051040043 - EPDP-Phase 2A Team Call - Shared screen with speaker view
Brian Gutterman (ICANN Org)
34:00
Greetings everyone,
Terri Agnew
35:54
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en **Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Berry Cobb
39:00
Link to Feasibility doc: https://docs.google.com/document/d/1lqLOkF1jaA2NK1hmYtG4jiY4x7V432maFh1Xlv5UeBM/edit
Sarah Wyld (RrSG)
49:26
In many cases sending messages to those privacy/proxy pseudonymized email addresses results in an autoresponder directing the user to use a webform instead, which reduces spam emails to domain owners.
Sarah Wyld (RrSG)
50:40
"don't work" would mean to me that the webform does not direct the message to the domain owner, which I think is not the case
Keith Drazek (Chair) (Verisign)
50:56
The focus on webforms should be handled in the EPDP Phase 1 IRT, and/or ICANN compliance. It's not the focus of 2A.
Terri Agnew
50:57
**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Margie Milam (BC)
51:00
You get a bounce back if the email isn’t valid
Sarah Wyld (RrSG)
51:05
If the domain has an invalid email address, there's a policy for that already
Sarah Wyld (RrSG)
52:17
Webforms should certainly accommodate that (whois accuracy policy requirements)
Steve Crocker (SSAC)
52:44
There’s a big difference between individual registrars providing pseudo email addresses versus a uniform method across the entire system. It’s much easier for each registrar to update, monitor, etc. On the other hand, separate implementations by each registrar don’t work for correlations across registrars.
Hadia Elminiawi(ALAC)
53:37
Anonymized email addresses in relation to the public is feasible and possible. With the proper safeguards in place this should be a requirement
Sarah Wyld (RrSG)
53:46
Steve - agreed that is a big difference. A uniform method across the entire system is a huge red flag to me for privacy issues.
Brian King (IPC)
53:47
While most registrars do verify the email address, the WAPS allows you to verify phone number as an alternative.
Sarah Wyld (RrSG)
54:23
Brian that's true but I don't think it invalidates the requirement to maintain a valid email on the domain?
Brian King (IPC)
55:58
@Sarah, what I'm saying is that there is no requirement to maintain a valid email. WAPS merely requires that an email address be provided which is in proper format, not that it actually works.
Mark Svancarek (BC)
56:10
To ensure that I properly understand policy - if a message to the email address attached to a web form bounces back, is a registrar OBLIGED to verify accuracy as a result?
Margie Milam (BC)
57:34
+1 Alan
Volker Greimann (RrSG)
57:58
AlanG: it triggers an internal process, there is no requirement to relay it back
Manju Chen (NCSG)
58:00
webform is out of scope when we’re only discussing the feasibility of registration-based or registrant-based emails
Sarah Wyld (RrSG)
59:06
Brian's statement that there's no requirement for the RNH to provide a valid email concerns me but I can't do a deep dive into the RAA while also focusing on this call so I do just want to express my surprise about that
Alan Greenberg (ALAC)
59:17
#Volker, and the lack of that requirement is a REAL problem.
Sarah Wyld (RrSG)
59:40
markSV - Yes, whois accuracy program #4 - If Registrar has any information suggesting that the contact information specified in Section 1(a) through 1(f) above is incorrect (such as Registrar receiving a bounced email notification or non-delivery notification message in connection with compliance with ICANN's Whois Data Reminder Policy or otherwise) for any Registered Name sponsored by Registrar (whether or not Registrar was previously required to perform the validation and verification requirements set forth in this Specification in respect of such Registered Name), Registrar must verify or re-verify, as applicable, the email address(es) as described in Section 1.f (for example by requiring an affirmative response to a Whois Data Reminder Policy notice).
Volker Greimann (RrSG)
01:00:28
I do not see the problem. A dead drop email address is basically the same.
Brian King (IPC)
01:01:02
Fair enough, Keith. Thanks.
Brian King (IPC)
01:01:17
@Sarah, it concerns me too :-)
Alan Greenberg (ALAC)
01:02:25
@Keith, It is not a rathole! If we are ending up with web forms as THE method, then we need agreement from contracted parties that they agree to have the IRT SPECIFY DEMONSTRABLE rules...
Owen Smigelski (RrSG)
01:03:09
@Alan- I’m still not clear how having a unique email will address the webform concern. Again, if webforms are not compliant, report them to ICANN.
Alan Greenberg (ALAC)
01:05:28
@Owen, compliant to WHAT???
Hadia Elminiawi(ALAC)
01:05:37
@Owen that is why we are saying let’s have an anonymous email address - we just need a tool that serves the purpose. We don’t want to file complaints
Mark Svancarek (BC)
01:06:00
A webform can be compliant yet effectively useless
Volker Greimann (RrSG)
01:06:23
What risk rhymes with Low? No!
Sarah Wyld (RrSG)
01:06:25
the risk CAN be low depending on the implementation, I think bottom left corner was disclosure in an SSAD context, is that desired?
