Logo

051040043 - EPDP-Phase 2A Team Call - Shared screen with speaker view
Terri Agnew
32:43
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
Terri Agnew
32:57
Please select all panelists and attendees in order for everyone to see chat
Terri Agnew
33:11
Please note: the raised hand option has been adjusted to the bottom toolba
Brian King
33:31
So sorry to hear that!
margiemilam
34:05
So sad to hear the news.
Thomas Rickert (ISPCP)
34:42
This is such terrible news. We will miss him!
zzzLeón Felipe Sánchez Ambía (Alternate Board Liasion)
35:16
My condolences to all of Ben’s friends and family. He will be dearly missed.
Milton Mueller
35:31
we will miss him, he was indeed a good guy
Mark Svancarek
36:13
He will be missed.
Sarah Wyld (RrSG)
37:18
Jan 23 is a Saturday?
Berry Cobb
37:22
21st
Sarah Wyld (RrSG)
37:23
I thought it's the 21st
Brian King (IPC)
38:56
I think Brian Beckham would be great.
Margie Milam (BC)
39:19
Brian is really great
Milton Mueller (NCSG)
39:37
I would like to see it run up the flagpole
Milton Mueller (NCSG)
39:43
with the Councikl
Laureen Kapin (GAC)
39:50
I also support Brian's candidacy. Was Rafik an EPDP member?
Sarah Wyld (RrSG)
39:51
I'd like to hear from Brian about his experience and his expectations of remaining neutral
Mark Svancarek (BC)
39:55
I support
Marika Konings
40:14
@Laureen - Rafik was also the Council liaison and as such a member of the EPDP.
Sarah Wyld (RrSG)
40:26
Similar to how we heard from potential chairs ahead of time
Sarah Wyld (RrSG)
40:29
thanks
Marika Konings
40:33
See the table in the charter that identifies members and count.
Berry Cobb
42:05
Charter link: https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-spec-gtld-rd-epdp-19jul18-en.pdf
Sarah Wyld (RrSG)
42:42
Good question
Milton Mueller (NCSG)
43:06
right, probably better for VC to not be on the EPDP.
Marika Konings
44:03
The charter language does force the ‘hats’ scenario: “Should at any point a vice-chair need to step into the role of Chair, the same expectations with regards to fulfilling the role of chair as outlined in this charter will apply”. But as Keith noted, it might be challenging.
Sarah Wyld (RrSG)
49:19
We definitely need a common understanding on this point, thanks for raising it.
Sarah Wyld (RrSG)
52:49
Who was speaking just then?
Berry Cobb
53:08
Melina Stroungi, GAC
Sarah Wyld (RrSG)
53:14
Thankyou
Tara Whalen (SSAC)
58:23
+1 Sarah re: clarifying purpose/requirements
Thomas Rickert (ISPCP)
58:38
+1 Sarah
Milton Mueller (NCSG)
58:43
lol James
Sarah Wyld (RrSG)
59:36
Great point James
Milton Mueller (NCSG)
01:00:04
I thought we were trying to solve for contractibility.
Milton Mueller (NCSG)
01:00:22
sorry, contactability
Sarah Wyld (RrSG)
01:00:40
But we already have contactability, with the option of an email or a web form?
Milton Mueller (NCSG)
01:01:17
publishing PII indiscriminately Mark is very clearly illegal under GDPR
James Bladel (RrSG)
01:01:48
+1 Mark, but we’re already doing a lot of that.
Mark Svancarek (BC)
01:02:40
No one said "indiscriminate", Milton
Milton Mueller (NCSG)
01:03:25
Mark if you publish a unique identifier with each domain registration, unreacted, it is indeed indiscriminate publication, which is unambiguously not an option legally
Milton Mueller (NCSG)
01:03:38
unreDACTED. sigh
Sarah Wyld (RrSG)
01:03:46
I think our existing policy recs on contactability are sufficient
Sarah Wyld (RrSG)
01:03:54
The web form is reliable and functional
James Bladel (RrSG)
01:04:27
We had to remove free form text due to rampant abuse and phishing.
