugfix infinite 1s;}@-webkit-keyframes bugfix {from {position:relative;}to {position:relative;}}</style>
</head>
<body style="word-wrap:normal; word-break:break-word;">
<style>a {word-wrap:normal;word-break:break-word;}.background-contain {background-size:contain;}@media only screen and (max-width:600px) {.container {-webkit-text-size-adjust:none !important;}.container,.palm-one-whole {width:100% !important;min-width:100% !important;}.palm-one-half {width:50% !important;min-width:50% !important;box-sizing:border-box;}blockquote .container,blockquote .container div,blockquote .container table {width:auto !important;min-width:0 !important;position:relative !important;}img {max-width:100%;}.border-outer,.border-middle,.border-inner,.inner,[title="separator"] {width:100% !important;}.innercell {padding:8px !important;}.palm-block {display:block !important;}td.palm-one-whole {display:inline-block !important;padding:0;}td.palm-one-whole:first-child:not(:only-child) {margin-bottom:16px;}td.hostname {padding-top:3px !important;}}@media only screen and (min-width:601px) {.preview-card {max-width:600px !important;}}@media only screen and (min-device-width :320px) and (max-device-width :568px),only screen and (min-device-width :768px) and (max-device-width :1024px),only screen and (max-device-width:640px),only screen and (max-device-width:667px),only screen and (max-width:480px){.container {width:100% !important;min-width:100% !important;}.p,.small,li,font[size="2"],font[size="3"] {font-size:1em !important;}}@media only screen and (min-device-width :320px) and (max-device-width :568px),only screen and (min-device-width :768px) and (max-device-width :1024px),only screen and (min-device-width :1224px) {.message-wrapper {padding-top:6px;}.apple-only[style] {display:block !important;max-height:none !important;line-height:normal !important;overflow:visible !important;height:auto !important;width:100% !important;position:relative !important;}.no-apple {display:none !important;}form {font-size:inherit;}input[type="text"] {height:43px;padding-left:4px !important;}button:hover {cursor:pointer;}}@media only screen and (min-device-width :1224px) {.apple-mail-form {display:block !important;background-color:white !important;}}* [office365] .outlook-com-hidden {display:none !important;}* [office365] .outlook-com-button {display:block;}* [office365] .outlook-com-only {display:block !important;max-height:none !important;line-height:normal !important;overflow:visible !important;height:auto !important;width:100% !important;position:relative !important;}</style>
<!--[if (gte mso 9)|(IE)]>
<style>a,body {font-family:'Calibri',Arial,sans-serif;}img {border:none !important;-ms-interpolation-mode:bicubic;}td {mso-line-height-rule:exactly !important;}.mso-card-inner table {border-collapse:collapse !important;mso-table-lspace:0pt;mso-table-rspace:0pt;vertical-align:top;}.outlook-com-only {display:none !important;font-size:0 !important;}#mso-one-whole {width:100% !important;}.border-outer,.border-middle,.border-inner {border:none !important;}.border-middle,.border-inner {width:100% !important;}.mso-border-outer,.mso-border-middle,.mso-border-inner {padding:1px;}.mso-border-outer {background-color:rgb(245,255,255);}.mso-border-middle {background-color:rgb(223,246,255);}.mso-border-inner {background-color:rgb(153,176,225);}</style>
<![endif]-->
<table class="container" lang="container" border="0" cellpadding="0" cellspacing="0" valign="top" style="width:100%; margin-top:6px;">
<tr>
<td valign="top" class="message-wrapper" style="line-height: 1.31; color: #222; font-family: arial, sans-serif;">
<!--[if mso]><table border="0" cellpadding="0" cellspacing="0" valign="top" style="border-collapse:separate;"><tr><td valign="top"><![endif]-->
<div>Thanks for your comments, Greg. Without wanting to dive too deep into our deliberations, I would just like to briefly comment on this:<br></div><div><br></div><blockquote style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; padding-top: 0px; padding-bottom: 0px;"><div>The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost.</div></blockquote><div><br></div><div>I do not think it is reasonable to make such an assumption. Privacy proxy services have not reached critical mass, as most domain names are not protected through such cloaks. </div><div><br></div><div>In addition, the subscription cost of such services must be seen as relative to local incomes and the ability to make a purchase in a foreign currency. It is not easy for everyone in every country to purchase goods online; not everyone has access to a credit card, and in many regions payment processors do not accept all currencies. And while US$7.00 per year may not be a lot to you or I, it is a significant amount of money to some. </div><div><br></div><div>When I was living in Argentina in 2014, the government imposed restrictions on online purchases as part of efforts to prevent foreign currency reserves from dwindling. At one stage, I believe that Argentine credit cards were limited to making no more than US$25 per month in foreign transactions. In such a case a dissent group would have to choose carefully how to allocate their resources. Do they buy Skype credit to make calls abroad? Do they buy a privacy proxy cloak? Do they purchase literature from abroad that cannot be purchased locally?