GNSO Council /Government Advisory Committee
meeting in Mar del Plata

3 April 2005

GNSO Council Participants:
Bruce Tonkin - GNSO Council Chair
Tom Keller - Registrars Constituency
Marilyn Cade - Commercial and Business Users Constituency
Philip Sheppard - Commercial and Business Users Constituency
Antonio Harris - ISPCPC
Tony Holmes - ISPCPC
Ken Stubbs - gTLD Registries constituency
Maureen Cubberley - Nominating Committee appointee
Kiyoshi Tsuru - Intellectual Property Interests Constituency
Niklas Lagergren - Intellectual Property Interests Constituency

Government Advisory Commitee (GAC) Participants
Suzanne Sene - Government Advisory Committee (GAC Liaison - GNSO Council
Hiroshi Kato - Japan
Handan Has - Canada
Malcolm Andrew - Canada
Ashley Cross - Australia
Mohamed Sharil Tarmizi - GAC chair - Malaysia
Marc S. Crandall - US Department of Justice

GNSO Council Remote Participants:
Grant Forsyth - Commercial and Business Users Constituency
Philip Colebrook - gTLD Registries Constituency

GNSO Council Absentees
Greg Ruth - ISPCPC
Ross Rader - Registrars Constituency
Marc Schneiders - NCUC
Carlos Afonso - NCUC
Robin Gross - NCUC
Cary Karp - gTLD Registries Constituency
Alick Wilson - Nominating Committee
Lucy Nichols - Intellectual Property Interests constituency

ICANN STAFF
ICANN Policy Officer - Olof Nordling
ICANN GNSO Policy Officer - Maria Farrell
GNSO Secretariat: Glen de Saint Géry

Bruce – presentation on GNSO & current issues (get presentation from Bruce) and WHOIS, invitation to GAC to provide information on public policy issues surrounding whois.

Suzanne – thanks. GAC is working to develop a concepts paper – principles is a bit too heavy – to try and find the commonalities on the issues relating to whois such as consumer protection, law enforcement, etc. uses of data. We want to get broad concepts on paper to reflect GAC consensus. We want to feed into the effort that we view very positively to develop consensus policy. We have some colleagues who will definitely find this an educational process so this is a useful exercise to broaden understanding about the issues and then we will extrapolate those commonalities to provide to the GNSO process.

Australia – we will be part of the paper and want to try to help balance the concepts of law enforcement etc. from a personal perspective, 90% of my input is on the cyber security protection of the critical infrastructure side. Phishing, etc, is becoming so sophisticated that legislation won’t counter it. I want the GAC to be more aware of the growing security aspects of this. Whois isn’t necessarily the answer to this, there is a range of activities to track down and close down sites. I’d personally like to find out a bit more about how lea use whois. They’re certainly starting to get more active on using whois around the world. In this concepts paper we should try to draw out – with out l;ea giving away trade secrets – some of these emerging security issues and how whois relates to them. When we get to Luxembourg we should be able to explain these issues a bit. Lea may not be able to lay all the issues out, ut they need to provide some input.

Bruce – we use quite a few of these systems, including IP address registries. If we start looking at this with law enforcement, we should look at those too.

Marilyn – I welcome the idea of the concepts paper. And at our own strategic planning session this afternoon we should examine the idea of a concepts paper as well. More specifically, on Ashley’s comments, about 3 years ago I hosted a seminar on lea, privacy, consumer protection and isps, it was to let people talk openly but not disclose their own practices too much. There is a lot to be learned about the changing world, and having the different parties look at it will advance everyone’s understanding. There are somethings we can do in icann – I support bruce’s comment – and somethings we can’t. so I don’t expect us to recommend the OECD principles again but we can use some adjacent inputs on privacy for our work as well.

Sharil– thanks to Suzanne for idea of concept paper. One of our difficulties with the GAC generally is that government officials change, sometimes every three years, and we have to go through a learning process again. The good thing about the churn rate is a lot of distributed knowledge, the bad is having to go through the educational process again. Secondly, these issues often come out of law enforcement parts of government first, privacy is secondary and then intellectual property is often tertiary. What we have undertaken in Malaysia is to try and bring back what we learn to other forums, such as Asia Pac Telecoms Forum. I also come from a law enforcement side, what you (Bruce) have pointed out on your slides just now is what we are looking at too. What I am worried about personally is over-regulation. One thing I have learned is that the moment you regulate something, the techies will find a way around it. Moving forward, at least from my region, the input I can give is as we move along identifying issues, from time to time, what I can do is to sensitise a broader community. But I caution you that even within governments perspectives will not be the same. For example law enforcement will not have the same perspective on security as others.

