
051040043 - EPDP-Phase 2A Team Call - Shared screen with speaker view
Terri Agnew
31:19
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en ** Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Steve Crocker (SSAC)
36:08
What’s a scenario for a registration to happen without any interaction with the registrant?
Sarah Wyld (RrSG)
36:29
when a domain is registered through a reseller of a wholesale registration provider, it is common for the registrant to not interact with the registrar
Sarah Wyld (RrSG)
37:05
The reseller requires the registrant to accept the registrar's terms of service, so the registrant should be aware of the registrar's existence (but they often don't understand fully)
Margie Milam (BC)
37:21
They can’t — the RAA requires the registrar to comply
Sarah Wyld (RrSG)
37:22
And this is not new
Margie Milam (BC)
37:32
And make sure the reseller complies
Steve Crocker (SSAC)
38:38
Maybe I’m just a simple-minded person, but it seems to me if a reseller is empowered to create a registration on my behalf, I’m interacting with an agent of the registrar. That’s functionally equivalent to interacting with the registrar, isn’t it?
Sarah Wyld (RrSG)
38:57
I don't see it as the same (to Steve's point).
Sarah Wyld (RrSG)
39:03
The business relationships are different
Melina Stroungi (GAC)
39:33
@Sarah, what is the business relationship between the registrar and the reseller? Is it subcontracting?
Sarah Wyld (RrSG)
39:48
That depends on the given registrar's reseller agreement, right?
Owen Smigelski (RrSG)
39:49
Registrars have always had to follow the RAA and cannot escape compliance by using 3rd parties. I have no idea why this is a concern. When at ICANN Compliance, I took action multiple times against registrars because of actions by their resellers.
Margie Milam (BC)
39:49
From the RAA: 3.12 Obligations Related to Provision of Registrar Services by Third Parties. Registrar is responsible for the provision of Registrar Services for all Registered Names that Registrar sponsors being performed in compliance with this Agreement, regardless of whether the Registrar Services are provided by Registrar or a third party, including a Reseller. Registrar must enter into written agreements with all of its Resellers that enable Registrar to comply with and perform all of its obligations under this Agreement.
Keith Drazek (Chair) (Verisign)
40:19
All, please feel free to get in queue rather than relying only on chat.
Stephanie Perrin (NCSG)
43:00
And as a co-controller, ICANN’s obligation seems to me to be met by the language in the RAA.
Mark Svancarek (BC)
43:43
Has ICANN actually agreed that they are a co-controller? I know it has been discussed...
Stephanie Perrin (NCSG)
43:46
Those obligations are already laid out clearly in the GDPR. Each registrar, as a controller, is obligated to set in place agreements that comply with the obligations. We certainly do not need to set out guidance for those agreements, that would be intruding into the area of providing legal advice IMHO as a non-lawyer....
Stephanie Perrin (NCSG)
44:39
Repeating an earlier comment which I posted only to panelists: The whole area of resellers is certainly something that, from the point of view of an individual not experienced in the DNS intricacies which we debate here, is problematic. I am of course looking at the matter from a rights perspective. However, it seems to be out of scope for this group to explore it.
Brian King (IPC)
45:03
+1 I also don't understand why this is being discussed to the extent it is
Sarah Wyld (RrSG)
45:24
MarkSV - I think that's still an open issue with the Roles & Responsibilities team?
Sarah Wyld (RrSG)
45:34
They're working on the data protection agreements recommended by phase1
Stephanie Perrin (NCSG)
45:35
Mark SV, if ICANN has not agreed to being a co-controller by now me might as well pack up and go home.
Hadia Elminiawi (ALAC)
45:58
+1 this is guidance, but that does not change the fact there will need to be a way through which CPs are able to contact their registrants.
Stephanie Perrin (NCSG)
45:58
We not me, although that was probably a fredian slip.
Stephanie Perrin (NCSG)
46:37
Freudian not Fredian.
Brian King (IPC)
47:23
clever suggestion, MarkSv
Sarah Wyld (RrSG)
48:23
What if the second italicized section just loses the last few words, and is "or at the first opportunity after registration." and ends there?
