[gnso-rds-pdp-wg] Recordings, Attendance & AC Chat from Next-Gen RDS PDP Working group call on Tuesday, 3 October 2017 16:00 UTC
Julie Bisland
julie.bisland at icann.org
Tue Oct 3 21:46:31 UTC 2017
Dear All,
Please find the attendance of the call attached to this email, and the Adobe Connect chat, MP3 & Adobe Connect recording below for the Next-Gen RDS PDP Working group call held on Tuesday, 3 October 2017 at 16:00 UTC.
MP3: https://audio.icann.org/gnso/next-gen-rds-pdp-wg-03oct17-en.mp3
AC recording: https://participate.icann.org/p3pa4jai1i5/<https://participate.icann.org/p3pa4jai1i5/?OWASP_CSRFTOKEN=d048b2f398d46cdea54ea6b4051a716b3de18365239aaf918caedc1b891c5339>
The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page:http://gnso.icann.org/en/group-activities/calendar<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_en_group-2Dactivities_calendar-23nov&d=DwMF-g&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=GJMkY4Fbi9sry9Z53DaSWJm-mHxMfFxg7MEVDf2JU90&s=FI3QJYH6DWWCDQir6NDMSjPkzdqfTTUmf9Ua-AYpc14&e=>
** Please let me know if your name has been left off the list **
Mailing list archives:http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
Wiki agenda page: https://community.icann.org/x/bWfwAw
Thank you.
Kind regards,
Julie
---------------
AC Chat Next-Gen RDS PDP WG Tuesday, 3 October 2017
Julie Bisland:Welcome to the GNSO Next-Gen RDS PDP Working Group teleconference on Tuesday, 03 October 2017 at 16:00 UTC
Julie Bisland:Agenda wiki page: https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_bWfwAw&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=QiF-05YzARosRvTYd84AB_UYInlydmFcjNmBM5XgySw&m=yGuhVKm-I9WXOo-zhqiCeseRDHZc1ao16xVWoSIl9F0&s=1519OMlTf_qrfVlCmocb02VU9ZXzR357tbnJWvHRjiQ&e=
Krishna Seeburn - Kris:hi julie
Julie Bisland:Hello Kirs! Hope you are well :)
Julie Bisland:oh gosh, clearly I'm not well! KRIS
Julie Bisland::)
Krishna Seeburn - Kris:what's wrong?
Julie Bisland:I can't spell haha
Krishna Seeburn - Kris:health issue?
Krishna Seeburn - Kris:oh gosh....
Krishna Seeburn - Kris:hi steve
steve metalitz:hello
Chuck Gomes:Hi all
Krishna Seeburn - Kris:Hi chuck
Maxim Alzoba (FAITID):Hello All
Maxim Alzoba (FAITID):Hello ll
Tim O'Brien:Aello All, sorry for the absense - been on travel for the last two weeks
Nouradine Abdelkerim Youssouf:hello All
Maxim Alzoba (FAITID):Memorandum does not cover Escrow (offtopic)
Maxim Alzoba (FAITID):and Escrow related to storage
Lisa Phifer:Link to memo displayed: https://urldefense.proofpoint.com/v2/url?u=https-3A__gnso.icann.org_en_drafts_wsgr-2Dicann-2Dmemorandum-2D25sep17-2Den.pdf&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=QiF-05YzARosRvTYd84AB_UYInlydmFcjNmBM5XgySw&m=yGuhVKm-I9WXOo-zhqiCeseRDHZc1ao16xVWoSIl9F0&s=r8IaalEcQY758Fyu-SXx_NAQD6Ba--qrFhkIuTWYcgc&e=
Greg Shatan:If you don't tell your legal counsel what you want to accomplish, they won't help you accomplish it.
Maxim Alzoba (FAITID):agree
Vicky Sheckler:+1 greg
andrew sullivan:I agree with Greg S, which is I think the approach I suggested on the list last week
Ayden Férdeline:I might type
James Galvin (Afilias):how was the law firm selected?
Ayden Férdeline:just out of curiosity, could you please remind us, how was this law firm chosen? thank you!