Ken Stubbs– given the time parameters and how the GAC moves , I’m concerned we’ll run into an impasse in two or three years. Various countries have laws regarding privacy that frankly are not being enforced now, but we could have a direct conflict between the privacy laws of the countries and the philosophy that ICANN is adopting. E.g. requirements for data to be included. I would hate a situation where german registrars as a result of an enthusiastic enforcement policy were forced into a situation where it became impossible for them to continue with domain names where the data was being produced in a non-compliant manner. As an example, biz and info are thick registries – in thin registries the data can be redacted in compliance with german law – but in a thick registry the registrar is required to provided the data for those who request it. We need to have a consistent policy. If .com becomes a thick registry – which could well happen – we could have millions of domain names where there are suddenly issues. So I hope you will develop in your plan a way to deal with that. We will have in security and stability concerns to deal with that. I would hate to see that internet become less stable as a place to do transactions, e.g. credit card transactions. In ccTLDs things are more stable but we could have problem with gTLDs.

Malcolm – we have privacy registration in Canada and .ca is revising policy to comply with that. Individuals have a problem as they’re no longer allowed to put names, addresses etc. on the internet. You would think it was ok to say as long as individuals have our own .ca registry then we’re ok, but if a country decided to say to registrars in Canada you must comply with our legislation even if you’re registering for .com I don’t know what we can do.

Ken – it’s the elephant in the room that there will always be a system to provide information to lea. You may have to jump through bigger hoops for other jurisdictions but you will get the information.

Bruce – looking at the timeframe of the development of whois and other structures, the establishment of the UDRP, at that time trademark law had been closed for many years whether the issues for lea and privacy on the internet. Whereas now the number of users on the internet has grown so the issues have grown massively. In the areas where we’re starting to look at privacy, privacy legislation in many countries is very new.

Australia – one of the issues we see rising is increasing sophistication of phishing attacks, the ability of criminals to cover their tracks. The speed issue of responses to whois is increasingly an issue. The sky is about to fall in in terms of cybersecurity – there are plenty of professional doom and gloom merchants – so the reality is hard to judge. But as the rate of attacks increases and is more high profile, you’ll see more governments getting interested. In the next 6 – 12 months our government will start really looking at this issue, so speed is really important.

Ken – if we don’t get the RIRs involved we’re in trouble.

Bruce – yes they have to be in the chain. All you know is it’s one big carrier in the US when you try and track something back.

Mark DoJ – we’re involved in forensics for several years. Registrars have a problem complying with the RAA. It will hve to be addressed on a country by country basis, not between the registrar and the privacy regulator, but it should be sorted out between the dpa and the lea. Why should ICANN and the registrars be in the middle. What if ICANN and registrars said to lea ‘what would you think if we took all this information offline’? many governments take different views internally on this.

Marilyn – we’re concerned with balance but can only determine it if we have the facts to inform and develop policy. Internet users and suppliers are changing massively. There are different issues – security, reliability, etc. – I’m wondering in your concepts paper that we would all benefit from a study that ICANN might commission about the characteristics of users on the internet today. Many individuals are not directly online – are on through their isp, etc. we don’t know enough about the characteristics of the users on whois. Icann is in a negotiation to introduce an individual gTLD that provides anonymity, but to get a registration you need to be authenticated. So the environment is changing. So we need to look at what is changing in the demographics of the space.

Australia – from security and public policy interest, which will raise its ugly head more often, perhaps one role for the policy officer may be to track through the issues surrounding whois such as phishing, child porn, etc. position tracking through the community to see what the lengths are. We’re getting lea to address GAC in Luxembourg, but it may be too narrow. And it needs the RIR. We may need ICANN to do some policy work to track these issues.

Bruce – we could bring up a live example of how to track a phishing attack..

