Good morning/afternoon EPDP Pioneers!

It's the Oregon Trail of PDPs!

Open Action Items: https://community.icann.org/display/EOTSFGRD/Action+Items+-+Phase+2

Compilation of Early Input: https://docs.google.com/document/d/13ynT-XM5CDDyTDW0rsZdpt91ym7QrjUD/edit

Next week works for BC

Sorry Caitlin for when is the briefing from B&B?

@Janis: Of course. Hopefully, only positive minds.

apologies fr being late, zoom problems

I think we missed that, with apologies. Thank you, Caitlin.

Thanks Caitlin. That’s very helpful.

Won’t object, but just noting that there are holidays across the region here next week.

That is Alex

I need to leave the call now as I have an overlapping call with the Board. Thanks everyone

Anybody have the link to the google doc on the screen handy?

https://docs.google.com/document/d/1iK9ygUOo8ntLWC_7dx3bS195W2ivkqHH/edit

Thanks Berry. Saw you copying it. :)

Thanks Berry

Do we get to react to Greg’s responses?

Responsibility to disclose is not a safeguard.

+ 1 to Amr, are we able to respond to responses?

Can we respond?

I don’t feel our comments were actually addressed

I do not believe they were, and when they were, IMO, this warrants some further clarification

yes, Amr, you are in line

to say the least

Thanks, Janis.

There is a lot of speculation in this. (Probably malicious , probably innocent…)

can we get this in writing?

I didn’t know we had to go through these slides.

this is really helpful & informative

Bit long though.

A lot of investigation happens before asking for contact info.

So you want to build an actual case prior to requesting a 6(1)f and try and figure out those factor that tip the balance in favour for disclosure for a 6(1)f ..... on a case by case basis.

yup

Why is attribution important in this case?

Courts have issued subpoenas without personal data in WHOIS. You can stop the attack without knowing who is behind it

if you want to help DoJ to issue indictments and name the attackers that’s another matter. That is not really cybersecurity that is attributing to punish the attacker which is far outside of SSAC mandate

That is the preference. Response in the goog doc. Thank you.

So then this is not the final reading of SSAC use case

Still not getting it. When we see such incidents, the registration data between domains involved usually does not match

We (SSAC) attempted to respond and incorporate comments on the google doc as of yesterday afternoon (PDT). Many of the NCSG comments were input later. We can take another pass at it.

that is true Ben and I am sorry about that. Appreciate a response

@Ben: Would be very much appreciated. Apologies for the late input on our part. Doing what we can.

This seems to indicate that you find most of the relevant information without need for requesting personal information either

+1 Tatiana

+1 Tatiana

@Tatiana: +1!!

+1

when private parties have the info, totally, yes

What do you want to do with attribution?

I was responding to the comments that private parties need to attribute to report to LEA

we co-authored that paper. Had 3 more authors on it Greg.

And in fact not all private investigators use whois data to do attribution. And when they do attribution they attribute it to a State. Not individuals.

+1 James

and that’s the information you put into you 6, 1f request

And we will balance it approporiately

@Margie: Sounds like you’re also proposing that balancing tests (which are required by law) cannot take place.

Well said, Margie

Appreciate that private investigators have needs. So do data subjects. The needs of the former cannot supersede the needs of the latter.

I appreciate, too. But I was talking about particular responses to the comments to the doc (about attribution and reporting to LEA). Now it’s all over the place which wasn’t my intent

@ Amp - some legal bases do not require balancing tests; some might require balancing, but we are getting legal advice to see if safeguards and certification can shift the balance so that there is no need for manual review of each request

Doesn’t sound like me, I LOVE anecdotes….

As long as they’re qualified as such, I suppose!

:-)

so a court order was still needed for that.

SSAC use case legal basis is 6(1)(f) . Nothing else. It needs balancing test.

Isn't this exactly what Law Enforcement is for? I dont think individual citizens typically investigate illegal activiites they're a victim of...

And even if the legal basis is not one that requires a balancing test specifically, for all requests we must ensure that there is a valid legal basis, the requestor is accredited, the requested data is minimized and releveant, etc. Ther's a lot that is hard to automate even for requests not under 61f

No, we can’t just rely on LEA. They need to be spoon-fed essential datas and even then manage to mess up the case

@Margie: Yup. 6(1)f is the legal basis that requires a balancing test to be conducted. Appreciate that there is a legal question proposed to clarify the extent to which this is needed. Speaking for myself, agree with those who said that “of course it is” on-list.

@Farzi- we disagree that f is the only bases and the legal committee is asking input from B&B on the scope of the others

Chris, if there is such a need and it’s legitimate I would like to hear what legal basic for this one would be, because I am not aware of the requirement to attribute before reporting to LEA and certainly recital 50 is not the basis.

Also…, not convinced that any of the legal bases in this use case are actually applicable, apart from 6(1)f, considering that this use case is about private investigators, and not a competent authority.

Wasn't Farzaneh's point that this specific use case has indicated 61f is the basis, so that's the one we must consider here & now?

