Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en

Please select all panelists and attendees in order for everyone to see chat

Please note: the raised hand option has been adjusted to the bottom toolba

So sorry to hear that!

So sad to hear the news.

This is such terrible news. We will miss him!

My condolences to all of Ben’s friends and family. He will be dearly missed.

we will miss him, he was indeed a good guy

He will be missed.

Jan 23 is a Saturday?

21st

I thought it's the 21st

I think Brian Beckham would be great.

Brian is really great

I would like to see it run up the flagpole

with the Councikl

I also support Brian's candidacy. Was Rafik an EPDP member?

I'd like to hear from Brian about his experience and his expectations of remaining neutral

I support

@Laureen - Rafik was also the Council liaison and as such a member of the EPDP.

Similar to how we heard from potential chairs ahead of time

thanks

See the table in the charter that identifies members and count.

Charter link: https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-spec-gtld-rd-epdp-19jul18-en.pdf

Good question

right, probably better for VC to not be on the EPDP.

The charter language does force the ‘hats’ scenario: “Should at any point a vice-chair need to step into the role of Chair, the same expectations with regards to fulfilling the role of chair as outlined in this charter will apply”. But as Keith noted, it might be challenging.

We definitely need a common understanding on this point, thanks for raising it.

Who was speaking just then?

Melina Stroungi, GAC

Thankyou

+1 Sarah re: clarifying purpose/requirements

+1 Sarah

lol James

Great point James

I thought we were trying to solve for contractibility.

sorry, contactability

But we already have contactability, with the option of an email or a web form?

publishing PII indiscriminately Mark is very clearly illegal under GDPR

+1 Mark, but we’re already doing a lot of that.

No one said "indiscriminate", Milton

Mark if you publish a unique identifier with each domain registration, unreacted, it is indeed indiscriminate publication, which is unambiguously not an option legally

unreDACTED. sigh

I think our existing policy recs on contactability are sufficient

The web form is reliable and functional

We had to remove free form text due to rampant abuse and phishing.

so you’re saying the web forms work for contacting, but the constraints of some registrar implementations are not good, Brian?

https://domainnamewire.com/2020/10/02/domain-appraisal-scammers-try-to-abuse-new-godaddy-contact-system/

correlation = identification

This has been a cat-and-mouse issue since we deployed the webform, and we always prioritize protecting our customers from bad actors.

Contactability does not need pseudonymisation though

+1 to Milton

Correlation has very real and present dangers

correlation <> identification

Very real and present benefits as well Volker

I actually don't understand the use of <> in Mark's mmessage?

"not equal"

Thanks ok! (I would expect != for that)

personally I prefer "!="

I do think correlation can result in identification of the domain owner data subject

<> is math. != is code.

statistical analysis and research is another reason

It can result in a list of domain names - so how is that identification?

That's a good point

Milton +1

I don't think we're limiting this conversation to what can/must be published.

(My message was re Milton's point)

Lets not create a substitute for SSADF

If this isn't about what's published, then what is this about? What problem are we solving?

To me, pseudo- vs anony-mized is clear, but I don't know if we're limiting it to within one Rr / Ry or across all of them, and that's important

That is incorrect though. IP-Adresses are personal information regardless of who holds them

incorrect

Anyone can connect the dots. Maybe different dots

+1 Alan W

@Volker, I read a case that said IP addresses could be, in some cases, personal data.

Yes, DPIA is a great idea, let's do one! Let's do one for the whole SSAD, too!

The IP address whitelisted by a registry for your registrar's EPP connection, for example, is not personal data

@Brian, long since superseded by GDPR and EU case law

The case I read was post-GDPR :-)

In some cases it may not be, but for all intents and purposes comparable to registrant data, it is

Hi Brian, can you share the source. That sounds interesting.

anonymization does not require to be completely risk free. The ICO anonymization code of practice says 100% anonymization is the most desirable position, but it is not the test the DPAs require

I literally just said the web forms are not fine.

Web forms are problematic

I don't know that correlation meets the GDPR definition of profiling

+1 Mark

sure it does.

We really need to ask ourselves whether we can achieve the purpose without pseudonymization. If that is the case, we need to go for anonomyzation.

+1 Thomas

Re the webforms - have the issues with webforms been raised with ICANN compliance?

In relation to the memo recital 26 of GDPR clearly states that anonymous information is not personal information

And that brings us back to the purpose-question raised by Sarah.

Thanks for rescuing me from the observer channel!

