
32:43
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en

32:57
Please select all panelists and attendees in order for everyone to see chat

33:11
Please note: the raised hand option has been adjusted to the bottom toolbar

33:31
So sorry to hear that!

34:05
So sad to hear the news.

34:42
This is such terrible news. We will miss him!

35:16
My condolences to all of Ben’s friends and family. He will be dearly missed.

35:31
we will miss him, he was indeed a good guy

36:13
He will be missed.

37:18
Jan 23 is a Saturday?

37:22
21st

37:23
I thought it's the 21st

38:56
I think Brian Beckham would be great.

39:19
Brian is really great

39:37
I would like to see it run up the flagpole

39:43
with the Council

39:50
I also support Brian's candidacy. Was Rafik an EPDP member?

39:51
I'd like to hear from Brian about his experience and his expectations of remaining neutral

39:55
I support

40:14
@Laureen - Rafik was also the Council liaison and as such a member of the EPDP.

40:26
Similar to how we heard from potential chairs ahead of time

40:29
thanks

40:33
See the table in the charter that identifies members and count.

42:05
Charter link: https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-spec-gtld-rd-epdp-19jul18-en.pdf

42:42
Good question

43:06
right, probably better for VC to not be on the EPDP.

44:03
The charter language does force the ‘hats’ scenario: “Should at any point a vice-chair need to step into the role of Chair, the same expectations with regards to fulfilling the role of chair as outlined in this charter will apply”. But as Keith noted, it might be challenging.

49:19
We definitely need a common understanding on this point, thanks for raising it.

52:49
Who was speaking just then?

53:08
Melina Stroungi, GAC

53:14
Thank you

58:23
+1 Sarah re: clarifying purpose/requirements

58:38
+1 Sarah

58:43
lol James

59:36
Great point James

01:00:04
I thought we were trying to solve for contractibility.

01:00:22
sorry, contactability

01:00:40
But we already have contactability, with the option of an email or a web form?

01:01:17
publishing PII indiscriminately Mark is very clearly illegal under GDPR

01:01:48
+1 Mark, but we’re already doing a lot of that.

01:02:40
No one said "indiscriminate", Milton

01:03:25
Mark if you publish a unique identifier with each domain registration, unreacted, it is indeed indiscriminate publication, which is unambiguously not an option legally

01:03:38
unreDACTED. sigh

01:03:46
I think our existing policy recs on contactability are sufficient

01:03:54
The web form is reliable and functional

01:04:27
We had to remove free form text due to rampant abuse and phishing.

01:05:18
so you’re saying the web forms work for contacting, but the constraints of some registrar implementations are not good, Brian?

01:05:42
https://domainnamewire.com/2020/10/02/domain-appraisal-scammers-try-to-abuse-new-godaddy-contact-system/

01:06:15
correlation = identification

01:06:24
This has been a cat-and-mouse issue since we deployed the webform, and we always prioritize protecting our customers from bad actors.

01:06:33
Contactability does not need pseudonymisation though

01:06:53
+1 to Milton

01:07:01
Correlation has very real and present dangers

01:07:42
correlation <> identification

01:07:58
Very real and present benefits as well Volker

01:08:05
I actually don't understand the use of <> in Mark's message?

01:08:11
"not equal"

01:08:20
Thanks ok! (I would expect != for that)

01:08:29
personally I prefer "!="

01:08:35
I do think correlation can result in identification of the domain owner data subject

01:08:50
<> is math. != is code.

01:08:51
statistical analysis and research is another reason

01:09:30
It can result in a list of domain names - so how is that identification?

01:09:35
That's a good point

01:10:01
Milton +1

01:10:07
I don't think we're limiting this conversation to what can/must be published.

01:10:08
(My message was re Milton's point)

01:10:16
Let's not create a substitute for SSADF

01:10:23
If this isn't about what's published, then what is this about? What problem are we solving?

01:11:17
To me, pseudo- vs anony-mized is clear, but I don't know if we're limiting it to within one Rr / Ry or across all of them, and that's important

01:12:22
That is incorrect though. IP addresses are personal information regardless of who holds them

01:13:02
incorrect

01:13:18
Anyone can connect the dots. Maybe different dots

01:13:25
+1 Alan W

01:13:28
@Volker, I read a case that said IP addresses could be, in some cases, personal data.

01:13:38
Yes, DPIA is a great idea, let's do one! Let's do one for the whole SSAD, too!

01:13:52
The IP address whitelisted by a registry for your registrar's EPP connection, for example, is not personal data

01:14:52
@Brian, long since superseded by GDPR and EU case law

01:15:26
The case I read was post-GDPR :-)

01:15:37
In some cases it may not be, but for all intents and purposes comparable to registrant data, it is

01:15:48
Hi Brian, can you share the source. That sounds interesting.

01:16:09
anonymization does not require to be completely risk free. The ICO anonymization code of practice says 100% anonymization is the most desirable position, but it is not the test the DPAs require

01:17:31
I literally just said the web forms are not fine.

01:17:50
Web forms are problematic

01:18:26
I don't know that correlation meets the GDPR definition of profiling

01:19:00
+1 Mark

01:19:06
sure it does.

01:19:35
We really need to ask ourselves whether we can achieve the purpose without pseudonymization. If that is the case, we need to go for anonymization.

01:19:47
+1 Thomas

01:19:54
Re the webforms - have the issues with webforms been raised with ICANN compliance?

