Hi Marita,

I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who ARE themselves the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.  

Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.

In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.

- Evan


PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.


On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have
suggested that the interests of registrants and end-users are not that
different. Keeping the private info of registrants out of the hands of
bad actors protects both parties. If crimes are committed, having tiered
access to the info would release that info to validated authorities. As
a registrant, I don't want my private information out there if it isn't
necessary. And I don't see how shielding my private info on WhoIS will
endanger my neighbour once tiered access is agreed upon. This is no
different from the way the law usually works -- we don't all have to
live in glass houses in order to be safe. We need well thought out
procedures that protect all of us.

It's just my opinion. I know others have good arguments. But I don't buy
the scary scenarios being presented by some groups hoping to scuttle
this whole thing. If the Europeans don't think the world will come to an
end once GDPR is enforced, why is the boogey man being unleashed in
North America?

http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/

Marita


On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in
the thread (which was not fully copied here) I believe that a major
concern of Holly and Bastiaan was that my statement sounded like it
was trying to get around GDPR, but in fact compliance with GDPR is (to
use a Star Trek expression) "the prime directive".

It is not a simple matter of security vs privacy. If, for instance, we
were talking about USER security vs USER privacy, we would have a real
challenge in deciding which was more important and I am pretty sure we
would not even try in the general case.

But that is not what we are talking about here. We are talking about
gTLD REGISTRANT privacy vs USER security. And the ALAC's position has
previously been that although we care about registrants (and their
privacy and their domains etc) and have put very significant resources
into supporting gTLD registrants, the sheer number of users makes
their security and ability to use the Internet with relative safety
and trust take precedence over the privacy of the relative handful of
gTLD registrants. That is why ICANN has (and continues to) support the
existing WHOIS system to the extent possible.

That is the entire gist of the Temporary Spec. - /"Consistent with
ICANN's stated objective to comply with the GDPR, while maintaining
the existing WHOIS system to the greatest extent possible, the
Temporary Specification maintains....."/

And I note with some amusement that some filter along the way has
flagged this entire thread as SPAM.

Alan

At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it
is unintentional, but the language does send the message that we are
looking more carefully at security than privacy. I am also not
convinced that end-users would want us to do that.

Marita


On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several
times and the positions didn't change.
What bothers me is the presentation of the registrants' interest as
opposite to the remaining users' ones. They are not since the
registrants are also subject to the domain abuse.
You are speaking about 4 billion users; these include all:
contracted parties, business, registrants, governments, etc. We are
about defending the interest of all of them as individual end users,
not as registry, registrar, businessman, minister, etc....
You included the cybersecurity researchers; you know how Cambridge
Analytica got the American data from Facebook? They requested to
have access to these data for research, and the result was the
American election result impacted.

So, I agree with Bastiaan that we need to be careful and care about
the protection of personal data as well as the prevention of any
harmful use of the domain names, both together.


*Tijani BEN JEMAA*
Executive Director
Mediterranean Federation of Internet Associations (*FMAI*)
Phone: +216 98 330 114
+216 52 385 114




On 3 Aug 2018, at 07:22, Bastiaan Goslings
<bastiaan.goslings@ams-ix.net> wrote:

Thanks for clarifying, Alan.

As a matter of principle I agree with Holly - and Michele. While I
think I understand the good intent of what you are saying, your
earlier responses almost sound to me like a false 'security
versus privacy' dichotomy. Like, the number of people (users)
that care about security as opposed to those (registrants) that
want their privacy protected to the max is larger. Etc.

Apologies if I am oversimplifying things here, I do not mean to.

In this particular EPDP case though I am convinced that we can find
a common ground on what the ALAC members and alternates should
bring to the table. In terms of perceived registrants' and
general Internet end-users' interests. As you rightly state, it
is about being GDPR compliant. So we do not have to be
philosophical about a rather broad term like 'privacy' and
argue about whether it is in conflict with e.g. the interest of
LEAs. Indeed, 'Privacy is not absolute'. However, 'due
process' is a(nother) no brainer, not just because it might be a
legal requirement. From what I understand the work being done on
defining Access and Accreditation criteria is keeping that
principle in mind, and within the MS context of the EPDP we can
together see to it that it does end up properly enshrined in policy
and contracts.

-Bastiaan



On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:

Holly, the original statement ends with "All within the
constraints of GDPR of course."

I don't know how to make that clearer. We would be absolutely
FOOLISH to argue for anything else, since it will not be
implementable.

That being said, if through the EPDP or otherwise we can help make
the legal argument for why good access for the folks we list at
the end is within GDPR, more power to us.

GDPR (and eventually similar legislation/regulation elsewhere) is
the overall constraint. It is equivalent to the laws of physics
which for the moment we need to consider inviolate.

So my statement that "other issues trump privacy" is within that
context. But just as proportionality governs what GDPR will decree
as private in any given case, so it will govern what is not
private. It all depends on making the legal argument and
ultimately if needed convincing the courts. They are the arbiters,
not me or anyone else in ICANN.

In the US, there is the constitutional right to freedom of speech,
but it is not unconstrained and there are limits to what you are
allowed and not allowed to say. And from time to time, the courts
and legislatures weigh in and decide where the line is.