You’re welcome, Stephanie!

yes, Hadi, anonymization is not per se illegal

but pseudonymization clearly is

but they are identifiable under GDPR definitions- I'm not sure of the point

The ICO anonymization code of practice say that anonymization does not need to be 100% anonymized

+1 to "everyone is trying really hard"

oh so writing a paper will prevent us from talking past each other? Doesn’t seem to have worked in the past

Let’s try a masking exercise: who does not know whose this email address belongs to? v*****@g*******.d*

The ICO also says DPA does not require anonymization to be completely risk free

Whose email this is ;-)

so several weeks of verbal nitpicking ?

Hadia: we require it to be risk free...

I thought it was just an example that B&B provided

Volker, everyone on this call already has both pieces of the information. If you published that pseudonym on the open internet, it would not represent prsonal data for the vast majority of the world

As a data protection technique. Sure the ICO is correct. As to whether or not it removes the data’s character as personal data, sorry, wrong.

Not true Milton — for example, if it relates to data that is NOT personal information. - such as that of a legal person

I am proposing it, Milton, because we clearly do not agree/accept the facts of this debate. Those who are raising the questions are not alone, I would argue that this is an area that is being debated. Certainly those of us who have been engaged in this debate for years are sick of it, but that does not mean we do not need to walk this through.

Margie that is just not correct

Yes, let’s design the thing we will perhaps never build

when it comes to anonymization and pseudonymization its all about implementation

To be clear, we shouldn't throw out the concept of pseudonymization. Yes, in some cases pseudonymized data can be personal data, and personal data may be processed lawfully. We're also not limited to discussing this in terms of publication.

however certainly we need to agree on the purpose first

" We're also not limited to discussing this in terms of publication." In what other context are we discussing this?

So far I heard it's re publication because the web form has limitations and there is a desire to correlate registrations

it’s all about publication, Brian. If we create a pseudonymized email that is not published, what is the point? We are just duplicating the registrant’s real email

If it's not re publication, it's re SSAD disclosure? But in that context the expectation is to get the real data

exactly, Sarah

Asking us to spend weeks exploring how a pseuodonymized system would work when we know by definition that it is not going to be legal to publish it strikes me as the very definition of wasting time

I'm open to discussing disclosure/access to pseudonymized or anonymized email addresses.

That's a very new topic

This is a very new EPDP phase :-)

Brian. Hello. If you’re disclosing something on SSAD you don’t need pseudonyms or anonymity

I'm open to discussing the idea of disclosing pseudonymized data instead of real data

Why wouldn't we explore "a valuable privacy-enhancing technique"?

A standalone session on the Study would be helpful.

I'm just surprised, because I didn't see that as a proposal in the homework files

Milton, I think that arguing about the matter of pseudonymization here spares us arguing about it later in the IRT. Join the IRT if you meed further explanation of why here is better. I would like to put a stake through the heart of this too, but clearly a legal memo and an authoritative view of the Art 29 group has not done that. The IRT certainly will not enhance the clarity on the issue in my view.

If the suggestion was to provide pseudonymized data via the SSAD, can someone point me to where that was provided in the homework inputs? Thanks!

Do any of the CPs already offer the registrants the possibility to provide consent?

@Sarah I just thought of it

Ah ok

Yes, it’s primarily “bringing to your attention” a proposal that is under development.

From proposed EU legislation: Member States shall ensure that the TLD registries and the entities providing domain nameregistration services for the TLD publish, without undue delay after the registration of adomain name, domain registration data which are not personal data.

Publishing non-personal data is not the problem here though

+1 Melina & Laureen

and NIS2 does (of course) include that Controllers must continue to follow the relevant data protection laws, including not publishing personal data

Need to drop a bit early. T hanks all.

How ICANN/registrars would handle the large volume is of legacy data strikes me as an issue. If the data is grandfathered in the upcoming regulation, it creates a policy problem for us.

+1 Kieth to Brian providing his SOI

Rafik was the GNSO Council Liaison to the EPDP Team (which is considered a member per the charter)

But Rafik was from a GNSO context, right? And Brian is not a SO/AC/SG member? (Not necessarily meaning he shouldn't be vice chair, just, a difference)

@Sarah indeed he was. If the chair is neutral, perhaps that doesn't matter?

None here :-)

Maybe! I'd expect both Keith and Brian (or whoever) to be neutral, of course

Thanks, all!

Agreed.

Thanks

Thanks all bye