Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
Dear all,

Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Wednesday, 18 January 2017 at 06:00 UTC.

MP3: https://audio.icann.org/gnso/gnso-nextgen-rds-pdp-18jan17-en.mp3

The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page: http://gnso.icann.org/en/group-activities/calendar

** Please let me know if your name has been left off the list **

Mailing list archives: http://mm.icann.org/pipermail/gnso-rds-pdp-wg/

Wiki page: https://community.icann.org/x/tarDAw

Thank you.
Kind regards,
Nathalie

———————————————

AC Chat Next-Gen RDS PDP WG Wednesday 18 January 2017

Nathalie Peregrine:Dear all, welcome to the Next-Gen RDS PDP WG call on Wednesday 18 January 2017 at 06:00 UTC.
Nathalie Peregrine:Meeting page: https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_E...
Michele Neylon:good morning people
Michele Neylon:it's good middle of the bloody night :)
Chuck Gomes:Morning?!!
Benny / Nordreg AB:Good Afternoon ;-)
Alex Deacon:Hi all...
Abdeldjalil Bachar Bong:Bonjour à tous / hello to everyone
Maxim Alzoba (FAITID):Good morning all.
Michele Neylon:MUTE yourselves please
Fabricio Vayra:good morning
Tapani Tarvainen:Decent hour in Finland, too
Farell FOLLY (africa 2.0):Morning All
Michele Neylon:6am is an hour
Tapani Tarvainen:8am here
Michele Neylon:I'm not sure if it's decent or desirable
Maxim Alzoba (FAITID):not that horrible - 9am
Farell FOLLY (africa 2.0):6 am here !
Benny / Nordreg AB:Currently in Bangkok 1 PM
Benny / Nordreg AB:so not too bad
Stephanie Perrin:1 am here. I am not at my perkiest I must admit.
Benny / Nordreg AB:So a silent Stephanie today? ;-)
Stephanie Perrin:Not likely...just delayed, I suspect....:-)
Marika Konings:no, I haven't seen anything
Sam Lanfranco npoc/csih:Stephanie is probably quiet because it is -5C outside and the weather is freezing rain (-:
Lisa Phifer:Actually, question 3 assessed level of support for several listed purposes, not just Domain Name Certification
Stephanie Perrin:Yes Sam, if the power goes out again I may be extra quiet....
Alex Deacon:1995 - earlier if you count the RSA days :)
Fabricio Vayra:@Alex - Nice!
Sam Lanfranco npoc/csih:Question: What percentage of DN Certificate Requests turn out to be bogus?
Maxim Alzoba (FAITID):current WHOIS data is not 100% true .. should we assume that not all 100% are good?
Abdeldjalil Bachar Bong:I need some clarification about the first question as I am newcomer in this WG, Thanks my second do you have some resources for no-English speaker ?
Benny / Nordreg AB:or .se / .nu where there are no info in whois for private persons
Lisa Phifer:@Geoff, with respect to thin data elements, which elements are consulted for this authentication?
Michele Neylon:My current bugbear is a particular company who insists on sending us their requests
Michele Neylon:not to our clients
Daniel K. Nanghaka:The challenge with the WHOIS is that there is no appropriate verification method for the users - there should be a way to validate sensitive data
Stephanie Perrin:How often do you need to authenticate for these certificates?
Benny / Nordreg AB:at least once per year
Stephanie Perrin:Do you rely on what is in WHOIS, OR do you call the technical/administrative contact?
Benny / Nordreg AB:per domain/ certificate
Stephanie Perrin:what data do you trust? IN other words, how do you verify the data?
Michele Neylon:domain validated certs are the cheapest ones
Michele Neylon:they're also the fastest ones to get issued
Michele Neylon:the level of "trust" is negligible
Stephanie Perrin:But what are they worth?
Michele Neylon:Stephanie - to whom?
Stephanie Perrin:To anyone who is relying on the certificate....
Maxim Alzoba (FAITID):hhmm .. and if the mailbox was compromised ?
Michele Neylon:FYI - they're also used by valid users like me :)
Michele Neylon:I'm using one on michele.blog
Alex Deacon:You could argue that Domain Validation certs are good for encryption only. they provide zero value from an authentication/identity point of view.
Stephanie Perrin:I would have no clue what I am using. I think I speak for most consumers....
Michele Neylon:what Alex said
Michele Neylon:they're a step up from a self-signed cert
Stephanie Perrin:Thanks Alex, that is kind of where I was heading....
Daniel K. Nanghaka:This is where Domain verification comes in strongly - and the Domain validated certificates should be placed in the page of the Domain to prove that the domain is validated. The Company should have a respective data handler who will be responsible for domain validation and certificate authentication.
Michele Neylon:Daniel - which company?
Benny / Nordreg AB:Unsure how you will make that happen Daniel?
Maxim Alzoba (FAITID):The company
Maxim Alzoba (FAITID):in some movies it was the name for one of the agencies
Alex Deacon:@stephanie - it depends on the type of cert.
Daniel K. Nanghaka:@Michele - the company that owns the Domain
Daniel K. Nanghaka:Yes, the biggest challenge is that many companies take these certificates for granted
Michele Neylon:Daniel - what makes you think they're a company? these days a LOT of the domain validated certs are for individuals not companies
Michele Neylon:https://urldefense.proofpoint.com/v2/url?u=https-3A__letsencrypt.org_&d=DwIF...
Michele Neylon:see also https://urldefense.proofpoint.com/v2/url?u=http-3A__motherboard.vice.com_rea...
Maxim Alzoba (FAITID):letsencrypt ... they relay on publicsuffix, for exumple and the latter uses whois ...
Maxim Alzoba (FAITID):*example
Maxim Alzoba (FAITID):the only other source of info ... is LEA
Alex Deacon:@maxim - you lost me. what info does LEA have?
Maxim Alzoba (FAITID):Law Enforcement Agency
Alex Deacon:i know what lea stands for....
Stephanie Perrin:I must be missing something here. If I am a legitimate rep of a company requesting a cert, why could you not ask for a whole mess of non-publicly available data, signed by the company, to validate my request?
Maxim Alzoba (FAITID):current internet users will surely suffer (and services too ) if certificates are no more
Michele Neylon:Stephanie - because it's time consuming and a pain in the neck?
Stephanie Perrin:If you are looking for a phone number is that part of thin data? I did not think so.
Michele Neylon:it doesn't scale
Alex Deacon:@stephanie - a CA needs a way to "bind" (associate) an org/user with a domain. WHOIS does this today.
Michele Neylon:phone numbers are "thick"
Stephanie Perrin:That is what I thought. So we are talking about thick data here. And if only some registrants want certs, then why should all registrants have to put their thick data in WHOIS?
Lisa Phifer:Note that handout is now displayed, showing this purpose and related thin data elements
Stephanie Perrin:So what percentage of registrations want/need certs?
Michele Neylon:Stephanie - see the link I posted above
Benny / Nordreg AB:Soon every active domains with a website
Michele Neylon:what Benny said :)
Stephanie Perrin:We are talking about a purpose for collection. I will certainly argue about disclosure. you are collecting for a valid purpose. We need to discuss how you are going to use and disclose it.
Abdeldjalil Bachar Bong:@Maxim I need more information when you said the current internet user will suffer if we don't have more certifications
Stephanie Perrin:As far as I can see though, you are not collecting any separate data elements solely for the purpose of domain certs. validation
Michele Neylon:Stephanie - in thin?
Maxim Alzoba (FAITID):@Abdeldjalil lots of services depend on certificates ... e-mail , online banking e.t.c.
Stephanie Perrin:certainly in thin, but even in thick...what new data elements are you looking for?
Michele Neylon:Stephanie - no new ones
Abdeldjalil Bachar Bong:Thanks @Maxim
Lisa Phifer:After we get rough consensus on purposes for collecting thin data, we'll move to Data Elements and examine the individual data elements needed by that purpose, and given that we can look at under what conditions that data should be disclosed for that purpose...
Stephanie Perrin:I seem to be the only one quibbling here. I am not arguing about the importance of encryption, or certification of sites. I am quibbling about whether authenticators, who arguably ought to be trusted parties, should be harvesting this data off an open WHOIS. If this is what they are doing as part of their functions, they could be authenticated to seek the data at a deeper level.
Lisa Phifer:@Sam, do study subjects not have any opportunity for anonymity, or does it depend on the study and the types of data involved?
Stephanie Perrin:It depends on the university ethics protocols. Certainly in Canadian unis you would not be able to disclose the personal data, you would have to bind users to the same privacy commitments.
Stephanie Perrin:ICANN would have to set a research protocol for this, that meets the highest standard, otherwise academic access could become one of those jurisdictional nightmares....
Lisa Phifer:@Rod, you propose adding Name Servers and Registrar to the list of thin data elements for this purpose?
Stephanie Perrin:Is it not the case that every time you need thick data, you absolutely have to have access to the thin data to get at it??
Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query any WHOIS data, but beyond that you may not need other thin data elements (dates, etc) for a given purpose
Michele Neylon:Stephanie - yes
Stephanie Perrin:Thanks Michele
Michele Neylon:the thin tells you where to find the thick
Michele Neylon:(sort of)
Michele Neylon:(and I can't believe I just wrote that and it made sense to me)
Stephanie Perrin:It is indeed a worrying sign...
Stephanie Perrin:We have been at this a full year, I would point out....
Stephanie Perrin:Consumer protection is very limited. Yes it is a valid purpose. Disclosure is another matter...
Sam Lanfranco npoc/csih:Q. Thin raw data from the polls, or Thick raw data from the polls? (-:
Maxim Alzoba (FAITID):just add checkbox - I do want my name shown
Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit less convenient than xls
Stephanie Perrin:I think it would be interesting to see both. I want to look for contradictions in responses. I also want to look for aggregates.
Maxim Alzoba (FAITID):NamesCon?
Tapani Tarvainen:(having written a number of pdf-to-text thingies...)
Maxim Alzoba (FAITID):Could we add example of report as a header to survey? like after you fill this - it is going to look like this and that?
Lisa Phifer:In short, we would need to get consent of all who responded
Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT pool of the local ISP
Michele Neylon:Stephanie is that you??
Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here.
Michele Neylon:has someone hijacked her identity??
Michele Neylon:/me ducks
Lisa Phifer:@Maxim, generally not true of respondents taking survey from within corporate networks - in that case, IP is often static
Stephanie Perrin:Sadly I may not be on the call next week, depending on travel schedule
Maxim Alzoba (FAITID):@Lisa, agree - it depends
Maxim Alzoba (FAITID):Bye all
Benny / Nordreg AB:bye all
Daniel K. Nanghaka:bye
Patrick Lenihan:Thanks to Each and All!

