Good morning, all panelists and attendees!

Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.

Finally back to the charter… very good

Oops. We'll circle back to Caitlin for the ICANN Org feedback on legal/natural study questions. Sorry about that!

Has anyone the link to these documents readily available?

+1 Steve, that would be helpful and would be a light lift to implement

I missed some of what Steve was saying but it sounds similar to the current contactability-related requirements?

May I ask a question though: Are we burying this whois?

thick

Sorry to be late.

**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.

I didn't think that question (email address instead of web form) is in scope for this phase, we already have a rec about it

Agree with Sarah

We have had the webforms live for literal years and have not had complaints about it

+1 Sarah

Hadia, et al: I am proposing something slightly different and, I think, easier. I’m proposing a standard solution of “contact-<domain-name>@<registrar-email>. The registrar would then simply forward. No guarantees, and nothing complicated. The registrar presumably already has the registrant’s email, so this would not need for anyone to fill out an additional form.

I’m somewhat confused - if the address for everyone is “contact@2ldomain.1rstldomain” then isn’t some relay function required ? Or is this a suggestion that every registrant must create this email address?

Thanks for clarification above Steve. So it does involve a relay?

@Becky: Yes, the registrar would have to relay the email.

@Steve, yes this is different than what we are discussing now

Link to wiki where the responses are posted: https://community.icann.org/pages/viewpage.action?pageId=159482147

@Steve, how is that kind of email setup different from having a webform?

Link to previous B&B memos: https://community.icann.org/display/EOTSFGRD/EPDP+-P2+Legal+subteam

Staff will have the final questions to be submitted posted on the wiki shortly.

@Manu, my understanding of the complaints about the webform is some implementations didn’t allow for the sender to include any information. Also, webforms are *much* harder to deal with for the sender.

thanks for the explanation!

https://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit

The Mark Monitor form has a 5-choice pull-down and a Comments text box which is useful. Many others have fewer choices and no free-text comments.

Not sure that's relevant here because that's not how to contact a MarkMonitor registrant

MarkSV is correct. MarkMonitor’s comment box allows roughly 250 characters. I’ve given to understand other webforms are more limited.

@Sarah for sure we do not want to tell the CPs how to implement the policy

thank you Terri!

Ah, right! That’s how two contact a MarkMonitor sales professional. Apologies for missing this detail

+1 Steve, in fact some registrar web forms don't allow any characters

Haha I missed that detail too, Steve

https://docs.google.com/document/d/1YyiBmtcpa5PxsPnKDXZFfU0WEPVhgjN5ySv9KvQb6Tw/edit#heading=h.gjdgxs

By all means, we can revisit this next week.

@Sarah the document shows we agree on the basics

Hadia - yes, the GDPR is a good basis for agreement :)

agree Sarah

I would happily volunteer to take a homework assignment to note how practical steps line up with these principles.

So we need to focus on what to expect - and leave out the when and how

And also keeping in mind that we have not yet agreed IF this distinction must happen

Indeed the distinction is irrelevant for many registrations. The operative question is, is there any personal information in this registration?

Thanks, Sarah. Let's finish up on if differentiation CAN happen, so we can get to discussion on whether it MUST.

+1 Melina

@Brian makes sense

@Brian my understanding that some CPs are already differentiating

Why doesn’t the BC take a homework assignment to come up with a template for businesses re how to register and affirm that there is no personal information contained in their registration?

We must remember that CPs already have the option to differentiate and for some of them the differentiation could make sense

As I keep saying, there needs to be an attestation on the part of any so called legal person that there is no personal data in there registration. How can that be made plausible and acceptable to those who must rely on it to manage their legal risk

Their no there

Stephanie, would you like to get in queue?

sure

We've discussed dealing with current registrations first, and then trying to formulate policies to deal with legacy registrations.

The whois accuracy program validation period is 15, days, did I hear 7?

I think Stepanie’s prescription is too narrow. Personal information should be perfectly ok to disclose if the affected person is informed and has agreed.

Stephanie

Steve - the domain owner already has the option to consent to publication of their registration data

that’s also why NCSG has a proposal of not differentiating but only asking for consent from the registrant, Steve

To Steve: yes, if the individual is truly informed and understands his/her risk in publishing his PI, fine then they can consent to disclosure.

