PP services for gated access data
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Thursday, August 30, 2018 10:28 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] PP services for gated access data
All –
Just to continue the smaller discussion from today’s call:
Putting aside the existential question of whether the business case for privacy/proxy makes sense following the implementation of the GDPR, and assuming that:
1) privacy/proxy providers will continue to do business and
2) the EPDP is going to reach a solution that will give IP rights holders, cybersecurity researchers, law enforcement, and other vetted people access to the registrant data that is not publicly available;
I propose that the IRT consider that, since the second tier of WHOIS data would only be available to vetted, accredited law enforcement, cybersecurity, IP rights holders, etc. that have represented that they have a legitimate purpose for accessing the data, and since that data is merely subscriber data (which under the Council of Europe’s CyberCrime Convention, and numerous other legal regimes as well, is deserving of the lowest level of privacy protection), and therefore no legitimate purpose is served by further hindering access to such data, the IRT should add the following language to the draft PPAA:
3.5.7 Provider shall not provide Services for Customers whose data is non-public.
Or
3.5.7 Provider shall not provide Services for Customers whose data is only accessible through gated access in the RDDS system and is not publicly available through WHOIS.
Thanks,
Peter Roman
Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Thursday, August 30, 2018 3:08 AM To: gdd-gnso-ppsai-impl@icann.org; Michele Neylon - Blacknight <michele@blacknight.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Agreed on the moving target part. Not to mention another moving target that will render most of our work right down into the trash if it happens.
http://domainincite.com/23371-could-a-new-us-law-make-gdpr-irrelevant
This draft seems to be in direct conflict with some of the WG's recommendations; https://via.hypothes.is/https://www.internetgovernance.org/wp-content/uploads/Draft-WHOIS-Legislation-as-of-Aug-16-2018.pdf
Thanks,
Theo
On 30-8-2018 7:55, Michele Neylon - Blacknight wrote:
I won’t be able to attend as I’m at an event.
I also agree with the concerns raised by others about pegging *anything* to a moving target, which the Temp Spec is
TLDR – it’s not policy – it’s a stopgap. Baking it into anything else is a really bad idea
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Wednesday 29 August 2018 at 16:22 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Dear Colleagues,
This is a reminder that the PP IRT will meet tomorrow, Thursday, 30 August, at 1600 UTC.
A draft markup of the PPAA is attached. This markup is for discussion purposes only—it is not a final proposal and remains subject to revision. The draft is being circulated, without further delay, to continue the conversation. It has not been approved by senior management and is for discussion only.
We would like to begin discussing the following topics tomorrow (but please feel free to comment before then on the list):
(1) Some suggested edits track what’s in the Temporary Specification for gTLD Registration Data. For example, section 3.5.3.3. How should we approach drafting provisions modeled on the Temp Spec, given that its language is subject to change in the near future?
(2) The disclosure frameworks seem to be written from the position that there’s no discretion for the Provider to not provide the underlying customer data if the conditions in the framework are met. Is this the intent? This could potentially cause issues under the GDPR, because this doesn’t seem to leave room to balance the interests of the data subjects with the legitimate interest of the parties requesting personal data.
(3) The disclosure frameworks raise additional GDPR-related questions that are similar to questions raised in the Draft Framework Elements of a Potential Unified Access Model <https://www.icann.org/en/system/files/files/framework-elements-unified-access-model-for-discussion-20aug18-en.pdf> paper published by ICANN org. For example, what would the requirements be for logging requests for disclosure made under the frameworks (or even requests not governed by the frameworks)?
(4) Do you see any other issues that you believe must be addressed related to GDPR that were not addressed in this markup?
(5) Following the completion of the IRT’s review of this draft accreditation agreement and related matters, we believe we are ready to proceed to public comment. Do you believe there is any reason why the IRT should not proceed to public comment?
(6) We have heard questions from various members of the community about how the proposed accreditation program requirements will operate within the current Temp Spec RDDS environment. These proposed program requirements do not address how PP registrations interact with a gated access model or how they might be impacted, if at all, by the results of the EPDP. Is this an issue that the IRT believes should be explored at this stage?
If any member of the IRT wishes to raise any comments or points about this topic, you are encouraged to do so during the IRT call or via the list.
