[Gnso-epdp-team] Notes and action items: EPDP Phase 2A Meeting #03 - 21 Jan 2021

Caitlin Tubergen caitlin.tubergen at icann.org
Thu Jan 21 20:47:03 UTC 2021


Dear EPDP Team,

Please find below the notes and a link to the action items from today’s meeting.

As a reminder, ICANN org will be providing a presentation on the Legal v. Natural Study<https://community.icann.org/display/EOTSFGRD/Legal+v.+Natural?preview=/153518176/153518181/Rec17.2_Legal-Natural_8jul20.pdf> on Tuesday, 26 January at 14:00 UTC.

Best regards,

Marika, Berry, and Caitlin

Action Items

❗️Please refer to the Google Sheet<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> for Action Items. We will review the action items at the beginning of each call.❗️

Notes

EPDP Phase 2A - Meeting #03
Thursday 21 January 2021 at 14.00 UTC


1. Roll Call & SOI Updates



2. Welcome & Chair updates

  1.  Reminder to select your represented member on the Legal Committee



  *   The legal committee is expected to reconvene on 2 February, and there will be homework assignments in advance of that call. Support Staff is trying to schedule the first meeting of the Legal Committee, so please confirm your reps as soon as possible. Please remember to (re)confirm your group’s member on the legal committee as soon as possible. If your rep has not changed from phase 2, please let gnso-secs know.
  *   EPDP Phase 2A will be using a new tool for action items: on the screen is the Google sheet<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> that we are using to track action items: only members and alternates have access to this Google sheet. Support Staff is assigning the action items via this sheet. There is a differentiation b/w the different types of items seen on the sheet: meetings, action items. There is also a status column, which will show open or closed. Each action item will have a due date. If a date expires, the item will show as red (see for example, appoint members to the legal committee).



  2.  Vice-chair selection update



  *   Keith has reached out to Brian Beckham and requested that he provide further information to help inform the EPDP Team’s evaluation of his candidacy. At the same time, Council leadership has been informed of this possible path and the need for Council non-objection to this approach. A Council liaison has not been identified yet.



3. Review of Homework Assignments (75 minutes)



Feasibility of unique contacts (see https://docs.google.com/document/d/1weQemSQ0-884ILbhmR3OLzUWouyGXMKH/edit and https://docs.google.com/document/d/1e2-rVF2wh-821tct76O50QdWwn4ZcIqS/edit)



a. Review of proposed definitions and terminology:

  *   Review EPDP Team input
  *   Confirm common understanding of definitions / terminology



  *   As a reminder, Staff has inserted the relevant recommendations from phase 1 into the document. Alan G. raised a question on the status of implementation of recommendation #6, which recommends that registrars, as soon as commercially reasonable, must provide the opportunity for the RNH to provide its consent to publish redacted contact information, as well as the email address.
  *   Action: Support Staff to reach out to the Phase 1 Implementation Review Team staff support to request a written update on the status of Phase 1 recommendations, particularly Recommendation 6 and Recommendation 13.
  *   As agreed during the last call, the staff support team took a stab at deriving definitions and descriptions from the different materials available to the EPDP Team. Several team members have provided very helpful input and suggestions. Support Staff has highlighted in yellow bracketed language or updates that aim to reflect the input that has been provided. Please take an opportunity to review to see if there are any concerns about these clarifications. At this stage, the main focus is to make sure everyone has the same thing in mind when using certain terms or concepts.
  *   An item Support Staff would like to flag is that some of the confusion seems to have arisen from the fact that the original language from the Annex to the Temporary Specification refers to an anonymized email address, while several Team members have pointed out that the actual question relates to pseudonymized email addresses (and not anonymized email addresses). The Legal Committee has already noted this, so perhaps the Team can consider using pseudonymized going forward.
  *   EPDP Team Feedback:
     *   The Team hasn’t completely agreed on terms (as noted in the feedback to the sheets); however, it is important that the Team is talking about the same thing when using the same words.
     *   Staff seemed to suggest that we’re talking about pseudonymization, but the memo seemed to suggest that even anonymized data is personal. Would like some clarity on the status of anonymization – is this allowed in the policy?
     *   The document isn’t complete. It’s clear from our discussions to date that the Team is not using the terms in the same way. Would it be possible to ask for a small team of volunteers to work on the definitions and finalize them? May be helpful to have a separate definitions document.
     *   There is a clear incongruity b/w uniform and unique contracts.
     *   This is language that comes from the legal committee’s question to legal counsel. Perhaps the legal committee could look at this inconsistency. Additionally, other language comes from previous language from the EPDP Team. It may be helpful so that the group could add further comments or concerns, and based on that, the Team can make further changes or create a small team.
     *   Definitions also define the scope of what the team is working on, so it’s important that everyone is on the same page. As an example, uniform pseudonymized email notes “a given registrar” is consistent with the scope of Phase 2A, but at the same time, would this definition serve the purpose of correlation? Have to distinguish anonymized and pseudonymized from the side of the controller and third parties. An important question is will these emails be anonymized from the side of the third party.
     *   This discussion of definitions is unnecessary and beside the point: what the team is doing is having a debate about the amount of information that is published. Some groups are having issues with webforms; we are now discussing whether we will move from webforms to some sort of email address. The legal advice from Phase 2 has already told us that a unique email address that can be correlated, that is personal information and it is illegal to publish. This is really a policy discussion about contact information; arguing endlessly about definitions is futile.
     *   In having the discussion, if the team is using certain words, the team needs to use them consistently. Personal data does not necessarily imply that it can’t be processed.
     *   Rec. 13 of Phase 1 already establishes the use of an email address or a webform; most CPs have decided to use webforms, but the use of email addresses is already established.





