
28:41
Good morning/afternoon EPDP Pioneers!

29:06
It's the Oregon Trail of PDPs!

30:00
Open Action Items: https://community.icann.org/display/EOTSFGRD/Action+Items+-+Phase+2

30:41
Compilation of Early Input: https://docs.google.com/document/d/13ynT-XM5CDDyTDW0rsZdpt91ym7QrjUD/edit

30:43
Next week works for BC

38:47
Sorry Caitlin, when is the briefing from B&B?

40:53
@Janis: Of course. Hopefully, only positive minds.

41:17
apologies for being late, zoom problems

43:33
I think we missed that, with apologies. Thank you, Caitlin.

43:53
Thanks Caitlin. That’s very helpful.

45:21
Won’t object, but just noting that there are holidays across the region here next week.

49:31
That is Alex

50:14
I need to leave the call now as I have an overlapping call with the Board. Thanks everyone

52:34
Anybody have the link to the google doc on the screen handy?

52:44
https://docs.google.com/document/d/1iK9ygUOo8ntLWC_7dx3bS195W2ivkqHH/edit

52:55
Thanks Berry. Saw you copying it. :)

53:07
Thanks Berry

55:32
Do we get to react to Greg’s responses?

59:31
Responsibility to disclose is not a safeguard.

01:00:09
+1 to Amr, are we able to respond to responses?

01:00:35
Can we respond?

01:00:49
I don’t feel our comments were actually addressed

01:01:28
I do not believe they were, and when they were, IMO, this warrants some further clarification

01:01:33
yes, Amr, you are in line

01:01:33
to say the least

01:01:44
Thanks, Janis.

01:04:58
There is a lot of speculation in this. (Probably malicious , probably innocent…)

01:07:49
can we get this in writing?

01:07:57
I didn’t know we had to go through these slides.

01:09:14
this is really helpful & informative

01:09:25
Bit long though.

01:10:04
A lot of investigation happens before asking for contact info.

01:11:42
So you want to build an actual case prior to requesting a 6(1)f and try and figure out those factors that tip the balance in favour of disclosure for a 6(1)f ..... on a case by case basis.

01:11:47
yup

01:11:54
Why is attribution important in this case?

01:12:53
Courts have issued subpoenas without personal data in WHOIS. You can stop the attack without knowing who is behind it

01:13:54
if you want to help DoJ to issue indictments and name the attackers that’s another matter. That is not really cybersecurity that is attributing to punish the attacker which is far outside of SSAC mandate

01:14:37
That is the preference. Response in the goog doc. Thank you.

01:14:38
So then this is not the final reading of SSAC use case

01:15:18
Still not getting it. When we see such incidents, the registration data between domains involved usually does not match

01:15:58
We (SSAC) attempted to respond and incorporate comments on the google doc as of yesterday afternoon (PDT). Many of the NCSG comments were input later. We can take another pass at it.

01:16:22
that is true Ben and I am sorry about that. Appreciate a response

01:16:25
@Ben: Would be very much appreciated. Apologies for the late input on our part. Doing what we can.

01:16:54
This seems to indicate that you find most of the relevant information without need for requesting personal information either

01:17:04
+1 Tatiana

01:17:12
+1 Tatiana

01:17:27
@Tatiana: +1!!

01:17:34
+1

01:19:38
when private parties have the info, totally, yes

01:19:40
What do you want to do with attribution?

01:20:01
I was responding to the comments that private parties need to attribute to report to LEA

01:20:01
we co-authored that paper. Had 3 more authors on it Greg.

01:22:13
And in fact not all private investigators use whois data to do attribution. And when they do attribution they attribute it to a State. Not individuals.

01:22:37
+1 James

01:25:05
and that’s the information you put into your 6(1)f request

01:25:43
And we will balance it appropriately

01:26:08
@Margie: Sounds like you’re also proposing that balancing tests (which are required by law) cannot take place.

01:26:19
Well said, Margie

01:27:08
Appreciate that private investigators have needs. So do data subjects. The needs of the former cannot supersede the needs of the latter.

01:27:45
I appreciate, too. But I was talking about particular responses to the comments to the doc (about attribution and reporting to LEA). Now it’s all over the place which wasn’t my intent

01:28:22
@Amr - some legal bases do not require balancing tests; some might require balancing, but we are getting legal advice to see if safeguards and certification can shift the balance so that there is no need for manual review of each request

01:28:25
Doesn’t sound like me, I LOVE anecdotes….

01:28:47
As long as they’re qualified as such, I suppose!

01:28:55
:-)

01:29:00
so a court order was still needed for that.

01:29:19
SSAC use case legal basis is 6(1)(f) . Nothing else. It needs balancing test.

