[Gnso-epdp-team] Notes and action items from EPDP Team Phase 2 Meeting #11 - 1 August 2019 - ALAC Online buyers Use Case

[Amr Elsadr]

Hi Hadia,

It’s difficult not to debate wether or not protecting Internet users from online fraud is within the scope of ICANN’s mission, since this is key to the topic and use case we’re discussing.

I’m also not seeing how I’ve conflated any issues. Apologies if I’m failing to understand this, and am happy to be corrected, if I am mistaken. There doesn’t seem to be anything in the section of the AoC that you referenced, which contradicts what I’ve said either. Describing the Internet as a transformative technology that empowers people, spurs innovation, facilitates trade and commerce is one thing. I pretty much agree with this statement, but it doesn’t suggest that every aspect of the Internet and its benefits to society is within ICANN’s mission and scope to meddle in. Aren’t references to the AoC a little outdated, anyway?

I’m also aware of the work that took place in Work Stream 1 of the CCWG on Enhancing ICANN Accountability (specifically, on ICANN’s mission, commitments and core values, and the changes to the ICANN Bylaws that occurred as a result of it. For instance, a quick read of [Article 1  Sections 1.1(b) and (c)](https://www.icann.org/resources/pages/governance/bylaws-en/#article1) say:

> (b) ICANN shall not act outside its Mission.
>
> (c) ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet's unique identifiers or the content that such services carry or provide, outside the express scope of Section 1.1(a). For the avoidance of doubt, ICANN does not hold any governmentally authorized regulatory authority.

Thanks.

