Logo

Julie Bisland's Personal Meeting Room - Shared screen with speaker view
Matt Serlin (RrSG)
35:09
Welcome to the party Becky :)
Becky Burr (ICANN Board Liaison)
36:17
Thanks Matt!
Brian King (IPC)
38:07
Thank you, Leon. Welcome, Becky. Will Becky be helping with the legal team then, or TBD?
Milton Mueller (NCSG)
38:15
Welcome Becky.
Becky Burr (ICANN Board Liaison)
38:24
I don’t think Leon is available
Becky Burr (ICANN Board Liaison)
39:03
I am happy to help with the legal committee
Becky Burr (ICANN Board Liaison)
40:51
I am not sure how the chair is selected
Becky Burr (ICANN Board Liaison)
41:30
I am willing to do so
Brian King (IPC)
42:06
Thanks, Becky. I would welcome Becky to do so.
Marc Anderson (RySG)
42:34
thanks Becky, no concerns from me, and I appreciate your willingness to volunteer
Hadia Elminiawi (ALAC)
42:37
Welcome Becky
Marika Konings
43:42
See also: https://docs.google.com/document/d/1N66JcJ_1C9agknQGfJ22BG2L564hBS-w3k8ItZIZ_ew/edit
Ashley Heineman (GAC)
47:00
I would just be worried about sending mixed signals.
Greg Aaron (SSAC)
47:14
Will ICANN understand what the group means by "field"? (It is not clear.)
James Bladel (RrSG)
47:36
Agree with Marc, the draft letter covers these questions, and more.
Margie Milam (BC)
47:56
I am not understanding why there would be 2 letters?
James Bladel (RrSG)
48:08
@Margie - that’s the question. I think there should just be one.
Margie Milam (BC)
48:27
@James - agree
Matt Serlin (RrSG)
48:37
The ultimate decision maker is the Board as they will vote on the recommendations so I think the letter would go directly to them and they can consult with Org as needed...
Brian King (IPC)
48:39
agree
Brian King (IPC)
48:55
(with Matt as well as James/Margie)
Hadia Elminiawi (ALAC)
49:42
Agree one letter is enough
Greg Aaron (SSAC)
49:45
Yeah. One comm. We need an authoritative answer, and somehow the Board needs to be aware of it.
Georgios Tselentis (GAC)
49:55
can we see the draft now to make an informed decision?
Brian King (IPC)
50:10
thanks to CPH for drafting. Let's review and decide as an EPDP team if any edits are needed
Farzaneh Badii (NCSG)
54:41
No sorry I didn’t have time I will have a look in a timely manner. I apologize.
Leon Sanchez
55:40
Hello everyone. My apologies for lateness. I am currently waiting for my wife to come out of surgery. Nothing serious but that’s the reason I missed being on time for our call. Again my apologies
Farzaneh Badii (NCSG)
57:14
wishing her a fast recovery Leon. Thanks for attending despite all that
Leon Sanchez
57:42
Thanks so much Farzi:-)
Matt Serlin (RrSG)
58:06
No need to apologize Leon…speedy recovery to her!
Leon Sanchez (ICANN Board Liaison)
58:29
Thanks so much Matt :-)
Farzaneh Badii (NCSG)
01:04:08
Necessity is a part of balancing test
Farzaneh Badii (NCSG)
01:04:43
yes totally Hadia. I agree.
Farzaneh Badii (NCSG)
01:05:07
how can they automate that? These tests have to be tried on each case.
Farzaneh Badii (NCSG)
01:05:23
I would like to know how it can happen. I am not opposing it for now.
Hadia Elminiawi (ALAC)
01:09:36
@Farzi yes you are correct it should be applied on a case by case basis but maybe similar cases could be grouped and treated similarly
Milton Mueller (NCSG)
01:11:25
Marika can oyu put a link to that doc in here?