Brian King (IPC)
50:33
+1 to Sarah's suggestion
Brian King (IPC)
51:01
I'd also strike "or at the first opportunity after registration" but don't let that detract from my support of Sarah's suggestion
Hadia Elminiawi (ALAC)
51:55
The problem is still with "the first opportunity "
Sarah Wyld (RrSG)
52:00
What about: "Registrars must ensure this option to self-identify as natural or legal persons is conveyed to Registrants at the time of registration or at the soonest opportunity after registration."
Hadia Elminiawi (ALAC)
52:02
what does this mean
Mark Svancarek (BC)
53:27
maybe "reseller partners". If the business relationship is considered a partnership
Sarah Wyld (RrSG)
53:42
"Registrars must ensure this option to self-identify as natural or legal persons is conveyed to Registrants at the time of registration or without undue delay after registration."
Mark Svancarek (BC)
53:59
+1 Sarah
Sarah Wyld (RrSG)
54:10
It is important to maintain an ability to do this after registration and not only at the time of.
Melina Stroungi (GAC)
54:11
my preference would be to stop 'at the time of registration'
Brian King (IPC)
54:22
+1 Melina
Mark Svancarek (BC)
55:55
To be clear, I also prefer the distinction to be made at the time of registration. But if that will not be the guidance, I think Sarah's edit is good.
Stephanie Perrin (NCSG)
56:10
Would “through any agents” be better than naming resellers specifically
Melina Stroungi (GAC)
57:36
indeed good suggestion Laureen. We could write "at the time of registration or, in cases where this is not feasible, within X days after registration"
Stephanie Perrin (NCSG)
57:48
When did we get to “must”?
Stephanie Perrin (NCSG)
58:01
Isn’t should better in a guidance doc?
Hadia Elminiawi (ALAC)
58:24
"registrars or their resellers should convey this option for registrants to self-identify as natural or legal at the time of registration" - or ""registrars or their resellers should convey this option for registrants to self-identify as natural or legal" another option would be as Laureen said mentioning an exact period like 15 days
Sarah Wyld (RrSG)
58:45
oh yeah, should, please, thank you
Sarah Wyld (RrSG)
58:56
Screen sharer please change mine from must to should? thank you
Stephanie Perrin (NCSG)
59:02
Remembering that the obligation to ensure that individuals who wish to provide consent to disclosure of personal info is a separate obligation
Laureen Kapin (GAC)
59:14
That's a helpful explanation Sarah -- thanks for mentioning the scenario where the Rgr provides the opportunity for consent to publish their personal info.
Sarah Wyld (RrSG)
59:28
Laureen, glad that was helpful!
Hadia Elminiawi (ALAC)
59:32
+1 Melina or after 15 days
Sarah Wyld (RrSG)
59:55
not allow them ??
Stephanie Perrin (NCSG)
01:01:08
Rushing registrants into making a decision at registration strikes me as bad advice. Most of us who click on things at the time we want something never ever go back to check until something hits the fan. Better to have the registrar manage this over time, with followup
Brian King (IPC)
01:01:08
I suppose registrants should be able to update this at any time, especially if they have made a mistake.
Sarah Wyld (RrSG)
01:01:15
Ah, I thought Brian was saying the current language did not allow the Registrar to gather this info at the time of registration, but I must have misunderstood.
Sarah Wyld (RrSG)
01:01:23
Yes, registrants must be able to update this at any time after it is set
Sarah Wyld (RrSG)
01:01:36
Stephanie, good point re rushing leading to bad decisions
Brian King (IPC)
01:02:02
I suppose I'd be ok with allowing registrants to make the distinction at registration AND again afterwards.
Brian King (IPC)
01:02:21
the OR scenario is not as good guidance
Sarah Wyld (RrSG)
01:02:27
+1 Marc
Keith Drazek (Chair) (Verisign)
01:02:35
Just a reminder that all existing registrations will need the flexibility to have "post-registration" self-determination from registrants.
Stephanie Perrin (NCSG)
01:02:48
This is why we have fought this whole obligation…(Milton of course would disagree with me here) in that in my opinion most folks do not understand what their status is in terms of their personal commercial relationships.
