[Gnso-epdp-team] Notes and action items: EPDP P2A Meeting #06 - 11 Feb 2021

Thu Feb 11 17:37:37 UTC 2021

Dear EPDP Team:

Please find below the notes and action items from today’s call.

The next plenary meeting will be Thursday, 18 Feb at 1400 UTC.

Thank you.

Best regards,

Berry, Marika, and Caitlin

Action Items

Please remember to check for action items using the team’s Workplan and Action Items sheet: https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0.

EPDP Phase 2A - Meeting #06
Agenda
Thursday 11 February 2021 at 14.00 UTC

1.                            Roll Call & SOI Updates (5 minutes)

2.                            Welcome & Chair updates (Chair) (5 minutes)
a.       Membership update:
·         Welcome Steve Crocker as a new SSAC rep
b.      Legal committee update on status of questions being considered for external counsel
·         The legal committee met on Tuesday and is assessing a way to move more quickly through the questions so that more work can be accomplished in between meetings.
·         Note from Keith: If the group is not able to make progress in plenary meetings b/c legal committee feedback is needed, a plenary session can be repurposed for the legal committee so that work can move forward. This is an option available, if needed.

3.      Feasibility of unique contacts

a.       Definitions / Terminology – as proposed by Legal Committee (15 min)
·         Update from legal committee (Becky)
·         The legal committee had a good discussion on the definitions for feasibility of unique contacts. There was consensus that the use of the word anonymous is problematic in the sense that there is always someone who will be able to identify the registrant, and the definition of anonymization means information that cannot be reverse engineered so that even the data controller cannot identify that person. Both proposed mechanisms are pseudonymous; the difference is that one identifier is a one-time pseudonymous email, while the other is a persistent pseudonymous email. The Legal Committee will come back to the plenary team shortly with updated definitions.
·         EPDP Team input
·         The different treatment of pseudonymous emails can lead to different registrant behaviors
·         This a policy question not a legal question
·         Interesting that there is no such thing as an anonymous email. Effectively, we have a data set, and within that data set there is a domain name. That cannot be made anonymous due to internet functioning. Has the legal team looked at this question from the perspective of a third party, rather than the data controller?
·         This is an interesting and difficult question under European law and the ECJ has taken different positions in different cases. A technical reading would be: if anyone can identify the individual, including the data controller, it is not anonymous.
·         Thank you for the distinction and noting this is a policy question the group is faced with. Definitional discussions are unhelpful in answering the policy question. Could the team set aside, based on this legal input, that the word anonymous has implications and may not be correct? Can the team now agree that the issue is the applicability of the identifier to multiple registrations and the utilization of this identifier?
·         It is important for the legal committee to finalize the terms being used so that the team can have a common understanding of the terms.
·         Recommend sticking to the GDPR definitions
·         Obfuscation is a word that would help here b/c pseudonymization is being misused and conflated with anonymization. The team always talks about a registrant not wanting to be identified because they are doing something criminal, but that is not correct. It could be that someone is trying to protect a patent, for example. It is not a simple case of good guys vs. bad guys.
·         Agree that inclusion of the term obfuscation could be helpful.

·         Confirm next steps
·         Legal Committee will share the updated definitions with the plenary shortly.

