Marita, you cannot take one phrase out of context. If you go back in the
thread (which was not fully copied here) I believe that a major concern
of Holly and Bastiaan was that my statement sounded like it was trying to
get around GDPR, but in fact compliance with GDPR is (to use a Star Trek
expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we
were talking about USER security vs USER privacy, we would have a real
challenge in deciding which was more important and I am pretty sure we
would not even try in the general case.
But that is not what we are talking about here. We are talking about gTLD
REGISTRANT privacy vs USER security. And the ALAC's position has
previously been that although we care about registrants (and their
privacy and their domains etc) and have put very significant resources
into supporting gTLD registrants, the sheer number of users makes their
security and ability to use the Internet with relative safety and trust
take precedence over the privacy of the relative handful of gTLD
registrants. That is why ICANN has (and continues to) support the
existing WHOIS system to the extent possible.
That is the entire gist of the Temporary Spec. -
"Consistent with ICANN’s stated objective
to comply with the GDPR, while maintaining the existing WHOIS system to
the greatest extent possible, the Temporary Specification
maintains....."
And I note with some amusement that some filter along the way
has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani,
Holly, Bastian and Michele. Perhaps it is unintentional, but the language
does send the message that we are looking more carefully at security than
privacy. I am also not convinced that end-users would want us to do
that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion.
This issue has been discussed several times and the positions didn’t
change.
What bothers me is the presentation of the registrants' interest as
opposite to the remaining users' ones. They are not, since the registrants
are also subject to the domain abuse.
You are speaking about 4 billion users; these include all: contracted
parties, business, registrants, governments, etc. We are about defending
the interest of all of them as individual end users, not as registry,
registrar, businessman, minister, etc….
You included the cybersecurity researchers; you know how Cambridge
Analytica got the American data
from Facebook? They requested to have access to these data for research,
and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the
protection of personal data as well as the prevention of any harmful use
of the domain names, both together.
-----------------------------------------------------------------------------
*Tijani BEN JEMAA*
Executive Director
Mediterranean Federation of Internet Associations (*FMAI*)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------
On 3 Aug 2018, at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan.
As a matter of principle I agree with Holly - and Michele. While I think
I understand the good intent of what you are saying, your earlier
responses almost sound to me like a false ‘security versus privacy’
dichotomy. Like, the number of people (users) that care about security as
opposed to those (registrants) that want their privacy protected to the
max is larger. Etc.
Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a
common ground on what the ALAC members and alternates should bring to the
table. In terms of perceived registrants’ and general Internet
end-users’ interests. As you rightly state, it is about being GDPR
compliant. So we do not have to be philosophical about a rather broad
term like ‘privacy’ and argue about whether it is in conflict with
e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’.
However, ‘due process’ is a(nother) no brainer, not just because it
might be a legal requirement. From what I understand the work being done
on defining Access and Accreditation criteria is keeping that principle
in mind, and within the MS context of the EPDP we can together see to
it that it does end up properly enshrined in policy and
contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints
of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to
argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the
legal argument for why good access for the folks we list at the end is
within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the
overall constraint. It is equivalent to the laws of physics which for the
moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within
that context. But just as proportionality governs what GDPR will decree
as private in any given case, so it will govern what is not private. It
all depends on making the legal argument and ultimately if needed
convincing the courts. They are the arbiters, not me or anyone else in
ICANN.
In the US, there is the constitutional right to freedom of speech, but it
is not unconstrained and there are limits to what you are allowed and not
allowed to say. And from time to time, the courts and legislatures weigh
in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with
our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we
are NOT arguing against implementation of a policy that is compliant with
the GDPR. We are arguing for other issues that impact on users - WITHIN
the umbrella of the GDPR. And if we do not make that very clear, then
we look as if we are not prepared to operate within the bounds of the
EPDP - which is all about developing a new policy to replace the RDS
requirements that will allow registries/registrars to comply with their
ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ -
misstates that. What we are (or should be) arguing for is a balance of
rights of access that - to the greatest extent possible - recognises the
value of RDS to some constituencies with legitimate purposes - WITHIN the
GDPR framework. That implicitly accepts that people/organisations that
once had free and unrestricted access to the data will no longer have
that open access.
