[Gnso-epdp-team] Notes and action items - EPDP Phase 2A Meeting #18 - 29 Apr 2021
caitlin.tubergen at icann.org
Thu Apr 29 22:00:04 UTC 2021
Dear EPDP Team,
Please find below the notes and action items<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> from today’s EPDP Phase 2A Team meeting.
The next EPDP Phase 2A meeting will be Tuesday, 4 March 2021 at 14:00 UTC.
Berry, Marika, and Caitlin
🚨🚨🚨 Action Items 🚨🚨🚨
Please refer to the project spreadsheet<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> for action items.
EPDP Phase 2A - Meeting #18
Thursday 29 April 2021 at 14.00 UTC
1. Roll Call & SOI Updates (5 minutes)
2. Welcome & Chair updates (Chair) (5 minutes)
3. Legal vs. natural (75 minutes)
i. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“);
ii. What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.
Consideration of question i. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“);
a. Each group to provide a high-level summary of responses to questions (seehttps://docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit__;!!PtGJab4!q955v0VHL7ex3iogHClg6g7mZHThbjv8q-mxcBzKkF9jutHRkkmgXR8K_A3EDz4MccWdwJAi0ZU$>):
- Each group will have five minutes without interruption to respond to the questions. Respectfully ask the groups not sharing to listen respectfully and not intervene in chat during the presentations.
- Note that there may be additional Phase 1 changes as a result of this discussion, for example, should there be an additional legal/natural field
- This is an opportunity to have groups put all of their cards on the table. This will assist in documentation for the Initial Report.
- In order to consider the answer to this question, we need to rely on the information we have received: (i) B&B memo and (ii) ICANN Study. The B&B memo notes that in certain circumstances, if CPs differentiate, it would reduce their liability, and the liability would only be in relation to a CP’s failure to respond to a complaint. In relation to practical implementation, the ICANN study goes into this. In addition to consent, it would be helpful to differentiate between the registrant types – as a requirement, not an option. Differentiation b/w registrant type alone does not put any additional risk to CPs. ALAC sees no reason to differentiate first b/w the registrant type before differentiating b/w data type. Differentiation b/w data type may be optional.
- During Phase 2, the team discussed the way in which queries would be processed. CPs noted they could not look at data before determining if the query has a valid legal basis. The B&B memo says the opposite of that. If there is a legal entity, the data should not be released, it should be made public. There may have to be a multi-year process for existing registrations, but this process needs to start. For new registrations, this needs to be done at registration time. The RAA makes is clear that responsibility needs to be passed to the resellers.
- The DNS is critical infrastructure, and, as such, the ownership of the critical infrastructure should be as transparent as possible. The majority or significant majority of domain names are owned by legal persons. In the interest of transparency, the data of these domain names owned by legal persons should be published. A global policy would result in the most consistency. The NIS-2 has further convinced the BC of this fact. However, this has been the BC position all along.
- In terms of requirement, the BC stands behind the requirement of publication of data that relates to legal persons. As we’ve gone through this work, understand that where someone has self-designated as a legal person, all of their contact information should be published unless there is natural person data associated with it. There should also be a mechanism to correct the self-designation. For example, if there is a problem with a registration (such as WHOIS inaccuracy or DNS abuse notification), that may serve as a trigger point to reevaluate the initial designation.
- The GAC’s position is fairly consistent with ALAC and BC colleagues. Would like to emphasize that if we take a few steps back, recognize that information is currently masked that is not protected by the GDPR. This starting point is foundational – the current policy protects information that should be public. How can we move forward in a way that is consistent with the law but that also serves the public interest for protecting against cybercrime, investigating criminal behavior, etc. The Team can debate about statistics, but that is not productive. With respect to flexibility about business models and timing, this needs to take into account the realities of when things happen with the contracted party that is actually collecting the information and interacting with the registrant. Understand that this is almost always done during a registration; therefore, that would be the best time to deal with this. If there is a registrar that has a reseller, it still seems to point to at registration.
- A distinction needs to be made because the data is useful, it’s in the public interest, and it’s largely unavailable without justification. From the CP perspective, concerned about secondary liability. Concerned about an outcome that results in CPs being liable for the bad things that happen on websites. The availability and access to WHOIS data has historically been the reason that CPs have not been held liable for this. Concern that if CPs say that they cannot make a distinction and redact all data, that will not play well.