b.       Introduction of proposals (see https://docs.google.com/document/d/1e2-rVF2wh-821tct76O50QdWwn4ZcIqS/edit) for options to require unique contacts to have a uniform anonymized email address across domain name registrations that would not result in being treated as publication of personal data (15 min)
·        Proponents to introduce proposal
o    Brian King
·         The proposal is third parties need an email that actually works.
·         Seems the concern is contactability.
·         Keep hearing third parties say that web forms are not a workable option, but have yet to understand why. Is it just the textual limits – what, precisely, is not working?
·         The web forms at some registrars limit the textual input to an unworkable character limit – for example, one registrar has a character limit of 100 words. Other large registrars only allow third parties to choose b/w a registrar-chosen drop down menu with no freeform field. Insistence on a web form was for IP owners to contact the registrant and describe the issue.
·         The web form came from the Temp Spec and the implementation from Phase 1 – is that a separate but related conversation for the Phase 1 IRT to have re: access and contactability? Is there an opportunity to make some improvements there?
·         This does not seem to be a proposal for how to make unique contacts work that complies with data protection law. The web form was already a requirement from Phase 1; do not think this proper use of this phase’s time. With respect to attachments, this a big security concern.
·         The web forms used to be workable solution, if there is gaming to these – this should be fixed rather than throwing the baby out with the bathwater. There can be rethinking of how web forms can work, but they have proven effective in protecting customers from spam and malware. If there are issues re: contactability, these can and should be fixed.
·         Web forms are not a requirement; it’s an option. In many cases, and including at many large registrars, not able to effectively communicate with registrants. WHOIS used to facilitate with the registrant; yes, this comes with the potential for spam. GDPR is no reason why there cannot be some sort of email address that facilitates communication.
o    Melina Stroungi, Chris Lewis-Evans
·         Is it feasible to use obfuscated or pseudonymized emails of registrants? We all agree that certain personal information – the registrar will always have re: the registrant. The question is – is it feasible for a third party perspective if the registrar publishes an obfuscated third party email.
·         The reason some have email and some have web forms is because of thick and thin registries. This could be taken as a question as to thick and thin because thin registries allow more direct communication with the customer.
·         The team is not thinking about what happens when someone has an anonymous email address and then the third party makes the same request to the SSAD. This appears to defeat the purpose of the SSAD, and the team should be mindful of the broader implications of this.
·        Q & A by EPDP Team
·        Confirm next steps

4.                            Legal vs. natural (30 minutes)

a.       Overview of Laureen’s Updated Proposal
·         Feedback from this group noted that the important distinction is b/w personal and non-personal data rather than legal v. natural. This rewrite keeps this distinction in mind. The process still starts with the question of legal v. natural. The other aspect of this proposal is mindful of resource issues and trying to leverage existing mechanisms rather than creating a lot of new mechanisms. The current process required under registrar agreements to verify accuracy of information could be leveraged as part of the confirmation process. Information should be quarantined before information is published. At the very end, there is a verification process (step 4). Tried to mitigate some of the concerns by baking in new safety valves and tried to include requirements into already existing mechanisms.
·         Thank you to those who have been doing work intersessionally.

b.       Jamboard Brainstorming Experiment

·         Explain Jamboard concept
·         Google Jamboard is a new tool that we have access to which is intended to facilitate online brainstorming and collaboration.
·         It is also a new tool for us so please bear with us if we don’t have all the answers, but we thought it might be worth exploring it as a way to promote and facilitate work in between calls.
·         For those of you have explored the Jamboard that we created, you may have seen that it is basically an online version of a whiteboard with sticky notes and markers.
·         The idea is that you get together with your group and review the proposals that have been put forward to date. You use a sticky note (click on the fourth symbol on the left-hand side) to write down your group’s concerns in combination with constructive suggestions for how these concerns can be addressed. Make sure to put the sticky note in the row that has been assigned for your group – to avoid confusion, you are also encouraged to add your group’s name to the sticky note.
·         Prior to the next meeting during which these proposals will be discussed, you are all expected to have reviewed the input provided by other groups and use the copy/paste function to duplicate on the right side of the Jamboard the concerns you share as well as the proposed suggestions for changes you support (you cannot pick your own proposals!). The idea is that this will give the proponents of the proposals further guidance on how to update their proposals until the group gets to a version that everyone feels comfortable with including in the Initial Report as a best practice to be recommended to Contracted Parties.
·         Important point – do homework intersessionally. We could consider creating small teams to work on proposals. Encourage folks to reach out to one another outside of meeting time, and bring proposals that have been worked through back to the plenary for discussion.

·         Test run Jamboard on proposal #1
·         Input from EPDP Team on this approach
·         Confirm next steps
·         Important point – please do homework intersessionally. We could consider creating small teams to work on proposals. Encourage folks to reach out to one another outside of meeting time, and bring proposals that have been worked through back to the plenary for discussion.

5.                            Wrap and confirm next EPDP Team meeting (5 minutes):
a.       Meeting #07 Thursday 18 February at 14.00 UTC.
b.       Confirm action items
c.       Confirm questions for ICANN Org, if any

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20210211/cf46033c/attachment-0001.html>