Brian King (IPC)
01:03:12
I disagree, Stephanie. I think people know if they are a human or not.
Stephanie Perrin (NCSG)
01:03:36
That would be great if that were what we are talking about Brian
Sarah Wyld (RrSG)
01:03:37
Brian, as Stephanie has said in previous meetings, people definitely know if they are human but many people do not understand what a "legal person" is
Hadia Elminiawi (ALAC)
01:03:38
More sense is to have it at the time of registration. Why do registrars need to put extra burden on themselves and their registrants?
Stephanie Perrin (NCSG)
01:03:39
We are not
Brian King (IPC)
01:03:58
Then we should not ask the question in those terms
Sarah Wyld (RrSG)
01:03:59
Hadia we are saying that in some cases requesting it during registration and not after IS more burden
Brian King (IPC)
01:04:18
Fortunately we have guidance that says to make the distinction and the consequences clear
Hadia Elminiawi (ALAC)
01:04:28
+1 Steve differentiation needs to happen at the time of registration
Sarah Wyld (RrSG)
01:04:56
Alan, the reseller may be the one asking that, though
Sarah Wyld (RrSG)
01:05:10
and it may not be offered at the time of registration, there's no obligation to offer a privacy service
Hadia Elminiawi (ALAC)
01:05:24
@Sarah and still why can't this happen at registration time?
Owen Smigelski (RrSG)
01:05:42
Also, registrars may offer privacy/proxy for free (mine does)
Sarah Wyld (RrSG)
01:06:05
As we've said, it *could* happen at registration time, but I don't see that it *must*. It might make more sense to collect it after the registration is completed.
Owen Smigelski (RrSG)
01:06:38
Supporting Stephanie, I am aware of companies that register domain names that want to be private- developing a name, mark, product without wanting the rest of the world knowing in advance
Sarah Wyld (RrSG)
01:06:57
+1 AlanW
Stephanie Perrin (NCSG)
01:07:02
Precisely, plus 100 Owen
Hadia Elminiawi (ALAC)
01:07:22
@Sarah this is only a guide so there are no musts, the guide should refer to the best practices.
Sarah Wyld (RrSG)
01:07:48
Right, and the best practice might be different for different registrars depending on their business model, so shouldn't we cover all the options here?
Manju Chen (NCSG)
01:08:07
Sorry guys! forgot to set my msg to all panelists and attendees :)
Brian King (IPC)
01:08:08
The best guidance is to allow the registrant to self-designate at the time of registration, and to correct any erroneous self-designation at any time thereafter.
Sarah Wyld (RrSG)
01:08:21
Again, to the screen sharing person, please update my proposal to only start with "should" (no "must")
Brian King (IPC)
01:08:24
happy to move along
Sarah Wyld (RrSG)
01:08:36
Thank you
Steve Crocker (SSAC)
01:09:44
@Sarah, to my mind, the distinction necessarily happens at registration time. If the registrant responds later, that’s effectively a change to the registration. As I said in my intervention, if you take the position that the registrant can respond later, how does the registrar decide how to respond to requests after registration but before the registrant has declared?
Hadia Elminiawi (ALAC)
01:11:23
@Sarah can we consider putting an extra step on the reseller and the registrant as a best practice?
Hadia Elminiawi (ALAC)
01:11:36
* how can we
Berry Cobb
01:11:37
https://docs.google.com/document/d/1uA_gEGmfyokKOP0Xft7q__RXVK1Ns_IXzSRoPKusm_E/edit
Sarah Wyld (RrSG)
01:12:19
@Steve, this is the same issue that any Rr who does not choose to differentiate would run into, and as the data controller, they'd have to figure out how to handle it.
Berry Cobb
01:12:29
Wrong link above. https://docs.google.com/document/d/1Dl-71SsX_OqDNpvN-rQ9K_wJnevEVW0V0oH32xYl2nA/edit#
Sarah Wyld (RrSG)
01:12:35
@Hadia, I am not sure we should create best practices for resellers at all.
