<div dir="ltr"><div>Hi Michael,</div><div><br></div><div>so what you are looking for (and shouldn't be as a neutral chair!) is a system where the registrant is required to respond to these messages? Or else?<br></div><div>Do you have any idea how much problems such a process would cause? Apparently not...</div><div><br></div><div>No registrar has the capacity to trigger a verification process if such a process is triggered every time a registrant neglects to confirm his data as accurate. <br></div><div>Requiring registrants to click to confirm on messages in emails also goes against years of anti-phishing training.</div><div>Finally, the only sanction we as registrars have would be the suspension of the domain. Can you imagine how many domains would needlessly go dark over such a process that ultimately has no tangible benefits?</div><div><br></div><div>
You say you do not have trust
with the accuracy of the registrant data depending upon a malicious registrant being expected to tell the truth. Well, we don't either. No malicious registrant is going to tell the truth, ever. And no feasible process in the world we can conjure up is going to prevent them from finding ways around that process unless you are proposing to rewrite the entire internet ecosystem. <br></div><div><br></div><div>Following your statement: "
<span class="gmail-im"><span lang="EN-US"> I think it is fair to characterize
the Registrar’s position as follows", you are actually misrepresenting our position. Our position is that if there is evidence of a widespread accuracy issue, we are happy to investigate further. We do not see such an issue however, as the ARS clearly showed that the 2013 RAA has brought changes that over the course of the ARS have improved the accuracy of registrant data significantly. The data we have does not bear out the claims of widespread inaccuracy issues. And the data we have is also significantly outdated. If ICANN can find a way to restart ARS in a way that is compliant with GDPR and other applicable data protection laws, they should go for it. It would require them finally accepting that they are a data controller, but we would welcome that too. <br></span></span></div><div><span class="gmail-im"><span lang="EN-US"><br></span></span></div><div><span class="gmail-im"><span lang="EN-US">You then go on to state that "
<span class="gmail-im"><span lang="EN-US">What I find odd is the almost
universal support of Registries and Registrars to look at a DNS Abuse
subset of domains to make a “malicious / comprised” determination, yet
the mere suggestion that this same subset of data could be analyzed
through the lens of “accuracy” is somehow verboten.</span></span>". I am trying to wrap my head around that statement, but am failing. How can you find this odd? Domains flagged for DNS abuse are naturally considered to be either malicious or compromised. If they were not, they would not be flagged for DNS Abuse now, would they? That is just basic logic. But then to go ahead and propose we should be basing our view of the accuracy issue in a subset of domains that have been demonstrated to be problematic is disingenuous because that subset will always be skewed toward the inaccurate because of the facts outlined above. That is like bringing your own stacked decks or loaded dice to the casino. It does not provide a neutral and objective view of the overall status of accuracy in the gTLD DNS ecosystem. I do not think anyone can fail to see that. <br></span></span></div><div><span class="gmail-im"><span lang="EN-US"><br></span></span></div><div><span class="gmail-im"><span lang="EN-US">Finally, we need to come to an agreement on the definition of accuracy. Without first completing that work, all other discussions are futile as we will just be talking past each other. Our baseline is the definition that results from our contracts. Another workable definition would be accuracy in the context of the GDPR, e.g. accurately reflecting the data provided by the data subject. <br></span></span></div><div><span class="gmail-im"><span lang="EN-US"><br></span></span></div><div><span class="gmail-im"><span lang="EN-US">Our job as a scoping team is not to deliver what some groups may want, ut to provide a neutral and objective overall scope of the issue that can be the baseline for future policy work, if such work is required. This scope cannot be biased as that would compromise the entire subsequent work. <br></span></span></div><div><span class="gmail-im"><span lang="EN-US"><br></span></span></div><div><span class="gmail-im"><span lang="EN-US">Our work is simple:</span></span></div><div><span class="gmail-im"><span lang="EN-US">A) Define Accuracy</span></span></div><div><span class="gmail-im"><span lang="EN-US">B) Review status quo<br></span></span></div><div><span class="gmail-im"><span lang="EN-US">C) Identify issues with the status quo based on objective facts and data.<br></span></span>
