[Gnso-epdp-team] Notes and action items - EPDP Phase 2A Meeting #05 - 4 Feb 2021

Caitlin Tubergen caitlin.tubergen at icann.org
Thu Feb 4 17:11:52 UTC 2021


Dear EPDP Team:

Please find below the notes and action items from today’s EPDP Phase 2A meeting.

The next meeting of the Legal Committee will be Tuesday, 9 February at 1400 UTC, and the next plenary meeting will be Thursday, 11 February at 1400 UTC.

Thank you.

Best regards,

Berry, Marika, and Caitlin


Action Items
Please refer to the Google Sheet<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> for Action Items. We will review the action items at the beginning of each call.

Notes

EPDP Phase 2A - Meeting #05
Thursday 4 February 2021 at 14.00 UTC


1. Roll Call & SOI Updates



2. Welcome & Chair updates (Chair)

a.       EPDP Phase 2A project package overview (Berry)

           *   The EPDP Team provides a monthly status report to the Council re: the progress of the group. What you see on the screen is the first status report that will be sent to the Council. This will be the commitment to the plan that the Team is required to provide to the Council, including being committed to the delivery dates. The Team does have flexibility in terms of project change requests.
           *   The first slide is a “poor man’s Gantt chart” or the summary timeline that includes delivery dates. This was first presented in early January and showed the original plan to deliver a report by 31 March. The key takeaway for the summary timeline is that the delivery date of the Initial Report has been extended to the end of May. The Chair’s update to the Council is still likely to occur at the ICANN70 virtual meeting, as it is still a requirement for Keith to provide this update on where the Team stands from a probability of meaningful progress perspective.
           *   The reason why the plan has been extended by two months is partly b/c the Team got a slower start than anticipated, and there is greater demand from a legal advice perspective. It also takes into account that the Team is operating under a slower pace (one meeting per week), though, in effect, with the legal committee, there are now two meetings per week.
           *   It should be noted that even though there are now two additional months, there is still very little meeting time, and the Team needs to be aggressive in its work and leverage offline interactions to meaningfully progress its work.
           *   From a project manager perspective (not trying to presuppose an outcome), the plan is built to the end of a recommendations report being delivered to the Council.
           *   This will be sent to the Council on Monday; it will likely be an AOB item during the Council’s next meeting on 18 Feb.
           *   The other work products under PDP 3.0 include the PCST (project cost support team); because there is not a dedicated budget for this short-term effort, expenses are not tracked, and this will not be included in this project package.
           *   There is also a situation report – the core of this document to understand is the status and health of the project.
           *   The Gantt chart project plan looks like an eyesore on this screen, but it breaks down all of the Team’s work.
           *   The last part of the package is the Google sheet<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> to track meetings and action items. Please regularly check in on this, with particular attention to the open action items.
           *   Follow-up question: the chair is still on the hook to give an update to the Council in March, but based on the progress we’re making so far, the Initial Report is targeted for May, and we are asking the Council to approve that as the team’s timeline?
           *   Yes. As part of PDP 3.0, current and future working groups are required to commit to a set of target delivery dates, and this is the plan the leadership team agreed to. The update to the Council in March was a requirement from the beginning.
           *   Is there anything the team should review or comment on re: the project package?
           *   No, it’s pretty finalized, but the Team is welcome to ask questions or spot inconsistencies. In terms of the substance and target dates, those are set in stone – this is more of an FYI of what will be sent to the Council.
           *   Regarding the March timeline, it’s not a formal consensus call, it’s rather a chance or probability of consensus determination from the chair – this is in line with GNSO Council’s requirement.

b.       Vice-chair confirmation (see https://mm.icann.org/pipermail/gnso-epdp-team/2021-January/003650.html)

           *   We received one expression of interest for a vice-chair from Brian Beckham. Brian submitted his EOI to the group. Historically, the vice-chair has been a member of the EPDP Team, and the team’s charter is unclear as to whether the vice-chair needs to be part of the team.
           *   Accordingly, Keith will go to the Council for its non-objection to Brian being vice-chair, as the Team has expressed no objection to Brian’s appointment.

c.       Update from legal committee (Becky)

           *   The Legal Committee met and started working its way through the draft questions received from the plenary. The approach is to ask first whether the Team has already received sufficient advice from B&B to answer the questions. If not, do the questions relate to items in scope of the EPDP Team? If so, would the question further the work of the group? So far, the Legal Committee is working on refining the questions received.
           *   Feedback: last time around, the legal committee worked on a unanimity basis – is the methodology the same this time around?
           *   The team was not looking for unanimity, but rather consensus of the small group.