One area that may need further attention in the agreement is specifically defining what data is to be collected and for what purpose. In addition, the new Specification 8 contains some data processing requirements, but additional discussion is needed on the appropriate controller arrangements that are needed between ICANN, the registrar and the Provider.
Best, Amy
Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> On Behalf Of DiBiase, Gregory via Gdd-gnso-ppsai-impl Sent: Thursday, August 30, 2018 3:29 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] PP services for gated access data
Hi Peter,
This seems like a substantive policy change that was not envisioned or included in the original policy. Accordingly, I don’t think the IRT is empowered to make this change.
If you think the changes created by the GDPR necessitate substantive changes to the underlying policy (which I think is a reasonable view), then I think it would be necessary to pause the IRT and reconsider the policy itself. (is that right Amy?)
Thanks, Greg
Amy Bivins wrote on 2018-08-30 09:52 PM:
Thanks, Greg!
It’s my understanding that (a) if it is the consensus view of the IRT that a Policy issue has come up that is not addressed in the Final Recommendations that (b) should or must be addressed (or if it is unclear whether the issue should be addressed) before we can proceed, then the appropriate vehicle for resolution would be for the Council Liaison to escalate the issue to the Council (looking at the IRT guidelines, here: https://gnso.icann.org/sites/default/files/file/field-file-attach/2016-12/ir...).
I don’t think the Council would necessarily have to reconsider the policy itself, but that’s one of the options—I think the Council could also use its relatively new guidance process (GGP) or initiate an ePDP if the Council decided to do so (that’s my understanding, but I will confirm with the Policy team on this). Procedurally, I think any change in course would have to come from the Council, as ICANN org is currently implementing based on the Council and Board’s instruction to proceed to implementation.
Best, Amy
Hi all, Seems all paths lead to the GNSO. So I think there are two tracks; Pause it and wait for the ePDP, if Peter is correct and the UAM is the answer I do not see a need for the disclosure frameworks as the UAM will apply to privacy providers and or redacted WHOIS records. Then there is the existential question, and Greg is correct not for us to decide on but we can assist the GNSO to gain a better understanding how the landscape has changed compared to years ago when we started this group. Correct? Theo Amy Bivins schreef op 2018-08-30 09:52 PM:
Thanks, Greg!
It’s my understanding that (a) if it is the consensus view of the IRT that a Policy issue has come up that is not addressed in the Final Recommendations that (b) should or must be addressed (or if it is unclear whether the issue should be addressed) before we can proceed, then the appropriate vehicle for resolution would be for the Council Liaison to escalate the issue to the Council (looking at the IRT guidelines, here: https://gnso.icann.org/sites/default/files/file/field-file-attach/2016-12/ir...).
I don’t think the Council would necessarily have to reconsider the policy itself, but that’s one of the options—I think the Council could also use its relatively new guidance process (GGP) or initiate an ePDP if the Council decided to do so (that’s my understanding, but I will confirm with the Policy team on this). Procedurally, I think any change in course would have to come from the Council, as ICANN org is currently implementing based on the Council and Board’s instruction to proceed to implementation.
Best, Amy
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> On Behalf Of DiBiase, Gregory via Gdd-gnso-ppsai-impl Sent: Thursday, August 30, 2018 3:29 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] PP services for gated access data
Hi Peter,
This seems like a substantive policy change that was not envisioned or included in the original policy. Accordingly, I don’t think the IRT is empowered to make this change.
If you think the changes created by the GDPR necessitate substantive changes to the underlying policy (which I think is a reasonable view), then I think it would be necessary to pause the IRT and reconsider the policy itself. (is that right Amy?)
Thanks, Greg
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Thursday, August 30, 2018 10:28 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] PP services for gated access data
All –
Just to continue the smaller discussion from today’s call:
Putting aside the existential question of whether the business case for privacy/proxy makes sense following the implementation of the GDPR, and assuming that:
1) privacy/proxy providers will continue to do business and
2) the EPDP is going to reach a solution that will give IP rights holders, cybersecurity researchers, law enforcement, and other vetted people access to the registrant data that is not publicly available;
I propose that the IRT consider that, since the second tier of WHOIS data would only be available to vetted, accredited law enforcement, cybersecurity, IP rights holders, etc. that have represented that they have a legitimate purpose for accessing the data, and since that data is merely subscriber data (which under the Council of Europe’s CyberCrime Convention, and numerous other legal regimes as well, is deserving of the lowest level of privacy protection), and therefore no legitimate purpose is served by further hindering access to such data, the IRT should add the following language to the draft PPAA:
3.5.7 Provider shall not provide Services for Customers whose data is non-public.
Or
3.5.7 Provider shall not provide Services for Customers whose data is only accessible through gated access in the RDDS system and is not publicly available through WHOIS.
