I have to disagree. These are legitimate purposes for collection, as well as for disclosure. Greg On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:

I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16 people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting.

Best regards, Lisa

_______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-) I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not. cheers Stephanie On 2017-01-22 04:03, Shane Kerr wrote:

Greg,

If we can say that not all legitimate purposes have to be catered for, then I agree with you. :)

If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right?

To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind.

Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable.

Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon.

Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable.

Cheers,

-- Shane

At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com> wrote:

...

I have to disagree. These are legitimate purposes for collection, as well as for disclosure.

Greg

On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:

...

I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16 people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting.

Best regards, Lisa

_______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

The question is not "Is ICANN a law enforcement body?'' (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly "yes." ICANN's Bylaws describe ICANN's responsibilities and their scope - especially see Article 1, section 1, of ICANN's Bylaws, entitled "Mission, Commitments and Core Values." (https://www.icann.org/resources/pages/governance/bylaws-en/#article1 ) Among other things, "ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries... functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: ...maintenance of and access to accurate and up-to-date information concerning registered names and name servers". Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including "facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement" and "contributing to user confidence in the Internet", in keeping with law. We're reviewing all this now; just saying that there's a lot of precedent, and proposals for chnage need to address precedent. Currently there is an approach that's important to mention. The contracts say that registrars "shall permit use of data it provides in response to queries for any lawful purposes". [Emphases added; and except for "mass unsolicited, commercial messages" i.e. spamming, and some high-volume queries.) Access is not prohibited or regulated. All use is allowed except when a use is specifically prohibited. The alternative is to enumerate all allowable uses and to regulate access based on each user's intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kimpian Peter Sent: Monday, January 23, 2017 8:53 AM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose Dear All, Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose... My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!) Best regards, Peter 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta: I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-) I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not. cheers Stephanie On 2017-01-22 04:03, Shane Kerr wrote: Greg, If we can say that not all legitimate purposes have to be catered for, then I agree with you. :) If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right? To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind. Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable. Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon. Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable. Cheers, -- Shane At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com><mailto:gregshatanipc@gmail.com> wrote: I have to disagree. These are legitimate purposes for collection, as well as for disclosure. Greg On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly. Apologies if I did not make that point clear enough on the call. Stephanie Perrin On 2017-01-20 17:35, Gomes, Chuck wrote: Please note that our current poll ends in about 24 hours. So far only 16 people have responded. Chuck *From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg- bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org><mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear all, As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation: https://www.surveymonkey.com/r/SZX9QJZ A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw This poll will close at *COB Saturday 21 January 2017*. All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting. Best regards, Lisa _______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<mailto:listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

+1 Best Regards @__f_f__ about.me/farell ________________________________. Mail sent from my mobile phone. Excuse for brievety. Le 24 janv. 2017 11:58, "Volker Greimann" <vgreimann@key-systems.net> a écrit :

Actually, while it can contractually require it, there may be legal barriers to such requirements that would void them in the contracts. If such a contractual requirement were to violate requirements under local law, that contractual requirement becomes unenforceable.

So contrary to your opinion, the answer to the question is clearly "No". ICANN cannot require the collection of data by parties that would violate their legal requirements in doing so.

Best,

Volker

Am 23.01.2017 um 18:45 schrieb Greg Aaron:

The question is not “Is ICANN a law enforcement body?’’ (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly “yes.”

ICANN’s Bylaws describe ICANN’s responsibilities and their scope – especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission, Commitments and Core Values.” (https://www.icann.org/ resources/pages/governance/bylaws-en/#article1 ) Among other things, “ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries… functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: …maintenance of and access to accurate and up-to-date information concerning registered names and name servers”.

Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including “facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement” and “contributing to user confidence in the Internet”, in keeping with law. We’re reviewing all this now; just saying that there’s a lot of precedent, and proposals for chnage need to address precedent.

Currently there is an approach that’s important to mention. The contracts say that registrars “shall permit *use *of data it provides in response to queries *for any lawful purposes*”. [Emphases added; and except for “mass unsolicited, commercial messages” i.e. spamming, and some high-volume queries.) *Access *is not prohibited or regulated. *All use is allowed* except when a use is specifically prohibited.

The alternative is to enumerate all allowable uses and to regulate access based on each user’s intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution.

All best,

--Greg

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Kimpian Peter *Sent:* Monday, January 23, 2017 8:53 AM *To:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose

Dear All,

Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose...

My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!)

Best regards,

Peter

2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta:

I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-)

I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not.

cheers Stephanie

On 2017-01-22 04:03, Shane Kerr wrote:

Greg,

If we can say that not all legitimate purposes have to be catered for,

then I agree with you. :)

If we say that tracking down the registrar of a domain as part of

trademark research is a legitimate purpose, that does not mean that we

have to design the system for this purpose, right?

To try an analogy: We can recognize that using the plastic top of a

garbage can as a sled is legitimate, but we don't insist on designing

lids with sledding in mind.

Full disclosure: My own take on the "legitimate purpose" discussion

with regards to "thin data" is that we need *some* purpose for both

gathering and publishing the information, because otherwise privacy

laws may prohibit companies from gathering or publishing it. Luckily I

think that there are so many such purposes that the need for the

information is indisputable.

Jumping ahead... as I said in a prior call (sorry for missing ones since

then), I would prefer that the information is then allowed for any

purpose, without restriction, because otherwise you have to have not

only tiresome rules about what is allowed but also the Internet Police

to enforce those rules, which seems like a step towards Armageddon.

Given that we're still talking about "thin data", which is basically

just a pointer to a registrar who has *actual* data, my own

recommendation is not to stress too much. This stuff is only very, very

vaguely personally identifiable.

Cheers,

--

Shane

At 2017-01-21 14:51:29 -0500

Greg Shatan <gregshatanipc@gmail.com> <gregshatanipc@gmail.com> wrote:

I have to disagree. These are legitimate purposes for collection, as well

as for disclosure.

Greg

On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin <

stephanie.perrin@mail.utoronto.ca> wrote:

I filled it out, but I am afraid for most of the purposes I could not

agree. We do not *collect *data for many of those purposes. We disclose

it to people for those purposes, but the purpose of collecting those data

elements is not for tax collection, trademark enforcement actions, etc.

This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16

people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg <gnso-rds-pdp-wg>-

bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa

Phifer

*Sent:* Wednesday, January 18, 2017 1:50 PM

*To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org>

*Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on

Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is

now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are

posted on the 18 January meeting page: https://community.icann.org/x/

EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance

deliberation and prepare for next week's meeting.

Best regards,

Lisa

_______________________________________________

gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:www.facebook.com/KeySystemswww.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUPwww.keydrive.lu

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851> Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:www.facebook.com/KeySystemswww.twitter.com/key_systems

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUPwww.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Dear Jim: If legitimate users must identify themselves before looking up a domain name, and are required to state their purpose for making that query, that is a significant collection of data with huge privacy and security implications. It means that registrars and registry operators would collect information about what specific people are searching for, and why. Users who have perfectly legitimate uses are not currently required to give up their identities and use cases – can such a change be justified? As a practical matter, a change would makes people jump through hoops unnecessarily. If we’re talking about thin data, that data is not sensitive or personally identifiable. Thus there’s no reason for people who want to access it to declare their identities and use cases. Currently our RDS system (WHOIS) is a public query/response system. You’re pointing to turning RDS into a credential-driven system. That poses enormous consequences for privacy, security, and cost. A lot of people commented about those things in response to the EWG. See SAC061 or example. There are use cases that argue in favor of anonymous access. For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do they want to violate terms of service or lie about who they are or what they are doing. The setup we currently have -- a query/response system that does not require credentials or permissions -- avoids the above problems, among others. All best, --Greg From: James Galvin [mailto:jgalvin@afilias.info] Sent: Tuesday, January 24, 2017 12:55 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Cc: Greg Aaron <gca@icginc.com> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose I have a comment and a question about Greg’s suggestion/conclusion. First, while I appreciate the documented history and recollection of precedent, we are frequently reminded that we are starting with a clean slate. Thus the fact that “all use is allowed except when a use is specifically prohibited” currently exists in contracts is not binding for us. Second, could you say more about how the rights of legitimate users are infringed by having to identify themselves before getting access to data? In my experience it is ordinary process to identify yourself for access (and sometimes authenticate yourself) unless the circumstances are known to be anonymous or public. This group has to decide if the circumstances justify anonymous or public access, and what that means. Thanks, Jim On 23 Jan 2017, at 12:45, Greg Aaron wrote: The question is not “Is ICANN a law enforcement body?’’ (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly “yes.” ICANN’s Bylaws describe ICANN’s responsibilities and their scope – especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission, Commitments and Core Values.” (https://www.icann.org/resources/pages/governance/bylaws-en/#article1 ) Among other things, “ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries… functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: …maintenance of and access to accurate and up-to-date information concerning registered names and name servers”. Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including “facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement” and “contributing to user confidence in the Internet”, in keeping with law. We’re reviewing all this now; just saying that there’s a lot of precedent, and proposals for chnage need to address precedent. Currently there is an approach that’s important to mention. The contracts say that registrars “shall permit use of data it provides in response to queries for any lawful purposes”. [Emphases added; and except for “mass unsolicited, commercial messages” i.e. spamming, and some high-volume queries.) Access is not prohibited or regulated. All use is allowed except when a use is specifically prohibited. The alternative is to enumerate all allowable uses and to regulate access based on each user’s intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kimpian Peter Sent: Monday, January 23, 2017 8:53 AM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose Dear All, Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose... My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!) Best regards, Peter 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta: I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-) I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not. cheers Stephanie On 2017-01-22 04:03, Shane Kerr wrote: Greg, If we can say that not all legitimate purposes have to be catered for, then I agree with you. :) If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right? To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind. Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable. Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon. Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable. Cheers, -- Shane At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com><mailto:gregshatanipc@gmail.com> wrote: I have to disagree. These are legitimate purposes for collection, as well as for disclosure. Greg On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly. Apologies if I did not make that point clear enough on the call. Stephanie Perrin On 2017-01-20 17:35, Gomes, Chuck wrote: Please note that our current poll ends in about 24 hours. So far only 16 people have responded. Chuck *From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg- bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org><mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear all, As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation: https://www.surveymonkey.com/r/SZX9QJZ A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw This poll will close at *COB Saturday 21 January 2017*. All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting. Best regards, Lisa _______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<mailto:listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

I’m still struggling to understand your answer to my question, “How are the rights of legitimate users infringed by requiring them to authenticate in order to get access to data?” Scott has reframed my question by observing that one consideration for this group is that there may be data that is available anonymously and data that requires authentication of the requestor. Either that consideration implicitly infers that rights are not infringed or we still have a question to answer. Taking a step back, it’s probably too soon to focus too much on this issue. We’re really talking about data collection at this time so the parameters of display or access are relevant but don’t need to be solved just yet. I agree there are a number of interesting if not important use cases. The question I am pressing is why these use cases justify collection of the data? If we can’t clearly answer this question then I will continue to object to collecting the data for the purpose being discussed. I’m wondering if you’re asserting that legacy uses establish legitimate usage and since that has been anonymous to date it is an infringement of a “right” to take that away. Jim On 24 Jan 2017, at 14:05, Greg Aaron wrote:

I made a typo below. It should read: “For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do not want to violate terms of service or lie about who they are or what they are doing.” --Greg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron Sent: Tuesday, January 24, 2017 1:53 PM To: James Galvin <jgalvin@afilias.info>; RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear Jim:

If legitimate users must identify themselves before looking up a domain name, and are required to state their purpose for making that query, that is a significant collection of data with huge privacy and security implications. It means that registrars and registry operators would collect information about what specific people are searching for, and why. Users who have perfectly legitimate uses are not currently required to give up their identities and use cases – can such a change be justified?

As a practical matter, a change would makes people jump through hoops unnecessarily. If we’re talking about thin data, that data is not sensitive or personally identifiable. Thus there’s no reason for people who want to access it to declare their identities and use cases.

Currently our RDS system (WHOIS) is a public query/response system. You’re pointing to turning RDS into a credential-driven system. That poses enormous consequences for privacy, security, and cost. A lot of people commented about those things in response to the EWG. See SAC061 or example.

There are use cases that argue in favor of anonymous access. For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do they want to violate terms of service or lie about who they are or what they are doing.

The setup we currently have -- a query/response system that does not require credentials or permissions -- avoids the above problems, among others.

All best, --Greg

From: James Galvin [mailto:jgalvin@afilias.info] Sent: Tuesday, January 24, 2017 12:55 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Cc: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

I have a comment and a question about Greg’s suggestion/conclusion.

First, while I appreciate the documented history and recollection of precedent, we are frequently reminded that we are starting with a clean slate. Thus the fact that “all use is allowed except when a use is specifically prohibited” currently exists in contracts is not binding for us.

Second, could you say more about how the rights of legitimate users are infringed by having to identify themselves before getting access to data? In my experience it is ordinary process to identify yourself for access (and sometimes authenticate yourself) unless the circumstances are known to be anonymous or public. This group has to decide if the circumstances justify anonymous or public access, and what that means.

Thanks,

Jim

On 23 Jan 2017, at 12:45, Greg Aaron wrote:

The question is not “Is ICANN a law enforcement body?’’ (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly “yes.”

ICANN’s Bylaws describe ICANN’s responsibilities and their scope – especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission, Commitments and Core Values.” (https://www.icann.org/resources/pages/governance/bylaws-en/#article1 ) Among other things, “ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries… functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: …maintenance of and access to accurate and up-to-date information concerning registered names and name servers”.

Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including “facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement” and “contributing to user confidence in the Internet”, in keeping with law. We’re reviewing all this now; just saying that there’s a lot of precedent, and proposals for chnage need to address precedent.

Currently there is an approach that’s important to mention. The contracts say that registrars “shall permit use of data it provides in response to queries for any lawful purposes”. [Emphases added; and except for “mass unsolicited, commercial messages” i.e. spamming, and some high-volume queries.) Access is not prohibited or regulated. All use is allowed except when a use is specifically prohibited.

The alternative is to enumerate all allowable uses and to regulate access based on each user’s intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution.

All best,

--Greg

From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kimpian Peter Sent: Monday, January 23, 2017 8:53 AM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose

Dear All,

Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose...

My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!)

Best regards,

Peter

2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta:

I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-)

I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not.

cheers Stephanie

On 2017-01-22 04:03, Shane Kerr wrote:

Greg,

If we can say that not all legitimate purposes have to be catered for,

then I agree with you. :)

If we say that tracking down the registrar of a domain as part of

trademark research is a legitimate purpose, that does not mean that we

have to design the system for this purpose, right?

To try an analogy: We can recognize that using the plastic top of a

garbage can as a sled is legitimate, but we don't insist on designing

lids with sledding in mind.

Full disclosure: My own take on the "legitimate purpose" discussion

with regards to "thin data" is that we need *some* purpose for both

gathering and publishing the information, because otherwise privacy

laws may prohibit companies from gathering or publishing it. Luckily I

think that there are so many such purposes that the need for the

information is indisputable.

Jumping ahead... as I said in a prior call (sorry for missing ones since

then), I would prefer that the information is then allowed for any

purpose, without restriction, because otherwise you have to have not

only tiresome rules about what is allowed but also the Internet Police

to enforce those rules, which seems like a step towards Armageddon.

Given that we're still talking about "thin data", which is basically

just a pointer to a registrar who has *actual* data, my own

recommendation is not to stress too much. This stuff is only very, very

vaguely personally identifiable.

Cheers,

--

Shane

At 2017-01-21 14:51:29 -0500

Greg Shatan <gregshatanipc@gmail.com><mailto:gregshatanipc@gmail.com> wrote:

I have to disagree. These are legitimate purposes for collection, as well

as for disclosure.

Greg

On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin <

stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote:

I filled it out, but I am afraid for most of the purposes I could not

agree. We do not *collect *data for many of those purposes. We disclose

it to people for those purposes, but the purpose of collecting those data

elements is not for tax collection, trademark enforcement actions, etc.

This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16

people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-

bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org><mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa

Phifer

*Sent:* Wednesday, January 18, 2017 1:50 PM

*To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org>

*Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on

Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is

now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are

posted on the 18 January meeting page: https://community.icann.org/x/

EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance

deliberation and prepare for next week's meeting.