Susanne – the ASO, we’ve done this on a regional basis. Same with the ccNSO we have 5 regional liaisons. We havne’t organized a meeting of our 5 regional reps, but if we collaborate and stayed on the same page, we could jointly reach out and expand the dialogue. We could set something up between now and Luxembourg. We would like to make the pitch and collaborate with you to move that forward.

Bruce – yes, in some of these meetings we may not call it an ICANN meeting as it’s not entirely within the ICANN scope and we’re not expanding the mission but we can hold a meeting on one side of the ICANN meeting.

Kiyoshi– I agree enforcement is a top priority. We haven’t heard that loud enough in our whois task forces. Let me explain why whois task forces are important. It’s not just an issue between data protection and enforcement. It’s global policy. It is restricted to the gTLD world but it may influence ccTLDs later on. So whatever policy comes out of this process will be a uniform global policy. So tat’s why we need to year from you on enforcement and accuracy and your views on the privacy/enforcement dilemma.

Philip Sheppard– I’m not directly involved within the task forces, but I’m interested in opportunities to share best practice. E.g. Canada is driving .ca and how to find solutions that are not too draconian. We’ll see with .eu a model that is compliant with the EU data protection directive, and what can we take from these.

Susanne – we know that you have reached out to some ccTLDs and benefited from some briefing with them. We did not have the sense that you needed anything from us to help you liaise with the cc community, but we’re more than happy to take it back to them and help. We’re in your hands on that. We want to better understand the different models.

Kiyoshi– we need a closer communication at the next level on actually creating policy, on enforcement and dealing with privacy issues.

Marilyn – I’m going to put a proposal on the table. What I hear is that the council of the GNSO and the GAC have a mutual concern with understanding how whois works, risks, needs of key stakeholders, that there’s a mutuality of concern here. In our meeting this afternoon we need a joint collaborative effort at the council level not the task force. This is a more strategic discussion. This is important because by working together we be able to identify the area bruce pointed to where ‘here’s the problem and here’s the part of it we can address within ICANN’. Then those of us in our day jobs can make the links with work outside ICANN and feed work back into other relevant groups.

Australia – are some ccTLDs using models where they’ve balanced in a day to day way the privacy and law enforcement access in their countries?

Marilyn – I instituted work on that in the previous whois task force, to learn from cc’s on how they deal with authentication, develop consultative process and learn from other groups about how they’ve faced these challenges.

Bruce – we haven’t looked at issues on my slide about external pressures in the task forces. So that was a different level of discussion what marilyn is suggesting is that dialogue is needed outside narrow area of whois re. security and stability that deals with whois. Whois isn’t phishing. So we need to understand how other issues relate to whois, not just whois.

Australia – so are we talking about having a session. Have just law enforcement and not privacy yet?

Marilyn & Suzanne – be realistic and just have law enforcement.

Susanne – part of our goal in having law enforcement is to educate our own community. To say here is the issue and here is how some of us have approached it.

Tony holmes – start having the RIRs there. We need to construct quite carefully as we don’t want yet another rehearsal of the arguments inside the task forces.

Bruce – I want to draw this discussion to a close. We have a sense that there’s something we are trying to achieve but we need to make that a bit more concrete in terms of suggestions.

Malcolm – we don’t have solutions yet though .ca would be glad to come and talk about what they’re doing. In terms of achieving the balance, we’re not there yet. And there needs to be more of a dialogue. It’s important that the privacy and lea people themselves talk some more.

Susanne – one of our goals is to facilitate those exchanges in capitals. To send people back home and contact there colleagues in other ministries etc. because that ism’t necessarily happening right now. Sharil is v. helpful and is working with us to bring along countries to whom this is new.

Ken – I have to echo some of the statements made. If at all possible Luxembourg is an ideal place to start the ball rolling . it needs to be narrowly focused and in addition to the technical responsibilities for security and stability, we are being called upon by various entities and processes to facilitate another sense of the use of the term security and stability. We4 need a discussion where we can raise these issues. Not necessarily raise the issues, but if we don’t bring in the RIRs, educate people about how this system works and why there are issues… you have to get a buy in.

Maureen – I’m wondering if the task forces have started to develop an inventory of reconciling whois and national policies.

Susanne – the GAC was invited to respond to a questionnaire but didn’t have enough time to respond. It’s not easy as there is in the us an inter-agency group with 12 – 15 agencies. Even if we’d had two months to come to a consensus on an appropriate answer on each question. The GAC itself did attempt to do its own questionnaire to elicit the different public policy uses to which governments put whois data. Out of 90 questionnaires we had 9 answers. It’s a very difficult job.

