Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their group's position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their group's position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
Hi Michele, See below. At 01/08/2018 12:33 PM, Michele Neylon - Blacknight wrote:
Alan
1 - good
2 - good
3 - I don't understand what that means
If we were concerned only with Registrants, privacy is a really good thing for them and we would want more of it. From a pure user point of view, if GDPR makes it harder for those knowledgeable ones to access WHOIS and makes it hard for the others listed in 4 to get quick and effective access, then privacy is bad. In our minds, we represent both, and we have to decide where to draw the line. Based on a principle we established a decade ago, we go with the numbers and take a user perspective. (And to be clear, there is a small contingent of our community that does not agree!)
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Law enforcement is a heavy user of WHOIS at the moment (or perhaps better said, pre-GDPR). Yes, they will be able to get access through due process, but that is slow and often will not be done, so access will be less. Perhaps a lot so. And there may be disclosure requirements that might be considered problematic (telling registrant that their information has been requested). Wearing my hat as Chair of the WHOIS2-RDS Review, this is one of the issues that we are investigating and hope to report on in our Draft Report out in a few weeks. Alan
Regards
Michele
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message----- From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, August 1, 2018 12:34 PM To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org> Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
_______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
Skipping due process for "ease of access" is a very slippery and dangerous slope.
Regards
Michele
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele! 3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user. 4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense? Jonathan
I have to agree with Michele here - if there is a due process, it must be for a good reason. To allow skipping due process for ease of access is, to me, like jumping a queue because it’s faster. But this is a discussion that we have been having since before ICANN, and positions have not moved much. R
On 02.08.2018, at 16:37, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
Skipping due process for "ease of access" is a very slippery and dangerous slope.
Regards
Michele
Again, both "skipping due process" and "ease of access" are gross oversimplifications. We're simply talking about a representation of interests, not some ultimate truth that you seem to have settled upon. Instead, we're talking about making sure that cybersecurity researchers can continue to do their work. We're talking about trying to make sure that reputational databases can continue to be maintained. We aren't going in with a preconceived notion about how that should happen, simply a commitment to working within the community to ensure those kinds of data uses are able to continue. That make more sense?
-----Original Message----- From: Roberto Gaetano <roberto_gaetano@hotmail.com> Sent: Thursday, August 2, 2018 10:46 AM To: Michele Neylon - Blacknight <michele@blacknight.com> Cc: Jonathan Zuck <JZuck@innovatorsnetwork.org>; Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org> Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
I have to agree with Michele here - if there is a due process, it must be for a good reason. To allow skipping due process for ease of access is, to me, like jumping a queue because it’s faster. But this is a discussion that we are having since before ICANN, and positions have not moved much. R
Jonathan, It does make sense. However, there are different positions that do not seem to me to have moved much over the decades and that it will not be easy to converge. GDPR has only changed some of the status quo, tilting the table more towards the privacy concern, but the differences remain. Anyway, we have no other choice than to keep trying. Cheers, Roberto
On 02.08.2018, at 16:59, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Again, both "skipping due process" and "ease of access" are gross oversimplifications. We're simply talking about a representation of interests, not some ultimate truth that you seem to have settled upon. Instead, we're talking about making sure that cybersecurity researchers can continue to do their work. We're talking about trying to make sure that reputational databases can continue to be maintained. We aren't going in with a preconceived notion about how that should happen, simply a commitment to working within the community to ensure those kinds of data uses are able to continue. That make more sense?
-----Original Message----- From: Roberto Gaetano <roberto_gaetano@hotmail.com> Sent: Thursday, August 2, 2018 10:46 AM To: Michele Neylon - Blacknight <michele@blacknight.com> Cc: Jonathan Zuck <JZuck@innovatorsnetwork.org>; Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org> Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
I have to agree with Michele here - if there is a due process, it must be for a good reason. To allow skipping due process for ease of access is, to me, like jumping a queue because it’s faster. But this is a discussion that we are having since before ICANN, and positions have not moved much. R
On 02.08.2018, at 16:37, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data 4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
Skipping due process for "ease of access" is a very slippery and dangerous slope.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele! 3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user. 4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense? Jonathan
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
Holly, the original statement ends with "All within the constraints of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests.
As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately in needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that yes, other issues trump privacy - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extend possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca > wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele! 3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user. 4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense? Jonathan
-----Original Message----- From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, August 1, 2018 12:34 PM To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org> Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good 2 - good 3 - I don't understand what that means 4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants’ interest as opposite to the remaining users’ ones. They are not, since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
-----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan.
As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc.
Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that yes, other issues trump privacy - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message-----
From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
Sent: Wednesday, August 1, 2018 12:34 PM
To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their group's position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants’ interest as opposite to the remaining users’ ones. They are not, since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
-----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------
Marita wrote:
*Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.*
I, OTOH, am significantly more convinced of that; I ask for evidence to back up the claim that those we try to speak for value privacy over security.
What we do have, from the massive successes of FANG and their spawn ... not to mention the explicitly invasive home devices that they deploy ... is compelling evidence of the LOW value given to privacy in the pursuit of other things. Add to that the pervasiveness of CCTV, license plate scanners and facial recognition in democracies where such surveillance is simply not a political controversy (including the countries that gave us the GDPR).
We have within this community privacy advocates, and that is important. But just as important is that we also have people on the front lines of the battle against internet scammers, malware spreaders and other bad actors who abuse privacy in pursuit of real harm. Uniquely within ICANN, At-Large seeks the necessary balance between privacy and accountability that seems so lacking elsewhere.
So I will disagree with Marita that ALAC's long-standing interest to strike this balance is against the interest of the global Internet end users we are charged with advancing. While the need for privacy advocates (and what they advocate) is critical, it is a significant error to assert that the global public of today values privacy over security. What ought to be does not necessarily match what is.
- Evan
+1
If we had a definite supremacy of one over the other (security vs privacy or vice-versa) the problem would be easy to solve. The complication is exactly in the need to strike a balance between the two.
R
On 07.08.2018, at 04:02, Evan Leibovitch <evanleibovitch@gmail.com> wrote:
Marita wrote:
*Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.*
I, OTOH, am significantly more convinced of that; I ask for evidence to back up the claim that those we try to speak for value privacy over security.
What we do have, from the massive successes of FANG and their spawn ... not to mention the explicitly invasive home devices that they deploy ... is compelling evidence of the LOW value given to privacy in the pursuit of other things. Add to that the pervasiveness of CCTV, license plate scanners and facial recognition in democracies where such surveillance is simply not a political controversy (including the countries that gave us the GDPR).
We have within this community privacy advocates, and that is important. But just as important is that we also have people on the front lines of the battle against internet scammers, malware spreaders and other bad actors who abuse privacy in pursuit of real harm. Uniquely within ICANN, At-Large seeks the necessary balance between privacy and accountability that seems so lacking elsewhere.
So I will disagree with Marita that ALAC's long-standing interest to strike this balance is against the interest of the global Internet end users we are charged with advancing. While the need for privacy advocates (and what they advocate) is critical, it is a significant error to assert that the global public of today values privacy over security. What ought to be does not necessarily match what is.
- Evan
@ Roberto, + 10000000000
@ Jonathan: this is exactly what I said: never speak about security against privacy or the other way. I never said we should give preference to privacy over security.
-----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------
On 7 August 2018 at 07:23, Roberto Gaetano <roberto_gaetano@hotmail.com> wrote:
+1
If we had a definite supremacy of one over the other (security vs privacy or vice-versa) the problem would be easy to solve. The complication is exactly in the need to strike a balance between the two.
R
On 07.08.2018, at 04:02, Evan Leibovitch <evanleibovitch@gmail.com> wrote:
Marita wrote:
*Perhaps it is * *unintentional, but the language does send the message that we are * *looking more carefully at security than privacy. I am also not convinced **that end-users would want us to do that.*
I , OTOH, am significantly more convinced of that ; I ask for evidence to back up the claim that those we try to speak for value privacy over security .
What we do have , from the massive successes of FANG and their spawn ... not to mention the explicitly invasive home devices that they deploy ... is compelling evidence of the LOW value given to privacy in the pursuit of other things. Add to that the pervasiveness of CCTV, license plate scanners and facial recognition in democracies where such surveillance is simply not a political controvery (including the countries that gave us the GDPR).
We have within this community privacy advocates , and that is important. But just as important is that we also have people on the front lines of the battle against internet scammers, malware spreaders and other bad actors who abuse privacy in pursuit of real harm. Uniquely within ICANN , At-Large seeks the necessary balance between privacy and accountability that seems so lacking elswhere .
So I will disagree with Marita that ALAC's long-standing interest to strike this balance is against the interest of the global Internet end users we are charged with advancing. While the need for privacy advocates (and what they advocate) is critical, it is a significant error to assert that the global public of today values privacy over security. What ought to be does not necessarily match what is.
- Evan _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
@ Roberto, + 10000000000 @ Jonathan: this is exactly what I said: never speak about security against privacy or the other way. I never said we should give preference to privacy over security. ----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 -----------------------------------------------------------------------------
Le 7 août 2018 à 07:23, Roberto Gaetano <roberto_gaetano@hotmail.com <mailto:roberto_gaetano@hotmail.com>> a écrit :
+1
If we had a definite supremacy of one over the other (security vs privacy or vice-versa) the problem would be easy to solve. The complication is exactly in the need to strike a balance between the two.

R

On 07.08.2018, at 04:02, Evan Leibovitch <evanleibovitch@gmail.com> wrote:
Marita wrote:
*Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.*
I, OTOH, am significantly more convinced of that; I ask for evidence to back up the claim that those we try to speak for value privacy over security.
What we do have, from the massive successes of FANG and their spawn ... not to mention the explicitly invasive home devices that they deploy ... is compelling evidence of the LOW value given to privacy in the pursuit of other things. Add to that the pervasiveness of CCTV, license plate scanners and facial recognition in democracies where such surveillance is simply not a political controversy (including the countries that gave us the GDPR).
We have within this community privacy advocates, and that is important. But just as important is that we also have people on the front lines of the battle against internet scammers, malware spreaders and other bad actors who abuse privacy in pursuit of real harm. Uniquely within ICANN, At-Large seeks the necessary balance between privacy and accountability that seems so lacking elsewhere.
So I will disagree with Marita that ALAC's long-standing interest to strike this balance is against the interest of the global Internet end users we are charged with advancing. While the need for privacy advocates (and what they advocate) is critical, it is a significant error to assert that the global public of today values privacy over security. What ought to be does not necessarily match what is.
- Evan
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".

It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case.

But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible.

That is the entire gist of the Temporary Spec. - "Consistent with ICANN's stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."

And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.

Alan

At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn't change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. they are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.