Best regards,

Lisa

_______________________________________________

gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<mailto:listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

i am sorry to have missed the call yesterday and have not had time to listen yet, but if I may comment on a couple of items: 1. Part of the confusion about personal information is the difference in definition. The US has recently (ok, for the last 20 years which is recent in my terms) focused on the notion of "personally identifiable information" which is usually taken to mean that the identification of the individual has to be present in the data set, could be by an identifier such as SSN but the identifier has to be there. Others consider/have legislated that any information "about an individual" (older definition) is personal. That includes information generated, such as account history. This approach inherently recognizes the difficulty in saying any data which originated in association with an individual could be called anonymous or non-personal... even if the data does not appear to be personal data (timestamps, health data without name, etc) is still personal if it is generated in association with an individual. 2. Information "generated" is generally considered as collected, unless as Peter Kimpian has pointed out, you use the term "processed" as the EU does, that gets around these details. (I used to dislike the concept of "data processer" but I am beginning to appreciate its simplicity....) 3. As James points out below, subsequent uses of information should not be used to justify collection in the first place. The primary question asked of Data controllers, and ICANN is in my view very clearly the data controller here, since it sets the rule, is what is the purpose of your operation? what is the limited and specific data set required to perform that set of operations? That defines the purpose of collection, not the manifold opportunities other stakeholders may see in your data set, or the many legitimate reasons to ask to see it once collected. Part of our problem here in my view, inherently, is the multistakeholder nature of the negotiations. If the government, for instance, (assuming a govt that provides healthcare as most western nations do) were to convene a meeting of all stakeholders, and said right, what are all the use cases for the health data about individuals, there would be a million use cases put forward by anyone with a product to sell or protect, or a risk to mitigate, or an expense to manage. The point is the purpose of gathering health data is to best manage the health care of the individual, and failure to stick to that narrow, limited and specific purpose opens up a Pandora's box. In consultations one might hear from all the stakeholders, but designing a system without due rigour for the primary policy goal is fraught with peril and basically violates data protection law. ICANN has basically done this over the years, by failing to be specific about the purpose of this collection, although I would note that the decision to stick to the narrow, technical purpose back in Task Force 2 was sensible. I have a feeling if we don't agree to do that soon we will be going in circles. And I apologize in advance, it will be my duty to keep raising objections (thus forcing circling) because from a data protection perspective it is just not acceptable to broaden the purpose of collection to the point where any data element will be deemed desirable and acceptable to collect for secondary purposes. Stephanie On 2017-01-24 19:57, Gomes, Chuck wrote:

Regarding our focus on collection and also on uses versus purposes, I would like to share some thoughts that I shared privately with a WG member a few days ago.

When I say ‘collection of data’, I mean collection for use in the RDS regardless of how it might be displayed or accessed. In our leadership call yesterday, Michele pointed out that thin data is generated, not collected. From the point of view of registries and registrars, I believe that is correct. But as others have pointed out, our task is not to decide what registries and registrars collect but rather what would be collected for the RDS. Of course, if we develop policies that require that a thin data element is needed in the RDS, it would need to be collected from registries and/or registrars, and it would then follow that registries and/or registrars would have to generate it.

With that explanation of my use of the word ‘collect’, let me also make a few other points:

·We initially narrowed our focus on ‘collection only’ to keep our focus on a more manageable scope; right or wrong, we decided that focusing on collection and display and access all at once would make our task more difficult.

·One problem with focusing on ‘collection only’ is that it causes us to reach conclusions that may later be changed and I am suspecting that that is part of the problem. For example, when we conclude that we have reached rough consensus that research is a legitimate purpose for collecting thin data, that conclusion could later change when we talk about display of certain thin data elements or access to some thin data elements. It might be better if we called our conclusions ‘interim conclusions’ because they may change after deeper deliberation.

To take this one step further, in our further deliberations on data elements beyond collection we could find that there are no legitimate uses for particular data elements. In such cases I think that we would then delete any interim purposes for which we reached rough consensus for collection of them. In other words, if there is no legitimate use for the data, whether public or gated access, it seems to me that there would be no need to collect it.

Does any of this make sense?

Chuck

*From:*gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *James Galvin *Sent:* Tuesday, January 24, 2017 4:20 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

I’m still struggling to understand your answer to my question, “How are the rights of legitimate users infringed by requiring them to authenticate in order to get access to data?”

Scott has reframed my question by observing that one consideration for this group is that there may be data that is available anonymously and data that requires authentication of the requestor. Either that consideration implicitly infers that rights are not infringed or we still have a question to answer.

Taking a step back, it’s probably too soon to focus too much on this issue. We’re really talking about data collection at this time so the parameters of display or access are relevant but don’t need to be solved just yet.

I agree there are a number of interesting if not important use cases. The question I am pressing is why these use cases justify collection of the data? If we can’t clearly answer this question then I will continue to object to collecting the data for the purpose being discussed.

I’m wondering if you’re asserting that legacy uses establish legitimate usage and since that has been anonymous to date it is an infringement of a “right” to take that away.

Jim

On 24 Jan 2017, at 14:05, Greg Aaron wrote:

I made a typo below. It should read: “For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do not want to violate terms of service or lie about who they are or what they are doing.”

--Greg

*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>[mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Greg Aaron *Sent:* Tuesday, January 24, 2017 1:53 PM *To:* James Galvin <jgalvin@afilias.info <mailto:jgalvin@afilias.info>>; RDS PDP WG <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> *Subject:* Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear Jim:

If legitimate users must identify themselves before looking up a domain name, and are required to state their purpose for making that query, that is a significant collection of data with huge privacy and security implications. It means that registrars and registry operators would collect information about what specific people are searching for, and why. Users who have perfectly legitimate uses are not currently required to give up their identities and use cases – can such a change be justified?

As a practical matter, a change would makes people jump through hoops unnecessarily. If we’re talking about thin data, that data is not sensitive or personally identifiable. Thus there’s no reason for people who want to access it to declare their identities and use cases.

Currently our RDS system (WHOIS) is a public query/response system. You’re pointing to turning RDS into a credential-driven system. That poses enormous consequences for privacy, security, and cost. A lot of people commented about those things in response to the EWG. See SAC061 or example.

There are use cases that argue in favor of anonymous access. For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do they want to violate terms of service or lie about who they are or what they are doing.

The setup we currently have -- a query/response system that does not require credentials or permissions -- avoids the above problems, among others.

All best,

--Greg

*From:*James Galvin [mailto:jgalvin@afilias.info] *Sent:* Tuesday, January 24, 2017 12:55 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> *Cc:* Greg Aaron <gca@icginc.com <mailto:gca@icginc.com>> *Subject:* Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

I have a comment and a question about Greg’s suggestion/conclusion.

First, while I appreciate the documented history and recollection of precedent, we are frequently reminded that we are starting with a clean slate. Thus the fact that “all use is allowed except when a use is specifically prohibited” currently exists in contracts is not binding for us.

Second, could you say more about how the rights of legitimate users are infringed by having to identify themselves before getting access to data? In my experience it is ordinary process to identify yourself for access (and sometimes authenticate yourself) unless the circumstances are known to be anonymous or public. This group has to decide if the circumstances justify anonymous or public access, and what that means.

Thanks,

Jim

On 23 Jan 2017, at 12:45, Greg Aaron wrote:

The question is not “Is ICANN a law enforcement body?’’ (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly “yes.”

ICANN’s Bylaws describe ICANN’s responsibilities and their scope – especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission, Commitments and Core Values.” (https://www.icann.org/resources/pages/governance/bylaws-en/#article1)Among other things, “ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries… functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: …maintenance of and access to accurate and up-to-date information concerning registered names and name servers”.

Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including “facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement” and “contributing to user confidence in the Internet”, in keeping with law. We’re reviewing all this now; just saying that there’s a lot of precedent, and proposals for chnage need to address precedent.

Currently there is an approach that’s important to mention. The contracts say that registrars “shall permit /use /of data it provides in response to queries /for any lawful purposes/”. [Emphases added; and except for “mass unsolicited, commercial messages” i.e. spamming, and some high-volume queries.) /Access /is not prohibited or regulated. /All use is allowed/ except when a use is specifically prohibited.

The alternative is to enumerate all allowable uses and to regulate access based on each user’s intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution.

All best,

--Greg

*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>[mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Kimpian Peter *Sent:* Monday, January 23, 2017 8:53 AM *To:* Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>>; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose

Dear All,

Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose...

My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!)

Best regards,

Peter

2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta:

I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-)

I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not.

cheers Stephanie

On 2017-01-22 04:03, Shane Kerr wrote:

Greg,

If we can say that not all legitimate purposes have to be catered for,

then I agree with you. :)

If we say that tracking down the registrar of a domain as part of

trademark research is a legitimate purpose, that does not mean that we

have to design the system for this purpose, right?

To try an analogy: We can recognize that using the plastic top of a

garbage can as a sled is legitimate, but we don't insist on designing

lids with sledding in mind.

Full disclosure: My own take on the "legitimate purpose" discussion

with regards to "thin data" is that we need *some* purpose for both

gathering and publishing the information, because otherwise privacy

laws may prohibit companies from gathering or publishing it. Luckily I

think that there are so many such purposes that the need for the

information is indisputable.

Jumping ahead... as I said in a prior call (sorry for missing ones since

then), I would prefer that the information is then allowed for any

purpose, without restriction, because otherwise you have to have not

only tiresome rules about what is allowed but also the Internet Police

to enforce those rules, which seems like a step towards Armageddon.

Given that we're still talking about "thin data", which is basically

just a pointer to a registrar who has *actual* data, my own

recommendation is not to stress too much. This stuff is only very, very

vaguely personally identifiable.

Cheers,

--

Shane

At 2017-01-21 14:51:29 -0500

Greg Shatan <gregshatanipc@gmail.com> <mailto:gregshatanipc@gmail.com>wrote:

I have to disagree. These are legitimate purposes for collection, as well

as for disclosure.

Greg

On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin <

stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:

I filled it out, but I am afraid for most of the purposes I could not

agree. We do not *collect *data for many of those purposes. We disclose

it to people for those purposes, but the purpose of collecting those data

elements is not for tax collection, trademark enforcement actions, etc.

This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16

people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>[mailto:gnso-rds-pdp-wg-

bounces@icann.org <mailto:bounces@icann.org><gnso-rds-pdp-wg-bounces@icann.org> <mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa

Phifer

*Sent:* Wednesday, January 18, 2017 1:50 PM

*To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org><gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org>

*Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on

Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is

now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are

posted on the 18 January meeting page: https://community.icann.org/x/

EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance

deliberation and prepare for next week's meeting.

Best regards,

Lisa

_______________________________________________

gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <mailto:listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

I don't know if it will be helpful to anyone else, but I found it helpful to me to go back review why we are talking about purpose. ******** Charter question 1 is titled Users/Purposes and says: "Who should have access to gTLD registration data and why?" To answer the 'why' part of the question leads us to a discussion of purpose, albeit purpose for access, not for collection. I would argue though that if we agree on a purpose for access, then the data will have to be collected. ******** The sub-questions under question 1 came directly from the Issues Report (see pages 39-41 & 70) and were included in the Mind Map of our work. Note what they say (bolding done by me): o Should gTLD registration data be accessible for any purpose or only for specific purposes? o For what specific purposes should gTLD registration data be collected, maintained, and made accessible? o What should the over-arching purpose be of collecting, maintaining, and providing access to gTLD registration data? o What are the guiding principles that should be used to determine permissible users and purposes, today and in the future? Our charter clearly directs us to discuss purpose and it clearly talks about collection. Should we have talked about access first? Maybe. But we will get there fairly soon. Should we talk about purposes for access instead of purpose of the RDS? Probably. Chuck From: James Galvin [mailto:jgalvin@afilias.info] Sent: Wednesday, January 25, 2017 8:52 AM To: Gomes, Chuck <cgomes@verisign.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Chuck, While what you say is reasonable it also shows that you, as well as myself and the rest of us, are stuck blurring the lines between collection, storage, and display. I want to try a different approach. You start off saying "collection for use in the RDS". Then you say "collected for the RDS". Then you say "needed in the RDS". Just to confuse things I'm going to assert that all those phrases are wrong. The RDS is not the purpose here. It is a solution for the purpose. It is a system, a principle, or a concept. The details of its implementation are going to be interesting for a number of reasons but let's stick to the high-level for a moment. The purpose of the RDS is to support the management or control of the lifecycle of a domain name. For me, this is self-evident and really should not be subject to much discussion. If you disagree with this then we are creating a more typical cash-based retail system such as might exist for selling chewing gum, e.g., no registries and no registrars. We know this won't work because there are certain properties we need from our domain names, not the least of which is global uniqueness. Thus, there needs to exist an RDS that we can all share so we can all do our part to preserve an appropriate set of properties of domain names. I believe the question we are considering is if there are any other purposes of the RDS for which ICANN (either the whole or a subset of the royal ICANN including the corporation, contracted parties, interested parties, and random Internet users) is a required participant and thus use of the RDS should be required for those purposes and thus there are requirements on the data that should be present in the RDS. The questions of access and collection are an entirely different discussion. While I agree that most of the "purposes of thin data" suggested on the call yesterday are reasonable and sensible, perhaps even important, I am not yet convinced they rise to the level of requiring ICANN (the royal ICANN) to be an active participant and thus are not an appropriate purpose of the RDS. This is not about collection, storage, or display, or its about all of them. Why is ICANN and the RDS essential to the suggested purposes? The fact that data collected on behalf of managing the lifecycle of a domain name just happens, coincidentally, to be useful for other purposes, is just a happy circumstance. We can separately have discussions about how the data that is being collected could be used by others. I'm troubled by the fact that it is driving the current discussion. Jim On 24 Jan 2017, at 19:57, Gomes, Chuck wrote: Regarding our focus on collection and also on uses versus purposes, I would like to share some thoughts that I shared privately with a WG member a few days ago. When I say 'collection of data', I mean collection for use in the RDS regardless of how it might be displayed or accessed. In our leadership call yesterday, Michele pointed out that thin data is generated, not collected. From the point of view of registries and registrars, I believe that is correct. But as others have pointed out, our task is not to decide what registries and registrars collect but rather what would be collected for the RDS. Of course, if we develop policies that require that a thin data element is needed in the RDS, it would need to be collected from registries and/or registrars, and it would then follow that registries and/or registrars would have to generate it. With that explanation of my use of the word 'collect', let me also make a few other points: * We initially narrowed our focus on 'collection only' to keep our focus on a more manageable scope; right or wrong, we decided that focusing on collection and display and access all at once would make our task more difficult. * One problem with focusing on 'collection only' is that it causes us to reach conclusions that may later be changed and I am suspecting that that is part of the problem. For example, when we conclude that we have reached rough consensus that research is a legitimate purpose for collecting thin data, that conclusion could later change when we talk about display of certain thin data elements or access to some thin data elements. It might be better if we called our conclusions 'interim conclusions' because they may change after deeper deliberation. To take this one step further, in our further deliberations on data elements beyond collection we could find that there are no legitimate uses for particular data elements. In such cases I think that we would then delete any interim purposes for which we reached rough consensus for collection of them. In other words, if there is no legitimate use for the data, whether public or gated access, it seems to me that there would be no need to collect it. Does any of this make sense? Chuck From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of James Galvin Sent: Tuesday, January 24, 2017 4:20 PM To: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose I'm still struggling to understand your answer to my question, "How are the rights of legitimate users infringed by requiring them to authenticate in order to get access to data?" Scott has reframed my question by observing that one consideration for this group is that there may be data that is available anonymously and data that requires authentication of the requestor. Either that consideration implicitly infers that rights are not infringed or we still have a question to answer. Taking a step back, it's probably too soon to focus too much on this issue. We're really talking about data collection at this time so the parameters of display or access are relevant but don't need to be solved just yet. I agree there are a number of interesting if not important use cases. The question I am pressing is why these use cases justify collection of the data? If we can't clearly answer this question then I will continue to object to collecting the data for the purpose being discussed. I'm wondering if you're asserting that legacy uses establish legitimate usage and since that has been anonymous to date it is an infringement of a "right" to take that away. Jim On 24 Jan 2017, at 14:05, Greg Aaron wrote: I made a typo below. It should read: "For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do not want to violate terms of service or lie about who they are or what they are doing." --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron Sent: Tuesday, January 24, 2017 1:53 PM To: James Galvin <jgalvin@afilias.info<mailto:jgalvin@afilias.info>>; RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear Jim: If legitimate users must identify themselves before looking up a domain name, and are required to state their purpose for making that query, that is a significant collection of data with huge privacy and security implications. It means that registrars and registry operators would collect information about what specific people are searching for, and why. Users who have perfectly legitimate uses are not currently required to give up their identities and use cases - can such a change be justified? As a practical matter, a change would makes people jump through hoops unnecessarily. If we're talking about thin data, that data is not sensitive or personally identifiable. Thus there's no reason for people who want to access it to declare their identities and use cases. Currently our RDS system (WHOIS) is a public query/response system. You're pointing to turning RDS into a credential-driven system. That poses enormous consequences for privacy, security, and cost. A lot of people commented about those things in response to the EWG. See SAC061 or example. There are use cases that argue in favor of anonymous access. For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do they want to violate terms of service or lie about who they are or what they are doing. The setup we currently have -- a query/response system that does not require credentials or permissions -- avoids the above problems, among others. All best, --Greg From: James Galvin [mailto:jgalvin@afilias.info] Sent: Tuesday, January 24, 2017 12:55 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Cc: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose I have a comment and a question about Greg's suggestion/conclusion. First, while I appreciate the documented history and recollection of precedent, we are frequently reminded that we are starting with a clean slate. Thus the fact that "all use is allowed except when a use is specifically prohibited" currently exists in contracts is not binding for us. Second, could you say more about how the rights of legitimate users are infringed by having to identify themselves before getting access to data? In my experience it is ordinary process to identify yourself for access (and sometimes authenticate yourself) unless the circumstances are known to be anonymous or public. This group has to decide if the circumstances justify anonymous or public access, and what that means. Thanks, Jim On 23 Jan 2017, at 12:45, Greg Aaron wrote: The question is not "Is ICANN a law enforcement body?'' (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly "yes." ICANN's Bylaws describe ICANN's responsibilities and their scope - especially see Article 1, section 1, of ICANN's Bylaws, entitled "Mission, Commitments and Core Values." (https://www.icann.org/resources/pages/governance/bylaws-en/#article1 ) Among other things, "ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries... functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: ...maintenance of and access to accurate and up-to-date information concerning registered names and name servers". Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including "facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement" and "contributing to user confidence in the Internet", in keeping with law. We're reviewing all this now; just saying that there's a lot of precedent, and proposals for chnage need to address precedent. Currently there is an approach that's important to mention. The contracts say that registrars "shall permit use of data it provides in response to queries for any lawful purposes". [Emphases added; and except for "mass unsolicited, commercial messages" i.e. spamming, and some high-volume queries.) Access is not prohibited or regulated. All use is allowed except when a use is specifically prohibited. The alternative is to enumerate all allowable uses and to regulate access based on each user's intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kimpian Peter Sent: Monday, January 23, 2017 8:53 AM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose Dear All, Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose... My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!) Best regards, Peter 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta: I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-) I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not. cheers Stephanie On 2017-01-22 04:03, Shane Kerr wrote: Greg, If we can say that not all legitimate purposes have to be catered for, then I agree with you. :) If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right? To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind. Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable. Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon. Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable. Cheers, -- Shane At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com><mailto:gregshatanipc@gmail.com> wrote: I have to disagree. These are legitimate purposes for collection, as well as for disclosure. Greg On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly. Apologies if I did not make that point clear enough on the call. Stephanie Perrin On 2017-01-20 17:35, Gomes, Chuck wrote: Please note that our current poll ends in about 24 hours. So far only 16 people have responded. Chuck *From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg- bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org><mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear all, As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation: https://www.surveymonkey.com/r/SZX9QJZ A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw This poll will close at *COB Saturday 21 January 2017*. All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting. Best regards, Lisa _______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<mailto:listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

