<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:236016874;
mso-list-type:hybrid;
mso-list-template-ids:767831410 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hey everyone,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m starting a thread for topics from public comments that need to be discussed by the DG. Please see the three main topics below. Regarding ICANN Legal’s brief, the guidance can be integrated within the report either within Section 3.6
Benefits, Potential Harms, and Privacy Considerations of Proposed Methods or as an addendum. The report does not specifically prescribe data collection methods for the TRT but does offer guidance on some available methods. Based on the legal brief, it seems
that the DG <u>may</u> be able to meet the legal basis. Data minimization, transparency, and security would be requirements of ICANN org and the TRT. I’ve summarized key sections from the brief, but the link is below as well. Please provide your thoughts and
feedback on these comments so we can properly respond to them and make any necessary changes to the report.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks!<o:p></o:p></p>
<p class="MsoNormal">Michael Puckett<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">IPV6 support to CI:
<o:p></o:p>
<ol style="margin-top:0in" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1">(Rubens Kuhl): The dichotomy suggested in the report between IPv6 and Controlled Interruption is not based on fact-based finding, but on lack of testing. ::1 (meaning ::1/128 as in
IPv6 there is no localhost subnet, only a localhost) is a perfectly good solution to add IPv6 support to Controlled Interruption, targeting IPv6-only hosts. I support doing a study with a few key operating systems to confirm its usefulness and lack of side
effects before the final report is published, so it gets quicker to a name collision framework without reconvening NCAP DG.<o:p></o:p></li></ol>
</li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Level of specificity on guidance to ICANN Board/org re: TRT operationalization and risk assessment framework implementation:<o:p></o:p>
<ol style="margin-top:0in" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1">Has ICANN org risk management been addressed? Should it be? Are there any community groups or partners that should be called out to aid in providing guidance?<o:p></o:p></li></ol>
</li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Legal/privacy concerns for VI/VIN (<a href="https://itp.cdn.icann.org/public-comment/proceeding/Draft%20NCAP%20Study%202%20Report%20and%20Responses%20to%20Questions%20Regarding%20Name%20Collisions-19-01-2024/submissions/ICANN%20org/Visible%20Interruption%20(VI)%20and%20Visible%20Interruption%20and%20Notification%20(VIN)%20-%20Privacy%20and%20data%20protection%20review-26-02-2024.pdf">Brief</a>
from ICANN Legal):<o:p></o:p>
<ol style="margin-top:0in" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1">“Entities conducting VI/VIN could mitigate these risks by implementing appropriate steps such as identifying a suitable legal basis for the processing of personal data, applying data
minimization measures, ensuring transparency about their practices (including, clearly formulated notices), implementing appropriate security measures and conducting a data protection impact assessment, as might be required under applicable data protection
laws such as the GDPR. Generally, compliance with the relevant data protection laws will be key to mitigate privacy and liability risks.
<o:p></o:p></li></ol>
</li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in">However, due to the unpredictable nature of the data collected and the potentially high residual risks associated with data collection and further processing, implementing these privacy safeguards appears
to be challenging, if not impossible. This situation may lead to potential legal and reputational consequences for the entities conducting VI/VIN.” (p. 3)<o:p></o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<ol style="margin-top:0in" start="2" type="a">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1">4 issues at hand:<o:p></o:p></li></ol>
</ol>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Legal basis – Legitimate interest and balancing test (of risks/benefits) is “the most likely legal basis for processing personal data in the context of VI/VIN.”<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>ii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Data minimization – May be a mitigating factor by “reducing the risk of data breaches and privacy violations,” but this may be challenging with VI/VIN because these techniques
require “collecting and processing data that may not be strictly necessary for the intended purpose.” Viable steps include: (1) “implementing appropriate data protection measures to limit access to personal data,” (2) “regularly reviewing and deleting personal
data that is no longer necessary” or (3) “processing the data without retaining it in the first place [the data is deleted immediately after it has been written in the system memory]”
<o:p></o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<ol style="margin-top:0in" start="2" type="a">
<ol style="margin-top:0in" start="2" type="i">
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level4 lfo1">Implementation difficulty is rated as medium to high since “While it might be possible to conduct VI/VIN without retaining the personal data that might be processed, it remains that
an unpredictable amount of personal data would be processed.” Additionally, “Implementing the other safeguards to limit the amount of personal data processed would require knowing in advance what data would be collected when conducting VI/VIN, which is impossible.”<o:p></o:p></li></ol>
</ol>
</ol>
</ol>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>iii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Transparency – “If the entity conducting the assessment is not transparent about their data collection practices, this could be seen as invasive and raise concerns about data
privacy.” Since “the VIN sinkhole server will listen on the appropriate TCP port for HTTP requests so that it can respond with a human-readable message” and “HTTP requests often include parameters, and some of these parameters could include sensitive information,”
“there is a risk of disclosure of sensitive/confidential information.” Regarding transparent data practices by entities, “Entities conducting VI/VIN should be transparent about their data collection practices, how the data will be used, and who will have access
to it. They should also clearly communicate their privacy notices and policies to end-users to avoid confusion or concern.”
<o:p></o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<ol style="margin-top:0in" start="2" type="a">
<ol style="margin-top:0in" start="3" type="i">
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level4 lfo1">The implementation difficulty is high since “It seems impossible to provide sufficiently clear, detailed and informed transparency notices to all any/all individuals that may get their
data processed in the context of VI/VIN.”<o:p></o:p></li></ol>
</ol>
</ol>
</ol>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo1">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>iv.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>Data security: While “Processing the data without retaining it (the data is deleted immediately after it has been written in the system memory) would already mitigate the risk
of a breach,” the data collected must be properly secured.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>