With updated apologies

From: owner-gnso-secs@icann.org on behalf of Nathalie Peregrine <nathalie.peregrine@icann.org>
Date: Wednesday, January 18, 2017 at 11:52 AM
To: gnso-rds-pdp-wg@icann.org
Cc: gnso-secs@icann.org
Subject: [gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC

For those of you who were unable to attend this meeting, I encourage you to listen to the MP3 recording and/or review the transcript as well as the notes that Marika sent right after the meeting. We made quite a lot of progress; we discussed all of the remaining proposed purposes for the collection of thin data and there were no objections from anyone on the call to the conclusion that each of the purposes is legitimate for the collection of thin data.

The third purpose, where we started for this meeting, is Domain Name Certification. We spent quite a bit of time talking about this. For those who feel that you do not understand this purpose fully, at about 14:50 into the call we had what I thought was a very good discussion designed to make sure everyone understands Domain Name Certification, so I encourage you to at least listen to that portion and the discussion following where we discussed whether it was an acceptable purpose. You will note that some thick data elements were also mentioned but we did not make any conclusions regarding thick data.

Once we finished our deliberation on Domain Name Certification, there was just minimal discussion on the other remaining purposes so you may not find the balance of the recording very informative.

Near the very end of the recording we alerted everyone to an agenda topic we will have next week about whether raw poll data should be shared with the WG and, if so, in what way. Those not on the call may benefit from listening to that discussion in preparation for next week.

Happy listening.
Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Nathalie Peregrine
Sent: Wednesday, January 18, 2017 6:57 AM
To: gnso-rds-pdp-wg@icann.org
Cc: gnso-secs@icann.org
Subject: [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC

With updated apologies
Stephanie Perrin:Is it not the case that every time you need thick data, you absolutely have to have access to the thin data to get at it?? Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query any WHOIS data, but beyond that you may not need other thin data elements (dates, etc) for a given purpose Michele Neylon:Stephanie - yes Stephanie Perrin:Thanks Michele Michele Neylon:the thin tells you where to find the thick Michele Neylon:(sort of) Michele Neylon:(and I can't believe I just wrote that and it made sense to me) Stephanie Perrin:It is indeed a worrying sign... Stephanie Perrin:We have been at this a full year, I would point out.... Stephanie Perrin:Consumer protection is very limited. Yes it is a valid purpose. Disclosure is another matter... Sam Lanfranco npoc/csih:Q. Thin raw data from the polls, or Thick raw data from the polls? (-: Maxim Alzoba (FAITID):just add checkbox - I do want my name shown Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit less convenient than xls Stephanie Perrin:I think it would be interesting to see both. I want to look for contradictions in responses. I also want to look for aggregates. Maxim Alzoba (FAITID):NamesCon? Tapani Tarvainen:(having written a number of pdf-to-text thingies...) Maxim Alzoba (FAITID):Could we add example of report as a header to survey? like after you fill this - it is going to look like this and that? Lisa Phifer:In short, we would need to get consent of all who responded Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT pool of the local ISP Michele Neylon:Stephanie is that you?? Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here. Michele Neylon:has someone hijacked her identity?? 
Michele Neylon:/me ducks Lisa Phifer:@Maxim, generally not true of respondents taking survey from within corporate networks - in that case, IP is often static Stephanie Perrin:Sadly I may not be on the call next week, depending on travel schedule Maxim Alzoba (FAITID):@Lisa, agree - it depends Maxim Alzoba (FAITID):Bye all Benny / Nordreg AB:bye all Daniel K. Nanghaka:bye Patrick Lenihan:Thanks to Each and All!
I will do my best to make the call next week, but am travelling so may not manage it. Since I am the one querying the suggestion that protecting the data and the names of the individuals under the rubric of privacy is a wee bit off base, believing instead that people should be accountable for what they are putting in their polling data, here is my view, for what it is worth.
1. ICANN is fundamentally an open, transparent multistakeholder organization where pdps are open to all. There is an expectation that there will be robust debate and that people will be accountable for the views they wish to express. If a person wishes to watch what is happening and not participate, they can monitor and thereby not be forced to express a view. Participation in the working group should mean that one's expectations of privacy in terms of opinions expressed are very limited. I would like to hear the arguments for such an opinion, if anyone has advanced them.
2. In this respect, if an organization sends a representative to attend a pdp and they do not have the authority to speak for the organization without vetting/checking, they have a number of options: a) omit the survey b) fill it out in their own name with caveats that they do not represent the organization c) get the survey questions and consult on the answers. I don't really think it is acceptable for organizations to anonymously fill out the survey, just as I don't buy the privacy argument from individuals.
3. The data is useful to those of us who are trying to understand where people are coming from. As I have said numerous times, we all view these matters from our own perspectives and knowledge base. I am trying to understand the degree to which people still do not understand privacy concepts, which I think I can detect from their answers. (others may wonder why I still don't understand how the RDS works, fair enough says I! Check my data, it might help you detect necessary educational opportunities...) I am also interested in the variance across questions, cumulative totals per SG, etc. etc.
4. At a rather fundamental level, data that is used by us even to form rough concepts of consensus should be accessible to all in my view. This is a very controversial topic which has caused considerable conflict over the years, let us try to minimize any potential for later questions or distrust by ensuring all data is available.
There are ways around this problem of disclosure vs non-disclosure.
1. Inform people that polling data will be available. Forewarned.
2. Release data minus the name. However, folks will be guessing who is from what constituency, and frankly we must have the constituency data. Normally for disclosure of PI for people in groups we go by the rule of 4.....rarely are there 4 NCSG folks filling out the polls, so you can identify us anyway, this may be different for other groups. I think this one is a non-starter but there it is.
3. Seek consent. As discussed above, I don't think the privacy arguments hold water; it is bad policy to seek consent on something that you could not /should not protect in the first place. Also a non-starter in my view, but there it is.
Again, I hope to make the call next week but wanted to start off this discussion on the list in case I don't make it.
Cheers
Stephanie
On 2017-01-18 10:45, Gomes, Chuck wrote:
For those of you who were unable to attend this meeting, I encourage you to listen to the MP3 recording and/or review the transcript as well as the notes that Marika sent right after the meeting. We made quite a lot of progress; we discussed all of the remaining proposed purposes for the collection of thin data and there were no objections from anyone on the call to the conclusion that each of the purposes is legitimate for the collection of thin data.
The third purpose, where we started for this meeting, is Domain Name Certification. We spent quite a bit of time talking about this. For those who feel that you do not understand this purpose fully, at about 14:50 into the call we had what I thought was a very good discussion designed to make sure everyone understands Domain Name Certification, so I encourage you to at least listen to that portion and the discussion following where we discussed whether it was an acceptable purpose. You will note that some thick data elements were also mentioned but we did not make any conclusions regarding thick data.
Once we finished our deliberation on Domain Name Certification, there was just minimal discussion on the other remaining purposes so you may not find the balance of the recording very informative.
Near the very end of the recording we alerted everyone to an agenda topic we will have next week about whether raw poll data should be shared with the WG and, if so, in what way. Those not on the call may benefit from listening to that discussion in preparation for next week.
Happy listening.
Chuck
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Nathalie Peregrine
*Sent:* Wednesday, January 18, 2017 6:57 AM
*To:* gnso-rds-pdp-wg@icann.org
*Cc:* gnso-secs@icann.org
*Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
*With updated apologies*
*From:* owner-gnso-secs@icann.org on behalf of Nathalie Peregrine <nathalie.peregrine@icann.org>
*Date:* Wednesday, January 18, 2017 at 11:52 AM
*To:* gnso-rds-pdp-wg@icann.org
*Cc:* gnso-secs@icann.org
*Subject:* [gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Thanks for your thoughtful contributions to this discussion Stephanie. Chuck From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin Sent: Wednesday, January 18, 2017 2:58 PM To: gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC I will do my best to make the call next week, but am travelling so may not manage it. Since I am the one querying the suggestion that protecting the data and the names of the individuals under the rubric of privacy is a wee bit off base, believing instead that people should be accountable for what they are putting in their polling data, here is my view, for what it is worth. 1. ICANN is fundamentally an open, transparent multistakeholder organization where pdps are open to all. There is an expectation that there will be robust debate and that people will be accountable for the views they wish to express. IF a person wishes to watch what is happening and not participate, they can monitor and thereby not be forced to express a view. Participation in the working group should mean that one's expectations of privacy in terms of opinions expressed is very limited. I would like to hear the arguments for such an opinion, if anyone has advanced them. 2. In this respect, if an organization sends a representative to attend a pdp and they do not have the authority to speak for the organization without vetting/checking, they have a number of options: a) omit the survey b) fill it out in their own name with caveats that they do not represent the organization c) get the survey questions and consult on the answers. I don't really think it is acceptable for organizations to anonymously fill out the survey, just as I don't buy the privacy argument from individuals. 3. The data is useful to those of us who are trying to understand where people are coming from. 
As I have said numerous times, we all view these matters from our own perspectives and knowledge base. I am trying to understand the degree to which people still do not understand privacy concepts, which I think I can detect from their answers. (others may wonder why I still don't understand how the RDS works, fair enough says I! CHeck my data, it might help you detect necessary educational opportunities...) I am also interested in the variance across questions, cumulative totals per SG, etc etc). 4. At a rather fundamental level, data that is used by us even to form rough concepts of concensus should be accessible to all in my view. This is very controversial topic which has caused considerable conflict over the years, let us try to minimize any potential for later questions or distrust by ensuring all data is available. There are ways around this problem of disclosure vs non-disclosure. 1. Inform people that polling data will be available. Forwarned. 2. RElease data minus the name. However, folks will be guessing who is from what constituency, and frankly we must have the constituency data. Normally for disclosure of PI for people in groups we go by the rule of 4.....rarely are there 4 NCSG folks filling out the polls, so you can identify us anyway, this may be different for other groups. I think this one is a non-starter but there it is. 3. Seek consent. As discussed above, I don't think the privacy arguments hold water; it is bad policy to seek consent on something that you could not /should not protect in the first place. Also a non-starter in my view, but there it is. Again, I hope to make the call next week but wanted to start off this discussion on the list in case I don't make it. Cheers STephanie On 2017-01-18 10:45, Gomes, Chuck wrote: For those of you who were unable to attend this meeting, I encourage you to listen to the MP3 recording and/or review the transcript as well as the notes that Marika sent right after the meeting. 
We made quite a lot of progress; we discussed all of the remaining proposed purposes for the collection of thin data and there were no objections from anyone on the call to the conclusion that each of the purposes are legitimate for the collection of thin data. The third purpose, where we started for this meeting, is Domain Name Certification. We spent quite a bit of time talking about this. For those who feel that you do not understand this purpose fully, at about 14:50 into the call we had what I thought was a very good discussion designed to make sure everyone understands Domain Name Certification, so I encourage you to at least listen to that portion and the discussion following where we discussed whether it was an acceptable purpose. You will note that some thick data elements were also mentioned but we did not make any conclusions regarding thick data. Once we finished our deliberation on Domain Name Certification, there was just minimal discussion on the other remaining purposes so you may not find the balance of the recording very informative. Near the very end of the recording we alerted everyone to an agenda topic we will have next week about whether raw poll data should be shared with the WG and, if so, in what way. Those not on the call may benefit from listening to that discussion in preparation for next week. Happy listening. 
Chuck From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Nathalie Peregrine Sent: Wednesday, January 18, 2017 6:57 AM To: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Cc: gnso-secs@icann.org<mailto:gnso-secs@icann.org> Subject: [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC With updated apologies From: "owner-gnso-secs@icann.org<mailto:owner-gnso-secs@icann.org>" <owner-gnso-secs@icann.org<mailto:owner-gnso-secs@icann.org>> on behalf of Nathalie Peregrine <nathalie.peregrine@icann.org<mailto:nathalie.peregrine@icann.org>> Date: Wednesday, January 18, 2017 at 11:52 AM To: "gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>" <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Cc: "gnso-secs@icann.org<mailto:gnso-secs@icann.org>" <gnso-secs@icann.org<mailto:gnso-secs@icann.org>> Subject: [gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC Dear all, Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Wednesday, 18 January 2017 at 06:00 UTC. 
I never thought I would agree with Stephanie on a privacy-related matter.... 😂