</div><div><br></div><div><br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span lang="EN-US">-- <br>Volker A. Greimann<br>General Counsel and Policy Manager<br><b>KEY-SYSTEMS GMBH</b><br><br>T: +49 6894 9396901<br>M: +49 6894 9396851<br>F: +49 6894 9396851<br>W: </span><a href="http://www.key-systems.net/" style="color:rgb(17,85,204)" target="_blank"><span lang="EN-US">www.key-systems.net</span></a><span lang="EN-US"><br><br>Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835<br>CEO: Oliver Fries and Robert Birkner<br><br>Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.<br><br></span><span style="font-family:Roboto,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(248,249,250)">This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.</span></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 2, 2022 at 6:20 PM Michael Palage <<a href="mailto:michael@palage.com">michael@palage.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;" lang="EN-US"><div class="gmail-m_-3469826471217625908WordSection1"><p class="MsoNormal">Sarah,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I think your response actually hits the nail on the head regarding the concerns of the BC, IPC, ALAC, SSAC, and GAC.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">When I get my annual notification from GoDaddy at my email address, I do nothing because I know the data is accurate and I know there is no need to respond. I think there is group consensus that this is the right outcome.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">However, when malicious registrant uses <a href="mailto:mickey.mouse@protonmail.com" target="_blank">mickey.mouse@protonmail.com</a> to register an abusive domain name, and their Registrar sends an annual email that does not bounce, under the contractual requirements in the 2013 RAA that data is deemed accurate. I think that is the break down between both camps. Further complicating matters is that a point in time operational verification of an email could have happened years in the past. Finally, I think the BC, IPC, ALAC, SSAC, and GAC also have a trust issue with the accuracy of the registrant data depending upon a malicious registrant being expected to tell the truth.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks for your contribution and moving this discussion forward. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Best regards,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Michael<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><div><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"><p class="MsoNormal"><b>From:</b> Sarah Wyld <<a href="mailto:swyld@tucows.com" target="_blank">swyld@tucows.com</a>> <br><b>Sent:</b> Wednesday, March 2, 2022 10:42 AM<br><b>To:</b> <a href="mailto:michael@palage.com" target="_blank">michael@palage.com</a>; 'Roger D Carney via GNSO-Accuracy-ST' <<a href="mailto:gnso-accuracy-st@icann.org" target="_blank">gnso-accuracy-st@icann.org</a>><br><b>Subject:</b> RE: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org<u></u><u></u></p></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span lang="EN-CA">Hi Michael,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Indeed, if the data is accurate, the RNH has no obligation to respond. If it’s inaccurate they must update it. For all we know, you don’t check that account because it forwards to your primary email address. <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><pre><span lang="EN-CA"><u></u> <u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA">-- <u></u><u></u></span></pre><pre><b><span style="font-family:"Verdana",sans-serif" lang="EN-CA">Sarah Wyld</span></b><span style="font-family:"Verdana",sans-serif" lang="EN-CA">, CIPP/E<u></u><u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA"><u></u> <u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA">Policy & Privacy Manager<u></u><u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA">Pronouns: she/they<u></u><u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA"><u></u> <u></u></span></pre><pre><span lang="EN-CA"><a href="mailto:swyld@tucows.com" target="_blank"><span style="font-family:"Verdana",sans-serif">swyld@tucows.com</span></a></span><span style="font-family:"Verdana",sans-serif" lang="EN-CA"> <u></u><u></u></span></pre><p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"" lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><img style="width: 1.0416in; height: 0.25in;" id="gmail-m_-3469826471217625908Picture_x0020_3" src="cid:17f4cac253f4cff311" width="100" height="24" border="0"></span><span lang="EN-CA"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"><p class="MsoNormal"><b><span lang="EN-CA">From: </span></b><span lang="EN-CA"><a href="mailto:michael@palage.com" target="_blank">Michael Palage</a><br><b>Sent: </b>March 2, 2022 9:44 AM<br><b>To: </b><a href="mailto:swyld@tucows.com" target="_blank">'Sarah Wyld'</a>; <a href="mailto:gnso-accuracy-st@icann.org" target="_blank">'Roger D Carney via GNSO-Accuracy-ST'</a><br><b>Subject: </b>RE: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org<u></u><u></u></span></p></div><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal">Hello Sarah,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Please correct me if I am wrong but the current requirement is for Registrars to send an annual email reminder, however, there is NO requirement for the Registrant to affirmatively respond. Moreover, if there is NO bounce the Registrar is permitted to assume that all is good. When I get my annual GoDaddy email I largely ignore it, and sometimes find it in my spam folder. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Therefore, if I was to register a domain name with the email <a href="mailto:MickeyMouse@protonmail.com" target="_blank">MickeyMouse@protonmail.com</a> and never check that email account, as long as the Registrar NEVER received a bounced email it would be considered accurate under your reference to the annual email notification. Would you agree with this statement?