Ayden Férdeline:audio is bad on my end
Krishna Seeburn - Kris:how was the law firm chosen
Ayden Férdeline:yes
Marika Konings:not only staff recommended, the legal advisory group also suggested several law firms
Ayden Férdeline:thanks for that Chuck, sounds like a sound process was followed in selecting them
steve metalitz:The selectoin was made by the leadership team, not by the advisory group
Marika Konings:Sorry, unfortunately that was not the case as the contracting took longer than anticipated :-(
Fabricio Vayra:+1 Greg
Krishna Seeburn - Kris:+1 greg
Ayden Férdeline:useful for the skeptics and offensive to the DPAs...
Maxim Alzoba (FAITID):as I understand DPAs give paid advice only (fines and description of what went wrong)
Ayden Férdeline:but good to have sound legal advice now
Ayden Férdeline:Hi Maxim - the DPAs gave us free advice in and post-Copenhagen - and in writing
Maxim Alzoba (FAITID):it was broad and informal, it is not possible to use it in the court
Krishna Seeburn - Kris:am sure they charge per hour and per whoever is advising....
Vicky Sheckler:agree with greg re: need to seek advice at some point re: how to accomplish our objectives, not just the "what if" questiosn that were asked of the DPAs
Marika Konings:No, I don't believe so
Marika Konings:but I can double check
Maxim Alzoba (FAITID):for example we did not even ask about escrow - and the current implementation does not allow to properly process withdrawal of the consent of the person
Ayden Férdeline:Maxim - that is true, but that is the nature of their advice. i do not think European DPAs ordinarily give different advice than what we received which is, yes, informal. but i stand to be corrected
andrew sullivan:Wait, do I understand Chuck to be saying that the lawyers wanted responses to be confidential from the WG? If so, that's bizarre
andrew sullivan:Ok, I get it.
Maxim Alzoba (FAITID):I am not sure it is relevant to the current discussion
Maxim Alzoba (FAITID):we are not discussing the draft of the document, only the final version
Ayden Férdeline:it does not seem productive to me focusing so much on the thought process that went into the construction of this memo. we have the memo now. it is written. surely we are not going to spend weeks dissecting how it was produced? we should have some confidence in the leadership team and the firm that was chosen
andrew sullivan:+1 Ayden
Krishna Seeburn - Kris:+1 ayden
steve metalitz:The leadership team decided what questions to ask about the WSGR first draft though the advisory team was asked for any input.
Greg Shatan:We have found a rabbit hole in the weeds.
Fabricio Vayra:@Steve - How much did the advisory team feedback impact the ultimate questions?
Maxim Alzoba (FAITID):talking about THIN data - the advice of "it depends" might not be very helpful (p8 of the memo)
Vicky Sheckler:+1 maxim
steve metalitz:Chuck is referring to the questions posed to the data protection experts. Leaderhsip team decided that the same questoins would be posed to WSGR. I was referring in previous entry to the follow-up questoins posed after the WSGR draft was reviewed.
Fabricio Vayra:@Chuck - Thanks for clarifying.
Krishna Seeburn - Kris:can i suggest we table these opinions and views and move on and at the time we need to move back to these we do......need to....let's us respect a bit and have some faith
Vicky Sheckler:+1 chuck
Nick Shorey:Agree with Maxim. I found this document helpful. I don't think it necessarily tells us anything we didn't expect, but good exercise nonetheless. But there are clearly areas where we are dealing with new issues and we need to take a pragmatic, balanced and detailed look at these issues. Maybe this document enables us to focus our efforts more easily
Lisa Phifer:Handout: https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_download_attachments_66086765_Handout-2DRDS-2DWG-2DCall-2D3Oct2017.pdf&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=QiF-05YzARosRvTYd84AB_UYInlydmFcjNmBM5XgySw&m=yGuhVKm-I9WXOo-zhqiCeseRDHZc1ao16xVWoSIl9F0&s=cUJZ1PU5NKl_5JkKjTQILRKNzq9ZZqjiNqH3Sq6vCf8&e=
Nick Shorey:I think the starting point could be to put meat on the bones of 'secondary purposes'
James Galvin (Afilias):handout link does not work on the Wiki page. Thanks Lisa for the link here.
James Galvin (Afilias):Actually, that does not work either. Or is it just me.
Marika Konings:link works for me
Susan Kawaguchi:link works for me
andrew sullivan:WFM too
James Galvin (Afilias):got it! not sure what happened but no worries.
