Hi Steve,
I don’t think it helps us to break up the user groups like this; there's just users. Every user has to demonstrate their legal basis. We can’t predetermine what the outcome might be depending on the group a user falls into, because the specific circumstance for the disclosure request at hand plays a big part in the decision.
To your chart -
If the data is public then it can be accessed without the RDRS, but if an RDRS request is submitted then presumably the same data as is public will be provided.
If the data is "normal" in your doc (I refer to it as “masked”), then the request will be evaluated on its merits and the data may or may not be disclosed. The category of requestor does not determine the outcome, but it is a factor. For example, you have “R” (Redacted) as the response to a Citizen, but a citizen could demonstrate legal basis and receive real data in the response. You have “A” (actual data) as the response to the other types of user, but they could fail to demonstrate legal basis and thus be denied, it depends on the case at hand.
If the data is “protected” (has the Rr's P/P service) then only P/P data will be sent in response to the RDRS request. This is the same data as is available publicly. If the underlying data is required, that needs due process (warrant, subpoena, etc) and is not part of the RDRS at all. Due process requests are outside the scope of the RDRS, as is disclosure of data underlying a P/P service., I think we should document that and move on.
Thanks,
-- Sarah Wyld, CIPP/E
Policy & Privacy ManagerPronouns: she/they swyld@tucows.com
From: Steve Crocker
Sent: April 26, 2023 3:00 PM
To: Sarah Wyld
Cc: gnso-epdpp2-smallteam@icann.org; Steve Crocker
Subject: Re: [GNSO-EPDPP2-SmallTeam] Redaction vs privacy/proxy service
Sarah,
Thanks again for your response.
Everyone,
I'd like to push a bit further down this path. Attached is a short note attempting to sort out what the response will be according to:
I'd appreciate it if each of you would take a look and comment. This table does not take into account whether the registrant is a legal or a natural person, and it is not specific as to which fields would be treated in accordance with these rules. We can expand to cover these dimensions. (The tools we've been building at Edgemoor Research Institute do include these details, but I think it will be helpful to see if we can answer the questions in this very simplified model.)
Thanks,
Steve
On Tue, Apr 25, 2023 at 8:21 AM Sarah Wyld <swyld@tucows.com> wrote:
Hi all,
To Steve’s question about circumstances, it doesn’t really matter why a domain uses a registrar’s P/P service (and at this time I don’t think there’s policy limiting those potential reasons), just that it does or does not.
If the domain does use the registrar’s P/P service, then only the P/P data can be provided in response to an RDRS request. The group yesterday seemed strongly in favour of considering those to be ‘approved’ requests. The response would be to provide the P/P data (which is also available publicly), not redacted data.
If the domain does not use the registrar’s P/P service, then the request goes through the registrar’s review process and the registrar determines which of the requested fields to disclose. For the non-disclosed fields, when the registrar provides the response directly to the requestor they would likely indicate which fields they are not disclosing, but I don’t think we have (or should) defined how exactly they’d do that within their own platform. Within the RDRS, the registrar would indicate which requested fields were disclosed (this is one of the rows in Yuko’s spreadsheet) as part of tracking the outcome of the request.
The requestor’s recourse is not affected in either case: they can complain to ICANN if they believe ICANN Policy was not followed, or to the relevant legal authority if they think the law was not followed.
Hope that helps!
--Sarah Wyld, CIPP/EPolicy & Privacy ManagerPronouns: she/theyswyld@tucows.com
From: Steve Crocker
Sent: April 24, 2023 3:51 PM
To: gnso-epdpp2-smallteam@icann.org
Subject: [GNSO-EPDPP2-SmallTeam] Redaction vs privacy/proxy service
Folks,
Thanks for responding during today's call to my question regarding the difference between a registrar responding with the name of a privacy or proxy service versus the word "redacted." I think there are still outstanding questions to be resolved.
During the discussion an additional question arose in my mind, so here are the questions I'm seeking answers to.
- Under what circumstances may a registrar impose a privacy or proxy service to hide the registration data? Some possible answers:
- It's entirely up to the registrar. Different registrars may have different policies. The registrant has no say. (I doubt this is the case for any registrar, but I'm including it for completeness.)
- A registrar may choose to impose a privacy or proxy service by default, but the registrant is informed and may choose not to have it imposed.
- A registrar may give the registrant the choice of having the registration protected by the registrar's privacy or proxy service.
- Under what circumstances will a registrar respond to a request with "redacted" versus with the name of the privacy or proxy service?
- What recourse does the requester have in each case?
Thanks,
Steve