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I guess the more important insight is what are the Registries and Registrars participating in the malicious v. compromises domain name study doing to make this determination. Could the Registrars and Registries perhaps share any insight on how this research is being undertaken?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Best regards,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Michael<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><div><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"><p class="MsoNormal"><b>From:</b> GNSO-Accuracy-ST <<a href="mailto:gnso-accuracy-st-bounces@icann.org" target="_blank">gnso-accuracy-st-bounces@icann.org</a>> <b>On Behalf Of </b>Sarah Wyld<br><b>Sent:</b> Wednesday, March 2, 2022 9:27 AM<br><b>To:</b> Roger D Carney via GNSO-Accuracy-ST <<a href="mailto:gnso-accuracy-st@icann.org" target="_blank">gnso-accuracy-st@icann.org</a>><br><b>Subject:</b> Re: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org<u></u><u></u></p></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span lang="EN-CA">Hello all,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">There’s a lot going on in this thread which I am not able to respond to at this time, but I do want to respond to one specific suggestion:<br><br>> </span>Would it be that much of an additional burden to ask the Registrants if the information contained in the Whois/RDDS is accurate and share those results with the group?<span lang="EN-CA"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">There is an annual Whois data confirmation email sent out to all registrants, which includes the current registration data and asks them if it is accurate, along with an explanation that they are required to provide accurate and up-to-date information and instructions for how to update it if necessary. <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Does that not match up with this idea of asking Registrants if their Whois info is accurate? <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Thanks, <u></u><u></u></span></p><pre><span lang="EN-CA"><u></u> <u></u></span></pre><pre><span lang="EN-CA"><u></u> <u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA">-- <u></u><u></u></span></pre><pre><b><span style="font-family:"Verdana",sans-serif" lang="EN-CA">Sarah Wyld</span></b><span style="font-family:"Verdana",sans-serif" lang="EN-CA">, CIPP/E<u></u><u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA"><u></u> <u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA">Policy & Privacy Manager<u></u><u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA">Pronouns: she/they<u></u><u></u></span></pre><pre><span style="font-family:"Verdana",sans-serif" lang="EN-CA"><u></u> <u></u></span></pre><pre><span lang="EN-CA"><a href="mailto:swyld@tucows.com" target="_blank"><span style="font-family:"Verdana",sans-serif">swyld@tucows.com</span></a></span><span style="font-family:"Verdana",sans-serif" lang="EN-CA"> <u></u><u></u></span></pre><p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"" lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><img style="width: 1.0416in; height: 0.25in;" id="gmail-m_-3469826471217625908_x0000_i1026" width="100" height="24" border="0"></span><span lang="EN-CA"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"><p class="MsoNormal"><b><span lang="EN-CA">From: </span></b><span lang="EN-CA"><a href="mailto:michael@palage.com" target="_blank">Michael Palage</a><br><b>Sent: </b>March 2, 2022 9:10 AM<br><b>To: </b><a href="mailto:BBurr@hwglaw.com" target="_blank">'Becky Burr'</a>; <a href="mailto:Melina.STROUNGI@ec.europa.eu" target="_blank">'STROUNGI Melina'</a>; <a href="mailto:becky.burr@board.icann.org" target="_blank">'Becky Burr'</a><br><b>Cc: </b><a href="mailto:gnso-accuracy-st@icann.org" target="_blank">gnso-accuracy-st@icann.org</a><br><b>Subject: </b>Re: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org<u></u><u></u></span></p></div><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal">Hello Becky,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">In my capacity as the Chair, I view my responsibilities as trying to balance the respective perspectives of all participants and making sure that we document all of these perspectives in our work product. As noted before, I would like to avoid some of the holes identified in the SSAD ODA, by making sure that we look at all sides of issues (both popular and unpopular).<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I think most will agree with me, that there have been some deeply held and divergent viewpoints that were crystal clear at the start of this Group’s work, see <a href="https://mm.icann.org/pipermail/gnso-accuracy-st/attachments/20211005/46ce22c7/AccuracyScopingTeam-InitialInput-5October2021-0001.pdf" target="_blank">https://mm.icann.org/pipermail/gnso-accuracy-st/attachments/20211005/46ce22c7/AccuracyScopingTeam-InitialInput-5October2021-0001.pdf</a> I think it is fair to characterize the Registrar’s position as follows: the 2013 RAA provides a black and white guidance as to the term accuracy; recent ICANN Compliance reports indicate that there are a de minimis number of accuracy complaints; therefore there is no problem let’s move on. I also think it is fair to characterize the BC, IPC, ALAC, SSAC and GAC respective positions as the 2013 RAA definition is over narrow; the recent ICANN Compliance reports are under-reporting inaccuracy because legitimate third party access has largely gone dark, therefore we need to reinitiate some type of accuracy survey to see the scope of the problem (if any) and propose a new definition (if necessary).