b. Review of problem statement:

  *   Review EPDP Team input
     *   CPH looked at the instructions from the GNSO Council to see what this Phase 2A team is expected to solve. As noted earlier, CPs may use an email address. If the CP does implement an email address, should the CP be required to use certain guidance, what is that guidance expected to be?
     *   There has been some further information imported from Staff from team members during the call.
     *   From a staff perspective, the work done here is not incompatible. However, as noted, the team needs to focus on the question Council asked that the team is expected to respond to.
  *   Confirm common understanding of problem statement / problems that are expected to be resolved



  *   The staff support team used as a starting point the input that was provided during the last meeting and several Team members have added further details to the identified objectives of contactability and correlation. One more objective was proposed, namely research – processing for research or statistical purposes.
  *   In addition, the CPH team has provided a proposed problem statement that seems to be focused on the questions that the EPDP Team is expected to answer, in line with the instructions that the Council provided.
  *   If there is general agreement about what the underlying objectives may have been, maybe moving forward the group can start focusing again on the actual question and the instructions that the Council has provided for how it expects this question to be resolved?
  *   Some did note specific issues with the use of webforms and although that is not the focus of this group, maybe it is something that Contracted Parties can take back to share with their group to see if there are ways to address these issues and/or share best practices?



EPDP Team Feedback:

  *   This problem statement does not address the correlation issues that some groups have noted is important.
  *   Need more time to review this. What is pseudonymized for CPs could be anonymized for third parties.
  *   Where did this concept of correlation come from? What is the provenance of this concept of correlation, given what the GNSO has asked the team to do?
  *   Correlation is in reference to uniform anonymized email addresses. The second question is worded – is the team intentionally ignoring the fact that members of the team have said that webforms do not work. Some of the webforms are not even fillable. Would like to have a constructive conversation going forward.
  *   Is the webform a compliance concern for ICANN?
  *   If the webform is not working or is not implemented properly, that is more of an ICANN compliance issue, rather than an EPDP P2A issue. The webforms have been horrendously abused; they have been scripted and spammed. Trying to balance operational contactability against abuse. Some registrars use a menu system, rather than a freeform response.
  *   If the webform is not being relayed to the registrant, that is a compliance issue. However, the team did not specify what the webform should contain.
  *   If there is a stated problem, such as contactability, there is no reason this should not be clarified in policy. Specificity is needed here. Problem with Chair’s intervention driving the conversation.
  *   If one of the issues is contactability, or there needs to be a possibility of directly contacting the registrant; another is to make it anonymous to third parties. As a minimum, maybe it should be possible to contact the registrant to anonymously contact the registrant.
  *   Rec. 13 reconfirms the Temp Spec approach: email address or webform to facilitate communication with a registrant. If there are concerns with the webforms, perhaps this could be brought to the Phase 1 IRT.
  *   Helpful to receive an update on webforms for Phase 1 IRT
  *   Current text from Recommendation 13 for the Phase 1 IRT: Where a Registrar redacts the data element values listed in Section 10.3.1.8 or 10.3.1.12, in lieu of “REDACTED”, Registrar MUST Publish an email address or a link to a web form for the Email value to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself. [Rec 13]
  *   Might be better to request an update from the IRT staff lead