Thanks,
Peter Roman
Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov>
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Thursday, August 30, 2018 3:08 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Michele Neylon - Blacknight <michele@blacknight.com<mailto:michele@blacknight.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Agreed on the moving target part. Not too mention another moving target that will render most of our work right down into the trash if it happens.
http://domainincite.com/23371-could-a-new-us-law-make-gdpr-irrelevant
This draft seems to be in direct conflict with some of the WG's recommendations; https://via.hypothes.is/https://www.internetgovernance.org/wp-content/uploads/Draft-WHOIS-Legislation-as-of-Aug-16-2018.pdf<https://via.hypothes.is/https:/www.internetgovernance.org/wp-content/uploads/Draft-WHOIS-Legislation-as-of-Aug-16-2018.pdf>
Thanks,
Theo
On 30-8-2018 7:55, Michele Neylon - Blacknight wrote: I won’t be able to attend as I’m at an event.
I also agree with the concerns raised by others about pegging *anything* to a moving target, which the Temp Spec is
TLDR – it’s not policy – it’s a stopgap. Baking it into anything else is a really bad idea
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org><mailto:amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday 29 August 2018 at 16:22 To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Dear Colleagues,
This is a reminder that the PP IRT will meet tomorrow, Thursday, 30 August, at 1600 UTC.
A draft markup of the PPAA is attached. This markup is for discussion purposes only—it is not a final proposal and remains subject to revision. The draft is being circulated, without further delay, to continue the conversation. It has not been approved by senior management and is for discussion only.
We would like to begin discussing the following topics tomorrow (but please feel free to comment before then on the list):
1. Some suggested edits track what’s in the Temporary Specification for gTLD Registration Data. For example, section 3.5.3.3. How should we approach drafting provisions modeled on the Temp Spec, given that its language is subject to change in the near future? 2. The disclosure frameworks seem to be written from the position that there’s no discretion for the Provider to not provide the underlying customer data if the conditions in the framework are met. Is this the intent? This could potentially cause issues under the GDPR, because this doesn’t seem to leave room to balance the interests of the data subjects with the legitimate interest of the parties requesting personal data. 3. The disclosure frameworks raise additional GDPR-related questions that are similar to questions raised in the Draft Framework Elements of a Potential Unified Access Model<https://www.icann.org/en/system/files/files/framework-elements-unified-access-model-for-discussion-20aug18-en.pdf> paper published by ICANN org. For example, what would the requirements be for logging requests for disclosure made under the frameworks (or even requests not governed by the frameworks)? 4. Do you see any other issues that you believe must be addressed related to GDPR that were not addressed in this markup? 5. Following the completion of the IRT’s review of this draft accreditation agreement and related matters, we believe are ready to proceed to public comment. Do you believe there is any reason why the IRT should not proceed to public comment? 6. We have heard questions from various members of the community about how the proposed accreditation program requirements will operate within the current Temp Spec RDDS environment. These proposed program requirements do not address how PP registrations interact with a gated access model or how they might be impacted, if at all, by the results of the EPDP. Is this an issue that the IRT believes should be explored at this stage? 
If any member of the IRT wishes to raise any comments or points about this topic, you are encouraged to do so during the IRT call or via the list.
One area that may need further attention in the agreement is specifically defining what data is to be collected and for what purpose. In addition, the new Specification 8 contains some data processing requirements, but additional discussion is needed on the appropriate controller arrangements that are needed between ICANN, the registrar and the Provider.
Best, Amy
Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org>
_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org>
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Hello, everyone,
To clarify, there must be consensus among the IRT members that an issue needs to be escalated to the Council. If there isn't a consensus to take an issue to the Council, another option would be to flag the issue for community feedback in the call for public comments.
Thanks so much for your input thus far, and I encourage those of you who haven't weighed in on this issue yet to share your thoughts on the list!