- There should be as much uniformity in the treatment of registration data as possible. Registrants should be protected irrespective of where they are. If there is a standardized process, a distinction can be made. However, the distinction b/w legal and natural may not be the appropriate distinction. The starting point should be personal data v. no personal data being present. Since GDPR is the highest common denominator, do not share the position that the risk is not just with CPs – it is also with ICANN org. Need to make sure we do not create legal issues or exposure for ICANN org.
- From the perspective of running an ISP, a broadband connection can be used for nefarious purposes. There is not currently a requirement to delineate b/w a business of personal account, nor to publish legal person details for a broadband connection. For that reason, cannot in good faith support this type of requirement. As ISPs aware of fluidity of technology, may use broadband connection for business and personal use. When it comes down to it, domain names may not be used for a fixed use. 99% or more businesses are small, so legal v. natural person data is oftentimes the same. 97% of companies are sole proprietorships. Usage is full of grey areas and it is often hard to distinguish.
- The preference of the NCSG is clear – do not believe that there should be a requirement for differentiation. However, there is a willingness to move from this position in the interest of consensus. If guidance is produced regarding non-mandatory differentiation, we have two ideas – one would allow registrants to self-designate as legal so long as consequences are clear. NCSG is flexible on the nature of the guidance but the main interest is finding consensus agreement because if nothing changes, NCSG is OK with that.
- NCSG is OK with “optional”. NCSG is divided with the topic of providing guidance; some think registrants are easily able to make the distinction between legal and natural persons. The default should be on protection; a valid request will mean info will be disclosed.
- Members of RrSG will continue to participate in good faith. Members of the RrSG have voiced strong opposition to mandatory differentiation. Have heard vocal support for a mandatory differentiation from other groups, but the RrSG has not heard a reason that is compelling. It has become clear through this process that there should be no requirement. Continue to believe guidance for registrars who wish to differentiate is a valuable and helpful exercise. Reject the notion that the majority of domain names are registered by legal persons.
- Understand the task to review the study and the legal guidance. The study by ICANN identified pros and cons of differentiating and the legal guidance noted that there are steps that CPs can undertake to reduce risks, but that the risk still remains with the contracted party. Do not think updates are required. The existing language regarding permitting differentiation is appropriate based on the ICANN org study and B&B guidance. Understand why it is desirable for some groups to have free and unfettered access to domain name registration data, but believe status quo is appropriate based on what was heard so far.
- If this will be a mandatory policy, we will need to make sure that the policy is tested with the EDPB.
- Strongly in favor of the maximum amount of data available and yet the question regarding mandatory requirement is a distraction. It should be desirable to differentiate and it should be mandatory to include a field to record the distinction, but also to include “unknown” as an intermediate for existing domain names. Recognize that the larger purpose is how to fulfill the various needs like security and public interest – that rests on access to non-public data. Efficient and effective differentiated access must be in the plan at some sort of date certain.
- We have a couple of variables that are still unknown in terms of their ultimate impact: (i) the final disposition of the NIS-2 proposed directive; (ii) status of the SSAD recommendations. These are two variables where we need to see where they end up. As we consider the current state of our landscape, it may be that within one year or 18 months, we will have a greater understanding of NIS-2 and SSAD. One or both of the those could change the dynamics of the group.
- Need to be exceptionally clear that when we reference CPs, it is not just a CP – it about how a registrar can respond and a registry can respond. This is very layered. If the registry is trying to decide or delineate b/w what is legal or natural, have to rely on contractual partners (registrars). If it’s optional, the registry can choose or not to rely on statements by registrars. When it comes to the registry – how feasible is it for registries to mandatorily do this or whether there is actually a need for this if it’s being done at a registry level.
- As NCSG indicated, the status quo is perfectly fine with NC users as a whole. But, there is concern that simply saying the CPs can do this in whatever they want. Most CPs in this EPDP team are very privacy friendly and want to comply with data protection law. However, there are registrars what do not. Some kind of guidance would be preferable so long as it’s the right kind of guidance.
- Some NCSG members believe that providing guidance on this difficult matter gets too far into providing advice to registrants regarding their legal situation and this is fraught with peril. This is easy for some, and not easy for others and can range across a variety of domain names. The default must be sent on protection and if guidance is going to push to automated disclosure, do not provide guidance under the policy. Does not mean no guidance can be provided, but not under this policy.
- If the Team is talking about guidance to a registrar for how it could or should consider differentiate – there is a concern that the guidance doesn’t stray into advice to a registrant.
- The ALAC firmly believes that we should be differentiating – immediately for new registrations and have a plan for existing registrations. If we can’t get agreement on that, it’s essential that we provide guidance. Do not understand why when we talk about guidance the critical part of how to present these questions so that registrars, particularly the smaller ones, don’t have to reinvent this from scratch.