But I do this time.

Greg

On Thu, Jan 19, 2017 at 11:44 AM, Gomes, Chuck <cgomes@verisign.com> wrote:
Thanks for your thoughtful contributions to this discussion Stephanie.
Chuck
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Stephanie Perrin
*Sent:* Wednesday, January 18, 2017 2:58 PM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
I will do my best to make the call next week, but am travelling so may not manage it. Since I am the one querying the suggestion that protecting the data and the names of the individuals under the rubric of privacy is a wee bit off base, believing instead that people should be accountable for what they are putting in their polling data, here is my view, for what it is worth.
1. ICANN is fundamentally an open, transparent multistakeholder organization where pdps are open to all. There is an expectation that there will be robust debate and that people will be accountable for the views they wish to express. If a person wishes to watch what is happening and not participate, they can monitor and thereby not be forced to express a view. Participation in the working group should mean that one's expectations of privacy in terms of opinions expressed are very limited. I would like to hear the arguments for such an opinion, if anyone has advanced them.
2. In this respect, if an organization sends a representative to attend a pdp and they do not have the authority to speak for the organization without vetting/checking, they have a number of options: a) omit the survey b) fill it out in their own name with caveats that they do not represent the organization c) get the survey questions and consult on the answers. I don't really think it is acceptable for organizations to anonymously fill out the survey, just as I don't buy the privacy argument from individuals.
3. The data is useful to those of us who are trying to understand where people are coming from. As I have said numerous times, we all view these matters from our own perspectives and knowledge base. I am trying to understand the degree to which people still do not understand privacy concepts, which I think I can detect from their answers. (Others may wonder why I still don't understand how the RDS works, fair enough says I! Check my data, it might help you detect necessary educational opportunities...) I am also interested in the variance across questions, cumulative totals per SG, etc etc.
4. At a rather fundamental level, data that is used by us even to form rough concepts of consensus should be accessible to all in my view. This is a very controversial topic which has caused considerable conflict over the years, let us try to minimize any potential for later questions or distrust by ensuring all data is available.
There are ways around this problem of disclosure vs non-disclosure.
1. Inform people that polling data will be available. Forewarned.
2. Release data minus the name. However, folks will be guessing who is from what constituency, and frankly we must have the constituency data. Normally for disclosure of PI for people in groups we go by the rule of 4.....rarely are there 4 NCSG folks filling out the polls, so you can identify us anyway, this may be different for other groups. I think this one is a non-starter but there it is.
3. Seek consent. As discussed above, I don't think the privacy arguments hold water; it is bad policy to seek consent on something that you could not/should not protect in the first place. Also a non-starter in my view, but there it is.
Again, I hope to make the call next week but wanted to start off this discussion on the list in case I don't make it.
Cheers
Stephanie
On 2017-01-18 10:45, Gomes, Chuck wrote:
For those of you who were unable to attend this meeting, I encourage you to listen to the MP3 recording and/or review the transcript as well as the notes that Marika sent right after the meeting. We made quite a lot of progress; we discussed all of the remaining proposed purposes for the collection of thin data and there were no objections from anyone on the call to the conclusion that each of the purposes is legitimate for the collection of thin data.
The third purpose, where we started for this meeting, is Domain Name Certification. We spent quite a bit of time talking about this. For those who feel that you do not understand this purpose fully, at about 14:50 into the call we had what I thought was a very good discussion designed to make sure everyone understands Domain Name Certification, so I encourage you to at least listen to that portion and the discussion following where we discussed whether it was an acceptable purpose. You will note that some thick data elements were also mentioned but we did not make any conclusions regarding thick data.
Once we finished our deliberation on Domain Name Certification, there was just minimal discussion on the other remaining purposes so you may not find the balance of the recording very informative.
Near the very end of the recording we alerted everyone to an agenda topic we will have next week about whether raw poll data should be shared with the WG and, if so, in what way. Those not on the call may benefit from listening to that discussion in preparation for next week.
Happy listening.
Chuck
It is your inner Canadian coming out there Greg, doubtless a harbinger of further agreement to come....:-D

