[Ssr2-review] SSR2 action item: Review rec 29 markup

k claffy kc at caida.org
Sun Oct 4 21:44:52 UTC 2020




Kerry-Ann,


Thanks.

The text you have below mostly makes sense, but the GAC missed my crucial 
point, while ICANN obliquely makes it in response. 

Those holding registration data are not qualified to "properly weigh
the public interest" for access to private data.  Nor is ICANN able 
to sufficiently represent the public interest in negotiations with
them; the conflict of interest is overwhelming.

So framing this recommendation around "ICANN should stay abreast
of the laws around the world" makes no sense to me.  
I believe it is Europe (and any other government who wants
mandatory access to this data under specific circumstances)
who need their laws to catch up with reality on the ground.
This is the primary lesson of the EPDP -- ICANN process will 
not thread this needle.

I think the sentiments below belong in a section on access to registration
data.   As soon as someone lets me know where I can put text into that 
section, I'll work on it.   It is not a good use of SSR2 time to continue
this conversation until that section is done.

k






On Wed, Sep 30, 2020 at 11:04:28PM -0400, Kerry-Ann Barrett wrote:
  > Dear KC
  > Sorry for the late reply.
  
  > I wanted to have given the opportunity to the other team members to respond but also wanted to reiterate, that while I agreed the current text and placement of the text needed to be re-written and updated, the issue of privacy and security are still interlinked.  The on-going discussion on the issue of WHOIS, GDPR and the Disclosure Procedure, does make this issue no longer a future security challenge as it was three years ago. 
  > 
  > In the recent minority statement issued on August 24, 2020 by GAC, they stated and referenced the importance of this issue to security and stability.
  > 
  >   The GAC acknowledges that under applicable data protection rules, including the GDPR, contracted Parties will likely remain responsible for the decision whether to disclose domain name registration data, and may face certain liability risks related to that decision. The GAC understands that contracted Parties have therefore sought to maintain control over the decision whether to disclose domain name registration data. The GAC notes, however, that those decentralized decisions whether to disclose data are largely exempt from challenge and enforcement action, notably via ICANN Compliance. 11 Registration data is important for the security and stability of the DNS and there is a real concern that contracted parties may inadvertently or purposely not properly weigh the public interest for the requestor to obtain such data. ICANN's CEO recently conveyed this very concern to the European Data Protection Board, pointing out that "[d]ue to a lack of legal certainty, registrars, as controllers, are likely to evaluate privacy and data protection in absolute terms, without considering other rights and legitimate interests, to avoid possible regulatory sanctions or a judgment against them."12 Denials of legitimate requests for access to domain name registration data have real consequences.
  > 
  > A review of some of these pages and other resources would allow the SSR2 team to at least ensure we express an appreciation of the issue and not have it removed from the report, but better placed and maybe stated more succinctly (https://whois.icann.org/en/using-whois; https://gac.icann.org/statement/public/gac-minority-statement-epdp-phase2-24aug20.pdf; https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-phase-2-temp-spec-gtld-registration-data-2-31jul20-en.pdf; https://features.icann.org/compliance/dashboard/2020/0520/report)
  > 
  > I would like to propose as we had agreed on the call that we could develop new text that would still capture the issues and the need for Compliance to have a stronger role in this process, which was the basis of this recommendation. 
  > 
  > The idea is not to make it a crime consideration but for security measures to be implemented for the security of data - of which data privacy is a subset.
  
  I won't be able to join tomorrow because I was asked to deliver a course (this is a one-off situation) but available if there is consensus on the way fwd.
  
  Cheers
  Kerry-Ann
  
  > On Sep 29, 2020, at 12:56 AM, k claffy <kc at caida.org> wrote:
  > 
  > Russ
  > 
  > Yes, that's correct.
  > 
  > We spent a lot of time talking about a lot of things
  > that don't need to be in a report 3 years later.
  > 
  > What does SSR2 want ICANN to do beyond what's here?
  > https://www.icann.org/dataprotectionprivacy
  > I think ICANN is "keeping up with GDPR and similar laws",
  > in fact its CPs are arguably overcommitted to privacy
  > (or at least "not sharing data for free") at the expense of
  > security.  So I don't think this advocacy is appropriate.  
  > We know these laws are up for interpretation, and that "keeping
  > up w the laws" is not an SSR issue, it's how they are interpreted
  > and accommodated that have SSR implications.
  > 
  > Moreover, why are we asking ICANN to keep with privacy laws
  > in an SSR review?  Why not cybercrime laws?  
  > Or breach notification laws?  
  > 
  > If it's because lack of access to RDAP data 
  > is a security challenge, then we should advocate
  > finding a way to overcome that security challenge. 
  > 
  > k
  > 
  > 
  > On Mon, Sep 28, 2020 at 01:22:46PM -0400, Russ Housley wrote:
  >  KC:
  > 
  >  You seem to be advocating deleting all of the text related to Rec. 29.  Is that right?
  > 
  >  We spent a lot of time talking about ICANN org keeping up with GDPR and similar laws.  Where do you think that belongs?
  > 
  >  Russ
  > 
  > 
  >> On Sep 23, 2020, at 10:32 AM, Jennifer Bryce <jennifer.bryce at icann.org> wrote:
  >> 
  >> Dear SSR2 RT members, 
  >> 
  >> As discussed on the call today, please review the proposed markup of rec 29 (see page 59) here: https://docs.google.com/document/d/1WTnaEk2pW0V85FRXk1uUN4O-co7DcDIXb_9_-1MCqts/edit#heading=h.2nusc19.
  >> 
  >> Please share any comments/feedback ahead of the meeting next week.
  >> 
  >> Best,
  >> Jennifer
  >> 
  >> -- 
  >> Jennifer Bryce
  >> Associate Project Manager, Review Support and Accountability
  >> Internet Corporation for Assigned Names and Numbers (ICANN)
  >> 
  >> Skype: jennifer.bryce.icann
  >> Email: jennifer.bryce at icann.org <mailto:jennifer.bryce at icann.org>
  >> 
  >> _______________________________________________
  >> Ssr2-review mailing list
  >> Ssr2-review at icann.org <mailto:Ssr2-review at icann.org>
  >> https://mm.icann.org/mailman/listinfo/ssr2-review <https://mm.icann.org/mailman/listinfo/ssr2-review>
  >> 
  >> _______________________________________________
  >> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://www.icann.org/privacy/policy>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://www.icann.org/privacy/tos>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.