</div><div><br></div><blockquote style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; padding-top: 0px; padding-bottom: 0px;"><div><font>Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint.</font></div></blockquote><div><br></div><div>This operates on the assumption that due process is followed. A privacy service provider is not a court and, as far as I am aware, there is no binding entitlement to domain name registrants to a fair and public hearing within a reasonable time by an independent, competent, and impartial tribunal as to whether the registrant's data should be released to that government authority?</div><div><br></div><div>This also assumes that the data is requested and not simply taken<em class="scribe-marker" style="display: none;"></em><em class="scribe-marker" style="display: none;"></em><em class="scribe-marker" style="display: none;"></em><em class="scribe-marker" style="display: none;"></em>. Given efforts are underway globally to restrict encryption, we cannot presume that all governments worldwide will follow due process if the data they desire exists in some form where it can somehow be extracted.</div><div><br></div><div>Best wishes,</div><div><br></div><div>Ayden</div><img align="left" width="0" height="0" style="border:0; width:0px; height:0px;" src="https://app.mixmax.com/api/track/v2/kx9U8hRTnl1i6hk4p/i02bj5SZulGblRmclZGQu5WYjlmI/icmcv5ibuF2YpB0Z31CckBXLzRmct82cudmI/icmcv5ibuF2YpB0Z31CckBXLzRmct82cudmI?sc=false" alt="">
<!--[if mso]></td></tr></table><![endif]-->
</td>
</tr>
</table>
<div>
<div>
<p data-m-apply-default-font="true"><br></p>
<div class="gmail_extra">
<p data-m-apply-default-font="true"><br></p>
<div class="gmail_quote">
On Tue, Jul 26, 2016 2:10 PM, Greg Aaron <span dir="ltr"> <a href="mailto:gca@icginc.com" target="_blank">gca@icginc.com</a></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<u></u>
<div>
<p><a name="_MailEndCompose"><span style="font-family:"Calibri",sans-serif">Here are three cases that are variations of the scenario that Ayden presented.
<o:p></o:p></span></a></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></span></p>
<p style="text-indent:-.25in;mso-list:l1 level1 lfo2"><span style="mso-bookmark:_MailEndCompose"><![if !supportLists]><span style="font-family:"Calibri",sans-serif"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-family:"Calibri",sans-serif">Member of the dissident group registers a gTLD domain name using a privacy service, located in a different country from the registrant. The actual market price of such services is
inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost. Government authorities in the dissident’s country request the underlying
registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint. The decision may depend mainly on whether the service provider believes the registrant has breached the service
provider’s terms of service, as interpreted under the laws of the service provider’s country (not the country of the registrant and the complaining government).<o:p></o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></span></p>
<p style="text-indent:-.25in;mso-list:l1 level1 lfo2"><span style="mso-bookmark:_MailEndCompose"><![if !supportLists]><span style="font-family:"Calibri",sans-serif"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-family:"Calibri",sans-serif"> </span></span><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif">Instead of a gTLD domain, member of the dissident group chooses to register
a ccTLD domain, in a ccTLD that does not provide registrant contact data in its WHOIS. The ccTLD registry and registrar are outside the dissident’s country. If the government authorities in the dissident’s country wish to obtain contact data, the government
authorities must contact either the registrar or registry, which will then consider the complaint according to their terms of service, as interpreted under the laws of the registrar’s or registry’s country.<o:p></o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></span></p>
<p style="text-indent:-.25in;mso-list:l1 level1 lfo2"><span style="mso-bookmark:_MailEndCompose"><![if !supportLists]><span style="font-family:"Calibri",sans-serif"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-family:"Calibri",sans-serif">Member of the dissident group registers a gTLD domain name using a proxy, such as a law firm located in another country. If government authorities in the dissident’s country request
the identity of the dissident, the proxy must decide whether to reveal its client’s name. The proxy is not subject to the jurisdiction of the foreign government.