01:20:00
In relation to the memo recital 26 of GDPR clearly states that anonymous information is not personal information

01:20:03
And that brings us back to the purpose-question raised by Sarah.

01:21:02
Thanks for rescuing me from the observer channel!

01:21:45
You’re welcome, Stephanie!

01:22:14
yes, Hadi, anonymization is not per se illegal

01:22:27
but pseudonymization clearly is

01:22:32
but they are identifiable under GDPR definitions- I'm not sure of the point

01:26:48
The ICO anonymization code of practice says that anonymization does not need to be 100% anonymized

01:28:42
+1 to "everyone is trying really hard"

01:28:46
oh so writing a paper will prevent us from talking past each other? Doesn’t seem to have worked in the past

01:28:47
Let’s try a masking exercise: who does not know whose this email address belongs to? v*****@g*******.d*

01:29:08
The ICO also says DPA does not require anonymization to be completely risk free

01:29:10
Whose email this is ;-)

01:29:22
so several weeks of verbal nitpicking ?

01:29:33
Hadia: we require it to be risk free...

01:30:02
I thought it was just an example that B&B provided

01:30:04
Volker, everyone on this call already has both pieces of the information. If you published that pseudonym on the open internet, it would not represent personal data for the vast majority of the world

01:30:09
As a data protection technique. Sure the ICO is correct. As to whether or not it removes the data’s character as personal data, sorry, wrong.

01:32:18
Not true Milton — for example, if it relates to data that is NOT personal information. - such as that of a legal person

01:33:24
I am proposing it, Milton, because we clearly do not agree/accept the facts of this debate. Those who are raising the questions are not alone, I would argue that this is an area that is being debated. Certainly those of us who have been engaged in this debate for years are sick of it, but that does not mean we do not need to walk this through.

01:33:50
Margie that is just not correct

01:34:43
Yes, let’s design the thing we will perhaps never build

01:35:01
when it comes to anonymization and pseudonymization it's all about implementation

01:35:03
To be clear, we shouldn't throw out the concept of pseudonymization. Yes, in some cases pseudonymized data can be personal data, and personal data may be processed lawfully. We're also not limited to discussing this in terms of publication.

01:35:32
however certainly we need to agree on the purpose first

01:35:54
" We're also not limited to discussing this in terms of publication." In what other context are we discussing this?

01:36:10
So far I heard it's re publication because the web form has limitations and there is a desire to correlate registrations

01:36:11
it’s all about publication, Brian. If we create a pseudonymized email that is not published, what is the point? We are just duplicating the registrant’s real email

01:36:29
If it's not re publication, it's re SSAD disclosure? But in that context the expectation is to get the real data

01:37:20
exactly, Sarah

01:38:13
Asking us to spend weeks exploring how a pseudonymized system would work when we know by definition that it is not going to be legal to publish it strikes me as the very definition of wasting time

01:38:38
I'm open to discussing disclosure/access to pseudonymized or anonymized email addresses.

01:38:50
That's a very new topic

01:39:14
This is a very new EPDP phase :-)

01:39:20
Brian. Hello. If you’re disclosing something on SSAD you don’t need pseudonyms or anonymity

01:40:04
I'm open to discussing the idea of disclosing pseudonymized data instead of real data

01:40:07
Why wouldn't we explore "a valuable privacy-enhancing technique"?

01:40:10
A standalone session on the Study would be helpful.

01:40:18
I'm just surprised, because I didn't see that as a proposal in the homework files

01:41:33
Milton, I think that arguing about the matter of pseudonymization here spares us arguing about it later in the IRT. Join the IRT if you need further explanation of why here is better. I would like to put a stake through the heart of this too, but clearly a legal memo and an authoritative view of the Art 29 group has not done that. The IRT certainly will not enhance the clarity on the issue in my view.

01:43:01
If the suggestion was to provide pseudonymized data via the SSAD, can someone point me to where that was provided in the homework inputs? Thanks!

01:43:46
Do any of the CPs already offer the registrants the possibility to provide consent?

01:44:01
@Sarah I just thought of it

01:44:18
Ah ok

01:44:28
Yes, it’s primarily “bringing to your attention” a proposal that is under development.

01:45:07
From proposed EU legislation: Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data.

01:45:45
Publishing non-personal data is not the problem here though

01:45:52
+1 Melina & Laureen

01:46:08
and NIS2 does (of course) include that Controllers must continue to follow the relevant data protection laws, including not publishing personal data

01:46:27
Need to drop a bit early. Thanks all.

01:50:32
How ICANN/registrars would handle the large volume of legacy data strikes me as an issue. If the data is grandfathered in the upcoming regulation, it creates a policy problem for us.

01:54:26
+1 Keith to Brian providing his SOI

01:55:01
Rafik was the GNSO Council Liaison to the EPDP Team (which is considered a member per the charter)

01:55:08
But Rafik was from a GNSO context, right? And Brian is not a SO/AC/SG member? (Not necessarily meaning he shouldn't be vice chair, just, a difference)

01:57:25
@Sarah indeed he was. If the chair is neutral, perhaps that doesn't matter?

01:57:51
None here :-)

01:57:53
Maybe! I'd expect both Keith and Brian (or whoever) to be neutral, of course

01:57:56
Thanks, all!

01:58:04
Agreed.

01:58:08
Thanks

01:58:32
Thanks all bye