If you want to attribute to bring charges, law enforcement has to be involved! At least I think so. (With the caveat of good law enforcement, not the ones that violate human rights

that kind of anonymization likely won’t fly

@Amr - legal advice will guide us - see the letters from the European Commission that note the other bases that apply

In the specific phishing example, we completely agree. It is a 6(1)f.

Since it allows cross referencing, it must already be considered personal information, just like IP addresses

Thank you @Ben. So, for 61f, balancing test is required

Of course

@Volker What kind of anonymization wont fly? and why?

+1 Alan

Thanks Ben. But we believe 6(1)(f) all the requests by cybersec researchers .

@Tatiana there is no requirement to attribute to a natural person but if you can attribute multiple domains to one malicious actor you will get a higher level of response.

6.1.f is not the only applicable legal basis for the disclosure here

It is, in fact

Happy to talk through fringe examples where a different basis may apply, but in the interest of time on the calls, we can do so either offline or in LA

also, this is not the usual level of detail in the disclosure requests we get.

If it were, we’d be able to comply with more

most are just: string x matches string y, now give us the data

Yes the court did.

@Hadia: Automation = no balancing test. That’s the short version of automation. Also, data subjects have the right to object to their data being processed in an automated manner.

right, Mark it would be a different use case in those instances

+1 Amr ... not to mention the fact that that would very fundamentally change the processing arena for all parties - including closer nexus to necessity to DPO etc.

That's an interesting point about the right to object to automated processing. Have we considered that yet? Probably sometign we should look inot

It is a very interesting case which Microsoft did. But it went to court and got permission for 3 months to divert the requests to its server. If that is what you are talking about Mark.

so many use cases! it's a challenge

QUestion for Hadia - When ALAC says that this is “important from an end-user perspective”, does ALAC have any data to support this assertion? I’d be especially interested in seeing how it is prioritized by various cohorts of end users versus online privacy. Thanks.

Good question James

@Farzi, that is one example

hang on

+1 James

Actually, over the presentation, I did not really have a chance to look at the changes

Alternatively, if this is one Member’s opinion of what is important to end-users, then I would ask that they qualify these claimns going forward. Thanks.

@Amr… To clarify your last point… End to end automation (complete automation) = no balancing test. Some aspects that may be required in a balancing test (we think, pending legal advice) may be able to benefit from some automation

That is totally fine Mark. The court was involved. Microsoft proved that its request was legitimate! In a very clever way actually.

@Ben: That sounds far more balanced to me (no pun intended). ;-)

We are not attempting to advocate for end-to-end automation. :)

As we mentioned, automation and the balancing test can co-exist.

Thanks, Ben. That’s very helpful.

How Brian ... truly ..... based on what.

@Amr why do you assume that having a balancing test eliminates the automation possibility also you could have some kind of human intervention at some point in the process and thus it would be GDPR compliant

Based on which arguments did you draw that conclusion Brian? I missed it

I would be happy to see how it was possible. That's not a road block, its a I'm genuinely interested.

I based it on a publication by the WP-29 that said so.

We're seeking legal advice to flesh out the specifics.

OK closer. And was that WP29 paper endorsed by the EDPB

(again not saying no... genuinely interested)

Thank you Janis.

Alan I first read it in the one on Article 7 of the Directive from 2014. I'm sure there's more recent stuff to be found.

in Germany, private investigations into some of this material is illegal, and rightly so

@James it is not either privacy or security. However, I would think that maybe putting together a survey in relation to your question could be beneficial. Personally, my experience is that all regular online users and consumers would like to have mechanisms that ensure that they are safe online.

which Art 29 Opinion?

Ok thank you. I'll review again. Truly we are looking for legal basis here and persuaive authority, if I know what we are basing our arguments on, we can be informed and come up with the path forward. Thank you.

+1 Volker

Steph & Alan one clue is here, top of p. 31: https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf

+1 Amr.

we can chat offline so as not to be a distraction here

Amr is correct. And I hate to be repetitive but Jacob Kohnstamm has pointed this out to us. So did Buttarelli in Copenhagen, as I recall

There is no need to limit the legal bases now while waiting for the legal advice.....

@Volker and Sarah, definitely an “in the weeds” point, but 3rd party investigations into those areas are sometimes illegal (like in Germany), but not everywhere. (Speaking as someone who has had to do them on behalf of a 3rd party) Not something we need to go into here though

different use case, different use case, different use case...

Ben - Yes, not everywhere. But for this use case on the whole, it seems to me that the info publicly availble should be turned over to LEA who have proper authority to get non-public data for an investigation.

@Margie: Discussing this use case is what we’re doing today, right? We’re just providing our reactions.

Legal obligations under contract does not turn an independent researcher into a law enforcement body. If they want that status they have to get a delegated authority.

@Stephanie: +1

I am representing NCSG obviously. But I am definitely a professor at Georgia Tech

just pointing out that we won't resolve it today - we understand there are different views on the legal bases

And a very fine one, too!

@Margie: Thanks for the clarification. I’m personally fine with that.

No need (or desire) to wrap this use case up today.

don’t understand why that point was made about Georgia Tech.

You mean about Milton being a fine prof? Just me being silly, apologies.