<o:p></o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif">These use cases assume that dissidents wish to take steps to keep their identities from their government regime. All three cases allow the registrant
to work within existing ICANN registration data policies, including the recommendations that have come out of the recent privacy/proxy PDP.<o:p></o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif">All best,<o:p></o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-family:"Calibri",sans-serif">--Greg<o:p></o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></span></p>
<p><span style="mso-bookmark:_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></span></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org]
<b>On Behalf Of </b>Ayden Férdeline<br>
<b>Sent:</b> Monday, July 25, 2016 6:41 PM<br>
<b>To:</b> gnso-rds-pdp-wg@icann.org<br>
<b>Subject:</b> [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information<o:p></o:p></span></p>
</div>
</div>
<p><o:p> </o:p></p>
<table border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<div>
<p><span style="font-family:"Calibri",sans-serif">Hello all,<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif">I would like to introduce an additional use case. This is just a rough draft for now, and I welcome your feedback on how this use case can be strengthened. <o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif">The scenario is: a dissident group launches a website to bring important news and information to the public. They register their domain name in a foreign nation and do not want law enforcement,
or other parties, to be able to identify the website’s administrators, management, and/or sources of information. If this information was made known, their publishing could be silenced and their sources and contributors could suffer harm. The registrant is
not aware of the existence of privacy proxy services at the time they register their domain name.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Misuse Case:</span></b><span style="font-family:"Calibri",sans-serif"> The RDS could be used by State actors or other parties to identify members of or contributors to the dissident group,
and this could result in their voices being silenced through legal, political, or physical means.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Main Misuse Case:
</span></b><span style="font-family:"Calibri",sans-serif">An actor is unhappy that a website in a country is publishing material that speaks unfavourably about a given topic. They wish to launch political and legal attacks to silence the website’s publishers
and to alter the narrative of the historical record on this topic. They thus utilise the RDS to identify a contact of someone involved in the administration of this website, with the view of torturing or otherwise extracting from this contact the names and
contact details of contributors to the dissenting website. As the registrant does not subscribe to a privacy proxy service (possibly because of limited financial resources, or lack of awareness that such a service exists), their contact details have been permanently
published into the public record and their privacy is thus permanently breached. As a result the RDS threatens the ability of dissenting voices to exercise their inalienable rights in an online environment. <o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Primary Actor:
</span></b><span style="font-family:"Calibri",sans-serif">Government or other entity wanting to censor a dissident group.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Other stakeholders:</span></b><span style="font-family:"Calibri",sans-serif"> Domain name registrant.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Scope:</span></b><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Level:</span></b><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Data Elements:</span></b><span style="font-family:"Calibri",sans-serif"> In order to prevent misuse by another actor, no personally identifiable information should be stored in the RDS whatsoever.
The only data elements that the RDS requires to operate on a technical level are: the domain name itself, the registrar, the domain name’s expiry date, and its status (registered / not registered). For it to be of functional use, there are two optional fields:
name servers, and the auth-code.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Story: </span></b><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<ul type="disc">
<li style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:"Calibri",sans-serif">A requestor accesses the RDS to obtain information about a registered domain name. The RDS immediately returns the registration data associated with the domain name, which may include a name and physical address
of the registrant.<o:p></o:p></span></li><li style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="font-family:"Calibri",sans-serif">The requestor passes the extracted information on to a third party who visits the physical address of the contact. The registrant suffers physical harm as a result of the RDS and no longer feels comfortable using
the Internet to convey to the public important information.<o:p></o:p></span></li></ul>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Privacy implications:
</span></b><span style="font-family:"Calibri",sans-serif">Article 19 of the Universal Declaration of Human Rights states that everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference
and to seek, receive, and impart information and ideas through any media and regardless of frontiers. These principles must be upheld in the RDS. An RDS that contains any personally-identifiable information would threaten these very freedoms. Accordingly,
the RDS must only collect and store data for limited, lawful, and appropriate purposes.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Who has control of and access to the data:
</span></b><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif"> </span></b><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Conditions under which the data are accessible:
</span></b><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">How data can be accessed:
</span></b><span style="font-family:"Calibri",sans-serif">At this time, personally identifiable information can be accessed by any party in the world, for any reason. This is not consistent with best practices in privacy protection.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p><b><span style="font-family:"Calibri",sans-serif">Other?</span></b><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif">As you can see, I have left a few of the fields in Lisa's template for use cases blank. I do not have all the answers, so I would very much welcome your suggestions on how this use case could
be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead.
I'll revise this use case once I understand this exercise a bit better.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif">Thank you for your time, consideration, and feedback.<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif">Best wishes,<o:p></o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p><span style="font-family:"Calibri",sans-serif">Ayden Férdeline<o:p></o:p></span></p>
</div>
<p><img src="https://compose.mixmax.com/img/blank.png" align="left"><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<p><o:p> </o:p></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<br><br><div>Ayden Férdeline</div><div><a href="https://community.icann.org/display/gnsosoi/Ayden+Férdeline+SOI" style="background-color: white;">Statement of Interest</a></div>
</body>
</html>