01:29:22
Isn't this exactly what Law Enforcement is for? I don't think individual citizens typically investigate illegal activities they're a victim of...

01:30:35
And even if the legal basis is not one that requires a balancing test specifically, for all requests we must ensure that there is a valid legal basis, the requestor is accredited, the requested data is minimized and relevant, etc. There's a lot that is hard to automate even for requests not under 61f

01:30:38
No, we can’t just rely on LEA. They need to be spoon-fed essential data and even then manage to mess up the case

01:30:39
@Margie: Yup. 6(1)f is the legal basis that requires a balancing test to be conducted. Appreciate that there is a legal question proposed to clarify the extent to which this is needed. Speaking for myself, agree with those who said that “of course it is” on-list.

01:30:58
@Farzi - we disagree that f is the only basis and the legal committee is asking input from B&B on the scope of the others

01:31:16
Chris, if there is such a need and it’s legitimate I would like to hear what the legal basis for this one would be, because I am not aware of the requirement to attribute before reporting to LEA and certainly recital 50 is not the basis.

01:31:24
Also…, not convinced that any of the legal bases in this use case are actually applicable, apart from 6(1)f, considering that this use case is about private investigators, and not a competent authority.

01:31:39
Wasn't Farzaneh's point that this specific use case has indicated 61f is the basis, so that's the one we must consider here & now?

01:31:48
If you want to attribute to bring charges, law enforcement has to be involved! At least I think so. (With the caveat of good law enforcement, not the ones that violate human rights

01:31:49
that kind of anonymization likely won’t fly

01:32:04
@Amr - legal advice will guide us - see the letters from the European Commission that note the other bases that apply

01:32:12
In the specific phishing example, we completely agree. It is a 6(1)f.

01:32:17
Since it allows cross referencing, it must already be considered personal information, just like IP addresses

01:32:45
Thank you @Ben. So, for 61f, balancing test is required

01:32:51
Of course

01:33:13
@Volker What kind of anonymization won't fly? and why?

01:33:22
+1 Alan

01:33:29
Thanks Ben. But we believe 6(1)(f) all the requests by cybersec researchers.

01:34:07
@Tatiana there is no requirement to attribute to a natural person but if you can attribute multiple domains to one malicious actor you will get a higher level of response.

01:34:48
6.1.f is not the only applicable legal basis for the disclosure here

01:34:56
It is, in fact

01:35:00
Happy to talk through fringe examples where a different basis may apply, but in the interest of time on the calls, we can do so either offline or in LA

01:35:22
also, this is not the usual level of detail in the disclosure requests we get.

01:35:42
If it were, we’d be able to comply with more

01:36:02
most are just: string x matches string y, now give us the data

01:36:34
Yes the court did.

01:36:37
@Hadia: Automation = no balancing test. That’s the short version of automation. Also, data subjects have the right to object to their data being processed in an automated manner.

01:36:45
right, Mark it would be a different use case in those instances

01:37:23
+1 Amr ... not to mention the fact that that would very fundamentally change the processing arena for all parties - including closer nexus to necessity to DPO etc.

01:37:24
That's an interesting point about the right to object to automated processing. Have we considered that yet? Probably something we should look into

01:37:26
It is a very interesting case which Microsoft did. But it went to court and got permission for 3 months to divert the requests to its server. If that is what you are talking about Mark.

01:37:32
so many use cases! it's a challenge

01:37:34
Question for Hadia - When ALAC says that this is “important from an end-user perspective”, does ALAC have any data to support this assertion? I’d be especially interested in seeing how it is prioritized by various cohorts of end users versus online privacy. Thanks.

01:37:48
Good question James

01:38:04
@Farzi, that is one example

01:38:11
hang on

01:38:19
+1 James

01:38:27
Actually, over the presentation, I did not really have a chance to look at the changes

01:38:29
Alternatively, if this is one Member’s opinion of what is important to end-users, then I would ask that they qualify these claims going forward. Thanks.

01:38:30
@Amr… To clarify your last point… End to end automation (complete automation) = no balancing test. Some aspects that may be required in a balancing test (we think, pending legal advice) may be able to benefit from some automation

01:38:56
That is totally fine Mark. The court was involved. Microsoft proved that its request was legitimate! In a very clever way actually.

01:38:57
@Ben: That sounds far more balanced to me (no pun intended). ;-)

01:39:11
We are not attempting to advocate for end-to-end automation. :)

01:39:38
As we mentioned, automation and the balancing test can co-exist.

01:39:43
Thanks, Ben. That’s very helpful.

01:40:03
How Brian ... truly ..... based on what.