Hadia Elminiawi (ALAC)
01:15:06
@Sarah if we are not creating a best practice to resellers, then let's change the text to say "registrars should convey this option for registrants to self-identify as natural or legal at the time of registration"
Stephanie Perrin (NCSG)
01:15:44
Steve, this determination is optional. Opting in to making a decision later, is an addition and it may of course change the actions taken by the registrar, but does this make it a change? Asking because I do not fully understand how we define “change”
Keith Drazek (Chair) (Verisign)
01:16:04
Thanks for the correction, Caitlin!
Sarah Wyld (RrSG)
01:16:12
Hadia, the change to "registrars should ensure this is conveyed" is to allow them to require their resellers to do so, if it is more appropriate in the business flow. I think this is a good change.
Sarah Wyld (RrSG)
01:16:39
(So in my proposed language, either the registrar OR the reseller could convey it, as long as someone does)
Keith Drazek (Chair) (Verisign)
01:18:15
Correct
Sarah Wyld (RrSG)
01:19:38
Alan G I am just curious which domain did you try to contact and had this experience with the web form?
Sarah Wyld (RrSG)
01:19:58
I would love to see what kind of form they are offering and compare it to the ones I've encountered, which do allow sending a plaintext message to the domain owner
Sarah Wyld (RrSG)
01:20:19
Why would that not be enough content? It sounds to me like those are fairly appropriate messages to send to the domain owner
Sarah Wyld (RrSG)
01:20:38
As a domain owner, I would much prefer to get limited form messages instead of allowing every random person on the internet to send me abusive messages with no limitations.
Sarah Wyld (RrSG)
01:20:57
Shouldn't ALAC be considering the experience of the average person who owns a domain name and how to protect them from abuse and spam?
Stephanie Perrin (NCSG)
01:20:58
+1 Sarah
Alan Woods (RYSG)
01:21:23
+1 Sarah
Margie Milam (BC)
01:21:34
@Sarah — it's not enough room to send a proper cease & desist to lay out the information related to trademarks & other rights being infringed
Steve Crocker (SSAC)
01:22:36
@Stephanie, I think it helps to look at this operationally. The only reason for asking the question is to affect what data elements are provided in response to requests about the domain name registration. If a registrar chooses not to ask the question at all, it means the registrar’s response to a request will be the same no matter whether the registrant is a natural or legal person. However, if the registrar intends to give different responses depending on the registrant’s status, then it’s essential to say what the response will be if the registrant hasn’t specified their status. The registrar might choose to treat the lack of specification the same as a natural person, the same as a legal person, or something else entirely. Any of these is logically possible. As a consequence, as soon as the registrar is willing to respond to requests for information about the domain name registration, there is some sort of de facto determination. As I said, it might be natural, legal or “unknown.”
Manju Chen (NCSG)
01:22:45
squeezing in webform in this P2A is the real far push imho
Alan Woods (RYSG)
01:22:58
Can we please refrain from imputing motives on the CPs please.
Steve Crocker (SSAC)
01:23:05
If the registrant supplies an answer later, that’s effectively a change.
Owen Smigelski (RrSG)
01:25:15
Agree with Man-ju. I don’t see how webforms have anything to do with unique contacts. Completely out of scope.
Hadia Elminiawi (ALAC)
01:25:32
Phase 2A is discussing how to contact registrants, and since IRT cannot put policy, this group could specify what the webforms should look like.
Sarah Wyld (RrSG)
01:25:51
I do not agree that this is in scope for this phase
Margie Milam (BC)
01:26:03
+1 Brian
Stephanie Perrin (NCSG)
01:26:24
I see your point Steve, and I agree that in plain language any addition of data points is a change. However, I just wondered if “change” meant material change in name, address, contact points, etc. Change in decision as to what to disclose in the SSAD is rather separate from the registration conditions, depending on how this policy is to be implemented in the RAA and a lot depends on ICANN’s role as a co-controller IMHO
Sarah Wyld (RrSG)
01:27:54
Good point Marc
Tara Whalen (SSAC)
01:28:16
Sadly, I need to drop off the call now — handing off to Steve C. Thanks, all!
Keith Drazek (Chair) (Verisign)
01:28:28
Thanks Tara
Brian King (IPC)
01:29:13
For the record, nobody's arguing that registrars shouldn't be able to prevent abuse of the web forms.