Marika Konings
01:11:35
https://community.icann.org/display/EOTSFGRD/e.+Building+Blocks
Milton Mueller (NCSG)
01:11:41
th
Milton Mueller (NCSG)
01:11:44
x
Hadia Elminiawi (ALAC)
01:13:41
@Farzi The balancing test balances the interests of the third party with the interests of the data subject. The necessity is a separate required test
Marika Konings
01:13:46
See also https://docs.google.com/document/d/13boFDslLC00MpuIhQV7yhwq0LPjZ-gz79pTmL-jyfus/edit
Farzaneh Badii (NCSG)
01:14:27
Yes you are right Hadia., These are the legitimate interest impact assessment tests
Brian King (IPC)
01:15:09
Are we starting with "i" or "l"?
Brian King (IPC)
01:15:20
Thanks
Farzaneh Badii (NCSG)
01:16:53
Only ONE year Mark? One long year with thousands of hours
Farzaneh Badii (NCSG)
01:16:55
you are a pro
Mark Svancarek (BC)
01:16:59
lol
Ayden Férdeline (NCSG)
01:17:50
i prefer to leave this to the disclosing entity to make the decision. We should not be so prescriptive
Margie Milam (BC)
01:21:18
From the BC Proposal: • Accredited access shall not be rate-limited or otherwise restricted except where the requester poses a demonstrable threat to a properly resourced system.
Mark Svancarek (BC)
01:21:29
It's trivially easy to block someone but possibly hard to convince an operator to unblock someone once blocked. Need to ensure that the process is not asymmetric and inherently stacked against requestors.
Brian King (IPC)
01:21:42
Agreed, limits should be based on preventing or addressing abuse, while not preventing legitimate queries, even if the volume is subjectively high
Matt Serlin (RrSG)
01:21:51
I think we would have a difficult time defining the entirely of what abuse of this system might look like
Matt Serlin (RrSG)
01:22:24
I think providing some principles is good and ultimately the operator will need to define exactly what qualifies as abuse
Alex Deacon (IPC)
01:22:29
The concept of predictability is also important here. e.g. we need be prescriptive enough to ensure predictability.
James Bladel (RrSG)
01:22:42
@Brian / @Margie - but there is also the issue of equitably sharing a common resource. If Facebook floods the system with millions of automated requests, then that effectively blocks smaller users (also legitimate) from a timely response.
Ashley Heineman (GAC)
01:23:15
Perhaps guidelines could be specified regarding what should *not* be considered abuse? Just a thought.
Stephanie Perrin (NCSG)
01:23:32
+1 Ashley
Stephanie Perrin (NCSG)
01:23:45
Much easier job, I would add
Margie Milam (BC)
01:24:44
the common resource needs to accommodate the volume necessary to meet the legitimate needs
Hadia Elminiawi (ALAC)
01:25:17
@Matt maybe we need to highlight that the volume of requests alone is not considered an abusive request
Farzaneh Badii (NCSG)
01:25:52
+1 Ashley. And Stephanie.
Matt Serlin (RrSG)
01:26:25
But it *could* be abusive Had…if an entity submits a high volume of clearly illegitimate requests, that would be abusive
Matt Serlin (RrSG)
01:26:32
Hadia :)
James Bladel (RrSG)
01:27:01
High Volume of rejected requests.
Matt Serlin (RrSG)
01:28:25
Maybe it’s a percentage threshold…if X percentage of your requests are rejected it would be considered abuse of the system
Alex Deacon (IPC)
01:28:48
@matt - that depends on how we define “rejected”.
Alan Greenberg (ALAC)
01:29:32
I don't see how a single definition can work with different types of requestors and different motivations.
Margie Milam (BC)
01:29:38
If CPH are worried about the volume -- ICANN can hold the data
James Bladel (RrSG)
01:30:42
@Margie - some CP’s are more technically capable than ICANN…
Hadia Elminiawi (ALAC)
01:30:50
@James limitations to a great extent will also depend on who makes the disclosure and the system's capabilities
Brian King (IPC)
01:31:02
The system simply has to be sufficiently provisioned to handle the required volume of legitimate requests
Margie Milam (BC)
01:31:22
CPH have SLAs they need to abide by
Farzaneh Badii (NCSG)
01:31:26
Less capacity I’d say
Volker Greimann (RrSG)
01:32:08
Greg, please realize how this business works.