SP

On 2017-01-19 12:35, Greg Shatan wrote:
I never thought I would agree with Stephanie on a privacy-related matter.... 😂
But I do this time.
Greg
On Thu, Jan 19, 2017 at 11:44 AM, Gomes, Chuck <cgomes@verisign.com <mailto:cgomes@verisign.com>> wrote:
Thanks for your thoughtful contributions to this discussion Stephanie.
Chuck
*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Stephanie Perrin *Sent:* Wednesday, January 18, 2017 2:58 PM *To:* gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
I will do my best to make the call next week, but am travelling so may not manage it. Since I am the one querying the suggestion that protecting the data and the names of the individuals under the rubric of privacy is a wee bit off base, believing instead that people should be accountable for what they are putting in their polling data, here is my view, for what it is worth.
1. ICANN is fundamentally an open, transparent multistakeholder organization where PDPs are open to all. There is an expectation that there will be robust debate and that people will be accountable for the views they wish to express. If a person wishes to watch what is happening and not participate, they can monitor and thereby not be forced to express a view. Participation in the working group should mean that one's expectations of privacy in terms of opinions expressed are very limited. I would like to hear the arguments for such an opinion, if anyone has advanced them.
2. In this respect, if an organization sends a representative to attend a PDP and they do not have the authority to speak for the organization without vetting/checking, they have a number of options: a) omit the survey; b) fill it out in their own name with caveats that they do not represent the organization; c) get the survey questions and consult on the answers. I don't really think it is acceptable for organizations to anonymously fill out the survey, just as I don't buy the privacy argument from individuals.
3. The data is useful to those of us who are trying to understand where people are coming from. As I have said numerous times, we all view these matters from our own perspectives and knowledge base. I am trying to understand the degree to which people still do not understand privacy concepts, which I think I can detect from their answers. (Others may wonder why I still don't understand how the RDS works, fair enough says I! Check my data, it might help you detect necessary educational opportunities...) I am also interested in the variance across questions, cumulative totals per SG, etc.
4. At a rather fundamental level, data that is used by us even to form rough concepts of consensus should be accessible to all in my view. This is a very controversial topic which has caused considerable conflict over the years; let us try to minimize any potential for later questions or distrust by ensuring all data is available.
There are ways around this problem of disclosure vs non-disclosure.
1. Inform people that polling data will be available. Forewarned.
2. Release data minus the name. However, folks will be guessing who is from what constituency, and frankly we must have the constituency data. Normally for disclosure of PI for people in groups we go by the rule of 4... rarely are there 4 NCSG folks filling out the polls, so you can identify us anyway; this may be different for other groups. I think this one is a non-starter but there it is.
3. Seek consent. As discussed above, I don't think the privacy arguments hold water; it is bad policy to seek consent on something that you could not/should not protect in the first place. Also a non-starter in my view, but there it is.
Again, I hope to make the call next week but wanted to start off this discussion on the list in case I don't make it.
Cheers Stephanie
On 2017-01-18 10:45, Gomes, Chuck wrote:
For those of you who were unable to attend this meeting, I encourage you to listen to the MP3 recording and/or review the transcript as well as the notes that Marika sent right after the meeting. We made quite a lot of progress; we discussed all of the remaining proposed purposes for the collection of thin data and there were no objections from anyone on the call to the conclusion that each of the purposes are legitimate for the collection of thin data.
The third purpose, where we started for this meeting, is Domain Name Certification. We spent quite a bit of time talking about this. For those who feel that you do not understand this purpose fully, at about 14:50 into the call we had what I thought was a very good discussion designed to make sure everyone understands Domain Name Certification, so I encourage you to at least listen to that portion and the discussion following where we discussed whether it was an acceptable purpose. You will note that some thick data elements were also mentioned but we did not make any conclusions regarding thick data.
Once we finished our deliberation on Domain Name Certification, there was just minimal discussion on the other remaining purposes so you may not find the balance of the recording very informative.
Near the very end of the recording we alerted everyone to an agenda topic we will have next week about whether raw poll data should be shared with the WG and, if so, in what way. Those not on the call may benefit from listening to that discussion in preparation for next week.
Happy listening.
Chuck
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Nathalie Peregrine *Sent:* Wednesday, January 18, 2017 6:57 AM *To:* gnso-rds-pdp-wg@icann.org *Cc:* gnso-secs@icann.org *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
*With updated apologies*
*From:* "owner-gnso-secs@icann.org" <owner-gnso-secs@icann.org> on behalf of Nathalie Peregrine <nathalie.peregrine@icann.org> *Date:* Wednesday, January 18, 2017 at 11:52 AM *To:* "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> *Cc:* "gnso-secs@icann.org" <gnso-secs@icann.org> *Subject:* [gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
Dear all,
Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Wednesday, 18 January 2017 at 06:00 UTC.
*MP3:* https://audio.icann.org/gnso/gnso-nextgen-rds-pdp-18jan17-en.mp3
The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page:
http://gnso.icann.org/en/group-activities/calendar
** Please let me know if your name has been left off the list **
Mailing list archives: http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
Wiki page: https://community.icann.org/x/tarDAw
Thank you.
Kind regards,
Nathalie
———————————————
*_AC Chat Next-Gen RDS PDP WG Wednesday 18 January 2017_*
Nathalie Peregrine:Dear all, welcome to the Next-Gen RDS PDP WG call on Wednesday 18 January 2017 at 06:00 UTC.
Nathalie Peregrine:Meeting page: https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_E...
Michele Neylon:good morning people
Michele Neylon:it's good middle of the bloody night :)
Chuck Gomes:Morning?!!
Benny / Nordreg AB:Good Afternoon ;-)
Alex Deacon:Hi all...
Abdeldjalil Bachar Bong:Bonjour à tous / hello to everyone
Maxim Alzoba (FAITID):Good morning all.
Michele Neylon:MUTE yourselves please
Fabricio Vayra:good morning
Tapani Tarvainen:Decent hour in Finland, too
Farell FOLLY (africa 2.0):Morning All
Michele Neylon:6am is an hour
Tapani Tarvainen:8am here
Michele Neylon:I'm not sure if it's decent or desirable
Maxim Alzoba (FAITID):not that horrible - 9am
Farell FOLLY (africa 2.0):6 am here !
Benny / Nordreg AB:Currently in Bangkok 1 PM
Benny / Nordreg AB:so not too bad
Stephanie Perrin:1 am here. I am not at my perkiest I must admit.
Benny / Nordreg AB:So a silent Stephanie today? ;-)
Stephanie Perrin:Not likely...just delayed, I suspect....:-)
Marika Konings:no, I haven't seen anything
Sam Lanfranco npoc/csih:Stephanie is probably quiet because it is -5C outside and the weather is freezing rain (-:
Lisa Phifer:Actually, question 3 assessed level of support for several listed purposes, not just Domain Name Certification
Stephanie Perrin:Yes Sam, if the power goes out again I may be extra quiet....
Alex Deacon:1995 - earlier if you count the RSA days :)
Fabricio Vayra:@Alex - Nice!
Sam Lanfranco npoc/csih:Question: What percentage of DN Certificate Requests turn out to be bogus?
Maxim Alzoba (FAITID):current WHOIS data is not 100% true .. should we assume that not all 100% are good?
Abdeldjalil Bachar Bong:I need some clarification about the first question as I am a newcomer in this WG, thanks. My second: do you have some resources for non-English speakers?
Benny / Nordreg AB:or .se / .nu where there are no info in whois for private persons
Lisa Phifer:@Geoff, with respect to thin data elements, which elements are consulted for this authentication?
Michele Neylon:My current bugbear is a particular company who insists on sending us their requests
Michele Neylon:not to our clients
Daniel K. Nanghaka:The challenge with the WHOIS is that there is no appropriate verification method for the users - there should be a way to validate sensitive data
Stephanie Perrin:How often do you need to authenticate for these certificates?
Benny / Nordreg AB:at least once per year
Stephanie Perrin:Do you rely on what is in WHOIS, OR do you call the technical/administrative contact?
Benny / Nordreg AB:per domain/ certificate
Stephanie Perrin:what data do you trust? In other words, how do you verify the data?
Michele Neylon:domain validated certs are the cheapest ones
Michele Neylon:they're also the fastest ones to get issued
Michele Neylon:the level of "trust" is negligible
Stephanie Perrin:But what are they worth?
Michele Neylon:Stephanie - to whom?
Stephanie Perrin:To anyone who is relying on the certificate....
Maxim Alzoba (FAITID):hhmm .. and if the mailbox was compromised ?
Michele Neylon:FYI - they're also used by valid users like me :)
Michele Neylon:I'm using one on michele.blog
Alex Deacon:You could argue that Domain Validation certs are good for encryption only. they provide zero value from an authentication/identity point of view.
Stephanie Perrin:I would have no clue what I am using. I think I speak for most consumers....
Michele Neylon:what Alex said
Michele Neylon:they're a step up from a self-signed cert
Stephanie Perrin:Thanks Alex, that is kind of where I was heading....
Daniel K. Nanghaka:This is where Domain verification comes in strongly - and the Domain validated certificates should be placed in the page of the Domain to prove that the domain is validated. The Company should have a respective data handler who will be responsible for domain validation and certificate authentication.
Michele Neylon:Daniel - which company?
Benny / Nordreg AB:Unsure how you will make that happen Daniel?
Maxim Alzoba (FAITID):The company
Maxim Alzoba (FAITID):in some movies it was the name for one of the agencies
Alex Deacon:@stephanie - it depends on the type of cert.
Daniel K. Nanghaka:@Michele - the company that owns the Domain
Daniel K. Nanghaka:Yes, the biggest challenge is that many companies take these certificates for granted
Michele Neylon:Daniel - what makes you think they're a company? these days a LOT of the domain validated certs are for individuals not companies
Michele Neylon:https://letsencrypt.org/
Michele Neylon:see also https://urldefense.proofpoint.com/v2/url?u=http-3A__motherboard.vice.com_rea...
Maxim Alzoba (FAITID):letsencrypt ... they rely on publicsuffix, for exumple and the latter uses whois ...
Maxim Alzoba (FAITID):*example
Maxim Alzoba (FAITID):the only other source of info ... is LEA
Alex Deacon:@maxim - you lost me. what info does LEA have?
Maxim Alzoba (FAITID):Law Enforcement Agency
Alex Deacon:i know what lea stands for....
Stephanie Perrin:I must be missing something here. If I am a legitimate rep of a company requesting a cert, why could you not ask for a whole mess of non-publicly available data, signed by the company, to validate my request?
Maxim Alzoba (FAITID):current internet users will surely suffer (and services too ) if certificates are no more
Michele Neylon:Stephanie - because it's time consuming and a pain in the neck?
Stephanie Perrin:If you are looking for a phone number is that part of thin data? I did not think so.
Michele Neylon:it doesn't scale
Alex Deacon:@stephanie - a CA needs a way to "bind" (associate) an org/user with a domain. WHOIS does this today.
Michele Neylon:phone numbers are "thick"
Stephanie Perrin:That is what I thought. So we are talking about thick data here. And if only some registrants want certs, then why should all registrants have to put their thick data in WHOIS?
Lisa Phifer:Note that handout is now displayed, showing this purpose and related thin data elements
Stephanie Perrin:So what percentage of registrations want/need certs?
Michele Neylon:Stephanie - see the link I posted above
Benny / Nordreg AB:Soon every active domain with a website
Michele Neylon:what Benny said :)
Stephanie Perrin:We are talking about a purpose for collection. I will certainly argue about disclosure. you are collecting for a valid purpose. We need to discuss how you are going to use and disclose it.
Abdeldjalil Bachar Bong:@Maxim I need more information when you said the current internet user will suffer if we don't have more certifications
Stephanie Perrin:As far as I can see though, you are not collecting any separate data elements solely for the purpose of domain certs. validation
Michele Neylon:Stephanie - in thin?
Maxim Alzoba (FAITID):@Abdeldjalil lots of services depend on certificates ... e-mail, online banking etc.
Stephanie Perrin:certainly in thin, but even in thick...what new data elements are you looking for?
Michele Neylon:Stephanie - no new ones
Abdeldjalil Bachar Bong:Thanks @Maxim
Lisa Phifer:After we get rough consensus on purposes for collecting thin data, we'll move to Data Elements and examine the individual data elements needed by that purpose, and given that we can look at under what conditions that data should be disclosed for that purpose...
Stephanie Perrin:I seem to be the only one quibbling here. I am not arguing about the importance of encryption, or certification of sites. I am quibbling about whether authenticators, who arguably ought to be trusted parties, should be harvesting this data off an open WHOIS. If this is what they are doing as part of their functions, they could be authenticated to seek the data at a deeper level.
Lisa Phifer:@Sam, do study subjects not have any opportunity for anonymity, or does it depend on the study and the types of data involved?
Stephanie Perrin:It depends on the university ethics protocols. Certainly in Canadian unis you would not be able to disclose the personal data, you would have to bind users to the same privacy commitments.
Stephanie Perrin:ICANN would have to set a research protocol for this, that meets the highest standard, otherwise academic access could become one of those jurisdictional nightmares....
Lisa Phifer:@Rod, you propose adding Name Servers and Registrar to the list of thin data elements for this purpose?
Stephanie Perrin:Is it not the case that every time you need thick data, you absolutely have to have access to the thin data to get at it??
Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query any WHOIS data, but beyond that you may not need other thin data elements (dates, etc) for a given purpose
Michele Neylon:Stephanie - yes
Stephanie Perrin:Thanks Michele
Michele Neylon:the thin tells you where to find the thick
Michele Neylon:(sort of)
Michele Neylon:(and I can't believe I just wrote that and it made sense to me)
Stephanie Perrin:It is indeed a worrying sign...
Stephanie Perrin:We have been at this a full year, I would point out....
Stephanie Perrin:Consumer protection is very limited. Yes it is a valid purpose. Disclosure is another matter...
Sam Lanfranco npoc/csih:Q. Thin raw data from the polls, or Thick raw data from the polls? (-:
Maxim Alzoba (FAITID):just add checkbox - I do want my name shown
Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit less convenient than xls
Stephanie Perrin:I think it would be interesting to see both. I want to look for contradictions in responses. I also want to look for aggregates.
Maxim Alzoba (FAITID):NamesCon?
Tapani Tarvainen:(having written a number of pdf-to-text thingies...)
Maxim Alzoba (FAITID):Could we add example of report as a header to survey? like after you fill this - it is going to look like this and that?
Lisa Phifer:In short, we would need to get consent of all who responded
Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT pool of the local ISP
Michele Neylon:Stephanie is that you??
Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here.
Michele Neylon:has someone hijacked her identity??
Michele Neylon:/me ducks
Lisa Phifer:@Maxim, generally not true of respondents taking survey from within corporate networks - in that case, IP is often static
Stephanie Perrin:Sadly I may not be on the call next week, depending on travel schedule
Maxim Alzoba (FAITID):@Lisa, agree - it depends
Maxim Alzoba (FAITID):Bye all
Benny / Nordreg AB:bye all
Daniel K. Nanghaka:bye
Patrick Lenihan:Thanks to Each and All!
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
On Thu, Jan 19, 2017 at 1:24 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
