Julie Bisland's Personal Meeting Room
Thomas Rickert (ISPCP)
40:18
hi all
James Bladel (RrSG)
40:56
Only 10 minutes with “Strawberry”?
Marika Konings
41:17
@James - note this is for the plenary session.
Marika Konings
41:30
If the team wants more time F2F with the strawberry team this can of course be scheduled
Rafik Dammak (GNSO Council Liaison)
42:00
Plenary is the new name of cross community session :)
Marika Konings
42:07
As a reminder, this plenary session was requested by the GAC and the GNSO.
James Bladel (RrSG)
42:07
Got it. Thanks Rafik.
James Bladel (RrSG)
42:14
& Janis
Thomas Rickert (ISPCP)
43:37
what again was the time slot for sunday?
Hadia Elminiawi (ALAC)
44:08
I lost the sound
Hadia Elminiawi (ALAC)
44:19
back again
Marika Konings
46:16
Staff will circulate after this call a list of all the EPDP Team meetings at ICANN66
Brian King (IPC)
46:38
Thank you, Marika
Marika Konings
47:11
All the building blocks google docs are publicly available, although in view only mode it may not be possible to see redline and comments (one of the google doc limitations)
Caitlin Tubergen
51:25
Does ICANN have a clear preference on whether or not it will:
1. Field these requests for non-public data
2. Maintain its own RDS replica database
3. Make a/the determination of the validity of the request
4. Assume responsibility for this decision, in any scenario where ICANN doesn’t hold the data directly and must require a Contracted Party to respond to the Requestor (even if the Contracted Party disputes ICANN’s determination).
Marc Anderson (Verisign / RySG)
51:29
found the link
Marc Anderson (Verisign / RySG)
51:30
https://docs.google.com/document/d/1N66JcJ_1C9agknQGfJ22BG2L564hBS-w3k8ItZIZ_ew/edit
Matt Serlin (RrSG)
53:18
No objection to sending the questions as posed above…seems reasonable. And agree with the points Georgios is making as well.
Stephanie Perrin (NCSG)
53:47
Apologies for being late. Late election results last night kept us Canadians up….
Alan Woods (RySG)
54:17
Noting that EPDP are not asking the questions … Janis is
Alan Woods (RySG)
54:36
So I'm OK with it.
Matt Serlin (RrSG)
54:41
Exactly Alan…not coming from the group in this case
Alex Deacon (IPC)
01:03:33
@janis - I’ll wait for that update before I submit my comments.
Amr Elsadr (NCSG)
01:15:12
@Alan: +1 on all points.
Alan Woods (RySG)
01:19:51
I do think so. Because if that new processor felt that further disclosure was necessary without stating that as a purpose … so another person gets it … as long as it is connected to 'a trademark that someone holds' ….
Thomas Rickert (ISPCP)
01:20:04
Not only CAN the requestor become the controller. The requestor IS then the controller for what he is doing with the data.
Thomas Rickert (ISPCP)
01:22:41
Thanks, Stephanie!
Mark Svancarek (BC marksv)
01:24:22
Everyone is making good points, but I think the theoretical nature of this discussion is blocking resolution. When we have defined that language which will be presented to the registrant, and when we have discussed some examples of compatible/incompatible, this will be more clear.
Stephanie Perrin (NCSG)
01:25:46
The Equifax case was anything but theoretical.
Alan Woods (RySG)
01:26:18
+1 Stephanie. Although there are not enough hours in the day. I'm happy to help Amr
Alan Woods (RySG)
01:27:32
agree with that Amr - if subsequent to disclosure, the proposed processing changes, then another request should be made on that 'case' or in that 'request file' - but an assessment by the primary controller should occur.
Brian King (IPC)
01:27:48
@Amr I have an idea that might help too, and I'd be happy to work with Amr, Margie, AlanW
Mark Svancarek (BC marksv)
01:27:49
The non-theoretical nature of the Equifax case allows us to clearly discuss if the likely processing was disclosed to the data subject or if the processing was compatible. We don't have such details here.
Alex Deacon (IPC)
01:31:39
@hadia - the accreditation framework we discussed allows for what you are describing, e.g. multiple “authorization credentials” can be associated with a single “identity credential”.
