Logo

051040043 - EPDP-Phase 2A Team Call
Terri Agnew
41:32
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
Terri Agnew
41:55
Members: lease select all panelists and attendees in order for everyone to see chat. Attendees and note, the raised hand option has been adjusted to the bottom toolbar.
Berry Cobb
42:08
https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0
Sarah Wyld (RrSG)
44:25
I'm sorry, what is the WBS column?
Volker Greimann (RrSG)
45:09
I am the human sacrifice of the RRSG to the legal team
Sarah Wyld (RrSG)
46:56
Thanks Berry. I continue to marvel at and try to learn from your spreadsheets
Berry Cobb
49:08
Since the Council meeting is later today, we're hopeful we can do the approval over the Council mailing list as to expedite this task.
Sarah Wyld (RrSG)
50:47
Sorry, the CPH to provide an update on IRT status?
Marika Konings
51:08
@Sarah - an update on the status of implementation of rec #6.
Sarah Wyld (RrSG)
51:18
Thanks Marika
Berry Cobb
56:38
Link to goog doc: https://docs.google.com/document/d/1weQemSQ0-884ILbhmR3OLzUWouyGXMKH/edit
Marika Konings
57:06
The aim of the yellow highlighted text was to translate the input provided in the comments. But of course, if we’ve missed something, please speak up.
Sarah Wyld (RrSG)
58:54
+1 Marc
Terri Agnew
01:00:27
Reminder: please select all panelists and attendees in order for everyone to see chat
Marika Konings
01:02:55
Especially those definitions that were derived from legal committee materials :-)
Hadia Elminiawi (ALAC)
01:03:14
@marika it makes sense reviewing these definitions first by the legal committee
Hadia Elminiawi (ALAC)
01:04:27
we need to be clear on the definitions in order to be clear on the legal impact
Sarah Wyld (RrSG)
01:06:29
I'm troubled by the idea of creating a definition with the goal of a specific outcome (correlation)
Hadia Elminiawi (ALAC)
01:06:37
@Melina, I agree anonymized in relation to whom?
Mark Svancarek (BC)
01:07:23
It will be important to ensure definitions we agree on are used not only during our work in the EPDP but also in the IRT and beyond.
Alan Woods (RYSG)
01:09:17
Agree Sarah.
Sarah Wyld (RrSG)
01:09:40
To Milton's point, I would draw the team's attention to the CPH suggested problem statement, lower down in this document
Milton Mueller (NCSG)
01:10:44
agreed sarah it is all about what problem we are dealing with and what is the acceptable way to solve it
Milton Mueller (NCSG)
01:11:29
it cannot be published
Milton Mueller (NCSG)
01:11:37
if it is not anonymized
Sarah Wyld (RrSG)
01:11:43
Agree, email is there as an option. I think our job here is to provide guidance on how one could implement an email address while adhering to data protection requirements. Not to require an email address in all cases.
Manju Chen (NCSG)
01:12:20
agree Sarah
Marc Anderson (Verisign / RySG)
01:12:58
link to instructions from GNSO council that Sarah mentioned:https://community.icann.org/pages/viewpage.action?pageId=150177878
Sarah Wyld (RrSG)
01:13:41
Lost Markia there
Hadia Elminiawi (ALAC)
01:16:50
+1 Margie we need some more time to react to this
Manju Chen (NCSG)
01:18:11
i would love that if we just follow what Bird & Bird suggested as definitions in their legal memo: if its the same email used for multiple entries from one person, its pseudynomized; if it's one address for one entry and never repeated, it's anonymized. why did we ask for legal advice and not listening to them?
Milton Mueller (NCSG)
01:18:42
+1000 Manju
Laureen Kapin (GAC)
01:19:07
I ask the same thing about the advice provided with regard to the Legal/Natural issues ;-).
Sarah Wyld (RrSG)
01:19:34
+1 ALan
Milton Mueller (NCSG)
01:21:08
“uniform” means the same for each individual registrant?
Sarah Wyld (RrSG)
01:22:04
Are there forms that do not comply with the policy requirements set out in phase 1?
Sarah Wyld (RrSG)
01:22:11
Is that the issue? noncompliance?
Brian King (IPC)
01:25:11
"contactability" without being able to fill in a web form is a glorified Facebook poke
Sarah Wyld (RrSG)
01:25:54
If the form is not being relayed that's certainly a Compliance problem
Milton Mueller (NCSG)
01:27:35
Seems like we have heard a lot from stakeholders telling us this is a problem
Milton Mueller (NCSG)
01:27:58
I don’t see any driving of us toward conclusions, quite the contrary
Milton Mueller (NCSG)
01:28:32
I see endless repetitions of the same debate and no motion toward conclusion. unfair to suggest Keith’s handling of this is biased
Marika Konings
01:29:47
As recommendation #13 is still in the implementation phase, doesn’t further guidance on web forms not belong in the IRT discussions?
Manju Chen (NCSG)
01:30:17
agree Marika
Milton Mueller (NCSG)
01:32:49
obviously an IRT issue
James Bladel (RrSG)
01:33:07
Folks, I just sent a sample relay to the ePDP list. These forms (at least at my Registrar) are functioning as intended. If other registrars cannot provide the same functionality, it should be raised with Compliance.