<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">So as Chair, I started out with the proposition that the 2013 RAA was a rebuttal status quo baseline for defining accuracy. Initially, there were several groups that rebutted that definition. In fact, the push back was so hard we did not even use the term “definition” for a couple of weeks. However, after ICANN Compliance provided their feedback it was clear that the scope of accuracy was not simply a 2013 RAA black and white syntactical and operational exercise. My job as Chair was then to help define the scope of that “grey” for purposes of our working definition as well as potential studies that might be undertaken to help document any accuracy problem. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">In response to calls from a number of members that wanted to restart the ARS, which was unilaterally suspended by ICANN Org after the GDPR went into effect, my job as Chair was to help find a potential middle ground if possible. While being respectful of contracting parties data privacy concerns, including the lack of no DPA with ICANN, I wanted to find the optimal path forward for a potential new ARS that would be in compliant with Article 6.1.(f) of the GDPR: <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal" style="margin-left:0.5in">processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">So instead of processing data from a universe of over 200 million gTLD domain registrations, I thought ICANN Org would be able to maximize its legitimate interest (while also taking into account the interests of the registrant) by focusing on a much narrower class of domain names associated with documented DNS abuse. Now there is almost universal recognition that there is a DNS Abuse problem, see DNS Abuse Institute, topDNS, Global Cyber Alliance, EU DNS Abuser Report, and CoCCA DSI. In fact the Registries and Registrars are both supportive of the upcoming DNS Abuse session that will undertake an analysis between maliciously registered domain names and compromised domain names. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">What I find odd is the almost universal support of Registries and Registrars to look at a DNS Abuse subset of domains to make a “malicious / comprised” determination, yet the mere suggestion that this same subset of data could be analyzed through the lens of “accuracy” is somehow verboten. I think you would agree with me that to an objective outside observer, the Registrar pushback appears less likely tied to statistical purity and potentially more likely because of what those results may reveal. To those Registries and Registrars that may be participating in the malicious v compromised domain name study, I assume you are contacting Registrants. Would it be that much of an additional burden to ask the Registrants if the information contained in the Whois/RDDS is accurate and share those results with the group? <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">In respond to your comment about “understand[ing] the interest in asking ICANN about its legal advice, but I am skeptical that will prove particularly enlightening.” Perhaps if ICANN Legal just provided a legal basis to the community instead of making self-serving proclamations about its role that would help out from a trust building exercise. These are the concerns that I heard on the call last week when Thomas raised the issue about the lack of a DPA and Stephanie’s repeated request for ICANN to file a DPIA over the past several years. Additionally, there have been other members that have raised similar concerns, so as Chair I will continue to push for these voices within the Working Group to be heard and to obtain the data for this group to make a factual determination.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Best regards,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Michael<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><div><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"><p class="MsoNormal"><b>From:</b> Becky Burr <<a href="mailto:BBurr@hwglaw.com" target="_blank">BBurr@hwglaw.com</a>> <br><b>Sent:</b> Tuesday, March 1, 2022 1:29 PM<br><b>To:</b> 'STROUNGI Melina' <<a href="mailto:Melina.STROUNGI@ec.europa.eu" target="_blank">Melina.STROUNGI@ec.europa.eu</a>>; 'Becky Burr' <<a href="mailto:becky.burr@board.icann.org" target="_blank">becky.burr@board.icann.org</a>>; <a href="mailto:michael@palage.com" target="_blank">michael@palage.com</a><br><b>Cc:</b> <a href="mailto:gnso-accuracy-st@icann.org" target="_blank">gnso-accuracy-st@icann.org</a><br><b>Subject:</b> Re: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org<u></u><u></u></p></div></div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><div id="gmail-m_-3469826471217625908divtagdefaultwrapper"><p><span style="color:black">Re "clearing the bar" for legitimate interests not outweighed by the data subjects' privacy rights, what I think is probably not particularly relevant. In the end, it will fall to the party granting access to the data (i.e., the Contracted Party) to make that call. But in general I do agree that processing based on a specific cause for concern will usually be easier to justify under GDPR.