Milton Mueller (NCSG)
01:05:18
so you’re saying the web forms work for contacting, but the constraints of some registrar implementations are not good, Brian?
James Bladel (RrSG)
01:05:42
https://domainnamewire.com/2020/10/02/domain-appraisal-scammers-try-to-abuse-new-godaddy-contact-system/
Milton Mueller (NCSG)
01:06:15
correlation = identification
James Bladel (RrSG)
01:06:24
This has been a cat-and-mouse issue since we deployed the webform, and we always prioritize protecting our customers from bad actors.
Volker Greimann (RrSG)
01:06:33
Contactability does not need pseudonymisation though
Manju Chen (NCSG)
01:06:53
+1 to Milton
Volker Greimann (RrSG)
01:07:01
Correlation has very real and present dangers
Mark Svancarek (BC)
01:07:42
correlation <> identification
Chris Lewis-Evans (GAC)
01:07:58
Very real and present benefits as well Volker
Sarah Wyld (RrSG)
01:08:05
I actually don't understand the use of <> in Mark's mmessage?
Mark Svancarek (BC)
01:08:11
"not equal"
Sarah Wyld (RrSG)
01:08:20
Thanks ok! (I would expect != for that)
Mark Svancarek (BC)
01:08:29
personally I prefer "!="
Sarah Wyld (RrSG)
01:08:35
I do think correlation can result in identification of the domain owner data subject
James Bladel (RrSG)
01:08:50
<> is math. != is code.
Hadia Elminiawi (ALAC)
01:08:51
statistical analysis and research is another reason
Margie Milam (BC)
01:09:30
It can result in a list of domain names - so how is that identification?
Sarah Wyld (RrSG)
01:09:35
That's a good point
Volker Greimann (RrSG)
01:10:01
Milton +1
Brian King (IPC)
01:10:07
I don't think we're limiting this conversation to what can/must be published.
Sarah Wyld (RrSG)
01:10:08
(My message was re Milton's point)
Volker Greimann (RrSG)
01:10:16
Lets not create a substitute for SSADF
Sarah Wyld (RrSG)
01:10:23
If this isn't about what's published, then what is this about? What problem are we solving?
Sarah Wyld (RrSG)
01:11:17
To me, pseudo- vs anony-mized is clear, but I don't know if we're limiting it to within one Rr / Ry or across all of them, and that's important
Volker Greimann (RrSG)
01:12:22
That is incorrect though. IP-Adresses are personal information regardless of who holds them
Volker Greimann (RrSG)
01:13:02
incorrect
Volker Greimann (RrSG)
01:13:18
Anyone can connect the dots. Maybe different dots
Sarah Wyld (RrSG)
01:13:25
+1 Alan W
Brian King (IPC)
01:13:28
@Volker, I read a case that said IP addresses could be, in some cases, personal data.
Sarah Wyld (RrSG)
01:13:38
Yes, DPIA is a great idea, let's do one! Let's do one for the whole SSAD, too!
Brian King (IPC)
01:13:52
The IP address whitelisted by a registry for your registrar's EPP connection, for example, is not personal data
Volker Greimann (RrSG)
01:14:52
@Brian, long since superseded by GDPR and EU case law
Brian King (IPC)
01:15:26
The case I read was post-GDPR :-)
Volker Greimann (RrSG)
01:15:37
In some cases it may not be, but for all intents and purposes comparable to registrant data, it is
Thomas Rickert (ISPCP)
01:15:48
Hi Brian, can you share the source. That sounds interesting.
Hadia Elminiawi (ALAC)
01:16:09
anonymization does not require to be completely risk free. The ICO anonymization code of practice says 100% anonymization is the most desirable position, but it is not the test the DPAs require
Brian King (IPC)
01:17:31
I literally just said the web forms are not fine.
Margie Milam (BC)
01:17:50
Web forms are problematic
Mark Svancarek (BC)
01:18:26
I don't know that correlation meets the GDPR definition of profiling
Margie Milam (BC)
01:19:00
+1 Mark
Milton Mueller (NCSG)
01:19:06
sure it does.