Amr Elsadr (NCSG)
01:32:18
Thanks to everyone willing to help on “c”. Happy for any additional assistance, or alternatively, could just send this back to the full Team.
Laureen Kapin (GAC)
01:35:02
Seems like we are discussing two separate issues: 1) the ability of the requester to identify more than one purpose (which folks seem to agree on); and 2) the procedure to be used when the requester wishes to add a purpose after its initial request. Perhaps adding language to deal with this second aspect is what's needed. In that regard, the issue seems to be who will decide whether further processing under the second purpose is "incompatible" with the original stated purposes.
Alex Deacon (IPC)
01:35:55
+1 Laureen - we need to capture that detail in the policy so it can be properly (and correctly) handled in implementation and beyond.
Thomas Rickert (ISPCP)
01:36:11
To Amr’s point: LEA requestors must mention the legal basis
Thomas Rickert (ISPCP)
01:36:45
so that disclosure can take place based on 6 I c (if applicable)
Hadia Elminiawi (ALAC)
01:37:11
@Alex yes I know - and that is why my understanding is that you will always be able to say for which purpose the data was disclosed because each purpose is coupled with a unique identifier though it relates to the same requestor
Marc Anderson (Verisign / RySG)
01:37:54
Keep the language, but add the note that additional details will be in audit section
Marc Anderson (Verisign / RySG)
01:38:32
+1 Marika - looks good.
Brian King (IPC)
01:38:35
Fine by me
Brian King (IPC)
01:39:54
Could we start at the beginning?
Stephanie Perrin (NCSG)
01:39:55
worth noting that we are moving from an information commons to something that is [finally] compliant with DP law. In answer to Mark SV (The non-theoretical nature of the Equifax case allows us to clearly discuss if the likely processing was disclosed to the data subject or if the processing was compatible. we don't have such details here.) this is indeed a problem. ICANN has not actually done independent research on what organizations have done with the data they have collected from WHOIS. We have heard a lot of rhetoric about LEA use and consumer protection, but the actual economic use of these data collections has not been published (to my knowledge, references would be gratefully received).
Alan Woods (RySG)
01:41:12
@stephanie … of course we need to look at the data in the .NZ Domain tools case to scratch the surface of that particular super volcano....
Brian King (IPC)
01:41:33
Could we start at the top of building block H, please?
Alan Woods (RySG)
01:43:01
it is so very confusing!
Matt Serlin (RrSG)
01:43:04
+1 Marc
Alex Deacon (IPC)
01:43:08
very confusing
Amr Elsadr (NCSG)
01:43:09
@Marc: +1 on the double negatives!!
Mark Svancarek (BC marksv)
01:43:11
I am also confused by the double negative
Stephanie Perrin (NCSG)
01:44:34
Thanks for reminding me Alan, indeed lawsuits and disclosure appear to be the only way to get such data. Unless someone who served on the competition and consumer trust review point me to research on this important area....
Margie Milam (BC)
01:47:29
I need to drop off in a few min to drive but will remain on the phone
Brian King (IPC)
01:47:54
I can make it easy, just strike the word "necessary" in a)
Brian King (IPC)
01:48:19
It's a loaded word, it doesn't carry its dictionary meaning, and is not necessary for the objective in a)
Amr Elsadr (NCSG)
01:49:36
@Stephanie: +1
Mark Svancarek (BC marksv)
01:50:37
Splitting may help
Alex Deacon (IPC)
01:52:14
If the EWG report has helpful language here we should take a look at it.
Brian King (IPC)
01:54:28
Thank you
Brian King (IPC)
01:59:23
+1 Alan G, much of this is far too subjective
Volker Greimann (RrSG)
01:59:53
Then propose a definition
Hadia Elminiawi (ALAC)
02:00:17
+1 Mark to me also number 6 is difficult to comprehend
Brian King (IPC)
02:00:29
I thought we had a good definition previously when abuse was framed in terms of undermining the stability of the SSAD
Brian King (IPC)
02:00:57
"high volume" and "frequent" are particularly problematic
Alex Deacon (IPC)
02:02:10
We need to consider our principle of predictability here also - especially in a scenario where disclosure decisions may be distributed amongst 2000+ registrars.