Volker Greimann (RrSG)
01:32:17
there are registrars out there that have three staff
Ashley Heineman (GAC)
01:32:23
So... we should have single entity responsible for taking in requests in an SSAD. :-)
Farzaneh Badii (NCSG)
01:32:28
Smaller companies have less capacity, it might take longer to disclose
Volker Greimann (RrSG)
01:32:31
so if you send them a thousand requests, you will wait!
Farzaneh Badii (NCSG)
01:32:32
doesn’t mean they won’t
Margie Milam (BC)
01:32:40
+1 Ashley
Volker Greimann (RrSG)
01:32:43
and you will keep everyone else waiting
Matt Serlin (RrSG)
01:33:11
This conversation clearly illustrates the challenges of this question without knowing the specific model this system will take on…
Matt Serlin (RrSG)
01:33:29
Without the needed feedback from the Board about what’s acceptable, this discussion is premature IMO
Ashley Heineman (GAC)
01:33:34
zoom needs emojis.
Ashley Heineman (GAC)
01:33:39
+1 Matt
Volker Greimann (RrSG)
01:33:46
^_^ Ashley +1
Georgios Tselentis (GAC)
01:33:47
+1 Matt
Milton Mueller (NCSG)
01:33:53
don't forget wildebeests and leopards
Ashley Heineman (GAC)
01:34:05
Greg... mute your line. :-)
Ayden Férdeline (NCSG)
01:34:41
Well and clearly said @James
Hadia Elminiawi (ALAC)
01:34:43
+1 Matt
Hadia Elminiawi (ALAC)
01:35:16
@James true there are many elements to consider
James Bladel (RrSG)
01:36:15
Ah, good point Milton. But that still favors the larger (and presumably deep-pocketed) requestors.
James Bladel (RrSG)
01:36:28
But let’s not design in a “Tragedy of the Commons”
Milton Mueller (NCSG)
01:37:06
right, tragedy of commons is inevitable if it's free
Margie Milam (BC)
01:37:53
@ Milton - we put similar concepts in the BC accreditation model regarding financial issues: Applicants for Regular Access Accreditation would be required to post a bond or evidence of insurance to secure their obligations, and may be subject to higher accreditation fees;
Brian King (IPC)
01:38:12
That homework was a long time ago and I believe was about the use case template itself.
Brian King (IPC)
01:38:20
I think we've moved past this now
Brian King (IPC)
01:38:48
Marc's memory might be better than mine on this
Marc Anderson (RySG)
01:39:20
I agree, I think we've moved past this
Alex Deacon (IPC)
01:39:56
Thinking aloud - I wonder if we can simplify by combining a) and b)
Thomas Rickert (ISPCP)
01:40:32
Hi all, sorry for joining late.
Matt Serlin (RrSG)
01:40:50
@Alex I think that makes sense just not he face of it
Matt Serlin (RrSG)
01:41:13
On the face of it…
Milton Mueller (NCSG)
01:42:19
yes, a and b do seem redundant almost
Brian King (IPC)
01:42:49
they do seem redundant, or at least combinable
Milton Mueller (NCSG)
01:43:01
b says "monitor and take appropriate action..."
Chris Lewis-Evans(GAC)
01:43:01
Can we also swap them round, just my ocd
Matt Serlin (RrSG)
01:43:06
monitor and act…
Marc Anderson (RySG)
01:43:32
I agree they are different in nature - good point about switching the order
Mark Svancarek (BC)
01:43:59
@James, I volunteer to work with you on the homework
Margie Milam (BC)
01:44:22
I have to go offline to drive, but will remain on the call
Alex Deacon (IPC)
01:44:24
+1 Greg
Milton Mueller (NCSG)
01:46:20
+1 James. good point
Milton Mueller (NCSG)
01:46:36
although that problem goes away if there is a charge
Mark Svancarek (BC)
01:46:51
A charge for public data?
