[gnso-rds-pdp-wg] Notes from RDS PDP WG Meetings at ICANN58 (reformatted)

Lisa Phifer lisa at corecom.com
Tue Mar 21 05:45:05 UTC 2017


Dear all - (Apologies, this reformatted email replaces previous
Outlook-mangled message)

 

Below please find notes from the two RDS PDP WG F2F meetings at ICANN58. 

 

To recap action items:

Action Item #1: Staff to investigate additional techniques to draw WG member
attention to Action Items and Poll Invitations.

Action Item #2: WG members assigned to ask questions of data commissioners
on Monday.

Action Item #3: Test by polling the three above-proposed updates to the
draft Statement of Purpose.  Staff to launch the poll after the conclusion
of RDS PDP WG F2F meetings.
Action Item #4: All WG members to participate in the poll before COB
Saturday 26 March. Poll results to be reviewed during the 28 March WG
meeting.

Action Item #5: Peter Kimpian to gather answers to the 19 WG questions from
the panelists and provide them (if possible) prior to the next WG call on 28
March 2017. 

 

This week's poll link: https://www.surveymonkey.com/r/D6SP37R (closes COB 26 March)

 

Best regards,

Lisa

 

Notes - RDS PDP WG Meetings at ICANN58

These high-level notes are designed to help PDP WG members navigate through
the content of these meetings and are not meant as a substitute for the
transcripts and/or recordings. The MP3, transcript, and Adobe Connect
recording are provided separately and are posted on the wiki here:

Saturday 11 March: http://sched.co/9npN and https://community.icann.org/x/GbLRAw
Wednesday 15 March: http://sched.co/9npc and https://community.icann.org/x/HbLRAw

Many WG members also attended a cross-community discussion with Data
Commissioners. The MP3, transcript, and Adobe Connect recording of that
session can be found here: http://sched.co/9nnl

Notes - RDS PDP WG Meeting - Saturday 11 March, 2017

1. Introductions

*	Please state your name before speaking and remember to mute your
microphones when not speaking
*	WG members in attendance introduced themselves

2. PDP Work Plan, Progress, and Status

*	Briefly introduced work plan (https://community.icann.org/x/oIxlAw),
recent progress, and current task:

o   Task 12.a: Deliberate on Possible Fundamental Requirements for these
charter questions:

*	Users/Purposes: Who should have access to gTLD registration data and
why?
*	Data Elements: What data should be collected, stored, and disclosed?
*	Privacy: What steps are needed to protect data and privacy?

*	Review of work plan and overview of progress to date/current status
including:

*	Focus on "thin" data
*	Deliberation on possible fundamental requirements regarding
users/purposes
*	What data elements should be collected, stored and disclosed
*	Privacy and data protection considerations
*	Results of polls used to determine rough consensus among WG members
- interim conclusion reached with no final decisions yet made

.        As per the work plan, initial report on phase 1 of the PDP will use
rough consensus to determine 5 fundamental requirements 

.        Noted that we are starting with Key Concepts - latest version of
this working document is always posted at
https://community.icann.org/x/p4xlAw

.        Highlighted initial points of rough consensus reached since
ICANN57, reflected in that working document. Refer to
<https://community.icann.org/download/attachments/64074265/ICANN58-RDS-PDP-WG-Slides-FinalRev.pdf?version=1&modificationDate=1489227048000&api=v2>
ICANN58-RDS-PDP-WG-Slides-Final.pdf (slides 4-8)

.        Regarding agreement #14, on what basis did the group conclude that
existing policies do NOT sufficiently address compliance with laws about
purpose? What jurisdiction was assumed? No jurisdiction was assumed, but we
know that in some jurisdictions, policy is not compliant, so therefore we
need to do more (that is, current policy is not sufficient for all
jurisdictions).

.        When was agreement #14 discussed? In the February 14 call, followed
by a poll in which 86% agreed with this statement. However, note that some
WG members missed that call due to conflicting meetings.

.        Request to highlight action items and poll invitations to help WG
members notice them amongst all the long email threads (e.g., separate
mailing list, actions at top of meeting notes)

 

Action Item #1: Staff to investigate additional techniques to draw WG member
attention to Action Items and Poll Invitations, such as including them at
the top of emails containing WG meeting notes.