Sarah Wyld (RrSG)
01:06:37
(right, not left, sorry)
Sarah Wyld (RrSG)
01:07:03
There remains risk to the registrar and the registrant. Correlation is not a policy that I'm aware of ?
Sarah Wyld (RrSG)
01:08:23
I am definitely open to discussing disclosing an anonymized email automatically via the SSAD (bottom right of the chart)
Manju Chen (NCSG)
01:10:34
simply because something was used to serve your interest doesn’t mean it was right to use it, let alone letting you keep using it when registrants’ privacy is potentially compromised
Steve Crocker (SSAC)
01:11:12
@Jan, I think you’ve mentioned two distinct objectives. One is to provide a channel for contacting a registrant. The other is the ability to correlate multiple registrations. I think these are separate objectives and should be pursued separately. It is not necessary to have publicly available data in order to do correlation. It could also be done by trusted processes that have access to the full registration data base.
Keith Drazek (Chair) (Verisign)
01:11:40
As Steve noted earlier and above, there is a clear distinction between contactability and correlation. The first is generally addressed by a functioning webform or pseudonymized email and poses little risk of inadvertent disclosure of PII. The second is more challenging and I think is the policy question before us at this time.
Steve Crocker (SSAC)
01:11:43
@Alan +1
Margie Milam (BC)
01:12:15
The increase in UDRPS is due to the fact that you often can’t resolve the issue directly with the registrant because you can’t identify or reach them without taking the step of filing a UDRP.
Brian King (IPC)
01:13:13
+1 Alan +1 Margie
Margie Milam (BC)
01:13:33
+1 Alan
Volker Greimann (RrSG)
01:13:43
Just because I can does not mean I should…
Sarah Wyld (RrSG)
01:14:39
+1 Man-ju. I also do not respond to every email I receive as a domain owner.
Alan Greenberg (ALAC)
01:15:00
There is a big difference between gtd receipt and not being aware that a message was NOT delivered.
Sarah Wyld (RrSG)
01:15:17
I don't think you have guaranteed receipt in any case. I have some email addresses that I check only once or twice a year.
Sarah Wyld (RrSG)
01:16:25
Great points Thomas!
Alan Greenberg (ALAC)
01:17:10
Anon or Synon within a registrar does not need to rely on a single algorithm which could be reversed.
Mark Svancarek (BC)
01:17:22
+1 Alan
Hadia Elminiawi(ALAC)
01:17:42
@Thomas but the problem is that web forms do not work that is why we would like to use email addresses with appropriate safeguards
Thomas Rickert (ISPCP)
01:18:26
@Hadia. If there is an issue with implementation, that should be addressed, but that should not prevent us from doing the right thing when it comes to the policy.
Sarah Wyld (RrSG)
01:21:19
+1 Thomas
Thomas Rickert (ISPCP)
01:23:36
+1 Marc
Thomas Rickert (ISPCP)
01:23:41
Correlation is the issue
Alan Greenberg (ALAC)
01:23:44
Yes, many of us WANT correlation, but what we have now is an order of magnitude below what we often have now.
Hadia Elminiawi(ALAC)
01:25:26
We support pseudonyms but if not possible anonymous emails need to be a requirement.
Brian King (IPC)
01:25:30
Well said, Alan.
Stephanie Perrin (NCSG)
01:27:48
Pseudonymized emails: as far as guidance goes, we need to remind them that this is personal information.
Stephanie Perrin (NCSG)
01:28:16
Because a persistent identifier is PI
Sarah Wyld (RrSG)
01:28:31
Good point Stephanie
Thomas Rickert (ISPCP)
01:28:50
Indeed, Stephanie
Mark Svancarek (BC)
01:29:37
Pedantically, a pseudonym is potentially but not inherently personal data, since not everyone has the capability of unmasking the pseudonym
Sarah Wyld (RrSG)
01:29:54
Is that true? My email has my real name in it, and it's associated with many accounts (so it's an important attack vector).
Volker Greimann (RrSG)
01:30:53
Brian, you mean like “Hostmaster@greimann.org”?
Sarah Wyld (RrSG)
01:30:59
I think that would be extremely confusing to registrants
Sarah Wyld (RrSG)
01:31:14
Use an email, but not one that is personal data. But every email that actually does reach a person IS personal data, so...
Brian King (IPC)
01:31:18
If registrants choose to use an email address that contains their name, that is a choice.
Sarah Wyld (RrSG)
01:31:39
I don't think it's fair of us to suggest that registrants should have to go create a new email address in order to have their data be protected
Sarah Wyld (RrSG)
01:31:54
And with or without their name in the email itself, it is still personal data
Stephanie Perrin (NCSG)
01:32:06
abuse@company.com is personal data if it routes to an individual. I thought we had learned that about 4 years ago....
Thomas Rickert (ISPCP)
01:32:19
Right, Sarah and Stephanie
Manju Chen (NCSG)
01:32:51
why do i have to go extra miles to get a new email address just to register a domain??? and have to be careful to not put my name or anything in that new email i might forget the password very soon because i use it only to register a domain???