And for ALAC generally, I will repeat what I said in my 1 August email -
our statement of principles must be VERY clear that we are NOT arguing
for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele
Neylon - Blacknight wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The
assumption you seem to be making is that due process and privacy should
take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are
saying that in some cases, the other issues trump privacy. Perhaps we
differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs
never offered PII in their public whois and there weren't any issues with
security or stability.
Skipping due process for "ease of access" is a very slippery
and dangerous slope.
Both here and in reply to #3, the term "due process" tends to
be used in reference to legal constraints associated with law enforcement
actions as sanctioned by laws and courts. That is one path to unlocking
otherwise private information. A major aspect of the GDPR implementation
will be identifying other less cumbersome and restricted processes for
accessing WHOIS data by a variety of partners. It will not be
unconstrained nor will it be as cumbersome as going to court
(hopefully).
Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog:
https://michele.blog/
Some thoughts:
https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck"
<JZuck@innovatorsnetwork.org> wrote:
  Thanks Michele!
  3. Where there appears to be a conflict of interest between a
registrant and non-registrant end user, we'll be endeavoring to represent
the interests of the non-registrant end user.
  4. Related to 3. This is simply an affirmation of the interests of
end users in a stable and secure internet and it is those interests we'll
be representing. We've included law enforcement because efficiencies
regarding their access may come up. Just because there's always a way for
them to get to data doesn't mean it's the best way.
  Make sense?
  Jonathan
  -----Original Message-----
  From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On
Behalf Of Michele Neylon - Blacknight
  Sent: Wednesday, August 1, 2018 12:34 PM
  To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG
<cpwg@icann.org>
  Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement
regarding EPDP
  Alan
  1 - good
  2 - good
  3 - I don't understand what that means
  4 - Why are you combining law enforcement and private parties? Law
enforcement can always get access to data when they follow due
process.
  Regards
  Michele
  --
  Mr Michele Neylon
  Blacknight Solutions
  Hosting, Colocation & Domains
 Â
https://www.blacknight.com/
 Â
https://blacknight.blog/
  Intl. +353 (0) 59  9183072
  Direct Dial: +353 (0)59 9183090
  Personal blog:
https://michele.blog/
  Some thoughts:
https://ceo.hosting/
  -------------------------------
  Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
Park,Sleaty
  Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.:
370845
  On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan
Greenberg"
<registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of
alan.greenberg@mcgill.ca> wrote:
      Yesterday, the EPDP Members were asked to present a 1-3
minute
      summary of their groups position in regard to the EPDP. The
following
      is the statement agreed to by me, Hadia, Holly and
Seun.
      1.   The ALAC believes that the EPDP MUST succeed and will
be working
      toward that end.
      2.   We have a support structure that we are organizing to
ensure
      that what we present here is understood by our community and
has
      their input and support.
      3.   The ALAC believes that individual registrants are
users and we
      have regularly worked on their behalf (as in the PDP that
we
      initiated to protect registrant rights when their domains
expire), if
      registrant needs differ from those of the 4 billion Internet
users
      who are not registrants, those latter needs take precedence.
We
      believe that GDPR and this EPDP are such a
situation.
      4.   Although some Internet users consult WHOIS and will
not be able
      to do so in some cases going forward, our main concern is
access for
      those third parties who work to ensure that the Internet is a
safe
      and secure place for users and that means that law
enforcement,
      cybersecurity researchers, those combatting fraud in domain
names,
      and others who help protect users from phishing, malware,
spam,
      fraud, DDoS attacks and such can work with minimal reduction
in
      access to WHOIS data. All within the constraints of GDPR of
course.
      _______________________________________________
      CPWG mailing list
      CPWG@icann.org
     Â
https://mm.icann.org/mailman/listinfo/cpwg
      _______________________________________________
      registration-issues-wg mailing list
      registration-issues-wg@atlarge-lists.icann.org
     Â
https://mm.icann.org/mailman/listinfo/registration-issues-wg
  _______________________________________________
  CPWG mailing list
  CPWG@icann.org
 Â
https://mm.icann.org/mailman/listinfo/cpwg
  _______________________________________________
  GTLD-WG mailing list
  GTLD-WG@atlarge-lists.icann.org
 Â
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
  Working Group direct URL:
https://community.icann.org/display/atlarge/New+GTLDs