c. Practical application of pseudonymization

  *   CPH Teams to share examples, if available, of how pseudonymization is used in practice providing input on questions such as do the different registrars communicate at the time of registration and exchange this unique string along with other personal data of the registrant? Or is there a common database where all strings corresponding to each registration are listed?
  *   Q & A by EPDP Team



EPDP Feedback:

  *   Surprised at this question. Why would registrars share their customer data with competitors? There is no shared database of contacts b/w registrars, and there is no functional or policy reason for this.
  *   Not aware of any registrars using pseudonymization for contacts and it may be difficult to find an example when not currently aware of any.
  *   One should not be expected to share data with competitors but could share a pseudonymized algorithm across registrars.
  *   Question of are there practical examples of this in the wild – the answer today seems to be no.
  *   There was a previous conversation whether this exists in the wild. There are some privacy services that offer functionality for pseudonymization. In terms of sharing this across registrars – this does not exist, other than sharing to a thick registry.
  *   Registrars do need to share info with the registries – there may be a handle that registrars share – is this generated in a pseudo-anonymous way that may be further investigated
  *   Examples of pseudonymization are beside the point as this would ultimately be illegal publication.
  *   Do CPs not use pseudonymization at all?
  *   There is no requirement that emails remain protected when there is no personally-identifiable data associated with it. The email could be available upon request, rather than published. One could make a request for a domain name with a phishing attack. One could then ask for all other domain name associated with that email address.
  *   With respect to the information registrars send to registries – when registrars create a registration with a registry, they are required to create a unique identifier, but that is tied to the domain registration, not the contact info. If the domain is transferred to another contact, that unique identifier does not change.
  *   In looking at the B&B memo, this is not an outright exclusion of using pseudonymized techniques. The memo refers to risk reduction. The study that was referenced (ENISA) – it is all about pseudonymization and the techniques and analysis that must be used so that the public cannot decode it. As a starting point, do not believe this is illegal – rather, how to reduce the risk that the data is anonymized vis-à-vis the public.
  *   This group is supposed to talk about data published in the RDS or requested via the SSAD. Everything else can be requested through a subpoena but has nothing to do with this group’s work. Need to make sure that when the team talks about this topic – the group needs to talk about only what the RDS and SSAD require. For example, if one wants correlation data, there is a way to get that – it is called a subpoena that can allow a database query.
  *   This team is paying the price for not having done the DPIA and roles/responsibilities assessment. Even if emails are pseudonymized, you are achieving contact, which is an intrusion.
  *   The team has identified that there is a distinction b/w contactability and correlation. A fundamental question of publishing a pseudonymized or anonymized email address. Reminder for everyone to review the charter what is required. Review the Council instructions – the background briefing paper should include all of this.



d. Confirm assignments for clarifying questions

  *   Review input received
  *   Confirm assignments



  *   No input was received on the assignments – this leaves questions 6 – 10 for feasibility without assignment at the moment. The staff support team would like to suggest to assign these questions to the legal committee for further review as these are mostly related to the memos – not all of these seem to be questions that may need to go back to Bird & Bird, but the legal committee may benefit from the input provided to determine what questions, if any, need to go back to legal counsel.
  *   If the group agrees with this, the staff support team will go ahead and compile the questions for the legal committee so it can already start its consideration online to be able to make progress ahead of the legal committee meeting. Will proceed the same way for legal v. natural in the interest of time.





4. Wrap and confirm next EPDP Team meeting (5 minutes):

  1.  Meeting #04 Thursday 28 January at 14.00 UTC.
  2.  Confirm action items
  3.  Confirm questions for ICANN Org, if any


  *   This meeting is expected to focus on legal / natural to allow the EPDP Team to debrief from the webinar on the ICANN org study and further focus on the proposals that have been put forward for potential guidance to registrars and registries.
