[RDS-WHOIS2-Safeguard] Work plan for Safeguard Registrant Data

Alan Greenberg alan.greenberg at mcgill.ca
Wed Feb 14 03:56:22 UTC 2018 

During the last plenary meeting, there was a discussion of one of the 
items I lead - Safeguarding Registrant Data.

Two issues were raised.

1. Given the number of data breaches that we regularly hear about, 
the question was raised about whether we should look into the ICANN's 
Escrow facilities, most likely focusing on the main provider, Iron 
Mountain. I think this is a valid point. I would propose that we 
first talk to someone from the ICANN Global Domains Division who is 
knowledgeable on the Escrow rules and procedures. Presumably they can 
also provide some documentation. Following that, we should interview 
someone from Iron Mountain so that we understand how data is 
transferred to them, how it may be retrieved in disaster-like 
circumstances, and how the data is protected. When Iron Mountain 
started, I suspect the bulk of their business was transporting and 
storing magnetic takes. Now I presume it is all online and 
potentially vulnerable.

In addition to this, perhaps we might also want to talk to a sampling 
of registrars and registries (if we can find any who are willing!). 
Although WHOIS data is currently public, perhaps we want to ask about 
how well it is protected from being changed or erased.

2. Lisa (I think) raised the issue that the Terms Of Reference, as 
decided in Brussels identifies several parts to this overall study:
    (a) identifying the lifecycle of registrant data,
    (b) determining if/how data is safeguarded in each phase of that 
lifecycle,
    (c) identifying high-priority gaps (if any) in safeguarding 
registrant data, and
    (d) recommending specific measurable steps (if any) the team 
believes are important to fill gaps.

In the work statement/plan, I wrote:

Items a, c and d are being covered in both the ongoing NextGen RDS 
PDP and efforts to address laws related to the European GDPR. I do 
not believe that there is any merit in us replicating these.
b) Currently all Whois data is made available publicly. Although this 
will surely change with regard to natural persons, and likely other 
groups as a result of the ongoing efforts, currently there is no protection.

On reviewing this, I still largely stand by what I wrote, although 
subject to the additions in 1 above. Going in the details of the 
lifecycle and the various stages (other than making sure data is not 
lost of changed as per #1), does not sound like a productive way to 
spend our time in light of the other work that is ongoing.

Comments?

More information about the RDS-WHOIS2-Safeguard mailing list