[Gnso-epdp-team] Comments on Final Report & Additional Topics- Part 1

Alan Woods alan at donuts.email
Thu Feb 7 12:29:20 UTC 2019


All,

We need to stop living in the land of 'What Ifs'. If the SSAC needs the
data from ICANN ORG, SSAC and ICANN org can figure this out and do a DPIA
as Controller - this is none of our concern.

If ICANN ORG (OCTO) wants to use the data for statistical or historical
research or even assuming they have the prerequisite basis to do so,
research in the 'public interest' ... then it is for ICANN as the
controller in this instance to figure it out, not the ePDP. This is along
the same lines as a registry or registrar who, as a business, may wish to do
their own research and don't need nor want the ePDP to spoon feed them a
ready made 'purpose'. Again it's not necessary, and out of our sphere of
influence. Any responsible business processing data for research ought to
do an assessment, as controller, of the legal risks associated with the
research, the data used, the compatibility of the methods of collection,
the compatibility with the purposes, the legal basis, and implementation of
safeguards as expected by Art 89- they then do such research at their own
risk.

Again, to be clear, processing for the purposes of research, is processing
by the CONTROLLER. If the controller wishes a 3rd party to do such research
on their behalf, then they enter into an appropriate services contract with
them, with an iron clad DPA. Simple. And be it on both their heads if their
processing doesn't come up to par!

I therefore echo Marc and Ayden. We need to move on!

Alan


Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
------------------------------
The Victorians,
15-18 Earlsfort Terrace
Dublin 2, County Dublin
Ireland


On Wed, Feb 6, 2019 at 8:28 PM Margie Milam <margiemilam at fb.com> wrote:

