051040043 - EPDP-Phase 2A Team Call
Mark Svancarek
22:24
Good morning, all panelists and attendees!
Terri Agnew
24:27
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en **Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
vgreimann
25:29
Finally back to the charter… very good
Keith Drazek (Verisign / chair)
29:30
Oops. We'll circle back to Caitlin for the ICANN Org feedback on legal/natural study questions. Sorry about that!
Melina Stroungi (GAC)
33:04
Has anyone the link to these documents readily available?
Brian King (IPC)
35:26
+1 Steve, that would be helpful and would be a light lift to implement
Sarah Wyld (RrSG / Tucows)
35:27
I missed some of what Steve was saying but it sounds similar to the current contactability-related requirements?
Volker Greimann (RrSG)
36:46
May I ask a question though: Are we burying this whois?
Volker Greimann (RrSG)
36:58
thick
Alan Greenberg, ALAC
38:01
Sorry to be late.
Terri Agnew
38:09
**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Sarah Wyld (RrSG / Tucows)
39:14
I didn't think that question (email address instead of web form) is in scope for this phase, we already have a rec about it
Owen Smigelski (RrSG)
39:56
Agree with Sarah
Sarah Wyld (RrSG / Tucows)
40:27
We have had the webforms live for literal years and have not had complaints about it
Manju Chen (NCSG)
40:27
+1 Sarah
Steve Crocker (SSAC)
41:11
Hadia, et al: I am proposing something slightly different and, I think, easier. I’m proposing a standard solution of “contact-<domain-name>@<registrar-email>”. The registrar would then simply forward. No guarantees, and nothing complicated. The registrar presumably already has the registrant’s email, so this would not need anyone to fill out an additional form.
Becky Burr (ICANN Board)
41:15
I’m somewhat confused - if the address for everyone is “contact@2ldomain.1rstldomain” then isn’t some relay function required? Or is this a suggestion that every registrant must create this email address?
Becky Burr (ICANN Board)
41:38
Thanks for clarification above Steve. So it does involve a relay?
Steve Crocker (SSAC)
41:39
@Becky: Yes, the registrar would have to relay the email.
Hadia Elminiawi (ALAC)
42:59
@Steve, yes this is different than what we are discussing now
Caitlin Tubergen
43:50
Link to wiki where the responses are posted: https://community.icann.org/pages/viewpage.action?pageId=159482147
Manju Chen (NCSG)
46:18
@Steve, how is that kind of email setup different from having a webform?
Berry Cobb
46:23
Link to previous B&B memos: https://community.icann.org/display/EOTSFGRD/EPDP+-P2+Legal+subteam
Berry Cobb
46:47
Staff will have the final questions to be submitted posted on the wiki shortly.
Steve Crocker (SSAC)
48:12
@Manju, my understanding of the complaints about the webform is that some implementations didn’t allow for the sender to include any information. Also, webforms are *much* harder to deal with for the sender.
Manju Chen (NCSG)
50:12
thanks for the explanation!
Berry Cobb
51:25
https://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit
Mark Svancarek (BC)
53:53
The MarkMonitor form has a 5-choice pull-down and a Comments text box which is useful. Many others have fewer choices and no free-text comments.
Brian King (IPC)
54:45
Not sure that's relevant here because that's not how to contact a MarkMonitor registrant
Steve Crocker (SSAC)
54:53
MarkSV is correct. MarkMonitor’s comment box allows roughly 250 characters. I’m given to understand other webforms are more limited.
Hadia Elminiawi (ALAC)
54:54
@Sarah for sure we do not want to tell the CPs how to implement the policy
Milton Mueller (NCSG)
55:28
thank you Terri!
Steve Crocker (SSAC)
55:33
Ah, right! That’s how to contact a MarkMonitor sales professional. Apologies for missing this detail.
Brian King (IPC)
55:35
+1 Steve, in fact some registrar web forms don't allow any characters
Mark Svancarek (BC)
56:27
Haha I missed that detail too, Steve
Berry Cobb
56:34
https://docs.google.com/document/d/1YyiBmtcpa5PxsPnKDXZFfU0WEPVhgjN5ySv9KvQb6Tw/edit#heading=h.gjdgxs
Keith Drazek (Verisign / chair)
01:00:14
By all means, we can revisit this next week.
Hadia Elminiawi (ALAC)
01:01:30
@Sarah the document shows we agree on the basics
Sarah Wyld (RrSG / Tucows)
01:01:41
Hadia - yes, the GDPR is a good basis for agreement :)
Manju Chen (NCSG)
01:05:24
agree Sarah
Brian King (IPC)
01:06:11
I would happily volunteer to take a homework assignment to note how practical steps line up with these principles.