Farzaneh Badii (NCSG)
01:47:14
so are they gonna charge like a buffet (all you can eat?) or for each piece they should pay (increases price incrementally)
Milton Mueller (NCSG)
01:47:19
if you go through the SSAD to get it, yes, there will be because it will be linked to the disclosure process
Farzaneh Badii (NCSG)
01:47:50
Well you want the public data to be disclosed in batch with private data and come as a package. Certainly this seems valuable to you.
Brian King (IPC)
01:49:32
It sounds like a nightmare to need to write a C&D letter and get the country and state/province fields from one source and the postal address from another source
Brian King (IPC)
01:49:45
at scale especially
Volker Greimann (RrSG)
01:49:54
public data = bottled water? Do you mean we should sell it at ridiculous prices?
Farzaneh Badii (NCSG)
01:50:03
yep. It’s a nightmare for registrars to give it altogether as well.
Mark Svancarek (BC)
01:50:05
Please don't
Milton Mueller (NCSG)
01:50:08
Brian: That can be done as an application on the user end
Hadia Elminiawi (ALAC)
01:50:10
+1 Alan
Volker Greimann (RrSG)
01:50:38
You can get this data for free, but you can also pay for a curated, quality copy that will cost you a buck a request...
James Bladel (RrSG)
01:50:41
Volker - if we are bottling tap water and selling it, people can choose to buy, or drink from the public drinking fountain. And this metaphor has probably run its course.
Chris Lewis-Evans(GAC)
01:51:42
+1 Alan if the request just has public data decline this as not a valid request and reroute it elsewhere
Farzaneh Badii (NCSG)
01:51:45
yep. Whether bottle water is better than tap water is completely up to the buyer. You need a curated one then you should pay .
James Bladel (RrSG)
01:51:55
@mark sv - I would hope that is the case. But as Milton noted, we can address this with fees.
Farzaneh Badii (NCSG)
01:52:42
It costs to curate it. Also, the more data you have to be able to relate the more privacy of domain name registrant might be at risk (I am guessing)
Milton Mueller (NCSG)
01:54:10
Oh Alex, I will explain what we get from separate systems
Farzaneh Badii (NCSG)
01:55:58
I don’t think registrars are opposing it for fun. It is gonna cost
Milton Mueller (NCSG)
01:56:17
Whois is not SSAD
Alex Deacon (IPC)
01:56:22
Registrars are returning public data today via RDAP.
James Bladel (RrSG)
01:56:25
Greg - not correct. The fees are paid to SSAD operator
Farzaneh Badii (NCSG)
01:56:30
No we want to stop the abuse as well by charging
Volker Greimann (RrSG)
01:57:37
Sounds like a reasonable limit
Milton Mueller (NCSG)
01:58:23
rate limiting of public whois data is a policy problem for Whois, perhaps, but not for SSAD
Ashley Heineman (GAC)
01:58:24
How about, the response "can" provide public information.
Mark Svancarek (BC)
01:58:50
Volker, clarifying - 1 per minute is a "reasonable limit" for public data?
Matt Serlin (RrSG)
01:58:55
Rate limiting of public data seems outside the scope of what we should be discussing here…
Alex Deacon (IPC)
01:59:06
@ashley - that would negate any chance for predictability in the system.
Farzaneh Badii (NCSG)
01:59:11
How about we look at Ashley’s suggestion?
Volker Greimann (RrSG)
01:59:11
yes, since it prevents harvesting, which has been a problem
Farzaneh Badii (NCSG)
01:59:18
sounds reasonable to me
Brian King (IPC)
01:59:19
Matt it seems in scope if the rationale for not producing the public data is SSAD is that it's available outside of SSAD
Mark Svancarek (BC)
01:59:25
That is absurd.
Volker Greimann (RrSG)
01:59:56
since you only need the data for domains where you have evidence of malfeasance, and that review will likely take more time than a minute per domain, that sounds fair
Mark Svancarek (BC)
02:00:14
We are asking about public data - 1 per minute?
Greg Aaron (SSAC)
02:00:39
Nope, Milton. Don't attribute that motivation to people.