 

.        Has the WG developed criteria for what makes a purpose legitimate
yet? No. So far we have discussed only legitimate purposes for COLLECTION of
THIN DATA. However, we still need to get to KEY CONCEPTS around what makes a
purpose legitimate (criteria, etc.)

.        It is difficult to reach agreement on purposes without a better
feeling for the consequences of identifying purposes as legitimate,
primary/secondary, etc. Is this putting the cart before the horse? Hoping to
get answers to these questions from data commissioners panel.

.        International Association of Chiefs of Police (IACP) member introduced
the IACP's recent resolution on WHOIS
<http://www.theiacp.org/Portals/0/documents/pdfs/2016%20FINAL%20Resolutions.pdf>
- was an update to the IACP's last resolution, issued 5 years ago. The
WG chair encouraged the IACP to join the WG and participate in this PDP.

3. PDP Working Session

a. Finalize WG preparations for Cross-Community session with Data
Commissioners
 
<https://community.icann.org/download/attachments/64072843/RDSPDP-QuestionsForDataCommissioners-7March2017.pdf?version=1&modificationDate=1488916433480&api=v2>
RDSPDP-QuestionsForDataCommissioners-7March2017.pdf

 

.        Overview of 19 questions developed to present during
cross-community session with data commissioners (Monday, 13 March)

.        Questions sent to Becky Burr who will be moderating the
cross-community session

.        Working group members assigned to questions for data commissioners
- monitor whether or not questions were asked and answered during the
session (or perhaps answered without being directly asked)

.        Discussion with data commissioners will continue during session on
Wednesday, 15 March

Action Item #2: WG members assigned to ask questions of data commissioners
on Monday:

.        Tim Chen: Purpose

.        Rod Rasmussen: Registration Data Elements

.        Alex Deacon: Access to Registration Data for Criminal and Abuse
Investigations

.        Vicky Sheckler: Personal Privacy/Human Rights

.        Kiran Malancharuval: Jurisdiction

.        Susan Kawaguchi: Compliance with Applicable Laws

.        Ayden Ferdeline: Consumer Protection

b. Continue deliberation on Purpose: 

Question 2.3: What should the over-arching purpose be of collecting,
maintaining, and providing access to gTLD registration (thin) data?

*	Review results of 7 March Poll on Purpose: 
 
<https://community.icann.org/download/attachments/64074265/SummaryResults-Poll-on-Purpose-from-7MarchCall.pdf?version=1&modificationDate=1489222898000&api=v2>
SummaryResults-Poll-on-Purpose-from-7MarchCall.pdf
*	Q2: primary point of disagreement is about whether data is
authoritative or RDS is authoritative source of data

.        "Authoritative" has a technical meaning - access to the real
database, not a copy of it

.        Does authoritative imply a requirement to validate the data? No,
there are separate 2013 RAA requirements on validation. 

.        Technically it's impossible for the authoritative data to be
inaccurate with respect to the underlying repository (unless it is
inaccurate on purpose -- e.g. anonymization)

.        From Chat: COMMENT: We debated this at length at the EWG.
Recreating the wheel here.  Also, per Article 29 WP 76 Opinion 2/2003, the
data needs to be accurate, which during the EWG, we deferred to THICK data.

.        The Thick WHOIS WG used this working definition: "Authoritative,
with respect to provision of Whois services, shall be interpreted as to
signify the single database within a hierarchical database structure holding
the data that is assumed to be the final authority regarding the question of
which record shall be considered accurate and reliable in case of
conflicting records; administered by a single administrative [agent] and
consisting of data provided by the registrants of record through their
registrars."

.        Should we be distinguishing between an 'authoritative source of the
gTLD registration data' and 'authoritative gTLD registration data'?

.        Statement of purpose should not imply a particular model for
storage of data or movement of data between storage locations

.        Registration data disseminated through the RDS should be
authoritative (in the technical sense). That is, the data should be obtained
from the source considered to be authoritative.