Hadia Elminiawi (ALAC)
02:02:15
number 6 how would you implement this ?
Brian King (IPC)
02:02:23
"likely to have changed" and "intention of causing" are also problematic: according to whom?
Amr Elsadr (NCSG)
02:02:31
@Greg: Why should we expect SSAD to be used by parties different from those who used whois?
Volker Greimann (RrSG)
02:02:42
but it may work too
Matt Serlin (RrSG)
02:04:20
Agree that the specifics are probably better left to the implementation process so maybe just those high level principles are better here maybe along with some examples
Stephanie Perrin (NCSG)
02:05:44
+100 James
Hadia Elminiawi (ALAC)
02:05:46
@James the intent of 6 is understood but as it is now written it is so subjective
Alan Woods (RySG)
02:06:12
all the agreement to what James said
James Bladel (RrSG)
02:07:04
@Hadia - some degree of subjectivity is unavoidable. But please propose some more specific definitions of this behavior (‘harvesting’ or ‘data mining’) that would be better
James Bladel (RrSG)
02:07:49
This is kinda like “I understand there should be speed limits on the road, but not when MY car is being ticketed.”
Hadia Elminiawi (ALAC)
02:09:20
@james no it is not the same - the speed limit is known to everyone but here we don't know how you will apply this
Brian King (IPC)
02:09:57
+1 AlanG
Volker Greimann (RrSG)
02:10:04
That seems reasonable, since who would have a legitimate interest in harvesting GoDaddy's entire database?
James Bladel (RrSG)
02:10:35
AlanG - 1440 requests per day should satisfy nearly every conceivable use case — for a given user.
Alex Deacon (IPC)
02:10:35
+1 MarkSV
Alan Greenberg (ALAC)
02:11:06
@Volker, I agree, but the concern was that someone would try to meet a non-legitimate interest...
Volker Greimann (RrSG)
02:11:11
bad registrars have ICANN compliance to worry about
Matt Serlin (RrSG)
02:11:28
yes but we don’t know yet that these requests are even going to the small registrar as the model hasn’t yet been finalized
Alan Greenberg (ALAC)
02:11:47
@Volker, compliance can only take action if our policy CLEARLY says something is not allowed.
Stephanie Perrin (NCSG)
02:11:48
I agree with Mark SV on this.
Brian King (IPC)
02:11:51
@James I respectfully disagree. There are plenty of companies with 1440+ infringing domains at a given registrar
Marc Anderson (Verisign / RySG)
02:11:53
Bad actors are not suddenly going to be good actors if we get the words right.
Stephanie Perrin (NCSG)
02:12:16
It is a difficult problem to solve, from a competition and a regulatory perspective
Hadia Elminiawi (ALAC)
02:12:25
@james maybe you could say when data mining is detected.
Alan Greenberg (ALAC)
02:12:38
Regarding 1440, even if it is sufficient, having to spread them out 1 per minute is in my mind unreasonable.
Alan Greenberg (ALAC)
02:13:23
@Marc, correct, but our policies will allow action against them, IF we get it right.
Brian King (IPC)
02:14:31
As a policy principle, perhaps we all agree that as a priority the SSAD should meet the needs of its users. This will likely require addressing potential abuse, and any unavailability of the system should be limited to addressing abuse.
Hadia Elminiawi (ALAC)
02:15:31
@james that is refer to the detection of the act rather than referring to what might be the intent of the requestor.
Alan Woods (RySG)
02:16:15
Brian …. again …. the core consideration of the SSAD is not the user. It's the data subject!
Amr Elsadr (NCSG)
02:16:53
@Alan: Thank you!!
Brian King (IPC)
02:17:12
Ha, you don't give me enough credit :-)
Brian King (IPC)
02:17:29
"the SSAD (technical) system" better?
Alex Deacon (IPC)
02:17:45
+1 Alan - vague policies = vague implementation = zero compliance.
Matt Serlin (RrSG)
02:17:47
Compliance doesn’t take action on the words we use here…that gets done in implementation
James Bladel (RrSG)
02:17:53
No good deed....
Stephanie Perrin (NCSG)
02:17:54
Not sure that compliance is the appropriate enforcement arm here.