Farzaneh Badii (NCSG)
02:00:55
some people have created business out of this public data. That is fine, but charging for requests to prevent abuse is not?
Alex Deacon (IPC)
02:00:57
@milton - please stop putting words in my mouth
Farzaneh Badii (NCSG)
02:00:57
Why ?
Ashley Heineman (GAC)
02:00:59
So, if the concern is that it is hard for CPs, if we have single entity providing disclosure, can't they rely on RDAP and provide this information without undue burden on the CPs? Am I missing something? I just don't know why this is an issue.
Volker Greimann (RrSG)
02:01:01
unless you wish to harvest the database or clone it, any one user should not have legitimate use for faster access
Farzaneh Badii (NCSG)
02:01:30
Greg you have been attributing many motivations to people just on this call. And to domain name registrants (apparently they are mostly criminals)
Ashley Heineman (GAC)
02:01:54
And... I retract my "can" proposal. :-)
Alan Greenberg (ALAC)
02:02:02
Proposal: The response must include the public data elements related to the domain name registration associated with the requested non-public data.
James Bladel (RrSG)
02:02:19
I think I have a solution. *ducks*
Volker Greimann (RrSG)
02:02:39
the routine should alsways be:1. Determine need for any one domain records2. Verify that need2. Make request for that record
Brian King (IPC)
02:02:40
+1 Alan G
Ashley Heineman (GAC)
02:02:50
I would like to come back to my "let's take a leap of faith" proposal from LA.
Farzaneh Badii (NCSG)
02:03:04
I think Ashley’s suggestion was a good one
Ashley Heineman (GAC)
02:03:13
What about me Janis? :-)
Farzaneh Badii (NCSG)
02:03:44
Can someone listen to Ashley for a minute? :)
Volker Greimann (RrSG)
02:04:54
James +1
Janis Karklins (Chair)
02:05:32
Ashley is in the quai
Milton Mueller (NCSG)
02:06:56
I think I could accept James's proposal as long as there are per-requests fees associated with SSAD queries
Mark Svancarek (BC)
02:06:57
James's suggestion is how assumed SSAD worked in the first place - hence my concerns. I can agree with James' suggestion, of course.
Ashley Heineman (GAC)
02:07:50
I need an emoji. YES JAMES!
James Bladel (RrSG)
02:08:09
Sorry, I didn’t think it was obvious. I
Ashley Heineman (GAC)
02:08:11
+1
Brian King (IPC)
02:08:44
I think we'd support James' proposal
James Bladel (RrSG)
02:09:57
Run Ashley! :)
Farzaneh Badii (NCSG)
02:12:29
How machine makes the decisions by the way have to be made through a transparent policy
Milton Mueller (NCSG)
02:14:40
Our support for this is still contingent on a per query fee
Hadia Elminiawi (ALAC)
02:14:45
great
Volker Greimann (RrSG)
02:16:35
even when making bulk requests, the requester needs to justify the request for each single domain name
Becky Burr (ICANN Board Liaison)
02:17:17
I am transitioning to audio only
Volker Greimann (RrSG)
02:17:40
and there needs to be a balancing test for each request, not a bulk balancing test.
Milton Mueller (NCSG)
02:18:08
It does need to be explicitly stated
Alex Deacon (IPC)
02:18:13
balancing test only applies to 61f.
margiemilam
02:18:27
There can be categories of requests where there can be automated responses, even with a 61f
Farzaneh Badii (NCSG)
02:18:28
61f applies to most of the cases if not all
Alex Deacon (IPC)
02:18:45
right - not all.
Alan Greenberg (ALAC)
02:19:30
Balancing test only needed when GDPR applies. Our polict allows redation in many non-GDPR cases (as described by Alan W).
Alex Deacon (IPC)
02:19:53
@alan - yep.
Volker Greimann (RrSG)
02:20:02
and where it does not apply, the review of the justification must still be performed.
Margie Milam (BC)
02:20:21
the review can be automated
Mark Svancarek (BC)
02:21:10
Clarifying - not "random"
Alan Greenberg (ALAC)
02:21:18
No one said the set of names is "random".