 

Proposed WG Agreement #1:  Replace purpose 2) "A purpose of RDS is to
provide an authoritative source of information about, for example, domain
contacts, domain names and name servers for gTLDs, [based on approved
policy]" with "A purpose of RDS is to facilitate dissemination of
authoritatively-sourced gTLD registration data, such as domain names and
their domain contacts and name servers, in accordance with applicable
policy."

 

.        Q3: Anything that needs to be added to the statement of purpose?

.        Somewhere along the line we seem to have lost the point that the
RDS provides the information about the registry's view of the
technically-required data for domain name resolution. 

 

Proposed WG Agreement #2:  Replace purpose 1) "A purpose of gTLD
registration data is to provide information about the lifecycle of a domain
name" with "A purpose of gTLD registration data is to provide information
about the lifecycle of a domain name and its resolution on the Internet."

 

.        Regarding comment "d" - The RDS is a directory service. Protecting
privacy would be a potential feature available.

.        Chat proposal to add the following: Purpose of RDS is to support
domain name registration and maintenance by providing appropriate access to
registration data to enable a reliable mechanism for identifying,
establishing and maintaining the ability to contact Registrants.

.        For specific purpose 5, we are conflating issues of purpose and
requirements to fulfill a purpose. 

 

Proposed WG Agreement #3:  Replace purpose 5) "A purpose of RDS policy is to
facilitate the accuracy of gTLD registration data." with "A purpose of RDS
policy is to facilitate fulfilling requirements for the accuracy of gTLD
registration data."

 

Action Item #3: Test by polling the three above-proposed updates to the
draft Statement of Purpose.  Staff to launch the poll after the conclusion
of RDS PDP WG F2F meetings. 

 

Action Item #4: All WG members to participate in the poll before COB
Saturday 26 March. Poll results to be reviewed during the 28 March WG
meeting.

.        The following agenda items were deferred to next meeting (28 March)

.        Finalize Statement of Purpose 

.        Move on to next topic of deliberation by expanding our focus from
"thin data" collection to "thin data" access: Question 2.2: For what
specific (legitimate) purposes should gTLD registration thin data elements
be made accessible?

4.     Confirm action items and proposed decision points

Action Item #1: Staff to investigate additional techniques to draw WG member
attention to Action Items and Poll Invitations.

Action Item #2: WG members assigned to ask questions of data commissioners
on Monday.

Action Item #3: Test by polling the three above-proposed updates to the
draft Statement of Purpose.  Staff to launch the poll after the conclusion
of RDS PDP WG F2F meetings.
Action Item #4: All WG members to participate in the poll before COB
Saturday 26 March. Poll results to be reviewed during the 28 March WG
meeting.

Action Item #5: Peter Kimpian to gather answers to the 19 WG questions from
the panelists and provide them (if possible) prior to the next WG call on 28
March 2017. 

 

Proposed WG Agreement #1:  Replace purpose 2) "A purpose of RDS is to
provide an authoritative source of information about, for example, domain
contacts, domain names and name servers for gTLDs, [based on approved
policy]" with "A purpose of RDS is to facilitate dissemination of
authoritatively-sourced gTLD registration data, such as domain names and
their domain contacts and name servers, in accordance with applicable
policy."

Proposed WG Agreement #2:  Replace purpose 1) "A purpose of gTLD
registration data is to provide information about the lifecycle of a domain
name" with "A purpose of gTLD registration data is to provide information
about the lifecycle of a domain name and its resolution on the Internet."

Proposed WG Agreement #3:  Replace purpose 5) "A purpose of RDS policy is to
facilitate the accuracy of gTLD registration data." with "A purpose of RDS
policy is to facilitate fulfilling requirements for the accuracy of gTLD
registration data."