<u></u><u></u></span></p><p><span style="color:black"><u></u> <u></u></span></p><p><span style="color:black">That said, I do agree with the CPs who expressed concern about skewed results. If we want to actually understand the volume and nature of inaccuracy across the entire data set and we wanted an answer that cannot be dismissed by one group of stakeholders or another, then a proactive audit that looks at registrant data across domains and across sponsoring registrars is likely necessary. I'm not a statistics guru, but I suspect you could design a study that looked at a subset of the data, but looking only at the subset of data that has already been identified as inaccurate seems very problematic to me.<u></u><u></u></span></p><p><span style="color:black"><u></u> <u></u></span></p><p><span style="color:black">I understand the interest in asking ICANN about its legal advice, but I am skeptical that will prove particularly enlightening. <u></u><u></u></span></p><p><span style="color:black"><u></u> <u></u></span></p><p><span style="color:black">While I'd prefer to use the actual language from the 6.1(f) exception (legitimate interests not overridden by the interests/rights/freedoms of the data subject) using "under the GDPR" rather than "proportionate" also works.<u></u><u></u></span></p><p><span style="color:black"><u></u> <u></u></span></p><div id="gmail-m_-3469826471217625908Signature"><div id="gmail-m_-3469826471217625908divtagdefaultwrapper"><p><b><span style="font-family:"Franklin Gothic Medium",sans-serif;color:rgb(0,111,201)">J. Beckwith Burr</span></b><span style="color:black"><u></u><u></u></span></p><p><span style="font-family:"Franklin Gothic Medium",sans-serif;color:rgb(0,111,201)">HARRIS, WILTSHIRE & GRANNIS </span><span style="font-size:9pt;font-family:"Franklin Gothic Medium",sans-serif;color:rgb(0,111,201)">LLP</span><span style="color:black"><u></u><u></u></span></p><p><span style="font-family:"Franklin Gothic Medium",sans-serif;color:rgb(0,111,201)">1919 M Street NW/8th Floor</span><span style="color:black"><u></u><u></u></span></p><p><span style="font-family:"Franklin Gothic Medium",sans-serif;color:rgb(0,111,201)">Washington DC 20036</span><span style="color:black"><u></u><u></u></span></p><p><span style="font-family:"Franklin Gothic Medium",sans-serif;color:rgb(0,111,201)">202.730.1316 (P) 202.352.6367 (M)</span><span style="color:black"><u></u><u></u></span></p><p><span style="color:black"><u></u> <u></u></span></p></div></div></div><p class="MsoNormal" style="text-align:center" align="center"><span style="font-size:12pt;font-family:"Times New Roman",serif"><img style="width: 3.625in; height: 0.0277in;" id="gmail-m_-3469826471217625908_x0000_i1025" width="348" height="3" border="0"></span><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u><u></u></span></p><div id="gmail-m_-3469826471217625908divRplyFwdMsg"><p class="MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> GNSO-Accuracy-ST <</span><span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:gnso-accuracy-st-bounces@icann.org" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">gnso-accuracy-st-bounces@icann.org</span></a></span><span style="color:black">> on behalf of Michael Palage <</span><span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:michael@palage.com" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">michael@palage.com</span></a></span><span style="color:black">><br><b>Sent:</b> Tuesday, March 1, 2022 12:14:56 PM<br><b>To:</b> 'STROUNGI Melina'; 'Becky Burr'<br><b>Cc:</b> </span><span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:gnso-accuracy-st@icann.org" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">gnso-accuracy-st@icann.org</span></a></span><span style="color:black"><br><b>Subject:</b> Re: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org</span><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p></div></div><div><div><p class="MsoNormal"><span style="font-size:12pt">Hello Becky,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">I think we are in agreement that the processing/disclosing of non-public PII involves a two part test: legitimate interest and proportionate interest. As you and others may recall this is why I have proposed that any limited restart of the ARS program involve a sampling of the data from the monthly DAAR reporting. <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">From a legitimate interest standpoint, the domains reported in DAAR (e.g. malware, phishing, SPAM) are clearly involved in illegal activity in most jurisdictions. I do not see any situation in which ICANN would not easily clear this bar. Would you agree?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">With regard to the proportionality (balancing test), as will be discussed in the upcoming ICANN73 meeting, there are two types of potential registrations involving abusive domains, maliciously registered domain names and compromised domain names. From a “balancing test” ICANN easily clears any proportionality bar when looking at maliciously registered domain names. Would you agree? <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">With regard to compromised domains, while this balancing test is a little more substantive than with malicious domain names, I believe this is a bar that ICANN Org and the Contracting Parties should easily be able to clear in almost every scenario. Unlike the old Whois/RDDS that made registrant data publicly available for scraping, this proposed audit would be limited to a restrictive number of parties, ICANN, third-party vendor, and contracting party. Would you agree?