It is your inner Canadian coming out there Greg, doubtless a harbinger of further agreement to come....:-D
SP
On 2017-01-19 12:35, Greg Shatan wrote:
I never thought I would agree with Stephanie on a privacy-related matter.... 😂
But I do this time.
Greg
On Thu, Jan 19, 2017 at 11:44 AM, Gomes, Chuck <cgomes@verisign.com> wrote:
Thanks for your thoughtful contributions to this discussion Stephanie.
Chuck
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Stephanie Perrin *Sent:* Wednesday, January 18, 2017 2:58 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
I will do my best to make the call next week, but am travelling so may not manage it. Since I am the one querying the suggestion that protecting the data and the names of the individuals under the rubric of privacy is a wee bit off base, believing instead that people should be accountable for what they are putting in their polling data, here is my view, for what it is worth.
1. ICANN is fundamentally an open, transparent multistakeholder organization where PDPs are open to all. There is an expectation that there will be robust debate and that people will be accountable for the views they wish to express. If a person wishes to watch what is happening and not participate, they can monitor and thereby not be forced to express a view. Participation in the working group should mean that one's expectations of privacy in terms of opinions expressed are very limited. I would like to hear the arguments for such an opinion, if anyone has advanced them.
2. In this respect, if an organization sends a representative to attend a PDP and they do not have the authority to speak for the organization without vetting/checking, they have a number of options: a) omit the survey; b) fill it out in their own name with caveats that they do not represent the organization; c) get the survey questions and consult on the answers. I don't really think it is acceptable for organizations to anonymously fill out the survey, just as I don't buy the privacy argument from individuals.
3. The data is useful to those of us who are trying to understand where people are coming from. As I have said numerous times, we all view these matters from our own perspectives and knowledge base. I am trying to understand the degree to which people still do not understand privacy concepts, which I think I can detect from their answers. (Others may wonder why I still don't understand how the RDS works, fair enough says I! Check my data, it might help you detect necessary educational opportunities...) I am also interested in the variance across questions, cumulative totals per SG, etc.
4. At a rather fundamental level, data that is used by us even to form rough concepts of consensus should be accessible to all in my view. This is a very controversial topic which has caused considerable conflict over the years; let us try to minimize any potential for later questions or distrust by ensuring all data is available.
There are ways around this problem of disclosure vs non-disclosure.
1. Inform people that polling data will be available. Forewarned.
2. Release data minus the name. However, folks will be guessing who is from what constituency, and frankly we must have the constituency data. Normally for disclosure of PI for people in groups we go by the rule of 4... rarely are there 4 NCSG folks filling out the polls, so you can identify us anyway; this may be different for other groups. I think this one is a non-starter but there it is.
3. Seek consent. As discussed above, I don't think the privacy arguments hold water; it is bad policy to seek consent on something that you could not/should not protect in the first place. Also a non-starter in my view, but there it is.
Again, I hope to make the call next week but wanted to start off this discussion on the list in case I don't make it.
Cheers Stephanie
On 2017-01-18 10:45, Gomes, Chuck wrote:
For those of you who were unable to attend this meeting, I encourage you to listen to the MP3 recording and/or review the transcript as well as the notes that Marika sent right after the meeting. We made quite a lot of progress; we discussed all of the remaining proposed purposes for the collection of thin data and there were no objections from anyone on the call to the conclusion that each of the purposes are legitimate for the collection of thin data.
The third purpose, where we started for this meeting, is Domain Name Certification. We spent quite a bit of time talking about this. For those who feel that you do not understand this purpose fully, at about 14:50 into the call we had what I thought was a very good discussion designed to make sure everyone understands Domain Name Certification, so I encourage you to at least listen to that portion and the discussion following where we discussed whether it was an acceptable purpose. You will note that some thick data elements were also mentioned but we did not make any conclusions regarding thick data.
Once we finished our deliberation on Domain Name Certification, there was just minimal discussion on the other remaining purposes so you may not find the balance of the recording very informative.
Near the very end of the recording we alerted everyone to an agenda topic we will have next week about whether raw poll data should be shared with the WG and, if so, in what way. Those not on the call may benefit from listening to that discussion in preparation for next week.
Happy listening.
Chuck
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Nathalie Peregrine *Sent:* Wednesday, January 18, 2017 6:57 AM *To:* gnso-rds-pdp-wg@icann.org *Cc:* gnso-secs@icann.org *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
*With updated apologies*
*From: *"owner-gnso-secs@icann.org" <owner-gnso-secs@icann.org> on behalf of Nathalie Peregrine <nathalie.peregrine@icann.org> *Date: *Wednesday, January 18, 2017 at 11:52 AM *To: *"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> *Cc: *"gnso-secs@icann.org" <gnso-secs@icann.org> *Subject: *[gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
Dear all,
Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Wednesday, 18 January 2017 at 06:00 UTC.
*MP3:* https://audio.icann.org/gnso/gnso-nextgen-rds-pdp-18jan17-en.mp3
The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page:
http://gnso.icann.org/en/group-activities/calendar
** Please let me know if your name has been left off the list **
Mailing list archives: http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
Wiki page: https://community.icann.org/x/tarDAw
Thank you.
Kind regards,
Nathalie
———————————————
*AC Chat Next-Gen RDS PDP WG Wednesday 18 January 2017*
Nathalie Peregrine:Dear all, welcome to the Next-Gen RDS PDP WG call on Wednesday 18 January 2017 at 06:00 UTC.
Nathalie Peregrine:Meeting page: https://community.icann.org/x/EbTDAw
Michele Neylon:good morning people
Michele Neylon:it's good middle of the bloody night :)
Chuck Gomes:Morning?!!
Benny / Nordreg AB:Good Afternoon ;-)
Alex Deacon:Hi all...
Abdeldjalil Bachar Bong:Bonjour à tous / hello to everyone
Maxim Alzoba (FAITID):Good morning all.
Michele Neylon:MUTE yourselves please
Fabricio Vayra:good morning
Tapani Tarvainen:Decent hour in Finland, too
Farell FOLLY (africa 2.0):Morning All
Michele Neylon:6am is an hour
Tapani Tarvainen:8am here
Michele Neylon:I'm not sure if it's decent or desirable
Maxim Alzoba (FAITID):not that horrible - 9am
Farell FOLLY (africa 2.0):6 am here !
Benny / Nordreg AB:Currently in Bangkok 1 PM
Benny / Nordreg AB:so not too bad
Stephanie Perrin:1 am here. I am not at my perkiest I must admit.
Benny / Nordreg AB:So a silent Stephanie today? ;-)
Stephanie Perrin:Not likely...just delayed, I suspect....:-)
Marika Konings:no, I haven't seen anything
Sam Lanfranco npoc/csih:Stephanie is probably quiet because it is -5C outside and the weather is freezing rain (-:
Lisa Phifer:Actually, question 3 assessed level of support for several listed purposes, not just Domain Name Certification
Stephanie Perrin:Yes Sam, if the power goes out again I may be extra quiet....
Alex Deacon:1995 - earlier if you count the RSA days :)
Fabricio Vayra:@Alex - Nice!
Sam Lanfranco npoc/csih:Question: What percentage of DN Certificate Requests turn out to be bogus?
Maxim Alzoba (FAITID):current WHOIS data is not 100% true .. should we assume that not all 100% are good?
Abdeldjalil Bachar Bong:I need some clarification about the first question as I am a newcomer in this WG, thanks. My second: do you have some resources for non-English speakers?
Benny / Nordreg AB:or .se / .nu where there are no info in whois for private persons
Lisa Phifer:@Geoff, with respect to thin data elements, which elements are consulted for this authentication?
Michele Neylon:My current bugbear is a particular company who insists on sending us their requests
Michele Neylon:not to our clients
Daniel K. Nanghaka:The challenge with the WHOIS is that there is no appropriate verification method for the users - there should be a way to validate sensitive data
Stephanie Perrin:How often do you need to authenticate for these certificates?
Benny / Nordreg AB:at least once per year
Stephanie Perrin:Do you rely on what is in WHOIS, OR do you call the technical/administrative contact?
Benny / Nordreg AB:per domain/ certificate
Stephanie Perrin:what data do you trust? In other words, how do you verify the data?
Michele Neylon:domain validated certs are the cheapest ones
Michele Neylon:they're also the fastest ones to get issued
Michele Neylon:the level of "trust" is negligible
Stephanie Perrin:But what are they worth?
Michele Neylon:Stephanie - to whom?
Stephanie Perrin:To anyone who is relying on the certificate....
Maxim Alzoba (FAITID):hhmm .. and if the mailbox was compromised ?
Michele Neylon:FYI - they're also used by valid users like me :)
Michele Neylon:I'm using one on michele.blog
Alex Deacon:You could argue that Domain Validation certs are good for encryption only. they provide zero value from an authentication/identity point of view.
Stephanie Perrin:I would have no clue what I am using. I think I speak for most consumers....
Michele Neylon:what Alex said
Michele Neylon:they're a step up from a self-signed cert
Stephanie Perrin:Thanks Alex, that is kind of where I was heading....
Daniel K. Nanghaka:This is where Domain verification comes in strongly - and the Domain validated certificates should be placed in the page of the Domain to prove that the domain is validated. The Company should have a respective data handler who will be responsible for domain validation and certificate authentication.
Michele Neylon:Daniel - which company?
Benny / Nordreg AB:Unsure how you will make that happen Daniel?
Maxim Alzoba (FAITID):The company
Maxim Alzoba (FAITID):in some movies it was the name for one of the agencies
Alex Deacon:@stephanie - it depends on the type of cert.
Daniel K. Nanghaka:@Michele - the company that owns the Domain
Daniel K. Nanghaka:Yes, the biggest challenge is that many companies take these certificates for granted
Michele Neylon:Daniel - what makes you think they're a company? these days a LOT of the domain validated certs are for individuals not companies
Michele Neylon:https://letsencrypt.org/
Michele Neylon:see also http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
Maxim Alzoba (FAITID):letsencrypt ... they rely on publicsuffix, for exumple and the latter uses whois ...
Maxim Alzoba (FAITID):*example
Maxim Alzoba (FAITID):the only other source of info ... is LEA
Alex Deacon:@maxim - you lost me. what info does LEA have?
Maxim Alzoba (FAITID):Law Enforcement Agency
Alex Deacon:i know what lea stands for....
Stephanie Perrin:I must be missing something here. If I am a legitimate rep of a company requesting a cert, why could you not ask for a whole mess of non-publicly available data, signed by the company, to validate my request?
Maxim Alzoba (FAITID):current internet users will surely suffer (and services too ) if certificates are no more
Michele Neylon:Stephanie - because it's time consuming and a pain in the neck?
Stephanie Perrin:If you are looking for a phone number is that part of thin data? I did not think so.
Michele Neylon:it doesn't scale
Alex Deacon:@stephanie - a CA needs a way to "bind" (associate) an org/user with a domain. WHOIS does this today.
Michele Neylon:phone numbers are "thick"
Stephanie Perrin:That is what I thought. So we are talking about thick data here. And if only some registrants want certs, then why should all registrants have to put their thick data in WHOIS?
Lisa Phifer:Note that handout is now displayed, showing this purpose and related thin data elements
Stephanie Perrin:So what percentage of registrations want/need certs?
Michele Neylon:Stephanie - see the link I posted above
Benny / Nordreg AB:Soon every active domain with a website
Michele Neylon:what Benny said :)
Stephanie Perrin:We are talking about a purpose for collection. I will certainly argue about disclosure. you are collecting for a valid purpose. We need to discuss how you are going to use and disclose it.
Abdeldjalil Bachar Bong:@Maxim I need more information when you said the current internet user will suffer if we don't have more certifications
Stephanie Perrin:As far as I can see though, you are not collecting any separate data elements solely for the purpose of domain certs. validation
Michele Neylon:Stephanie - in thin?
Maxim Alzoba (FAITID):@Abdeldjalil lots of services depend on certificates ... e-mail, online banking etc.
Stephanie Perrin:certainly in thin, but even in thick...what new data elements are you looking for?
Michele Neylon:Stephanie - no new ones
Abdeldjalil Bachar Bong:Thanks @Maxim
Lisa Phifer:After we get rough consensus on purposes for collecting thin data, we'll move to Data Elements and examine the individual data elements needed by that purpose, and given that we can look at under what conditions that data should be disclosed for that purpose...
Stephanie Perrin:I seem to be the only one quibbling here. I am not arguing about the importance of encryption, or certification of sites. I am quibbling about whether authenticators, who arguably ought to be trusted parties, should be harvesting this data off an open WHOIS. If this is what they are doing as part of their functions, they could be authenticated to seek the data at a deeper level.
Lisa Phifer:@Sam, do study subjects not have any opportunity for anonymity, or does it depend on the study and the types of data involved?
Stephanie Perrin:It depends on the university ethics protocols. Certainly in Canadian unis you would not be able to disclose the personal data, you would have to bind users to the same privacy commitments.
Stephanie Perrin:ICANN would have to set a research protocol for this, that meets the highest standard, otherwise academic access could become one of those jurisdictional nightmares....
Lisa Phifer:@Rod, you propose adding Name Servers and Registrar to the list of thin data elements for this purpose?
Stephanie Perrin:Is it not the case that every time you need thick data, you absolutely have to have access to the thin data to get at it??
Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query any WHOIS data, but beyond that you may not need other thin data elements (dates, etc) for a given purpose
Michele Neylon:Stephanie - yes
Stephanie Perrin:Thanks Michele
Michele Neylon:the thin tells you where to find the thick
Michele Neylon:(sort of)
Michele Neylon:(and I can't believe I just wrote that and it made sense to me)
Stephanie Perrin:It is indeed a worrying sign...
Stephanie Perrin:We have been at this a full year, I would point out....
Stephanie Perrin:Consumer protection is very limited. Yes it is a valid purpose. Disclosure is another matter...
Sam Lanfranco npoc/csih:Q. Thin raw data from the polls, or Thick raw data from the polls? (-:
Maxim Alzoba (FAITID):just add checkbox - I do want my name shown
Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit less convenient than xls
Stephanie Perrin:I think it would be interesting to see both. I want to look for contradictions in responses. I also want to look for aggregates.
Maxim Alzoba (FAITID):NamesCon?
Tapani Tarvainen:(having written a number of pdf-to-text thingies...)
Maxim Alzoba (FAITID):Could we add example of report as a header to survey? like after you fill this - it is going to look like this and that?
Lisa Phifer:In short, we would need to get consent of all who responded
Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT pool of the local ISP
Michele Neylon:Stephanie is that you??
Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here.
Michele Neylon:has someone hijacked her identity??
Michele Neylon:/me ducks
Lisa Phifer:@Maxim, generally not true of respondents taking survey from within corporate networks - in that case, IP is often static
Stephanie Perrin:Sadly I may not be on the call next week, depending on travel schedule
Maxim Alzoba (FAITID):@Lisa, agree - it depends
Maxim Alzoba (FAITID):Bye all
Benny / Nordreg AB:bye all
Daniel K. Nanghaka:bye
Patrick Lenihan:Thanks to Each and All!
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
WG Colleagues,

