051040043 - EPDP-Phase 2A Team Call
Terri Agnew
37:34
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en **Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Sarah Wyld (RrSG)
54:28
I don't follow that argument that we're revising UDRP policy
Manju Chen (NCSG)
55:37
UDRP review belongs to RPM PDP phase 2
Keith Drazek (Chair) (Verisign)
56:35
Thanks Becky
Volker Greimann (RrSG)
57:07
@Margie: When will Facebook provide Facebook user whois?
Sarah Wyld (RrSG)
57:08
I thought we were tasked with determining if unique contacts are feasible, and what guidance to provide?
Volker Greimann (RrSG)
57:40
Is the user data not also necessary for the security, stability and resilience of Facebook?
Owen Smigelski (RrSG)
57:52
Rather than using a non-existing reverse whois search (which was never a thing) re: UDRP, how about searching public UDRP decisions?
Sarah Wyld (RrSG)
57:58
That sounds like reverse search, which I don't think has ever been a policy requirement?
Sarah Wyld (RrSG)
58:09
And is out of scope
Margie Milam (BC)
59:22
It's in scope if there is a unique contact that can enable the correlation
Brian King (IPC)
59:44
"uniform" is what makes correlation in scope
Brian King (IPC)
01:00:08
+1 MarkSv
Terri Agnew
01:02:39
**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Milton Mueller (NCSG)
01:03:03
oops
Sarah Wyld (RrSG)
01:05:02
Good point there Milton
Sarah Wyld (RrSG)
01:08:19
But if it's not published then you can go through SSAD and get the real actual email address for the domain owner
Milton Mueller (NCSG)
01:08:33
right sarah
Brian King (IPC)
01:09:01
Can I quote you on that, Sarah? Every time, regardless of CP?
Stephanie e Perrin (NCSG)
01:09:09
If you have a proven case of malware, you ought to have no problem getting a reverse search, no?
Sarah Wyld (RrSG)
01:09:14
I don't understand Brian's comment
Stephanie e Perrin (NCSG)
01:09:27
With a duly formatted request of course
Steve Crocker (SSAC)
01:09:31
Margie has exactly the right idea. The hurdle is there is no commitment to implement the reverse search
Sarah Wyld (RrSG)
01:09:45
My comment is assuming that there's a valid legal basis etc as laid out in the previous two phases
Margie Milam (BC)
01:09:58
+1 Steve
Steve Crocker (SSAC)
01:10:01
Use of the reverse search can be restricted to authorized requesters and subjected to appropriate auditing and enforcement.
Stephanie e Perrin (NCSG)
01:10:24
Which means a valid investigation based on a first case, right?
Brian King (IPC)
01:10:43
@Stephanie, yes.
Milton Mueller (NCSG)
01:10:49
also a question whether a cyber attack infrastructure using multiple automatically generated domains would end up with the same “anonymized” identifier anyway
Brian King (IPC)
01:11:14
@Milton, let's not let perfect be the enemy of the good
Milton Mueller (NCSG)
01:11:18
wouldn’t the bad guys find a way for them to be counted as different registrants?
Brian King (IPC)
01:11:30
Maybe, but let's make them work for it
Margie Milam (BC)
01:11:51
Milton - you’d be surprised how often they use the same information or similar information
Sarah Wyld (RrSG)
01:11:55
Milton makes a good point; if preventing abuse is the reason for suggesting correlation, let's consider if it would even be effective?
Stephanie e Perrin (NCSG)
01:11:56
Are we not getting down to deeper levels of data access in such a situation?
Sarah Wyld (RrSG)
01:11:57
I'm not sure it would
Sarah Wyld (RrSG)
01:12:17
(Plus let's all remember the significant decrease in DNS Abuse after registration data was mostly redacted, as demonstrated by ICANN's data)
Steve Crocker (SSAC)
01:12:20
@Milton, you’re correct in observing the bad guys might simply use distinct names for registering their multiple domains. But not all of the bad guys will do this. Law enforcement catches a lot of bad guys because they’re not very clever.
Stephanie e Perrin (NCSG)
01:12:36
Exactly what data helps identify a malware producer?