3. Legal vs. natural



a.       Proposed approach for reviewing and refining proposals

  *   See https://mm.icann.org/pipermail/gnso-epdp-team/2021-January/003654.html

           *   Team is asked to review the proposals and opine on the following questions in a constructive manner:

  *   What concerns do you have about this proposed best practice? How could this concern be mitigated?
  *   If there is support for the guidance provided (either in this form or modified form), what incentives could be provided to encourage the adoption by Contracted Parties of this guidance?
  *   Does this guidance provide sufficient risk mitigation to consider changing the EPDP Phase 1 recommendation? If not, why not and what further risk mitigation would be needed to change your opinion?   (Note: this column is meant to be filled out later in the process following assessment of the proposed risk mitigation.)



  *   EPDP Team input & suggestions

           *   This seems to focus only on guidance, but what the team should be focusing on is consensus policy.
           *   Note: the rightmost column of the Google doc<https://docs.google.com/document/d/1N-3HyLJZTBq6tCVB4Ig3ws2Tfjb08RGFP1NTNe1MEGI/edit> is reserved for consensus policy considerations, but leadership would like the team to first focus on best practices and guidance so that the team is better positioned to assess whether the best practices/guidance should become consensus policy.



b.       Continued introduction of proposals for guidance that can be provided to Registrars and Registries who differentiate or want to differentiate between registrations of legal and natural persons

·        Proponents to introduce proposal (see https://docs.google.com/document/d/1QlM4O_vwx7cQ11DJ_Lx2kqhyyRgDkMXG/edit)

     *   Laureen Kapin (proposal #6)

           *   This part of the proposal deals with whether the registrant provides personal information or not. It is proposing to leverage existing mechanisms that registrars use to communicate with their clients – education, clarification, confirmation, and ability to correct.
           *   In terms of the discussion going on in the legal committee, Volker had suggested perhaps one option to deal with the risk of inadvertently disclosing personal information is to deal with this information via automatic disclosure through the SSAD.
           *   Feedback: making the differentiation b/w personal data vs. legal v. natural is a more constructive approach. Most registrants have automatic renewal set up without anyone ever noticing anything. The more interaction that is required, the more disruptions that occur. In terms of voluntary updates the customer can make, that could be included in the WHOIS Data Reminder Policy (WDRP), that could work. As soon as this becomes a requirement where the customer has to react and do something, this creates chaos.
           *   It only takes one or two issues before there is an existential business problem. Not every registrant pays attention to their domains or manages them as closely as they probably should. Instead of focusing on how to safely disclose data that is redacted, we could focus on building a mechanism for legal entities or natural persons who consent to publication to get them into a declaration state and focus on a path of mandatory redaction and build a safe publication process.
           *   It’s impossible to prevent all registrants from making a mistake, and that is not the team’s goal. The goal is to put CPs in the best possible position to put the risk at near zero so that a registrant doesn’t have a case if data is disclosed because they were properly put on notice of the disclosure risks.
           *   The voluntary publication is already part of Phase 1 – had previously asked if registrars already do this. The Team needs to understand if this is already being done. The question is: is this in place now, or has it been not implemented?
           *   There will have to be some form of standardization because registrars still have to upload the data to some of the registries. If there is something in place industry-wide, there needs to be standardization. Registrars are dealing with a whole infrastructure that has to be taken into account.
           *   The Phase 1 IRT is still doing its work re: Phase 1 recommendations.
           *   Believe registrars already have implemented this, but it’s likely a bespoke process for each registrar.
           *   The legal committee is discussing considering these recommendations via the SSAD in order to minimize risk – want to ensure this is captured as a discussion item.

     *   Tara Whalen (proposal #8)