-----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------

On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan.
As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc.
Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
>Jonathan / Alan
>
>Thanks for the clarifications.
>
>3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
>4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
>
>Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
>Regards
>
>Michele
>
>--
>Mr Michele Neylon
>Blacknight Solutions
>Hosting, Colocation & Domains
>https://www.blacknight.com/
>https://blacknight.blog/
>Intl. +353 (0) 59 9183072
>Direct Dial: +353 (0)59 9183090
>Personal blog: https://michele.blog/
>Some thoughts: https://ceo.hosting/
>-------------------------------
>Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
>
>On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
>
>  Thanks Michele!
>  3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
>  4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
>
>  Make sense?
>  Jonathan
>
>  -----Original Message-----
>  From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
>  Sent: Wednesday, August 1, 2018 12:34 PM
>  To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
>  Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
>
>  Alan
>
>  1 - good
>  2 - good
>  3 - I don't understand what that means
>  4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
>
>  Regards
>
>  Michele
>
>  --
>  Mr Michele Neylon
>  Blacknight Solutions
>  Hosting, Colocation & Domains
>  https://www.blacknight.com/
>  https://blacknight.blog/
>  Intl. +353 (0) 59 9183072
>  Direct Dial: +353 (0)59 9183090
>  Personal blog: https://michele.blog/
>  Some thoughts: https://ceo.hosting/
>  -------------------------------
>  Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
>
>  On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
>
>      Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
>
>      1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
>
>      2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
>
>      3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
>
>      4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
Hello Evan and Alan.

I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities.

As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.

It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?

http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/

Marita

On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case.
But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible.
That is the entire gist of the Temporary Spec. - "Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. they are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.