Amr

> On Aug 29, 2019, at 1:09 AM, Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg> wrote:
>
> Hi Amr,
>
> First let me confirm that the ALAC case is about giving the online Internet buyers their right granted to them under the GDPR. As to your point about this case not abiding by ICANN's mission let me briefly explain how you are conflating two different issues.
>
> In 2009 ICANN published the Affirmation of Commitments, where its said
>
> “The Internet is a transformative technology that will continue to empower people around the globe, spur innovation, facilitate trade and commerce”
>
> It also said
>
> “This document affirms key commitments by DOC and ICANN, including commitments to: (a) ensure that decisions made related to the global technical coordination of the DNS are made in the public interest and are accountable and transparent; (b) preserve the security, stability and resiliency of the DNS; (c) promote competition, consumer trust, and consumer choice in the DNS marketplace; and (d) facilitate international participation in DNS technical coordination”
>
> (Examples of consumer protection would include protecting trademark rights holders from domain name abuses.)
>
> However, according to how we understand ICANN’s role in relation to the Internet and the public interest some might see that protecting Internet users from online fraud is not within ICANN’s mission. So let us not debate this part and move on.
>
> In accordance to Annex G-1 of ICANN’s mission, ICANN is responsible for the maintenance and access to accurate and up-to-date information concerning registered names and name servers. Now many stakeholders have claimed that WHOIS is one of the first tools that they would use in identifying wrongdoers or protecting Internet users. In addition, some surveys have also indicated that Internet users most often use legal persons’ contact information when dealing with small online businesses. Moreover, although complaints like Malware, Phishing, Web hosting, Website content and Spam are handled by other organizations, these organizations rely on the registration data maintained by ICANN. For that, it is ICANN’s responsibility to maintain a registration data system that is not only accurate and up to date but also useful and fair to all stakeholders. ICANN in its role in coordinating the DNS acts for the benefit of the global Internet users. The policy recommendation regarding the online Internet consumers that we are talking about is in relation to the role of the gTLD registration data in serving the online community and maintaining a healthy Internet ecosystem, which is strictly within ICANN’s mission.
>
> ​
>
> Best
>
> Hadia
>
> ________________________________
> From: Amr Elsadr <aelsadr at icannpolicy.ninja>
> Sent: 28 August 2019 21:30
> To: King, Brian
> Cc: Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team at icann.org
> Subject: RE: [Gnso-epdp-team] Notes and action items from EPDP Team Phase 2 Meeting #11 - 1 August 2019 - ALAC Online buyers Use Case
>
> Hi Brian,
>
> I'm not sure that it makes a difference - wether disclosure can or cannot be presupposed as an outcome. If we, as a Team developing gTLD policy recommendations, tackle an issue concerning web content, reach a conclusion (any conclusion) on it, send a recommendation to the GNSO Council, which is adopted and then sent to the ICANN Board, which adopts it yet again, then what is the outcome? To me, the answer to that question would be that the EPDP Team, the GNSO Council and the ICANN Board have all contributed to creating contractual obligations on Contracted Parties that ICANN should have no business creating.
>
> To me, this is also a means of pulling topics out-of-scope of ICANN's mission in to it, because although this scope is defined by the Bylaws, there are also Bylaws granting the GNSO responsibility for developing gTLD policy. Would create a bit of a messy constitutional sort of situation, I think.
>
> Also, at some point in the future, the Consensus Policy we are in the process of developing recommendations for will be reviewed, and amendments may be sought. Reviewing Consensus Policies could potentially be initiated by either the GNSO or GDD (if you're following the current Council conversation on reviews of implemented Consensus Policies). So even if we are not presupposing any outcome of disclosure in this use case now, we open the door to further policy development on this topic at some point in a future iteration. On a topic that should have been flagged as out-of-scope of ICANN's mission to begin with!!
>
> Ideally, we would not submit any recommendations concerning web content at all. If we did, it'd be nice to know that there are checks and balances in place that initiate some kind of course correction. For instance, the GNSO Council or the ICANN Board would respond saying, wait a minute, why are you sending us a policy recommendation on a topic outside of ICANN's scope?! Speaking for myself, unfortunately, I very much doubt that would happen.
>
> It's probably also noteworthy that even if we, as an EPDP Team, reject this use case, and do not address the topic in our recommendations, there is still nothing preventing an Internet user from requesting information about a website they might do business with from a registrar, as you suggest. Our use of these use cases should focus on helping respondents to disclosure requests understand how best to deal with whatever disclosure requests they receive. We can't cover every single potential use case anyway, so the ones we do work out should at least provide some guidance on how to deal with unforeseen circumstances. With that in mind, I believe there is value in addressing this use case, and rejecting it, as opposed to not looking at it at all.
>
> This is my personal perspective, and apologies if it was slightly lengthier than it needed to be, but you asked. ;-)
>
> Thanks.
>
> Amr
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, August 28, 2019 8:25 PM, King, Brian <Brian.King at markmonitor.com> wrote:
>
> Hey Amr and all,
>
> I can’t speak authoritatively for ALAC’s intent, but I read this use case as allowing internet users to request (not have an entitlement to receive) information about a website they might do business with, a link they might click, etc.
>
> I think we’re merely talking about allowing an internet user to ask the question, without presupposing any access outcome. Does that change your perspective?
>
> I’m sympathetic to concerns raised about the bounds of ICANN’s remit, and I might find those concerns more persuasive if we were talking about guaranteed access in this case.
>
> Brian J. King
> Director of Internet Policy and Industry Affairs
>
> T +1 443 761 3726
> markmonitor.com<http://www.markmonitor.com>
>
> MarkMonitor
> Protecting companies and consumers in a digital world
>
> From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Amr Elsadr
> Sent: Tuesday, August 27, 2019 7:28 AM
> To: Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