Sarah Wyld (RrSG)
01:34:15
Where a Registrar redacts the data element values listed in Section 10.3.1.8 or 10.3.1.12, in lieu of “REDACTED”, Registrar MUST Publish an email address or a link to a web form for the Email value to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself. [Rec 13]
Berry Cobb
01:36:53
We have the Webinar next Tuesday on L vs. N, and yes the agenda next Thursday will focus more on that topic.
Laureen Kapin (GAC)
01:36:57
@Keith -- much appreciated. Want to make sure we have sufficient opportunity to deal with both anonymized emails and the treatment of legal information.
Brian King (IPC)
01:36:58
@James: missing from many registrars' forms is the possibility of "facilitating email communication" - surely merely delivering a non-message via email as a protocol does not achieve the intended outcome of being able to write an email to the registrant
Brian King (IPC)
01:37:19
happy to move along for today, and unfortunately I need to drop at the top of the hour. Thanks all.
James Bladel (RrSG)
01:38:13
Good points, Sarah.
Sarah Wyld (RrSG)
01:39:04
That is maybe a thing that could exist but it certainly does not at this time
Sarah Wyld (RrSG)
01:39:11
(Alan G's suggestion)
Volker Greimann (RrSG)
01:39:53
There is no reason for it to exist
Margie Milam (BC)
01:40:07
That’s right Sarah- we can certainly talk about whether it should be addressed in the policy
Sarah Wyld (RrSG)
01:40:18
Right - it goes back to agreeing on a problem statement and what is in scope for this phase
James Bladel (RrSG)
01:44:03
@Milton - as mentioned earlier, it essentially becomes a “tracking cookie” for the DNS
Milton Mueller (NCSG)
01:45:06
exactly, so why are we considering it
Alan Woods (RYSG)
01:46:12
That is a huge conflation of client data and registrant data -
Alan Woods (RYSG)
01:46:35
We are talking about the latter only surely?
Sarah Wyld (RrSG)
01:46:35
I'm not sure what this has to do with our work here, but maybe that's because the problem statement is as yet unclear
Sarah Wyld (RrSG)
01:47:00
And, didn't James just explain that in some privacy/proxy services we see pseudonymization in the public-facing email address? I do think that's a good example
Milton Mueller (NCSG)
01:48:16
so as I predicted, Margie is arguing for correlation, this is really about correlation, not about the definitions
Sarah Wyld (RrSG)
01:48:34
Is revisiting the SSAD response requirements in scope for this phase?
Volker Greimann (RrSG)
01:48:47
You mean by subpoena?
Milton Mueller (NCSG)
01:49:10
so if we want to make progress, we have a debate about whether correlation of published contact data is legal.
Manju Chen (NCSG)
01:49:52
if you can get it upon request that means you’re getting from the SSAD? what is it to do with publishing?
Sarah Wyld (RrSG)
01:50:20
Good question there Manju
Chris Lewis-Evans (GAC)
01:52:27
@Mark Thanks so it is the domain name that generates (has generated) another unique string that stays with it.
Sarah Wyld (RrSG)
01:52:29
We need to understand if this is in scope
Stephanie Perrin (NCSG)
01:53:16
My hand is up
Alan Woods (RYSG)
01:53:21
Also where data is released via the SSAD - this undermines all anonymization and psedonymization - we need to consider the ling tail of such efforts with all processes considered - not just the mere act of ‘correlation’
Alan Woods (RYSG)
01:53:28
*long
Stephanie Perrin (NCSG)
01:54:36
+1 Alan
Sarah Wyld (RrSG)
01:56:10
RIght! I thought our job here was to provide guidance on how to do this pseudonymization or anonymization properly, for those cases where the CP has decided to do so according to Rec 13
Milton Mueller (NCSG)
01:56:13
ENISA: “there is still a large threat of re-identification..."
Sarah Wyld (RrSG)
01:56:28
Agree = IF published, how to do it right
Milton Mueller (NCSG)
01:57:17
Sounds like Laureen is agreeing that pseudonymized email is a major identification risk and special measures would be needed to reduce risks.
James Bladel (RrSG)
01:59:11
Hi folks…need to drop a few minute early. Thanks.
Hadia Elminiawi (ALAC)
01:59:16
+1 safeguards are required and just to note there is no such thing as risk free and DPAs are not looking for 100% anonymization
Margie Milam (BC)
01:59:24
Laureen was talking about reducing risk through pseudonymized emails -- which make sense.
Hadia Elminiawi (ALAC)
01:59:35
+1 Margie
Laureen Kapin (GAC)
02:00:01
Perhaps a bit more nuanced Milton -- I agree that the real issue is how to mitigate the risk of identification IF the anonymized/pseudonymized data is published.
Keith Drazek (Chair /Verisign)
02:04:26
Thanks Marika for the clarification. Yes, the guidance from Council, not just the original charter.
Berry Cobb
02:04:51
https://docs.google.com/document/d/1e2-rVF2wh-821tct76O50QdWwn4ZcIqS/edit#heading=h.gjdgxs
Berry Cobb
02:05:32
https://docs.google.com/document/d/1QlM4O_vwx7cQ11DJ_Lx2kqhyyRgDkMXG/edit#heading=h.gjdgxs
Berry Cobb
02:07:23
to the list.
Sarah Wyld (RrSG)
02:07:46
Thanks, all
Hadia Elminiawi (ALAC)
02:07:56
Thank you all - bye for now
Manju Chen (NCSG)
02:07:58
Thank you all!