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">I am also in agreement with your comments distinguishing between targeted processing/disclosure versus bulk processing/disclosure. This is why I made the specific proposal to restart ADR on a limited scale targeting just Abusive Domain Names reported via DAAR. This targeted focus should address your bulk processing claims. Would you agree? <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">What I found disappointing when I brought this to the consideration of the entire Working Group is that several Contracting Parties opposed this potential reasonable path forward because they thought that this would potentially skew the accuracy results. These Contracting Parties instead were adamant that any survey would need to involve the entire data set. My concern with this position is that any demands to include the entire set is potentially a non-start for processing in a legal compliant manner per the GDPR. <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">In order to further explore your claim that the DPA is a red hearing, perhaps the Registry and Registrars representatives could go back to their respective stakeholders groups and ask for scenarios in which they would be willing to transfer data to ICANN or a designated vendor to check the accuracy of data. Would you agree with me that this data point would be extremely helpful in resolving potential ambiguity between the parties and their respective roles?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12pt">In closing, I want to thank both Becky and Melina for your respective feedback and I look forward to additional constructive feedback going forward.</span><span class="gmail-m_-3469826471217625908hgkelc"><span style="font-family:"Times New Roman",serif" lang="EN-CA"><u></u><u></u></span></span></p><p class="MsoNormal"><span class="gmail-m_-3469826471217625908hgkelc"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></span></p><p class="MsoNormal"><span class="gmail-m_-3469826471217625908hgkelc"><span style="font-size:12pt;font-family:"Times New Roman",serif">Best regards,<u></u><u></u></span></span></p><p class="MsoNormal"><span class="gmail-m_-3469826471217625908hgkelc"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></span></p><p class="MsoNormal"><span class="gmail-m_-3469826471217625908hgkelc"><span style="font-size:12pt;font-family:"Times New Roman",serif">Michael</span></span><span lang="EN-CA"><u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><div><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"><p class="MsoNormal"><b>From:</b> STROUNGI Melina <<span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:Melina.STROUNGI@ec.europa.eu" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">Melina.STROUNGI@ec.europa.eu</span></a></span>> <br><b>Sent:</b> Tuesday, March 1, 2022 11:13 AM<br><b>To:</b> Becky Burr <<span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:becky.burr@board.icann.org" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">becky.burr@board.icann.org</span></a></span>>; <span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:michael@palage.com" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">michael@palage.com</span></a></span><br><b>Cc:</b> <span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:gnso-accuracy-st@icann.org" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">gnso-accuracy-st@icann.org</span></a></span><br><b>Subject:</b> RE: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org<u></u><u></u></p></div></div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">Dear Becky, all,<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">many thanks for your additional suggestions.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">my two cents on the below:<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">I support the distinction proposed by Becky, but would recommend replacing ‘proportionate’ with ‘under the GDPR’ so we are fully covered.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">The original question raised was “<i>Is ICANN able to access registration data <u>under the GDPR</u> on the basis that it has a legitimate interest in checking the accuracy of the data? “</i><u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">The reference alone to the GDPR means that indeed the balancing test has been taken into account. As you rightly point out the GDPR requires a balancing test when ‘legitimate interests’ is used as a legal basis. So in my view as long as there is a reference to the GDPR there is no need to explicitly add the proportionate part. It is already implied. Plus, a more general reference is more encompassing in the sense that it takes into account the totality of the balancing test (i.e., data subjects’ interests etc.)<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">Having said that I am all supportive of asking all of these questions (in general I am in favor of asking as many questions as we can think of as this is at the heart of our scoping tasks), but I would maintain –on top of what you suggest –the specific question on whether ICANN ever received or plans to receive legal advice on this particular topic.