Stephanie Perrin (NCSG)
02:18:04
Depends entirely on ICANN’s role as controller
Mark Svancarek (BC marksv)
02:18:30
+1 Stephanie I am also concerned about compliance; might just be me being uninformed
Stephanie Perrin (NCSG)
02:18:57
also on the nature of the abuse. Some abuse needs to be policed by the DPAs. And of course civil society now that they are recognized.
James Bladel (RrSG)
02:19:07
@Greg - what about querying the same domain name 10,000 times?
Matt Serlin (RrSG)
02:19:16
I don’t believe James said leave that up to the registrar and registry…that could be decided by the central authority that runs the SSAD and that is language that is used currently in ICANN contracts
Stephanie Perrin (NCSG)
02:19:45
Important to remember in any definition of the public interest that we might come up with this year that protection of the individual IS the public interest in data protection law....
Alan Woods (RySG)
02:21:16
Agreed. Should be left up to the Controller who is legally liable to ensure that there is no abuse of the system .. or to put a fine point on it … doesn't have sufficient technical and organizational measures to prevent data breaches.
Amr Elsadr (NCSG)
02:21:21
@Stephanie: +1
Alan Woods (RySG)
02:22:06
or should I say Does have them... jeeze!
Alan Woods (RySG)
02:22:37
+1 Stephanie also!
Alan Woods (RySG)
02:25:49
Surely the legal questions would be far more beneficial based on the results of the study?
Brian King (IPC)
02:27:07
Q for IRT team: is that legal/natural study being addressed by IRT team?
Brian King (IPC)
02:27:32
I haven't followed IRT as closely as some others
Margie Milam (BC)
02:29:25
The discussion with GNSO isn't related to the topic of Accuracy
Becky Burr (ICANN Board Liaison)
02:29:30
The legal committee has a number of questions regarding legal/natural persons that it will be reviewing in the future
Margie Milam (BC)
02:29:34
that's a separate discussion
Amr Elsadr (NCSG)
02:29:51
@Margie: The GNSO Council are in talks with the Board on both accuracy and ARS.
Margie Milam (BC)
02:30:26
Amr- in what context?
Amr Elsadr (NCSG)
02:31:17
The Board asked for clarification on how the GNSO is handling those topics, and whether the EPDP Team would be doing any of the heavy lifting.
Georgios Tselentis (GAC)
02:31:39
@Marika there is an orphan link in the accuracy text regarding the link to a letter. Can we please have this link?
Marika Konings
02:31:58
Here is the latest letter: https://gnso.icann.org/en/correspondence/drazek-to-marby-15oct19-en.pdf
Amr Elsadr (NCSG)
02:32:01
Letters sent from Board to Council and Council to Board.
Becky Burr (ICANN Board Liaison)
02:32:06
@Stephanie - I don’t believe there is a proposal on any table to “define” the global public interest, which is - of course - highly contextual. That said, applicable law would certainly play an important role in the proposed GPI framework
Georgios Tselentis (GAC)
02:32:13
@Marika Many thanks!
Marika Konings
02:32:21
And this is the original letter: https://gnso.icann.org/sites/default/files/file/field-file-attach/marby-to-drazek-21jun19-en.pdf
Stephanie Perrin (NCSG)
02:32:31
I thought Goran had it in his deliverables...
Brian King (IPC)
02:33:13
Got it, thanks
Margie Milam (BC)
02:33:29
The letter merely points to the fact that we are working on it in Phase 2
Margie Milam (BC)
02:33:37
we should continue to do so.
Rafik Dammak (GNSO Council Liaison)
02:34:05
Council responded to the letter about ARS is from Goran/ICANN org
Volker Greimann (RrSG)
02:34:42
Food makes it more likely to come to agreement
Alan Woods (RySG)
02:34:49
Kicked off the call, but I will have to run anyway. Talk to you all Thursday!
Alex Deacon (IPC)
02:35:07
Food plus a keg of Molson.
Brian King (IPC)
02:36:54
+1 Alex
Hadia Elminiawi (ALAC)
02:37:15
thank you all bye
Amr Elsadr (NCSG)
02:37:22
Thanks all. Bye.