Volker Greimann (RrSG)
02:21:26
"can", but likely won't
James Bladel (RrSG)
02:21:51
Note: I have a hard stop at the top of the hour (11CDT)
Farzaneh Badii (NCSG)
02:22:49
Alan this has to be a global policy. And the policy we come up with applies to all. you can’t deprive people of data protection because GDPR is not applicable to them
Margie Milam (BC)
02:23:01
The rules engine can help define the criteria for where things can be automated; some of the pilots are already doing it - like the WIPO one
Farzaneh Badii (NCSG)
02:23:47
Rules engine?
Brian King (IPC)
02:23:47
@Farzaneh the European Court of Justice disagrees with you
Farzaneh Badii (NCSG)
02:24:25
European Court of Justice could. ICANN policies are global. You want global access, we want global data protection. I think it is fair enough
Stephanie Perrin (NCSG)
02:24:32
One of the beauties of GDPR, possibly unappreciated by many in this group, is that it attempts to take a harmonized approach. IF we develop good criteria for the balancing test, which many of us do not think can be easily automated, it will suffice for most laws. We need to harmonize at a high, simplest possible level.
Volker Greimann (RrSG)
02:25:20
agreed, lets move on!
Mark Svancarek (BC)
02:25:27
lol
Farzaneh Badii (NCSG)
02:25:31
Access to personal info of people anywhere in the world is not anyone’s right.
Margie Milam (BC)
02:25:33
a rules engine can be built to automate 61f requests where possible
James Bladel (RrSG)
02:25:34
Hah. Brian, your mother is calling you home for dinner.
Milton Mueller (NCSG)
02:25:50
There's James and there's King James
Brian King (IPC)
02:26:11
Good, I'm hungry.
Farzaneh Badii (NCSG)
02:26:18
I have to drop off. Goodbye.
Stephanie Perrin (NCSG)
02:27:10
Good call James
Marika Konings
02:28:01
It may also be worth for everyone to review the SSAD worksheet info as that is where the EPDP Team further scoped the work and questions to be addressed.
Thomas Rickert (ISPCP)
02:28:13
I thought my reasoning was quite compelling
James Bladel (RrSG)
02:28:22
Marika - Can you send the link?
Thomas Rickert (ISPCP)
02:28:24
:-)
James Bladel (RrSG)
02:28:40
Thomas strongly agrees with Thomas. :)
Marika Konings
02:28:49
The relevant part of the worksheet has also been included at the bottom of every building block google dock
Marika Konings
02:29:12
So if you scroll down in this document, you see it there: https://docs.google.com/document/d/13boFDslLC00MpuIhQV7yhwq0LPjZ-gz79pTmL-jyfus/edit
James Bladel (RrSG)
02:32:33
Again, one of those things that sounds painfully obvious. But other products (SSL? Hosting?) may have valid & legitimate reasons to share data outside of SSAD.
James Bladel (RrSG)
02:33:29
@Thomas - Your argument seems to be that “old WHOIS didn’t offer these functions, so it is out of scope to discuss them here.” But others seem to be saying that it is out of scope to PROHIBIT these things. (Unless I”m misunderstanding) So let’s tee that up for next time.
Marika Konings
02:33:55
As a reminder, the charter includes section c that focuses on ‘terms of access and compliance with terms of use'
James Bladel (RrSG)
02:33:58
Thanks Janis & Staff. Bye all.
Brian King (IPC)
02:34:00
thanks all
Hadia Elminiawi (ALAC)
02:34:03
Thank you all
Matt Serlin (RrSG)
02:34:04
thanks all
Chris Lewis-Evans(GAC)
02:34:04
Thanks Everyone, Bye
Marika Konings
02:34:11
C1) what rules/policies will govern users' access to the data.
Alan Greenberg (ALAC)
02:34:17
When will Tuesday's agenda be sent?
Thomas Rickert (ISPCP)
02:34:19
thanks, James. let’s continue the conversation
Rafik Dammak (GNSO Council Liaison)
02:34:20
Thanks all