Stephanie Perrin (NCSG)
01:32:58
I have a very firm recollection of Becky doing a talk at one of our real meetings, and pointing this out. I cheered.
Stephanie Perrin (NCSG)
01:33:53
Several of us are behind in our feedback, apologies.
Sarah Wyld (RrSG)
01:34:01
to Manju's point, creating a unique email for a domain registration also makes it more likely that the RNH won't return to that email and will miss communications about the domain
David Cake (NCSG)
01:35:04
(many other email systems allow the same trick as gmail, many geeks use it to organise their email)
Manju Chen (NCSG)
01:35:30
thanks Sarah, excellent point!
Sarah Wyld (RrSG)
01:41:57
The understanding was that the real registration data would be disclosed via the SSAD
Sarah Wyld (RrSG)
01:42:04
I am open to discussing disclosure of pseudonymized data
Laureen Kapin (GAC)
01:42:39
@ Alan -- I had assumed that the SSAD disclosed the actual personal data (agree with Sarah's understanding).
Sarah Wyld (RrSG)
01:42:43
Recommendation #12. Disclosure Requirement 12.1. The EPDP Team recommends: Contracted Parties: 12.1.1. MUST only disclose the data requested by the Requestor; 12.1.2. MUST return current data or a subset thereof (no historic data);
Alan Greenberg (ALAC)
01:42:45
@Sarah, if you are correct, fine, but I don't recall any such discussion.
Sarah Wyld (RrSG)
01:42:53
"current data" suggests to me real registration data
Brian King (IPC)
01:43:05
It is real registration data
Sarah Wyld (RrSG)
01:43:06
I think we just didn't discuss the idea of disclosing anything other than the real data ?
Hadia Elminiawi(ALAC)
01:43:53
Automatic disclosures of pseudonyms emails through SSAD could be an option
Alan Greenberg (ALAC)
01:44:24
@Sarah, the problem with relying on that is that in Phase 1, we defined the contact email as anon or web form. That is the defined field. In retrospect, we probably should have included the real email address as a redacted field.
Laureen Kapin (GAC)
01:45:26
@ Hadia -- that seems inconsistent with the purpose of the SSAD which was to create a process for access to the domain name registration data (not something less than that).
Sarah Wyld (RrSG)
01:46:44
@AlanG Phase 1 Rec 10 does include the email as a redacted field, I'm not following you
Alan Greenberg (ALAC)
01:51:03
@Sarah, yes and it does not include the original REAL address as an RDDS field. The SSAD reveals RDDS info (redacted and public). But how can the latter include the real address if it is not actually a field?
Volker Greimann (RrSG)
01:51:06
Yeah, let’s not do that
Sarah Wyld (RrSG)
01:52:07
AlanG I don't understand what you mean that the real email is not required to be disclosed via SSAD. I think the expectation is that the real email is included in those disclosures
Alan Greenberg (ALAC)
01:52:26
Fields specifying whether specific data items in the RDDS seem to be adding unneeded complexity but may be used at the registrar level.
Sarah Wyld (RrSG)
01:52:58
That's a good point AlanW
Hadia Elminiawi(ALAC)
01:55:45
Just to note this suggestion to remove the scenarios depends on what is included in the previous points
Alan Greenberg (ALAC)
01:56:48
URL of this doc?
Hadia Elminiawi(ALAC)
01:57:22
@Laureen agree that the SSAD is for more than that
Caitlin Tubergen (ICANN Org)
01:58:11
The document on screen is the agenda that was circulated yesterday.
Volker Greimann (RrSG)
01:58:23
We made that distinction by redacting everything
Volker Greimann (RrSG)
01:58:42
Protect everything equally and personal info is protected by default
Brian King (IPC)
02:00:22
My understanding was that the NCSG's position was the opposite - that registrars should NOT be determining whether there is personal data
Alan Greenberg (ALAC)
02:01:29
URL please?
Alan Greenberg (ALAC)
02:01:41
ok
Berry Cobb
02:02:05
As part of the Agenda. Staff will connect back with the notes and revised writeup to be sent later today.
Caitlin Tubergen (ICANN Org)
02:02:28
All relevant URLs will be posted in the action items.
Manju Chen (NCSG)
02:02:48
@Brian, that’s Milton’s position. As Stephanie suggested, we’re still debating about it within NCSG. hopefully we’ll resolve around that and decide on a unified position soon
Terri Agnew
02:03:21
The GNSO Temp Spec gTLD RD EPDP – Phase 2A call is scheduled on Thursday, 06 May 2021 at 14:00 UTC for 90 minutes.
Brian King (IPC)
02:03:22
We need to know all groups' official positions as early as possible, please.
Hadia Elminiawi(ALAC)
02:03:58
Thank you all bye
Melina Stroungi (GAC)
02:03:58
thank you everyone