Best, Amy
-----Original Message-----
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> On Behalf Of gtheo Sent: Friday, August 31, 2018 4:15 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] PP services for gated access data
Hi all,
Seems all paths lead to the GNSO. So I think there are two tracks; Pause it and wait for the ePDP, if Peter is correct and the UAM is the answer I do not see a need for the disclosure frameworks as the UAM will apply to privacy providers and/or redacted WHOIS records.
Then there is the existential question, and Greg is correct not for us to decide on but we can assist the GNSO to gain a better understanding how the landscape has changed compared to years ago when we started this group.
Correct?
Theo
Amy Bivins wrote on 2018-08-30 09:52 PM:
Thanks, Greg!
It’s my understanding that (a) if it is the consensus view of the IRT that a Policy issue has come up that is not addressed in the Final Recommendations that (b) should or must be addressed (or if it is unclear whether the issue should be addressed) before we can proceed, then the appropriate vehicle for resolution would be for the Council Liaison to escalate the issue to the Council (looking at the IRT guidelines, here: https://gnso.icann.org/sites/default/files/file/field-file-attach/2016-12/ir...).
I don’t think the Council would necessarily have to reconsider the policy itself, but that’s one of the options—I think the Council could also use its relatively new guidance process (GGP) or initiate an ePDP if the Council decided to do so (that’s my understanding, but I will confirm with the Policy team on this). Procedurally, I think any change in course would have to come from the Council, as ICANN org is currently implementing based on the Council and Board’s instruction to proceed to implementation.
Best, Amy
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> On Behalf Of DiBiase, Gregory via Gdd-gnso-ppsai-impl Sent: Thursday, August 30, 2018 3:29 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] PP services for gated access data
Hi Peter,
This seems like a substantive policy change that was not envisioned or included in the original policy. Accordingly, I don’t think the IRT is empowered to make this change.
If you think the changes created by the GDPR necessitate substantive changes to the underlying policy (which I think is a reasonable view), then I think it would be necessary to pause the IRT and reconsider the policy itself. (is that right Amy?)
Thanks, Greg
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Thursday, August 30, 2018 10:28 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] PP services for gated access data
All –
Just to continue the smaller discussion from today’s call:
Putting aside the existential question of whether the business case for privacy/proxy makes sense following the implementation of the GDPR, and assuming that:
1) privacy/proxy providers will continue to do business and
2) the EPDP is going to reach a solution that will give IP rights holders, cybersecurity researchers, law enforcement, and other vetted people access to the registrant data that is not publicly available;
I propose that the IRT consider that, since the second tier of WHOIS data would only be available to vetted, accredited law enforcement, cybersecurity, IP rights holders, etc. that have represented that they have a legitimate purpose for accessing the data, and since that data is merely subscriber data (which under the Council of Europe’s CyberCrime Convention, and numerous other legal regimes as well, is deserving of the lowest level of privacy protection), and therefore no legitimate purpose is served by further hindering access to such data, the IRT should add the following language to the draft PPAA:
3.5.7 Provider shall not provide Services for Customers whose data is non-public.
Or
3.5.7 Provider shall not provide Services for Customers whose data is only accessible through gated access in the RDDS system and is not publicly available through WHOIS.
Thanks,
Peter Roman
Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov>
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Thursday, August 30, 2018 3:08 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Michele Neylon - Blacknight <michele@blacknight.com<mailto:michele@blacknight.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Agreed on the moving target part. Not to mention another moving target that will render most of our work right down into the trash if it happens.
http://domainincite.com/23371-could-a-new-us-law-make-gdpr-irrelevant
This draft seems to be in direct conflict with some of the WG's recommendations; https://via.hypothes.is/https://www.internetgovernance.org/wp-content/uploads/Draft-WHOIS-Legislation-as-of-Aug-16-2018.pdf
Thanks,
Theo
On 30-8-2018 7:55, Michele Neylon - Blacknight wrote: I won’t be able to attend as I’m at an event.
I also agree with the concerns raised by others about pegging *anything* to a moving target, which the Temp Spec is
TLDR – it’s not policy – it’s a stopgap. Baking it into anything else is a really bad idea
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Wednesday 29 August 2018 at 16:22 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Dear Colleagues,
This is a reminder that the PP IRT will meet tomorrow, Thursday, 30 August, at 1600 UTC.