Milton Mueller (NCSG)
01:12:55
malware
Steve Crocker (SSAC)
01:13:11
An FBI agent once introduced himself to a group of DARPA researchers in the following way: I’m from the FBI, and like all predators we go after the stupid and weak first.
Volker Greimann (RrSG)
01:13:28
heh
Milton Mueller (NCSG)
01:14:06
given the tradeoff (publishing everyone’s unique ID as well as the stupid and weak bad guys) I don’t think it is worth it
Stephanie e Perrin (NCSG)
01:14:33
How are these multiple registrations, whether or not they appear with same name, being paid for?
Stephanie e Perrin (NCSG)
01:14:46
Is the IP address any help?
Milton Mueller (NCSG)
01:14:48
indeed I think it’s tilted against good guys, because all good guys would have a single unique ID across all registrations and most of the bad guys wouldn’t, especially as the learning curve sets in
Thomas Rickert (ISPCP)
01:15:51
As mentioned in previous discussions, I think any identifier is best "per domain name" to limit the risk of reverse engineering.
Stephanie e Perrin (NCSG)
01:15:57
What I am trying to get at is if you are really trying to get the bad guys, are you not looking for much deeper data that is held by the registrar or its resellers, not info that we are dealing with in the RDDS?
Margie Milam (BC)
01:16:59
+1 Brian
Volker Greimann (RrSG)
01:18:11
Bottom right, actually
Milton Mueller (NCSG)
01:18:12
correct, Stephanie, a C2 infrastructure of an APT would never have a real name or address associated with it, but the name of the registrar, the IP address, and the name server info would provide useful clues
Jan Janssen (IPC)
01:19:14
How can you say: so many risks, when the memo states that risks are low…
Stephanie e Perrin (NCSG)
01:19:18
And what is a C2 infrastructure of an APT when it is at home?
Chris Lewis-Evans (GAC)
01:19:28
but the registration of a c2 domain that nearly knocked the internet for a whole country was
Margie Milam (BC)
01:19:34
+1 Brian
Milton Mueller (NCSG)
01:19:39
sounds like an exercise in game theory
Becky Burr (ICANN Board Liaison)
01:20:18
Nothing from me
Berry Cobb
01:21:16
Link to Questions page: https://docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit#
Sarah Wyld (RrSG)
01:21:44
Thanks to the screen-sharer for zooming in! More is always better!
Sarah Wyld (RrSG)
01:23:04
Redaction of data has been proven to reduce DNS Abuse
Volker Greimann (RrSG)
01:23:26
I must have missed those statistics
Margie Milam (BC)
01:23:29
Sarah - I
Margie Milam (BC)
01:23:49
M now aware of those statistics - please share
Sarah Wyld (RrSG)
01:24:08
Sure, Margie: https://ithi.research.icann.org/graph-m2.html
Sarah Wyld (RrSG)
01:24:18
ICANN's stats show a significant drop in DNS Abuse since registration data was redacted
Sarah Wyld (RrSG)
01:24:25
indeed I know that correlation is not causation but I do see a connection here.
Margie Milam (BC)
01:24:54
You’re making a correlation that’s not stated in that research - there’s lots of data that contradicts that conclusion
Laureen Kapin (GAC)
01:25:05
Agree wholeheartedly with Melina on issue of civil communications.
Owen Smigelski (RrSG)
01:25:26
For the record, I also agree with Volker about regulation. No need to do something through ICANN policy process about a potential regulation/law.
Milton Mueller (NCSG)
01:25:54
I disagree. ICANN needs to be setting policy on a global basis
Owen Smigelski (RrSG)
01:27:10
I’m still confused about the need for differentiation between legal and natural. Are there a massive number of legal persons that are engaged in abuse/infringement/general bad internet stuff? My understanding is that most of that is done by natural persons.
Owen Smigelski (RrSG)
01:27:38
I have reviewed quite a few UDRP decisions, and almost none were against registrants that were legal persons
David Cake (NCSG)
01:28:36
DNS Abuse is not AN issue. It is multiple issues lumped together in a group. Almost any statement about a single mechanism how DNS Abuse is combated, or mechanisms of DNS Abuse work, will be wrong thereby.