Here are my thoughts on the survey raw data issue under discussion in the RDS PDP WG. We face four options. They include: (1) no survey raw data disclosure (but still mean/std. dev. disclosure); (2) full survey raw data disclosure, (3) limited survey raw data disclosure, and (4) abandoning use of the survey.

No disclosure (1) is the status quo. Full disclosure (2) maximizes transparency, at the risk of reduced survey participation and with little benefit over simple WG dialogue. Limited raw data disclosure (3) is the RDS PDP WG Thick/Thin data challenge, only now with regard to our survey data fields. The design of a limited disclosure protocol is beyond the time and resources available to us, and details beyond mean/std. dev. probably mean a loss of confidentiality. Small participant size in these surveys means that disclosure beyond mean/std. dev. makes it harder for responses to remain confidential. Comments are already less than anonymous since we know each other’s proclivities and propensities. One does have a choice to not comment. A permission box [Show my name] is also problematic, given respondent numbers, since it makes it easier to identify “no name” respondents.

Where do I stand on this? I am for either option (1) the status quo (no disclosure), or option 4 (no surveys at all). The survey is a quick aid to the WG dialogue and need not be seen as a binding measure of consensus. Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus. Confidentiality poses no problem since the consensus process is still within the WG dialogue. The Chair of the WG, and the ICANN staff member, act as survey “scrutineers” and we should trust them to flag survey participation irregularities.

If (1) the status quo (no disclosure) is not acceptable, I am in favor of (4) no surveys. Limited disclosure (3) is logistically problematic, and full disclosure (2) offers few benefits over simply conducting the dialogue within the RDS PDP WG. To recap, I prefer either the status quo or no surveys at all. I look forward to other views on this matter.