Hadia Elminiawi (ALAC)
01:08:42
So we need to focus on what to expect - and leave out the when and how
Sarah Wyld (RrSG / Tucows)
01:08:42
And also keeping in mind that we have not yet agreed IF this distinction must happen
Stephanie Perrin (NCSG)
01:10:07
Indeed the distinction is irrelevant for many registrations. The operative question is, is there any personal information in this registration?
Brian King (IPC)
01:11:09
Thanks, Sarah. Let's finish up on if differentiation CAN happen, so we can get to discussion on whether it MUST.
Margie Milam (BC)
01:11:27
+1 Melina
Hadia Elminiawi (ALAC)
01:11:37
@Brian makes sense
Hadia Elminiawi (ALAC)
01:12:20
@Brian my understanding is that some CPs are already differentiating
Stephanie Perrin (NCSG)
01:13:19
Why doesn’t the BC take a homework assignment to come up with a template for businesses re how to register and affirm that there is no personal information contained in their registration?
Hadia Elminiawi (ALAC)
01:14:12
We must remember that CPs already have the option to differentiate and for some of them the differentiation could make sense
Stephanie Perrin (NCSG)
01:14:24
As I keep saying, there needs to be an attestation on the part of any so called legal person that there is no personal data in there registration. How can that be made plausible and acceptable to those who must rely on it to manage their legal risk
Stephanie Perrin (NCSG)
01:14:41
Their not there
Keith Drazek (Verisign / chair)
01:14:42
Stephanie, would you like to get in queue?
Stephanie Perrin (NCSG)
01:14:55
sure
Laureen Kapin (GAC)
01:16:33
We've discussed dealing with current registrations first, and then trying to formulate policies to deal with legacy registrations.
Sarah Wyld (RrSG / Tucows)
01:17:27
The whois accuracy program validation period is 15 days, did I hear 7?
Steve Crocker (SSAC)
01:20:21
I think Stepanie’s prescription is too narrow. Personal information should be perfectly ok to disclose if the affected person is informed and has agreed.
Steve Crocker (SSAC)
01:20:26
Stephanie
Sarah Wyld (RrSG / Tucows)
01:20:40
Steve - the domain owner already has the option to consent to publication of their registration data
Manju Chen (NCSG)
01:22:25
that’s also why NCSG has a proposal of not differentiating but only asking for consent from the registrant, Steve
Stephanie Perrin (NCSG)
01:22:49
To Steve: yes, if the individual is truly informed and understands his/her risk in publishing his PI, fine then they can consent to disclosure.
Christian Dawson (ISPCP)
01:22:52
To Stephanie’s point, as a small side business owner, the first thing I did when I had the idea to form my company was to purchase the domain name, and later got a federal tax ID, an office, etc. In this case I suppose my domain eventually went from being controlled by a natural person with the intention of being owned by a legal one. Such complications seem common,
Sarah Wyld (RrSG / Tucows)
01:22:57
Right, we have not agreed that the differentiation is necessary or should be required
Sarah Wyld (RrSG / Tucows)
01:23:42
The guidance on screen is for how to differentiate IF the Registrar chooses to
Stephanie Perrin (NCSG)
01:23:50
Exactly Christian. And you may hold plenty of names you are not currently using, which you may hold personally in case you want to dissolve the company and start a new one.
Margie Milam (BC)
01:24:17
+1 Melina
Sarah Wyld (RrSG / Tucows)
01:24:44
I strongly disagree with the idea that this distinction MUST happen.
Brian King (IPC)
01:24:45
We agree, Melina.
Stephanie Perrin (NCSG)
01:24:49
I would contest the assertion that publishing personal information is in the public interest.
Jan Janssen (IPC)
01:24:49
+1 Melina
Sarah Wyld (RrSG / Tucows)
01:25:02
+1 Stephanie
Steve Crocker (SSAC)
01:25:06
I think we’re all in agreement. I was responding to the exact wording Stephanie was saying.
Margie Milam (BC)
01:25:24
We’re also waiting on legal advice from B&B that will give more insight on the level of risk in making the distinction
Stephanie Perrin (NCSG)
01:25:44
I was just interrupted by a cellphone call, allegedly from a commissioner of Service Canada, demanding money.
Mark Svancarek (BC)
01:27:12
Is the contact information for commissioners of Service Canada verifiable?
Owen Smigelski (RrSG)
01:27:25
Business risks are acceptable if there is some benefit to us or to our customers. Here the benefits are to 3rd parties. So any non-zero risk is therefore unacceptable.
Stephanie Perrin (NCSG)
01:27:33
Any privacy officer spends a heck of a lot of time educating their clientele NOT to respond to all the scams going on. How can we in this group, after years of arguing about this stuff, not concede that protecting personal contact data, including address information given the ubiquitous use of geo locational data, is important?
