Logo

Julie Bisland's Personal Meeting Room - Shared screen with speaker view
Julf Helsingius (NCSG)
43:21
My apologies - I will have to leave after 45 minutes
Sarah Wyld (RrSG)
45:21
I agree that we should dedicate more meeting time to this topic as Marc described in his email
Volker Greimann (RrSG)
46:16
Someone is radioactive. Their Geiger counter is going wild
Laureen Kapin (GAC)
46:33
Hearing typing . . .
Julf Helsingius (NCSG)
46:38
I was going to ask if anyone else had the strange clicking sound
Amr Elsadr (NCSG)
46:54
I could have sworn that I only saw two EPDP meetings on the public schedule for ICANN67. Did I get that wrong?
Terri Agnew
46:59
Cracking is from Janis’s line
Berry Cobb
47:23
@Amr, yes 2 on schedule for week of Remote67.
Volker Greimann (RrSG)
47:26
No Amr, there are two sessions each week
Berry Cobb
47:42
the following two are 17th and 19th , typically a down week post physical meeting.
Amr Elsadr (NCSG)
48:19
I think the 4 meetings we’re planning on holding are a not a bad idea, anyway.
Brian King (IPC)
53:14
Completely agree on including Org, Marc. Great suggestion.
Steve DelBianco (BC)
53:24
Not just ICANN Org legal, but also OCTO representative on that small team
Steve DelBianco (BC)
55:04
I believe that Mark SV will want to be on that small team too.
Amr Elsadr (NCSG)
55:16
So we’re moving ahead with the small team, then?
Brian King (IPC)
55:29
Since he's not on the call, I note that Mark Svancarek would be great for this small team.
Volker Greimann (RrSG)
55:30
Apparently :-(
Volker Greimann (RrSG)
55:53
Since we do not have any other valid form of communication, apparently
Amr Elsadr (NCSG)
01:04:17
Personally, I don’t think the use of the word “masked” is necessarily relevant. The detailed descriptions are more helpful:
Amr Elsadr (NCSG)
01:04:41
(a) the same unique string would be used for multiple registrations by the data subject ('pseudonymisation'), or(b) the string would be unique for each registration ('anonymization').
Sarah Wyld (RrSG)
01:04:58
Agree with Amr
Sarah Wyld (RrSG)
01:05:08
I think the overall opinion is clear and the recommendation is appropriate
Amr Elsadr (NCSG)
01:05:26
@Sarah: +1. Recommendation is appropriate.
Sarah Wyld (RrSG)
01:05:48
I disagree that it is the same at all
Sarah Wyld (RrSG)
01:06:14
the anonymized email address would be the same across all domains belonging to the user, so it's clearly a connection and it becomes Personal Data
Milton Mueller (NCSG)
01:06:18
agree with sarah, allowing contact via an intermediary is not the same as publishing an email directly
Sarah Wyld (RrSG)
01:06:19
the web form can be unique per session
Sarah Wyld (RrSG)
01:06:29
(should be, maybe)
Julf Helsingius (NCSG)
01:06:42
+1 @Sarah
Sarah Wyld (RrSG)
01:06:50
And thank you Becky, yes.
Ben Butler (SSAC)
01:06:54
Agree
Amr Elsadr (NCSG)
01:08:23
Agree with Volker, but if I understood AlanG’s earlier comment, he’s right too. The net effect is the same, in terms of making contact with the registrant possible, only no personal information is being processed/published.
Sarah Wyld (RrSG)
01:08:27
I do agree with this recommendation
Volker Greimann (RrSG)
01:08:29
Yes we can
Amr Elsadr (NCSG)
01:08:32
I agree.
Sarah Wyld (RrSG)
01:08:46
Thank you to the Legal committee for their thoughtful work on this
Amr Elsadr (NCSG)
01:08:59
Thanks, Becky and legal team.
