SSAD Small team, In reading through this thread there seems to be two different topics. The first is around tracking registration data requests to non-participating registrars. I think we understood from our briefing from staff that the system as currently envisioned would NOT track requests for data from non-participating registrars. As pointed out by Steve Delbanco and others, this is significant gap. As I see it, one of the main drivers for proceeding with this system is to better understand the potential demand. If we aren't tracking attempted requests to non-participating registrars, then we won't have the full picture when evaluating the WDS and considering next steps. Along these lines I encourage us to spend time considering what are the data points we need to evaluate the WDS. I think we need to be specific with ICANN org as to what data we need and clear in our recommendations to the GNSO council as to what data we will be looking at in evaluating the WDS. There seems to be a second topic around the potential to email non-participating registrars when someone using this system attempts to request data from a domain they sponsor. As long as this is a voluntary pilot, then I think we need to respect that it is voluntary and leave it at that. I see tracking attempted requests to non-participating registrars as a necessary data point, but don't support emailing registrars who choose not to participate. Best, Marc From: GNSO-EPDPP2-SmallTeam <gnso-epdpp2-smallteam-bounces@icann.org> On Behalf Of Sebastien@registry.godaddy Sent: Tuesday, September 20, 2022 6:24 PM To: gnso-epdpp2-smallteam@icann.org Subject: [EXTERNAL] [GNSO-EPDPP2-SmallTeam] FW: [Ext] Post Board GNSO bilateral on WDS Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Dear Small Team, Following the Board-GNSO bilateral his morning, where WDS was discussed and specifically the matter of not logging requests from non-participating Registrars, I reached out Eleeza and Yuko to better understand the underlying motivations/issues behind the decision. Please find Eleeza's answer below. I understand though I wasn't able to follow the conversation, that the issue was also discussed during the Board-CSG bilateral today. I encourage all to try to catch up on it before our meeting Thursday, but am sure those present will be able to fill us in. Kindly, Sebastien Ducos GoDaddy Registry | Senior Client Services Manager +33612284445 France & Australia sebastien@registry.godaddy<mailto:sebastien@registry.godaddy> From: Eleeza Agopian <eleeza.agopian@icann.org<mailto:eleeza.agopian@icann.org>> Date: Tuesday, 20 September 2022 at 10:05 am To: Sebastien Ducos <Sebastien@registry.godaddy<mailto:Sebastien@registry.godaddy>>, Yuko Yokoyama <yuko.yokoyama@icann.org<mailto:yuko.yokoyama@icann.org>> Cc: Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> Subject: Re: [Ext] Post Board GNSO bilateral on WDS Caution: This email is from an external sender. Please do not click links or open attachments unless you recognize the sender and know the content is safe. Forward suspicious emails to isitbad@. Dear Seb, Thank you for your questions. I want to clarify an important point: If a registrar decides to participate in the system and receive requests, per the Interim Registration Data Policy for gTLDs (carrying over the requirements of the Temp Spec) requirement to provide "reasonable access," they must respond to the request. We cover this in Section 3.6 of the paper, which refers to Contractual Compliance. Please also note that this analysis concerns only requirements under the Temp Spec; once the EPDP Phase 1 policy (currently published for public comment<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann....>) goes into effect, that policy will supersede the current Temp Spec "reasonable access" requirement. With regard to your question on alerting non-participating registrars about queries for their domains, we have given this some additional thought and Göran shared some of these thoughts in the Board-CSG meeting<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2F75.schedul...> earlier today. Within the current system design, a requestor will be asked to enter the subject domain at the beginning of the form and the system will determine whether the domain's registrar is participating in the system. If the registrar is not participating, the system would display an error message to the requestor notifying them that the registrar is not participating and would suggest they directly contact the registrar. What is not currently contemplated but may be possible would be for the system to log that notification and trigger an email to the primary account holder in the Naming Services Portal. The notification would simply state that a nonpublic registration data request was made for a domain that is under their management - it could also specify the domain name and the type of requestor logging the request. The email notification to the non-participating registrar would not, as proposed here, trigger a requirement for the registrar to provide "reasonable access" in a manner contemplated in the Temp Spec. This is because the notification would not, on its own, be considered a request for registration data access, but would merely be a notification that a requestor attempted to submit a request via the system. The email notification could include information indicating how a registrar may participate in the system. ICANN could also explore capturing within the system's own reporting what type of requestor is requesting this data. If the system is logging this data, we could report on the number of requests for domains from non-participating registrars, which registrars are receiving these requests, and potentially the types of requestors. To your question regarding the collection of a full request for a domain under management by a non-participating registrar, there are some risks that have not been fully assessed and would require additional consideration from the team, including assessing the legitimacy to process the personal data requested through the form in line with data protection laws. In addition, sharing the full request data set outside the system (i.e. via email) is a security risk. Non-participating registrars will need to access the system to view the request. We would be happy to meet with you if you find it easier to have a quick conversation, and are also happy to join the small team's meeting on Thursday to answer any questions. Thank you, Eleeza From: "Sebastien@registry.godaddy<mailto:Sebastien@registry.godaddy>" <Sebastien@registry.godaddy<mailto:Sebastien@registry.godaddy>> Date: Tuesday, September 20, 2022 at 10:50 AM To: Eleeza Agopian <eleeza.agopian@icann.org<mailto:eleeza.agopian@icann.org>>, Yuko Yokoyama <yuko.yokoyama@icann.org<mailto:yuko.yokoyama@icann.org>> Cc: Marika Konings <marika.konings@icann.org<mailto:marika.konings@icann.org>> Subject: [Ext] Post Board GNSO bilateral on WDS Hi Eleeza and Yuko, Please allow me to reach out personally following the Board-GNSO bilateral discussion on WDS. The point raised on Saturday regarding the fact that the WDS will only collect data for participating Registrars is one that is quickly becoming key. Before it snowballs into locking us out of a quick and positive decision from the small team, I wanted to make sure I fully understood the issue from your end. The answer given by Goran during the bilat - essentially that any new feature would require time to scope and would result not only in delays, but put this in competition with upcoming efforts such as SubPro - is valid, but I am afraid will not help us out to close this case. I understand the WDS will collect request data, store it securely, present it for Registrars to review AND send them an alert warn them of the case awaiting them. Arguably, without revealing PII, this alert could contain enough information (Request date, concerned domain name, etc...) to put the receiving contracted party in a position of no longer being able to outright ignore the request as per existing contracts. Conversely, if we only collect data and send alerts to participating Registrars we are creating an incentive for them not to participate; in fact I would assume that their Legal advisers would recommend not to participate as they would then protect themselves from having information collected on them. Are we here limited by the technical framework (SalesForce) that will only email known users? Or do you have other imperatives that guide you? If that is the reason, is there a way to continue collecting the data regardless? We would create a situation where unalerted Registrars might not be able to ignore a request, but where at least an impartial record of it is kept. In the absence of a Registrar-user, could we continue collecting formatted request, informing the Requestor that the Registrar cannot be alerted but supplying the Registrar's abuse email with an easy to copy/paste a rendering of the filled form, to easily form and send an email? I really don't want us - the small team - to start system-designing, but with the best of intentions the more I look into this the more I think that not only we would deprive ourselves from any pressure points to push unwilling Registrars, but actually offer a good reason for willing ones to stay out. I am happy to discuss this offline when you want. Kindly, Sebastien Ducos GoDaddy Registry | Senior Client Services Manager +33612284445 France & Australia sebastien@registry.godaddy<mailto:sebastien@registry.godaddy>