The situations Greg and Jim describe below are precisely why I think we need to consider that there are some uses for which no client authentication is required and some for which it should be required – and that there should be a corresponding type and amount of information returned in response to a query based on what the user/client is willing to share. We already have “a query/response system that does not require credentials or permissions” in WHOIS. If WHOIS met our needs we wouldn’t be having this conversation. Scott From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron Sent: Tuesday, January 24, 2017 1:53 PM To: James Galvin; RDS PDP WG Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear Jim: If legitimate users must identify themselves before looking up a domain name, and are required to state their purpose for making that query, that is a significant collection of data with huge privacy and security implications. It means that registrars and registry operators would collect information about what specific people are searching for, and why. Users who have perfectly legitimate uses are not currently required to give up their identities and use cases – can such a change be justified? As a practical matter, a change would makes people jump through hoops unnecessarily. If we’re talking about thin data, that data is not sensitive or personally identifiable. Thus there’s no reason for people who want to access it to declare their identities and use cases. Currently our RDS system (WHOIS) is a public query/response system. You’re pointing to turning RDS into a credential-driven system. That poses enormous consequences for privacy, security, and cost. A lot of people commented about those things in response to the EWG. See SAC061 or example. There are use cases that argue in favor of anonymous access. For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do they want to violate terms of service or lie about who they are or what they are doing. The setup we currently have -- a query/response system that does not require credentials or permissions -- avoids the above problems, among others. All best, --Greg From: James Galvin [mailto:jgalvin@afilias.info] Sent: Tuesday, January 24, 2017 12:55 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Cc: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose I have a comment and a question about Greg’s suggestion/conclusion. First, while I appreciate the documented history and recollection of precedent, we are frequently reminded that we are starting with a clean slate. Thus the fact that “all use is allowed except when a use is specifically prohibited” currently exists in contracts is not binding for us. Second, could you say more about how the rights of legitimate users are infringed by having to identify themselves before getting access to data? In my experience it is ordinary process to identify yourself for access (and sometimes authenticate yourself) unless the circumstances are known to be anonymous or public. This group has to decide if the circumstances justify anonymous or public access, and what that means. Thanks, Jim On 23 Jan 2017, at 12:45, Greg Aaron wrote: The question is not “Is ICANN a law enforcement body?’’ (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly “yes.” ICANN’s Bylaws describe ICANN’s responsibilities and their scope – especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission, Commitments and Core Values.” (https://www.icann.org/resources/pages/governance/bylaws-en/#article1 ) Among other things, “ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries… functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: …maintenance of and access to accurate and up-to-date information concerning registered names and name servers”. Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including “facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement” and “contributing to user confidence in the Internet”, in keeping with law. We’re reviewing all this now; just saying that there’s a lot of precedent, and proposals for chnage need to address precedent. Currently there is an approach that’s important to mention. The contracts say that registrars “shall permit use of data it provides in response to queries for any lawful purposes”. [Emphases added; and except for “mass unsolicited, commercial messages” i.e. spamming, and some high-volume queries.) Access is not prohibited or regulated. All use is allowed except when a use is specifically prohibited. The alternative is to enumerate all allowable uses and to regulate access based on each user’s intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kimpian Peter Sent: Monday, January 23, 2017 8:53 AM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose Dear All, Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose... My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!) Best regards, Peter 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta: I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-) I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not. cheers Stephanie On 2017-01-22 04:03, Shane Kerr wrote: Greg, If we can say that not all legitimate purposes have to be catered for, then I agree with you. :) If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right? To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind. Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable. Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon. Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable. Cheers, -- Shane At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com><mailto:gregshatanipc@gmail.com> wrote: I have to disagree. These are legitimate purposes for collection, as well as for disclosure. Greg On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly. Apologies if I did not make that point clear enough on the call. Stephanie Perrin On 2017-01-20 17:35, Gomes, Chuck wrote: Please note that our current poll ends in about 24 hours. So far only 16 people have responded. Chuck *From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg- bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org><mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear all, As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation: https://www.surveymonkey.com/r/SZX9QJZ A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw This poll will close at *COB Saturday 21 January 2017*. All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting. Best regards, Lisa _______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<mailto:listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Chuck, there is certainly a place for open, public access to *some* of the data, but I firmly do not believe that all data should be freely available to everyone for any purpose. In the RDAP implementation that my team has deployed we provide full access to unauthenticated clients for what we’re calling “thin” data. Our implementation (which I am fully planning to update based on this group’s work and recommendations) requires identification and authentication for access to additional information. Reasonable people (that’s all of us, right? ;)) should be able to figure out which use cases warrant access to which data for which purposes. Scott From: Gomes, Chuck Sent: Tuesday, January 24, 2017 2:34 PM To: Hollenbeck, Scott; gca@icginc.com; jgalvin@afilias.info; gnso-rds-pdp-wg@icann.org Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Scott, Am I correct in concluding that such situations could be addressed by public access? Chuck From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott Sent: Tuesday, January 24, 2017 2:25 PM To: gca@icginc.com<mailto:gca@icginc.com>; jgalvin@afilias.info<mailto:jgalvin@afilias.info>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose The situations Greg and Jim describe below are precisely why I think we need to consider that there are some uses for which no client authentication is required and some for which it should be required – and that there should be a corresponding type and amount of information returned in response to a query based on what the user/client is willing to share. We already have “a query/response system that does not require credentials or permissions” in WHOIS. If WHOIS met our needs we wouldn’t be having this conversation. Scott From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron Sent: Tuesday, January 24, 2017 1:53 PM To: James Galvin; RDS PDP WG Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear Jim: If legitimate users must identify themselves before looking up a domain name, and are required to state their purpose for making that query, that is a significant collection of data with huge privacy and security implications. It means that registrars and registry operators would collect information about what specific people are searching for, and why. Users who have perfectly legitimate uses are not currently required to give up their identities and use cases – can such a change be justified? As a practical matter, a change would makes people jump through hoops unnecessarily. If we’re talking about thin data, that data is not sensitive or personally identifiable. Thus there’s no reason for people who want to access it to declare their identities and use cases. Currently our RDS system (WHOIS) is a public query/response system. You’re pointing to turning RDS into a credential-driven system. That poses enormous consequences for privacy, security, and cost. A lot of people commented about those things in response to the EWG. See SAC061 or example. There are use cases that argue in favor of anonymous access. For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do they want to violate terms of service or lie about who they are or what they are doing. The setup we currently have -- a query/response system that does not require credentials or permissions -- avoids the above problems, among others. All best, --Greg From: James Galvin [mailto:jgalvin@afilias.info] Sent: Tuesday, January 24, 2017 12:55 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Cc: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose I have a comment and a question about Greg’s suggestion/conclusion. First, while I appreciate the documented history and recollection of precedent, we are frequently reminded that we are starting with a clean slate. Thus the fact that “all use is allowed except when a use is specifically prohibited” currently exists in contracts is not binding for us. Second, could you say more about how the rights of legitimate users are infringed by having to identify themselves before getting access to data? In my experience it is ordinary process to identify yourself for access (and sometimes authenticate yourself) unless the circumstances are known to be anonymous or public. This group has to decide if the circumstances justify anonymous or public access, and what that means. Thanks, Jim On 23 Jan 2017, at 12:45, Greg Aaron wrote: The question is not “Is ICANN a law enforcement body?’’ (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly “yes.” ICANN’s Bylaws describe ICANN’s responsibilities and their scope – especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission, Commitments and Core Values.” (https://www.icann.org/resources/pages/governance/bylaws-en/#article1 ) Among other things, “ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries… functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: …maintenance of and access to accurate and up-to-date information concerning registered names and name servers”. Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including “facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement” and “contributing to user confidence in the Internet”, in keeping with law. We’re reviewing all this now; just saying that there’s a lot of precedent, and proposals for chnage need to address precedent. Currently there is an approach that’s important to mention. The contracts say that registrars “shall permit use of data it provides in response to queries for any lawful purposes”. [Emphases added; and except for “mass unsolicited, commercial messages” i.e. spamming, and some high-volume queries.) Access is not prohibited or regulated. All use is allowed except when a use is specifically prohibited. The alternative is to enumerate all allowable uses and to regulate access based on each user’s intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kimpian Peter Sent: Monday, January 23, 2017 8:53 AM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose Dear All, Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose... My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!) Best regards, Peter 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta: I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-) I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not. cheers Stephanie On 2017-01-22 04:03, Shane Kerr wrote: Greg, If we can say that not all legitimate purposes have to be catered for, then I agree with you. :) If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right? To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind. Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable. Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon. Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable. Cheers, -- Shane At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com><mailto:gregshatanipc@gmail.com> wrote: I have to disagree. These are legitimate purposes for collection, as well as for disclosure. Greg On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly. Apologies if I did not make that point clear enough on the call. Stephanie Perrin On 2017-01-20 17:35, Gomes, Chuck wrote: Please note that our current poll ends in about 24 hours. So far only 16 people have responded. Chuck *From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg- bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org><mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear all, As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation: https://www.surveymonkey.com/r/SZX9QJZ A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw This poll will close at *COB Saturday 21 January 2017*. All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting. Best regards, Lisa _______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<mailto:listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Greg, I'm not confusing protocol and policy at all. I mentioned RDAP because it can be used to demonstrate implementations of policy - and the policy I mentioned is just one example. We do indeed need to first consider policy development, and I'm stating that I disagree with the premise that a policy of completely open access is desirable. Scott On Jan 24, 2017, at 3:02 PM, Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> wrote: RDAP is a protocol – a delivery mechanism that has some versatile technical capabilities. But it does not answer any policy questions. RDAP may allow us to implement certain policies, but the existence of the capability does not mean it’s the right thing to deploy. In the thread below, one of the questions is: who decides which users are allowed to see what data? Please, let’s answer those types of questions first, before talking about what RDAP can do. In other words, policy first and technical solutions second, as per our work plan. Scott said that “If WHOIS met our needs we wouldn’t be having this conversation.” Well,WHOIS is inadequate for a number reasons – for example its lack of capabilities for handling IDNs. But that’s more of a technical problem, not a policy problem. ICANN has not yet decided whether gated access etc. has a place in the gTLD world. From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com] Sent: Tuesday, January 24, 2017 2:42 PM To: Gomes, Chuck <cgomes@verisign.com<mailto:cgomes@verisign.com>>; Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>>; jgalvin@afilias.info<mailto:jgalvin@afilias.info>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Chuck, there is certainly a place for open, public access to *some* of the data, but I firmly do not believe that all data should be freely available to everyone for any purpose. In the RDAP implementation that my team has deployed we provide full access to unauthenticated clients for what we’re calling “thin” data. Our implementation (which I am fully planning to update based on this group’s work and recommendations) requires identification and authentication for access to additional information. Reasonable people (that’s all of us, right? ;)) should be able to figure out which use cases warrant access to which data for which purposes. Scott From: Gomes, Chuck Sent: Tuesday, January 24, 2017 2:34 PM To: Hollenbeck, Scott; gca@icginc.com<mailto:gca@icginc.com>; jgalvin@afilias.info<mailto:jgalvin@afilias.info>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Scott, Am I correct in concluding that such situations could be addressed by public access? Chuck From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott Sent: Tuesday, January 24, 2017 2:25 PM To: gca@icginc.com<mailto:gca@icginc.com>; jgalvin@afilias.info<mailto:jgalvin@afilias.info>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose The situations Greg and Jim describe below are precisely why I think we need to consider that there are some uses for which no client authentication is required and some for which it should be required – and that there should be a corresponding type and amount of information returned in response to a query based on what the user/client is willing to share. We already have “a query/response system that does not require credentials or permissions” in WHOIS. If WHOIS met our needs we wouldn’t be having this conversation. Scott From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron Sent: Tuesday, January 24, 2017 1:53 PM To: James Galvin; RDS PDP WG Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear Jim: If legitimate users must identify themselves before looking up a domain name, and are required to state their purpose for making that query, that is a significant collection of data with huge privacy and security implications. It means that registrars and registry operators would collect information about what specific people are searching for, and why. Users who have perfectly legitimate uses are not currently required to give up their identities and use cases – can such a change be justified? As a practical matter, a change would makes people jump through hoops unnecessarily. If we’re talking about thin data, that data is not sensitive or personally identifiable. Thus there’s no reason for people who want to access it to declare their identities and use cases. Currently our RDS system (WHOIS) is a public query/response system. You’re pointing to turning RDS into a credential-driven system. That poses enormous consequences for privacy, security, and cost. A lot of people commented about those things in response to the EWG. See SAC061 or example. There are use cases that argue in favor of anonymous access. For example law enforcement investigators do not want to reveal what they are looking into, for obvious reasons. I also assume that they do they want to violate terms of service or lie about who they are or what they are doing. The setup we currently have -- a query/response system that does not require credentials or permissions -- avoids the above problems, among others. All best, --Greg From: James Galvin [mailto:jgalvin@afilias.info] Sent: Tuesday, January 24, 2017 12:55 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Cc: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose I have a comment and a question about Greg’s suggestion/conclusion. First, while I appreciate the documented history and recollection of precedent, we are frequently reminded that we are starting with a clean slate. Thus the fact that “all use is allowed except when a use is specifically prohibited” currently exists in contracts is not binding for us. Second, could you say more about how the rights of legitimate users are infringed by having to identify themselves before getting access to data? In my experience it is ordinary process to identify yourself for access (and sometimes authenticate yourself) unless the circumstances are known to be anonymous or public. This group has to decide if the circumstances justify anonymous or public access, and what that means. Thanks, Jim On 23 Jan 2017, at 12:45, Greg Aaron wrote: The question is not “Is ICANN a law enforcement body?’’ (Clearly it is not.) The question is whether ICANN can require that data be collected and published in order to facilitate various legitimate goals. The answer to that question is clearly “yes.” ICANN’s Bylaws describe ICANN’s responsibilities and their scope – especially see Article 1, section 1, of ICANN’s Bylaws, entitled “Mission, Commitments and Core Values.” (https://www.icann.org/resources/pages/governance/bylaws-en/#article1 ) Among other things, “ICANN's scope is to coordinate the development and implementation of policies: For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries… functional and performance specifications for the provision of registrar services; registrar policies reasonably necessary to implement Consensus Policies relating to a gTLD registry; resolution of disputes regarding the registration of domain names... Examples of the above include, without limitation: …maintenance of and access to accurate and up-to-date information concerning registered names and name servers”. Years back it was decided that the collection and publication of the data was important for accomplishing some legitimate goals, in keeping with the above principles. And since the old days there have been additional statements of note. For example in 2007 the GAC weighed in recognizing a number of specific legitimate uses, including “facilitating inquiries and subsequent steps to conduct trademark clearances and help counter intellectual property infringement” and “contributing to user confidence in the Internet”, in keeping with law. We’re reviewing all this now; just saying that there’s a lot of precedent, and proposals for chnage need to address precedent. Currently there is an approach that’s important to mention. The contracts say that registrars “shall permit use of data it provides in response to queries for any lawful purposes”. [Emphases added; and except for “mass unsolicited, commercial messages” i.e. spamming, and some high-volume queries.) Access is not prohibited or regulated. All use is allowed except when a use is specifically prohibited. The alternative is to enumerate all allowable uses and to regulate access based on each user’s intent to honor those allowed uses. And that takes the world to a place where a system must gatekeep all users, and parcel out data to them only after the assert or prove they have a legitimate use and that they will employ the data only for that purpose. IMHO that infringes upon the rights of legitimate users, and is also a completely unmanageable solution. All best, --Greg From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kimpian Peter Sent: Monday, January 23, 2017 8:53 AM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose Dear All, Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose... My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!) Best regards, Peter 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta: I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-) I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not. cheers Stephanie On 2017-01-22 04:03, Shane Kerr wrote: Greg, If we can say that not all legitimate purposes have to be catered for, then I agree with you. :) If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right? To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind. Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable. Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon. Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable. Cheers, -- Shane At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com><mailto:gregshatanipc@gmail.com> wrote: I have to disagree. These are legitimate purposes for collection, as well as for disclosure. Greg On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly. Apologies if I did not make that point clear enough on the call. Stephanie Perrin On 2017-01-20 17:35, Gomes, Chuck wrote: Please note that our current poll ends in about 24 hours. So far only 16 people have responded. Chuck *From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg- bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org><mailto:gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Dear all, As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation: https://www.surveymonkey.com/r/SZX9QJZ A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw This poll will close at *COB Saturday 21 January 2017*. All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting. Best regards, Lisa _______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://http://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<mailto:listgnso-rds-pdp-wg@icann.orghttps://http://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Folks While I have a lot of sympathy for Peter’s questions, I’m not sure they are the right ones to ask. ANY person/organisation that collects personal data is, under most data protection law, a collector of data and thus subject to rules about the collection, use and disclosure of that information. At its most basic, the issue that has faced ICANN for YEARS is whether the contracts that it has with registries and registrars are in conflict with data protection legislation that those registries/registrars are bound by. So the issue is NOT whether ICANN is a law enforcement body or whatever. The issue is about its contracts - enforceable documents on the contracted parties - that potentially put registries/registrars in breach of their national law. The questions we are asking as a WG flow from that basic issue. Holly On 24 Jan 2017, at 12:53 am, Kimpian Peter <kimpian.peter@naih.hu> wrote:

Dear All,

Adding to the purpose debate: usually it is common sense and wiedly reckognised that we don't collect personal data just for the sake of it or in bulk saying it will be good for one purpose or another. Usually data controllers have the obligation to say openly in advance this is why I am going to process (ie collect, agregate, transfer, etc.) personal data. Being said that it can not be excluded that those data will be used/accessed for "higher" common good and for the benefit for all by another athorised data controller. For example a telco company can if all conditions met disclose (!) data it previously collected to law enforcement agencies but this does not mean that the Telco compony can collect, process etc data for law enforcement purpose...

My simple question to start with would be and always was: Is ICANN a law enforcement body? Does ICANN have any power/competence in fighting against crime? And it goes for other purposes as well: Is ICANN an international trademark organisation? Etc...Is the answer given to those questions is shared by all the community of ICANN? In my sense we have to be sure that we answer first those questions before deciding on possible purposes (which does not mean that discloser of data on a case-by case base according to international legal requirements will not be possible after this, but those will be exceptions !!!)

Best regards,

Peter 2017.01.22. 19:20 keltezéssel, Stephanie Perrin írta:

...

I love your analogy Shane, it is perfect. In data protection terms that would be a use. For a legitimate purpose... sledding. There might have to be repercussions if you cracked the lid....that might be a data breach:-)

I hate being a nit picker and calling out this distinction between purpose of collection as opposed to purpose for use and disclosure, but it is extremely important in terms of data protection. Some laws are more clear than others on the distinction, and you are correct that if we are not careful DP laws will forbid the collection and disclosure of the data. It is certainly clear that for collection of thin data, there is ample justification for collecting the info based on ICANN's limited mandate. However adding law enforcement and other similar website related investigative activities to the list of legitimate purposes is in my view opening a barn door. After a year of discussion we may understand the nuance, that we are talking about thin data, etc etc but when the fruits of our labours are published, it looks like we have all agreed that law enforcement (eg) is a legitimate purpose for collecting registration data. In my view, it is not.

cheers Stephanie

On 2017-01-22 04:03, Shane Kerr wrote:

...

Greg,

If we can say that not all legitimate purposes have to be catered for, then I agree with you. :)

If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right?

To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind.

Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable.

Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon.

Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable.

Cheers,

-- Shane

At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com> wrote:

...

I have to disagree. These are legitimate purposes for collection, as well as for disclosure.

Greg

On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:

...

I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16 people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting.

Best regards, Lisa

_______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Shane, you said that “with regards to ‘thin data’ is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it.” You may be making an erroneous assumption. AFAIK, thin data is not protected by privacy laws. Generally, privacy laws are designed to protect personally identifiable information, and not all types of information. Privacy laws allow the _collection_ personal information for legitimate purposes. Privacy laws are not designed to prohibit the _publication_ of non-personally-identifiable information. This is why ccTLDs in countries with strong privacy laws (such as in the EU) DO collect and publish thin data in their WHOIS systems They do it because it’s allowed, and because there are legitimate reasons to collect AND publish it. And sometimes they publish thick data. For example you will see registrant and contact information below. That’s published because companies are not individuals. All best, --Greg Domain name: virgin.co.uk Registrant: Virgin Enterprises Limited Registrant type: Unknown Registrant's address: The Battleship Building 179 Harrow Road London EN W2 6NB United Kingdom Data validation: Nominet was able to match the registrant's name and address against a 3rd party data source on 21-Apr-2015 Registrar: Corporation Service Company (UK) Limited [Tag = CSC-CORP-DOMAINS] URL: http://www.cscprotectsbrands.com Relevant dates: Registered on: before Aug-1996 Expiry date: 07-Nov-2017 Last updated: 03-Nov-2015 Registration status: Registered until expiry date. Name servers: a4.nstld.com f4.nstld.com g4.nstld.com h4.nstld.com j4.nstld.com k4.nstld.com l4.nstld.com Domain name: virgin.ca Domain status: registered Creation date: 2001/01/31 Expiry date: 2017/03/10 Updated date: 2015/02/02 DNSSEC: Unsigned Registrar: Name: CSC Corporate Domains (Canada) Company Number: 2397937 Registrant: Name: Virgin Enterprises Limited TMA 383374 Administrative contact: Name: Ms Victoria Carrington Postal address: 112 Kent Street, Suite 2001 Ottawa ON K1P 5P2 Canada Phone: 1 613 2325300 Fax: 1 613 5639231 Email: email@shapirocohen.com Technical contact: Name: Russell Berman Postal address: The School House 50 Brook Green London EN W6 7RR United Kingdom Phone: +44.2073132000 Fax: +44.2031263608 Email: email@virgin.com Name servers: a4.nstld.com f4.nstld.com g4.nstld.com h4.nstld.com j4.nstld.com k4.nstld.com l4.nstld.com domain: virgin.fr status: ACTIVE hold: NO holder-c: VEL21-FRNIC admin-c: RD2263-FRNIC tech-c: DA4698-FRNIC zone-c: NFC1-FRNIC nsl-id: NSL17525-FRNIC registrar: CSC CORPORATE DOMAINS INC. Expiry Date: 11/12/2017 created: 28/06/1995 last-update: 07/12/2016 source: FRNIC ns-list: NSL17525-FRNIC nserver: a4.nstld.com nserver: f4.nstld.com nserver: g4.nstld.com nserver: h4.nstld.com nserver: j4.nstld.com nserver: k4.nstld.com nserver: l4.nstld.com source: FRNIC registrar: CSC CORPORATE DOMAINS INC. type: Isp Option 1 address: 2711 Centerville Road, Suite 400 address: DE 19808 WILMINGTON country: US phone: +1 302 636 5401 fax-no: +1 302 636 5454 e-mail: email@cscinfo.com website: http://www.csccorporatedomains.com anonymous: NO registered: 17/10/2006 source: FRNIC nic-hdl: VEL21-FRNIC type: ORGANIZATION contact: Virgin Enterprises Ltd. address: 120 Campden Hill Road address: W6 7RR London country: GB phone: +44 2073132000 fax-no: +44 2031263610 e-mail: email@virgin.com registrar: CSC CORPORATE DOMAINS INC. changed: 03/10/2012 email@nic.fr anonymous: NO obsoleted: NO eligstatus: ok eligsource: REGISTRAR eligdate: 03/10/2012 21:10:50 source: FRNIC nic-hdl: RD2263-FRNIC type: PERSON contact: Rebecca Delorey address: Partner/Avocat associe address: Gilbey Delorey 69 rue de Richelieu address: 75002 Paris country: FR phone: +33 1 56 02 62 00 fax-no: +33 1 56 02 62 10 e-mail: email@gilbeydehaas.com registrar: CSC CORPORATE DOMAINS INC. changed: 08/09/2010 email@nic.fr anonymous: NO obsoleted: NO source: FRNIC nic-hdl: DA4698-FRNIC type: PERSON contact: Domain Administrator address: Virgin Enterprises Ltd. address: The School House address: 50 Brook Green address: W6 7RR London EN country: GB phone: +44 2073132000 fax-no: +44 2031263608 e-mail: email@virgin.com registrar: CSC CORPORATE DOMAINS INC. changed: 26/09/2011 email@nic.fr anonymous: NO obsoleted: NO source: FRNIC City: Augustfehn I CountryCode: DE Phone: +49 4489 941030 Fax: +49 4489 9410369 Email: email@kataplonk.de Changed: 2013-08-03T15:21:00+02:00 ********************************** Greg Aaron Vice-President, Product Management iThreat Cyber Group / Cybertoolbelt.com mobile: +1.215.858.2257 ********************************** The information contained in this message is privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Shatan Sent: Sunday, January 22, 2017 1:33 PM To: Shane Kerr <shane@time-travellers.org> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] FW: Now open: 18 January Poll on Purpose Shane, First, I would say that all legitimate purposes need to be catered for, so I don't think we can agree there. :-( Second, I think the garbage can top analogy illustrates the difference between purpose and use. It is not a legitimate purpose of a garbage can top to be used as a sled, even if it is a potential use. (I don't think we can say that it is a legitimate use either, but hopefully we don't have to parse that issue, at least not yet. In college, we used to sled down the hill in the middle of campus on cafeteria trays (from the cafeteria conveniently located near the top of the hill. This was definitely not a legitimate purpose of those sleds. We students may have thought this was a legitimate use of the trays, but I doubt this view was shared by cafeteria staff or university administration. Or maybe we thought it was an illegitimate use, which made it more exciting (it's been a while...).) I share your view that the need for the information is indisputable -- so we can agree there. :-) Nonetheless, I think there are good reasons that it is important to identify the legitimate purposes of the data is collected, and to accommodate those purposes. Indeed, this is one of the essential purposes of this Working Group. Greg On Sun, Jan 22, 2017 at 4:03 AM, Shane Kerr <shane@time-travellers.org<mailto:shane@time-travellers.org>> wrote: Greg, If we can say that not all legitimate purposes have to be catered for, then I agree with you. :) If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right? To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind. Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable. Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon. Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable. Cheers, -- Shane At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com<mailto:gregshatanipc@gmail.com>> wrote:

I have to disagree. These are legitimate purposes for collection, as well as for disclosure.

Greg

On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote:

...

I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16 people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-<mailto:gnso-rds-pdp-wg-> bounces@icann.org<mailto:bounces@icann.org> <gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org>>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting.

Best regards, Lisa

_______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<http://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Greg, [ I realize that we're deep in the weeds of talking about definitions. Apologies if this is already been discussed in the past. ] Let's try a thought experiment. Imagine a world without any RDS, WHOIS or otherwise. Would law enforcement simply give up trying to find contacts for domain holders? No. They would look up the registry on IANA's web page: https://www.iana.org/domains/root/db Then they would contact the registry for this information. The registry would then send them to the registrar. The registrar would then decide what - if any - information to share with the LEA. The WHOIS/RDS is really just a way to automate this process and make things cheaper, easier, and more open & transparent. Now... if we were to ask the LEA what system they would like if there was no WHOIS as a model, would it look like the system we have today? I'm not sure. I can imagine that it would involve things like a full feed of registrations in real time so that LEA could scan for patterns, ability to search history of registrations, alert mechanisms so that when certain rules were triggered the police would be notified. I don't want that. I don't want any of that!! So while I agree it will be helpful to compare the various "uses" of thin data, I do not want the RDS *designed* for all of these. If by "purpose" we mean what the thin data is designed for, then I really think it is just to get a referral to something with more information. Cheers, -- Shane At 2017-01-22 13:33:12 -0500 Greg Shatan <gregshatanipc@gmail.com> wrote:

First, I would say that all legitimate purposes need to be catered for, so I don't think we can agree there. :-(

Second, I think the garbage can top analogy illustrates the difference between purpose and use. It is not a legitimate purpose of a garbage can top to be used as a sled, even if it is a potential use. (I don't think we can say that it is a legitimate use either, but hopefully we don't have to parse that issue, at least not yet. In college, we used to sled down the hill in the middle of campus on cafeteria trays (from the cafeteria conveniently located near the top of the hill. This was definitely not a legitimate purpose of those sleds. We students may have thought this was a legitimate use of the trays, but I doubt this view was shared by cafeteria staff or university administration. Or maybe we thought it was an illegitimate use, which made it more exciting (it's been a while...).)