           *   SSAC is looking for ways to publish appropriate data to help fight cyber-crime.
           *   SSAC reviewed how this is done in other parts of the industry – particularly RIPE NCC and ARIN.
           *   RIPE NCC’s registrants are legal persons, however sometimes natural persons data is published – RIPE NCC provides mechanisms for the removal and correction of personal data and created an acceptable use policy in line with this.
           *   RIPE NCC needs to ensure contactability, which underpins their approach. The approach states that having contact details responsible for internet number resources facilitates internet coordination and is necessary when something goes wrong.
           *   Proposal is to examine the permission-based grant to see if this can be used for ICANN’s purposes.
           *   This may already have been subject to previous guidance from B&B. See this memo: https://community.icann.org/display/EOTSFGRD/EPDP+-P2+Legal+subteam?preview=/111388744/126428940/ICANN%20memo%2013%20March%202020%20-%20consent.docx
           *   Just b/c another guy jumps off a tenth-floor window, we shouldn’t do the same.
           *   The language from the previous phase is helpful, but this question still merits further review.
           *   Are there examples of actual legal actions against companies?
           *   When we’re talking about new regulations, it’s difficult to have this certainty. In terms of increased risk, this is very subjective, and it may not be productive to ask this question.
           *   Could there be data breaches b/c of registrant conduct? Yes, there can. But there can be transparency that mitigates this risk.
           *   These are, legally speaking, very separate analyses. The previous memo deals with consent, and we agree that is a problem. That is a very different question than looking at it through the lens of identification of a legal entity. It would be useful to keep in mind that these are two separate questions.
           *   Action to take this back to the legal committee.

     *   Melina Stroungi (proposal #10)

           *   The proposal is at the core of what the team is discussing – in order to assess whether this is feasible, it would be helpful to have a cost-benefit analysis. The question is what the risks and costs are. Laureen’s proposal, for example, shows how to mitigate the liability risks. There are not only risks when implementing something; there are also risks in not differentiating between legal and natural persons. This has not been included in the cost-benefit analysis.
           *   The group needs to consider how the cost-benefit analysis should be structured and to assess whether this is reasonably possible within the timeframe the team has.

     *   Milton Mueller (proposal #3)

           *   Milton was not present on this call, so this proposal was not discussed.

     *   Other

           *   In terms of preliminary discussion going on in the legal committee, does the disclosure of legal person’s data through the SSAD help mitigate the risk of improper disclosure?
           *   The risk of disclosure through the SSAD is different from the risk of publication in WHOIS, which allows, for example, harvesting of data. When the team looks at the disclosure of information, the ways it can be done are better controlled within the SSAD than outside of it.
           *   This would mitigate the risk of an inadvertent disclosure, but from the perspective of ensuring that non-personal information has no basis to be shielded, this still adds an above-and-beyond layer, which means this proposal still suffers from the same risk as the status quo: data that is not entitled to protection is protected. Acknowledge that automated disclosure is more streamlined, but this is still an overprotection of information, since GDPR does not protect legal person data.
           *   Even if this is outside of GDPR, if there is still a high risk that the data is inside GDPR, this may be a safeguard that we can consider, but we need to look at whether the data is protected.
           *   This proposal does not satisfy the needs of other stakeholders in that there is no ability to use the public information to do correlation. Doing a single query via the SSAD will not provide what is necessary to protect victims of a phishing attack.
           *   An additional proposal developed by EWG, which is a verified contact approach, is something the team should consider.
           *   In Phase 2, the team decided the minimum data that should be public.
           *   It is not this team’s job to determine what is allowed with public data; there are certain freedoms that we have no control over. Using the SSAD to get legal data is something the Team discussed in Phase 2, but CPs noted this is still processing of data and therefore could not be automatically disclosed.
           *   What correlation means is – when identifying potentially infringing domain names, there is a challenge to prioritize what to go after first – if a registrant has several infringing domain names, the problems can be more efficiently addressed. This kind of correlation is perfectly legal and is a useful practice that is no longer possible b/c of how ICANN has treated registration data post-GDPR.
           *   The point is that others can use the same tools to figure out who owns a domain name that is politically inconvenient or persecuted speech in certain parts of the world. Cannot allow the case where registrants might get hurt from the same tools when used for evil instead of good.
           *   The minimum data set was decided in Phase 1. During Phase 1, it was decided that differentiation would be decided later. That is what the team is dealing with now.

·        Q & A by EPDP Team

·        Confirm next steps



4. Feasibility of unique contacts (see https://docs.google.com/document/d/1e2-rVF2wh-821tct76O50QdWwn4ZcIqS/edit) – if time allows



a.       Introduction of proposals for options to require unique contacts to have a uniform anonymized email address across domain name registrations that would not result in being treated as publication of personal data

·        Proponents to introduce proposal

     *   Brian King
     *   Melina Stroungi, Chris Lewis-Evans

·        Q & A by EPDP Team

·        Confirm next steps


5. Wrap and confirm next EPDP Team meeting (5 minutes):

  1.  Meeting #06 Thursday 11 February at 14.00 UTC.
  2.  Confirm action items
  3.  Confirm questions for ICANN Org, if any