Lisa Phifer:@Jimk link on wiki now fixed, thanks for flagging
Lisa Phifer:The link in the meeting materials worked - it was the link in the agenda body 5a that was broken
Maxim Alzoba (FAITID):12.a effectively means that non-EU companies will not be able to pass EU citizens info to their local LEA , even if requested properly under the national law ... and it means not to be compliant with the local law ... deadlock
Maxim Alzoba (FAITID):and the outcome of 12.a is to not to have any of EU citizens data ... orEU residents (which is worse)
Herb Waye Ombuds:Must drop out for a medical appointment... Regards all, Herb
Ayden Férdeline:Court of Justice
Vicky Sheckler:Maxim - i'm not followign you
Maxim Alzoba (FAITID):@Vicky, if you have a non-EU company - you have to comply with the local law , and your local Law enforcement exemtions will not apply under GDPR ... so either you follow local law in part of disclosure info to the local Law Enforcement , and be fined for that by EU, or you follow GDPR and have issues with the local laws regulating disclosure of info to national law enforcement
Greg Shatan:I think you end up in court in one or both countries....
Lisa Phifer:Green check if you agree: existing gTLD registration directory services policies sufficiently address compliance with applicable data protection, privacy, and free speech laws within each jurisdiction
Maxim Alzoba (FAITID):and the only way out is not to have info of EU citizens or residents in your system (the latter can not be identified ... imagine one who spends 180 days in EU and will be a resident after that period)
Ayden Férdeline:Maxim - you are making a good case for why the RDS should not contain any personally identifiable information
Ayden Férdeline:about domain name registrants
Maxim Alzoba (FAITID):THIN whois might be the fast solution :)
Vicky Sheckler:Ayden - how does that help the public at all?
andrew sullivan:Thin whois doesn't solve the other problems we have identified
Maxim Alzoba (FAITID):it solves part of the problems on the Registry level, but I agree that it is not enough
steve metalitz:Questoin: aren';t we polling "principle 3.e," not question 5.1?
Vicky Sheckler:agree with metalitz - GDPR does not apply to all personal data
Ayden Férdeline:Vicky - What do you mean that GDPR does not apply to all personal data? GDPR does not apply to all data (i.e. non-personal data), but I thought it did apply to personal data?
Maxim Alzoba (FAITID):do we know the position of ICANN at the moment , who is the controller? (I think ICANN is... but what is the current position of ICANN?)
Nick Shorey:+1 Greg I was thinking the same
James Galvin (Afilias):@maxim - I would say that the way contracts and relationships are currently setup then ICANN has to be the data controller. So, the question to ask is if that is the way we want things structured going forward. I think we could make a case either way on that.
Maxim Alzoba (FAITID):@James, I think it is an important question (it changes the logic of the answer, if , for some reason ICANN is not a data controller)
Maxim Alzoba (FAITID):I ment the reading of the memo depends on who the controller is
Ayden Férdeline:GDPR is already in force as a legal act; it is only compliance that comes into effect next year.
Nick Shorey:+1 Ayden this is why my answer is: No
Maxim Alzoba (FAITID):@Ayden, amount of the fee is the major differentiator (20M) ...
Krishna Seeburn - Kris:enforcement of gdpr 28th may 2018
James Galvin (Afilias):@maxim - agree. the "solution" will be different based on who/where the data controller is.
Maxim Alzoba (FAITID):and in Netherlands GDPR is enforced , and .amsterdam and .frl already have issues
Krishna Seeburn - Kris:exactly
James Galvin (Afilias):i'm sorry folks but I need to drop off here at the top of the hour
James Galvin (Afilias):+1 to andrew though
James Galvin (Afilias):seems to me we have thoroughly covered this issue - time to move on
Greg Shatan:Chuck, My logic is (a) the "Whois conflicts with local law" policy is a gTLD registration policy, (b) it can be used to address compliance with these laws, therefore (c) existing policies sufficiently address compliance with these laws.
Ayden Férdeline:Greg, can you please point to me of an example where the WHOIS Conflicts with Local Law procedure has been utilised, in practice, in any jurisdiction? Thank you
Maxim Alzoba (FAITID):@Greg, the issue is that current policies does not allow to resolve the issue before your company violate the law, and in case of GDPR the fine is huge and effectively can kill almost all registries and registrars
steve metalitz:+1 Fabricio re implementation v. policy
Greg Shatan:We were asked about policy, not practice. In theory, there is no difference between theory and practice. In practice, there is.