-----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------

On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan.
As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc.
Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca>> > wrote:
> At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote: >> Jonathan / Alan >> >> Thanks for the clarifications. >> >> 3 - I don't know how you can know what the interests of a user >> are. The assumption you seem to be making is that due process >> and privacy should take a backseat to access to data > > Privacy is not absolute but based on various other issues. So > yes, we are saying that in some cases, the other issues trump > privacy. Perhaps we differ on where the dividing line is. > > >> 4 - Same as 3. Plenty of ccTLDs never offered PII in their >> public whois and there weren't any issues with security or >> stability. >> >> Skipping due process for "ease of access" is a very slippery >> and dangerous slope. > > Both here and in reply to #3, the term "due process" tends to be > used in reference to legal constraints associated with law > enforcement actions as sanctioned by laws and courts. That is > one path to unlocking otherwise private information. A major > aspect of the GDPR implementation will be identifying other less > cumbersome and restricted processes for accessing WHOIS data by > a variety of partners. It will not be unconstrained nor will it > be as cumbersome as going to court (hopefully). > > Alan > > >> Regards >> >> Michele >> >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Hosting, Colocation & Domains >> https://www.blacknight.com/ <https://www.blacknight.com/> >> https://blacknight.blog/ <https://blacknight.blog/> >> Intl. +353 (0) 59  9183072 >> Direct Dial: +353 (0)59 9183090 >> Personal blog: https://michele.blog/ >> Some thoughts: https://ceo.hosting/ >> ------------------------------- >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >> Park,Sleaty >> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845 >> >> On 02/08/2018, 15:03, "Jonathan Zuck" >> <JZuck@innovatorsnetwork.org> wrote: >> >>   Thanks Michele! >>   3. 
Where there appears to be a conflict of interest between >> a registrant and non-registrant end user, we'll be endeavoring >> to represent the interests of the non-registrant end user. >>   4. Related to 3. This is simply an affirmation of the >> interests of end users in a stable and secure internet and it >> is those interests we'll be representing. We've included law >> enforcement because efficiencies regarding their access may >> come up. Just because there's always a way for them to get to >> data doesn't mean it's the best way. >> >>   Make sense? >>   Jonathan >> >> >>   -----Original Message----- >>   From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On >> Behalf Of Michele Neylon - Blacknight >>   Sent: Wednesday, August 1, 2018 12:34 PM >>   To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG >> <cpwg@icann.org> >>   Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC >> Statement regarding EPDP >> >>   Alan >> >>   1 - good >>   2 - good >>   3 - I don't understand what that means >>   4 - Why are you combining law enforcement and private >> parties? Law enforcement can always get access to data when >> they follow due process. >> >>   Regards >> >>   Michele >> >> >>   -- >>   Mr Michele Neylon >>   Blacknight Solutions >>   Hosting, Colocation & Domains >>   https://www.blacknight.com/ <https://www.blacknight.com/> >>   https://blacknight.blog/ <https://blacknight.blog/> >>   Intl. 
+353 (0) 59  9183072 >>   Direct Dial: +353 (0)59 9183090 >>   Personal blog: https://michele.blog/ >>   Some thoughts: https://ceo.hosting/ >>   ------------------------------- >>   Blacknight Internet Solutions Ltd, Unit 12A,Barrowside >> Business Park,Sleaty >>   Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: >> 370845 >> >>   On 01/08/2018, 17:27, "registration-issues-wg on behalf of >> Alan Greenberg" >> <registration-issues-wg-bounces@atlarge-lists.icann.org on >> behalf of alan.greenberg@mcgill.ca> wrote: >> >>       Yesterday, the EPDP Members were asked to present a >> 1-3 minute >>       summary of their groups position in regard to the >> EPDP. The following >>       is the statement agreed to by me, Hadia, Holly and >> Seun. >> >>       1.   The ALAC believes that the EPDP MUST succeed >> and will be working >>       toward that end. >> >>       2.   We have a support structure that we are >> organizing to ensure >>       that what we present here is understood by our >> community and has >>       their input and support. >> >>       3.   The ALAC believes that individual >> registrants are users and we >>       have regularly worked on their behalf (as in the >> PDP that we >>       initiated to protect registrant rights when their >> domains expire), if >>       registrant needs differ from those of the 4 billion >> Internet users >>       who are not registrants, those latter needs take >> precedence. We >>       believe that GDPR and this EPDP are such a situation. >> >>       4.   
Although some Internet users consult WHOIS >> and will not be able >>       to do so in some cases going forward, our main >> concern is access for >>       those third parties who work to ensure that the >> Internet is a safe >>       and secure place for users and that means that law >> enforcement, >>       cybersecurity researchers, those combatting fraud >> in domain names, >>       and others who help protect users from phishing, >> malware, spam, >>       fraud, DDoS attacks and such can work with minimal >> reduction in >>       access to WHOIS data. All within the constraints of >> GDPR of course. >> >>       _______________________________________________ >>       CPWG mailing list >>       CPWG@icann.org >>       https://mm.icann.org/mailman/listinfo/cpwg >> <https://mm.icann.org/mailman/listinfo/cpwg> >>       _______________________________________________ >>       registration-issues-wg mailing list >>       registration-issues-wg@atlarge-lists.icann.org >>       >> https://mm.icann.org/mailman/listinfo/registration-issues-wg >> >> >>   _______________________________________________ >>   CPWG mailing list >>   CPWG@icann.org >>   https://mm.icann.org/mailman/listinfo/cpwg >> <https://mm.icann.org/mailman/listinfo/cpwg> >>   _______________________________________________ >>   GTLD-WG mailing list >>   GTLD-WG@atlarge-lists.icann.org >>   https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg >> >>   Working Group direct URL: >> https://community.icann.org/display/atlarge/New+GTLDs > > _______________________________________________ > CPWG mailing list > CPWG@icann.org <mailto:CPWG@icann.org <mailto:CPWG@icann.org>> > https://mm.icann.org/mailman/listinfo/cpwg > <https://mm.icann.org/mailman/listinfo/cpwg> > _______________________________________________ > registration-issues-wg mailing list > registration-issues-wg@atlarge-lists.icann.org > https://mm.icann.org/mailman/listinfo/registration-issues-wg
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who ARE themselves the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, 11:55, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case.
But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible.
That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan.
As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc.
Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
> Hi Alan
>
> I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
>
> As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
>
> So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
>
> And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
>
> Holly
>
> On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
>
>> At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
>>> Jonathan / Alan
>>>
>>> Thanks for the clarifications.
>>>
>>> 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
>>
>> Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
>>
>>> 4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
>>>
>>> Skipping due process for "ease of access" is a very slippery and dangerous slope.
>>
>> Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
>>
>> Alan
>>
>>> Regards
>>>
>>> Michele
>>>
>>> --
>>> Mr Michele Neylon
>>> Blacknight Solutions
>>> Hosting, Colocation & Domains
>>> https://www.blacknight.com/
>>> https://blacknight.blog/
>>> Intl. +353 (0) 59 9183072
>>> Direct Dial: +353 (0)59 9183090
>>> Personal blog: https://michele.blog/
>>> Some thoughts: https://ceo.hosting/
>>> -------------------------------
>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>>>
>>> On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
>>>
>>>   Thanks Michele!
>>>   3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
>>>   4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
>>>
>>>   Make sense?
>>>   Jonathan
>>>
>>>   -----Original Message-----
>>>   From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
>>>   Sent: Wednesday, August 1, 2018 12:34 PM
>>>   To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
>>>   Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
>>>
>>>   Alan
>>>
>>>   1 - good
>>>   2 - good
>>>   3 - I don't understand what that means
>>>   4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
>>>
>>>   Regards
>>>
>>>   Michele
>>>
>>>   --
>>>   Mr Michele Neylon
>>>   Blacknight Solutions
>>>   Hosting, Colocation & Domains
>>>   https://www.blacknight.com/
>>>   https://blacknight.blog/
>>>   Intl. +353 (0) 59 9183072
>>>   Direct Dial: +353 (0)59 9183090
>>>   Personal blog: https://michele.blog/
>>>   Some thoughts: https://ceo.hosting/
>>>   -------------------------------
>>>   Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>>>
>>>   On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
>>>
>>>       Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
>>>
>>>       1.   The ALAC believes that the EPDP MUST succeed and will be working toward that end.
>>>
>>>       2.   We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
>>>
>>>       3.   The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
>>>
>>>       4.   Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case.
But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible.
That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
------------------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
------------------------------------------------------------------------
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan.
As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc.
Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course."
I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully). Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
  Thanks Michele!
  3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
  4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
  Make sense?
  Jonathan
  -----Original Message-----
  From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
  Sent: Wednesday, August 1, 2018 12:34 PM
  To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
  Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
  Alan
  1 - good
  2 - good
  3 - I don't understand what that means
  4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
  Regards
  Michele
  --
  Mr Michele Neylon
  Blacknight Solutions
  Hosting, Colocation & Domains
  https://www.blacknight.com/
  https://blacknight.blog/
  Intl. +353 (0) 59 9183072
  Direct Dial: +353 (0)59 9183090
  Personal blog: https://michele.blog/
  Some thoughts: https://ceo.hosting/
  ------------------------------------------------------------------------
  Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
  On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
      Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
      1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
      2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
      3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
      4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
------------------------------------------------------------------------
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
------------------------------------------------------------------------
registration-issues-wg mailing list
registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
------------------------------------------------------------------------
GTLD-WG mailing list
GTLD-WG@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/ And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants' interest as opposite to the remaining users' ones. They are not, since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
------------------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
------------------------------------------------------------------------
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework. So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access. And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully). Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
  Thanks Michele!
  3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
  4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
  Make sense?
  Jonathan
  -----Original Message-----
  From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
  Sent: Wednesday, August 1, 2018 12:34 PM
  To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
  Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
  Alan
  1 - good
  2 - good
  3 - I don't understand what that means
  4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
  Regards
  Michele
  --
  Mr Michele Neylon
  Blacknight Solutions
  Hosting, Colocation & Domains
  https://www.blacknight.com/
  https://blacknight.blog/
  Intl. +353 (0) 59 9183072
  Direct Dial: +353 (0)59 9183090
  Personal blog: https://michele.blog/
  Some thoughts: https://ceo.hosting/
  ------------------------------------------------------------------------
  Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
  On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
      Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
      1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
      2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
      3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
      4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/ And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants' interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
------------------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
------------------------------------------------------------------------
On 3 Aug 2018, at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework. So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access. And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message-----
From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
Sent: Wednesday, August 1, 2018 12:34 PM
To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
  Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty   Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845   On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <
registration-issues-wg-bounces@atlarge-lists.icann.org
on behalf of alan.greenberg@mcgill.ca> wrote:       Yesterday, the EPDP Members were asked to present a 1-3 minute       summary of their groups position in regard to the EPDP. The following       is the statement agreed to by me, Hadia, Holly and Seun.       1.   The ALAC believes that the EPDP MUST succeed and will be working       toward that end.       2.   We have a support structure that we are organizing to ensure       that what we present here is understood by our community and has       their input and support.       3.   The ALAC believes that individual registrants are users and we       have regularly worked on their behalf (as in the PDP that we       initiated to protect registrant rights when their domains expire), if       registrant needs differ from those of the 4 billion Internet users       who are not registrants, those latter needs take precedence. We       believe that GDPR and this EPDP are such a situation.       4.   Although some Internet users consult WHOIS and will not be able       to do so in some cases going forward, our main concern is access for       those third parties who work to ensure that the Internet is a safe       and secure place for users and that means that law enforcement,       cybersecurity researchers, those combatting fraud in domain names,       and others who help protect users from phishing, malware, spam,       fraud, DDoS attacks and such can work with minimal reduction in       access to WHOIS data. All within the constraints of GDPR of course.      Â
------------------------------------------------------------------------
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
------------------------------------------------------------------------
registration-issues-wg mailing list
registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
------------------------------------------------------------------------
GTLD-WG mailing list
GTLD-WG@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