Alan


At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan

I have concerns with your statement - and since your reply below,
with our statement of principles for the EPDP.

As I suggested in my email of 1 August, we need to be VERY clear
that we are NOT arguing against implementation of a policy that is
compliant with the GDPR. We are arguing for other issues that
impact on users - WITHIN the umbrella of the GDPR. And if we do
not make that very clear, then we look as if we are not prepared
to operate within the bounds of the EPDP - which is all about
developing a new policy to replace the RDS requirements that will
allow registries/registrars to comply with their ICANN contracts
and operate within the GDPR framework.

So your statement below that 'yes, other issues trump privacy'
- misstates that. What we are (or should be) arguing for is a
balance of rights of access that - to the greatest extent
possible - recognises the value of RDS to some constituencies
with legitimate purposes - WITHIN the GDPR framework. That
implicitly accepts that people/organisations that once had free
and unrestricted access to the data will no longer have that open
access.

And for ALAC generally, I will repeat what I said in my 1 August
email - our statement of principles must be VERY clear that we
are NOT arguing for a new RDS policy that goes outside of the GDPR.

Holly


On 3 Aug 2018, at 1:29 am, Alan Greenberg
<alan.greenberg@mcgill.ca> wrote:

At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan

Thanks for the clarifications.

3 - I don't know how you can know what the interests of a user
are. The assumption you seem to be making is that due process
and privacy should take a backseat to access to data

Privacy is not absolute but based on various other issues. So
yes, we are saying that in some cases, the other issues trump
privacy. Perhaps we differ on where the dividing line is.


4 - Same as 3. Plenty of ccTLDs never offered PII in their
public whois and there weren't any issues with security or
stability.

Skipping due process for "ease of access" is a very slippery
and dangerous slope.

Both here and in reply to #3, the term "due process" tends to be
used in reference to legal constraints associated with law
enforcement actions as sanctioned by laws and courts. That is
one path to unlocking otherwise private information. A major
aspect of the GDPR implementation will be identifying other less
cumbersome and restricted processes for accessing WHOIS data by
a variety of partners. It will not be unconstrained nor will it
be as cumbersome as going to court (hopefully).

Alan


Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/


Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland
Company No.: 370845

On 02/08/2018, 15:03, "Jonathan Zuck"
<JZuck@innovatorsnetwork.org> wrote:

  Thanks Michele!
  3. Where there appears to be a conflict of interest between a
  registrant and non-registrant end user, we'll be endeavoring to
  represent the interests of the non-registrant end user.
  4. Related to 3. This is simply an affirmation of the interests of
  end users in a stable and secure internet and it is those interests
  we'll be representing. We've included law enforcement because
  efficiencies regarding their access may come up. Just because
  there's always a way for them to get to data doesn't mean it's the
  best way.

  Make sense?
  Jonathan


  -----Original Message-----
  From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
  Sent: Wednesday, August 1, 2018 12:34 PM
  To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
  Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP

  Alan

  1 - good
  2 - good
  3 - I don't understand what that means
  4 - Why are you combining law enforcement and private parties? Law
  enforcement can always get access to data when they follow due
  process.

  Regards

  Michele


  --
  Mr Michele Neylon
  Blacknight Solutions
  Hosting, Colocation & Domains
  https://www.blacknight.com/
  https://blacknight.blog/
  Intl. +353 (0) 59 9183072
  Direct Dial: +353 (0)59 9183090
  Personal blog: https://michele.blog/
  Some thoughts: https://ceo.hosting/

  Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
  Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland
  Company No.: 370845

  On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg"
  <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:

      Yesterday, the EPDP Members were asked to present a 1-3 minute
      summary of their group's position in regard to the EPDP. The following
      is the statement agreed to by me, Hadia, Holly and Seun.

      1.   The ALAC believes that the EPDP MUST succeed and will be working
      toward that end.

      2.   We have a support structure that we are organizing to ensure
      that what we present here is understood by our community and has
      their input and support.

      3.   The ALAC believes that individual registrants are users and we
      have regularly worked on their behalf (as in the PDP that we
      initiated to protect registrant rights when their domains expire), if
      registrant needs differ from those of the 4 billion Internet users
      who are not registrants, those latter needs take precedence. We
      believe that GDPR and this EPDP are such a situation.

      4.   Although some Internet users consult WHOIS and will not be able
      to do so in some cases going forward, our main concern is access for
      those third parties who work to ensure that the Internet is a safe
      and secure place for users and that means that law enforcement,
      cybersecurity researchers, those combatting fraud in domain names,
      and others who help protect users from phishing, malware, spam,
      fraud, DDoS attacks and such can work with minimal reduction in
      access to WHOIS data. All within the constraints of GDPR of course.


      CPWG mailing list
      CPWG@icann.org
      https://mm.icann.org/mailman/listinfo/cpwg

      registration-issues-wg mailing list
      registration-issues-wg@atlarge-lists.icann.org
      https://mm.icann.org/mailman/listinfo/registration-issues-wg



  GTLD-WG mailing list
  GTLD-WG@atlarge-lists.icann.org
  https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg

  Working Group direct URL:
https://community.icann.org/display/atlarge/New+GTLDs