Chris Disspain
01:10:09
greetings….Apologies for joining late
Milton Mueller (NCSG)
01:10:43
pretty clear that they are only needed for a limited number of use cases
Milton Mueller (NCSG)
01:10:52
(city field)
Milton Mueller (NCSG)
01:11:32
though I must admit that I am prejudiced against anything that involves “moe work”
Milton Mueller (NCSG)
01:12:33
more work!
Amr Elsadr (NCSG)
01:13:30
@AlanG: Yeah…, thanks for clarifying what I’m (we’re both) asking. Confirming that Alan’s question and mine are pretty much the same.
Amr Elsadr (NCSG)
01:15:14
Generic might not be the best descriptor. All-encompassing balancing test?
Sarah Wyld (RrSG)
01:18:44
I would agree to continue redaction of the city field from the public RDDS
Amr Elsadr (NCSG)
01:18:53
Disclosure of the city field on a case-by-case basis requires a balancing test, so let’s leave it at that.
Milton Mueller (NCSG)
01:19:31
no, Alan.
James Bladel (RrSG)
01:20:22
The email is changed often to prevent Spam
Milton Mueller (NCSG)
01:21:09
that’s an oxymoron (generic one-time balancing test)
Alan Greenberg (ALAC)
01:21:16
@James, yes, exactly.
Margie Milam (BC)
01:22:26
+1 Volker
Sarah Wyld (RrSG)
01:22:58
I would agree with Volker, either the CP should be able to decide for their own domains or everyone should redact the City field.
Alan Greenberg (ALAC)
01:23:22
@Milton, it may well be an oxymoron, but B&B *IS* referring to just such a process.
Milton Mueller (NCSG)
01:23:39
No. If it is redacted as a matter of policy, it can be disclosed to a requestor after a balancing test
Milton Mueller (NCSG)
01:23:58
And the CP will do the balancing test
Julf Helsingius (NCSG)
01:26:19
My apologies, but will have to leave for another meeting
Hadia Elminiawi (ALAC)
01:27:25
@Amr the city field is not defined as PI and therefore it is treated as personal information only when it leads to personal identification
Amr Elsadr (NCSG)
01:27:54
@Hadia: Reference?
Amr Elsadr (NCSG)
01:28:26
Why would the city field and street address field be treated any differently?
Volker Greimann (RrSG)
01:29:38
We could for example only disclose cities of certain size
Volker Greimann (RrSG)
01:29:56
Or disclose everything, if we have consent
Brian King (IPC)
01:30:56
+1 Volker
Brian King (IPC)
01:31:42
Or in jurisdictions not in the EEA, or for TLDs like .bank which don't have personal data in the RDS, or for...
Margie Milam (BC)
01:31:50
Yes- I'll do that
Hadia Elminiawi (ALAC)
01:32:43
@Amr reference ICO
Volker Greimann (RrSG)
01:32:47
I like flexibility
Amr Elsadr (NCSG)
01:33:16
@Hadia: ICO said that the city a data subject resides in is not personal information?
Berry Cobb
01:34:17
https://docs.google.com/document/d/174PSGgWB-UTTcqIA-NndIVDkP6WR701tzwjDsozVRXM/edit
Volker Greimann (RrSG)
01:35:13
If we ask OCTO the same question again and again, do we expect the answer to be different each time?
Alan Woods (RYSG)
01:36:42
OCTO literally just said that they didn't …..
Hadia Elminiawi (ALAC)
01:36:51
@Amr yes the city field is not personal information
Sarah Wyld (RrSG)
01:36:58
And Accuracy requirements alrady exist, I don't think changes are in scope
Amr Elsadr (NCSG)
01:37:24
@AlanW: “OCTO literally just said that they didn’t …..” - and not for the first time either!!
Amr Elsadr (NCSG)
01:37:37
@Hadia: Link?