I have a comment

Farzaneh, me neither

No I meant Greg’s comment Steph.

Agree, it was a non-sequitur.

@Berry - Can we please have the link to the doc again

https://docs.google.com/document/d/1DBPBL_nIwE8tjaahM1uS3hvIA8FSzPiN/edit#

yes we can

Do we have to?

the icon community has done this discussion to death over and over\

icann

Let’s not waste time on this again and again. Let’s stick to the settled decision

In total agreement with Volker.

+1 Volker

put it on the website

Is the comment about enhancing trust in the marketplace based on empirical evidence?

I personally think that from the POV of the utilty of 'Use Cases' - this is a 6(1)f - so the process is the same -

Business is done on the website, not the domain

@Volker: +1

So, it's not happened yet - that means no crime has occurred. We're policing potential crimes now?

I've seen that scifi movie

Minority Report was a great film tho!

no it doesn’t Hadia

GDPR does not call for what you said it does

It was…, and I think they reached the conclusion that policing potential crimes is not a good thing. ;-)

Referring to the movie.

@Sarah - Tom Cruise doesn’t work here.

well… there are a wide variety of trust tools. Like trust mark , badge of honor etc

Sorry, but the scenario Hadia is describing is entirely out of scope for our work.

If you buy your tickets on a fake site, whois would not have helped yopu

Whois is just not the necessary tool …

Couldn't a lot of this consumer trust be gained by the RNH consenting to publish their data? If they don want to dislcose it, they shouldn't be obligated to do so

So are we to supplant the function of the police ?

goodness. What a consumer —

Yes verifying through turstmark, BBB, searching on google about reviews

@Sarah - agree that a reputation service might upvote a domain name where the contact data is unredacted and not privacy obscured.

And we continue to say “website” but RDS is associated with domain names.

+1 James!

@Hadia: Verification and validation of contact info, so far as they are requirements in ICANN/CPs contracts are done by Registrars, aren’t they?

let’s tap the brakes on this monologue

how does verification of who is behind a domain name can verify they are selling fake bags or not? is the consumer going to knock on the seller’s door?

if the registrant’s name is “evil fraud” then maybe...

This seems to be a basic and easily articulated use case. Users of the DNS should be able to confirm that the owner of a domain is who they say they are before doing business or interacting with the domain. The 6.1.f test can weigh all the factors, including whether the data is personal data.

@James: +1 on the scope.

+1 James

There are a myriad of ways to verify the integrity of the website. since GDPR says disclosure should happen when “necessary” … and when there is no alternative to carry out that purpose. In this use case I can give you at least three more tools to verify the integrity

@Farzaneh: +1

Well said James, thank you

@Sarah: +1

Pissedconsumers.com website is another to go to

+1 Stephanie!

+1 Stephanie

Also +1 Stephanie.

could not agree more, Stephanie

Farzaneh, I don't mean to pick, but "necessary" does not mean that there are no alternatives. That is simply not the correct standard.

@Brian: It’s one of the standards for a balancing test when requesting disclosure of personal data of a natural person.

Not the only one, but one of them.

@Margie - “Consumer Choice” and “competition” refers to the Domain Name industry. Not the online economy as a whole.

@James: Yes.

ICANN doesn’t handle online commercial disputes or vendor reputations, for example.

Also consider that a lot of transactions are consumer to consumer on eBay! And how is eBay involved! eBay is just a platform

@Amr yes

Why? it's a 6(1)f ...... again why are we straining the use case. What are the procedural steps in considering a 6(1)f - are there comanalities - the premise of this I think is exceptionally remote... but the process is the same as Greg's review earlier, and any ot her 6(1)f request.

*commonalities

My point is precisely that….it is NOT in the global public interest to claim that WHOIS will guide you to an accurate determination of the trustworthiness of a website

As someone (Alan G?) has already mentioned, the RDS does not distinguish between natural and legal.

It isn’t really an over-application of the law, unless we divine a way to ensure that personal data of natural persons will not be included in registration data of legal persons.

Greg’s comments about “the public interest” are based on an inaccurate understanding of the bylaws.

Alan, who is the controller here, ICANN or the registrar? If the registrar, then is it wrt the WHOIS data or the rest of their relationship with the registrant

which is outside the remit of ICANN

In the process of reforming ICANN’s bylaws during the transition (a process Greg was not involved in) we were careful to narrowly define ICANN’s mission precisely so that GPI could not be used to rationalize any thing and everything

+1 Stephanie

Extracting grains felt like extracting teeth

;-)

This case is limited to legal persons, hence there is no violation to data subjects rights. The EDPB acknowledged that ICANN bylaws go beyond the technical aspects and referred to consumer protection in their July 5th 2018 letter to ICANN. Finally we are not envisioning any sort of automation.

Have to drop. Thank you all for the comments and discussion.

Sorry, I have a hard stop. Thanks, Janis and colleagues!

+1 Hadia

Thanks team

I have to drop too. Thanks all.

Consumers in ICANN-land are registrants, not consumers of websites.

or web-based services.

Thank you

Thank you all bye

Thanks all

Thanks all. Bye.

thank you all