Stephanie Perrin (NCSG)
01:28:44
Mark actually yes, unfortunately our CRTC gave the telcos another year to stop that glitch that permits number spoofing.
Alan Greenberg (ALAC)
01:28:59
We are on a finite and VERY controlled time-line. We cannot defer the decision on whether to require differentiation too long or we will be told we are not making sufficient headway and risk being terminated.
Sarah Wyld (RrSG / Tucows)
01:28:59
"Flags" are a huge technical change to the whole domain system
Stephanie Perrin (NCSG)
01:29:18
(Don’t ask me the technical details, but my own landline is being scammed to do visa fraud, and the telco will do nothing about it)
Melina Stroungi (GAC)
01:29:54
@Stephanie you mention in the chat: "I would contest the assertion that publishing personal information is in the public interest." No one said that. I was talking about non personal data
Mark Svancarek (BC)
01:31:56
I don't see why Walmart's consent is needed to publish contact data for Walmart.com
Melina Stroungi (GAC)
01:32:16
What is the risk for the registrant Milton if you only publish non-personal data? If they are natural person, you publish nothing, if they are legal you give them the choice to not disclose personal data and only publish the non personal data.
Stephanie Perrin (NCSG)
01:33:01
Thanks for that clarification Melina.
Stephanie Perrin (NCSG)
01:33:39
Walmart’s employees ought to have no problem filling out the template that I am suggesting the BC develop.
Laureen Kapin (GAC)
01:33:52
@ Milton -- Melina's views are perfectly in line with the GDPR. To be clear, the GDPR has weighed and balanced what information should be protected and what should not -- non-personal information is not protected. We are trying to develop a process that creates safeguards to promote only the disclosure of non-personal information.
Manju Chen (NCSG)
01:34:03
i think that’s the problem when we get too fixated on this proposal 1a. we did have other proposals but until now we’re talking about this one as if it’s the only proposal and as if we’ve already agreed to differentiate. which we have definitely not
Mark Svancarek (BC)
01:34:26
@Stephanie, I agree but I thought we were told last week that creating wireframes was out of scope :(
Stephanie Perrin (NCSG)
01:36:09
+1 Sarah
Volker Greimann (RrSG)
01:36:25
To be clear: I am all for allowing the differentiation between personal and non-personal data and providing guidance for that to create an industry standard.
Berry Cobb
01:36:37
https://docs.google.com/document/d/1Hf-Nt-VMznpGE4WZ7wWaHF8pXdm8qA28OW7Mjr4MH_A/edit#
Volker Greimann (RrSG)
01:36:41
I oppose the requirement to do so because of the lack of a need for it
Sarah Wyld (RrSG / Tucows)
01:36:47
+1 Volker
Berry Cobb
01:37:29
hand
Melina Stroungi (GAC)
01:38:24
Thanks Volker. There is a need to set this requirement- if you leave this optional and no one differentiates you risk having zero information on whois
Melina Stroungi (GAC)
01:38:33
This is why NIS legislation is coming in force
Melina Stroungi (GAC)
01:38:37
to prevent exactly this risk
Sarah Wyld (RrSG / Tucows)
01:39:41
But anyone who needs that registration data can still obtain it in a timely manner via the SSAD or direct from the Registrar
Sarah Wyld (RrSG / Tucows)
01:40:00
And NIS2 will not override the GDPR
Marc Anderson (RySG / Verisign)
01:41:03
@Melina - it is not accurate to say you risk having zero information in whois - there is a good deal of information that is always required in whois.
Sarah Wyld (RrSG / Tucows)
01:41:34
+1 Marc
Melina Stroungi (GAC)
01:42:12
@Marc, thanks. Please do not take it to the letter, but this is the broader picture and an existing and very real risk
Keith Drazek (Verisign / chair)
01:43:24
We'll get into details next week, as we await feedback from B&B on the legal questions.
Sarah Wyld (RrSG / Tucows)
01:45:42
Melina - so you're balancing the risk to a third party of delay in obtaining registration data against the risk to the Registrar in publishing personal data without a lawful basis. I come out with a different result in that assessment than you do, I think.
Sarah Wyld (RrSG / Tucows)
01:46:34
(And to be clear, that delay can't be long because we have policy about when the data must be provided, how emergency circumstances work, etc. And Registrars provide data immediately to LEA in exigent circumstances)
Mark Svancarek (BC)
01:46:41
Thanks, Berry!
Berry Cobb
01:48:52
All good. thx
Melina Stroungi (GAC)
01:48:54
Many thanks everyone! and please do not hesitate to reach out for further discussion/clarifications :)
Hadia Elminiawi (ALAC)
01:49:06
Thank you all bye