I share your view that the need for the information is indisputable -- so we can agree there. :-)

Nonetheless, I think there are good reasons that it is important to identify the legitimate purposes of the data is collected, and to accommodate those purposes. Indeed, this is one of the essential purposes of this Working Group.

Greg

On Sun, Jan 22, 2017 at 4:03 AM, Shane Kerr <shane@time-travellers.org> wrote:

...

Greg,

If we can say that not all legitimate purposes have to be catered for, then I agree with you. :)

If we say that tracking down the registrar of a domain as part of trademark research is a legitimate purpose, that does not mean that we have to design the system for this purpose, right?

To try an analogy: We can recognize that using the plastic top of a garbage can as a sled is legitimate, but we don't insist on designing lids with sledding in mind.

Full disclosure: My own take on the "legitimate purpose" discussion with regards to "thin data" is that we need *some* purpose for both gathering and publishing the information, because otherwise privacy laws may prohibit companies from gathering or publishing it. Luckily I think that there are so many such purposes that the need for the information is indisputable.

Jumping ahead... as I said in a prior call (sorry for missing ones since then), I would prefer that the information is then allowed for any purpose, without restriction, because otherwise you have to have not only tiresome rules about what is allowed but also the Internet Police to enforce those rules, which seems like a step towards Armageddon.

Given that we're still talking about "thin data", which is basically just a pointer to a registrar who has *actual* data, my own recommendation is not to stress too much. This stuff is only very, very vaguely personally identifiable.

Cheers,

-- Shane

At 2017-01-21 14:51:29 -0500 Greg Shatan <gregshatanipc@gmail.com> wrote:

...

I have to disagree. These are legitimate purposes for collection, as well as for disclosure.

Greg

On Fri, Jan 20, 2017 at 7:02 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:

...

I filled it out, but I am afraid for most of the purposes I could not agree. We do not *collect *data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

Please note that our current poll ends in about 24 hours. So far only 16 people have responded.

Chuck

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Lisa Phifer *Sent:* Wednesday, January 18, 2017 1:50 PM *To:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> < gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page: https://community.icann.org/x/ EbTDAw

This poll will close at *COB Saturday 21 January 2017*.

All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting.

Best regards, Lisa

_______________________________________________ gnso-rds-pdp-wg mailing listgnso-rds-pdp-wg@icann.orghttps:// mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

I very much agree with this comment from Stephanie, as did a number of other people on the most recent call. This issue - of the difference between collection and disclosure as regards purpose - is significant and needs discussion in further detail. Though it may seem not that significant when we are only talking about ‘thin’ data that is likely going to be collected anyway, it becomes a much more significant difference when we broaden the range of data elements. David

On 21 Jan 2017, at 8:02 am, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:

I filled it out, but I am afraid for most of the purposes I could not agree. We do not collect data for many of those purposes. We disclose it to people for those purposes, but the purpose of collecting those data elements is not for tax collection, trademark enforcement actions, etc. This is the conflation issue I have raised repeatedly.

Apologies if I did not make that point clear enough on the call.

Stephanie Perrin

On 2017-01-20 17:35, Gomes, Chuck wrote:

...

Please note that our current poll ends in about 24 hours. So far only 16 people have responded.

Chuck   <> From: gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of Lisa Phifer Sent: Wednesday, January 18, 2017 1:50 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Dear all,

As directed in the 18 January WG call, this week's new Poll on Purpose is now open for WG member participation:

https://www.surveymonkey.com/r/SZX9QJZ

<https://www.surveymonkey.com/r/SZX9QJZ>A PDF of this poll's questions and notes/recordings of the meeting are posted on the 18 January meeting page:https://community.icann.org/x/EbTDAw

<https://community.icann.org/x/EbTDAw>This poll will close at COB Saturday 21 January 2017.

All WG members are encouraged to participate in this poll to help advance deliberation and prepare for next week's meeting.

Best regards, Lisa

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>

---

gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Thank you Michele, ( ignoring the spell check driven typo of "think" for "thick" (-: ). We should be able to put this "thin" discussion behind us. The "thin" discussion should have taken about 2 email exchanges. Here is CIRA's (thin) search for .ca domain names [disclosure: it is my domain name] Domain name: artisanalpot.ca Domain status: registered Creation date: 2016/12/14 Expiry date: 2017/12/14 Updated date: 2016/12/19 DNSSEC: Unsigned Registrar: Name: Web Hosting Canada (7081936 Canada Inc.) Number: 5000080 Name servers: ns1.whc.ca 173.209.49.178 ns2.whc.ca 198.245.53.176 ns3.whc.ca 198.245.61.86 % WHOIS look-up made at 2017-01-25 11:32:24 (GMT) % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % (c) 2017 Canadian Internet Registration Authority, (http://www.cira.ca/) Nothing private is disclosed and LEA would have to resort to legal means to get to what is in the "thick" data set. There are no ICANN policy issues here. Sam L <artisanalpot.ca> (-:

Regarding the analogy with health data, the list of exceptions is long, when it comes to the application of data protection laws. For example, they do not apply in cases where public health and safety require it; For government research and statistics needs; In case of a law enforcement investigation; When the security of the President or other high ranking officials is at stake; When the data can be collected from other sources (such as the phone book); When needed for legislative purposes; In case of a court order or other legal mandate; If the person giving the data does so willingly; And data protection doesn't apply to second or all subsequent sharings. The truth is data protection is very loosely applied and is not meant to prevent law enforcement, legal processes from going their course. By gating all data, or reducing RDS to just a technician's tool, this would also break the economy of the Internet. WHOIS/RDS is also a phone book and as such, it protects the end-user by affording her and additional and important level of security. Nowhere is it said that RDS is purely technical. This is reductive view. Nathalie Sent from my iPhone

On Jan 25, 2017, at 6:56 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:

Sorry, this discussion is important. Your example proves my point. What you show below is a disclosure. It is a disclosure of a limited set of data. we are not supposed to be talking about disclosure at this point in our proceedings. I leave it to the experts on whether this is "thin" in the sense of the thick transition discussion, I really don't know because we are focused on gTLD policy here. My point is this is a disclosure. We do not "collect" thin data per se, we collect a whole mess of mandatory data elements, as per the RAA. Then we generate a whole mess as part of activating and making real the domain's existence. Then we share (release) a small subset.

So talking about collecting thin data is misleading in my view. Purpose of disclosing it is what we are in fact talking about. Calling it a purpose for collection opens the barn door.

Stephanie

...

On 2017-01-25 06:46, Sam Lanfranco wrote: Thank you Michele, ( ignoring the spell check driven typo of "think" for "thick" (-: ). We should be able to put this "thin" discussion behind us. The "thin" discussion should have taken about 2 email exchanges. Here is CIRA's (thin) search for .ca domain names [disclosure: it is my domain name]

Domain name: artisanalpot.ca Domain status: registered Creation date: 2016/12/14 Expiry date: 2017/12/14 Updated date: 2016/12/19 DNSSEC: Unsigned Registrar: Name: Web Hosting Canada (7081936 Canada Inc.) Number: 5000080 Name servers: ns1.whc.ca 173.209.49.178 ns2.whc.ca 198.245.53.176 ns3.whc.ca 198.245.61.86 % WHOIS look-up made at 2017-01-25 11:32:24 (GMT) % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % (c) 2017 Canadian Internet Registration Authority, (http://www.cira.ca/)

Nothing private is disclosed and LEA would have to resort to legal means to get to what is in the "thick" data set. There are no ICANN policy issues here.

Sam L <artisanalpot.ca> (-:

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Isn’t consent always been acceptable for use and disclosure purposes? And doesn’t all of this have to be balanced with the public’s legitimate interest in transparency? From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin Sent: Wednesday, January 25, 2017 2:33 PM To: nathalie coupet <nathaliecoupet@yahoo.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose WHOIS at the moment is a phone book, and it is a phone book that arguably violates data protection law. The purpose of this pdp is to determine what the policy behind the RDS ought to be....not just limp along with the vestigial WHOIS we inherited from Jon Postel. The analogy with health data was to demonstrate that if the management of the DNS was in the hands of government, they would have public policy responsibilities, enforced in their parliaments or legislatures, to take ALL views with due consideration (read with a grain of salt) and act in compliance with law and with their respective Constitutions and Charters. That was the point I was trying to make...we are in a multistakeholder environment where stakeholders can influence policy to a greater extent, with no recourse to a higher authority to question the inclusion of perspectives that may not be agreed by others (eg. a Parliament). and I am aware that the list of exceptions for third party access is long. But they are for release or sharing of data....they are not purposes of collection. In the cases of many of the government exceptions you list, those are releases or sharing agreements authorized by law, and subject to legal protection. They are not, in most cases where there is a constitution in place that protects fundamental rights and due process, reasons for broader collection for those purposes. There are rare exceptions to that general principle, but by and large they are rare. Apologies if that example was not sufficiently clear. cheers Stephanie On 2017-01-25 07:53, nathalie coupet wrote: Regarding the analogy with health data, the list of exceptions is long, when it comes to the application of data protection laws. For example, they do not apply in cases where public health and safety require it; For government research and statistics needs; In case of a law enforcement investigation; When the security of the President or other high ranking officials is at stake; When the data can be collected from other sources (such as the phone book); When needed for legislative purposes; In case of a court order or other legal mandate; If the person giving the data does so willingly; And data protection doesn't apply to second or all subsequent sharings. The truth is data protection is very loosely applied and is not meant to prevent law enforcement, legal processes from going their course. By gating all data, or reducing RDS to just a technician's tool, this would also break the economy of the Internet. WHOIS/RDS is also a phone book and as such, it protects the end-user by affording her and additional and important level of security. Nowhere is it said that RDS is purely technical. This is reductive view. Nathalie Sent from my iPhone On Jan 25, 2017, at 6:56 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: Sorry, this discussion is important. Your example proves my point. What you show below is a disclosure. It is a disclosure of a limited set of data. we are not supposed to be talking about disclosure at this point in our proceedings. I leave it to the experts on whether this is "thin" in the sense of the thick transition discussion, I really don't know because we are focused on gTLD policy here. My point is this is a disclosure. We do not "collect" thin data per se, we collect a whole mess of mandatory data elements, as per the RAA. Then we generate a whole mess as part of activating and making real the domain's existence. Then we share (release) a small subset. So talking about collecting thin data is misleading in my view. Purpose of disclosing it is what we are in fact talking about. Calling it a purpose for collection opens the barn door. Stephanie On 2017-01-25 06:46, Sam Lanfranco wrote: Thank you Michele, ( ignoring the spell check driven typo of "think" for "thick" (-: ). We should be able to put this "thin" discussion behind us. The "thin" discussion should have taken about 2 email exchanges. Here is CIRA's (thin) search for .ca domain names [disclosure: it is my domain name] Domain name: artisanalpot.ca<http://artisanalpot.ca> Domain status: registered Creation date: 2016/12/14 Expiry date: 2017/12/14 Updated date: 2016/12/19 DNSSEC: Unsigned Registrar: Name: Web Hosting Canada (7081936 Canada Inc.) Number: 5000080 Name servers: ns1.whc.ca<http://ns1.whc.ca> 173.209.49.178 ns2.whc.ca<http://ns2.whc.ca> 198.245.53.176 ns3.whc.ca<http://ns3.whc.ca> 198.245.61.86 % WHOIS look-up made at 2017-01-25 11:32:24 (GMT) % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % (c) 2017 Canadian Internet Registration Authority, (http://www.cira.ca/) Nothing private is disclosed and LEA would have to resort to legal means to get to what is in the "thick" data set. There are no ICANN policy issues here. Sam L <artisanalpot.ca<http://artisanalpot.ca>> (-: _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

My last comment here (from the balmy shores of Dakar) is: Can we close the door on the "thin" data discussion. Stephanie is right when she says deciding what to collect is difference from deciding what to disclose. The purpose of that thin data example is that it violates none of the principles being discussed here. As for what to collect, data is never proposed for collection without some purpose, be that good, bad, legal or illegal. We have had analogies (garbage can lids), example (health data) etc.. Should we get back to simply listing the principles (legal, ethical, etc.) that should be considered when deciding what to collect, then later on get into the principles that should govern what should be disclosed and under what conditions? Sam /On 2017-01-25 11:56 AM, Stephanie Perrin wrote: /

//

/Sorry, this discussion is important. Your example proves my point. What you show below is a disclosure. It is a disclosure of a limited set of data. we are not supposed to be talking about disclosure at this point in our proceedings. I leave it to the experts on whether this is "thin" in the sense of the thick transition discussion, I really don't know because we are focused on gTLD policy here. My point is this is a disclosure. We do not "collect" thin data per se, we collect a whole mess of mandatory data elements, as per the RAA. Then we generate a whole mess as part of activating and making real the domain's existence. Then we share (release) a small subset. /

//

/So talking about collecting thin data is misleading in my view. Purpose of disclosing it is what we are in fact talking about. Calling it a purpose for collection opens the barn door./

//

/Stephanie /

//

Stephanie Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement. As to the specifics .. I would argue that generated data is NOT collected, as it’s generated. If you register stephanieperrin.com with us the only elements we are “collecting” that end up in in the “thin” data are: the domain name string the nameservers you’re using (and if you don’t specify any we’ll use our own) All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> Date: Wednesday 25 January 2017 at 11:56 To: Sam Lanfranco <sam@lanfranco.net>, Michele Neylon <michele@blacknight.com>, David Cake <dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Sorry, this discussion is important. Your example proves my point. What you show below is a disclosure. It is a disclosure of a limited set of data. we are not supposed to be talking about disclosure at this point in our proceedings. I leave it to the experts on whether this is "thin" in the sense of the thick transition discussion, I really don't know because we are focused on gTLD policy here. My point is this is a disclosure. We do not "collect" thin data per se, we collect a whole mess of mandatory data elements, as per the RAA. Then we generate a whole mess as part of activating and making real the domain's existence. Then we share (release) a small subset. So talking about collecting thin data is misleading in my view. Purpose of disclosing it is what we are in fact talking about. Calling it a purpose for collection opens the barn door. Stephanie On 2017-01-25 06:46, Sam Lanfranco wrote: Thank you Michele, ( ignoring the spell check driven typo of "think" for "thick" (-: ). We should be able to put this "thin" discussion behind us. The "thin" discussion should have taken about 2 email exchanges. Here is CIRA's (thin) search for .ca domain names [disclosure: it is my domain name] Domain name: artisanalpot.ca Domain status: registered Creation date: 2016/12/14 Expiry date: 2017/12/14 Updated date: 2016/12/19 DNSSEC: Unsigned Registrar: Name: Web Hosting Canada (7081936 Canada Inc.) Number: 5000080 Name servers: ns1.whc.ca 173.209.49.178 ns2.whc.ca 198.245.53.176 ns3.whc.ca 198.245.61.86 % WHOIS look-up made at 2017-01-25 11:32:24 (GMT) % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % (c) 2017 Canadian Internet Registration Authority, (http://www.cira.ca/) Nothing private is disclosed and LEA would have to resort to legal means to get to what is in the "thick" data set. There are no ICANN policy issues here. Sam L <artisanalpot.ca> (-:

Scott Sure, but if we go down that route we could make cases for a lot of things ☺ My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Scott Hollenbeck <shollenbeck@verisign.com> Date: Wednesday 25 January 2017 at 17:15 To: Michele Neylon <michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, January 25, 2017 12:09 PM To: Stephanie Perrin; Sam Lanfranco; David Cake Cc: gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Stephanie Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement. As to the specifics .. I would argue that generated data is NOT collected, as it’s generated. If you register stephanieperrin.com with us the only elements we are “collecting” that end up in in the “thin” data are: the domain name string the nameservers you’re using (and if you don’t specify any we’ll use our own) All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered. [SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated. Scott

Both Michele and Stephanie are right. The EU’s (and EC’s) words concern information ‘that relates to’. This is broader than the usual phrase in many data protection jurisdictions - 'information about' - the later being data that is clearly about an individual. But in a world where bits of data variously gathered can form a very complete picture of an individual, the European view is increasingly more relevant. That said, basic data protection law recognises that the collection of information that is about and relates to individuals is necessary for the vast array of purposes of agencies, corporations, etc. do. So the principle behind the collection of any data is to ask whether it is necessary to collect that information to accomplish what the agency, corporation etc actually (and legitimately) does. (and that also goes to the point Jim is making) So yes, we do have to ask about the collection of information that relates to individuals - in the context of what agencies/governments/corporations etc actually (and legitimately) do. But, as Michele keeps pointing out, we are talking about thin data here. And if you look at the list of data that is collected,it is collected to achieve the purposes of being a registrar or registry. At the end of the day, there will be collection of data that relates to individuals so that the processes of domain name acquisition, handling, transfer etc, etc. can occur. Holly On 26 Jan 2017, at 6:40 am, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:

Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are.