To Stephanie’s point, as a small side business owner, the first thing I did when I had the idea to form my company was to purchase the domain name, and later got a federal tax ID, an office, etc.. In this case I suppose my domain eventually went from being controlled by a natural person with the intention of being owned by a legal one. Such complications seem common,

Right, we have not agreed that the differentiation is necessary or should be required

The guidance on screen is for how to differentiate IF the Registrar chooses to

Exactly Christian. And you may hold plenty of names you are not currently using, which you may hold personally in case you want to dissolve the company and start a new one.

+1 Melina

I strongly disagree with the idea that this distinction MUST happen.

We agree, Melina.

I would contest the assertion that publishing personal information is in the public interest.

+1 Melina

+1 Stephanie

I think we’re all in agreement. I was responding the exact wording Stephanie was saying.

We’re also waiting on legal advice from B&B that will give more insight on the level of risk in making the distinction

I was just interrupted by a cellphone call, allegedly from a commissioner of Service Canada, demanding money.

Is the contact information for commissioners of service Canada verifiable?

Business risks are acceptable if there is some benefit to us or to our customers. Here the benefits are to 3rd parties. So any non-zero risk is therefore unacceptable.

Any privacy officer spends a heck of a lot of time educating their clientele NOT to respond to all the scams going on. How can we in this group, after years of arguing about this stuff, not concede that protecting personal contact data, including address information given the ubiquitous use of geo locational data, is important?

Mark actually yes, unfortunately our CRTC gave the telcos another year to stop that glitch that permits number spoofing.

We are on a finite and VERY controlled time-line. We cannot defer the decision on whether to require differentiation too long or we will be told we are not making sufficient headway and risk being terminated.

"Flags" are a huge technical change to the whole domain system

(Don’t ask me the technical details, but my own landline is being scammed to do visa fraud, and the telco will do nothing about it)

@Stephanie you mention in the chat: "I would contest the assertion that publishing personal information is in the public interest."No one said that. I was talking about non personal data

I don't see why Walmart's consent is needed to publish contact data for Walmart.com

What is the risk for the registrant Milton if you only publish non-personal data? If they are natural person, you publish nothing, if they are legal you give them the choice to not disclose personal data and only publish the non personal data.

Thanks for that clarification Melina.

Walmart’s employees ought to have no problem filling out the template that I am suggesting the BC develop.

@ Milton -- Melina's views are perfectly in line with the GDPR. To be clear, the GDPR has weighed and balanced what information should be protected and what should not -- non-personal information is not protected. We are trying to develop a process that creates safeguards to promote only the disclosure of non-personal information.

i think that’s the problem when we get to fixated to this proposal 1a. we did have other proposals but until now we’re talking about this one as if it’s the only proposal and as if we’ve already agreed to differentiate. which we have definitely not

@Stephanie, I agree but I thought we were told last week that creating wireframes was out of scope :(

+1 Sarah

To be clear: I am all for allowing the differentiation between personal and non-personal data and providing guidance for that to create an industry standard.

https://docs.google.com/document/d/1Hf-Nt-VMznpGE4WZ7wWaHF8pXdm8qA28OW7Mjr4MH_A/edit#

I oppose the requirement to do so because of the lack of a need for it

+1 Volker

hand

Thanks Volker. There is a need to set this requirement- if you leave this optional and no one differentiates you risk having zero information on whois

This is why NIS legislation is coming in force

to prevent exactly this risk

But anyone who needs that registration data can stll obtain it in a timely manner via the SSAD or direct from the Registrar

And NIS2 will not override the GDPR

@Melina - it is not accurate to say you risk having zero information in whois - there is a good deal of information that is always required in whois.

+1 Marc

@Marc, thanks. Please do not take it to the letter, but this is the broader picture and an existing and very real risk

We'll get into details next week, as we await feedback from B&B on the legal questions.

Melina - so you're balancing the risk to a third party of delay in obtaining registration data against the risk to the Registrar in publishing personal data without a lawful basis. I come out with a different result in that assessment than you do, I think.

(And to be clear, that delay can't be long because we have policy about when the data must be provided, how emergency circumstances work, etc. And Registrars provide data immediatley to LEA in exigent circumstances)

Thanks, Berry!

All good. thx

Many thanks everyone! and please do not hesitate to reach out for further discussion/clarifications :)

Thank you all bye