A draft markup of the PPAA is attached. This markup is for discussion purposes only—it is not a final proposal and remains subject to revision. The draft is being circulated, without further delay, to continue the conversation. It has not been approved by senior management and is for discussion only.
We would like to begin discussing the following topics tomorrow (but please feel free to comment before then on the list):
1. Some suggested edits track what’s in the Temporary Specification for gTLD Registration Data. For example, section 3.5.3.3. How should we approach drafting provisions modeled on the Temp Spec, given that its language is subject to change in the near future?
2. The disclosure frameworks seem to be written from the position that there’s no discretion for the Provider to not provide the underlying customer data if the conditions in the framework are met. Is this the intent? This could potentially cause issues under the GDPR, because this doesn’t seem to leave room to balance the interests of the data subjects with the legitimate interest of the parties requesting personal data.
3. The disclosure frameworks raise additional GDPR-related questions that are similar to questions raised in the Draft Framework Elements of a Potential Unified Access Model <https://www.icann.org/en/system/files/files/framework-elements-unified-access-model-for-discussion-20aug18-en.pdf> paper published by ICANN org. For example, what would the requirements be for logging requests for disclosure made under the frameworks (or even requests not governed by the frameworks)?
4. Do you see any other issues that you believe must be addressed related to GDPR that were not addressed in this markup?
5. Following the completion of the IRT’s review of this draft accreditation agreement and related matters, we believe are ready to proceed to public comment. Do you believe there is any reason why the IRT should not proceed to public comment?
6. We have heard questions from various members of the community about how the proposed accreditation program requirements will operate within the current Temp Spec RDDS environment. These proposed program requirements do not address how PP registrations interact with a gated access model or how they might be impacted, if at all, by the results of the EPDP. Is this an issue that the IRT believes should be explored at this stage?
If any member of the IRT wishes to raise any comments or points about this topic, you are encouraged to do so during the IRT call or via the list.
One area that may need further attention in the agreement is specifically defining what data is to be collected and for what purpose. In addition, the new Specification 8 contains some data processing requirements, but additional discussion is needed on the appropriate controller arrangements that are needed between ICANN, the registrar and the Provider.
Best, Amy
Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org>
This seems highly impractical, as a service provider would suddenly have to monitor what happens to a domain name whois after the fact. And why shouldn't there be an additional layer of privacy for those that legitimately need or want it? Maybe the data just is not public because the registry is redacting it, but the registrant does not trust the registry operator with his data?
Aside from the fact that this is a policy question that does not belong into the IRT but into the PDP proper, I do not support the proposed addition on its merits either.
Volker
On 30.08.2018 at 19:28, Roman, Peter (CRM) wrote:
All –
Just to continue the smaller discussion from today’s call:
Putting aside the existential question of whether the business case for privacy/proxy makes sense following the implementation of the GDPR, and assuming that:
1) privacy/proxy providers will continue to do business and
2) the EPDP is going to reach a solution that will give IP rights holders, cybersecurity researchers, law enforcement, and other vetted people access to the registrant data that is not publicly available;
I propose that the IRT consider that, since the second tier of WHOIS data would only be available to vetted, accredited law enforcement, cybersecurity, IP rights holders, etc. that have represented that they have a legitimate purpose for accessing the data, and since that data is merely subscriber data (which under the Council of Europe’s CyberCrime Convention, and numerous other legal regimes as well, is deserving of the lowest level of privacy protection), and therefore no legitimate purpose is served by further hindering access to such data, the IRT should add the following language to the draft PPAA:
3.5.7 Provider shall not provide Services for Customers whose data is non-public.
Or
3.5.7 Provider shall not provide Services for Customers whose data is only accessible through gated access in the RDDS system and is not publicly available through WHOIS.
Thanks,
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov <mailto:peter.roman@usdoj.gov>
--
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
My main problem with Peter’s proposal is that it rests on assumptions about what will be the ultimate outcome of the ePDP. It would be irresponsible to rely upon such assumptions (which are clearly premature) in fashioning the implementation rules for a consensus policy adopted by the community as the output of a multi-stakeholder process. It would be even less justified to rely upon such premature assumptions as an excuse for “pausing” our work when it is so near to completion and when completion is so long overdue.