Alan > > > > Regards Michele -- Mr Michele > > Neylon Blacknight Solutions > > Hosting, Colocation & Domains > > https://www.blacknight.com/ > > <https://www.blacknight.com/> > > https://blacknight.blog/ > > <https://blacknight.blog/> Intl. > > +353 (0) 59  9183072 Direct Dial: > > +353 (0)59 9183090 Personal blog: > > https://michele.blog/ Some > > thoughts: https://ceo.hosting/ > > > ------------------------------------------------------------------------ > > Blacknight Internet Solutions Ltd, > > Unit 12A,Barrowside Business > > Park,Sleaty > > Road,Graiguecullen,Carlow,R93 > > X265,Ireland  Company No.: 370845 > > On 02/08/2018, 15:03, > > "Jonathan Zuck" > > <JZuck@innovatorsnetwork.org <mailto:JZuck@innovatorsnetwork.org>> > > wrote:   Thanks Michele!   3. > > Where there appears to be a > > conflict of interest between a > > registrant and non-registrant end > > user, we'll be endeavoring to > > represent the interests of the > > non-registrant end user.   4. > > Related to 3. This is simply an > > affirmation of the interests of > > end users in a stable and secure > > internet and it is those interests > > we'll be representing. We've > > included law enforcement because > > efficiencies regarding their > > access may come up. Just because > > there's always a way for them to > > get to data doesn't mean it's the > > best way.   Make sense?   
> > Jonathan   -----Original > > Message-----   From: GTLD-WG > > < > gtld-wg-bounces@atlarge-lists.icann.org <mailto:gtld-wg-bounces@atlarge-lists.icann.org>> > > On Behalf Of Michele Neylon - > > Blacknight   Sent: Wednesday, > > August 1, 2018 12:34 PM   To: > > Alan Greenberg > > <alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca>>; CPWG > > <cpwg@icann.org <mailto:cpwg@icann.org>>   Subject: Re: > > [GTLD-WG] [CPWG] > > [registration-issues-wg] ALAC > > Statement regarding EPDP   Alan > >   1 - good   2 - good   3 - > > I don't understand what that means > >   4 - Why are you combining law > > enforcement and private parties? > > Law enforcement can always get > > access to data when they follow > > due process.   Regards   > > Michele   --   Mr Michele > > Neylon   Blacknight Solutions  > >  Hosting, Colocation & Domains  > >  https://www.blacknight.com/ > > <https://www.blacknight.com/>   > > https://blacknight.blog/ > > <https://blacknight.blog/>   > > Intl. +353 (0) 59  9183072   > > Direct Dial: +353 (0)59 9183090  > >  Personal blog: > > https://michele.blog/   Some > > thoughts: https://ceo.hosting/   > > > ------------------------------------------------------------------------ > >   Blacknight Internet Solutions > > Ltd, Unit 12A,Barrowside Business > > Park,Sleaty   > > Road,Graiguecullen,Carlow,R93 > > X265,Ireland  Company No.: 370845 > >   On 01/08/2018, 17:27, > > "registration-issues-wg on behalf > > of Alan Greenberg" > > < > registration-issues-wg-bounces@atlarge-lists.icann.org <mailto:registration-issues-wg-bounces@atlarge-lists.icann.org> > > on behalf of > > alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca>> wrote:  > >      Yesterday, the EPDP > > Members were asked to present a > > 1-3 minute       summary of > > their groups position in regard to > > the EPDP. The following      > >  is the statement agreed to by > > me, Hadia, Holly and Seun.     > >   1.   
The ALAC believes that > > the EPDP MUST succeed and will be > > working       toward that > > end.       2.   We have a > > support structure that we are > > organizing to ensure       > > that what we present here is > > understood by our community and > > has       their input and > > support.       3.   The > > ALAC believes that individual > > registrants are users and we    > >    have regularly worked on > > their behalf (as in the PDP that > > we       initiated to > > protect registrant rights when > > their domains expire), if     > >   registrant needs differ from > > those of the 4 billion Internet > > users       who are not > > registrants, those latter needs > > take precedence. We       > > believe that GDPR and this EPDP > > are such a situation.       > > 4.   Although some Internet > > users consult WHOIS and will not > > be able       to do so in > > some cases going forward, our main > > concern is access for       > > those third parties who work to > > ensure that the Internet is a safe > >       and secure place for > > users and that means that law > > enforcement,       > > cybersecurity researchers, those > > combatting fraud in domain names, > >       and others who help > > protect users from phishing, > > malware, spam,       fraud, > > DDoS attacks and such can work > > with minimal reduction in     > >   access to WHOIS data. All > > within the constraints of GDPR of > > course.       
+1
On Tue, Aug 7, 2018 at 10:24 AM, Marita Moll <mmoll@ca.inter.net> wrote:
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote:
I’ve been watching this conversation unfold for a while. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants.
That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
------------------------------------------------------------
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework. So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access. And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
Regards
Michele
--
Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message-----
From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
Sent: Wednesday, August 1, 2018 12:34 PM
To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
--
Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
------------------------------------------------------------
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
------------------------------------------------------------
registration-issues-wg mailing list
registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
------------------------------------------------------------
GTLD-WG mailing list
GTLD-WG@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
So going back to the ALAC statement, which supposedly is going to be used as the base of the principles that are going to guide us throughout our contribution to the EPDP. We should try to define our position with regard to the whole EPDP and not only the access part. The EPDP addresses four topics
1. Purposes for processing Registration Data
2. Required Data Processing activities (with 10 items one of which addresses access)
3. Data Processing terms
4. Updates to other Consensus Policies
The most important of which in my opinion is the purposes for processing registration data based on which the access would be granted. By no means do we want to send the message that data privacy is not important and that we are only concerned with law enforcement and cybersecurity. Truly, the impact of the GDPR on WHOIS will hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies but it will directly impact the individual end users and customers. I don't think that it serves us right to be speaking only about cybersecurity and law enforcement agencies or being regarded as their advocates as for sure we are the advocates of the Internet end users.
Best
hadia
From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Maureen Hilyard
Sent: Tuesday, August 07, 2018 10:52 PM
To: Marita Moll
Cc: Greg Shatan; cpwg@icann.org
Subject: Re: [CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
+1
On Tue, Aug 7, 2018 at 10:24 AM, Marita Moll <mmoll@ca.inter.net> wrote:
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________
Evan Leibovitch, Toronto
@evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants.
That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants' interest as opposite to the remaining users' ones. They are not, since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
------------------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
------------------------------------------------------------------------
On 3 Aug 2018, at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully). Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
I guess my point would be that simply because the interests of end users (as opposed to registrants in this particular case) align with the interests of cybersecurity researchers and reputational databases, etc., we shouldn't be afraid of those positions, especially when that position is not really adequately represented on the EPDP
On 8/8/18, 12:45 PM, "GTLD-WG on behalf of Hadia Abdelsalam Mokhtar EL miniawi" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of Hadia@tra.gov.eg> wrote:
So going back to the ALAC statement, which supposedly is going to be used as the base of the principles that are going to guide us throughout our contribution to the EPDP
We should try to define our position with regard to the whole EPDP and not only the access part. The EPDP addresses four topics
1. Purposes for processing Registration Data
2. Required Data Processing activities (with 10 items one of which addresses access)
3. Data Processing terms
4. Updates to other Consensus Policies
The most important of which in my opinion is the purposes for processing registration data based on which the access would be granted. By no means do we want to send the message that data privacy is not important and that we are only concerned with law enforcement and cybersecurity. Truly, the impact of the GDPR on WHOIS will hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies but it will directly impact the individual end users and customers.
I don't think that it serves us right to be speaking only about cybersecurity and law enforcement agencies or being regarded as their advocates as for sure we are the advocates of the Internet end users.
Best hadia
From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Maureen Hilyard Sent: Tuesday, August 07, 2018 10:52 PM To: Marita Moll Cc: Greg Shatan; cpwg@icann.org Subject: Re: [CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
+1
On Tue, Aug 7, 2018 at 10:24 AM, Marita Moll <mmoll@ca.inter.net> wrote:
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________
Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
> With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California.
> So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
>
> Marita
>
> On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
> > Hi Marita,
> >
> > I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
> >
> > Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
> >
> > In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
> >
> > - Evan
> >
> > PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
> >
> > On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
> >
> > Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
> >
> > It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
> >
> > http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
> >
> > Marita
> >
> > On 8/7/2018 5:09 AM, Alan Greenberg wrote:
> >
> > Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Startrek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust takes precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/ And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
> > Alan
> >
> > At 06/08/2018 12:08 PM, Marita Moll wrote:
> >
> > I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
> > Marita
> >
> > On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
> >
> > Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse.
> > You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
> >
> > *Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
> >
> > On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
> >
> > Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
> > -Bastiaan
> >
> > On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
> >
> > Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
> > Alan
> >
> > At 02/08/2018 06:42 PM, Holly Raiche wrote:
> >
> > Hi Alan
> > I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework. So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access. And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
> > Holly
> >
> > On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
> >
> > At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
> >
> > Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
> >
> > Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
> >
> > 4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
> >
> > Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
> > Alan
> >
> > Regards
> > Michele
> > --
> > Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
> > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
> >
> > On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
> >
> > Thanks Michele!
> > 3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
> > 4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
> > Make sense?
> > Jonathan
> >
> > -----Original Message-----
> > From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
> > Sent: Wednesday, August 1, 2018 12:34 PM
> > To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
> > Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
> >
> > Alan
> > 1 - good
> > 2 - good
> > 3 - I don't understand what that means
> > 4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
> >
> > Regards
> > Michele
> >
> > On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
> >
> > Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
> > 1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
> > 2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
> > 3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
> > 4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
Hadia,
The impact of the GDPR on WHOIS does not need to hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies in any truly significant way. If "GDPR" is used as a platform to hinder this type of access and processing, it will directly impact individual end-users and customers in a very negative way.
In my "day job," I've been spending an ever increasing amount of time helping companies comply with GDPR. It requires work. It requires some attention to detail. It requires a pretty fair amount of record-keeping. It requires amending or creating processes. It requires thoughtfulness. But, at the end of the day, there is almost always a pathway to continue processing that had a lawful basis in the first place.
As long as the result complies with GDPR, there should be no reason for anyone to think we are sending the message that data privacy (or, more accurately, data protection) is not important. We should not stand in the way of GDPR-compliant processing and access just to demonstrate our independence from law enforcement, cybersecurity, etc. That would not be good compliance and it would not be good policy-making.
Indeed, I think the biggest threat to success by the EPDP are those participants who start out by drawing "lines in the sand" and then spend the rest of the time stubbornly refusing to cross them. That has not been the ALAC/At Large approach as far as I can see, based on my observations and, more recently, my participation. Rather, our hallmark has been an emphasis on practicality, but practicality with principles. When ALAC/At Large has led the way on practical approaches, practical needs of end-users, practical solutions, etc., this has often allowed ALAC/At Large to help find common ground between the positions of more "doctrinaire" participants, guide working groups out of dead ends, and bring their work to successful results.
Best regards,
Greg
On Wed, Aug 8, 2018 at 2:39 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
I guess my point would be that simply because the interests of end users (as opposed to registrants in this particular case) align with the interests of cybersecurity researchers and reputational databases, etc., we shouldn't be afraid of those positions, especially when that position is not really adequately represented on the EPDP.
On 8/8/18, 12:45 PM, "GTLD-WG on behalf of Hadia Abdelsalam Mokhtar EL miniawi" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of Hadia@tra.gov.eg> wrote:
So going back to the ALAC statement, which supposedly is going to be used as the base of the principles that are going to guide us throughout our contribution to the EPDP.
We should try to define our position with regard to the whole EPDP and not only the access part. The EPDP addresses four topics:
1. Purposes for processing Registration Data
2. Required Data Processing activities (with 10 items one of which addresses access)
3. Data Processing terms
4. Updates to other Consensus Policies
The most important of which in my opinion is the purposes for processing registration data based on which the access would be granted. By no means do we want to send the message that data privacy is not important and that we are only concerned with law enforcement and cybersecurity. Truly, the impact of the GDPR on WHOIS will hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies but it will directly impact the individual end users and customers.
I don't think that it serves us right to be speaking only about cybersecurity and law enforcement agencies or being regarded as their advocates as for sure we are the advocates of the Internet end users.
Best hadia
From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Maureen Hilyard Sent: Tuesday, August 07, 2018 10:52 PM To: Marita Moll Cc: Greg Shatan; cpwg@icann.org Subject: Re: [CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
+1
On Tue, Aug 7, 2018 at 10:24 AM, Marita Moll <mmoll@ca.inter.net> wrote:
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote:
I’ve been watching this conversation unfold for a while. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context.
