[Gnso-epdp-team] ICANN Purpose 2 from the Board

Becky Burr becky.burr at board.icann.org
Mon Mar 23 23:45:35 UTC 2020 

PURPOSE 2 DISCUSSION


Some members of the ePDP have asserted that the formulation of Purpose 2
that has been endorsed by the Board, (Contributing to the maintenance of
the security, stability, and resiliency of the Domain Name System in
accordance with ICANN’s mission) is problematic because the definition of
“security, stability, and resilience” (SSR) is overly broad and all
encompassing.   This note is intended to provide additional detail on the
concept of SSR in the context of ICANN and its processing of personal data
as a controller under GDPR.


SSR, as defined in the Bylaws, *is* ICANN’s mission.  Article 1, Section
1.1 of the ICANN Bylaws, clearly states that ICANN’s  mission is to ensure
the stable and secure operation (SSR) of the Internet's unique identifier
systems.  The Bylaws themselves go on to provide significant detail
regarding the scope of that mission in the context of names, the root
server system, numbers, and protocols.


*With respect to names*, ICANN’s mission is to coordinate the allocation
and assignment of names in the root zone of the DNS and the development and
implementation of policies concerning the registration of second-level
domain names in gTLDs. The Bylaws further specify that in this
role, ICANN's scope is to coordinate the development and implementation of
policies for which uniform or coordinated resolution is reasonably
necessary to facilitate the *openness, interoperability, resilience,
security and/or stability of the DNS**.  **In other words, in the context
of ICANN’s mission, SSR encompasses ICANN’s efforts to contribute to
the openness, interoperability, resilience, security and/or stability of
the DNS.*


But ICANN’s scope is further constrained by the requirement that Consensus
Policies must be developed through a bottom-up consensus-based
multistakeholder process and designed to ensure the stable and secure
operation of the Internet's unique names systems.

The Bylaws provide examples of the categories of issues that fall within
ICANN’s SSR mission.  These include:



   -  issues for which uniform or coordinated resolution is reasonably
   necessary to facilitate interoperability, security and/or stability of the
   Internet, registrar services, registry services, or the DNS
   - functional and performance specifications for the provision of
   registrar or registry services
   - policies reasonably necessary to implement Consensus Policies relating
   to a gTLD registry or registar
   - resolution of disputes regarding the registration of domain names (as
   opposed to the use of such domain names, but including where such policies
   take into account use of the domain names); or
   - restrictions on cross-ownership of registry operators and registrars
   or resellers and regulations and restrictions with respect to registrar and
   registry operations and the use of registry and registrar data in the event
   that a registry operator and a registrar or reseller are affiliated.

The Bylaws further provide examples of issues that would fall within those
categories, including:


   -  principles for allocation of registered names in a TLD (e.g.,
   first-come/first-served, timely renewal, holding period after expiration)
   - prohibitions on warehousing of or speculation in domain names by
   registries or registrars
   -  reservation of registered names in a TLD that may not be registered
   initially or that may not be renewed due to reasons reasonably related to
   (i) avoidance of confusion among or misleading of users, (ii) intellectual
   property, or (iii) the technical management of the DNS or the Internet
   (e.g., establishment of reservations of names from registration)
   - security and stability of the registry database for a TLD
   - maintenance of and access to accurate and up-to-date information
   concerning registered names and name servers;
   - procedures to avoid disruptions of domain name registrations due to
   suspension or termination of operations by a registry operator or a
   registrar, including procedures for allocation of responsibility among
   continuing registrars of the registered names sponsored in a TLD by a
   registrar losing accreditation; and
   - the transfer of registration data upon a change in registrar
   sponsoring one or more registered names.

*With respect to the DNS root name server system*, ICANN’s SSR mission
encompasses coordination of the operation and evolution of the DNS root
name server system.


*With respect to numbers*, ICANN’s SSR mission is to coordinate the
allocation and assignment at the top-most level of
Internet Protocol numbers and Autonomous System numbers.


*With respect to internet protocol standards*, ICANN’s SSR mission involves
the provision of  registration services and open access for registries in
the public domain requested by Internet protocol development
organizations.


Taken together, these provisions of the ICANN Bylaws articulate with
specificity the scope of ICANN’s SSR mission and by definition limit
ICANN’s authority to process personal data in pursuit of that mission. Access
to accurate and up-to-date registrant data is necessary for ICANN to
achieve its mission.  ICANN may need to process such information in order,
for example, to:


   -  Inform and support consensus policy development, implementation, and
   enforcement;
   -  Conduct research in order to identify and address, in accordance with
   its Bylaws, new, emerging, and evolving SSR issues within its remit;
   - Respond to and coordinate responses to SSR threats within its remit;
   - Enable the work of its Supporting Organizations, Advisory Committees,
   and standards development bodies with respect to SSR issues within ICANN’s
   remit;
   - Study emerging technologies and national/multi-national policy
   initiatives in order to educate the ICANN community as well as innovators
   and policy makers about the impact of such technologies and/or proposals on
   DNS SSR.

While it is impossible to specify all of the circumstances in which ICANN
may need to process personal registrant data in furtherance of its SSR
mission, its processing of personal data in furtherance of its SSR Mission
is further constrained in two ways.  First, the Bylaws expressly prohibit
ICANN from acting outside its mission.  Second, ICANN’s processing of
personal data contained in registrant records is constrained by applicable
data protection law.  Like every user of registrant data, ICANN is required
to limit its processing of personal data in accordance with fair
information practice principles of transparency and lawfulness, purpose
specification and limitation, accuracy, data minimization, storage
limitation, and data security.  It may process personal data subject to
GDPR and similar legislation only with the consent of the data subject or
as *necessary* in pursuit of its legitimate interest in DNS SSR and in
proportion to the interests and fundamental rights and freedoms of the data
subject.


Given the rapidly evolving nature of the DNS technology as well as SSR
threats, the Board believes that the formulation of Purpose 2 above
(Contributing
to the maintenance of the security, stability, and resiliency of the Domain
Name System in accordance with ICANN’s mission) is both necessary and
appropriate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200323/ead2942f/attachment-0001.html>

More information about the Gnso-epdp-team mailing list