Steve Metalitz
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> On Behalf Of Volker Greimann Sent: Friday, August 31, 2018 4:30 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] PP services for gated access data
This seems highly impractical, as a service provider would suddenly have to monitor what happens to a domain name whois after the fact. And why shouldn't there be an additional layer of privacy for those that legitimately need or want it? Maybe the data just is not public because the registry is redacting it, but the registrant does not trust the registry operator with his data?
Aside from the fact that this is a policy question that does not belong into the IRT but into the PDP proper, I do not support the proposed addition on its merits either.
Volker
Agreed, it is better to include this aspect in the ePDP deliberations and let them work this out.
On 05.09.2018 at 20:44, Metalitz, Steven wrote:
My main problem with Peter’s proposal is that it rests on assumptions about what will be the ultimate outcome of the ePDP. It would be irresponsible to rely upon such assumptions (which are clearly premature) in fashioning the implementation rules for a consensus policy adopted by the community as the output of a multi-stakeholder process. It would be even less justified to rely upon such premature assumptions as an excuse for “pausing” our work when it is so near to completion and when completion is so long overdue.
Steve Metalitz
*From:* Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> *On Behalf Of* Volker Greimann
*Sent:* Friday, August 31, 2018 4:30 AM
*To:* gdd-gnso-ppsai-impl@icann.org
*Subject:* Re: [Gdd-gnso-ppsai-impl] PP services for gated access data
This seems highly impractical, as a service provider would suddenly have to monitor what happens to a domain name whois after the fact. And why shouldn't there be an additional layer of privacy for those that legitimately need or want it? Maybe the data just is not public because the registry is redacting it, but the registrant does not trust the registry operator with his data?
Aside from the fact that this is a policy question that does not belong in the IRT but in the PDP proper, I do not support the proposed addition on its merits either.
Volker
On 30.08.2018 at 19:28, Roman, Peter (CRM) wrote:
All –
Just to continue the smaller discussion from today’s call:
Putting aside the existential question of whether the business case for privacy/proxy makes sense following the implementation of the GDPR, and assuming that:
1) privacy/proxy providers will continue to do business and
2) the EPDP is going to reach a solution that will give IP rights holders, cybersecurity researchers, law enforcement, and other vetted people access to the registrant data that is not publicly available;
I propose that the IRT consider that, since the second tier of WHOIS data would only be available to vetted, accredited law enforcement, cybersecurity, IP rights holders, etc. that have represented that they have a legitimate purpose for accessing the data, and since that data is merely subscriber data (which under the Council of Europe’s CyberCrime Convention, and numerous other legal regimes as well, is deserving of the lowest level of privacy protection), and therefore no legitimate purpose is served by further hindering access to such data, the IRT should add the following language to the draft PPAA:
3.5.7 Provider shall not provide Services for Customers whose data is non-public.
Or
3.5.7 Provider shall not provide Services for Customers whose data is only accessible through gated access in the RDDS system and is not publicly available through WHOIS.
Thanks,
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of* Theo Geurts
*Sent:* Thursday, August 30, 2018 3:08 AM
*To:* gdd-gnso-ppsai-impl@icann.org; Michele Neylon - Blacknight <michele@blacknight.com>
*Subject:* Re: [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Agreed on the moving target part. Not to mention another moving target that will render most of our work right down into the trash if it happens.
http://domainincite.com/23371-could-a-new-us-law-make-gdpr-irrelevant
This draft seems to be in direct conflict with some of the WG's recommendations; https://via.hypothes.is/https://www.internetgovernance.org/wp-content/uploads/Draft-WHOIS-Legislation-as-of-Aug-16-2018.pdf
Thanks,
Theo
On 30-8-2018 7:55, Michele Neylon - Blacknight wrote:
I won’t be able to attend as I’m at an event.
I also agree with the concerns raised by others about pegging **anything** to a moving target, which the Temp Spec is
TLDR – it’s not policy – it’s a stopgap. Baking it into anything else is a really bad idea
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
*From:* Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
*Reply-To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
*Date:* Wednesday 29 August 2018 at 16:22
*To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
*Subject:* [Gdd-gnso-ppsai-impl] Materials for tomorrow's PP IRT meeting are attached
Dear Colleagues,
This is a reminder that the PP IRT will meet tomorrow, Thursday, 30 August, at 1600 UTC.