Christian Dawson (ISPCP)
01:29:07
+1 David Cake
Milton Mueller (NCSG)
01:29:13
correct, David
Laureen Kapin (GAC)
01:30:20
Thank you Melina for this very constructive summary.
Chris Lewis-Evans (GAC)
01:31:47
@Owen Registration data is not just used for finding bad people it is also used for contacting possible victims
Stephanie e Perrin (NCSG)
01:32:00
Volker’s point on hosting companies is spot on.
Chris Lewis-Evans (GAC)
01:32:11
...many of those being legal persons
Brian King (IPC)
01:32:12
I apologize if it appeared that I was not supportive of Volker's proposal to automate legal person disclosure via the SSAD - of course we are (we proposed it in Phase 2 in fact). We just think that is not the full solution for 2A.
Volker Greimann (RrSG)
01:32:24
Chris: Would you not like to have the same for hosting?
Stephanie e Perrin (NCSG)
01:32:51
Release for the benefit of the individual is not a problem in data protection, providing the requestor is authenticated.
Brian King (IPC)
01:32:54
To be clear, hosting is out of scope for ICANN. Let's stay focused.
Melina Stroungi (GAC)
01:32:59
indeed Milton, let's try to do that
Volker Greimann (RrSG)
01:33:13
But it is on focus for any argument contained in NIS2
David Cake (NCSG)
01:33:26
While correlation does not always mean correlation, it makes a pretty decent choice for a hypothesis for overall effect. If redaction of data has resulted in a reduction in DNS Abuse statistics, the onus is those who think redaction is bad for DNS Abuse to show why. When we tease the DNS Abuse issue apart it will have multiple effects, but overall redaction seems at a first pass helpful.
Volker Greimann (RrSG)
01:33:31
If you use NIS2 as justification, the inconsistency is glaring
Stephanie e Perrin (NCSG)
01:33:35
Fine Brian, but if we are talking about government regulation, that is where the focus ought to be
Christian Dawson (ISPCP)
01:33:56
To build on David Cake’s comments about how complicated it is, the idea of the public benefit of domain registration data is equally complicated - it is clear that there are many abuse vectors for published data, including spam, proliferation of malware and other forms of abuse, doxxing, and worse. My point is only that the mere notion that any type of disclosure is in the public interest is in itself very complicated. Which is why we need to work extra hard to listen to each other and try to understand each other, not talk past or about one another.
Owen Smigelski (RrSG)
01:34:13
@Chris- I’m really confused. How are victims contacted through registration data?
Alan Woods (RySG)
01:34:27
So sorry all. I have to drop early today due to an unavoidable clash.
Volker Greimann (RrSG)
01:34:31
No child abuse is due to a domain name. It is always the hosting
Tara Whalen (SSAC)
01:34:37
I need to drop early — handing off to Steve for the remainder of the call. Thanks all for such a helpful discussion!
Volker Greimann (RrSG)
01:34:41
Crime on the internet is due to bad hosting
Christian Dawson (ISPCP)
01:35:06
I’m afraid I also need to depart early today, a conflict has arisen. Thanks to all.
Volker Greimann (RrSG)
01:35:09
Anyone demanding regulation for domains must explain why the same does not apply to hosting
Milton Mueller (NCSG)
01:35:40
ICANN doesn’t have authority over hosting (thank god)
Chris Lewis-Evans (GAC)
01:35:43
@Owen - via email / phone
Sarah Wyld (RrSG)
01:36:31
I'm not sure I agree that differentiation is feasible. (I think Keith just said that?)
Milton Mueller (NCSG)
01:36:54
> So sorry all. I have to drop early today due to an unavoidable clash.