 

Meeting Materials:  https://community.icann.org/x/GbLRAw

.        RDSPDP-QuestionsForDataCommissioners-7March2017.pdf
<https://community.icann.org/download/attachments/64072843/RDSPDP-QuestionsForDataCommissioners-7March2017.pdf?version=1&modificationDate=1488916433480&api=v2>
and RDSPDP-QuestionsForDataCommissioners-7March2017.docx
<https://community.icann.org/download/attachments/64072843/RDSPDP-QuestionsForDataCommissioners-7March2017.docx?version=1&modificationDate=1488916450802&api=v2>

.        11MarchMeeting-Handout: ICANN58-RDS-PDP-WG-Slides-Final.pdf
<https://community.icann.org/download/attachments/64074265/ICANN58-RDS-PDP-WG-Slides-FinalRev.pdf?version=1&modificationDate=1489227048000&api=v2>
and ppt
<https://community.icann.org/download/attachments/64074265/ICANN58-RDS-PDP-WG-Slides-FinalRev.pptx?version=1&modificationDate=1489227119000&api=v2>

.        KeyConceptsDeliberation-WorkingDraft-7March2017.pdf
<https://community.icann.org/download/attachments/56986791/KeyConceptsDeliberation-WorkingDraft-7March2017.pdf?version=3&modificationDate=1489036968927&api=v2>
and doc
<https://community.icann.org/download/attachments/56986791/KeyConceptsDeliberation-WorkingDraft-7March2017.docx?version=3&modificationDate=1489036982656&api=v2>

.        7 March Call Poll on Purpose -

.        Link to participate: https://www.surveymonkey.com/r/WLMXDJG

.        PDF of Poll Questions: Poll-on-Purpose-from-7MarchCall.pdf
<https://community.icann.org/download/attachments/64072843/Poll-on-Purpose-from-7MarchCall.pdf?version=1&modificationDate=1488938315379&api=v2>

.        SurveyMonkey PDF Summary Poll Results:
SummaryResults-Poll-on-Purpose-from-7MarchCall.pdf
<https://community.icann.org/download/attachments/64074265/SummaryResults-Poll-on-Purpose-from-7MarchCall.pdf?version=1&modificationDate=1489222898000&api=v2>

.        SurveyMonkey ZIP of Raw Poll Results:
RawResults-Poll-on-Purpose-from-7MarchCall.zip
<https://community.icann.org/download/attachments/64074265/RawResults-Poll-on-Purpose-from-7MarchCall.zip?version=1&modificationDate=1489222956000&api=v2>

 

Notes - RDS PDP WG Meeting - Wednesday 15 March, 2017

1. Introductions: Guest presenters were introduced to RDS PDP WG:

.        Joe Cannataci, UN Special Rapporteur on the right to privacy

.        Peter Kimpian, Data Protection Unit of the Council of Europe

2. Data Protection Expert - Q&A session

.        The WG chair briefly introduced our charter and current areas of
deliberation

.        Preface from Joe Cannataci: With regard to future interaction, we
need to consider sustainability; may wish to set up a group to invite
experts to join WG discussion formally

.        Guest presenters discussed the WG's list of questions:
 
<https://community.icann.org/download/attachments/64072843/RDSPDP-QuestionsForDataCommissioners-7March2017.pdf?version=1&modificationDate=1488916433480&api=v2>
RDSPDP-QuestionsForDataCommissioners-7March2017.pdf

.        Discussion with Joe Cannataci on purpose of a next generation RDS,
including:

.        What specifying purpose entails

.        Where purpose of data will and will not apply in the RDS

.        Criteria that apply to legitimate purposes

.        Publication of data elements in the RDS

.        Feedback on the WG's specific purpose #1:
"A purpose of gTLD registration data is to provide information about the
lifecycle of a domain name and its resolution on the Internet."

.        Applicability to "thin" versus "thick" data elements

.        Differentiation between primary and secondary purposes

.        Notes below provide a brief overview of points raised during
discussion; refer to the
<http://schd.ws/hosted_files/icann58copenhagen2017/d0/Transcript%20RDS%2015%20March%20Copenhagen.pdf>
Transcript for a complete recap of this Q&A session

Q1. What do you mean when you tell ICANN to specify the purpose of WHOIS?

.        Test for purpose should be based on use studies or case studies. 

.        Whenever you have someone stipulate they want to collect data, you
must ask why. 

.        Example of applying for a bank loan or insurance policy to assess
risk. 

.        Each bit of information must be in line with purpose. 

.        Purpose cannot be general or just in case.