A draft markup of the PPAA is attached. This markup is for discussion purposes only—it is not a final proposal and remains subject to revision. The draft is being circulated, without further delay, to continue the conversation. It has not been approved by senior management and is for discussion only.
We would like to begin discussing the following topics tomorrow (but please feel free to comment before then on the list):
(1) Some suggested edits track what’s in the Temporary Specification for gTLD Registration Data. For example, section 3.5.3.3. How should we approach drafting provisions modeled on the Temp Spec, given that its language is subject to change in the near future?
(2) The disclosure frameworks seem to be written from the position that there’s no discretion for the Provider to not provide the underlying customer data if the conditions in the framework are met. Is this the intent? This could potentially cause issues under the GDPR, because this doesn’t seem to leave room to balance the interests of the data subjects with the legitimate interest of the parties requesting personal data.
(3) The disclosure frameworks raise additional GDPR-related questions that are similar to questions raised in the Draft Framework Elements of a Potential Unified Access Model <https://www.icann.org/en/system/files/files/framework-elements-unified-access-model-for-discussion-20aug18-en.pdf> paper published by ICANN org. For example, what would the requirements be for logging requests for disclosure made under the frameworks (or even requests not governed by the frameworks)?
(4) Do you see any other issues that you believe must be addressed related to GDPR that were not addressed in this markup?
(5) Following the completion of the IRT’s review of this draft accreditation agreement and related matters, we believe are ready to proceed to public comment. Do you believe there is any reason why the IRT should not proceed to public comment?
(6) We have heard questions from various members of the community about how the proposed accreditation program requirements will operate within the current Temp Spec RDDS environment. These proposed program requirements do not address how PP registrations interact with a gated access model or how they might be impacted, if at all, by the results of the EPDP. Is this an issue that the IRT believes should be explored at this stage? If any member of the IRT wishes to raise any comments or points about this topic, you are encouraged to do so during the IRT call or via the list.
One area that may need further attention in the agreement is specifically defining what data is to be collected and for what purpose. In addition, the new Specification 8 contains some data processing requirements, but additional discussion is needed on the appropriate controller arrangements that are needed between ICANN, the registrar and the Provider.
Best,
Amy
*Amy E. Bivins*
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
In my view it is not advisable to base this implementation on speculation. It is reasonable the ePDP might eventually report something that could upend the P/P framework. As it might several other consensus policies. The way forward is to acknowledge that the output from the ePDP may fatally undermine a P/P framework but proceed with this work to completion on the current policy perspective.
- Carlton
==============================
*Carlton A Samuels*
*Mobile: 876-818-1799*
*Strategy, Process, Governance, Assessment & Turnaround*
=============================
On Thu, Aug 30, 2018 at 12:28 PM Roman, Peter (CRM) <Peter.Roman@usdoj.gov> wrote:
All –
Just to continue the smaller discussion from today’s call:
Putting aside the existential question of whether the business case for privacy/proxy makes sense following the implementation of the GDPR, and assuming that:
1) privacy/proxy providers will continue to do business and
2) the EPDP is going to reach a solution that will give IP rights holders, cybersecurity researchers, law enforcement, and other vetted people access to the registrant data that is not publicly available;
I propose that the IRT consider that, since the second tier of WHOIS data would only be available to vetted, accredited law enforcement, cybersecurity, IP rights holders, etc. that have represented that they have a legitimate purpose for accessing the data, and since that data is merely subscriber data (which under the Council of Europe’s CyberCrime Convention, and numerous other legal regimes as well, is deserving of the lowest level of privacy protection), and therefore no legitimate purpose is served by further hindering access to such data, the IRT should add the following language to the draft PPAA:
3.5.7 Provider shall not provide Services for Customers whose data is non-public.
Or
3.5.7 Provider shall not provide Services for Customers whose data is only accessible through gated access in the RDDS system and is not publicly available through WHOIS.
Thanks,
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov
participants (7)
- Amy Bivins
- Carlton Samuels
- DiBiase, Gregory
- gtheo
- Metalitz, Steven
- Roman, Peter (CRM)
- Volker Greimann