[Ssr2-review] Privacy protections answer

Jennifer Bryce jennifer.bryce at icann.org
Thu Mar 21 13:48:32 UTC 2019


Dear SSR2 Review Team members,

Please see the below response from ICANN org to initial and follow-up questions from the SSR2 Review Team regarding GDPR.

Review Team volunteers: Eric, Norm, Laurin, Kerry-Ann, Noorul
Workstream: Future Challenges
Topic: Privacy protections (DNS over TLS / over HTTPS; Circular dependencies between WebPKI and DNSSEC; Impact on Proactive anti-abuse and investigations)

Response from ICANN org:
ICANN’s achievement of recent GDPR-related milestones, including (a) the Board’s approval of the Temporary Specification<https://www.icann.org/news/announcement-2018-05-17-en> for gTLD Registration Data (Temp Spec) and (b) the GNSO Council’s 4 March 2019 adoption<https://www.icann.org/news/announcement-2019-03-04-en> of the Final Recommendations of the Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (Final Recommendations), is the product of an unprecedented investment of ICANN org, Board, and community resources. Reaching these milestones was a notable accomplishment, but ICANN’s work related to GDPR is by no means complete.

ICANN org provides this answer, which is focused on GDPR-related impacts on the availability of registration directory data, in response to the SSR2 Review Team’s initial and follow-up questions, as follows:


  *   How will ICANN continue to follow up on the GDPR and related decisions?
  *   What is ICANN’s response to GDPR in the spirit of ensuring facilitation of investigation and research?
  *   How will the work of the e-PDP working group be synergised with the recommendation of the various working groups releasing recommendations that it would impact at the same time?
  *   The German Appellate Court decision on ICANN Request to Preserve WHOIS Data is one of the cases in point. This case was highly publicized when the GDPR came into effect however, since then, how these decisions are catalogued and analyzed to inform policy is not clear. This is what we refer to as ‘related decisions’.

ICANN’s GDPR Follow-Up
The ICANN Board will continue to oversee ICANN org’s efforts related to GDPR, as we rapidly approach the 20 May 2019 expiration of the Temp Spec. ICANN org executives manage subject-matter experts from various departments who are supporting the community’s efforts, including through the anticipated implementation of the policy and contractual changes included in the EPDP Team’s Final Recommendations.

ICANN org will continue to engage in a range of forums and with a range of stakeholders on GDPR-related issues that are relevant to ICANN's mission, including privacy and law enforcement.  ICANN org will continue to engage with the European community (including the European Data Protection Board), data protection agencies, and other relevant stakeholders to gain a better understanding of the relevant aspects of GDPR related to the work of ICANN org and its contracts with registry operators and registrars.

In terms of cataloguing relevant judicial developments, ICANN org tracks and posts GDPR-related judicial decisions in which ICANN is involved on this webpage<https://www.icann.org/resources/pages/data-protection-announcements-2017-12-08-en>. This page is a resource for ICANN org and the broader community to inform all of our activities, including as a resource for policy development. ICANN org’s Global Legislative and Regulatory Tracking report<https://www.icann.org/legislative-report-2019> is another source of information for the community on relevant developments in other jurisdictions, as we understand that the landscape outside of Europe is also undergoing change. ICANN org also recently released its draft charter<https://www.icann.org/en/system/files/files/proposed-org-engagement-govt-standards-charter-25feb19-en.pdf> for engagement on legislative and regulatory activity, describing the types of educational efforts that ICANN org will undertake (where appropriate) in order to allow lawmakers to understand the potential impacts on ICANN’s mission.

Recommended New gTLD Registration Data Policy
In working to address GDPR, ICANN org’s goal has been to preserve WHOIS to the greatest extent possible while also complying with applicable laws.

ICANN’s mission and mandate, as stated in ICANN’s Bylaws, led to WHOIS obligations encapsulated in ICANN consensus policies and agreements that ICANN org has with registry operators and registrars. In the pre-Temp Spec environment, these policies and contractual obligations set the minimum requirements governing the collection, retention, escrow, transfer, and display of registration data, which included contact information of the registrant, administrative, and technical contacts as well as technical information associated with a domain name. The GDPR imposed new obligations that would have made it impossible, without a step such as adoption of the Temp Spec, for ICANN org, registry operators, and registrars to continue to comply with ICANN org agreements and the law. This would have resulted in the inability of ICANN org to enforce its contracts. This would also have resulted in each registry operator and registrar making its own determination regarding what gTLD registration data should be collected, transferred, and published, leading to a fragmentation of the globally distributed WHOIS system. Fragmentation of the WHOIS system would jeopardize the availability of registration data, which is essential to ensuring the security and stability of the Internet, including to mitigate attacks that threaten the stable and secure operation of the Internet.

The consensus policy recommendations of the EPDP Team will, provided such recommendations are approved by the Board, become a new gTLD Registration Data Policy (Policy). This Policy will require registry operators and registrars to collect, retain, and publish a reduced amount of registrant data, compared to ICANN’s pre-GDPR requirements. This Policy will reduce the amount of registration data that contracted parties will be required to make available to third parties, including those involved in investigations and research. However, pending additional work by the EPDP Team on access to gTLD registration data in Phase 2, this Policy will require registry operators and registrars to publish, in a publicly accessible section of their websites, the mechanism and process for submitting requests for lawful disclosure of nonpublic registration data (See EPDP Team Recommendation 18<https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-gtld-registration-data-specs-final-20feb19-en.pdf>).