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">If I recall correctly this had been discussed in our accuracy scoping meeting of 17 February and was proposed as a question to be addressed to Brian so he can forward it to ICANN compliance.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">In order to be able to progress with our discussions, it is important to know where exactly ICANN would base their assessment on these questions (i.e., whether they have received specific in-house or external legal advice, including but not limited to any correspondence with the EDPB). <u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">I have now tried to integrate Becky’s suggestion to the original questions. Hope this helps.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><u><span style="font-size:12pt;font-family:"Times New Roman",serif">Question 1<u></u><u></u></span></u></p><ol type="1" start="1"><li class="gmail-m_-3469826471217625908MsoListParagraph">Does ICANN have a legitimate interest under the GDPR in accessing <i>domain name registration data in response to complaints</i> that the data is inaccurate? Has ICANN ever received or plans to receive legal advice on this particular topic? <u></u><u></u></li><li class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">Does ICANN have a legitimate interest under the GDPR in <i>proactively </i>acquiring <i>bulk access</i> to domain name registration data to undertake an accuracy audit, even with respect to data for which it has no basis to question its accuracy? Has ICANN ever received or plans to receive legal advice on this particular topic? <u></u><u></u></span></li></ol><p class="MsoNormal"><u><span style="font-size:12pt;font-family:"Times New Roman",serif">Question 2<u></u><u></u></span></u></p><p class="MsoNormal"><u><span style="font-size:12pt;font-family:"Times New Roman",serif">For either scenario a or b under question 1</span></u><span style="font-size:12pt;font-family:"Times New Roman",serif">: Does ICANN believe that a Data Protection Agreement between itself and the Contracted Parties is a necessary legal requirement for requesting and receiving this data, and if so for what legal reason? What happens if the registrar receiving the access request disagrees with ICANN's application of the balancing test, i.e., does ICANN have the contractual authority to enforce its access request? <u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">Best,<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">Melina<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><b>From:</b> GNSO-Accuracy-ST <<span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:gnso-accuracy-st-bounces@icann.org" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">gnso-accuracy-st-bounces@icann.org</span></a></span>> <b>On Behalf Of </b>Becky Burr<br><b>Sent:</b> Tuesday, March 1, 2022 4:27 PM<br><b>To:</b> <span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:michael@palage.com" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">michael@palage.com</span></a></span><br><b>Cc:</b> <span style="font-size:12pt;font-family:"Times New Roman",serif"><a href="mailto:gnso-accuracy-st@icann.org" target="_blank"><span style="font-size:11pt;font-family:"Calibri",sans-serif">gnso-accuracy-st@icann.org</span></a></span><br><b>Subject:</b> Re: [GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org<u></u><u></u></p><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">Michael -<u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">Respectfully, and without taking a position on whether these questions are relevant or timely, I think the questions need to be more nuanced to produce useful answers.<u></u><u></u></span></p></div><div><ol type="1" start="3"><li class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">Does ICANN have a legitimate <b>and proportionate </b>interest in accessing <i>individual registration records in response to credible complaints</i> that the data is inaccurate? If so, is a DPA required to access data in such situations? What happens if the registrar receiving the access request disagrees with ICANN's application of the balancing test, i.e., does ICANN have the contractual authority to enforce its access request? <u></u><u></u></span></li><li class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">Does ICANN have a legitimate <b>and proportionate</b> interest in <i>proactively </i>acquiring <i>bulk access</i> to registrant data to undertake an accuracy audit, even with respect to data for which it has no basis to question its accuracy? If so, is a DPA necessary to do so? What happens if the registrar receiving the access request disagrees with ICANN's application of the balancing test, i.e., does ICANN have the contractual authority to enforce its access request?<u></u><u></u></span></li></ol><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">It is important to keep in mind that a legitimate interest is necessary <i>but not sufficient</i> under GDPR. The processing necessary to satisfy a legitimate interest must be proportionate, i.e., not outweighed by the privacy rights of the individual data subject(s). As a result, the two situations (access to a single record based on reasonable grounds to believe the data is inaccurate v. proactive access without individualized suspicion) are quite different from a data protection perspective, with the first being far less complicated to defend. In addition, a CP's contractual obligations, e.g., under the RAA, may be different in those situations.