[Gnso-epdp-team] Comments on Final Report & Additional Topics- Part 1

Hadia Abdelsalam Mokhtar EL miniawi Hadia at tra.gov.eg
Thu Feb 7 13:52:28 UTC 2019


All,

First off, we are not living in the land of 'What Ifs'. The truth of the matter is that ICANN Research and Analytics, which belongs to the CTO, has a goal of providing trusted information to the Internet community regarding the Internet's system of unique identifiers: https://www.icann.org/octo-research . The research purpose, if you all recall, was introduced a day or two before the posting of the initial report for public comments and therefore could not be discussed at this very late stage.
Also, the situation with ICANN org research is very different than that of a registry or a registrar that decides to do its own research, because the registry/registrar does not operate in a multistakeholder model and does not need the community to develop or approve its policies/decisions. What is currently being proposed is not a research purpose but is merely a recommendation that would allow us to investigate further whether such a purpose is required or not. Furthermore, this proposal certainly falls within the remit of the EPDP work because it is a processing of the Registration Data. Again, we are just opening the door and making it possible to pursue such a purpose if deemed necessary. Finally, we cannot get into these controller/processor discussions now because the roles are not entirely finalized yet, which would be another reason for keeping the recommendation.

Keeping the recommendation does not mean that we are going to have the research purpose; it is just to make sure that this matter is not overlooked, and if deemed necessary we could add the purpose rather than regretting it later. To this end, I am with keeping the recommendation as agreed upon during the call and see no disadvantage to any of the stakeholders with that in place.

Hadia

From: Alan Woods [mailto:alan at donuts.email]
Sent: Thursday, February 07, 2019 2:29 PM
To: Margie Milam
Cc: Anderson, Marc; marika.konings at icann.org; Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Comments on Final Report & Additional Topics- Part 1

All,

We need to stop living in the land of 'What Ifs'. If the SSAC needs the data from ICANN ORG, SSAC and ICANN org can figure this out and do a DPAI as Controller - this is none of our concern.

If ICANN ORG (OCTO) wants to use the data for statistical or historical research or even, assuming they have the prerequisite basis to do so, research in the 'public interest' ... then it is for ICANN as the controller in this instance to figure it out, not the ePDP. This is along the same lines as a registry or registrar who, as a business, may wish to do their own research and don't need nor want the ePDP to spoon feed them a ready made 'purpose'. Again, it's not necessary, and out of our sphere of influence. Any responsible business processing data for research ought to do an assessment, as controller, of the legal risks associated with the research, the data used, the compatibility of the methods of collection, the compatibility with the purposes, the legal basis, and implementation of safeguards as expected by Art 89 - they then do such research at their own risk.

Again, to be clear, processing for the purposes of research is processing by the CONTROLLER. If the controller wishes a 3rd party to do such research on their behalf, then they enter into an appropriate services contract with them, with an ironclad DPA. Simple. And be it on both their heads if their processing doesn't come up to par!

I therefore echo Marc and Ayden. We need to move on!

Alan



Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
________________________________
The Victorians,
15-18 Earlsfort Terrace
Dublin 2, County Dublin
Ireland



On Wed, Feb 6, 2019 at 8:28 PM Margie Milam <margiemilam at fb.com> wrote:

Hi All-



Hadia’s language makes sense to us.  I also wanted to share some additional information related to why this should continue to be discussed in Phase 2.



ICANN ORG staff – including the CTO’s office - supports and participates in SSAC.   SSAC conducts very valuable research on issues that touch upon and analyze WHOIS records as it relates to the security issues for which they make recommendations.  Look for example at these reports: SSAC 40 - Measures to Protect Domain Registration Services Against Exploitation or Misuse, SSAC 23 – Is the WHOIS Service a source for email addresses for spammers?  SSAC 024, Report on Domain Name Front-Running, to name a few.



Are we not willing to recognize the value of these research activities?  Are we intending to limit the issues that SSAC might need to explore to address future work?



The recommendation is simply to explore this in Phase 2 further- which is reasonable in our view.



All the best,



Margie


From: "Anderson, Marc" <mcanderson at verisign.com>
Date: Wednesday, February 6, 2019 at 11:27 AM
To: "marika.konings at icann.org" <marika.konings at icann.org>, "Hadia at tra.gov.eg" <Hadia at tra.gov.eg>, Margie Milam <margiemilam at fb.com>, "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
Subject: RE: [Gnso-epdp-team] Comments on Final Report & Additional Topics- Part 1

All,

Registries are NOT supportive of this as an agreement or recommendation.

We have on multiple occasions discussed a possible purpose for OCTO with the same result.  ICANN has indicated that OCTO does not use personal data in their work and have not identified a need or purpose for them to do so.  Our task is to identify processing activities necessary for domain registrations and ensure those processing activities can be done in a manner compatible with GDPR.  We haven’t identified a processing activity for personal data related to OCTO so we can stop and move on.

It is beyond the scope of our PDP to create new requirements, obligations or purposes where currently none exist.

Best,
Marc



From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Marika Konings
Sent: Wednesday, February 06, 2019 7:44 AM
To: Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>; Margie Milam <margiemilam at fb.com>; gnso-epdp-team at icann.org
Subject: [EXTERNAL] Re: [Gnso-epdp-team] Comments on Final Report & Additional Topics- Part 1

Hadia, all,

Please note that per yesterday’s agreement, the recommendation has been updated as follows:


The EPDP Team commits to considering in Phase 2 of its work whether additional purposes should be considered to facilitate ICANN’s Office of the Chief Technology Officer (OCTO) to carry out its mission (see https://www.icann.org/octo). This consideration should be informed by legal guidance on if/how provisions in the GDPR concerning research apply to ICANN Org and the expression for the need of such pseudonymized data by ICANN.