Sam Lanfranco, npoc/csih
Hello Sam,

I think we might stick to (3) in format of choice between 3

1. my name and affiliation is Ok to show
2. please show only my affiliation (could be group and not a company name)
3. please do not show any info.

P.s: as an analyst I can say that the persons might be identified by the writing, so I see almost no value in hiding, and since we have public records of meetings and we express the same ideas via voice and chat ... it is almost not possible to push a particular idea without being identified.

Sincerely Yours,
Maxim Alzoba
Special projects manager, International Relations Department, FAITID
m. +7 916 6761580 skype oldfrogger
Current UTC offset: +3.00 (Moscow)
On Jan 19, 2017, at 06:35, Sam Lanfranco <sam@lanfranco.net> wrote:
WG Colleagues,
Here are my thoughts on the survey raw data issue under discussion in the RDS PDP WG. We face four options. They include: (1) no survey raw data disclosure (but still mean/std. dev. disclosure); (2) full survey raw data disclosure, (3) limited survey raw data disclosure, and (4) abandoning use of the survey.
No disclosure (1) is the status quo. Full disclosure (2) maximizes transparency, at the risk of reduced survey participation and with little benefit over simple WG dialogue. Limited raw data disclosure (3) is the RDS PDP WG Thick/Thin data challenge, only now with regard to our survey data fields. The design of a limited disclosure protocol is beyond the time and resources available to us, and details beyond mean/std. dev. probably mean a loss of confidentiality. Small participant size in these surveys means that disclosure beyond mean/std. dev. makes it harder for responses to remain confidential. Comments are already less than anonymous since we know each other’s proclivities and propensities. One does have a choice to not comment. A permission box [Show my name] is also problematic, given respondent numbers, since it makes it easier to identify “no name” respondents.
Where do I stand on this? I am for either option (1) the status quo (no disclosure), or option 4 (no surveys at all). The survey is a quick aid to the WG dialogue and need not be seen as a binding measure of consensus. Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus. Confidentiality poses no problem since the consensus process is still within the WG dialogue. The Chair of the WG, and the ICANN staff member, act as survey “scrutineers” and we should trust them to flag survey participation irregularities.
If (1) the status quo (no disclosure) is not acceptable, I am in favor of (4) no surveys. Limited disclosure (3) is logistically problematic, and full disclosure (2) offers few benefits over simply conducting the dialogue within the RDS PDP WG. To recap, I prefer either the status quo or no surveys at all. I look forward to other views on this matter.
Sam Lanfranco, npoc/csih
Hi Maxim,

After some reflection I think I agree limited disclosure is fine, even though I'd no problem with full disclosure either: details such as IP addresses are not important.

What is important and should be public is who voted how on each question, preferably in an easy-to-analyze form (spreadsheet). It should not be difficult to generate such reports from the polls.

I don't see any need for anonymity or privacy in this kind of working group, any more than in parliamentary votes. If these polls are used, as they are, in making decisions, people should know who voted what, and it should not be made any harder than necessary.

I do appreciate the problem of changing rules after the fact though, so releasing such data from past polls would need a stronger support from the group than for future ones.

Sincerely,
Tapani

On Jan 19 12:08, Maxim Alzoba (m.alzoba@gmail.com) wrote:
Hello Sam,
I think we might stick to (3) in format of choice between 3
1. my name and affiliation is Ok to show
2. please show only my affiliation (could be group and not a company name)
3. please do not show any info.
P.s: as an analyst I can say that the persons might be identified by the writing, so I see almost no value in hiding , and since we have public records of meetings and we express the same ideas via voice and chat ... it is almost not possible to push a particular idea without being identified.
Sincerely Yours,
Maxim Alzoba Special projects manager, International Relations Department, FAITID
m. +7 916 6761580 skype oldfrogger
Current UTC offset: +3.00 (Moscow)
On Jan 19, 2017, at 06:35, Sam Lanfranco <sam@lanfranco.net> wrote:
WG Colleagues,
Here are my thoughts on the survey raw data issue under discussion in the RDS PDP WG. We face four options. They include: (1) no survey raw data disclosure (but still mean/std. dev. disclosure); (2) full survey raw data disclosure, (3) limited survey raw data disclosure, and (4) abandoning use of the survey.
No disclosure (1) is the status quo. Full disclosure (2) maximizes transparency, at the risk of reduced survey participation and with little benefit over simple WG dialogue. Limited raw data disclosure (3) is the RDS PDP WG Thick/Thin data challenge, only now with regard to our survey data fields. The design of a limited disclosure protocol is beyond the time and resources available to us, and details beyond mean/std. dev. probably mean a loss of confidentiality. Small participant size in these surveys means that disclosure beyond mean/std. dev. makes it harder for responses to remain confidential. Comments are already less than anonymous since we know each other’s proclivities and propensities. One does have a choice to not comment. A permission box [Show my name] is also problematic, given respondent numbers, since it makes it easier to identify “no name” respondents.
Where do I stand on this? I am for either option (1) the status quo (no disclosure), or option 4 (no surveys at all). The survey is a quick aid to the WG dialogue and need not be seen as a binding measure of consensus. Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus. Confidentiality poses no problem since the consensus process is still within the WG dialogue. The Chair of the WG, and the ICANN staff member, act as survey “scrutineers” and we should trust them to flag survey participation irregularities.
If (1) the status quo (no disclosure) is not acceptable, I am in favor of (4) no surveys. Limited disclosure (3) is logistically problematic, and full disclosure (2) offers few benefits over simply conducting the dialogue within the RDS PDP WG. To recap, I prefer either the status quo or no surveys at all. I look forward to other views on this matter.
Sam Lanfranco, npoc/csih
Thanks for the good feedback Tapani.

I want to clarify something we have said before: responses to polls are not and will not be used as votes. As part of our work plan, we decided not to formally assess final positions until much later in the process; when we do that the results will be treated like votes. Until then, we are using polling, whether in meetings via Adobe or on our list to quickly and easily get a rough assessment of member positions to help us make progress toward developing final requirements for which we will eventually determine formal levels of consensus.

Chuck

-----Original Message-----
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen
Sent: Thursday, January 19, 2017 4:54 AM
To: gnso-rds-pdp-wg@icann.org
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] The survey raw data issue

Hi Maxim,

After some reflection I think I agree limited disclosure is fine, even though I'd no problem with full disclosure either: details such as IP addresses are not important.

What is important and should be public is who voted how on each question, preferably in an easy-to-analyze form (spreadsheet). It should not be difficult to generate such reports from the polls.

I don't see any need for anonymity or privacy in this kind of working group, any more than in parliamentary votes. If these polls are used, as they are, in making decisions, people should know who voted what, and it should not be made any harder than necessary.

I do appreciate the problem of changing rules after the fact though, so releasing such data from past polls would need a stronger support from the group than for future ones.

Sincerely,
Tapani

On Jan 19 12:08, Maxim Alzoba (m.alzoba@gmail.com) wrote:
Hello Sam,
I think we might stick to (3) in format of choice between 3
1. my name and affiliation is Ok to show
2. please show only my affiliation (could be group and not a company name)
3. please do not show any info.
P.s: as an analyst I can say that the persons might be identified by the writing, so I see almost no value in hiding , and since we have public records of meetings and we express the same ideas via voice and chat ... it is almost not possible to push a particular idea without being identified.
Sincerely Yours,
Maxim Alzoba Special projects manager, International Relations Department, FAITID
m. +7 916 6761580 skype oldfrogger
Current UTC offset: +3.00 (Moscow)
On Jan 19, 2017, at 06:35, Sam Lanfranco <sam@lanfranco.net> wrote:
WG Colleagues,
Here are my thoughts on the survey raw data issue under discussion in the RDS PDP WG. We face four options. They include: (1) no survey raw data disclosure (but still mean/std. dev. disclosure); (2) full survey raw data disclosure, (3) limited survey raw data disclosure, and (4) abandoning use of the survey.
No disclosure (1) is the status quo. Full disclosure (2) maximizes transparency, at the risk of reduced survey participation and with little benefit over simple WG dialogue. Limited raw data disclosure (3) is the RDS PDP WG Thick/Thin data challenge, only now with regard to our survey data fields. The design of a limited disclosure protocol is beyond the time and resources available to us, and details beyond mean/std. dev. probably mean a loss of confidentiality. Small participant size in these surveys means that disclosure beyond mean/std. dev. makes it harder for responses to remain confidential. Comments are already less than anonymous since we know each other’s proclivities and propensities. One does have a choice to not comment. A permission box [Show my name] is also problematic, given respondent numbers, since it makes it easier to identify “no name” respondents.
Where do I stand on this? I am for either option (1) the status quo (no disclosure), or option 4 (no surveys at all). The survey is a quick aid to the WG dialogue and need not be seen as a binding measure of consensus. Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus. Confidentiality poses no problem since the consensus process is still within the WG dialogue. The Chair of the WG, and the ICANN staff member, act as survey “scrutineers” and we should trust them to flag survey participation irregularities.
If (1) the status quo (no disclosure) is not acceptable, I am in favor of (4) no surveys. Limited disclosure (3) is logistically problematic, and full disclosure (2) offers few benefits over simply conducting the dialogue within the RDS PDP WG. To recap, I prefer either the status quo or no surveys at all. I look forward to other views on this matter.
Sam Lanfranco, npoc/csih
Maxim,

I will happily live with whatever consensus is arrived at here. I am for maximum transparency. I just suspect that significant disclosure will make surveys redundant to the discussions in the meetings. In any event, the real action, and consensus, happens in the meetings. The surveys, under any rules, are also an experiment. They may help, or hinder, progress in the meetings. Too much discussion of survey results might look like engagement, but may not be progress. Also, if we go with significant disclosure I may end up with a testable hypothesis, and evidence to test it.

Sam

On 1/19/2017 4:08 AM, Maxim Alzoba wrote:
Hello Sam,
I think we might stick to (3) in format of choice between 3
1. my name and affiliation is Ok to show
2. please show only my affiliation (could be group and not a company name)
3. please do not show any info.
P.s: as an analyst I can say that the persons might be identified by the writing, so I see almost no value in hiding , and since we have public records of meetings and we express the same ideas via voice and chat ... it is almost not possible to push a particular idea without being identified.
Sincerely Yours,
Maxim Alzoba Special projects manager, International Relations Department, FAITID
m. +7 916 6761580 skype oldfrogger
Current UTC offset: +3.00 (Moscow)
On Jan 19, 2017, at 06:35, Sam Lanfranco <sam@lanfranco.net> wrote:
WG Colleagues,
Here are my thoughts on the survey raw data issue under discussion in the RDS PDP WG. We face four options. They include: (1) no survey raw data disclosure (but still mean/std. dev. disclosure); (2) full survey raw data disclosure, (3) limited survey raw data disclosure, and (4) abandoning use of the survey.
No disclosure (1) is the status quo. Full disclosure (2) maximizes transparency, at the risk of reduced survey participation and with little benefit over simple WG dialogue. Limited raw data disclosure (3) is the RDS PDP WG Thick/Thin data challenge, only now with regard to our survey data fields. The design of a limited disclosure protocol is beyond the time and resources available to us, and details beyond mean/std. dev. probably mean a loss of confidentiality. Small participant size in these surveys means that disclosure beyond mean/std. dev. makes it harder for responses to remain confidential. Comments are already less than anonymous since we know each other’s proclivities and propensities. One does have a choice to not comment. A permission box [Show my name] is also problematic, given respondent numbers, since it makes it easier to identify “no name” respondents.
Where do I stand on this? I am for either option (1) the status quo (no disclosure), or option 4 (no surveys at all). The survey is a quick aid to the WG dialogue and need not be seen as a binding measure of consensus. Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus. Confidentiality poses no problem since the consensus process is still within the WG dialogue. The Chair of the WG, and the ICANN staff member, act as survey “scrutineers” and we should trust them to flag survey participation irregularities.
If (1) the status quo (no disclosure) is not acceptable, I am in favor of (4) no surveys. Limited disclosure (3) is logistically problematic, and full disclosure (2) offers few benefits over simply conducting the dialogue within the RDS PDP WG. To recap, I prefer either the status quo or no surveys at all. I look forward to other views on this matter.
Sam Lanfranco, npoc/csih
--
------------------------------------------------
"It is a disgrace to be rich and honoured in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
------------------------------------------------
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: Lanfran@Yorku.ca Skype: slanfranco
blog: https://samlanfranco.blogspot.com
Phone: +1 613-476-0429 cell: +1 416-816-2852
I don’t like being too picky about terminology but in this case I think it may be important. The polls that we are doing are really not surveys in the more formal sense of the term. They certainly are not intended to be statistically valid and we definitely do not allow sufficient time for that to be the case. The primary objectives of the polls are two-fold: 1) confirm conclusions reached in meetings with those who participated; 2) provide an easy way for those who did not participate to contribute to the conclusions reached. What we are trying to do is get a reasonably good sense of where WG members are with regard to specific issues and doing it in a way that is done fairly quickly so our work does not drag out too long.

Chuck

From: Sam Lanfranco [mailto:sam@lanfranco.net]
Sent: Thursday, January 19, 2017 5:13 AM
To: Maxim Alzoba <m.alzoba@gmail.com>
Cc: gnso-rds-pdp-wg@icann.org; Gomes, Chuck <cgomes@verisign.com>
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] The survey raw data issue

Maxim,

I will happily live with whatever consensus is arrived at here. I am for maximum transparency. I just suspect that significant disclosure will make surveys redundant to the discussions in the meetings. In any event, the real action, and consensus, happens in the meetings. The surveys, under any rules, are also an experiment. They may help, or hinder, progress in the meetings. Too much discussion of survey results might look like engagement, but may not be progress. Also, if we go with significant disclosure I may end up with a testable hypothesis, and evidence to test it.

Sam

On 1/19/2017 4:08 AM, Maxim Alzoba wrote:

Hello Sam,

I think we might stick to (3) in format of choice between 3

1. my name and affiliation is Ok to show
2. please show only my affiliation (could be group and not a company name)
3. please do not show any info.

P.s: as an analyst I can say that the persons might be identified by the writing, so I see almost no value in hiding, and since we have public records of meetings and we express the same ideas via voice and chat ... it is almost not possible to push a particular idea without being identified.

Sincerely Yours,
Maxim Alzoba
Special projects manager, International Relations Department, FAITID
m. +7 916 6761580 skype oldfrogger
Current UTC offset: +3.00 (Moscow)

On Jan 19, 2017, at 06:35, Sam Lanfranco <sam@lanfranco.net> wrote:

WG Colleagues,

Here are my thoughts on the survey raw data issue under discussion in the RDS PDP WG. We face four options. They include: (1) no survey raw data disclosure (but still mean/std. dev. disclosure); (2) full survey raw data disclosure, (3) limited survey raw data disclosure, and (4) abandoning use of the survey.

No disclosure (1) is the status quo. Full disclosure (2) maximizes transparency, at the risk of reduced survey participation and with little benefit over simple WG dialogue. Limited raw data disclosure (3) is the RDS PDP WG Thick/Thin data challenge, only now with regard to our survey data fields. The design of a limited disclosure protocol is beyond the time and resources available to us, and details beyond mean/std. dev. probably mean a loss of confidentiality. Small participant size in these surveys means that disclosure beyond mean/std. dev. makes it harder for responses to remain confidential. Comments are already less than anonymous since we know each other’s proclivities and propensities. One does have a choice to not comment. A permission box [Show my name] is also problematic, given respondent numbers, since it makes it easier to identify “no name” respondents.

Where do I stand on this? I am for either option (1) the status quo (no disclosure), or option 4 (no surveys at all). The survey is a quick aid to the WG dialogue and need not be seen as a binding measure of consensus. Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus. Confidentiality poses no problem since the consensus process is still within the WG dialogue. The Chair of the WG, and the ICANN staff member, act as survey “scrutineers” and we should trust them to flag survey participation irregularities.

If (1) the status quo (no disclosure) is not acceptable, I am in favor of (4) no surveys. Limited disclosure (3) is logistically problematic, and full disclosure (2) offers few benefits over simply conducting the dialogue within the RDS PDP WG. To recap, I prefer either the status quo or no surveys at all. I look forward to other views on this matter.

Sam Lanfranco, npoc/csih

--
------------------------------------------------
"It is a disgrace to be rich and honoured in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
------------------------------------------------
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: Lanfran@Yorku.ca Skype: slanfranco
blog: https://samlanfranco.blogspot.com
Phone: +1 613-476-0429 cell: +1 416-816-2852
I very much appreciate Sam's thoughtful analysis. It is exactly the kind of input that will be useful as the WG considers whether any raw poll data should be provided. As we announced at the end of this week's WG meeting, we will be discussing that on our agenda next week.

I want to reinforce some points that Sam makes below: "Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus."

Also, I want to encourage the good discussion about this topic that is happening on this list in advance of next week's call. We will continue that discussion in our meeting next week so advance discussion should facilitate that agenda item. And for those who may not be able to attend next week's meeting, it is especially important for you to share your thoughts before the meeting.

Chuck

From: Sam Lanfranco [mailto:sam@lanfranco.net]
Sent: Wednesday, January 18, 2017 10:36 PM
To: gnso-rds-pdp-wg@icann.org; Gomes, Chuck <cgomes@verisign.com>
Subject: [EXTERNAL] The [gnso-rds-pdp-wg] survey raw data issue

WG Colleagues,

Here are my thoughts on the survey raw data issue under discussion in the RDS PDP WG. We face four options. They include: (1) no survey raw data disclosure (but still mean/std. dev. disclosure); (2) full survey raw data disclosure, (3) limited survey raw data disclosure, and (4) abandoning use of the survey.

No disclosure (1) is the status quo. Full disclosure (2) maximizes transparency, at the risk of reduced survey participation and with little benefit over simple WG dialogue. Limited raw data disclosure (3) is the RDS PDP WG Thick/Thin data challenge, only now with regard to our survey data fields. The design of a limited disclosure protocol is beyond the time and resources available to us, and details beyond mean/std. dev. probably mean a loss of confidentiality. Small participant size in these surveys means that disclosure beyond mean/std. dev. makes it harder for responses to remain confidential. Comments are already less than anonymous since we know each other's proclivities and propensities. One does have a choice to not comment. A permission box [Show my name] is also problematic, given respondent numbers, since it makes it easier to identify "no name" respondents.

Where do I stand on this? I am for either option (1) the status quo (no disclosure), or option 4 (no surveys at all). The survey is a quick aid to the WG dialogue and need not be seen as a binding measure of consensus. Survey results are not a vote. They are inputs for the WG dialogue grist mill, inputs that can facilitate the process of WG consensus. Confidentiality poses no problem since the consensus process is still within the WG dialogue. The Chair of the WG, and the ICANN staff member, act as survey "scrutineers" and we should trust them to flag survey participation irregularities.

If (1) the status quo (no disclosure) is not acceptable, I am in favor of (4) no surveys. Limited disclosure (3) is logistically problematic, and full disclosure (2) offers few benefits over simply conducting the dialogue within the RDS PDP WG. To recap, I prefer either the status quo or no surveys at all. I look forward to other views on this matter.

Sam Lanfranco, npoc/csih
participants (7)
-
Gomes, Chuck -
Greg Shatan -
Maxim Alzoba -
Nathalie Peregrine -
Sam Lanfranco -
Stephanie Perrin -
Tapani Tarvainen