Thomas Rickert (ISPCP)
01:19:35
We really need to ask ourselves whether we can achieve the purpose without pseudonymization. If that is the case, we need to go for anonomyzation.
Sarah Wyld (RrSG)
01:19:47
+1 Thomas
Alan Woods (RYSG)
01:19:54
Re the webforms - have the issues with webforms been raised with ICANN compliance?
Hadia Elminiawi (ALAC)
01:20:00
In relation to the memo recital 26 of GDPR clearly states that anonymous information is not personal information
Thomas Rickert (ISPCP)
01:20:03
And that brings us back to the purpose-question raised by Sarah.
stephanieeperrin
01:21:02
Thanks for rescuing me from the observer channel!
Andrea Glandon
01:21:45
You’re welcome, Stephanie!
Milton Mueller (NCSG)
01:22:14
yes, Hadi, anonymization is not per se illegal
Milton Mueller (NCSG)
01:22:27
but pseudonymization clearly is
Alan Woods (RYSG)
01:22:32
but they are identifiable under GDPR definitions- I'm not sure of the point
Hadia Elminiawi (ALAC)
01:26:48
The ICO anonymization code of practice say that anonymization does not need to be 100% anonymized
Sarah Wyld (RrSG)
01:28:42
+1 to "everyone is trying really hard"
Milton Mueller (NCSG)
01:28:46
oh so writing a paper will prevent us from talking past each other? Doesn’t seem to have worked in the past
Volker Greimann (RrSG)
01:28:47
Let’s try a masking exercise: who does not know whose this email address belongs to? v*****@g*******.d*
Hadia Elminiawi (ALAC)
01:29:08
The ICO also says DPA does not require anonymization to be completely risk free
Volker Greimann (RrSG)
01:29:10
Whose email this is ;-)
Milton Mueller (NCSG)
01:29:22
so several weeks of verbal nitpicking ?
Volker Greimann (RrSG)
01:29:33
Hadia: we require it to be risk free...
Sarah Wyld (RrSG)
01:30:02
I thought it was just an example that B&B provided
Mark Svancarek (BC)
01:30:04
Volker, everyone on this call already has both pieces of the information. If you published that pseudonym on the open internet, it would not represent prsonal data for the vast majority of the world
Stephanie Perrin (NCSG)
01:30:09
As a data protection technique. Sure the ICO is correct. As to whether or not it removes the data’s character as personal data, sorry, wrong.
Margie Milam (BC)
01:32:18
Not true Milton — for example, if it relates to data that is NOT personal information. - such as that of a legal person
Stephanie Perrin (NCSG)
01:33:24
I am proposing it, Milton, because we clearly do not agree/accept the facts of this debate. Those who are raising the questions are not alone, I would argue that this is an area that is being debated. Certainly those of us who have been engaged in this debate for years are sick of it, but that does not mean we do not need to walk this through.
Milton Mueller (NCSG)
01:33:50
Margie that is just not correct
Volker Greimann (RrSG)
01:34:43
Yes, let’s design the thing we will perhaps never build
Hadia Elminiawi (ALAC)
01:35:01
when it comes to anonymization and pseudonymization its all about implementation
Brian King (IPC)
01:35:03
To be clear, we shouldn't throw out the concept of pseudonymization. Yes, in some cases pseudonymized data can be personal data, and personal data may be processed lawfully. We're also not limited to discussing this in terms of publication.
Hadia Elminiawi (ALAC)
01:35:32
however certainly we need to agree on the purpose first
Sarah Wyld (RrSG)
01:35:54
" We're also not limited to discussing this in terms of publication." In what other context are we discussing this?