Sarah Wyld (RrSG)
01:37:41
ICANN may test that escrow deposits are full and complete, but they must not access the escrowed data
Sarah Wyld (RrSG)
01:37:52
I don't think any of those purposes that Margie is listing out require ICANN to process the data
Amr Elsadr (NCSG)
01:38:12
@Sarah: +1 on the accuracy requirements.
Sarah Wyld (RrSG)
01:38:14
and if ICANN Org needs to process data, they should be the ones telling us so
Milton Mueller (NCSG)
01:38:24
So Margie is telling OCTO and ICANN that she knows better what they need that they do?
Amr Elsadr (NCSG)
01:38:26
@Sarah: +1 on the other stuff too!!
Sarah Wyld (RrSG)
01:38:55
Maybe they're doing the valuable work of minimizing their data processing to the bare minimum
Margie Milam (BC)
01:39:38
I gave concrete examples
Margie Milam (BC)
01:40:01
that show ICANN DOES need a purpose
Sarah Wyld (RrSG)
01:40:05
+1 Volker
Margie Milam (BC)
01:40:30
ICANN is a controller
Volker Greimann (RrSG)
01:41:33
So what. A controller cannot do what it likes
Amr Elsadr (NCSG)
01:41:56
@Volker @AlanW: +1
Thomas Rickert (ISPCP)
01:42:12
Can we please stop speculating over what ICANN might need data for. If they do not speak up, we should move on.
Volker Greimann (RrSG)
01:42:22
Exactly, Thomas
Thomas Rickert (ISPCP)
01:42:39
As Alan said, they can ask for data later. It can be done later, if needed.
Sarah Wyld (RrSG)
01:42:39
Thanks for articulating this so well Alan W
Thomas Rickert (ISPCP)
01:43:22
Is it just me or are we rehearsing these arguments for the 10th time now...
Milton Mueller (NCSG)
01:43:41
yes, it’s allowed under current purposes…next
Margie Milam (BC)
01:44:30
+1 Alan G
James Bladel (RrSG)
01:44:32
Contracted parties can always refuse.
Alan Greenberg (ALAC)
01:45:00
@James, certainly, but far less likely if clear in contracts.
Margie Milam (BC)
01:45:22
@James - that's why a specific purpose is needed
Hadia Elminiawi (ALAC)
01:45:27
+1 Alan G @james if it is against the law they surely can.
Alan Greenberg (ALAC)
01:45:38
Being ALLOWED to process is moot if the data is not available.
James Bladel (RrSG)
01:45:47
ICANN authority is voluntary (contractual). We have rights under the contract, and our external legal obligations always supersede our contractual obligations. Also, if ICANN pushes the issues and we take them to arbitration, then the entire RAA could be invalidated.
Thomas Rickert (ISPCP)
01:45:56
GDPR is about the need to get data. If OCTO needed it, they would have told us so I am sure.
Sarah Wyld (RrSG)
01:46:00
+1 James
Margie Milam (BC)
01:46:28
Need a purpose specific to implementing consensus policies
Alan Greenberg (ALAC)
01:46:28
@Thomas, for example, ARS is not an OCTO function.
Alan Greenberg (ALAC)
01:46:37
It is GDD.
Sarah Wyld (RrSG)
01:47:01
agree with position that OCTO has not indicated need for Personal Data
Amr Elsadr (NCSG)
01:47:21
ARS not even a Consensus Policy. Not a suitable topic for this EPDP. Should be included in whatever replaces the next-gen RDS PDP.
Milton Mueller (NCSG)
01:47:41
seems to me Margie you are just asking for a purpose that offers a generalized “we can get any data for any reason"
Sarah Wyld (RrSG)
01:47:56
but OCTO said they do not need data, and ICANN Org says they have not identified purpsoes for access to data
Sarah Wyld (RrSG)
01:47:58
it says so right on the screen
Hadia Elminiawi (ALAC)
01:48:13
+1 Margie purpose 2 needs to be maintained
Volker Greimann (RrSG)
01:48:15
It is written
Thomas Rickert (ISPCP)
01:48:23
@Alan, part of my difficulty with this discussion is that ICANN will have to take responsiility for such processing. If they do not articularte their needs, we should not do that for them as it is obviously something they do not want and they might then even refuse to take the risk for it. Let‘s not dump purposes on them they do not want.