Milton Mueller (NCSG)
01:37:08
“unavoidable clash” sounds like EPDP
Melina Stroungi (GAC)
01:37:21
+ 1 Alan. Let's at least agree on Milton's 1st principle
Brian King (IPC)
01:37:32
I feel very unpopular as I do not have a conflict and have no better place to be than schlepping through EPDP :-)
Stephanie e Perrin (NCSG)
01:37:51
Milton’s view is his personal view, not yet an NCSG position
Milton Mueller (NCSG)
01:38:32
The point of the principles is that we would have to agree on all of them to have an agreement
Jan Janssen (IPC)
01:38:39
+1 Alan
Brian King (IPC)
01:39:10
Sorry to be blunt but we do not have time for personal views. I'd respectfully request that in the interest of efficiency we present formal/official views of our groups as much as possible.
Sarah Wyld (RrSG)
01:39:30
Thanks
Melina Stroungi (GAC)
01:40:37
indeed Thomas, agree
Melina Stroungi (GAC)
01:40:44
let's focus on Milton's principles
Melina Stroungi (GAC)
01:40:54
sorry I meant Alan :P
Brian King (IPC)
01:41:17
We are also happy to work from Milton's principles. In fact, I recall agreeing with several of them.
Alan Greenberg (ALAC)
01:42:17
@Thomas, the B&B memo clearly gives us a safe path with regard to Legal Person registration that may include personal data.
Alan Greenberg (ALAC)
01:43:41
The SSAD proposal adds time, complexity and costs where none are necessary.
Thomas Rickert (ISPCP)
01:44:06
@Alan - I am suggesting to focus on personal vs. Non-personal as that seems to get traction. We should pursue ideas that potentially lead the group towards consensus.
Hadia Elminiawi (ALAC)
01:44:39
@Thomas we have all agreed that we need two types of differentiation. One is the registrant type which does not necessarily lead to the publication of the data and the second is the data type of the legal registrant which ultimately determines the decision.
Hadia Elminiawi (ALAC)
01:44:58
At least I think we have all realized this
Volker Greimann (RrSG)
01:46:00
NIS says non-personal data. I am offering non-personal data
Margie Milam (BC)
01:46:03
As I recall - SSAD hasn't been approved & can’t evolve to meet new regulations
Volker Greimann (RrSG)
01:46:22
NIS says publish - I offer publication
Volker Greimann (RrSG)
01:46:29
Why are you not happy?
Margie Milam (BC)
01:46:36
The ODP may end up with a recommendation not to proceed
Volker Greimann (RrSG)
01:46:41
My proposal implements NIS2 to the letter
Steve Crocker (SSAC)
01:47:32
SSAD vs RDAP? The common issue is defining the purposes, establishing the credentials, etc. When those are defined, they can be used either directly with RDAP or via SSAD. It’s actually possible to move incrementally with RDAP and transition into SSAD.
Sarah Wyld (RrSG)
01:47:43
Seems to me that if the outcome here is that we may but are not required to differentiate, that would be as influential on NIS2 as if we come to agreement that we must differentiate. I'm not clear about this influencing argument
Volker Greimann (RrSG)
01:47:57
Steve: RDAP will still exist, but it will only include the bare minimum
Volker Greimann (RrSG)
01:48:11
SSAD will be the buffet, RDAP the manu
Volker Greimann (RrSG)
01:48:19
menu
Stephanie e Perrin (NCSG)
01:48:27
Just pointing out the advice of the EDPS on the directive https://edps.europa.eu/system/files/2021-03/21-03-11_edps_nis2-opinion_en.pdf
Stephanie e Perrin (NCSG)
01:48:36
We don’t seem to be addressing it.
Steve Crocker (SSAC)
01:49:19
I believe RDAP is extensible. Moreover, the implementation of SSAD rests on RDAP.
Sarah Wyld (RrSG)
01:50:08
Well, I do agree with Melina's point that registrant self-identification has risks to the registrar. I'm not sure about the rest of the comments though.
Thomas Rickert (ISPCP)
01:50:25
@Laureen - you misheard.
Thomas Rickert (ISPCP)
01:51:20
No consent required for legal persons. There must not be consent where it is not needed.
Margie Milam (BC)
01:51:50
+1 Thomas
Laureen Kapin (GAC)
01:52:14
Happy to see your clarification Thomas.