Vicky Sheckler:agree w/ Fabrizio, and i think this answers Aden's question too
Greg Shatan:practice = implementation....
Ayden Férdeline:I see. a question of semantics
andrew sullivan:The policy as it is written is tightly bound to the extreme limitations of whois-the-protocol, which is part of the problem
andrew sullivan:If people are confused about that, then I would like to propose to rewrite the existing policies using RDAP as the model protocol, and then we can do a clear list of all the features of RDAP that the new policy can't use
Greg Shatan:Semantics, noun: the branch of linguistics and logic concerned with meaning.
Maxim Alzoba (FAITID):whois does not allow instant removal of data and the same for escrow ... so the current tech system is incompatible with GDPR (instant removal is needed to process consent withdrawal)
andrew sullivan:indeed, that problem was exposed by the original proposed RDAP test implementation ICANN org staff proposed. I wouldn't even be involved in this PDP if that weren't the case
Fabricio Vayra:3.7.7.4 Registrar shall provide notice to each new or renewed Registered Name Holder stating:3.7.7.4.1 The purposes for which any Personal Data collected from the applicant are intended;3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator);3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them.3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4.
Fabricio Vayra:3.7.8 Registrar shall comply with the obligations specified in the Whois Accuracy Program Specification .... [and] [i]n the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.
andrew sullivan:I don't see how escrow has anything to do with this. It follows from the SRS, not the RDS
Fabricio Vayra:Just for examples of how the policy complies ... but I don't think the implimentation of these polices have followed well
Maxim Alzoba (FAITID):@andrew, escrow data is compared to WHOIS and not to SRS
Greg Shatan:Did they go beyond the current implementations in order to critique the policies?
Greg Shatan:The "existing system" is an implementation.
Maxim Alzoba (FAITID):and both groups of registries and registrars escrow data
andrew sullivan:@Maxim: yes, and that's yet another failure of spec writing because people have been used to the whois being open
andrew sullivan:but since the point of escrow has been to recreate registration data (i.e. what has to go into the SRS), the tests are the wrong ones
andrew sullivan:The RDS is apparently a downstream system from the SRS, or at least that's what people concluded when I poked at these definitions before
Maxim Alzoba (FAITID):@andrew, two different SRS will have two diffrent structures (when not based on the same backend), and inheriting old data structure (it should be processed fast) does not give much, while having WHOIS compatible set of data helps
andrew sullivan:The SRS protocol for gTLDs is EPP. They therefore have the same representation, and the escrow format was designed to be compatible with that
Maxim Alzoba (FAITID):@andrew, ask registrars about 'standard EPP' among reistries :) also there are EPP extenstions, and reistries/registrars do not have to implement other's extensions
andrew sullivan:I am aware of the problems with consistency across EPP implementations
Nick Shorey:Please let me hear Fabricio
Greg Shatan:Fab's point is that the policy is flexible enough to allow for, e.g., a request for purposes.
Greg Shatan:I think.
Maxim Alzoba (FAITID):if we do not find the way to make RDS compatible with GDPR , registrars and registries will have not to follow RDS
Greg Shatan:Maybe the question should be "Do the existing implementations of gTLD policy sufficient address compliance....?
Maxim Alzoba (FAITID):current policies violate GDPR for EU citizens - example CL&D
Greg Shatan:Is that non-compliance due to the policy not allowing compliance, or the implementation being non-compliant?
Maxim Alzoba (FAITID):both might have issues
Greg Shatan:@Maxim, what is the policy issue?
Greg Shatan:As opposed to the issue with current implementations?
Maxim Alzoba (FAITID):CL&D policy for example demands publishing of the personal info
Maxim Alzoba (FAITID):and when such info is of EU citizen or EU resident - it creates issue with GDPR
Lisa Phifer:Chuck's proposal: Do existing gTLD registration directory services policies and/or implementations sufficiently address compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?