> Cc: gnso-epdp-team at icann.org
> Subject: Re: [Gnso-epdp-team] Notes and action items from EPDP Team Phase 2 Meeting #11 - 1 August 2019 - ALAC Online buyers Use Case
>
> Hi,
>
> The issue many of us have with this use case isn’t that Internet users should not be entitled to know who they elect to do business with over the web, so I don’t believe it is necessary to keep pushing that point. The issue is that in situations where entities conducting commerce over the Web do not have their contact information readily published on their websites, ICANN/gTLD policy is an inappropriate substitute to resolve this, due to ICANN’s narrow mission.
>
> Speaking for myself, even if it were legal for ICANN to adopt policies that are beyond the scope of its mission (which I don’t think is the case here), it is undesirable for it to do so. Not having a clearly drawn line in the sand on what ICANN can regulate online via contractual compliance with Registries and Registrars, including selling and purchasing goods and services, is a prospect that I find to be very unappealing. It creates a great deal of uncertainty for both Contracted Parties providing domain name registration services, as well as registrants who utilize these services.
>
> My interpretation of consumer protection from an ICANN perspective is that registrants are THE consumers of services in the ICANN context. In that context, proposing policy recommendations beyond the scope of ICANN’s mission is bad, not good, for consumer protection.  …, and like I said…, I don’t believe it to be complaint with data protection regulation, such as the GDPR, anyway.
>
> Thanks.
>
> Amr
>
> On Aug 26, 2019, at 5:37 PM, Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg<mailto:Hadia at tra.gov.eg>> wrote:
>
> Hello All,
>
> The ALAC online buyers online case is a real life scenario for why there needs to be a distinction between natural and legal persons. I shall not get into this debate. However, I note that consumers identity and even location is now available to buyers through many online applications, GDPR protects personal information of natural persons and not legal persons. It is only fair to Internet end users to allow them to have the contact information of the online businesses. This is particularly important in case Internet end users are dealing with small businesses online. You can find online businesses  contact details now through some existing applications. What and who are we trying to protect by not allowing this use case. Commercial websites should be encouraged to indicate who they are and publish their information. The architecture of the web inherently does not require real identity, but having a complete anonymous system is always an invitation to problems, making people feel less accountable and diminishing the trust in the network. A survey conducted by Bright Local showed that 60%  of customers prefer to call small businesses on the phone. The survey also showed that consumers now look beyond websites, RDS is only one tool of many however, prohibiting it to exist works against the norm. I also note that getting clarity in relation to the contracted parties liability in this regard is very important and if implemented information should only be provided if the case is absolutely clear.
>
> I attach the updated user case, which is also available through the google doc
>
> Best
>
> Hadia el-Miniawi
>
> From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Mueller, Milton L
> Sent: Monday, August 19, 2019 5:27 PM
> To: Tara Whalen; gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
> Subject: Re: [Gnso-epdp-team] Notes and action items from EPDP Team Phase 2 Meeting #11 - 1 August 2019 - ALAC Online buyers Use Case
>
> Tara:
>
> Responses inline below:
>
>  1.  The ICANN Board resolved in May to have the ePDP “determine and resolve the Legal vs. Natural issue in Phase 2."   https://www.icann.org/resources/board-material/resolutions-2019-05-15-en#1.b<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_resources_board-2Dmaterial_resolutions-2D2019-2D05-2D15-2Den-231.b&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=B8MS1O2ZkevjBW6hFhUe1Tfw1xhaFLotkSAAZ3g3DYQ&s=IAoMV6Yy5PfTOTRJ7D6oVAm1m5bFZMOIZHmnJjr4Gnk&e=>  Because the issue is not decided.
>
> Not quite correct. The Board noted that EPDP’s own Recommendation said that we would resolve the issue in Phase 2. The board did not tell us to do so. The resolution also notes the “Potential liability of a registered name holder's incorrect self-identification of a natural or legal person, which ultimately results in public display of personal data.” This concern was one of several that motivated our reluctance to attempt differentiation.
>
>  1.  The EWG recommended a differentiation solution -- that registrants be required to identify as a Registrant Type, with Legal Person and Natural Person among the options.  It also required that a mandatory Business PBC be published for “Registrants that self-identify as Legal Persons engaged in commercial activity"  (pages 42-44 of final report).
>
> This option _was_ discussed and discarded in Phase 1. It was noted that to the vast majority of ordinary people the distinction between legal and natural has no meaning, and that there would be liability consequences if there were incorrect identification (see above). And besides, the recommendation of the EWG was made prior to GDPR and has no bearing on EPDP.
>
>  1.  ICANN’s Procedure for Handling WHOIS Conflicts with Privacy Law was reviewed by the GNSO and revised in mid-2017.  A goal of the Procedure was “to resolve the problem in a manner that preserves the ability of the registrar/registry to comply with its [current] contractual WHOIS obligations to the greatest extent possible”.  So -- to publish as much data as possible as allowed by law.
>
> Now you are way off base. Contractual Whois obligations in 2017 were not compliant with GDPR. The Conflicts with Privacy Law procedure is completely irrelevant to our proceedings.
>
>  1.  Under that Procedure, about the only precedent was the .TEL case, which addressed concerns raised by UK privacy law. In that case, the WHOIS service was made to differentiate between natural and legal persons.  Some public WHOIS data was limited for natural persons who had elected to withhold their personal information from disclosure by the WHOIS service, records for Legal Persons had to return full and complete WHOIS data (including applicable personal data), and Legal Persons were not permitted to opt out of disclosing such information. The GDPR is definitely a different law and may yield a different policy.  But the .TEL case did show that it’s possible to tell the difference between a natural person’s data and a legal person’s data, and to control where that data appears.
>
> Same comment as above.
>
> <Consumer_Protection_Use_Case_ALAC - Online buyers_Update_2.docx>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190829/f70e7ce3/attachment-0001.html>