Sarah Wyld (RrSG)
01:54:18
Also on this topic raised by Laureen I would ask the team to review Volker's email on the topic from April 20, thank you
Laureen Kapin (GAC)
01:55:41
Volker transmitted 4 emails that day ;-).
Sarah Wyld (RrSG)
01:55:54
Good point...
Milton Mueller (NCSG)
01:56:15
but limiting use to accredited users is a feature not a bug
Stephanie e Perrin (NCSG)
01:57:01
Section 3.3 for folks not wishing to read all the comment…
Stephanie e Perrin (NCSG)
01:57:33
Not the emphasis on personal data, not the distinction between legal and natural
Berry Cobb
01:57:39
Phases 1 & 2 were record time.....believe it or not. ;-)
Stephanie e Perrin (NCSG)
01:57:54
Note, not not
Sarah Wyld (RrSG)
01:58:18
The email I was referring to: https://mm.icann.org/pipermail/gnso-epdp-team/2021-April/003816.html
Steve Crocker (SSAC)
01:58:24
The issue isn’t accreditation vs no accreditation. Accreditation is tied to which requests are authorized. Some accreditations permit more access than others. “No accreditation” is just the bottom of the hierarchy, i.e. the least knowledge about the requester, the fewest rules about what can be done with the data, and the least data.
Steve Crocker (SSAC)
01:59:09
I need to drop off sharply at the bottom of the hour
Laureen Kapin (GAC)
01:59:20
MM is correct about the prevalence of ways to find out Personal Information in the real world.
Melina Stroungi (GAC)
02:00:30
Absolutely Milton. And I agree also with your second principle
Melina Stroungi (GAC)
02:01:12
And precisely because of this grey area, this is why this 2 step approach is so important
Laureen Kapin (GAC)
02:01:14
Also agree that any system needs to take into account educating registrants on consequences of identifying as a legal entity and incorporating protections for certain categories of registrants that have add'l protections under GDPR.
Brian King (IPC)
02:01:31
+1 Melina, Laureen
Milton Mueller (NCSG)
02:01:54
right, huge gray area
Brian King (IPC)
02:02:13
(and therefore +1 Milton, but with the Royals in 1st place you don't need my love)
Milton Mueller (NCSG)
02:02:36
KC shall rise again
Melina Stroungi (GAC)
02:03:25
@Volker, it would be the registrant making the self-identification of natural/legal
Steve Crocker (SSAC)
02:05:05
Apologies. I must drop off.
Milton Mueller (NCSG)
02:05:54
some of these things have been said before??? what?!?
Milton Mueller (NCSG)
02:06:00
;-)
Sarah Wyld (RrSG)
02:06:06
We have provided input re the writeup on list this morning
Sarah Wyld (RrSG)
02:06:18
The RrSG-proposed was not fully incorporated and we are hoping to get that rectified
Stephanie e Perrin (NCSG)
02:06:31
We are certainly restating what has been said before. We need to provide the possibility for the contracted parties to overrule a designation in the direction of protection, in cases where they doubt the accuracy or ability of the registrant to identify PI
Volker Greimann (RrSG)
02:06:36
I am legally a person, :-)
Hadia Elminiawi (ALAC)
02:06:41
@Volker and Stephanie - some changes already need to be made to the registration system so adding the natural/legal distinction is not a significant addition to what needs to be done. Also registrants are not stupid
Terri Agnew
02:07:07
The GNSO Temp Spec gTLD RD EPDP – Phase 2A call is scheduled on Tuesday, 27 April 2021 at 14:00 UTC for 90 minutes.
Stephanie e Perrin (NCSG)
02:07:07
I am a registrant and I am quite stupid
Sarah Wyld (RrSG)
02:07:12
Hadia it is a significant change with a lot of work
Sarah Wyld (RrSG)
02:07:16
please do not dismiss that information
Volker Greimann (RrSG)
02:07:19
You know how dumb the average citizen is, Hadia? Statistically, half of them are dumber
Hadia Elminiawi (ALAC)
02:07:23
@Sarah noted
Melina Stroungi (GAC)
02:07:26
thank you everyone