Ayden Férdeline:i just wanted to comment on something mentioned a few minutes ago -- GDPR has a harmonisation process, with the intent that its implementation across the EU be consistent across the member states
andrew sullivan:I think the point is "sufficiently address compliance" is mystifying -- why not "do they comply"?
Maxim Alzoba (FAITID):@Ayden, as I understand it is not limited to EU
Lisa Phifer:The question could be inverted: Do existing gTLD registration directory services policies and/or implementations PREVENT compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?
Nick Shorey:Will retry my mic one sec
Ayden Férdeline:Maxim - I am only commenting on a comment made a few minutes ago that GDPR could be differently interpreted throughout the member states. that should not be the case. it should be applied consistently by the DPAs.
andrew sullivan:@Lisa: that's helpful
Lisa Phifer:I think the point of the questions is to help the WG identify deficiencies that need to be addressed through changes to policy
Krishna Seeburn - Kris:its an EU accepted way forward and all EU member states cannot do differently
Greg Shatan:Not developed for the purpose of obtaining legal advice on how to accomplish the objectives of WHOIS while complying with GDPR.
Marika Konings:Note that WSGR did not respond to the questions that are in this document - these are questions that the WG identified as sub-questions to help address the overarching charter questions. The principles that you see were derived from the memo as aiming to assist in responding to these questions.
Vicky Sheckler:the questions asked were for the DPAs, and rightly or wrongly, were politicized. they didn't ask what is the best way to address the objectives of the RDS
Maxim Alzoba (FAITID):@Ayden, if you are outside of EU - you can pick one you like (if you provid services to citizens of all EU states)
Lisa Phifer:Is there anyone who would answer this yes: Do existing gTLD registration directory services policies and/or implementations PREVENT compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?
Ayden Férdeline:Maxim - i am not and have not been commenting on those outside of the EU. i was responding to a comment that the EU member states may interpret GDPR differently in terms of enforcement for non-compliance.
Greg Shatan:Need to answer separately for policy and for implementations for this to be useful.
Nick Shorey:Mic's playing up - my thoughts are: The question we asked isn't great, but the discussion has helped us identify several different elements we need to look at in more depth in light of the feedback we've received
Greg Shatan:@Nick, yes, the questions and answers are good conversation-starters....
Maxim Alzoba (FAITID):about procedures for WHOIS conflict with law - the current procedure does not allow to prevent registry / registrar to breach the law (you need to be in the litigation process and in GDPR it means fine)
Lisa Phifer:@Maxim, I think you are right - if the question is inverted, then the part that falls within the PDP's remit is policy: Do existing gTLD registration directory services POLICIES PREVENT compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?
Fabricio Vayra:+1 Andrew. I like that suggestion. Will flesh out where policy or implimentation needs to change
Nick Shorey:+1 Andrew sounds like a plan, and in addition, consider any changes depending on who the data controller is
Alex Deacon:working code even....
Maxim Alzoba (FAITID):pity we will not be able to finish it all before the end of the may 2018 :)
Nick Shorey:@Maxim Oh ye of little faith!
Maxim Alzoba (FAITID):good discussion though
Greg Shatan:I think we identified some fundamental gaps in how we
Greg Shatan:have framed the problem.
Fabricio Vayra:+1 Greg
Nick Shorey:+1 Greg
Julie Bisland:will do, chuck.
Maxim Alzoba (FAITID):+1 Greg
Julie Bisland:Next WG meeting: Tuesday, 10 October 2017 at 16:00 UTC for 90 minutes
Maxim Alzoba (FAITID):bye all
Fabricio Vayra:Thanks, Chuck, et al!
Greg Shatan:We're halfway into the woods, Chuck.
Nathalie Coupet:Adobe froze
Nick Shorey:1. Does the policy work with legislation? If no, why?
Nathalie Coupet:Bye all
Marika Konings:Nope, not from my side
Vicky Sheckler:thx
Ayden Férdeline:thanks all
andrew sullivan:Thanks & bye
Greg Shatan:Bye all!
Nick Shorey:Cheerio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171003/d0065239/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Attendance RDS 3 Oct.pdf
Type: application/pdf
Size: 341878 bytes
Desc: Attendance RDS 3 Oct.pdf
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171003/d0065239/AttendanceRDS3Oct-0001.pdf>
More information about the gnso-rds-pdp-wg
mailing list