[Gnso-ssr] discussion -- SAC061 -- SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Wed Feb 12 14:46:34 UTC 2014


At the risk of not following protocols, I am going to plunge in.  First, please note that while I sit on the EWG, my views expressed are only mine, and they often tend to be minority views.  I am also a PhD student immersed in reading about the development of WHOIS from an information policy perspective, so may have additional somewhat nerdy minority views.  But here goes, inline:
On Feb 12, 2014, at 8:41 AM, Mike O'Connor <mike at haven2.com> wrote:

> hi all,
> 
> here’s a thread to talk about the SSAC comment on EWG initial report.
> 
> here are a few questions.  view them as a starting-point, not a rigid requirement.  if you have a comment that falls outside of these questions, please go ahead and make your post.  i’m just posting these to start conversation, not restrict it.
> 
> - what’s the current status of the EWG work?
There will be another open session in Singapore to discuss; the final report is due in June at the London meeting.  This is a strenuous deadline in my view, given research that ought to be done first.
> 
> - where are we in the process of establishing a registration data policy?
> 
> - who, if anybody, has taken these SSAC recommendations on board?
All the recommendations have certainly been looked at, but in my view there was so little detail in the first report that really folks had much more to get their teeth into in the November draft…and the comment period has not closed for that as yet.  Time to study those comments is too short, unless the EWG all quit their day jobs and go at it full time.  In the meantime of course, we have Brazil, so that is not happening.  The devil lies in the details, we need more time to look at comments on those details.
> 
> - is there anything that the GNSO, and/or the GNSO Council, should be doing in Singapore to help move this along?
Given the long history of WHOIS debate, should there not be a big public discussion at some future face to face meeting, prior to the report going final?
> 
> - are there any other questions people would like to raise about this comment?
> 
> SAC061:  SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services
> 
> http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf
> 
> Recommendation 1: SSAC reiterates its recommendation from SAC055: The ICANN Board should explicitly defer any other activity (within ICANN’s remit) directed at finding a ‘solution’ to ‘the WHOIS problem’ until the registration data policy has been developed and accepted in the community. The EWG should clearly state its proposal for the purpose of registration data, and focus on policy issues over specific implementations.
> 
> Recommendation 2: The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.
It is my view that the risk assessment should be a broad, multi-stakeholder impact assessment, with (of course) a full security assessment.  The NPL report on privacy/proxy abuse does not show disproportionate risk from privacy/proxy services, and in my view pushing for greater accuracy and transparency will drive bad actors to identity theft.  Most casual registrants (i.e. the general public who are non-expert) are not equipped to protect their data; responsibilisation of that community (i.e. pushing the burden of vigilance onto small business, small institutions and individuals) is neither responsible regulatory action nor good security.
> 
> Recommendation 3: SSAC recommends that the EWG state more clearly its positions on the following questions of data availability:
> 
> A. Why is a change to public access justified?
> This explanation should describe the potential impact upon ordinary Internet users and casual or occasional users of the directory service.
This is true, we need a full impact assessment and consultation to figure out the impact.  It is presumptuous in the extreme for even ICANN alone, composed of certain stakeholders with vested interests, to attempt to speak for the global internet public.  We have to find a way to determine what the impact on end users, scaled out for potential new uses and applications and users over a ten year frame, is going to be.
> 
> B. Does the EWG believe that access to data currently accessible in generic Top Level Domain (gTLD) WHOIS output should become restricted?
> If so, what fields and to what extent exactly? Under the EWG proposal, queries from non-authenticated requestors would return only “public data available to anyone, for
Yes.
> 
> C. Should all gTLD registries be required to provision their contact data into the Aggregated Registration Data Service (ARDS)?  
> There may be jurisdictions that prohibit by law the export of personally identifiable information outside the jurisdiction. If so, the ARDS may not be a viable way to deliver data accuracy and compliance across all gTLDs.
Registrars and registries need to comply with data protection law.  The ARDS should only get data that is not protected, until the ARDS can be proven to screen all accredited users (e.g. law enforcement authorities, IP enforcement actors, security professionals) for limited actions that comply with due process requirements in the jurisdiction of the registrants/registrars/registries where the data protection law applies (this will vary).  Given the complexity and potential expense of sorting that one out, movement towards a single ARDS needs to be very slow and deliberate.  Thought to data anonymization protocols and pseudonymous data analytics, as is done in health research protocols, could be fruitful.
> 
> D. Does the EWG propose more types of sensitive registration data be provisioned into ARDS than are found in current gTLD WHOIS output? 
> 
> Recommendation 4: The SSAC suggests that the EWG address this recommendation from SAC058: “SSAC Report on Domain Name Registration Data Validation”:
> As the ICANN community discusses validating contact information, the SSAC recommends that the following meta-questions regarding the costs and benefits of registration data validation should be answered:
> 
> • What data elements need to be added or validated to comply with requirements or expectations of different stakeholders?
> • Is additional registration processing overhead and delay an acceptable cost for improving accuracy and quality of registration data?
> • Is higher cost an acceptable outcome for improving accuracy and quality?
It has to be.  If not, might as well remain with status quo.
> • Would accuracy improve if the registration process were to provide natural persons with privacy protection upon completion of multi-factored validation?
Who is going to do the multi factor validation?  What new risks/costs does this load on to the registrars, or the operators of an ARDS if the job falls to them?  Why only natural persons? This is one of the jurisdictional headaches in that legal persons have a right in some places to privacy protection.  Given that groups are often targets of hate crime (religious or ethnic groups, political dissidents, environmental activists, etc.) if one were to do a risk analysis of stakeholders one might find that the registrants at highest risk are groups, not individuals (e.g. reporters, in some jurisdictions).
The fact is that individuals have legal rights to privacy right now, which may not be uniformly enforced in some jurisdictions. 

I suspect this may be enough to kick off discussion, Mikey.
Kind regards,
Stephanie Perrin