The EPDP Team is expected to consider in Phase 2 whether a standardized model for lawful disclosure of non-public registration data should be adopted, and, if such a system is adopted, the specifics about who would have access to that system and what registration data would be made available (See EPDP Team Recommendation 3<https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-gtld-registration-data-specs-final-20feb19-en.pdf>). In this context, the EPDP Team will consider, among other issues, disclosure in the context of intellectual property infringement and DNS abuse cases. The EPDP Team recognized that ICANN has a responsibility to foster openness, interoperability, resilience, security, and/or stability of the DNS in accordance with its stated mission. The EPDP Team also recognized that ICANN may have a purpose to require actors in the ecosystem to respond to data disclosure requests that are related to the security, stability, and resilience of the system. The EPDP Team is expected to consider in Phase 2 whether additional purposes should be considered to facilitate ICANN org’s Office of the Chief Technology Officer to carry out its mission (See EPDP Team Recommendation 2<https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-gtld-registration-data-specs-final-20feb19-en.pdf>).




From: ssr2-coordination <ssr2-coordination-bounces at icann.org> on behalf of "Barrett, Kerry-Ann" <kabarrett at oas.org>
Date: Saturday, March 9, 2019 at 5:27 AM
To: Russ Housley <housley at vigilsec.com>
Cc: ssr2-coordination <ssr2-coordination at icann.org>
Subject: Re: [Ssr2-coordination] [EXT] KERRY-ANN: Clarification request: Privacy protections question

Hi Russ

See clarification below. Please let me know if there has been progress on the ICANN GDPR track I’m unaware of, but I just did a search before writing the response and couldn’t find anything publicly available.
Sincerely,
Kerry-Ann Barrett
Cybersecurity Policy Specialist
Organization of American States

On Mar 8, 2019, at 11:48 PM, Russ Housley <housley at vigilsec.com> wrote:
Kerry-Ann:

Can you provide clarification?

Russ



From: Eric Osterweil <eric at osterweil.net>
Subject: Re: ERIC: Clarification request: Privacy protections question
Date: March 8, 2019 at 11:14:13 PM EST
To: Russ Housley <housley at vigilsec.com>
Cc: ssr2-coordination <ssr2-coordination at icann.org>



I looked at this question and I think this is more in Kerry-Ann’s bailiwick than mine.  Can we ask her to weigh in so that we don’t lose the goal of the question?

Eric


On Mar 8, 2019, at 11:46 AM, Russ Housley <housley at vigilsec.com> wrote:

Eric:

I think your paper is now behind you.  No one else has spoken up, so will you please send a response to Jennifer.

Russ



On Feb 24, 2019, at 1:19 PM, Russ Housley <housley at vigilsec.com> wrote:

Eric:

Once your paper is behind you, if one of the others has not spoken up, please offer a clarification for the Review Team to consider.

Russ



On Feb 22, 2019, at 5:07 AM, Jennifer Bryce <jennifer.bryce at icann.org> wrote:

Dear SSR2 Review Team,

Some clarification is sought on the below question. Would volunteers from the group asking the question please review the below request and provide further guidance?

Review Team volunteers: Eric, Norm, Laurin, Kerry-Ann, Noorul
Workstream: Future Challenges
Topic: Privacy protections (DNS over TLS / over HTTPS; Circular dependencies between WebPKI and DNSSEC; Impact on Proactive anti-abuse and investigations)

Q: How will ICANN continue to follow up on the GDPR and related decisions?

Clarification requested from ICANN org:

In providing our response:


  1.  Is there an expectation for us to look into each of the technical topics, i.e.:
      •   DNS over TLS/over HTTPS;
      •   Circular dependencies between WebPKI and DNSSEC; and
      •   Impact on Proactive anti-abuse and investigations.

NO, THIS WAS NOT THE INTENT OF THE QUESTION, ALTHOUGH SPECIFIC RECOMMENDATIONS RELATED TO GDPR AND DNS MAY BE MADE ONCE THE REVIEW IS COMPLETE.


OR


  1.  Is the SSR2 RT looking for a more general, broad response, i.e. what ICANN is doing re: GDPR, and how ICANN will continue to follow up/keep abreast of GDPR developments?

YES, IN PART. But more specifically, in an effort to avoid liability under the GDPR, registrars are refraining from publishing WHOIS information. Instead, under the temporary specification developed by ICANN, many are providing a randomized email address or web-based contact only, which can be used to contact the registrant anonymously.

The temporary specification also requires each registrar to determine, on a case-by-case basis, whether the party requesting the personal information has a legitimate interest in the information and whether it outweighs the privacy interests of the registrant. This has hampered many law enforcement investigations and the work of researchers as well. Why is this relevant? The absence of a clear way forward hampers protections from an investigative and compliance perspective. Therefore the question seeks to ask ‘what is ICANN’s response to GDPR in the spirit of ensuring facilitation of investigation and research?’ / ‘how will the work of the e-PDP working group be synergised with the recommendations of the various working groups releasing recommendations that it would impact at the same time?’



2. What does GDPR and “related decisions” specifically mean in this context?

The German Appellate Court decision on ICANN’s Request to Preserve WHOIS Data is one of the cases in point. This case was highly publicized when the GDPR came into effect; however, since then, how these decisions are catalogued and analyzed to inform policy is not clear. This is what we refer to as ‘related decisions’.

Thank you,
Jennifer
--
Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)

Email: jennifer.bryce at icann.org
Skype: jennifer.bryce.icann
www.icann.org