If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust takes precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/ And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
*Tijani BEN JEMAA*
Executive Director
Mediterranean Federation of Internet Associations (*FMAI*)
Phone: +216 98 330 114 +216 52 385 114
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy.
Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework.
That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
> Jonathan / Alan
> Thanks for the clarifications.
> 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
> 4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
> Regards
> Michele
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message-----
From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
Sent: Wednesday, August 1, 2018 12:34 PM
To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
Hadia,
The impact of the GDPR on WHOIS does not need to hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies in any truly significant way. If "GDPR" is used as a platform to hinder this type of access and processing, it will directly impact individual end-users and customers in a very negative way.
In my "day job," I've been spending an ever increasing amount of time helping companies comply with GDPR. It requires work. It requires some attention to detail. It requires a pretty fair amount of record-keeping. It requires amending or creating processes. It requires thoughtfulness. But, at the end of the day, there is almost always a pathway to continue processing that had a lawful basis in the first place.
As long as the result complies with GDPR, there should be no reason for anyone to think we are sending the message that data privacy (or, more accurately, data protection) is not important. We should not stand in the way of GDPR-compliant processing and access just to demonstrate our independence from law enforcement, cybersecurity, etc. That would not be good compliance and it would not be good policy-making. Indeed, I think the biggest threat to success by the EPDP are those participants who start out by drawing "lines in the sand" and then spend the rest of the time stubbornly refusing to cross them. That has not been the ALAC/At Large approach as far as I can see, based on my observations and, more recently, my participation. Rather, our hallmark has been an emphasis on practicality, but practicality with principles. When ALAC/At Large has led the way on practical approaches, practical needs of end-users, practical solutions, etc., this has often allowed ALAC/At Large to help find common ground between the positions of more "doctrinaire" participants, guide working groups out of dead ends, and bring their work to successful results.
Best regards,
Greg
On Wed, Aug 8, 2018 at 2:39 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
I guess my point would be that simply because the interests of end users (as opposed to registrants in this particular case) align with the interests of cybersecurity researchers and reputational databases, etc., we shouldn't be afraid of those positions, especially when that position is not really adequately represented on the EPDP
On 8/8/18, 12:45 PM, "GTLD-WG on behalf of Hadia Abdelsalam Mokhtar EL miniawi" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of Hadia@tra.gov.eg> wrote:
So going back to the ALAC statement, which supposedly is going to be used as the base of the principles that are going to guide us throughout our contribution to the EPDP
We should try to define our position with regard to the whole EPDP and not only the access part. The EPDP addresses four topics
1. Purposes for processing Registration Data
2. Required Data Processing activities (with 10 items one of which addresses access)
3. Data Processing terms
4. Updates to other Consensus Policies
The most important of which in my opinion is the purposes for processing registration data based on which the access would be granted. By no means do we want to send the message that data privacy is not important and that we are only concerned with law enforcement and cybersecurity. Truly, the impact of the GDPR on WHOIS will hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies but it will directly impact the individual end users and customers.
I don't think that it serves us right to be speaking only about cybersecurity and law enforcement agencies or being regarded as their advocates as for sure we are the advocates of the Internet end users.
Best hadia
From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Maureen Hilyard
Sent: Tuesday, August 07, 2018 10:52 PM
To: Marita Moll
Cc: Greg Shatan; cpwg@icann.org
Subject: Re: [CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
+1
On Tue, Aug 7, 2018 at 10:24 AM, Marita Moll <mmoll@ca.inter.net> wrote:
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote:
I’ve been watching this conversation unfold for a while. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
> With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are only ones concerned with keeping bad actors out of the ring.
>
> Marita
>
> On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
> > Hi Marita,
> >
> > I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
> >
> > Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
> >
> > In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
> >
> > - Evan
> >
> > PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
> >
> > On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
> >
> > Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
> >
> > It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
> >
> > http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
> >
> > Marita
> >
> > On 8/7/2018 5:09 AM, Alan Greenberg wrote:
> >
> > Marita, you cannot take one phrase out of context.
> > If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
> >
> > It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust takes precedence over the privacy of the relative handful of gTLD registrants.
> >
> > That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/
> >
> > And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
> >
> > Alan
> >
> > At 06/08/2018 12:08 PM, Marita Moll wrote:
> >
> > I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
> >
> > Marita
> >
> > On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
> >
> > Very interesting discussion.
> > This issue has been discussed several times and the positions didn’t change.
> >
> > What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse.
> >
> > You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc….
> >
> > You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
> >
> > So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
> >
> > ------------------------------------------------------------------------
> > *Tijani BEN JEMAA*
> > Executive Director
> > Mediterranean Federation of Internet Associations (*FMAI*)
> > Phone: +216 98 330 114 +216 52 385 114
> > ------------------------------------------------------------------------
> >
> > On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
> >
> > Thanks for clarifying, Alan.
> >
> > As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy.
> > Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to.
> >
> > In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs.
> >
> > Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
> >
> > -Bastiaan
> >
> > On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
> >
> > Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
> >
> > That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
> >
> > GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint.
> > It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
> >
> > In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
> >
> > Alan
> >
> > At 02/08/2018 06:42 PM, Holly Raiche wrote:
> >
> > Hi Alan
> >
> > I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
> >
> > As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
> >
> > So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework.
> > That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
> >
> > And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
> >
> > Holly
> >
> > On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
> >
> > At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
> >
> > > Jonathan / Alan
> > >
> > > Thanks for the clarifications.
> > >
> > > 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
> >
> > Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
> >
> > > 4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
> >
> > Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
> >
> > Alan
> >
> > > Regards
> > >
> > > Michele
> > > --
> > > Mr Michele Neylon
> > > Blacknight Solutions
> > >
> > > On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
> > >
> > > > Thanks Michele!
> > > >
> > > > 3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
> > > >
> > > > 4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
> > > >
> > > > Make sense?
> > > >
> > > > Jonathan
> > > >
> > > > -----Original Message-----
> > > > From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
> > > > Sent: Wednesday, August 1, 2018 12:34 PM
> > > > To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
> > > > Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
> > > >
> > > > Alan
> > > >
> > > > 1 - good
> > > > 2 - good
> > > > 3 - I don't understand what that means
> > > > 4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
> > > >
> > > > Regards
> > > >
> > > > Michele
> > > > --
> > > > Mr Michele Neylon
> > > > Blacknight Solutions
> > > >
> > > > On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
> > > >
> > > > > Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
> > > > >
> > > > > 1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
> > > > >
> > > > > 2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
> > > > >
> > > > > 3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
> > > > >
> > > > > 4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
-- Greg Shatan greg@isoc-ny.org "The Internet is for everyone"
Yessir, mark me down for "practicality with principles". The greatest good for the greater number. +1.
-Carlton
On Wed, 8 Aug 2018, 9:11 pm Greg Shatan, <greg@isoc-ny.org> wrote:
Hadia,
The impact of the GDPR on WHOIS does not need to hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies in any truly significant way. If "GDPR" is used as a platform to hinder this type of access and processing, it will directly impact individual end-users and customers in a very negative way.
In my "day job," I've been spending an ever increasing amount of time helping companies comply with GDPR. It requires work. It requires some attention to detail. It requires a pretty fair amount of record-keeping. It requires amending or creating processes. It requires thoughtfulness. But, at the end of the day, there is almost always a pathway to continue processing that had a lawful basis in the first place.
As long as the result complies with GDPR, there should be no reason for anyone to think we are sending the message that data privacy (or, more accurately, data protection) is not important. We should not stand in the way of GDPR-compliant processing and access just to demonstrate our independence from law enforcement, cybersecurity, etc. That would not be good compliance and it would not be good policy-making. Indeed, I think the biggest threat to success by the EPDP are those participants who start out by drawing "lines in the sand" and then spend the rest of the time stubbornly refusing to cross them. That has not been the ALAC/At Large approach as far as I can see, based on my observations and, more recently, my participation. Rather, our hallmark has been an emphasis on practicality, but practicality with principles. When ALAC/At Large has led the way on practical approaches, practical needs of end-users, practical solutions, etc., this has often allowed ALAC/At Large to help find common ground between the positions of more "doctrinaire" participants, guide working groups out of dead ends, and bring their work to successful results.
Best regards,
Greg
On Wed, Aug 8, 2018 at 2:39 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
I guess my point would be that simply because the interests of end users (as opposed to registrants in this particular case) align with the interests of cybersecurity researchers and reputational databases, etc., we shouldn't be afraid of those positions, especially when that position is not really adequately represented on the EPDP.
On 8/8/18, 12:45 PM, "GTLD-WG on behalf of Hadia Abdelsalam Mokhtar EL miniawi" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of Hadia@tra.gov.eg> wrote:
So going back to the ALAC statement, which supposedly is going to be used as the base of the principles that are going to guide us throughout our contribution to the EPDP
We should try to define our position with regard to the whole EPDP and not only the access part. The EPDP addresses four topics
1. Purposes for processing Registration Data
2. Required Data Processing activities (with 10 items one of which addresses access)
3. Data Processing terms
4. Updates to other Consensus Policies
The most important of which in my opinion is the purposes for processing registration data based on which the access would be granted. By no means do we want to send the message that data privacy is not important and that we are only concerned with law enforcement and cybersecurity. Truly, the impact of the GDPR on WHOIS will hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies but it will directly impact the individual end users and customers.
I don't think that it serves us right to be speaking only about cybersecurity and law enforcement agencies or being regarded as their advocates as for sure we are the advocates of the Internet end users.
Best hadia
From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Maureen Hilyard Sent: Tuesday, August 07, 2018 10:52 PM To: Marita Moll Cc: Greg Shatan; cpwg@icann.org Subject: Re: [CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
+1
On Tue, Aug 7, 2018 at 10:24 AM, Marita Moll <mmoll@ca.inter.net> wrote:
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote: I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
> With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are only ones concerned with keeping bad actors out of the ring.
>
> Marita
>
> On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
> > Hi Marita,
> >
> > I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
> >
> > Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
> >
> > In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
> >
> > - Evan
> >
> > PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
> >
> > On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
> >
> > Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
> >
> > It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
> >
> > http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
> >
> > Marita
> >
> > On 8/7/2018 5:09 AM, Alan Greenberg wrote:
> >
> > Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust takes precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/ And I note with some amusement that some filter along the way has flagged this entire thread as SPAM. Alan
> >
> > At 06/08/2018 12:08 PM, Marita Moll wrote:
> >
> > I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that. Marita
> >
> > On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
> >
> > Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
> >
> > *Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
> >
> > On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
> >
> > Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts. -Bastiaan
> >
> > On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
> >
> > Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately in needed convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is. Alan
> >
> > At 02/08/2018 06:42 PM, Holly Raiche wrote:
> >
> > Hi Alan I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework. So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access. And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR. Holly
> >
> > On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
> >
> > At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
> >
> > Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
> >
> > Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
> >
> > 4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
> >
> > Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully). Alan
> >
> > Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
> > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
> >
> > On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
> >
> > Thanks Michele!
> > 3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
> > 4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
> > Make sense?
> > Jonathan
> >
> > -----Original Message-----
> > From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
> > Sent: Wednesday, August 1, 2018 12:34 PM
> > To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
> > Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
> >
> > Alan
> > 1 - good
> > 2 - good
> > 3 - I don't understand what that means
> > 4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
> >
> > Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
> > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
> >
> > On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
> >
> > Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
> > 1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
> > 2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
> > 3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
> > 4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
> >
> > CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
> > registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
> > GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
-- Greg Shatan greg@isoc-ny.org
"The Internet is for everyone"
+1
- Kaili
----- Original Message -----
From: "Jonathan Zuck" <JZuck@innovatorsnetwork.org>
To: "Hadia Abdelsalam Mokhtar EL miniawi" <Hadia@tra.gov.eg>; "Maureen Hilyard" <maureen.hilyard@gmail.com>; "Marita Moll" <mmoll@ca.inter.net>
Cc: <cpwg@icann.org>
Sent: Thursday, August 09, 2018 2:39 AM
Subject: Re: [CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
I guess my point would be that simply because the interests of end users (as opposed to registrants in this particular case) align with the interests of cybersecurity researchers and reputational databases, etc., we shouldn't be afraid of those positions, especially when that position is not really adequately represented on the EPDP.
On 8/8/18, 12:45 PM, "GTLD-WG on behalf of Hadia Abdelsalam Mokhtar EL miniawi" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of Hadia@tra.gov.eg> wrote:
So going back to the ALAC statement, which supposedly is going to be used as the base of the principles that are going to guide us throughout our contribution to the EPDP
We should try to define our position with regard to the whole EPDP and not only the access part. The EPDP addresses four topics
1. Purposes for processing Registration Data
2. Required Data Processing activities (with 10 items one of which addresses access)
3. Data Processing terms
4. Updates to other Consensus Policies
The most important of which in my opinion is the purposes for processing registration data based on which the access would be granted. By no means do we want to send the message that data privacy is not important and that we are only concerned with law enforcement and cybersecurity. Truly, the impact of the GDPR on WHOIS will hinder the work of those who identify cyber attackers, law enforcement agencies and customer protection agencies but it will directly impact the individual end users and customers.
I don't think that it serves us right to be speaking only about cybersecurity and law enforcement agencies or being regarded as their advocates as for sure we are the advocates of the Internet end users.
Best hadia
From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Maureen Hilyard Sent: Tuesday, August 07, 2018 10:52 PM To: Marita Moll Cc: Greg Shatan; cpwg@icann.org Subject: Re: [CPWG] [GTLD-WG] [SPAM] Re: [registration-issues-wg] ALAC Statement regarding EPDP
+1
On Tue, Aug 7, 2018 at 10:24 AM, Marita Moll <mmoll@ca.inter.net> wrote:
This is great Greg. Thanks for filling in some of the details.
Marita
On 8/7/2018 10:17 PM, Greg Shatan wrote: I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote: I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Allan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Startrek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....." /And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastian and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
------------------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
------------------------------------------------------------------------
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework. So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access. And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully). Alan
Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message----- From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, August 1, 2018 12:34 PM To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org> Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access.
This argument begs the questions as to who are the 'third parties', what are the 'use cases' and what happens to the data after it has been used. Regards CW
On 7 August 2018 at 22:17, Greg Shatan <greg@isoc-ny.org> wrote:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WHOIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/ And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants' interest as opposite to the remaining users' ones. They are not, since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
------------------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
------------------------------------------------------------------------
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to. In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately, if needed, convincing the courts. They are the arbiters, not me or anyone else in ICANN. In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework. So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access. And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully). Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message-----
From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
Sent: Wednesday, August 1, 2018 12:34 PM
To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
------------------------------------------------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
------------------------------------------------------------------------
CPWG mailing list CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
------------------------------------------------------------------------
registration-issues-wg mailing list
registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
------------------------------------------------------------------------
GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL:
https://community.icann.org/display/atlarge/New+GTLDs
A great deal of the work in both the EWG and the RDS PDP consisted of identifying these parties and use cases. I invite you to peruse both for answers. It's not hard to find -- no begging needed.
Best regards,
Greg
On Wed, Aug 8, 2018 at 6:30 AM wilkinson christopher <cw@christopherwilkinson.eu> wrote:
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access.
This argument begs the questions as to who are the 'third parties', what are the 'use cases' and what happens to the data after it has been used.
Regards
CW
On 7 August 2018 at 22:17, Greg Shatan <greg@isoc-ny.org> wrote:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WHOIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive". It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/ And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants' interest as opposite to the remaining users' ones. They are not, since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
Le 3 août 2018 à 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net <mailto:bastiaan.goslings@ams-ix.net <mailto:bastiaan.goslings@ams-ix.net>>> a
écrit :
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message-----
From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
Sent: Wednesday, August 1, 2018 12:34 PM
To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
registration-issues-wg mailing list
registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
GTLD-WG mailing list
GTLD-WG@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
Christopher,
A great deal of the work in both the EWG and the RDS PDP consisted of identifying these parties and use cases. I invite you to peruse both for answers. It's not hard to find -- no begging needed.
Best regards,
Greg
On Wed, Aug 8, 2018 at 6:30 AM wilkinson christopher <cw@christopherwilkinson.eu> wrote:
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access.
This argument begs the questions as to who are the 'third parties', what are the 'use cases' and what happens to the data after it has been used.
Regards
CW
On 7 August 2018 at 22:17, Greg Shatan <greg@isoc-ny.org> wrote:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are the only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Startrek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants.
That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastian and
Michele.
Perhaps it is unintentional, but the language does send the message that we are looking more carefully at
security
than privacy. I am also not convinced that end-users
would
want us to do that. Marita On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. they are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all:
contracted
parties, business, registrants, governments, etc.
We
are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for
research,
and the result was the American election result impacted. So, I agree with Bastiaan that we need
to be
careful and care about the protection of personal
data
as well as the prevention of any harmful use of the domain names, both together.
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
Le 3 août 2018 à 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net <mailto:bastiaan.goslings@ams-ix.net <mailto:bastiaan.goslings@ams-ix.net>>> a
écrit :
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele.
While
I think I understand the good intent of what
you
are saying, your earlier responses almost
sound to
me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users)
that
care about security as opposed to those (registrants) that want their privacy
protected to
the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to.
In
this particular EPDP case though I am convinced that we can find a common ground on what the
ALAC
members and alternates should bring to the
table.
In terms of perceived registrants’ and
general
Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we
do
not have to be philosophical about a rather
broad
term like ‘privacy’ and argue about
whether it
is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement.
From
what I understand the work being done on
defining
Access and Accreditation criteria is keeping
that
principle in mind, and within in the MS
context of
the EPDP we can together see to it that it does end up properly enshrined in policy and
contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca>>> wrote: Holly, the original statement ends with
"All
within the constraints of GDPR of course."
I
don't know how to make that clearer. We
would
be absolutely FOOLISH to argue for anything else, since it will not be implementable.
That
being said, if through the EPDP or
otherwise
we can help make the legal argument for why good access for the folks we list at the
end
is within GDPR, more power to us. GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
So
my statement that "other issues trump
privacy"
is within that context. But just as proportionality governs what GDPR will
decree
as private in any given case, so it will govern what is not private. It all depends
on
making the legal argument and ultimately in needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In
the US, there is the constitutional right
to
freedom of speech, but it is not
unconstrained
and there are limits to what you are
allowed
and not allowed to say. And from time to
time,
the courts and legislatures weigh in and decide where the line is. Alan At
02/08/2018
06:42 PM, Holly Raiche wrote:
Hi Alan I have concerns with your statement - and since your reply below, with our statement of principles for
the
EPDP. As I suggested in my email of 1 August, we need to be VERY clear that
we
are NOT arguing against implementation
a
policy that is compliant with the
GDPR. Â
We are arguing for other issues that impact on users - WITHIN the umbrella
of
the GDPR. Â And if we do not make that very clear, then we look as if we are
not
prepared to operate within the bounds
of
the EPDP - which is all about
developing a
new policy to replace the RDS
requirements
that will allow registries/registrars
to
comply with their ICANN contracts and operate within the GDPR framework. So
your
statement below that ‘yes, other
issues
trump privacyÂ’ - misstates that. Â
What
we are (or should be) arguing for is a balance of rights of access that - to
the
greatest extend possible - recognises
the
value of RDS to some constituencies
with
legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data
will
no longer have that open access. And
for
ALAC generally, I will repeat what I
said
in my 1 August email - our statement of principles must be VERY clear that we
are
NOT arguing for a new RDS policy that
goes
outside of the GDPR. Holly On 3 Aug
2018,
at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca <mailto:alan.greenberg@mcgill.ca>> >
wrote:
At 02/08/2018 10:37 AM, Michele
Neylon
- Blacknight wrote:
Jonathan / Alan Thanks for the clarifications. 3 - I don't
know
how you can know what the interests of a user are. The assumption you seem to be
making
is that due process and privacy should take a backseat to
access
to data
Privacy is not absolute but based
on
various other issues. So yes, we
are
saying that in some cases, the
other
issues trump privacy. Perhaps we differ on where the dividing line
is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their
public
whois and there weren't any
issues
with security or stability. Skipping due process for "ease
of
access" is a very slippery and dangerous slope.
Both here and in reply to #3, the
term
"due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to
unlocking
otherwise private information. A
major
aspect of the GDPR implementation
will
be identifying other less
cumbersome
and restricted processes for
accessing
WHOIS data by a variety of
partners.
It will not be unconstrained nor
will
it be as cumbersome as going to
court
(hopefully). Alan
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
Thanks Michele!
3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
Make sense?
Jonathan
-----Original Message-----
From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
Sent: Wednesday, August 1, 2018 12:34 PM
To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
Alan
1 - good
2 - good
3 - I don't understand what that means
4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
Regards
Michele
On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
Christopher, A great deal of the work in both the EWG and the RDS PDP consisted of identifying these parties and use cases. I invite you to peruse both for answers. It's not hard to find -- no begging needed. Best regards, Greg
On Wed, Aug 8, 2018 at 6:30 AM wilkinson christopher <cw@christopherwilkinson.eu> wrote:
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access.
This argument begs the questions as to who are the 'third parties', what are the 'use cases' and what happens to the data after it has been used.
Regards
CW
On 7 August 2018 at 22:17, Greg Shatan <greg@isoc-ny.org> wrote:
I’ve been watching this conversation unfold for awhile. A few observations:
1. Nobody suggested that ALAC support an outcome that would violate GDPR. Compliance with GDPR is a given. Thankfully, that misunderstanding seems to have been cleared up.
2. No one is arguing in favor of putting the “private info of registrants” into “the hands of bad actors.” Indeed, GDPR is not primarily aimed at preventing access by bad actors. Rather it is aimed at regulating the use of personal data by any actor. I haven’t really thought about it, but GDPR is probably not going to be a major deterrent against real bad actors.
3. WHOIS/RDS exists in order to be accessed by third parties (i.e., folks other than the registrant and the registrar). There are many, many legitimate use cases for access. Of course, there are “mis-use cases” involving bad actors, and one of the obvious challenges for the EPDP is dealing with those. From the point of view of the end-user, that needs to be dealt with in a way that does not hinder timely, straight-forward legitimate access to Whois data.
4. I have seen no evidence that the European Data Protection people have thought about how WHOIS/RDS can function under GDPR. More broadly, GDPR is a law about access, in very large part. GDPR provides a road map for data controllers and processors to get and “process” (use, store, provide access to, transfer, delete, etc.) data. Much of GDPR is concerned with how data is used (I’d rather use that term than “processed” for these discussions), the purposes for which it is used, how it is stored, how it is transferred, who is responsible for any use, the circumstances when a data subject does (and does not) have control over how their data is used. GDPR assumes that data will be “processed” and creates a set of rules of the road for that processing.
5. It is true that end-users and registrants benefit from both privacy and security. End-users benefit directly and indirectly from access to WHOIS/RDS data, for non-security related reasons as well as security-related reasons. Registrants also benefit from access to WHOIS/RDS, both by themselves and by third parties in a variety of ways. Registrants benefit from data privacy, at least with regard to their own data (though they may lose some of the benefits that come from third party access to their data, such as receiving offers to purchase domain names). However, I am struggling to see how end-users (as end-users) benefit from barriers to accessing registrant WHOIS/RDS data.