01:40:04
@Amr why do you assume that having a balancing test eliminates the automation possibility also you could have some kind of human intervention at some point in the process and thus it would be GDPR compliant

01:40:07
Based on which arguments did you draw that conclusion Brian? I missed it

01:40:25
I would be happy to see how it was possible. That's not a roadblock, it's an "I'm genuinely interested".

01:40:25
I based it on a publication by the WP-29 that said so.

01:40:44
We're seeking legal advice to flesh out the specifics.

01:41:13
OK closer. And was that WP29 paper endorsed by the EDPB

01:41:35
(again not saying no... genuinely interested)

01:43:42
Thank you Janis.

01:44:40
Alan I first read it in the one on Article 7 of the Directive from 2014. I'm sure there's more recent stuff to be found.

01:45:33
in Germany, private investigations into some of this material is illegal, and rightly so

01:45:39
@James it is not either privacy or security. However, I would think that maybe putting together a survey in relation to your question could be beneficial. Personally, my experience is that all regular online users and consumers would like to have mechanisms that ensure that they are safe online.

01:45:58
which Art 29 Opinion?

01:46:10
Ok thank you. I'll review again. Truly we are looking for legal basis here and persuasive authority; if I know what we are basing our arguments on, we can be informed and come up with the path forward. Thank you.

01:46:13
+1 Volker

01:48:25
Steph & Alan one clue is here, top of p. 31: https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf

01:48:30
+1 Amr.

01:48:43
we can chat offline so as not to be a distraction here

01:49:23
Amr is correct. And I hate to be repetitive but Jacob Kohnstamm has pointed this out to us. So did Buttarelli in Copenhagen, as I recall

01:49:28
There is no need to limit the legal bases now while waiting for the legal advice.....

01:49:29
@Volker and Sarah, definitely an “in the weeds” point, but 3rd party investigations into those areas are sometimes illegal (like in Germany), but not everywhere. (Speaking as someone who has had to do them on behalf of a 3rd party) Not something we need to go into here though

01:49:42
different use case, different use case, different use case...

01:50:00
Ben - Yes, not everywhere. But for this use case on the whole, it seems to me that the info publicly available should be turned over to LEA who have proper authority to get non-public data for an investigation.

01:50:05
@Margie: Discussing this use case is what we’re doing today, right? We’re just providing our reactions.

01:50:14
Legal obligations under contract does not turn an independent researcher into a law enforcement body. If they want that status they have to get a delegated authority.

01:50:29
@Stephanie: +1

01:50:29
I am representing NCSG obviously. But I am definitely a professor at Georgia Tech

01:50:54
just pointing out that we won't resolve it today - we understand there are different views on the legal bases

01:51:06
And a very fine one, too!

01:51:11
@Margie: Thanks for the clarification. I’m personally fine with that.

01:51:26
No need (or desire) to wrap this use case up today.

01:51:43
don’t understand why that point was made about Georgia Tech.

01:52:13
You mean about Milton being a fine prof? Just me being silly, apologies.

01:52:23
I have a comment

01:52:29
Farzaneh, me neither

01:54:35
No I meant Greg’s comment Steph.

01:55:29
Agree, it was a non-sequitur.

01:58:55
@Berry - Can we please have the link to the doc again

01:59:14
https://docs.google.com/document/d/1DBPBL_nIwE8tjaahM1uS3hvIA8FSzPiN/edit#

01:59:20
yes we can

01:59:49
Do we have to?

02:00:04
the icon community has done this discussion to death over and over

02:00:10
icann

02:00:42
Let’s not waste time on this again and again. Let’s stick to the settled decision

02:01:10
In total agreement with Volker.

02:01:27
+1 Volker

02:03:08
put it on the website

02:03:09
Is the comment about enhancing trust in the marketplace based on empirical evidence?

02:03:18
I personally think that from the POV of the utility of 'Use Cases' - this is a 6(1)f - so the process is the same -

02:03:18
Business is done on the website, not the domain

02:03:28
@Volker: +1

02:04:03
So, it's not happened yet - that means no crime has occurred. We're policing potential crimes now?

02:04:10
I've seen that scifi movie

02:04:17
Minority Report was a great film tho!

02:04:22
no it doesn’t Hadia

02:04:47
GDPR does not call for what you said it does

02:04:48
It was…, and I think they reached the conclusion that policing potential crimes is not a good thing. ;-)

02:04:57
Referring to the movie.

02:05:04
@Sarah - Tom Cruise doesn’t work here.

02:05:31
well… there are a wide variety of trust tools. Like trust mark, badge of honor etc

02:05:43
Sorry, but the scenario Hadia is describing is entirely out of scope for our work.