> Hi All-
>
>
>
> Hadia’s language makes sense to us.  I also wanted to share some
> additional information related to why this should continue to be discussed
> in Phase 2.
>
>
>
> ICANN ORG staff – including the CTO’s office - supports and participates
> in SSAC.   SSAC conducts very valuable research on issues that touch upon
> and analyze WHOIS records as it relates to the security issues for which
> they make recommendations.  Look for example at these reports: SSAC 40 -
> Measures to Protect Domain Registration Services Against Exploitation or
> Misuse, SSAC 23 – Is the WHOIS Service a source for email addresses for
> spammers?  SSAC 024, Report on Domain Name Front-Running, to name a few.
>
>
>
> Are we not willing to recognize the value of these research activities?
> Are we intending to limit the issues that SSAC might need to explore to
> address future work?
>
>
>
> The recommendation is simply to explore this in Phase 2 further- which is
> reasonable in our view.
>
>
>
> All the best,
>
>
>
> Margie
>
>
>
>
>
> *From: *"Anderson, Marc" <mcanderson at verisign.com>
> *Date: *Wednesday, February 6, 2019 at 11:27 AM
> *To: *"marika.konings at icann.org" <marika.konings at icann.org>, "
> Hadia at tra.gov.eg" <Hadia at tra.gov.eg>, Margie Milam <margiemilam at fb.com>, "
> gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
> *Subject: *RE: [Gnso-epdp-team] Comments on Final Report & Additional
> Topics- Part 1
>
>
>
> All,
>
>
>
> Registries are NOT supportive of this as an agreement or recommendation.
>
>
>
> We have on multiple occasions discussed a possible purpose for OCTO with
> the same result.  ICANN has indicated that OCTO does not use personal data
> in their work and have not identified a need or purpose for them to do so.
> Our task is to identify processing activities necessary for domain
> registrations and ensure those processing activities can be done in a
> manner compatible with GDPR.  We haven’t identified a processing activity
> for personal data related to OCTO so we can stop and move on.
>
>
>
> It is beyond the scope of our PDP to create new requirements, obligations
> or purposes where currently none exist.
>
>
>
> Best,
>
> Marc
>
>
>
>
>
>
>
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of *Marika
> Konings
> *Sent:* Wednesday, February 06, 2019 7:44 AM
> *To:* Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>; Margie
> Milam <margiemilam at fb.com>; gnso-epdp-team at icann.org
> *Subject:* [EXTERNAL] Re: [Gnso-epdp-team] Comments on Final Report &
> Additional Topics- Part 1
>
>
>
> Hadia, all,
>
>
>
> Please note that per yesterday’s agreement, the recommendation has been
> updated as follows:
>
>
>
> *The EPDP Team commits to considering in Phase 2 of its work whether
> additional purposes should be considered to facilitate ICANN’s Office of
> the Chief Technology Officer (OCTO) to carry out its mission (see
> https://www.icann.org/octo).
> This consideration should be informed by legal guidance on if/how
> provisions in the GDPR concerning research apply to ICANN Org and the
> expression for the need of such pseudonymized data by ICANN. *
>
>
>
> Best regards,
>
>
>
> Caitlin, Berry and Marika
>
>
>
> *From: *Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of
> Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
> *Date: *Wednesday, February 6, 2019 at 06:38
> *To: *Margie Milam <margiemilam at fb.com>, "gnso-epdp-team at icann.org" <
> gnso-epdp-team at icann.org>
> *Subject: *Re: [Gnso-epdp-team] Comments on Final Report & Additional
> Topics- Part 1
>
>
>
> Hi all
>
>
>
> Thank you, Margie, for your edits. I would suggest a minor edit to the
> research purpose to read (my edits are in orange):
>
>
>
> "The EPDP Team commits to  considering in Phase 2 of its work whether
> additional purposes should be considered to facilitate research ADD: [
> and threat response] carried out by ICANN’s Office of the Chief
> Technology Officer (OCTO). This consideration should be informed by legal
> guidance on if/how provisions in the GDPR concerning research apply to
> ICANN Org and the need for the research purpose by ICANN org in
> accordance with the mission of ICANN’s Office of the Chief Technology
> Officer."
>
>
>
> The reason for my edits is that we don't know yet the kind of data that
> would be required nor the means of implementation; the whole purpose/idea is
> yet to be explored.
>
>
>
>
>
> Hadia
>
>
>
> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org
> <gnso-epdp-team-bounces at icann.org>] *On Behalf Of *Margie Milam
> *Sent:* Tuesday, February 05, 2019 4:03 AM
> *To:* gnso-epdp-team at icann.org
> *Subject:* [Gnso-epdp-team] Comments on Final Report & Additional Topics-
> Part 1
>
>
>
> Hi-
>
> Per Marika’s request, here are some language clarifications for your
> consideration, as well as additional topics submitted on behalf of the BC,
>  and developed in collaboration with the IPC.  New Text is in yellow
> highlight.
> * _________*
>
>
>
> *Rec 1*
>
> *Purpose 1(b):*   Subject to the Registry and Registry Terms Conditions
> and Policies, and ICANN Consensus Policies – please ADD: [ and relevant
> registry agreements and registrar accreditation agreements]
>
>
>
> *Purpose 2:*  Footnote 6 needs to be moved to be linked to Purpose 2, not
> Rec 2.
>
>
>
> *Research purpose:*  The EPDP Team commits to  considering in Phase 2 of
> its work whether additional purposes should be considered to facilitate
> research ADD: [ and threat response] carried out by ICANN’s Office of the
> Chief Technology Officer (OCTO). This consideration should be informed by
> legal guidance on if/how provisions in the GDPR concerning research apply
> to ICANN Org and the expression for the need of such data by ICANN
>
>
>
> *Footnote 7/8*  should not be a footnote but moved up to the body of the
> report.  These footnotes are substantive recommendations and commitments
> that should not be buried in a footnote.
>
>
>
> *Rec 7:*   Replace “ICANN Compliance” with “ICANN Organization” to be
> consistent with other recommendations.
>
> Delete  the quote in  Footnote 12 on page 24, since this is inconsistent
> with Purpose 5.
>
>
>
> *Additional Topics:*
>
>
>
> *INFORMATION TO BE PROVIDED TO THE REGISTRANT:*
>
> Page 16- where there is the quote from the EDPB:
>
>  *It should therefore be made clear, as part of the registration process,
> that the registrant is free to (1) designate the same person as the
> registrant (or its representative) as the administrative or technical
> contact; or (2) provide contact information which does not directly
> identify the administrative or technical contact person concerned
> (e.g. admin at company.com). For the avoidance of doubt,
> the EDPB recommends explicitly clarifying this within future updates of the
> Temporary Specification*”.
>
>
>
> We believe it is important to follow the EDPB’s advice and propose
> including a recommendation regarding informed consent, in light of the
> legal advice received, as follows:
>
>
>
> The EPDP recommends that as part of the registration process, the
> Registrar shall offer the registered name holder the option to (1)
> designate the same person as the registrant or its representative as the
> technical contact; or (2) provide contact information which does not
> directly identify the technical contact person, but instead uses a generic
> or role-based email (e.g. admin at company.com).
>
>
>
> *OPTIONAL TECH CONTACT DISCUSSION:*  We do not support making the Tech
> Contact optional  at the registrar level or registry level and believe that
> more discussion is needed.  For example, we have not discussed what happens
> to existing Tech contacts in the legacy registrations.  Shouldn’t there be
> a similar transitional process to what has been developed for the
> ORGANIZATION field?   In any event, this obligation must be requieeed for
> the registries since they should receive the tech contact data for those
> registrants who have provided consent.
>
>
>
> *RECOMMENDATION REGARDING CONSENT* Page 19 – Line 549  please delete
>  “as soon as commercially reasonable”.  Instead, this recommendation should
> track the dates for implementation under the transition plan that James and
> the registrars proposed in Toronto.
>
>
>
> *Rec 4:* THICK WHOIS: we do not support the deletion of THICK WHOIS as a
> consensus policy, and believe that this goes beyond the scope of this EPDP.
>
>
>
> *Rec 8:*  GLOBAL REDACTION vs. OPTIONAL AT THE REGISTRAR---  We do not
> agree with global application of the REDACTION, and believe  that this
> recommendation goes well beyond the Temp Spec, which at a minimum allows
> the registrars/registries to CHOOSE a different application, especially
> because of differing legal regimes.  Our policy needs to be flexible enough
> to account for laws beyond GDPR, such as the possible US legislation
> related to WHOIS.  Similarly, we do not believe that the redaction should
> apply to legal persons.  We recall James suggesting that we could consider
> an approach similar to the approach taken for the ORGANIZATION Field, and
> thus we would like to further explore it in Phase 2.
>
>
>
> *Footnote 15* is a recommendation that should be moved into the body of
> the Final Report & not be buried in a footnote.   Also- it needs to exclude
> registrations with privacy/proxy services and those for which the
> registrant has provided consent.
>
>
>
> *PAGE 27*:  REDACTION OF CITY– we don’t agree with the redaction of CITY
> and are awaiting legal advice from Ruth on the issue. As a result, it is
> premature to make a recommendation that it be redacted now.  This should be
> a Phase 2 discussion.
>
>
>
> *REC 9:*   Instead of a “via a process that can be determined by each
> registrar”   we should have concrete steps that can be enforced by ICANN.
> Could the registrars identify some reasonable steps for this process?
>
>
>
> ADD:  After the implementation phase-in period, the ORG FIELD will no
> longer be REDACTED by either the registry or registrar.
>
>
>
> We are still working through the remainder of the Final Report, and will
> follow up this email with additional comments.
>
>
>
> All the best,
>
> Margie
>