6. How Cambridge Analytica got Facebook data is not particularly relevant. But if it is going to be used as a “cautionary tale”, we need to be accurate, so that the right lessons can be learned. Cambridge Analytica did NOT get the data by making a request to Facebook “to have access to these data for research.” In fact, they didn’t get the data directly from Facebook at all. The data was gathered through a personality quiz app, which was (as Facebook was configured at that time and with the consent of the participants) able to harvest data about friends and friends-of-friends of the participants, as well as the participants. It may have been used for legitimate research purposes. However, the data was then sold to Cambridge Analytica, without Facebook’s knowledge and in violation of their terms of service.
7. The California Consumer Privacy Act is already here, though it won’t be enforced until 2020. While it bears a resemblance to GDPR, it has many differences as well, and some of its goals are quite different. Like GDPR it is not primarily aimed at keeping data out of the hands of bad actors. I have not yet considered the impact of the CCPA on WHOIS/RDS, and how it is similar or different to the impact of GDPR. Its primary goals seem to be to control data monetization, and to give consumers greater access to their data, with data subject rights similar to those in GDPR.
8. Overall, I agree with those who believe that appropriate and timely access to WHOIS/RDS data benefits end-users. Whether GDPR is good or bad for end-users is moot. GDPR exists, and how it is dealt with will show how good or bad it is for end-users. Our goal should be to have GDPR implemented in the WHOIS/RDS context in a way that maximizes the benefit and minimizes the harm to end-users.
Best regards,
Greg Shatan
On Tue, Aug 7, 2018 at 1:58 PM Evan Leibovitch <evanleibovitch@gmail.com> wrote:
I don't know about the Europeans or the California government. I do have more than a decade's experience in ICANN, however, and have observed that its track record in both decent privacy and decent accessibility is abysmal.
___________________ Evan Leibovitch, Toronto @evanleibovitch/@el56
On Tue, Aug 7, 2018, 1:30 PM Marita Moll, <mmoll@ca.inter.net> wrote:
With respect Evan, saying I am missing the point is not really respectful. No one is arguing for privacy without protections. I don't have all the information I need to support this, but I have a feeling the European Data Protection people might have thought about this. They don't want to protect bad actors either. And I have heard that a similar law to GDPR is under consideration in California. So I don't see any need to think we are only ones concerned with keeping bad actors out of the ring.
Marita
On 8/7/2018 7:08 PM, Evan Leibovitch wrote:
Hi Marita,
I think you may be missing the point when you state that "keeping the private info of registrants out of the hands of bad actors protects both parties". The examples that exist in abundance come from registrants who /ARE themselves/ the bad actors, that hide behind either privacy regulations or inaccurate contact information to avoid being held to account for their harm.
Just as the right to freedom of speech is not absolute -- even in America -- neither is the right to privacy a way to hide accountability for causing demonstrable harm. Augmenting privacy with tiered access is fine so long as it is accessible to victims and effective in execution; that is exactly the balance of which I speak. This won't be easy -- being physically threatened demands a different response to merely being insulted -- but it is vital. Without such checks and balances, absolute privacy is a sure source of far more harm than good. For every whistleblower protected, a dozen others will be scammed out of their life savings, and thousands more will live in fear for their lives because of death threats from those with unchecked anonymity. This is not theory, it is happening.
In summary, it is both naive and against the global public interest to advocate for privacy without advocating just as strenuously for appropriate protections against bad actors who seek to exploit that privacy to cause harm. At-Large seeks both.
- Evan
PS: I absolutely reject the assertion that it is fear-mongering to simply want to prevent abuse of privacy by some registrants that is both clearly evidenced and ongoing.
On Aug 7, 2018, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case. But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants.
That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible. That is the entire gist of the Temporary Spec. - /"Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."/
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants' interest as opposite to the remaining users' ones. They are not, since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc.
You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted. So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
*Tijani BEN JEMAA*
Executive Director
Mediterranean Federation of Internet Associations (*FMAI*)
Phone: +216 98 330 114 +216 52 385 114
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan. As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc. Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs.
Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Holly, the original statement ends with "All within the constraints of GDPR of course." I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable. That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate. So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
Alan
At 02/08/2018 06:42 PM, Holly Raiche wrote:
Hi Alan
I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP. As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
Holly
On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
Jonathan / Alan
Thanks for the clarifications.
3 - I don't know how you can know what the interests of a user are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability. Skipping due process for "ease of access" is a very slippery and dangerous slope.
Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
Alan
-- Greg Shatan greg@isoc-ny.org "The Internet is for everyone"
On Aug 7, 2018, 11:55, at 11:55, Marita Moll <mmoll@ca.inter.net> wrote:
Hello Evan and Alan. I agree with a number of those here who have suggested that the interests of registrants and end-users are not that different. Keeping the private info of registrants out of the hands of bad actors protects both parties. If crimes are committed, having tiered access to the info would release that info to validated authorities. As a registrant, I don't want my private information out there if it isn't necessary. And I don't see how shielding my private info on WhoIS will endanger my neighbour once tiered access is agreed upon. This is no different from the way the law usually works -- we don't all have to live in glass houses in order to be safe. We need well thought out procedures that protect all of us.
It's just my opinion. I know others have good arguments. But I don't buy the scary scenarios being presented by some groups hoping to scuttle this whole thing. If the Europeans don't think the world will come to an end once GDPR is enforced, why is the boogey man being unleashed in North America?
http://www.insidesources.com/fake-news-fake-pharmacies-whats-next/
Marita
On 8/7/2018 5:09 AM, Alan Greenberg wrote:
Marita, you cannot take one phrase out of context. If you go back in the thread (which was not fully copied here) I believe that a major concern of Holly and Bastiaan was that my statement sounded like it was trying to get around GDPR, but in fact compliance with GDPR is (to use a Star Trek expression) "the prime directive".
It is not a simple matter of security vs privacy. If, for instance, we were talking about USER security vs USER privacy, we would have a real challenge in deciding which was more important and I am pretty sure we would not even try in the general case.
But that is not what we are talking about here. We are talking about gTLD REGISTRANT privacy vs USER security. And the ALAC's position has previously been that although we care about registrants (and their privacy and their domains etc) and have put very significant resources into supporting gTLD registrants, the sheer number of users makes their security and ability to use the Internet with relative safety and trust take precedence over the privacy of the relative handful of gTLD registrants. That is why ICANN has (and continues to) support the existing WHOIS system to the extent possible.
That is the entire gist of the Temporary Spec. - "Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains....."
And I note with some amusement that some filter along the way has flagged this entire thread as SPAM.
Alan
At 06/08/2018 12:08 PM, Marita Moll wrote:
I am in agreement with Tijani, Holly, Bastian and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
Very interesting discussion. This issue has been discussed several times and the positions didn’t change. What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. They are not since the registrants are also subject to the domain abuse. You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc…. You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
-----------------------------------------------------------------------------
*Tijani BEN JEMAA* Executive Director Mediterranean Federation of Internet Associations (*FMAI*) Phone: +216 98 330 114 +216 52 385 114
-----------------------------------------------------------------------------
On 3 August 2018 at 07:22, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thanks for clarifying, Alan.
As a matter of principle I agree with Holly - and Michele. While I think I understand the good intent of what you are saying, your earlier responses almost sound to me like a false ‘security versus privacy’ dichotomy. Like, the number of people (users) that care about security as opposed to those (registrants) that want their privacy protected to the max is larger. Etc.
Apologies if I am oversimplifying things here, I do not mean to.
In this particular EPDP case though I am convinced that we can find a common ground on what the ALAC members and alternates should bring to the table. In terms of perceived registrants’ and general Internet end-users’ interests. As you rightly state, it is about being GDPR compliant. So we do not have to be philosophical about a rather broad term like ‘privacy’ and argue about whether it is in conflict with e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. However, ‘due process’ is a(nother) no brainer, not just because it might be a legal requirement. From what I understand the work being done on defining Access and Accreditation criteria is keeping that principle in mind, and within the MS context of the EPDP we can together see to it that it does end up properly enshrined in policy and contracts.
-Bastiaan
> On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
>
> Holly, the original statement ends with "All within the constraints of GDPR of course."
>
> I don't know how to make that clearer. We would be absolutely FOOLISH to argue for anything else, since it will not be implementable.
>
> That being said, if through the EPDP or otherwise we can help make the legal argument for why good access for the folks we list at the end is within GDPR, more power to us.
>
> GDPR (and eventually similar legislation/regulation elsewhere) is the overall constraint. It is equivalent to the laws of physics which for the moment we need to consider inviolate.
>
> So my statement that "other issues trump privacy" is within that context. But just as proportionality governs what GDPR will decree as private in any given case, so it will govern what is not private. It all depends on making the legal argument and ultimately if needed convincing the courts. They are the arbiters, not me or anyone else in ICANN.
>
> In the US, there is the constitutional right to freedom of speech, but it is not unconstrained and there are limits to what you are allowed and not allowed to say. And from time to time, the courts and legislatures weigh in and decide where the line is.
>
> Alan
>
> At 02/08/2018 06:42 PM, Holly Raiche wrote:
>> Hi Alan
>>
>> I have concerns with your statement - and since your reply below, with our statement of principles for the EPDP.
>>
>> As I suggested in my email of 1 August, we need to be VERY clear that we are NOT arguing against implementation of a policy that is compliant with the GDPR. We are arguing for other issues that impact on users - WITHIN the umbrella of the GDPR. And if we do not make that very clear, then we look as if we are not prepared to operate within the bounds of the EPDP - which is all about developing a new policy to replace the RDS requirements that will allow registries/registrars to comply with their ICANN contracts and operate within the GDPR framework.
>>
>> So your statement below that ‘yes, other issues trump privacy’ - misstates that. What we are (or should be) arguing for is a balance of rights of access that - to the greatest extent possible - recognises the value of RDS to some constituencies with legitimate purposes - WITHIN the GDPR framework. That implicitly accepts that people/organisations that once had free and unrestricted access to the data will no longer have that open access.
>>
>> And for ALAC generally, I will repeat what I said in my 1 August email - our statement of principles must be VERY clear that we are NOT arguing for a new RDS policy that goes outside of the GDPR.
>>
>> Holly
>>
>> On 3 Aug 2018, at 1:29 am, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
>>
>>> At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote:
>>>> Jonathan / Alan
>>>>
>>>> Thanks for the clarifications.
>>>>
>>>> 3 - I don't know how you can know what the interests of a user
>>>> are. The assumption you seem to be making is that due process and privacy should take a backseat to access to data
>>>
>>> Privacy is not absolute but based on various other issues. So yes, we are saying that in some cases, the other issues trump privacy. Perhaps we differ on where the dividing line is.
>>>
>>>> 4 - Same as 3. Plenty of ccTLDs never offered PII in their public whois and there weren't any issues with security or stability.
>>>>
>>>> Skipping due process for "ease of access" is a very slippery and dangerous slope.
>>>
>>> Both here and in reply to #3, the term "due process" tends to be used in reference to legal constraints associated with law enforcement actions as sanctioned by laws and courts. That is one path to unlocking otherwise private information. A major aspect of the GDPR implementation will be identifying other less cumbersome and restricted processes for accessing WHOIS data by a variety of partners. It will not be unconstrained nor will it be as cumbersome as going to court (hopefully).
>>>
>>> Alan
>>>
>>>> Regards
>>>>
>>>> Michele
>>>>
>>>> --
>>>> Mr Michele Neylon
>>>> Blacknight Solutions
>>>> Hosting, Colocation & Domains
>>>> https://www.blacknight.com/
>>>> https://blacknight.blog/
>>>> Intl. +353 (0) 59 9183072
>>>> Direct Dial: +353 (0)59 9183090
>>>> Personal blog: https://michele.blog/
>>>> Some thoughts: https://ceo.hosting/
>>>> -------------------------------
>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
>>>>
>>>> On 02/08/2018, 15:03, "Jonathan Zuck" <JZuck@innovatorsnetwork.org> wrote:
>>>>
>>>> Thanks Michele!
>>>> 3. Where there appears to be a conflict of interest between a registrant and non-registrant end user, we'll be endeavoring to represent the interests of the non-registrant end user.
>>>> 4. Related to 3. This is simply an affirmation of the interests of end users in a stable and secure internet and it is those interests we'll be representing. We've included law enforcement because efficiencies regarding their access may come up. Just because there's always a way for them to get to data doesn't mean it's the best way.
>>>>
>>>> Make sense?
>>>> Jonathan
>>>>
>>>> -----Original Message-----
>>>> From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On Behalf Of Michele Neylon - Blacknight
>>>> Sent: Wednesday, August 1, 2018 12:34 PM
>>>> To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG <cpwg@icann.org>
>>>> Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC Statement regarding EPDP
>>>>
>>>> Alan
>>>>
>>>> 1 - good
>>>> 2 - good
>>>> 3 - I don't understand what that means
>>>> 4 - Why are you combining law enforcement and private parties? Law enforcement can always get access to data when they follow due process.
>>>>
>>>> Regards
>>>>
>>>> Michele
>>>>
>>>> --
>>>> Mr Michele Neylon
>>>> Blacknight Solutions
>>>> Hosting, Colocation & Domains
>>>> https://www.blacknight.com/
>>>> https://blacknight.blog/
>>>> Intl. +353 (0) 59 9183072
>>>> Direct Dial: +353 (0)59 9183090
>>>> Personal blog: https://michele.blog/
>>>> Some thoughts: https://ceo.hosting/
>>>> -------------------------------
>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
>>>>
>>>> On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan Greenberg" <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
>>>>
>>>> Yesterday, the EPDP Members were asked to present a 1-3 minute summary of their groups position in regard to the EPDP. The following is the statement agreed to by me, Hadia, Holly and Seun.
>>>>
>>>> 1. The ALAC believes that the EPDP MUST succeed and will be working toward that end.
>>>>
>>>> 2. We have a support structure that we are organizing to ensure that what we present here is understood by our community and has their input and support.
>>>>