02:05:44
If you buy your tickets on a fake site, whois would not have helped you

02:05:50
Whois is just not the necessary tool …

02:05:50
Couldn't a lot of this consumer trust be gained by the RNH consenting to publish their data? If they don't want to disclose it, they shouldn't be obligated to do so

02:06:01
So are we to supplant the function of the police ?

02:06:42
goodness. What a consumer —

02:07:00
Yes verifying through trustmark, BBB, searching on google about reviews

02:07:04
@Sarah - agree that a reputation service might upvote a domain name where the contact data is unredacted and not privacy obscured.

02:07:43
And we continue to say “website” but RDS is associated with domain names.

02:07:51
+1 James!

02:08:17
@Hadia: Verification and validation of contact info, so far as they are requirements in ICANN/CPs contracts are done by Registrars, aren’t they?

02:08:41
let’s tap the brakes on this monologue

02:09:47
how can verification of who is behind a domain name verify whether they are selling fake bags or not? is the consumer going to knock on the seller’s door?

02:10:32
if the registrant’s name is “evil fraud” then maybe...

02:11:07
This seems to be a basic and easily articulated use case. Users of the DNS should be able to confirm that the owner of a domain is who they say they are before doing business or interacting with the domain. The 6.1.f test can weigh all the factors, including whether the data is personal data.

02:11:41
@James: +1 on the scope.

02:11:49
+1 James

02:12:23
There are a myriad of ways to verify the integrity of the website. since GDPR says disclosure should happen when “necessary” … and when there is no alternative to carry out that purpose. In this use case I can give you at least three more tools to verify the integrity

02:12:51
@Farzaneh: +1

02:13:55
Well said James, thank you

02:14:02
@Sarah: +1

02:14:23
Pissedconsumers.com website is another to go to

02:15:52
+1 Stephanie!

02:15:59
+1 Stephanie

02:16:12
Also +1 Stephanie.

02:16:18
could not agree more, Stephanie

02:18:00
Farzaneh, I don't mean to pick, but "necessary" does not mean that there are no alternatives. That is simply not the correct standard.

02:18:35
@Brian: It’s one of the standards for a balancing test when requesting disclosure of personal data of a natural person.

02:18:53
Not the only one, but one of them.

02:18:55
@Margie - “Consumer Choice” and “competition” refers to the Domain Name industry. Not the online economy as a whole.

02:19:11
@James: Yes.

02:19:14
ICANN doesn’t handle online commercial disputes or vendor reputations, for example.

02:19:35
Also consider that a lot of transactions are consumer to consumer on eBay! And how is eBay involved! eBay is just a platform

02:19:59
@Amr yes

02:20:44
Why? it's a 6(1)f ...... again why are we straining the use case. What are the procedural steps in considering a 6(1)f - are there comanalities - the premise of this I think is exceptionally remote... but the process is the same as Greg's review earlier, and any other 6(1)f request.

02:20:54
*commonalities

02:21:27
My point is precisely that….it is NOT in the global public interest to claim that WHOIS will guide you to an accurate determination of the trustworthiness of a website

02:22:13
As someone (Alan G?) has already mentioned, the RDS does not distinguish between natural and legal.

02:22:17
It isn’t really an over-application of the law, unless we divine a way to ensure that personal data of natural persons will not be included in registration data of legal persons.

02:22:47
Greg’s comments about “the public interest” are based on an inaccurate understanding of the bylaws.

02:23:49
Alan, who is the controller here, ICANN or the registrar? If the registrar, then is it wrt the WHOIS data or the rest of their relationship with the registrant

02:23:56
which is outside the remit of ICANN

02:24:11
In the process of reforming ICANN’s bylaws during the transition (a process Greg was not involved in) we were careful to narrowly define ICANN’s mission precisely so that GPI could not be used to rationalize any thing and everything

02:24:22
+1 Stephanie

02:25:13
Extracting grains felt like extracting teeth

02:25:52
;-)

02:26:47
This case is limited to legal persons, hence there is no violation to data subjects rights. The EDPB acknowledged that ICANN bylaws go beyond the technical aspects and referred to consumer protection in their July 5th 2018 letter to ICANN. Finally we are not envisioning any sort of automation.

02:26:52
Have to drop. Thank you all for the comments and discussion.

02:27:00
Sorry, I have a hard stop. Thanks, Janis and colleagues!

02:27:03
+1 Hadia

02:27:04
Thanks team

02:27:09
I have to drop too. Thanks all.

02:27:50
Consumers in ICANN-land are registrants, not consumers of websites.

02:28:09
or web-based services.

02:28:20
Thank you

02:28:27
Thank you all bye

02:28:28
Thanks all

02:28:31
Thanks all. Bye.

02:28:31
thank you all