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">FWIW, I think the DPA issue is a bit of a red herring here. Presumably, ICANN's requests for one-off data can be handled in the same way that anyone else's access request is handled, e.g., if the data is to be transferred outside of the EU by imposing controller to controller Standard Contractual Clauses as the terms and conditions of such access on a case-by-case basis. If the EDPB were to confirm that ICANN's<i> bulk access</i> to data for proactive checking was legitimate and proportionate, it's clear to me that a narrowly focused DPA between ICANN and CPs applicable to data access for the specific purpose of checking accuracy (e.g., prohibiting onward transfer, etc.) could be crafted. The real question is whether (i) the temp spec /epdp phase 1 policy obligating CPs to provide reasonable access for legitimate and proportionate purposes encompasses bulk access or (ii) some other provision of the agreements produces an obligation to provide bulk access. <u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">Apologies for being pedantic here. None of us can say with any certainty what GDPR does or does not permit as that determination is ultimately made by individual data protection authorities and/or the EDPB. We are asking ICANN for its views on what GDPR would permit in specific circumstances, so the relevant circumstances should be articulated precisely to produce useful answers. <u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">b<u></u><u></u></span></p></div></div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div></div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><div><div><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif">On Thu, Feb 24, 2022 at 5:12 PM Michael Palage <<a href="mailto:michael@palage.com" target="_blank">michael@palage.com</a>> wrote:<u></u><u></u></span></p></div><blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin:5pt 0in 5pt 4.8pt"><div><div><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">Hello Everyone,<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">Over the past couple of weeks there has been a recurring theme in our calls and in some of the side discussions that I have had with some members regarding about how the potential lack of a Data Processing Agreement between ICANN Org and the Contracting Parties might negatively impact our future work and/or recommendations.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">Therefore I would like to propose to the group for their consideration the following additional questions that we may want to propose to ICANN Org as we continue our work:<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">• “Is ICANN able to access registration data under the GDPR on the basis that it has a legitimate interest in checking the accuracy of the data? Has ICANN ever received or plans to receive legal advice on this particular topic? <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">• Does ICANN believe that the Data Protection Agreement between itself and the Contracted Parties is a necessary legal requirement for requesting and receiving this data, and if so for what legal reason?" <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">As always I welcome any thoughts and or considerations?<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">Best regards,<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif">Michael<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.2in"><span style="font-size:12pt;font-family:"Times New Roman",serif"> <u></u><u></u></span></p></div></div></blockquote></div></div></div><p class="MsoNormal" style="margin-left:4.8pt"><span style="font-size:12pt;font-family:"Times New Roman",serif">_______________________________________________<br>GNSO-Accuracy-ST mailing list<br><a href="mailto:GNSO-Accuracy-ST@icann.org" target="_blank">GNSO-Accuracy-ST@icann.org</a><br><a href="https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-accuracy-st__;!!DOxrgLBm!UNIutLhtKN79DDAyXMFbwLBM5YmXBcSEX_Z4GrdQYmzW9hzoy8-8tEvp-nQ58gfd3kyLTw-r$" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-accuracy-st</a><br><br>_______________________________________________<br>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!UNIutLhtKN79DDAyXMFbwLBM5YmXBcSEX_Z4GrdQYmzW9hzoy8-8tEvp-nQ58gfd3uHvF4Qg$" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!UNIutLhtKN79DDAyXMFbwLBM5YmXBcSEX_Z4GrdQYmzW9hzoy8-8tEvp-nQ58gfd3p4iJdXc$" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif" lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p></div></div>_______________________________________________<br>
GNSO-Accuracy-ST mailing list<br>
<a href="mailto:GNSO-Accuracy-ST@icann.org" target="_blank">GNSO-Accuracy-ST@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-accuracy-st" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-accuracy-st</a><br>
<br>
_______________________________________________<br>
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" rel="noreferrer" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" rel="noreferrer" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</blockquote></div>