Stephanie

On 2017-01-25 12:32, Michele Neylon - Blacknight wrote:

...

Scott

Sure, but if we go down that route we could make cases for a lot of things J My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

From: Scott Hollenbeck <shollenbeck@verisign.com> Date: Wednesday 25 January 2017 at 17:15 To: Michele Neylon <michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, January 25, 2017 12:09 PM To: Stephanie Perrin; Sam Lanfranco; David Cake Cc: gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Stephanie

Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement.

As to the specifics ..

I would argue that generated data is NOT collected, as it’s generated.

If you register stephanieperrin.com with us the only elements we are “collecting” that end up in in the “thin” data are: the domain name string the nameservers you’re using (and if you don’t specify any we’ll use our own) All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered.

[SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated.

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Stephanie Do you have any links to any legislation / regulations etc., that are this broad? And honestly I don’t see how a set of nameserver is “personally identifiable” unless you’re using your own name in the hostname (which you could, but then I’d see that as your choice and not a technical requirement) Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains http://www.blacknight.host/ http://blacknight.blog/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> Date: Wednesday 25 January 2017 at 19:40 To: Michele Neylon <michele@blacknight.com>, Scott Hollenbeck <shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are. Stephanie On 2017-01-25 12:32, Michele Neylon - Blacknight wrote: Scott Sure, but if we go down that route we could make cases for a lot of things ☺ My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Scott Hollenbeck <shollenbeck@verisign.com><mailto:shollenbeck@verisign.com> Date: Wednesday 25 January 2017 at 17:15 To: Michele Neylon <michele@blacknight.com><mailto:michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca><mailto:stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net><mailto:sam@lanfranco.net>, "dave@davecake.net"<mailto:dave@davecake.net> <dave@davecake.net><mailto:dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org"<mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, January 25, 2017 12:09 PM To: Stephanie Perrin; Sam Lanfranco; David Cake Cc: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Stephanie Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement. As to the specifics .. I would argue that generated data is NOT collected, as it’s generated. If you register stephanieperrin.com with us the only elements we are “collecting” that end up in in the “thin” data are: the domain name string the nameservers you’re using (and if you don’t specify any we’ll use our own) All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered. [SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated. Scott

Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home. Unless someone is suggesting we completely re-architect DNS, having nameservers tied to domain records is absolutely essential. You could deprecate displaying it in whois but any DNS client would easily be able to retrieve the data because the resolver still has to know what to ask for. J Sent from my iPhone

On Jan 25, 2017, at 16:08, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Stephanie

Do you have any links to any legislation / regulations etc., that are this broad?

And honestly I don’t see how a set of nameserver is “personally identifiable” unless you’re using your own name in the hostname (which you could, but then I’d see that as your choice and not a technical requirement)

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains http://www.blacknight.host/ http://blacknight.blog/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845

From: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> Date: Wednesday 25 January 2017 at 19:40 To: Michele Neylon <michele@blacknight.com>, Scott Hollenbeck <shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are.

Stephanie

On 2017-01-25 12:32, Michele Neylon - Blacknight wrote: Scott

Sure, but if we go down that route we could make cases for a lot of things J My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable.

Regards

Michele

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

From: Scott Hollenbeck <shollenbeck@verisign.com> Date: Wednesday 25 January 2017 at 17:15 To: Michele Neylon <michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, January 25, 2017 12:09 PM To: Stephanie Perrin; Sam Lanfranco; David Cake Cc: gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Stephanie

Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement.

As to the specifics ..

I would argue that generated data is NOT collected, as it’s generated.

If you register stephanieperrin.com with us the only elements we are “collecting” that end up in in the “thin” data are: the domain name string the nameservers you’re using (and if you don’t specify any we’ll use our own) All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered.

[SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated.

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

If we are going to consider this in the context of ICANN's mission, I thought it would be helpful to have the whole package of ICANN's Mission, Commitments and Core Values in front of us: ARTICLE 1 MISSION, COMMITMENTS AND CORE VALUESSection 1.1. MISSION (a) The mission of the Internet Corporation for Assigned Names and Numbers ("*ICANN*") is to ensure the stable and secure operation of the Internet's unique identifier systems as described in this *Section 1.1(a)* (the " *Mission*"). Specifically, ICANN: (i) Coordinates the allocation and assignment of names in the root zone of the Domain Name System ("*DNS*") and coordinates the development and implementation of policies concerning the registration of second-level domain names in generic top-level domains ("*gTLDs*"). In this role, ICANN's scope is to coordinate the development and implementation of policies: - For which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLDregistrars and registries, policies in the areas described in Annex G-1 and Annex G-2; and - That are developed through a bottom-up consensus-based multistakeholder process and designed to ensure the stable and secure operation of the Internet's unique names systems. The issues, policies, procedures, and principles addressed in Annex G-1 and Annex G-2 with respect to gTLD registrars and registries shall be deemed to be within ICANN's Mission. (ii) Facilitates the coordination of the operation and evolution of the DNS root name server system. (iii) Coordinates the allocation and assignment at the top-most level of Internet Protocol numbers and Autonomous System numbers. In service of its Mission, ICANN (A) provides registration services and open access for global number registries as requested by the Internet Engineering Task Force ("*IETF*") and the Regional Internet Registries ("*RIRs*") and (B) facilitates the development of global number registry policies by the affected community and other related tasks as agreed with the RIRs. (iv) Collaborates with other bodies as appropriate to provide registries needed for the functioning of the Internet as specified by Internet protocol standards development organizations. In service of its Mission, ICANN's scope is to provide registration services and open access for registries in the public domain requested by Internet protocol development organizations. (b) ICANN shall not act outside its Mission. (c) ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet's unique identifiers or the content that such services carry or provide, outside the express scope of *Section 1.1(a)*. For the avoidance of doubt, ICANN does not hold any governmentally authorized regulatory authority. (d) For the avoidance of doubt and notwithstanding the foregoing: (i) the foregoing prohibitions are not intended to limit ICANN's authority or ability to adopt or implement policies or procedures that take into account the use of domain names as natural-language identifiers; (ii) Notwithstanding any provision of the Bylaws to the contrary, the terms and conditions of the documents listed in subsections (A) through (C) below, and ICANN's performance of its obligations or duties thereunder, may not be challenged by any party in any proceeding against, or process involving, ICANN (including a request for reconsideration or an independent review process pursuant to Article 4) on the basis that such terms and conditions conflict with, or are in violation of, ICANN's Mission or otherwise exceed the scope of ICANN's authority or powers pursuant to these Bylaws ("*Bylaws*") or ICANN's Articles of Incorporation ("*Articles of Incorporation*"): (A) (1) all registry agreements and registrar accreditation agreements between ICANN and registry operators or registrars in force on 1 October 2016 <https://www.icann.org/resources/pages/bylaws-2016-09-30-en#foot1>[1], including, in each case, any terms or conditions therein that are not contained in the underlying form of registry agreement and registrar accreditation agreement; (2) any registry agreement or registrar accreditation agreement not encompassed by (1) above to the extent its terms do not vary materially from the form of registry agreement or registrar accreditation agreement that existed on 1 October 2016; (B)any renewals of agreements described in subsection (A) pursuant to their terms and conditions for renewal; and (C)ICANN's Five-Year Strategic Plan and Five-Year Operating Plan existing on 10 March 2016. (iii) *Section 1.1(d)(ii)* does not limit the ability of a party to any agreement described therein to challenge any provision of such agreement on any other basis, including the other party's interpretation of the provision, in any proceeding or process involving ICANN. (iv) ICANN shall have the ability to negotiate, enter into and enforce agreements, including public interest commitments, with any party in service of its Mission. Section 1.2. COMMITMENTS AND CORE VALUES In performing its Mission, ICANN will act in a manner that complies with and reflects ICANN's Commitments and respects ICANN's Core Values, each as described below. (a) *COMMITMENTS* In performing its Mission, ICANN must operate in a manner consistent with these Bylaws for the benefit of the Internet community as a whole, carrying out its activities in conformity with relevant principles of international law and international conventions and applicable local law, through open and transparent processes that enable competition and open entry in Internet-related markets. Specifically, ICANN commits to do the following (each, a "*Commitment*," and collectively, the "*Commitments*"): (i) Preserve and enhance the administration of the DNS and the operational stability, reliability, security, global interoperability, resilience, and openness of the DNS and the Internet; (ii) Maintain the capacity and ability to coordinate the DNS at the overall level and work for the maintenance of a single, interoperable Internet; (iii) Respect the creativity, innovation, and flow of information made possible by the Internet by limiting ICANN's activities to matters that are within ICANN's Mission and require or significantly benefit from global coordination; (iv) Employ open, transparent and bottom-up, multistakeholder policy development processes that are led by the private sector (including business stakeholders, civil society, the technical community, academia, and end users), while duly taking into account the public policy advice of governments and public authorities. These processes shall (A) seek input from the public, for whose benefit ICANN in all events shall act, (B) promote well-informed decisions based on expert advice, and (C) ensure that those entities most affected can assist in the policy development process; (v) Make decisions by applying documented policies consistently, neutrally, objectively, and fairly, without singling out any particular party for discriminatory treatment (i.e., making an unjustified prejudicial distinction between or among different parties); and (vi) Remain accountable to the Internet community through mechanisms defined in these Bylaws that enhance ICANN's effectiveness. (b) *CORE VALUES* In performing its Mission, the following "*Core Values*" should also guide the decisions and actions of ICANN: (i) To the extent feasible and appropriate, delegating coordination functions to or recognizing the policy role of, other responsible entities that reflect the interests of affected parties and the roles of bodies internal to ICANN and relevant external expert bodies; (ii) Seeking and supporting broad, informed participation reflecting the functional, geographic, and cultural diversity of the Internet at all levels of policy development and decision-making to ensure that the bottom-up, multistakeholder policy development process is used to ascertain the global public interest and that those processes are accountable and transparent; (iii) Where feasible and appropriate, depending on market mechanisms to promote and sustain a competitive environment in the DNS market; (iv) Introducing and promoting competition in the registration of domain names where practicable and beneficial to the public interest as identified through the bottom-up, multistakeholder policy development process; (v) Operating with efficiency and excellence, in a fiscally responsible and accountable manner and, where practicable and not inconsistent with ICANN's other obligations under these Bylaws, at a speed that is responsive to the needs of the global Internet community; (vi) While remaining rooted in the private sector (including business stakeholders, civil society, the technical community, academia, and end users), recognizing that governments and public authorities are responsible for public policy and duly taking into account the public policy advice of governments and public authorities; (vii) Striving to achieve a reasonable balance between the interests of different stakeholders, while also avoiding capture; and (viii) Subject to the limitations set forth in *Section 27.2*, within the scope of its Mission and other Core Values, respecting internationally recognized human rights as required by applicable law. This Core Value does not create, and shall not be interpreted to create, any obligation on ICANN outside its Mission, or beyond obligations found in applicable law. This Core Value does not obligate ICANN to enforce its human rights obligations, or the human rights obligations of other parties, against other parties. (c) The Commitments and Core Values are intended to apply in the broadest possible range of circumstances. The Commitments reflect ICANN's fundamental compact with the global Internet community and are intended to apply consistently and comprehensively to ICANN's activities. The specific way in which Core Values are applied, individually and collectively, to any given situation may depend on many factors that cannot be fully anticipated or enumerated. Situations may arise in which perfect fidelity to all Core Values simultaneously is not possible. Accordingly, in any situation where one Core Value must be balanced with another, potentially competing Core Value, the result of the balancing must serve a policy developed through the bottom-up multistakeholder process or otherwise best serve ICANN's Mission. On Wed, Jan 25, 2017 at 11:26 PM, Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:

I am not sure how we get to this discussion. What I am saying, is that the purpose of collecting data has to be linked to ICANN's core mission. AS Peter said a while ago, is the core mission to enable law enforcement investigations? No. It is a legitimate purpose to use or disclose limited sets of data as required in accordance with law, but it is not the reason we collect or generate thin data. This distinction is important in data protection law. Nobody is saying we should not disclose the thin data, including name servers. What we are trying to say, and obviously with very little success, is that several of the purposes for collecting thin data which were in the last poll, were not related to ICANN's core mission. They might be legitimate disclosures of data, but they are not legitimate purposes to collect.

Displaying data in WHOIS is a disclosure. We are not supposed to be talking about that yet. We keep conflating the legitimacy of collection, and why we gather or generate data elements about a domain name, and disclosure.

Sorry to keep hammering on this, but it is a very simple concept that is fundamental to data protection. No wonder we have been arguing about this for 18 years.....

cheers Stephanie

On 2017-01-25 21:06, John Bambenek wrote:

Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home.

Unless someone is suggesting we completely re-architect DNS, having nameservers tied to domain records is absolutely essential.

You could deprecate displaying it in whois but any DNS client would easily be able to retrieve the data because the resolver still has to know what to ask for.

J

Sent from my iPhone

On Jan 25, 2017, at 16:08, Michele Neylon - Blacknight < michele@blacknight.com> wrote:

Stephanie

Do you have any links to any legislation / regulations etc., that are this broad?

And honestly I don’t see how a set of nameserver is “personally identifiable” unless you’re using your own name in the hostname (which you could, but then I’d see that as your choice and not a technical requirement)

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

http://www.blacknight.host/

http://blacknight.blog/

http://ceo.hosting/

Intl. +353 (0) 59 9183072 <+353%2059%20918%203072>

Direct Dial: +353 (0)59 9183090 <+353%2059%20918%203090>

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,

Ireland Company No.: 370845

*From: *Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> *Date: *Wednesday 25 January 2017 at 19:40 *To: *Michele Neylon <michele@blacknight.com>, Scott Hollenbeck < shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net>, " dave@davecake.net" <dave@davecake.net> *Cc: *"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are.

Stephanie

On 2017-01-25 12:32, Michele Neylon - Blacknight wrote:

Scott

Sure, but if we go down that route we could make cases for a lot of things J

My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

http://blacknight.blog/

Intl. +353 (0) 59 9183072 <+353%2059%20918%203072>

Direct Dial: +353 (0)59 9183090 <+353%2059%20918%203090>

Social: http://mneylon.social

Some thoughts: http://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

*From: *Scott Hollenbeck <shollenbeck@verisign.com> <shollenbeck@verisign.com> *Date: *Wednesday 25 January 2017 at 17:15 *To: *Michele Neylon <michele@blacknight.com> <michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> <stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net> <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> <dave@davecake.net> <dave@davecake.net> *Cc: *"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> *Subject: *RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg- bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Michele Neylon - Blacknight *Sent:* Wednesday, January 25, 2017 12:09 PM *To:* Stephanie Perrin; Sam Lanfranco; David Cake *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Stephanie

Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement.

As to the specifics ..

I would argue that generated data is NOT collected, as it’s generated.

If you register stephanieperrin.com with us the only elements we are “collecting” that end up in in the “thin” data are:

the domain name string

the nameservers you’re using (and if you don’t specify any we’ll use our own)

All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered.

[SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated.

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

No argument from me on that. None. Not sure why you keep bringing it up. Shall we just stop now? I will stop intervening. SP On 2017-01-26 03:36, Michele Neylon - Blacknight wrote:

Stephanie

Ok that’s simple.

If you want a domain name to resolve on the internet you need certain data elements to be available to everyone.