- Guidance does not constitute legal advice – that is an invalid assertion. It is already established policy that CPs have the discretion to differentiate – the question is do we include guidance or have no guidance and leave this for registrars to do this on their own? Cannot understand why anyone would argue for no guidance.
- There is a thin line between providing guidance to registrars; however, there are many that will pick the easiest default which would be disclosure. Should be protecting registrants and default should be on protection not disclosure.
- Arguing for the right type of guidance. There should be guidance.
- The key question around guidance – there is a distinction b/w existing registrations and new registrations. If we look at over the next 2-3 years, what guidance could we be telling registrars to consider in terms of their practices to best differentiate at their choice or prepare for the future in the event it becomes a requirement.
- The phrase “data will be available upon request” does not land well with those who have worked hard on SSAD to increase the access. The data suggests that the data is not available upon request.
- Have heard about the difficulty of differentiation. Have heard about small registrars with no legal counsel. This all points in the direction of providing guidance.
- Requiring a field for designation and enlarging the set of values possible in the field “unknown” will lay the foundation for evolution over time.
- The issue of how to deal with existing registrations is an important one – the “unknown” field would be helpful for existing registrations but not for new registrations – it might be counterproductive for new registrations. There is a strong difference of opinion over what should be mandatory and what could be guidance. Should be focusing guidance on what could be mandatory. The guidance should be mandatory, should be clearly identified so that we can get public comment on that issue.
- Need to be clear when talking about mandatory guidance – a public comment does not make guidance legal. Not saying that we cannot go down that road but if there will guidance, this should not be mandatory. We should not be stating that if you follow this guidance, you will not run afoul of the law. Art. 36 prior consultation – there is a method and means to go to the EDPB. We should do this – can we give this out as guidance? Would this pass muster? As a group outside of the EPDP, we should be looking at an Art. 40 so that everyone can work together and help ICANN sort this issue out appropriately under the law.
- We either have requirements that are mandated by a policy or guidance. Mandatory guidance is conflating separate terms.
b. EPDP Team to consider next steps to develop response to question i.
- Helpful if all follow-up emails include a reminder – here is the spreadsheet for action items.
- Could consider putting the most recent version on top
c. Confirm next steps
4. Reminder of Homework assignments (5 minutes)
· By Friday 30 April<x-apple-data-detectors://5>, please put forward your group’s proposed response to the feasibility of unique contacts questions (i. Whether or not unique contacts to have a uniform anonymized email address is feasible, and if feasible, whether it should be a requirement. ii. If feasible, but not a requirement, what guidance, if any, can be provided to Contracted Parties who may want to implement uniform anonymized email addresses). Please note here that we have been given specific advice from B&B with a risk continuum, so we will work within that, and we will not entertain discussions seeking to obviate risk altogether. The staff support team has set up a google doc to provide your suggestions (see https://docs.google.com/document/d/1lqLOkF1jaA2NK1hmYtG4jiY4x7V432maFh1Xlv5UeBM/edit?usp=sharing [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1lqLOkF1jaA2NK1hmYtG4jiY4x7V432maFh1Xlv5UeBM/edit?usp=sharing__;!!PtGJab4!q955v0VHL7ex3iogHClg6g7mZHThbjv8q-mxcBzKkF9jutHRkkmgXR8K_A3EDz4MccWdnp7_ImU$>). Based on the input received, leadership with the support of the staff support team will aim to develop proposed draft language for inclusion in the Initial Report.
· By Friday 30 April, please finalize your review and input on the remaining edits / suggestions that were provided on the write up (#16 – 22 + RrSG table & GAC updated proposal that can be found at the end of the document). If you disagree with a comment or proposed addition, please provide a proposed update that factors in the concern identified. As always, please provide updates in comment form. See https://docs.google.com/document/d/1mHNvYWeyTGFhb--yDfWfTYNx_RVe1Bkl/edit [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1mHNvYWeyTGFhb--yDfWfTYNx_RVe1Bkl/edit__;!!PtGJab4!q955v0VHL7ex3iogHClg6g7mZHThbjv8q-mxcBzKkF9jutHRkkmgXR8K_A3EDz4MccWdQ-hcUTc$>
5. Wrap and confirm next EPDP Team meeting (5 minutes):
a. EPDP Team Meeting #19 Tuesday 4 May at 14.00 UTC
b. Confirm action items
a. Confirm questions for ICANN Org, if any
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnso-epdp-team