[Gnso-epdp-team] language re: affiliated privacy/proxy companies

Anderson, Marc mcanderson at verisign.com
Wed Dec 19 17:08:48 UTC 2018


Hi all,



James makes a good point, I support his edit.





Caitlin's proposed text has a typo showing "proxy/proxy" where I assume "privacy/proxy" is intended.





I have concerns with the text "...Registrar MUST return in response to any query full WHOIS data..."  More specifically, I don't think "any" actually means "any" in this context, "full" is undefined and should more appropriately be "unredacted" and WHOIS should be replaced with RDS or RDDS.  I suggest:  "...Registrar MUST return unredacted data in response to RDDS queries... "





I understand the reason for this recommendation is so that Registrars do not redact registration data that is already protected by a known Privacy or Proxy service.  If the Privacy/Proxy service is operating as intended then personally identifiable information of the registrant has already been removed from the RDDS record and so further redacting it is redundant and creates an unnecessary hurdle for a requestor with a legitimate need to access the actual registration data behind the service.  While Caitlin's proposed language is generally clear, sometimes an explanation of the intent can be helpful in particular when it comes time to implement the policy.  I suggest adding text along these lines:



The intent of the working group in making this recommendation is that Registrars should not redact registration data that is already protected by a known Privacy/Proxy service.  Redacting the RDS data of a Privacy/Proxy service provider shouldn't be necessary for GDPR compliance and creates an unnecessary hurdle for a requestor with a legitimate need to access the actual registration data behind the service.





On our Tuesday call we discussed the fact that it is not always known to the registrar that the registration is from a privacy/proxy service.  I used the words "known Privacy or Proxy service" while Caitlin uses "offered or made available by Registrar or its Affiliates".  I'm not sure which is better and perhaps this is a question for registrars.  I'm sensitive to registrars potentially getting sideways with compliance over this.  On last Thursday's (meeting #34) call, Marika talked to us about the "policy change impact" section of the report which could include information on how to measure compliance.  While we agreed on Thursday's call to table that until we are a little further along in our policy recommendations, that does have me wondering if there is language we could add so that Registrars and compliance are on the same page as to how this should be implemented and enforced?





We also spoke about the currently on hold Privacy/Proxy implementation effort.  I understand them to be on hold awaiting our final policy recommendations as that may inform or otherwise impact their work.  I am maybe being overly cautious here, but I want to make sure nothing in our recommendations conflicts with or constrains the Privacy/Proxy group.  Our group is responsible for GDPR compliance, their group for implementing a Privacy/Proxy policy.  Some overlap may be unavoidable but we should leave Privacy/Proxy policy to them.  I'm thinking adding language that this recommendation is subject to that policy might be prudent.  If there is no conflict then this recommendation stands, but if it conflicts with their policy, then their policy takes precedence.





Thanks,
Marc









From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of James M. Bladel
Sent: Wednesday, December 19, 2018 8:15 AM
To: Caitlin Tubergen <caitlin.tubergen at icann.org>; GNSO EPDP <gnso-epdp-team at icann.org>
Subject: [EXTERNAL] Re: [Gnso-epdp-team] language re: affiliated privacy/proxy companies



Hi All-



This language is mostly ok (thanks Caitlin!), but the parenthetical example sideswipes the natural vs. legal debate.   Recommend we change this:



 (e.g. where data associated with a natural person is masked)



To this:

 (e.g. where data associated with the Privacy/Proxy customer is masked)



Thanks-



J.



-------------

James Bladel

GoDaddy

  _____

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen at icann.org>
Sent: Tuesday, December 18, 2018 18:48
To: GNSO EPDP
Subject: [Gnso-epdp-team] language re: affiliated privacy/proxy companies



Dear All,



Following up on an action item from today's EPDP call, please find draft language regarding registrar disclosure of privacy/proxy data to a requestor (section 2.6 of Appendix A of the Temp Spec). For ease of reference, the updated language is italicized.



The EPDP Team recommends that in the case of a domain name registration where a Privacy/Proxy service, offered or made available by Registrar or its Affiliates in connection with a registration is used, (e.g. where data associated with a natural person is masked), Registrar MUST return in response to any query full WHOIS data, including the existing proxy/proxy pseudonymized email. (emphasis added)



Please respond to the list if you have any issues with the above draft language.



Best regards,



Marika, Berry, and Caitlin