>>>> 3. The ALAC believes that individual registrants are users and we have regularly worked on their behalf (as in the PDP that we initiated to protect registrant rights when their domains expire), if registrant needs differ from those of the 4 billion Internet users who are not registrants, those latter needs take precedence. We believe that GDPR and this EPDP are such a situation.
>>>>
>>>> 4. Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for those third parties who work to ensure that the Internet is a safe and secure place for users and that means that law enforcement, cybersecurity researchers, those combatting fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks and such can work with minimal reduction in access to WHOIS data. All within the constraints of GDPR of course.
>>>>
>>>> _______________________________________________
>>>> CPWG mailing list
>>>> CPWG@icann.org
>>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>> _______________________________________________
>>>> registration-issues-wg mailing list
>>>> registration-issues-wg@atlarge-lists.icann.org
>>>> https://mm.icann.org/mailman/listinfo/registration-issues-wg
>>>>
>>>> _______________________________________________
>>>> CPWG mailing list
>>>> CPWG@icann.org
>>>> https://mm.icann.org/mailman/listinfo/cpwg
>>>> _______________________________________________
>>>> GTLD-WG mailing list
>>>> GTLD-WG@atlarge-lists.icann.org
>>>> https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
>>>>
>>>> Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
>>>
>>> _______________________________________________
>>> CPWG mailing list
>>> CPWG@icann.org
>>> https://mm.icann.org/mailman/listinfo/cpwg
>>> _______________________________________________
>>> registration-issues-wg mailing list
>>> registration-issues-wg@atlarge-lists.icann.org
>>> https://mm.icann.org/mailman/listinfo/registration-issues-wg
> _______________________________________________
> CPWG mailing list
> CPWG@icann.org
> https://mm.icann.org/mailman/listinfo/cpwg
To Tijani's point, even registrants are end users and while they are end users, we're trying to protect their interests. It's NOT a distinct group of people but a type of use of the internet which is pervasive. We are ALL "end users" (ie making reservations, doing banking, etc.) MOST of the time. I would contend that our job is to represent the interests of people engaged in end user activities.
On 8/6/18, 12:08 PM, "GTLD-WG on behalf of Marita Moll" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of mmoll@ca.inter.net> wrote:
I am in agreement with Tijani, Holly, Bastian and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote:
> Very interesting discussion. This issue has been discussed several times and the positions didn’t change.
> What bothers me is the presentation of the registrants interest as opposite to the remaining users ones. they are not since the registrants are also subject to the domain abuse.
> You are speaking about 4 billion users; these include all: contracted parties, business, registrants, governments, etc. We are about defending the interest of all of them as individual end users, not as registry, registrar, businessman, minister, etc….
> You included the cybersecurity researchers; you know how Cambridge Analytica got the American data from Facebook? They requested to have access to these data for research, and the result was the American election result impacted.
>
> So, I agree with Bastiaan that we need to be careful and care about the protection of personal data as well as the prevention of any harmful use of the domain names, both together.
I say again. If anyone feels that a person who buys a domain name has exactly the same interest as one who simply goes to a website to buy a service or gather some information then the idea of motivation as premise for action is a lie. I do not contest that a registrant can and does have a privacy interest the same as that fabled person described above. What I contend is that in the business of policy-making - which is the epitome of balancing interests! - and in comparing the relatively few registrants to the much larger ordinary user group, the At-Large is compelled to act in ways that benefit the larger number. It is my view that considering the predations we are all aware of and using the teeter-totter metaphor, the larger number would likely tilt it towards security than not. This is so even in the matter of public law. This is the principled position that the ALAC should declare and which the At-Large representatives should take and make referential in the ePDP. This is not even a nuanced view. And I am unanimous on that. -Carlton ============================== *Carlton A Samuels* *Mobile: 876-818-1799* *Strategy, Process, Governance, Assessment & Turnaround* ============================= On Mon, Aug 6, 2018 at 11:00 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
To Tijani's point, even registrants are end users and while they are end users, we're trying to protect their interests. It's NOT a distinct group of people but a type of use of the internet which is pervasive. We are ALL "end users" (i.e. making reservations, doing banking, etc.) MOST of the time. I would contend that our job is to represent the interests of people engaged in end user activities.
On 8/6/18, 12:08 PM, "GTLD-WG on behalf of Marita Moll" < gtld-wg-bounces@atlarge-lists.icann.org on behalf of mmoll@ca.inter.net> wrote:
I am in agreement with Tijani, Holly, Bastiaan and Michele. Perhaps it is unintentional, but the language does send the message that we are looking more carefully at security than privacy. I am also not convinced that end-users would want us to do that.
Marita
On 8/3/2018 10:30 AM, Tijani BEN JEMAA wrote: > Very interesting discussion. This issue has been discussed several > times and the positions didn’t change. > What bothers me is the presentation of the registrants’ interest > as opposite to the remaining users’ ones. They are not since the > registrants are also subject to the domain abuse. > You are speaking about 4 billion users; these include all: contracted > parties, business, registrants, governments, etc. We are about > defending the interest of all of them as individual end users, not as > registry, registrar, businessman, minister, etc…. > You included the cybersecurity researchers; you know how Cambridge > Analytica got the American data from Facebook? They requested to have > access to these data for research, and the result was the American > election result impacted. > > So, I agree with Bastiaan that we need to be careful and care about > the protection of personal data as well as the prevention of any > harmful use of the domain names, both together. > ----------------------------------------------------------------------------- > *Tijani BEN JEMAA* > Executive Director > Mediterranean Federation of Internet Associations (*FMAI*) > Phone: +216 98 330 114 > +216 52 385 114 > ----------------------------------------------------------------------------- > > >> Le 3 août 2018 à 07:22, Bastiaan Goslings >> <bastiaan.goslings@ams-ix.net <mailto:bastiaan.goslings@ams-ix.net>>
>> a écrit : >> >> Thanks for clarifying, Alan. >> >> As a matter of principle I agree with Holly - and Michele. While I >> think I understand the good intent of what you are saying, your >> earlier responses almost sound to me like a false ‘security versus >> privacy’ dichotomy. Like, the number of people (users) that care >> about security as opposed to those (registrants) that want their >> privacy protected to the max is larger. Etc. >> >> Apologies if I am oversimplifying things here, I do not mean to. >> >> In this particular EPDP case though I am convinced that we can find a >> common ground on what the ALAC members and alternates should bring to >> the table. In terms of perceived registrants’ and general Internet >> end-users’ interests. As you rightly state, it is about being GDPR >> compliant. So we do not have to be philosophical about a rather broad >> term like ‘privacy’ and argue about whether it is in conflict with >> e.g. the interest of LEAs. Indeed, ‘Privacy is not absolute’. >> However, ‘due process’ is a(nother) no brainer, not just because it >> might be a legal requirement. From what I understand the work being >> done on defining Access and Accreditation criteria is keeping that >> principle in mind, and within the MS context of the EPDP we can >> together see to it that it does end up properly enshrined in policy >> and contracts. >> >> -Bastiaan >> >> >> >>> On 3 Aug 2018, at 01:10, Alan Greenberg <alan.greenberg@mcgill.ca >>> <mailto:alan.greenberg@mcgill.ca>> wrote: >>> >>> Holly, the original statement ends with "All within the constraints >>> of GDPR of course." >>> >>> I don't know how to make that clearer. We would be absolutely >>> FOOLISH to argue for anything else, since it will not be implementable. >>> >>> That being said, if through the EPDP or otherwise we can help make >>> the legal argument for why good access for the folks we list at the >>> end is within GDPR, more power to us. 
>>> >>> GDPR (and eventually similar legislation/regulation elsewhere) is >>> the overall constraint. It is equivalent to the laws of physics >>> which for the moment we need to consider inviolate. >>> >>> So my statement that "other issues trump privacy" is within that >>> context. But just as proportionality governs what GDPR will decree >>> as private in any given case, so it will govern what is not private. >>> It all depends on making the legal argument and ultimately if needed >>> convincing the courts. They are the arbiters, not me or anyone else >>> in ICANN. >>> >>> In the US, there is the constitutional right to freedom of speech, >>> but it is not unconstrained and there are limits to what you are >>> allowed and not allowed to say. And from time to time, the courts >>> and legislatures weigh in and decide where the line is. >>> >>> Alan >>> >>> >>> At 02/08/2018 06:42 PM, Holly Raiche wrote: >>>> Hi Alan >>>> >>>> I have concerns with your statement - and since your reply below, >>>> with our statement of principles for the EPDP. >>>> >>>> As I suggested in my email of 1 August, we need to be VERY clear >>>> that we are NOT arguing against implementation of a policy that is >>>> compliant with the GDPR. We are arguing for other issues that >>>> impact on users - WITHIN the umbrella of the GDPR. And if we do >>>> not make that very clear, then we look as if we are not prepared to >>>> operate within the bounds of the EPDP - which is all about >>>> developing a new policy to replace the RDS requirements that will >>>> allow registries/registrars to comply with their ICANN contracts >>>> and operate within the GDPR framework. >>>> >>>> So your statement below that ‘yes, other issues trump privacy’ - >>>> misstates that. What we are (or should be) arguing for is a >>>> balance of rights of access that - to the greatest extent possible >>>> - recognises the value of RDS to some constituencies with >>>> legitimate purposes - WITHIN the GDPR framework. 
That implicitly >>>> accepts that people/organisations that once had free and >>>> unrestricted access to the data will no longer have that open access. >>>> >>>> And for ALAC generally, I will repeat what I said in my 1 August >>>> email - our statement of principles must be VERY clear that we are >>>> NOT arguing for a new RDS policy that goes outside of the GDPR. >>>> >>>> Holly >>>> >>>> >>>> On 3 Aug 2018, at 1:29 am, Alan Greenberg < alan.greenberg@mcgill.ca >>>> <mailto:alan.greenberg@mcgill.ca> > wrote: >>>> >>>>> At 02/08/2018 10:37 AM, Michele Neylon - Blacknight wrote: >>>>>> Jonathan / Alan >>>>>> >>>>>> Thanks for the clarifications. >>>>>> >>>>>> 3 - I don't know how you can know what the interests of a user >>>>>> are. The assumption you seem to be making is that due process and >>>>>> privacy should take a backseat to access to data >>>>> >>>>> Privacy is not absolute but based on various other issues. So yes, >>>>> we are saying that in some cases, the other issues trump privacy. >>>>> Perhaps we differ on where the dividing line is. >>>>> >>>>> >>>>>> 4 - Same as 3. Plenty of ccTLDs never offered PII in their public >>>>>> whois and there weren't any issues with security or stability. >>>>>> >>>>>> Skipping due process for "ease of access" is a very slippery and >>>>>> dangerous slope. >>>>> >>>>> Both here and in reply to #3, the term "due process" tends to be >>>>> used in reference to legal constraints associated with law >>>>> enforcement actions as sanctioned by laws and courts. That is one >>>>> path to unlocking otherwise private information. A major aspect of >>>>> the GDPR implementation will be identifying other less cumbersome >>>>> and restricted processes for accessing WHOIS data by a variety of >>>>> partners. It will not be unconstrained nor will it be as >>>>> cumbersome as going to court (hopefully). 
>>>>> >>>>> Alan >>>>> >>>>> >>>>>> Regards >>>>>> >>>>>> Michele >>>>>> >>>>>> >>>>>> -- >>>>>> Mr Michele Neylon >>>>>> Blacknight Solutions >>>>>> Hosting, Colocation & Domains >>>>>> https://www.blacknight.com/ >>>>>> https://blacknight.blog/ >>>>>> Intl. +353 (0) 59 9183072 >>>>>> Direct Dial: +353 (0)59 9183090 >>>>>> Personal blog: https://michele.blog/ >>>>>> Some thoughts: https://ceo.hosting/ >>>>>> ------------------------------- >>>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >>>>>> Park,Sleaty >>>>>> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 >>>>>> >>>>>> On 02/08/2018, 15:03, "Jonathan Zuck" >>>>>> <JZuck@innovatorsnetwork.org> wrote: >>>>>> >>>>>> Thanks Michele! >>>>>> 3. Where there appears to be a conflict of interest between a >>>>>> registrant and non-registrant end user, we'll be endeavoring to >>>>>> represent the interests of the non-registrant end user. >>>>>> 4. Related to 3. This is simply an affirmation of the interests >>>>>> of end users in a stable and secure internet and it is those >>>>>> interests we'll be representing. We've included law enforcement >>>>>> because efficiencies regarding their access may come up. Just >>>>>> because there's always a way for them to get to data doesn't mean >>>>>> it's the best way. >>>>>> >>>>>> Make sense? >>>>>> Jonathan >>>>>> >>>>>> >>>>>> -----Original Message----- >>>>>> From: GTLD-WG <gtld-wg-bounces@atlarge-lists.icann.org> On >>>>>> Behalf Of Michele Neylon - Blacknight >>>>>> Sent: Wednesday, August 1, 2018 12:34 PM >>>>>> To: Alan Greenberg <alan.greenberg@mcgill.ca>; CPWG >>>>>> <cpwg@icann.org> >>>>>> Subject: Re: [GTLD-WG] [CPWG] [registration-issues-wg] ALAC >>>>>> Statement regarding EPDP >>>>>> >>>>>> Alan >>>>>> >>>>>> 1 - good >>>>>> 2 - good >>>>>> 3 - I don't understand what that means >>>>>> 4 - Why are you combining law enforcement and private parties? 
>>>>>> Law enforcement can always get access to data when they follow >>>>>> due process. >>>>>> >>>>>> Regards >>>>>> >>>>>> Michele >>>>>> >>>>>> >>>>>> -- >>>>>> Mr Michele Neylon >>>>>> Blacknight Solutions >>>>>> Hosting, Colocation & Domains >>>>>> https://www.blacknight.com/ >>>>>> https://blacknight.blog/ >>>>>> Intl. +353 (0) 59 9183072 >>>>>> Direct Dial: +353 (0)59 9183090 >>>>>> Personal blog: https://michele.blog/ >>>>>> Some thoughts: https://ceo.hosting/ >>>>>> ------------------------------- >>>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >>>>>> Park,Sleaty >>>>>> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 >>>>>> >>>>>> On 01/08/2018, 17:27, "registration-issues-wg on behalf of Alan >>>>>> Greenberg" >>>>>> <registration-issues-wg-bounces@atlarge-lists.icann.org on behalf >>>>>> of alan.greenberg@mcgill.ca> wrote: >>>>>> >>>>>> Yesterday, the EPDP Members were asked to present a 1-3 minute >>>>>> summary of their groups position in regard to the EPDP. The >>>>>> following >>>>>> is the statement agreed to by me, Hadia, Holly and Seun. >>>>>> >>>>>> 1. The ALAC believes that the EPDP MUST succeed and will >>>>>> be working >>>>>> toward that end. >>>>>> >>>>>> 2. We have a support structure that we are organizing to >>>>>> ensure >>>>>> that what we present here is understood by our community >>>>>> and has >>>>>> their input and support. >>>>>> >>>>>> 3. The ALAC believes that individual registrants are >>>>>> users and we >>>>>> have regularly worked on their behalf (as in the PDP that we >>>>>> initiated to protect registrant rights when their domains >>>>>> expire), if >>>>>> registrant needs differ from those of the 4 billion >>>>>> Internet users >>>>>> who are not registrants, those latter needs take precedence. We >>>>>> believe that GDPR and this EPDP are such a situation. >>>>>> >>>>>> 4. 
Although some Internet users consult WHOIS and will >>>>>> not be able >>>>>> to do so in some cases going forward, our main concern is >>>>>> access for >>>>>> those third parties who work to ensure that the Internet is >>>>>> a safe >>>>>> and secure place for users and that means that law enforcement, >>>>>> cybersecurity researchers, those combatting fraud in domain >>>>>> names, >>>>>> and others who help protect users from phishing, malware, spam, >>>>>> fraud, DDoS attacks and such can work with minimal reduction in >>>>>> access to WHOIS data. All within the constraints of GDPR of >>>>>> course.
participants (16)
Alan Greenberg
Bastiaan Goslings
Carlton Samuels
Evan Leibovitch
Greg Shatan
Greg Shatan
Hadia Abdelsalam Mokhtar EL miniawi
Holly Raiche
Jonathan Zuck
Kan Kaili
Marita Moll
Maureen Hilyard
Michele Neylon - Blacknight
Roberto Gaetano
Tijani BEN JEMAA
wilkinson christopher