Sarah Wyld (RrSG)
01:29:28
The issue of phishing/cyber-attacks is an important one (thanks Marc)
Brian King (IPC)
01:30:43
Need to drop for another call. Thanks all.
Owen Smigelski (RrSG)
01:31:16
In my former life as an IP attorney, I found that registrants routinely ignored cease and desist letters that I sent to their email addresses. So even if webforms were within our remit (they are not), spending time making them conform to the needs of some participants will not do anything to improve abilities to make legal threats via webform.
Steve Crocker (SSAC)
01:31:54
@Stephanie, it seems to me a change from/to natural, legal, unknown is just as material as a change of name, address, etc.
Stephanie Perrin (NCSG)
01:33:09
Perhaps it is. I am really fishing for information about how those negotiations on the RAA are going, because the language in there has an impact on how we decide this question.
Stephanie Perrin (NCSG)
01:33:14
Picket fence and all that
Owen Smigelski (RrSG)
01:33:18
Scope for Phase 2A: Following the Council discussion on 20 August 2020 and a decision on 21 October 2020, Council decided to continue the EPDP on Registration Data for dealing with the remaining priority 2 items. The two remaining issues to be within scope of deliberations: 1. Differentiation between Legal vs. natural persons data 2. Feasibility of unique contacts to have a uniform anonymized email address
Owen Smigelski (RrSG)
01:33:37
I do not see webforms in the scope at all
Marc Anderson (RySG)
01:34:16
May 19th
Marc Anderson (RySG)
01:34:21
(next IRT meeting)
Hadia Elminiawi (ALAC)
01:34:59
@Stephanie so why are we referring to rec13 in our report if it is out of scope?
Owen Smigelski (RrSG)
01:36:38
+100 Man-ju
Sarah Wyld (RrSG)
01:36:46
+1 Man-Ju
Mark Svancarek (BC)
01:43:12
I still maintain that there is nothing for Compliance to enforce, so no surprise that no one is submitting complaints to them
Alan Greenberg (ALAC)
01:46:06
@Mark, correct. Compliance does not know about this because there is NO policy that is not being followed. Even if Phase 1 was implemented, there would be no policy that is not being followed.
Sarah Wyld (RrSG)
01:48:04
+1 Owen
Mark Svancarek (BC)
01:48:33
-1 Owen. There are two uses for the email.
Alan Greenberg (ALAC)
01:48:38
@Owen, correlation would be useful, but that is not the only reason for having contact info.
Sarah Wyld (RrSG)
01:49:49
The option to do a forwarder email is already there, but many providers chose a web form in order to reduce spam and other opportunities to abuse the information
Steve Crocker (SSAC)
01:50:59
@Sarah, isn’t it possible to use the same techniques in a forwarding system for reducing spam, etc?
Sarah Wyld (RrSG)
01:51:07
And I think B&B said that forwarding is a risk? Didn't they?
Sarah Wyld (RrSG)
01:51:26
Steve - I don't think so? How would you implement a captcha in a forwarding email address?
Sarah Wyld (RrSG)
01:51:54
+1 re spam via the forwarding email
Owen Smigelski (RrSG)
01:52:33
Alan, webform requirements are NOT in our scope. Sorry to keep repeating this.
Keith Drazek (Chair) (Verisign)
01:53:34
@Alan: If a registrant can't be contacted, that's clearly a violation of the policy recommendation and ripe for ICANN compliance investigation, and/or further implementation guidance/work.
Mark Svancarek (BC)
01:53:52
Need to drop
Melina Stroungi (GAC)
01:54:46
thanks everyone
Terri Agnew
01:54:50
The GNSO Temp Spec gTLD RD EPDP – Phase 2A call is scheduled on Tuesday, 18 May 2021 at 14:00 UTC for 90 minutes.
Hadia Elminiawi (ALAC)
01:55:05
Thanks all bye for today
Steve Crocker (SSAC)
01:55:29
@Sarah, now I understand the point. Thanks. That said, it seems to me the way webforms have been implemented has created unnecessary hassles. But I think that’s well below the level of policy development. One could still have mail forwarding with the additional requirement of going through a captcha process.