Maureen – is there way to

Kiyoshi– interrupts – there is a common denominator. Not a big position paper but two three bullets from lea on accuracy and how to deal with privacy.

Susanne – our goal in this paper is two fold. We want to try and extract these broad concepts as there is commonality. But part6 of the paper is awareness to educate colleagues around the table for whom this is a new issues. For us to elevate an issue to a GAC wide position it takes quite a bit of going to create a comfort with the issue. I don’t want to oversell this effort, as we’re very happy to be doing it, but these are early days and we’re at the beginning. by Luxembourg we will not necessarily have a paper. From our discussion today I feel we both think there’s value, but it’s educational, progressive and step by step.

Bruce – we have notes of this meeting. We will set up some conference calls etc. on what we can achieve before Luxembourg.

Marilyn – RIRs

Susanne – it won’t be a big public meeting but a closed workshop with no press.

Bruce – and probably outside ICANN

Marilyn – can we find another time to talk to Susanne about how we can continue to work together on this, at some other point this week. Maybe on public forum day?

Tony holmes – if we do that, remember we3 need to reach out to the missing element, the RIRs.

Bruce – we need to look at some case studies. i.e. examples of trying to identify people.

Australia – when we developed our position in Australia, we had to coordinate 8 different agencies. It’s a challenging task and we don’t want to set up committees.

GNSO input to ICANN planning

Bruce – GNSO input to ICANN planning. From a gnso point of view, we organized a meeting in Amsterdam in February, and outreached ot other areas – rirs and cctlds – it was a short once-off event to have some structured input to the first draft. Going forward, the strategic plan is assumed to be a rolling plan so will have new input -. How does the GAC feel this process should be going forward?

Susanne – as liaison I try to feed information to the GAC I send a little report out to say something is newsworthy, so I did one on Amsterdam. Once of our vice chairs, Stefano Trumpi of italy – was asked by Sharil to look at it and draw out some issues for the GAC plenary. But I can’t report anything yet as our plenary is tomorrow. I can provide that response through our list server One thing I flagged though was the commitment by ICANN to provide a revised strategic plan. Our timing is not concurrent with developments, Stefano has drafted something but we don’t have a working group that tracks this neatly. We have however recently created an executive committee composed of a chair and two vice-chairs. Very sadly our Nigerian vice chair died suddenly last fall. We haven’t replaced that spot. Also on the committee are the GAC working group convenors and liaisons. So there are 8 – 9 people and we use it to socialize issues to try and get a feel for GAC views on a topic. I’m happy to report back on whether we have a view on this issue of consultation.

Bruce – yes. It’s also thinking of how consultation will be going forward as this plan is likely to be signed off.

Marilyn – in catalyzing what is called the Amsterdam consultation, the council authorized the funding to make the meeting happen but reached out broadly to the ccNSO and the cc community, and to the RIRs, so that it would be a multi-stakeholder event. That’s an important message, as that was something we though should have taken place. Sometimes the best way to make change happen is to model it. Three events this week – volunteers from the Amsterdam consultation took the time to develop a draft consultation process as a working document. One thing we must think about is how to increase the input back and forth is the appropriate GAC contacts back and forward. So that’s another topic – how to strengthen the flow of information back and forth to the GNSO/GAC

Bruce– so it wasn’t a GNSO event though we were a catalyst.

Susanne – so it’s important to have input and contact. We’re trying to figure out how to handle issues back and forth.MF provided a helpful overview of the whois issues and overview yesterday. One thing we’re prepared to do in our communiqué is to support and commend the work being done on this issue. We hope you’ll welcome that. But to get at the cross cutting issues, for example, one of our Indian colleagues asked a question about whois and IDN which we’d never thought about before. So we don’t want to stovepipe these things. On our side we want the information to go back and forth, we welcome the opportunity to have had the question from you on should the GAC focus on this issue.

Bruce – thanks to everyone for attending.

Susanne – thank you and especially Glen for doing all the organizing for us. It’s great that you always take the lead. It’s a positive step forward and we will set up a group to look at this idea of the strategic plan looking ahead to Luxembourg.