.        Can only keep records for as long as needed for purpose.

.        Purpose questions (and answers) will change over time.

.        If you are a bank or telecom developing a new service you must
define your primary purpose.

.        A secondary purpose might be a different service marketed to the
same client later on.

.        It would be good to get definitions for "primary purpose" and
"secondary purpose."

.        From chat: Australian Privacy Act 1988: "Use or disclosure of
personal information for a purpose other than the primary purpose of
collection (being a 'secondary purpose') is permitted under specific
exceptions where that secondary use or disclosure is ... in the conduct of
surveillance activities, intelligence gathering activities or monitoring
activities, by a law enforcement agency"

.        The purpose must be clear - for example "in order to enable
enforcement of specific law"

.        If a purpose is provided for by law then a purpose is legitimate.

.        For example, the purpose of collection of registrant data might be
to ensure that the DNS works. There is a belief by some that there should be
access to that data by others (e.g., those investigating cybercrime). Are
those secondary purposes? The WG must decide.

.        Do you need separate purposes for collection, access, and display?
Absolutely yes.

 

Q2. Under what circumstances might the publication of registration data
elements that are personal data be allowable?

.        Why do you want to publish information? What is the public interest
in publishing that data?

.        For example, why is information about the lifecycle of a domain in
the public interest?

.        If data is easily linked to an individual, then it is personal
data.

.        Just because it is personal data doesn't mean it cannot be in a
WHOIS record

.        No data protection law prohibits publication of personal data for
legitimate purposes

 

Q5. Do you believe that any of the following THIN data elements are
considered personal information under the General Data Protection Directive,
and why?

.        In this case (thin data example in #5) the data is not personal
data, but in other cases it might be

.        If an individual registers their own name as a domain name, is the
domain name personal data? WG view: In this case, the individual has chosen
to publish their name in the DNS. A domain name is required for DNS
resolution and as the key to the WHOIS record.

.        Why is expiration date published in a directory service? Isn't that
just of interest to the subscriber? Why is it of legitimate interest to
others?

.        Analogy with telephone directory - in most countries, subscribers
can opt out of being in the phone directory; why doesn't that apply here?

.        There may be other analogies that are more appropriate than a
telephone directory

 

3. Deferred: Continuation of Saturday F2F session deliberation, time
permitting

 

4. Conclusions and Adjourn

.        Plan is to collect answers to the WG's questions (all 19) from the
data protection experts who participated in the Monday cross-community
session. 

.        In principle, there is broad agreement amongst panelists on the
answers to the WG's questions. Responses from data commissioners may be
published on the WG's wiki, if helpful.

.        Reminder for all WG members to participate in this week's poll no
later than COB 26 March.

Action Item #5: Peter Kimpian to gather answers to the 19 WG questions from
the panelists and provide them (if possible) prior to the next WG call on 28
March 2017. 

 

Meeting Materials: https://community.icann.org/x/HbLRAw

.        RDSPDP-QuestionsForDataCommissioners-7March2017.pdf
<https://community.icann.org/download/attachments/64072843/RDSPDP-QuestionsForDataCommissioners-7March2017.pdf?version=1&modificationDate=1488916433480&api=v2>
and RDSPDP-QuestionsForDataCommissioners-7March2017.docx
<https://community.icann.org/download/attachments/64072843/RDSPDP-QuestionsForDataCommissioners-7March2017.docx?version=1&modificationDate=1488916450802&api=v2>

.        11MarchMeeting-Handout (primarily slides 28-37):
ICANN58-RDS-PDP-WG-Slides-Final.pdf
<https://community.icann.org/download/attachments/64074269/ICANN58-RDS-PDP-WG-Slides-FinalRev2.pdf?version=1&modificationDate=1489578526000&api=v2>
and ppt
<https://community.icann.org/download/attachments/64074269/ICANN58-RDS-PDP-WG-Slides-FinalRev2.pptx?version=1&modificationDate=1489578497000&api=v2>
(updated 15 March)

.        KeyConceptsDeliberation-WorkingDraft - see
https://community.icann.org/x/p4xlAw

 

 

 

 