Amr Elsadr (NCSG)
01:49:00
Agree with Janis. We seem to be conflating topics.
Volker Greimann (RrSG)
01:49:15
Wrong question Margie
Volker Greimann (RrSG)
01:49:29
Jut because someone did it before does not make it viable now
Alan Woods (RYSG)
01:49:30
because they are not allowed to change their mind.
Amr Elsadr (NCSG)
01:49:45
@Margie: How many times do we need to ask OCTO the same question?!?! They won’t give us a different answer just because we keep asking over and over again!!
Berry Cobb
01:49:52
OCTO response from Phase 1.
Berry Cobb
01:49:54
3. Further input is requested to explore how WHOIS was used before the Temp Spec was adopted, in OCTO's activities. The original Org response does not address that issue. For example, did OCTO use WHOIS in its law enforcement training and outreach activities, or engagement with the cybersecurity community, or to facilitate or respond to large scale botnet attacks, such as Conficker or Avalanche? Individual members may follow up with the CTO for follow up questions, if available at ICANN63.Regarding the EPDP Team’s follow-up question on how OCTO used WHOIS data for training and outreach activities, prior to the effective date of the Temporary Specification, use of WhOIS data to identify the registrant and the technical data related to a domain name was part of the training materials. The training showed how one could use WHOIS data to attempt to contact a registrant or the hosting provider in cases of compromised machines, etc. Since the Temporary Specification became effective, the training no longer shows
Brian King (IPC)
01:50:11
@Amr, we're proposing to ask them a different question: what did they do previously?
Amr Elsadr (NCSG)
01:50:26
@Brian: We already asked that question!!
Brian King (IPC)
01:51:16
@Amr, sorry I didn't see an answer. I note that Berry's message above is helpful. Where did that come from?
Caitlin Tubergen
01:51:50
https://community.icann.org/display/EOTSFGRD/Input+from+ICANN+Org
Caitlin Tubergen
01:52:19
Please refer to the category, “Use of data by ICANN Org”
Volker Greimann (RrSG)
01:52:45
And then they can expand their purpose, if needed
Alan Woods (RYSG)
01:52:52
no body is doing that.... and that was not stated Brian
Amr Elsadr (NCSG)
01:53:58
@Caitlin: That’s lightening-fast turnaround on that!! Thanks!! :-)
Milton Mueller (NCSG)
01:54:17
od please do close it
Berry Cobb
01:54:18
I'm not sure there's more that staff can do here. All of this is documented in the workbook.
Brian King (IPC)
01:54:32
Thank you Caitlin and Berry
Margie Milam (BC)
01:54:38
thank you
Margie Milam (BC)
01:54:39
yes
Milton Mueller (NCSG)
01:54:55
yay
Amr Elsadr (NCSG)
01:55:02
Yaaaay!!
Berry Cobb
01:55:09
https://67.schedule.icann.org/meetings/1152557
Volker Greimann (RrSG)
01:55:12
Local time means Cancun local?
Milton Mueller (NCSG)
01:55:22
“exhausted” our agenda a good choice of words, Janis
Sarah Wyld (RrSG)
01:55:40
Yes Volker. And Cancun does not do the time change this weekend
Berry Cobb
01:55:45
yes. UTC is the same.....except the 12 March session to avoid conflict.
Sarah Wyld (RrSG)
01:55:59
Thanks, all
Amr Elsadr (NCSG)
01:56:02
Thanks all. Bye.
Alan Woods (RYSG)
01:56:02
thanks all
Hadia Elminiawi (ALAC)
01:56:07
bye
Thomas Rickert (ISPCP)
01:56:12
bye all!