Best regards,



Caitlin, Berry and Marika


From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
Date: Wednesday, February 6, 2019 at 06:38
To: Margie Milam <margiemilam at fb.com>, "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] Comments on Final Report & Additional Topics- Part 1

Hi all

Thank you, Margie, for your edits. I would suggest a minor edit to the research purpose to read (my edits are in orange):

"The EPDP Team commits to  considering in Phase 2 of its work whether additional purposes should be considered to facilitate research ADD: [ and threat response] carried out by ICANN’s Office of the Chief Technology Officer (OCTO). This consideration should be informed by legal guidance on if/how provisions in the GDPR concerning research apply to ICANN Org and the need for the research purpose by ICANN org in accordance with the mission of ICANN’s Office of the Chief Technology Officer."

The reason for my edits is that we don't know yet the kind of data that would be required nor the means of implementation; the whole purpose/idea is yet to be explored.


Hadia

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Margie Milam
Sent: Tuesday, February 05, 2019 4:03 AM
To: gnso-epdp-team at icann.org
Subject: [Gnso-epdp-team] Comments on Final Report & Additional Topics- Part 1

Hi-
Per Marika’s request, here are some language clarifications for your consideration, as well as additional topics submitted on behalf of the BC, and developed in collaboration with the IPC. New text is in yellow highlight.
_________

Rec 1
Purpose 1(b): Subject to the Registry and Registry Terms Conditions and Policies, and ICANN Consensus Policies – please ADD: [ and relevant registry agreements and registrar accreditation agreements]

Purpose 2:  Footnote 6 needs to be moved to be linked to Purpose 2, not Rec 2.

Research purpose: The EPDP Team commits to considering in Phase 2 of its work whether additional purposes should be considered to facilitate research ADD: [ and threat response] carried out by ICANN’s Office of the Chief Technology Officer (OCTO). This consideration should be informed by legal guidance on if/how provisions in the GDPR concerning research apply to ICANN Org and the expression for the need of such data by ICANN

Footnote 7/8  should not be a footnote but moved up to the body of the report.  These footnotes are substantive recommendations and commitments that should not be buried in a footnote.

Rec 7: Replace “ICANN Compliance” with “ICANN Organization” to be consistent with other recommendations.
Delete the quote in Footnote 12 on page 24, since this is inconsistent with Purpose 5.

Additional Topics:

INFORMATION TO BE PROVIDED TO THE REGISTRANT:
Page 16- where there is the quote from the EDPB:
“It should therefore be made clear, as part of the registration process, that the registrant is free to (1) designate the same person as the registrant (or its representative) as the administrative or technical contact; or (2) provide contact information which does not directly identify the administrative or technical contact person concerned (e.g. admin at company.com). For the avoidance of doubt, the EDPB recommends explicitly clarifying this within future updates of the Temporary Specification”.

We believe it is important to follow the EDPB’s advice and propose including a recommendation regarding informed consent, in light of the legal advice received, as follows:

The EPDP recommends that as part of the registration process, the Registrar shall offer the registered name holder the option to (1) designate the same person as the registrant or its representative as the technical contact; or (2) provide contact information which does not directly identify the technical contact person, but instead uses a generic or role-based email (e.g. admin at company.com).

OPTIONAL TECH CONTACT DISCUSSION: We do not support making the Tech Contact optional at the registrar level or registry level and believe that more discussion is needed. For example, we have not discussed what happens to existing Tech contacts in the legacy registrations. Shouldn’t there be a similar transitional process to what has been developed for the ORGANIZATION field? In any event, this obligation must be required for the registries since they should receive the tech contact data for those registrants who have provided consent.

RECOMMENDATION REGARDING CONSENT: Page 19 – Line 549, please delete “as soon as commercially reasonable”. Instead, this recommendation should track the dates for implementation under the transition plan that James and the registrars proposed in Toronto.

Rec 4: THICK WHOIS: we do not support the deletion of THICK WHOIS as a consensus policy, and believe that this goes beyond the scope of this EPDP.

Rec 8: GLOBAL REDACTION vs. OPTIONAL AT THE REGISTRAR --- We do not agree with global application of the REDACTION, and believe that this recommendation goes well beyond the Temp Spec, which at a minimum allows the registrars/registries to CHOOSE a different application, especially because of differing legal regimes. Our policy needs to be flexible enough to account for laws beyond GDPR, such as the possible US legislation related to WHOIS. Similarly, we do not believe that the redaction should apply to legal persons. We recall James suggesting that we could consider an approach similar to the approach taken for the ORGANIZATION Field, and thus we would like to further explore it in Phase 2.

Footnote 15 is a recommendation that should be moved into the body of the Final Report & not be buried in a footnote.   Also- it needs to exclude registrations with privacy/proxy services and those for which the registrant has provided consent.

PAGE 27: REDACTION OF CITY – we don’t agree with the redaction of CITY and are awaiting legal advice from Ruth on the issue. As a result, it is premature to make a recommendation that it be redacted now. This should be a Phase 2 discussion.

REC 9: Instead of “via a process that can be determined by each registrar” we should have concrete steps that can be enforced by ICANN. Could the registrars identify some reasonable steps for this process?

ADD:  After the implementation phase-in period, the ORG FIELD will no longer be REDACTED by either the registry or registrar.

We are still working through the remainder of the Final Report, and will follow up this email with additional comments.

All the best,
Margie