That’s a technical reality.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

http://www.blacknight.host/

http://blacknight.blog /

http://ceo.hosting/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,Ireland Company No.: 370845

*From: *Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> *Date: *Thursday 26 January 2017 at 04:26 *To: *John Bambenek <jcb@bambenekconsulting.com>, Michele Neylon <michele@blacknight.com> *Cc: *Scott Hollenbeck <shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net>, "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

I am not sure how we get to this discussion. What I am saying, is that the purpose of collecting data has to be linked to ICANN's core mission. AS Peter said a while ago, is the core mission to enable law enforcement investigations? No. It is a legitimate purpose to use or disclose limited sets of data as required in accordance with law, but it is not the reason we collect or generate thin data. This distinction is important in data protection law. Nobody is saying we should not disclose the thin data, including name servers. What we are trying to say, and obviously with very little success, is that several of the purposes for collecting thin data which were in the last poll, were not related to ICANN's core mission. They might be legitimate disclosures of data, but they are not legitimate purposes to collect.

Displaying data in WHOIS is a disclosure. We are not supposed to be talking about that yet. We keep conflating the legitimacy of collection, and why we gather or generate data elements about a domain name, and disclosure.

Sorry to keep hammering on this, but it is a very simple concept that is fundamental to data protection. No wonder we have been arguing about this for 18 years.....

cheers Stephanie

On 2017-01-25 21:06, John Bambenek wrote:

Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home.

Unless someone is suggesting we completely re-architect DNS, having nameservers tied to domain records is absolutely essential.

You could deprecate displaying it in whois but any DNS client would easily be able to retrieve the data because the resolver still has to know what to ask for.

J

Sent from my iPhone

On Jan 25, 2017, at 16:08, Michele Neylon - Blacknight <michele@blacknight.com <mailto:michele@blacknight.com>> wrote:

Stephanie

Do you have any links to any legislation / regulations etc., that are this broad?

And honestly I don’t see how a set of nameserver is “personally identifiable” unless you’re using your own name in the hostname (which you could, but then I’d see that as your choice and not a technical requirement)

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

http://www.blacknight.host/

http://blacknight.blog/

http://ceo.hosting/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,

Ireland Company No.: 370845

*From: *Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> *Date: *Wednesday 25 January 2017 at 19:40 *To: *Michele Neylon <michele@blacknight.com <mailto:michele@blacknight.com>>, Scott Hollenbeck <shollenbeck@verisign.com <mailto:shollenbeck@verisign.com>>, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>>, "dave@davecake.net <mailto:dave@davecake.net>" <dave@davecake.net <mailto:dave@davecake.net>> *Cc: *"gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>" <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> *Subject: *Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are.

Stephanie

On 2017-01-25 12:32, Michele Neylon - Blacknight wrote:

Scott

Sure, but if we go down that route we could make cases for a lot of things J

My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

http://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Social: http://mneylon.social

Some thoughts: http://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

*From: *Scott Hollenbeck <shollenbeck@verisign.com> <mailto:shollenbeck@verisign.com> *Date: *Wednesday 25 January 2017 at 17:15 *To: *Michele Neylon <michele@blacknight.com> <mailto:michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> <mailto:stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net> <mailto:sam@lanfranco.net>, "dave@davecake.net" <mailto:dave@davecake.net> <dave@davecake.net> <mailto:dave@davecake.net> *Cc: *"gnso-rds-pdp-wg@icann.org" <mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org> *Subject: *RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Michele Neylon - Blacknight *Sent:* Wednesday, January 25, 2017 12:09 PM *To:* Stephanie Perrin; Sam Lanfranco; David Cake *Cc:* gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Stephanie

Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement.

As to the specifics ..

I would argue that generated data is NOT collected, as it’s generated.

If you register stephanieperrin.com <http://stephanieperrin.com> with us the only elements we are “collecting” that end up in in the “thin” data are:

the domain name string

the nameservers you’re using (and if you don’t specify any we’ll use our own)

All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered.

[SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated.

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

Agreed Volker, it only makes things more complex. Theo Volker Greimann schreef op 2017-01-26 01:16 PM:

Does all data need to be available to everyone though? Is it not sufficient that there be authorized anyones that can get the data and facilitate the use for those that need it? I have no contest on domain name and name servers being public, but do other parts of the thin data expiration/registration dates have to be to keep the internet functional?

I do not dispute that there are purposes for legitimately accessing the data if it is there, but does it all have to be there?

Volker

Am 26.01.2017 um 09:36 schrieb Michele Neylon - Blacknight:

...

Stephanie

Ok that’s simple.

If you want a domain name to resolve on the internet you need certain data elements to be available to everyone.

That’s a technical reality.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

http://www.blacknight.host/

http://blacknight.blog /

http://ceo.hosting/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,Ireland Company No.: 370845

FROM: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> DATE: Thursday 26 January 2017 at 04:26 TO: John Bambenek <jcb@bambenekconsulting.com>, Michele Neylon <michele@blacknight.com> CC: Scott Hollenbeck <shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net>, "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> SUBJECT: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

I am not sure how we get to this discussion. What I am saying, is that the purpose of collecting data has to be linked to ICANN's core mission. AS Peter said a while ago, is the core mission to enable law enforcement investigations? No. It is a legitimate purpose to use or disclose limited sets of data as required in accordance with law, but it is not the reason we collect or generate thin data. This distinction is important in data protection law. Nobody is saying we should not disclose the thin data, including name servers. What we are trying to say, and obviously with very little success, is that several of the purposes for collecting thin data which were in the last poll, were not related to ICANN's core mission. They might be legitimate disclosures of data, but they are not legitimate purposes to collect.

Displaying data in WHOIS is a disclosure. We are not supposed to be talking about that yet. We keep conflating the legitimacy of collection, and why we gather or generate data elements about a domain name, and disclosure.

Sorry to keep hammering on this, but it is a very simple concept that is fundamental to data protection. No wonder we have been arguing about this for 18 years.....

cheers Stephanie

On 2017-01-25 21:06, John Bambenek wrote:

Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home.

Unless someone is suggesting we completely re-architect DNS, having nameservers tied to domain records is absolutely essential.

You could deprecate displaying it in whois but any DNS client would easily be able to retrieve the data because the resolver still has to know what to ask for.

J

Sent from my iPhone

On Jan 25, 2017, at 16:08, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Stephanie

Do you have any links to any legislation / regulations etc., that are this broad?

And honestly I don’t see how a set of nameserver is “personally identifiable” unless you’re using your own name in the hostname (which you could, but then I’d see that as your choice and not a technical requirement)

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

http://www.blacknight.host/ [1]

http://blacknight.blog/ [2]

http://ceo.hosting/ [3]

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,

Ireland Company No.: 370845

FROM: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> DATE: Wednesday 25 January 2017 at 19:40 TO: Michele Neylon <michele@blacknight.com>, Scott Hollenbeck <shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> CC: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> SUBJECT: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are.

Stephanie

On 2017-01-25 12:32, Michele Neylon - Blacknight wrote:

Scott

Sure, but if we go down that route we could make cases for a lot of things J

My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

http://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Social: http://mneylon.social

Some thoughts: http://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

FROM: Scott Hollenbeck <shollenbeck@verisign.com> DATE: Wednesday 25 January 2017 at 17:15 TO: Michele Neylon <michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net>, "dave@davecake.net" <dave@davecake.net> CC: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> SUBJECT: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

FROM: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] ON BEHALF OF Michele Neylon - Blacknight SENT: Wednesday, January 25, 2017 12:09 PM TO: Stephanie Perrin; Sam Lanfranco; David Cake CC: gnso-rds-pdp-wg@icann.org SUBJECT: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Stephanie

Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement.

As to the specifics ..

I would argue that generated data is NOT collected, as it’s generated.

If you register stephanieperrin.com [4] with us the only elements we are “collecting” that end up in in the “thin” data are:

the domain name string

the nameservers you’re using (and if you don’t specify any we’ll use our own)

All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered.

[SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated.

Scott

...

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net [5] / www.RRPproxy.net [6] www.domaindiscount24.com [7] / www.BrandShelter.com [8]

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems [9] www.twitter.com/key_systems [10]

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu [11]

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net

Web: www.key-systems.net [5] / www.RRPproxy.net [6] www.domaindiscount24.com [7] / www.BrandShelter.com [8]

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems [9] www.twitter.com/key_systems [10]

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu [11]

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Links: ------ [1] http://www.blacknight.host/ [2] http://blacknight.blog/ [3] http://ceo.hosting/ [4] http://stephanieperrin.com [5] http://www.key-systems.net [6] http://www.RRPproxy.net [7] http://www.domaindiscount24.com [8] http://www.BrandShelter.com [9] http://www.facebook.com/KeySystems [10] http://www.twitter.com/key_systems [11] http://www.keydrive.lu _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

If thin data is considered private data, then ccTLD registries such as those in Europe and Canada would not publish it in WHOIS. But they do. They collect and publish it because it is important for legitimate and stated reasons, and doing so is consistent with the law. The implementations and details vary a bit from country to country, but that's generally the situation. For example, in Germany, where the privacy laws seem some of the most protective, the .DE registry publishes not only the thin data but also some contact data. The reasons for collecting and publishing that include: addressing technical problems, addressing abuse, and intellectual property protection. See below for references. At these registries, thin data (and often at least some contact data) is available anonymously to anyone who queries it. No one has to get pre-authorized permission to query it, no one has to declare their intended use case before getting it. Some members of this WG are arguing that the collection of and publication of thin data, even creation dates, is a problem, or should be gated or permissioned. Such arguments are inconsistent with legally vetted practices in front of us. All best, --Greg DENIC (.DE): https://www.denic.de/fileadmin/public/documentation/DENIC-12p_EN.pdf "[If you make a WHOIS query] Besides the data of the domain holder, the output you will receive will include data on the administrative and the technical contact and on the zone administrator. On top of that, the technical data of the domain will be displayed." https://www.denic.de/en/faqs/faqs-for-domain-holders/ "Why are other people permitted to see my data, for example my address, in the whois query? This data has been rendered public in the whois query for some very good reasons. Firstly, it is important to be able to contact you if ever there are any technical difficulties caused by your domain or its use, which might lead to problems for others. Of course, it would normally be your provider who would sort out such technical problems for you, but that does not affect publication of your data. It may happen that your provider is partly to blame for the technical difficulties and, ultimately, you, the domain holder, will be held liable (and that includes liability for any legal consequences). Secondly, your data must be made public, so that, if your domain is the source of an infringement of somebody else's rights, it will be possible to establish against whom to proceed, if need be. Against this background, incidentally, the German data-protection authorities have expressly approved of the publication of personal data in the whois query. Further information on this subject is to be found, for example, in the thirteenth data-protection report by the government of the German federal state of Hesse (sections 9.2 and 9.3) and also in its fifteenth data-protection report (section 8.7). If you do not want to have your address made public, the only option you have is to get the domain registered by someone else whom you trust. This other person will then be the legal domain holder instead of you, and their address will, of course, be made public in the whois query." ********************************** Greg Aaron Vice-President, Product Management iThreat Cyber Group / Cybertoolbelt.com mobile: +1.215.858.2257 ********************************** The information contained in this message is privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Thursday, January 26, 2017 7:16 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Does all data need to be available to everyone though? Is it not sufficient that there be authorized anyones that can get the data and facilitate the use for those that need it? I have no contest on domain name and name servers being public, but do other parts of the thin data expiration/registration dates have to be to keep the internet functional? I do not dispute that there are purposes for legitimately accessing the data if it is there, but does it all have to be there? Volker Am 26.01.2017 um 09:36 schrieb Michele Neylon - Blacknight: Stephanie Ok that's simple. If you want a domain name to resolve on the internet you need certain data elements to be available to everyone. That's a technical reality. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains http://www.blacknight.host/ http://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca><mailto:stephanie.perrin@mail.utoronto.ca> Date: Thursday 26 January 2017 at 04:26 To: John Bambenek <jcb@bambenekconsulting.com><mailto:jcb@bambenekconsulting.com>, Michele Neylon <michele@blacknight.com><mailto:michele@blacknight.com> Cc: Scott Hollenbeck <shollenbeck@verisign.com><mailto:shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net><mailto:sam@lanfranco.net>, "dave@davecake.net"<mailto:dave@davecake.net> <dave@davecake.net><mailto:dave@davecake.net>, "gnso-rds-pdp-wg@icann.org"<mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose I am not sure how we get to this discussion. What I am saying, is that the purpose of collecting data has to be linked to ICANN's core mission. AS Peter said a while ago, is the core mission to enable law enforcement investigations? No. It is a legitimate purpose to use or disclose limited sets of data as required in accordance with law, but it is not the reason we collect or generate thin data. This distinction is important in data protection law. Nobody is saying we should not disclose the thin data, including name servers. What we are trying to say, and obviously with very little success, is that several of the purposes for collecting thin data which were in the last poll, were not related to ICANN's core mission. They might be legitimate disclosures of data, but they are not legitimate purposes to collect. Displaying data in WHOIS is a disclosure. We are not supposed to be talking about that yet. We keep conflating the legitimacy of collection, and why we gather or generate data elements about a domain name, and disclosure. Sorry to keep hammering on this, but it is a very simple concept that is fundamental to data protection. No wonder we have been arguing about this for 18 years..... cheers Stephanie On 2017-01-25 21:06, John Bambenek wrote: Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home. Unless someone is suggesting we completely re-architect DNS, having nameservers tied to domain records is absolutely essential. You could deprecate displaying it in whois but any DNS client would easily be able to retrieve the data because the resolver still has to know what to ask for. J Sent from my iPhone On Jan 25, 2017, at 16:08, Michele Neylon - Blacknight <michele@blacknight.com<mailto:michele@blacknight.com>> wrote: Stephanie Do you have any links to any legislation / regulations etc., that are this broad? And honestly I don't see how a set of nameserver is "personally identifiable" unless you're using your own name in the hostname (which you could, but then I'd see that as your choice and not a technical requirement) Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains http://www.blacknight.host/ http://blacknight.blog/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> Date: Wednesday 25 January 2017 at 19:40 To: Michele Neylon <michele@blacknight.com<mailto:michele@blacknight.com>>, Scott Hollenbeck <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>>, Sam Lanfranco <sam@lanfranco.net<mailto:sam@lanfranco.net>>, "dave@davecake.net<mailto:dave@davecake.net>" <dave@davecake.net<mailto:dave@davecake.net>> Cc: "gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>" <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are. Stephanie On 2017-01-25 12:32, Michele Neylon - Blacknight wrote: Scott Sure, but if we go down that route we could make cases for a lot of things :) My main problem with this entire debacle is that the data we're dealing with is pretty much useless and isn't personally identifiable. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Social: http://mneylon.social Some thoughts: http://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Scott Hollenbeck <shollenbeck@verisign.com><mailto:shollenbeck@verisign.com> Date: Wednesday 25 January 2017 at 17:15 To: Michele Neylon <michele@blacknight.com><mailto:michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca><mailto:stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net><mailto:sam@lanfranco.net>, "dave@davecake.net"<mailto:dave@davecake.net> <dave@davecake.net><mailto:dave@davecake.net> Cc: "gnso-rds-pdp-wg@icann.org"<mailto:gnso-rds-pdp-wg@icann.org> <gnso-rds-pdp-wg@icann.org><mailto:gnso-rds-pdp-wg@icann.org> Subject: RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Wednesday, January 25, 2017 12:09 PM To: Stephanie Perrin; Sam Lanfranco; David Cake Cc: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose Stephanie Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement. As to the specifics .. I would argue that generated data is NOT collected, as it's generated. If you register stephanieperrin.com<http://stephanieperrin.com> with us the only elements we are "collecting" that end up in in the "thin" data are: the domain name string the nameservers you're using (and if you don't specify any we'll use our own) All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered. [SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that - generated. Scott _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Web: www.key-systems.net<http://www.key-systems.net> / www.RRPproxy.net<http://www.RRPproxy.net> www.domaindiscount24.com<http://www.domaindiscount24.com> / www.BrandShelter.com<http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems<http://www.facebook.com/KeySystems> www.twitter.com/key_systems<http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu<http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

I am not saying it is necessarily privileged data, I would assume it probably is not. However that does not answer the question whether it should be published for anyone to see, given that there is also potential for abuse. The creation date and the renewal dates allow the criminal mind to send fake renewal notices, do domain slamming, etc. If that information were only handled by registry, registrar and registrant, a lot of currently existing abuse would be much harder to do, if not go away completely. Am 26.01.2017 um 16:31 schrieb Greg Aaron:

If thin data is considered private data, then ccTLD registries such as those in Europe and Canada would not publish it in WHOIS. But they do. They collect and publish it because it is important for legitimate and stated reasons, and doing so is consistent with the law. The implementations and details vary a bit from country to country, but that’s generally the situation.