Sarah Wyld (RrSG)
01:36:10
So far I heard it's re publication because the web form has limitations and there is a desire to correlate registrations
Milton Mueller (NCSG)
01:36:11
it’s all about publication, Brian. If we create a pseudonymized email that is not published, what is the point? We are just duplicating the registrant’s real email
Sarah Wyld (RrSG)
01:36:29
If it's not re publication, it's re SSAD disclosure? But in that context the expectation is to get the real data
Milton Mueller (NCSG)
01:37:20
exactly, Sarah
Milton Mueller (NCSG)
01:38:13
Asking us to spend weeks exploring how a pseuodonymized system would work when we know by definition that it is not going to be legal to publish it strikes me as the very definition of wasting time
Brian King (IPC)
01:38:38
I'm open to discussing disclosure/access to pseudonymized or anonymized email addresses.
Sarah Wyld (RrSG)
01:38:50
That's a very new topic
Brian King (IPC)
01:39:14
This is a very new EPDP phase :-)
Milton Mueller (NCSG)
01:39:20
Brian. Hello. If you’re disclosing something on SSAD you don’t need pseudonyms or anonymity
Sarah Wyld (RrSG)
01:40:04
I'm open to discussing the idea of disclosing pseudonymized data instead of real data
Brian King (IPC)
01:40:07
Why wouldn't we explore "a valuable privacy-enhancing technique"?
Laureen Kapin (GAC)
01:40:10
A standalone session on the Study would be helpful.
Sarah Wyld (RrSG)
01:40:18
I'm just surprised, because I didn't see that as a proposal in the homework files
Stephanie Perrin (NCSG)
01:41:33
Milton, I think that arguing about the matter of pseudonymization here spares us arguing about it later in the IRT. Join the IRT if you meed further explanation of why here is better. I would like to put a stake through the heart of this too, but clearly a legal memo and an authoritative view of the Art 29 group has not done that. The IRT certainly will not enhance the clarity on the issue in my view.
Sarah Wyld (RrSG)
01:43:01
If the suggestion was to provide pseudonymized data via the SSAD, can someone point me to where that was provided in the homework inputs? Thanks!
Hadia Elminiawi (ALAC)
01:43:46
Do any of the CPs already offer the registrants the possibility to provide consent?
Brian King (IPC)
01:44:01
@Sarah I just thought of it
Sarah Wyld (RrSG)
01:44:18
Ah ok
Tara Whalen (SSAC)
01:44:28
Yes, it’s primarily “bringing to your attention” a proposal that is under development.
Laureen Kapin (GAC)
01:45:07
From proposed EU legislation: Member States shall ensure that the TLD registries and the entities providing domain nameregistration services for the TLD publish, without undue delay after the registration of adomain name, domain registration data which are not personal data.
Sarah Wyld (RrSG)
01:45:45
Publishing non-personal data is not the problem here though
Margie Milam (BC)
01:45:52
+1 Melina & Laureen
Sarah Wyld (RrSG)
01:46:08
and NIS2 does (of course) include that Controllers must continue to follow the relevant data protection laws, including not publishing personal data
James Bladel (RrSG)
01:46:27
Need to drop a bit early. T hanks all.
Stephanie Perrin (NCSG)
01:50:32
How ICANN/registrars would handle the large volume is of legacy data strikes me as an issue. If the data is grandfathered in the upcoming regulation, it creates a policy problem for us.
Hadia Elminiawi (ALAC)
01:54:26
+1 Kieth to Brian providing his SOI
Marika Konings
01:55:01
Rafik was the GNSO Council Liaison to the EPDP Team (which is considered a member per the charter)
Sarah Wyld (RrSG)
01:55:08
But Rafik was from a GNSO context, right? And Brian is not a SO/AC/SG member? (Not necessarily meaning he shouldn't be vice chair, just, a difference)
Brian King (IPC)
01:57:25
@Sarah indeed he was. If the chair is neutral, perhaps that doesn't matter?
Marika Konings
01:57:51
None here :-)
Sarah Wyld (RrSG)
01:57:53
Maybe! I'd expect both Keith and Brian (or whoever) to be neutral, of course
Sarah Wyld (RrSG)
01:57:56
Thanks, all!
Brian King (IPC)
01:58:04
Agreed.
Brian King (IPC)
01:58:08
Thanks
Hadia Elminiawi (ALAC)
01:58:32
Thanks all bye