For example, in Germany, where the privacy laws seem some of the most protective, the .DE registry publishes not only the thin data but also some contact data. The reasons for collecting and publishing that include: addressing technical problems, addressing abuse, and intellectual property protection. See below for references.

At these registries, thin data (and often at least some contact data) is available anonymously to anyone who queries it. No one has to get pre-authorized permission to query it, no one has to declare their intended use case before getting it.

Some members of this WG are arguing that the collection of and publication of thin data, even creation dates, is a problem, or should be gated or permissioned. Such arguments are inconsistent with legally vetted practices in front of us.

All best,

--Greg

DENIC (.DE):

https://www.denic.de/fileadmin/public/documentation/DENIC-12p_EN.pdf

“[If you make a WHOIS query] Besides the data of the domain holder, the output you will receive will include data on the administrative and the technical contact and on the zone administrator. On top of that, the technical data of the domain will be displayed.”

https://www.denic.de/en/faqs/faqs-for-domain-holders/

“Why are other people permitted to see my data, for example my address, in the whois query?

This data has been rendered public in the whois query for some very good reasons.

Firstly, it is important to be able to contact you if ever there are any technical difficulties caused by your domain or its use, which might lead to problems for others. Of course, it would normally be your provider who would sort out such technical problems for you, but that does not affect publication of your data. It may happen that your provider is partly to blame for the technical difficulties and, ultimately, you, the domain holder, will be held liable (and that includes liability for any legal consequences).

Secondly, your data must be made public, so that, if your domain is the source of an infringement of somebody else's rights, it will be possible to establish against whom to proceed, if need be.

Against this background, incidentally, the German data-protection authorities have expressly approved of the publication of personal data in the whois query. Further information on this subject is to be found, for example, in the thirteenth data-protection report by the government of the German federal state of Hesse (sections 9.2 and 9.3) and also in its fifteenth data-protection report (section 8.7).

If you do not want to have your address made public, the only option you have is to get the domain registered by someone else whom you trust. This other person will then be the legal domain holder instead of you, and their address will, of course, be made public in the whois query.”

**********************************

Greg Aaron

Vice-President, Product Management

iThreat Cyber Group / Cybertoolbelt.com

mobile: +1.215.858.2257

**********************************

The information contained in this message is privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

*From:*gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Thursday, January 26, 2017 7:16 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Does all data need to be available to everyone though? Is it not sufficient that there be authorized anyones that can get the data and facilitate the use for those that need it? I have no contest on domain name and name servers being public, but do other parts of the thin data expiration/registration dates have to be to keep the internet functional?

I do not dispute that there are purposes for legitimately accessing the data if it is there, but does it all have to be there?

Volker

Am 26.01.2017 um 09:36 schrieb Michele Neylon - Blacknight:

Stephanie

Ok that’s simple.

If you want a domain name to resolve on the internet you need certain data elements to be available to everyone.

That’s a technical reality.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

http://www.blacknight.host/

http://blacknight.blog/

http://ceo.hosting/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,Ireland Company No.: 370845

*From: *Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> <mailto:stephanie.perrin@mail.utoronto.ca> *Date: *Thursday 26 January 2017 at 04:26 *To: *John Bambenek <jcb@bambenekconsulting.com> <mailto:jcb@bambenekconsulting.com>, Michele Neylon <michele@blacknight.com> <mailto:michele@blacknight.com> *Cc: *Scott Hollenbeck <shollenbeck@verisign.com> <mailto:shollenbeck@verisign.com>, Sam Lanfranco <sam@lanfranco.net> <mailto:sam@lanfranco.net>, "dave@davecake.net" <mailto:dave@davecake.net><dave@davecake.net> <mailto:dave@davecake.net>, "gnso-rds-pdp-wg@icann.org" <mailto:gnso-rds-pdp-wg@icann.org><gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

I am not sure how we get to this discussion. What I am saying, is that the purpose of collecting data has to be linked to ICANN's core mission. AS Peter said a while ago, is the core mission to enable law enforcement investigations? No. It is a legitimate purpose to use or disclose limited sets of data as required in accordance with law, but it is not the reason we collect or generate thin data. This distinction is important in data protection law. Nobody is saying we should not disclose the thin data, including name servers. What we are trying to say, and obviously with very little success, is that several of the purposes for collecting thin data which were in the last poll, were not related to ICANN's core mission. They might be legitimate disclosures of data, but they are not legitimate purposes to collect.

Displaying data in WHOIS is a disclosure. We are not supposed to be talking about that yet. We keep conflating the legitimacy of collection, and why we gather or generate data elements about a domain name, and disclosure.

Sorry to keep hammering on this, but it is a very simple concept that is fundamental to data protection. No wonder we have been arguing about this for 18 years.....

cheers Stephanie

On 2017-01-25 21:06, John Bambenek wrote:

Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home.

Unless someone is suggesting we completely re-architect DNS, having nameservers tied to domain records is absolutely essential.

You could deprecate displaying it in whois but any DNS client would easily be able to retrieve the data because the resolver still has to know what to ask for.

J

Sent from my iPhone

On Jan 25, 2017, at 16:08, Michele Neylon - Blacknight <michele@blacknight.com <mailto:michele@blacknight.com>> wrote:

Stephanie

Do you have any links to any legislation / regulations etc., that are this broad?

And honestly I don’t see how a set of nameserver is “personally identifiable” unless you’re using your own name in the hostname (which you could, but then I’d see that as your choice and not a technical requirement)

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

http://www.blacknight.host/

http://blacknight.blog/

http://ceo.hosting/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,

Ireland Company No.: 370845

*From: *Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> *Date: *Wednesday 25 January 2017 at 19:40 *To: *Michele Neylon <michele@blacknight.com <mailto:michele@blacknight.com>>, Scott Hollenbeck <shollenbeck@verisign.com <mailto:shollenbeck@verisign.com>>, Sam Lanfranco <sam@lanfranco.net <mailto:sam@lanfranco.net>>, "dave@davecake.net <mailto:dave@davecake.net>" <dave@davecake.net <mailto:dave@davecake.net>> *Cc: *"gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>" <gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>> *Subject: *Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Unfortunately, in a world where the Internet of things is taking off, privacy advocates and authorities have to insist that data generated by or as a result of the actions of an individual or his devices(eg metadata, timestamping, etc) has to be considered as personal information. If it is used to describe processes pertaining to that information, if it could be used to incriminate that individual, it is important that it be recognized as information for which individuals have rights. Otherwise, we have a situation where the individual has no right to access information that may impact him, may incriminate him, but to which he may be utterly oblivious. Sorry it is such a pain in the neck, but there we are.

Stephanie

On 2017-01-25 12:32, Michele Neylon - Blacknight wrote:

Scott

Sure, but if we go down that route we could make cases for a lot of things J

My main problem with this entire debacle is that the data we’re dealing with is pretty much useless and isn’t personally identifiable.

Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

http://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Social: http://mneylon.social

Some thoughts: http://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

*From: *Scott Hollenbeck <shollenbeck@verisign.com> <mailto:shollenbeck@verisign.com> *Date: *Wednesday 25 January 2017 at 17:15 *To: *Michele Neylon <michele@blacknight.com> <mailto:michele@blacknight.com>, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> <mailto:stephanie.perrin@mail.utoronto.ca>, Sam Lanfranco <sam@lanfranco.net> <mailto:sam@lanfranco.net>, "dave@davecake.net" <mailto:dave@davecake.net><dave@davecake.net> <mailto:dave@davecake.net> *Cc: *"gnso-rds-pdp-wg@icann.org" <mailto:gnso-rds-pdp-wg@icann.org><gnso-rds-pdp-wg@icann.org> <mailto:gnso-rds-pdp-wg@icann.org> *Subject: *RE: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>[mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Michele Neylon - Blacknight *Sent:* Wednesday, January 25, 2017 12:09 PM *To:* Stephanie Perrin; Sam Lanfranco; David Cake *Cc:* gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Now open: 18 January Poll on Purpose

Stephanie

Sorry, but policy + the technology go hand in hand. You cannot completely separate them and any policy that this (or any other) group produces needs to be technically possible to implement.

As to the specifics ..

I would argue that generated data is NOT collected, as it’s generated.

If you register stephanieperrin.com <http://stephanieperrin.com>with us the only elements we are “collecting” that end up in in the “thin” data are:

the domain name string

the nameservers you’re using (and if you don’t specify any we’ll use our own)

All the other elements are NOT collected by the registrar or even the registry from the registrant, they are generated as part of the process of the domain being registered.

[SAH] Michele, some might argue that the registration period is also collected from the registrant and is then used to generate the expiration date at the registry. A case might also be made for status values like clientTransferProhibited etc. I agree completely that generated data is just that – generated.

Scott

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

_______________________________________________

gnso-rds-pdp-wg mailing list

gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net> Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems> Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email:vgreimann@key-systems.net <mailto:vgreimann@key-systems.net> Web:www.key-systems.net <http://www.key-systems.net> /www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> /www.BrandShelter.com <http://www.BrandShelter.com> Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems> CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

RE the connection between created/generated data and input-by-user data - and whether generated data is "personal" (or can be used to identify a person) ... My credit-card number is generated data, automatically created, and it absolutely is "personal data" :) Michele wrote:

If you want a domain name to resolve on the internet you need certain data elements to be available to everyone. That’s a technical reality.

As the Cheshire Cat said ... "I'm not crazy. My reality is just different than yours." And I think we are drifting into a reality where we are conflating Domains and RDS - can these things be found out (where appropriate) another way than a whois lookup - absolutely - a resolving domain name will have entries in a zone file on a nameserver RDS being _required_ for anything to "work" however is a complete fallacy, not a technical reality - an RDS is not in any way needed for the functioning of the internet, resolving of domain names and so on - that's simply not how it works. no-rds-test.astutium.com . 517344 IN NS a.root-servers.net. . 517344 IN NS b.root-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. astutium.com. 172800 IN NS ns1.astutium.com. astutium.com. 172800 IN NS ns2.astutium.com. ns1.astutium.com. 14400 IN A 80.76.218.199 no-rds-test.astutium.com. 14400 IN A 80.76.211.1 No "whois" (RDS) was accessed at any point to determine the current IP address - The port 43 was actively firewalled and that new dns entry still resolves, still pings - i.e. still works

On 2017-01-25 21:06, John Bambenek wrote: Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home.

Plenty of RDS failures happen - with some registries/registrars their whois is down more than up, and the internet still works, the domains still work and so on - domains resolve based on the nameservers of the domain returning an appropriate answer, neither the nameserver details nor the answer are retrieved from any RDS, and the inclusion (or not) in RDS will not be changing that in any way It's _convenient_ for non-techies to use the "current RDS" (whois) to see what the nameservers *might have been at some historical point-in-time* [with caveats about why that data is incorrect as often as it's correct] but that is (in my experience) because explaining how to "nslookup" or "dig" or "whatever" often takes longer than "go to internic.net and type ..."

You could deprecate displaying it in whois but any DNS client would easily be able to retrieve the data because the resolver still has to know what to ask for.

Indeed, in fact as the resolver method is more reliable, more accurate, faster, necessary and so on - why are we duplicating it in WHOIS at all ?!? Rob --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

...

...

Regardless of the privacy implications, if someone who wants to look up a hostname and can't find can't figure out what the authoritative nameservers are for the domain, DNS quite simply will not work and with it the internet is down; go home.

...

Plenty of RDS failures happen - with some registries/registrars their whois is down more than up, and the internet still works, the domains still work and so on - domains resolve based on the nameservers of the domain returning an appropriate answer, neither the nameserver details nor the answer are retrieved from any RDS, and the inclusion (or not) in RDS will not be changing that in any way

My point wasn't that RDS has to be correct... my point was the registries need to collect and present this data anyway and it has to be globally consistent and accessible (via DNS).

We aren't talking about DNS, we aren't (able to or even contemplating) changing DNS - so the nameservers being available for DNS (as they would have to be) I think is a perfectly good reason _not_ to include them in RDS Data should exist once, only once and exactly once :) If there is already a way to get it, why create yet another store/display method _in addition to not replacing_ the correct existing method ? (especially with the inherrant issues we have now that the data isn't necessarily accurate)

So the entities collect and display it to users using the right commands anyway, so turning around and saying we have to shield it from RDS as a privacy risk is a fallacy

I (personally) don't think _nameservers_ is privacy risk (I can already find out your nameservers should your domain have them set) -as _something_ needs to be able to query them for things to work I still don’t think duplicating data is ever a good idea, and in the (current) case of WHOIS is actively hurting rather than helping Rob --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

When things break, one thing any competent network admin does is check the DNS to make sure something isn't wrong. If that doesn't seem broken, one immediately checks whois/RDDS to see whether what's in the DNS is what's _supposed_ to be there. I admit to being a newbie to the Internet, since I didn't join it until some time in the 1990s, but as near as I can tell this is what people have _always_ done to diagonose problems.

Definitely not disagreeing with the principle - yes it's more-or-less what sysadmins doing diagnostics have always done - although I think you missed the very first step which is * ask when the user last fiddled with it (not ever taking their first answer) Where I see the methodology differing slightly is the "check whois" part Now it's _probably_ due to the type of business we are in - instead of "look at whois" (which was for many years a part of the process) as a Registrar that became * check our own systems * query the registry Or quite often when guiding people through the same what-is-broken checks swapping some of that for * check with your registrar The RDS part of the checking has for a long time in my experience been declining in usefulness - often even diverting onto looking at non-exist-problems at the expense of dealing with the actual issue What you said about "to see whether what's in the DNS is what's _supposed_ to be there" is 100% correct ! I just think with the real disconnect between "the system that puts it in the tld zone" and "the system that displays stuff to the public" at registrars/registries [ which is why we have "you'll update the whois with T period" sections in ICANN contracts ] it's the wrong thing to be using to verify things. It's not the "end of the world" to me either way

note, the reason that a "centralized" system that holds all the data for all registries is as astonishingly bad idea, because it creates yet a new data sync problem that cannot be checked.)

Agreed, I'm not a fan of that idea. Neither am I a fan of the current com/net whois-referral system rather than the details per domain being at the actual registry for that TLD because of the data dupe/sync/accuracy/availability issues (plus making transfers easier etc)

There are lots of other uses of the current whois system that I think are bogus (I think, for instance, that the encroachment of intellectual property claims on the DNS has been an unmitigated disaster for the Internet). But this technical use is the basic point of the RDS facility, and I think it is plainly useful.

I'm not disagreeing it has _been_ useful - I just don't see it as having remained as useful / reliable as it was in back when we could carry a list of all the domain names in existence in a lever arch binder :) Rob --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

..and Sam. -Carlton ============================== *Carlton A Samuels* *Mobile: 876-818-1799Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Wed, Jan 25, 2017 at 6:46 AM, Sam Lanfranco <sam@lanfranco.net> wrote:

Thank you Michele, ( ignoring the spell check driven typo of "think" for "thick" (-: ). We should be able to put this "thin" discussion behind us. The "thin" discussion should have taken about 2 email exchanges. Here is CIRA's (thin) search for .ca domain names [disclosure: it is my domain name]

Domain name: artisanalpot.ca Domain status: registered Creation date: 2016/12/14 Expiry date: 2017/12/14 Updated date: 2016/12/19 DNSSEC: Unsigned Registrar: Name: Web Hosting Canada (7081936 Canada Inc.) Number: 5000080 Name servers: ns1.whc.ca 173.209.49.178 ns2.whc.ca 198.245.53.176 ns3.whc.ca 198.245.61.86 % WHOIS look-up made at 2017-01-25 11:32:24 (GMT) % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % (c) 2017 Canadian Internet Registration Authority, (http://www.cira.ca/)

Nothing private is disclosed and LEA would have to resort to legal means to get to what is in the "thick" data set. There are no ICANN policy issues here.

Sam L <artisanalpot.ca> (-:

_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg