Use Case - Dissident Group Using the Internet to Communicate Information
Hello all,
I would like to introduce an additional use case. This is just a rough draft for now, and I welcome your feedback on how this use case can be strengthened.
The scenario is: a dissident group launches a website to bring important news and information to the public. They register their domain name in a foreign nation and do not want law enforcement, or other parties, to be able to identify the website’s administrators, management, and/or sources of information. If this information was made known, their publishing could be silenced and their sources and contributors could suffer harm. The registrant is not aware of the existence of privacy proxy services at the time they register their domain name.
*Misuse Case:* The RDS could be used by State actors or other parties to identify members of or contributors to the dissident group, and this could result in their voices being silenced through legal, political, or physical means.
*Main Misuse Case:* An actor is unhappy that a website in a country is publishing material that speaks unfavourably about a given topic. They wish to launch political and legal attacks to silence the website’s publishers and to alter the narrative of the historical record on this topic. They thus utilise the RDS to identify a contact of someone involved in the administration of this website, with the view of torturing or otherwise extracting from this contact the names and contact details of contributors to the dissenting website. As the registrant does not subscribe to a privacy proxy service (possibly because of limited financial resources, or lack of awareness that such a service exists), their contact details have been permanently published into the public record and their privacy is thus permanently breached. As a result the RDS threatens the ability of dissenting voices to exercise their inalienable rights in an online environment.
*Primary Actor:* Government or other entity wanting to censor a dissident group.
*Other stakeholders:* Domain name registrant.
*Scope:*
*Level:*
*Data Elements:* In order to prevent misuse by another actor, no personally identifiable information should be stored in the RDS whatsoever. The only data elements that the RDS requires to operate on a technical level are: the domain name itself, the registrar, the domain name’s expiry date, and its status (registered / not registered). For it to be of functional use, there are two optional fields: name servers, and the auth-code.
*Story:*
* A requestor accesses the RDS to obtain information about a registered domain name. The RDS immediately returns the registration data associated with the domain name, which may include a name and physical address of the registrant.
* The requestor passes the extracted information on to a third party who visits the physical address of the contact. The registrant suffers physical harm as a result of the RDS and no longer feels comfortable using the Internet to convey to the public important information.
*Privacy implications:* Article 19 of the Universal Declaration of Human Rights states that everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers. These principles must be upheld in the RDS. An RDS that contains any personally identifiable information would threaten these very freedoms. Accordingly, the RDS must only collect and store data for limited, lawful, and appropriate purposes.
*Who has control of and access to the data:*
*Conditions under which the data are accessible:*
*How data can be accessed:* At this time, personally identifiable information can be accessed by any party in the world, for any reason. This is not consistent with best practices in privacy protection.
*Other?*
As you can see, I have left a few of the fields in Lisa's template for use cases blank. I do not have all the answers, so I would very much welcome your suggestions on how this use case could be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead. I'll revise this use case once I understand this exercise a bit better.
Thank you for your time, consideration, and feedback.
Best wishes,
Ayden Férdeline
Are we keeping these source cases based on fact, or are hypothetical use cases permitted?
*Nick Shorey BA(Hons) MSc.*
Senior Policy Advisor | Global Internet Governance
Department for Culture, Media & Sport
HM Government | United Kingdom
Email: nick.shorey@culture.gov.uk
Tel: +44 (0)7741 256 320
Skype: nick.shorey
Twitter: @nickshorey
LinkedIn: www.linkedin.com/in/nicklinkedin
On 25 July 2016 at 23:41, Ayden Férdeline <icann@ferdeline.com> wrote:
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Hi Nick,
This case is very, very real. It is exactly what I have seen many times in my experience.
Kathy
Kathy Kleiman, Esq.
Co-Founder, Noncommercial Users Constituency
On 7/26/2016 5:27 AM, Nick Shorey wrote:
Here are three cases that are variations of the scenario that Ayden presented.
1. Member of the dissident group registers a gTLD domain name using a privacy service, located in a different country from the registrant. The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost. Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint. The decision may depend mainly on whether the service provider believes the registrant has breached the service provider’s terms of service, as interpreted under the laws of the service provider’s country (not the country of the registrant and the complaining government).
2. Instead of a gTLD domain, member of the dissident group chooses to register a ccTLD domain, in a ccTLD that does not provide registrant contact data in its WHOIS. The ccTLD registry and registrar are outside the dissident’s country. If the government authorities in the dissident’s country wish to obtain contact data, the government authorities must contact either the registrar or registry, which will then consider the complaint according to their terms of service, as interpreted under the laws of the registrar’s or registry’s country.
3. Member of the dissident group registers a gTLD domain name using a proxy, such as a law firm located in another country. If government authorities in the dissident’s country request the identity of the dissident, the proxy must decide whether to reveal its client’s name. The proxy is not subject to the jurisdiction of the foreign government.
These use cases assume that dissidents wish to take steps to keep their identities from their government regime.
All three cases allow the registrant to work within existing ICANN registration data policies, including the recommendations that have come out of the recent privacy/proxy PDP.
All best,
--Greg
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Monday, July 25, 2016 6:41 PM
To: gnso-rds-pdp-wg@icann.org
Subject: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information
To supplement Greg’s point, it is also the case that there are many other ways for a “dissident group [to use] the Internet to communicate information,” other than by registering a domain name at the second level in a gTLD – or at all.
Steve Metalitz
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron
Sent: Tuesday, July 26, 2016 9:11 AM
To: Ayden Férdeline; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information
Does that not apply to any activity on the internet? Why use domain names besides facebook.com at all then?
On 26.07.2016 at 15:25, Metalitz, Steven wrote:
To supplement Greg’s point, it is also the case that there are many other ways for a “dissident group [to use] the Internet to communicate information,” other than by registering a domain name at the second level in a gTLD – or at all.
**
Steve Metalitz
*From:*gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Greg Aaron *Sent:* Tuesday, July 26, 2016 9:11 AM *To:* Ayden Férdeline; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information
Here are three cases that are variations of the scenario that Ayden presented.
1.Member of the dissident group registers a gTLD domain name using a privacy service, located in a different country from the registrant. The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost. Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint. The decision may depend mainly on whether the service provider believes the registrant has breached the service provider’s terms of service, as interpreted under the laws of the service provider’s country (not the country of the registrant and the complaining government).
2. Instead of a gTLD domain, member of the dissident group chooses to register a ccTLD domain, in a ccTLD that does not provide registrant contact data in its WHOIS. The ccTLD registry and registrar are outside the dissident’s country. If the government authorities in the dissident’s country wish to obtain contact data, the government authorities must contact either the registrar or registry, which will then consider the complaint according to their terms of service, as interpreted under the laws of the registrar’s or registry’s country.
3.Member of the dissident group registers a gTLD domain name using a proxy, such as a law firm located in another country. If government authorities in the dissident’s country request the identity of the dissident, the proxy must decide whether to reveal its client’s name. The proxy is not subject to the jurisdiction of the foreign government.
These use cases assume that dissidents wish to take steps to keep their identities from their government regime. All three cases allow the registrant to work within existing ICANN registration data policies, including the recommendations that have come out of the recent privacy/proxy PDP.
All best,
--Greg
From: gnso-rds-pdp-wg-bounces@icann.org On Behalf Of Ayden Férdeline
Sent: Monday, July 25, 2016 6:41 PM
To: gnso-rds-pdp-wg@icann.org
Subject: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information
Hello all,
I would like to introduce an additional use case. This is just a rough draft for now, and I welcome your feedback on how this use case can be strengthened.
The scenario is: a dissident group launches a website to bring important news and information to the public. They register their domain name in a foreign nation and do not want law enforcement, or other parties, to be able to identify the website’s administrators, management, and/or sources of information. If this information was made known, their publishing could be silenced and their sources and contributors could suffer harm. The registrant is not aware of the existence of privacy proxy services at the time they register their domain name.
*Misuse Case:* The RDS could be used by State actors or other parties to identify members of or contributors to the dissident group, and this could result in their voices being silenced through legal, political, or physical means.
*Main Misuse Case:* An actor is unhappy that a website in a country is publishing material that speaks unfavourably about a given topic. They wish to launch political and legal attacks to silence the website’s publishers and to alter the narrative of the historical record on this topic. They thus utilise the RDS to identify a contact of someone involved in the administration of this website, with the view of torturing or otherwise extracting from this contact the names and contact details of contributors to the dissenting website. As the registrant does not subscribe to a privacy proxy service (possibly because of limited financial resources, or lack of awareness that such a service exists), their contact details have been permanently published into the public record and their privacy is thus permanently breached. As a result the RDS threatens the ability of dissenting voices to exercise their inalienable rights in an online environment.
*Primary Actor:* Government or other entity wanting to censor a dissident group.
*Other stakeholders:* Domain name registrant.
*Scope:*
*Level:*
*Data Elements:* In order to prevent misuse by another actor, no personally identifiable information should be stored in the RDS whatsoever. The only data elements that the RDS requires to operate on a technical level are: the domain name itself, the registrar, the domain name’s expiry date, and its status (registered / not registered). For it to be of functional use, there are two optional fields: name servers, and the auth-code.
*Story:*
* A requestor accesses the RDS to obtain information about a registered domain name. The RDS immediately returns the registration data associated with the domain name, which may include a name and physical address of the registrant.
* The requestor passes the extracted information on to a third party who visits the physical address of the contact. The registrant suffers physical harm as a result of the RDS and no longer feels comfortable using the Internet to convey to the public important information.
*Privacy implications:* Article 19 of the Universal Declaration of Human Rights states that everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers. These principles must be upheld in the RDS. An RDS that contains any personally-identifiable information would threaten these very freedoms. Accordingly, the RDS must only collect and store data for limited, lawful, and appropriate purposes.
*Who has control of and access to the data:*
*Conditions under which the data are accessible:*
*How data can be accessed:* At this time, personally identifiable information can be accessed by any party in the world, for any reason. This is not consistent with best practices in privacy protection.
*Other?*
As you can see, I have left a few of the fields in Lisa's template for use cases blank. I do not have all the answers, so I would very much welcome your suggestions on how this use case could be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead. I'll revise this use case once I understand this exercise a bit better.
Thank you for your time, consideration, and feedback.
Best wishes,
Ayden Férdeline
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
--
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH, Im Oberen Werk 1, 66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments are intended only for the person to whom they are addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
Volker, I assume your marketing department can provide you with an answer to your second question……
Steve Metalitz

From: gnso-rds-pdp-wg-bounces@icann.org On Behalf Of Volker Greimann
Sent: Tuesday, July 26, 2016 9:31 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

Does that not apply to any activity on the internet? Why use domain names besides facebook.com at all then?

On 26.07.2016 at 15:25, Metalitz, Steven wrote:
To supplement Greg’s point, it is also the case that there are many other ways for a “dissident group [to use] the Internet to communicate information,” other than by registering a domain name at the second level in a gTLD – or at all.
Steve Metalitz
Hello Steve,
Don’t we have two scenarios with data of such an initiative group? One when we have a strong demand from the GAC to disclose data (the initiative group has gone too far on this planet and all GAC members support this demand), and the other when the GAC does not have a single position on this (some countries do support them, and some want their data ASAP for some unpleasant things to start). (In this case it is not for us to decide and we do not have to do anything until the GAC resolves it … or it falls into the basic LEA use case.)
Sincerely Yours,
Maxim Alzoba
Special projects manager, International Relations Department, FAITID
m. +7 916 6761580 skype oldfrogger
Current UTC offset: +3.00 (Moscow)
I agree Steve, however the cases before us are related to registration of a gTLD for the use case specified. I can create hundreds of other use cases for use of the internet by such groups, but they wouldn’t be relevant to the scope of this group.
—James
I do not have all the answers, so I would very much welcome your suggestions on how this use case could be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead. I'll revise this use case once I understand this exercise a bit better. Thank you for your time, consideration, and feedback. Best wishes, Ayden Férdeline [https://app.mixmax.com/api/track/v2/Rv7sFvWFObcE9nmgR/i02bj5SZulGblRmclZGQu5...]
As someone who has spent the past 7+ years teaching Opsec (Operational Security) to dissident and at-risk groups across the world, I can guarantee you that this is not the case with regards to awareness of such services.

-James

From: gnso-rds-pdp-wg-bounces@icann.org on behalf of Greg Aaron <gca@icginc.com>
Date: Tuesday 26 July 2016 at 14:10
To: Ayden Férdeline <icann@ferdeline.com>, gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost.
Thanks for your comments, Greg. Without wanting to dive too deep into our deliberations, I would just like to briefly comment on this:

> The actual market price of such services is inexpensive (for example GoDaddy's is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost.

I do not think it is reasonable to make such an assumption. Privacy proxy services have not reached critical mass, as most domain names are not protected through such cloaks. In addition, the subscription cost of such services must be seen as relative to local incomes and the ability to make a purchase in a foreign currency. It is not easy for everyone in every country to purchase goods online; not everyone has access to a credit card, and in many regions payment processors do not accept all currencies. And while US$7.00 per year may not be a lot to you or me, it is a significant amount of money to some.

When I was living in Argentina in 2014, the government imposed restrictions on online purchases as part of efforts to prevent foreign currency reserves from dwindling. At one stage, I believe that Argentine credit cards were limited to making no more than US$25 per month in foreign transactions. In such a case a dissident group would have to choose carefully how to allocate their resources. Do they buy Skype credit to make calls abroad? Do they buy a privacy proxy cloak? Do they purchase literature from abroad that cannot be purchased locally?

> Government authorities in the dissident's country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government's complaint.

This operates on the assumption that due process is followed. A privacy service provider is not a court and, as far as I am aware, there is no binding entitlement for domain name registrants to a fair and public hearing within a reasonable time by an independent, competent, and impartial tribunal as to whether the registrant's data should be released to that government authority. This also assumes that the data is requested and not simply taken. Given efforts are underway globally to restrict encryption, we cannot presume that all governments worldwide will follow due process if the data they desire exists in some form where it can somehow be extracted.

Best wishes,
Ayden
Thanks for the use case, Ayden. A few questions/comments.

Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident's domain name operation are handled?

As for the cost of P/P services, I appreciate the view that it is an added cost (and even, FWIW, that one should not have to pay for privacy), but so is the purchase of the domain name, hosting provider, web-site, TLS cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it), I'm not sure the extra cost for the P/P add-on is truly prohibitive.

Lastly, can you clarify the term "foreign nation" in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps, but one that got me thinking about how (or even if) this use case would play out in a real world scenario.

Thanks!!
Alex

_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Thanks for the questions, Alex. I am happy to clarify.

> Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident's domain name operation are handled?

I consider this to be registrar-registrant contract information. As such, it is up to the registrar to determine which additional data elements they wish to collect (if any), how they wish to store this data (if applicable), and to whom they wish to release it, in accordance with local laws and the informed consent of their customers.

> As for the cost of P/P services, I appreciate the view that it is an added cost (and even, FWIW, that one should not have to pay for privacy), but so is the purchase of the domain name, hosting provider, web-site, TLS cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it), I'm not sure the extra cost for the P/P add-on is truly prohibitive.

It is possible that the web hosting or these other required products/services have been donated. But the principle is less about the cost and more about the data being collected in the first place. If there exists a database which contains personally identifiable information, even if this information is stored behind a locked door, it is not unimaginable to anticipate it will be breached at some stage. And once data is leaked, the damage is permanent.

> Lastly, can you clarify the term "foreign nation" in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps, but one that got me thinking about how (or even if) this use case would play out in a real world scenario.

The dissident lives in country X. The foreign nation is any other sovereign state except X.

Best wishes,
Ayden
Accordingly, the RDS must only collect and store data for limited, lawful, and appropriate purposes. Who has control of and access to the data: Conditions under which the data are accessible: How data can be accessed: At this time, personally identifiable information can be accessed by any party in the world, for any reason. This is not consistent with best practices in privacy protection. Other? As you can see, I have left a few of the fields in Lisa's template for use cases blank. I do not have all the answers, so I would very much welcome your suggestions on how this use case could be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead. I'll revise this use case once I understand this exercise a bit better. Thank you for your time, consideration, and feedback. Best wishes, Ayden Férdeline Ayden Férdeline Statement of Interest _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg Ayden Férdeline Statement of Interest
So let me point out that the EWG spent a huge amount of time on exactly this use case area to address these very difficult issues and concerns to life and liberty. One reason that this took a lot of time is that the option that Ayden is advocating for here that you cannot store ANY personally identifiable data in any place anywhere (paraphrasing, please correct if I’m misinterpreting you here) due to risk of its exposure due to some compromise in the chain (RDS, registry, registrar, P/P service) runs counter to one of the *primary* use case building blocks for domain registrants. That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use" if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc. So imposing requirements for a minuscule fraction of the domain registrant population in order to handle an uncommon (yet vitally important!) use case is simply disproportional.
This is a great example of why you develop use cases - to tease out where they conflict, and instead of proscribing solutions up front (in this case not collecting information at all) you explore what the goals are (in this case, making sure that an oppressive regime cannot get ahold of the personal information of a dissident that could put them at risk of harm) to see how to solve those while imposing such restrictions on the system that you can’t accomplish other, equal or in this case, far more important goals of the system.
So, what did we do on the EWG? We proposed an entire system for dealing with such circumstances and that is explained in section VII b. Secure Protected Credentials Principals on pages 101-108 of the EWG report (https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf). I would refer people with an interest in this topic to that rather detailed section of our report to see a potential way forward on these issues. Since the writing of the EWG report, much more work has occurred within the space of providing anonymous, yet verifiable credentialing, particularly with the use of blockchain technologies which are open source, and largely available at very low cost for usage in software products and online services. Domain registration is not the only area where people have this sort of interest, and the market, along with the technical community, are responding accordingly. So while this is just one way of solving this use case, and may not be fully fleshed out to the implementation level in the current level of documentation, I will posit that when you run into a use case like this that runs counter to many others, there will often be a way to solve it without hampering or invalidating other use cases, particularly fundamental ones.
Cheers,
Rod
Rod Rasmussen
VP, Cybersecurity - <http://www.infoblox.com/>
On Jul 26, 2016, at 8:57 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Thanks for the questions, Alex. I am happy to clarify.
Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident's domain name operation are handled?
I consider this to be registrar-registrant contract information. As such, it is up to the registrar to determine which additional data elements they wish to collect (if any), how they wish to store this data (if applicable), and to whom they wish to release it, in accordance with local laws and the informed consent of their customers.
As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, TLS cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.
It is possible that the web hosting or these other required products/services have been donated.
But the principle is less about the cost and more about the data being collected in the first place. If there exists a database which contains personally identifiable information, even if this information is stored behind a locked door, it is not unimaginable to anticipate it will be breached at some stage. And once data is leaked, the damage is permanent.
Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.
The dissident lives in country X. The foreign nation is any other sovereign state except X.
Best wishes,
Ayden
On Tue, Jul 26, 2016 4:46 PM, Deacon, Alex <Alex_Deacon@mpaa.org> wrote:
Thanks for the use case Ayden. A few questions/comments.
Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident's domain name operation are handled?
As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, TLS cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.
Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.
Thanks!!
Alex
On Jul 26, 2016, at 6:38 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Thanks for your comments, Greg. Without wanting to dive too deep into our deliberations, I would just like to briefly comment on this:
The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost.
I do not think it is reasonable to make such an assumption. Privacy proxy services have not reached critical mass, as most domain names are not protected through such cloaks.
In addition, the subscription cost of such services must be seen as relative to local incomes and the ability to make a purchase in a foreign currency. It is not easy for everyone in every country to purchase goods online; not everyone has access to a credit card, and in many regions payment processors do not accept all currencies. And while US$7.00 per year may not be a lot to you or me, it is a significant amount of money to some.
When I was living in Argentina in 2014, the government imposed restrictions on online purchases as part of efforts to prevent foreign currency reserves from dwindling. At one stage, I believe that Argentine credit cards were limited to making no more than US$25 per month in foreign transactions. In such a case a dissident group would have to choose carefully how to allocate their resources. Do they buy Skype credit to make calls abroad? Do they buy a privacy proxy cloak? Do they purchase literature from abroad that cannot be purchased locally?
Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint.
This operates on the assumption that due process is followed. A privacy service provider is not a court and, as far as I am aware, there is no binding entitlement for domain name registrants to a fair and public hearing within a reasonable time by an independent, competent, and impartial tribunal as to whether the registrant's data should be released to that government authority.
This also assumes that the data is requested and not simply taken. Given efforts are underway globally to restrict encryption, we cannot presume that all governments worldwide will follow due process if the data they desire exists in some form where it can somehow be extracted.
Best wishes,
Ayden
On Tue, Jul 26, 2016 2:10 PM, Greg Aaron <gca@icginc.com> wrote:
Here are three cases that are variations of the scenario that Ayden presented.
1. Member of the dissident group registers a gTLD domain name using a privacy service, located in a different country from the registrant. The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost. Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint. The decision may depend mainly on whether the service provider believes the registrant has breached the service provider’s terms of service, as interpreted under the laws of the service provider’s country (not the country of the registrant and the complaining government).
2. Instead of a gTLD domain, member of the dissident group chooses to register a ccTLD domain, in a ccTLD that does not provide registrant contact data in its WHOIS. The ccTLD registry and registrar are outside the dissident’s country. If the government authorities in the dissident’s country wish to obtain contact data, the government authorities must contact either the registrar or registry, which will then consider the complaint according to their terms of service, as interpreted under the laws of the registrar’s or registry’s country.
3. Member of the dissident group registers a gTLD domain name using a proxy, such as a law firm located in another country. If government authorities in the dissident’s country request the identity of the dissident, the proxy must decide whether to reveal its client’s name. The proxy is not subject to the jurisdiction of the foreign government.
These use cases assume that dissidents wish to take steps to keep their identities from their government regime. All three cases allow the registrant to work within existing ICANN registration data policies, including the recommendations that have come out of the recent privacy/proxy PDP.
All best,
--Greg
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Monday, July 25, 2016 6:41 PM
To: gnso-rds-pdp-wg@icann.org
Subject: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information
Hello all,
I would like to introduce an additional use case. This is just a rough draft for now, and I welcome your feedback on how this use case can be strengthened.
The scenario is: a dissident group launches a website to bring important news and information to the public. They register their domain name in a foreign nation and do not want law enforcement, or other parties, to be able to identify the website’s administrators, management, and/or sources of information. If this information was made known, their publishing could be silenced and their sources and contributors could suffer harm. The registrant is not aware of the existence of privacy proxy services at the time they register their domain name.
Misuse Case: The RDS could be used by State actors or other parties to identify members of or contributors to the dissident group, and this could result in their voices being silenced through legal, political, or physical means.
Main Misuse Case: An actor is unhappy that a website in a country is publishing material that speaks unfavourably about a given topic. They wish to launch political and legal attacks to silence the website’s publishers and to alter the narrative of the historical record on this topic. They thus utilise the RDS to identify a contact of someone involved in the administration of this website, with the view of torturing or otherwise extracting from this contact the names and contact details of contributors to the dissenting website. As the registrant does not subscribe to a privacy proxy service (possibly because of limited financial resources, or lack of awareness that such a service exists), their contact details have been permanently published into the public record and their privacy is thus permanently breached. As a result the RDS threatens the ability of dissenting voices to exercise their inalienable rights in an online environment.
Primary Actor: Government or other entity wanting to censor a dissident group.
Other stakeholders: Domain name registrant.
Scope:
Level:
Data Elements: In order to prevent misuse by another actor, no personally identifiable information should be stored in the RDS whatsoever. The only data elements that the RDS requires to operate on a technical level are: the domain name itself, the registrar, the domain name’s expiry date, and its status (registered / not registered). For it to be of functional use, there are two optional fields: name servers, and the auth-code.
Story:
* A requestor accesses the RDS to obtain information about a registered domain name. The RDS immediately returns the registration data associated with the domain name, which may include a name and physical address of the registrant.
* The requestor passes the extracted information on to a third party who visits the physical address of the contact. The registrant suffers physical harm as a result of the RDS and no longer feels comfortable using the Internet to convey to the public important information.
Privacy implications: Article 19 of the Universal Declaration of Human Rights states that everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers. These principles must be upheld in the RDS. An RDS that contains any personally-identifiable information would threaten these very freedoms. Accordingly, the RDS must only collect and store data for limited, lawful, and appropriate purposes.
Who has control of and access to the data:
Conditions under which the data are accessible:
How data can be accessed: At this time, personally identifiable information can be accessed by any party in the world, for any reason. This is not consistent with best practices in privacy protection.
Other?
As you can see, I have left a few of the fields in Lisa's template for use cases blank. I do not have all the answers, so I would very much welcome your suggestions on how this use case could be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead. I'll revise this use case once I understand this exercise a bit better.
Thank you for your time, consideration, and feedback.
Best wishes,
Ayden Férdeline
Ayden Férdeline Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%C3%A9rdeline+SOI>
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Thanks for pointing this out Rod. There are a few rather difficult authorization issues we described but did not necessarily solve (who vouches for you, and how)... the secure credentials were for particular, desperate cases. It does not solve situations where all of a sudden what was legitimate political dissent becomes treason (I don't need to point to any recent examples, I am sure) and the unsuspecting group is outed because they did not think they needed to go the extra mile and apply for a secure credential. I think the broad category of banned religions, speech, and political dissent needs a variety of solutions. But if we could make anonymous registration easy (as you point out, much necessary work has progressed in the past two years) it would be wonderful.
Stephanie Perrin
On 16-07-26 1:17 PM, Rod Rasmussen wrote:
So let point out that the EWG spent a huge amount of time on exactly this use case area to address these very difficult issues and concerns to life and liberty. One reason that this took a lot of time is that the option that Ayden is advocating for here that you cannot store ANY personally identifiable data in any place anywhere (paraphrasing, please correct if I’m misinterpreting you here) due to risk of its exposure due to some compromise in the chain (RDS, registry, registrar, P/P service) runs counter to one of the *primary* use case building blocks for domain registrants. That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use" if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc. So imposing requirements for a minuscule fraction of the domain registrant population in order to handle an uncommon (yet vitally important!) use case is simply disproportional. This is a great example of why you develop use cases - to tease out where they conflict, and instead of proscribing solutions up front (in this case not collecting information at all) you explore what the goals are (in this case, making sure that an oppressive regime cannot get ahold of the personal information of a dissident that could put that at risk of harm) to see how to solve those while imposing such restrictions on the system that you can’t accomplish other, equal or in this case, far more important goals of the system.
So, what did we do on the EWG? We proposed an entire system for dealing with such circumstances and that is explained in section VII b. Secure Protected Credentials Principals on pages 101-108 of the EWG report (https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf). I would refer people with an interest in this topic to that rather detailed section of our report to see a potential way forward on these issues. Since the writing of the EWG report, much more work has occurred within the space of providing anonymous, yet verifiable credentialing, particularly with the use of blockchain technologies which are open source, and largely available at very low cost for usage in software products and online services. Domain registration is not the only area where people have this sort of interest, and the market, along with the technical community, are responding accordingly. So while this is just one way of solving this use case, and may not be fully fleshed out to the implementation level in the current level of documentation, I will posit that when you run into a use case like this that runs counter to many others, there will often be a way to solve it without hampering or invalidating other use cases, particularly fundamental ones.
Cheers,
Rod
Rod Rasmussen VP, Cybersecurity
- <http://www.infoblox.com/> <http://www.infoblox.com/>
On Jul 26, 2016, at 8:57 AM, Ayden Férdeline <icann@ferdeline.com <mailto:icann@ferdeline.com>> wrote:
Thanks for the questions, Alex. I am happy to clarify.
Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissidents domain name operation are handled?
I consider this to be registrar-registrant contract information. As such, it is up to the registrar to determine which additional data elements they wish to collect (if any), how they wish to store this data (if applicable), and to whom they wish to release it, in accordance with local laws and the informed consent of their customers.
As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, tis cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.
It is possible that the web hosting or these other required products/services have been donated.
But the principle is less about the cost and more about the data being collected in the first place. If there exists a database which contains personally identifiable information, even if this information is stored behind a locked door, it is not unimaginable to anticipate it will be breached at some stage. And once data is leaked, the damage is permanent.
Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.
The dissident lives in country X. The foreign nation is any other sovereign state except X.
Best wishes,
Ayden
On Tue, Jul 26, 2016 4:46 PM, Deacon, AlexAlex_Deacon@mpaa.org <mailto:Alex_Deacon@mpaa.org>wrote:
Thanks for the use case Ayden. A few questions/comments.
Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissidents domain name operation are handled?
As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, tis cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.
Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.
Thanks!!
Alex
On Jul 26, 2016, at 6:38 AM, Ayden Férdeline <icann@ferdeline.com <mailto:icann@ferdeline.com>> wrote:
Thanks for your comments, Greg. Without wanting to dive too deep into our deliberations, I would just like to briefly comment on this:
The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost.
I do not think it is reasonable to make such an assumption. Privacy proxy services have not reached critical mass, as most domain names are not protected through such cloaks.
In addition, the subscription cost of such services must be seen as relative to local incomes and the ability to make a purchase in a foreign currency. It is not easy for everyone in every country to purchase goods online; not everyone has access to a credit card, and in many regions payment processors do not accept all currencies. And while US$7.00 per year may not be a lot to you or I, it is a significant amount of money to some.
When I was living in Argentina in 2014, the government imposed restrictions on online purchases as part of efforts to prevent foreign currency reserves from dwindling. At one stage, I believe that Argentine credit cards were limited to making no more than US$25 per month in foreign transactions. In such a case a dissent group would have to choose carefully how to allocate their resources. Do they buy Skype credit to make calls abroad? Do they buy a privacy proxy cloak? Do they purchase literature from abroad that cannot be purchased locally?
Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint.
This operates on the assumption that due process is followed. A privacy service provider is not a court and, as far as I am aware, there is no binding entitlement to domain name registrants to a fair and public hearing within a reasonable time by an independent, competent, and impartial tribunal as to whether the registrant's data should be released to that government authority?
This also assumes that the data is requested and not simply taken. Given efforts are underway globally to restrict encryption, we cannot presume that all governments worldwide will follow due process if the data they desire exists in some form where it can somehow be extracted.
Best wishes,
Ayden
On Tue, Jul 26, 2016 2:10 PM, Greg Aarongca@icginc.com <mailto:gca@icginc.com>wrote:
Here are three cases that are variations of the scenario that Ayden presented.
1. Member of the dissident group registers a gTLD domain name using a privacy service, located in a different country from the registrant. The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost. Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint. The decision may depend mainly on whether the service provider believes the registrant has breached the service provider’s terms of service, as interpreted under the laws of the service provider’s country (not the country of the registrant and the complaining government).
2. Instead of a gTLD domain, member of the dissident group chooses to register a ccTLD domain, in a ccTLD that does not provide registrant contact data in its WHOIS. The ccTLD registry and registrar are outside the dissident’s country. If the government authorities in the dissident’s country wish to obtain contact data, the government authorities must contact either the registrar or registry, which will then consider the complaint according to their terms of service, as interpreted under the laws of the registrar’s or registry’s country.
3. Member of the dissident group registers a gTLD domain name using a proxy, such as a law firm located in another country. If government authorities in the dissident’s country request the identity of the dissident, the proxy must decide whether to reveal its client’s name. The proxy is not subject to the jurisdiction of the foreign government.
These use cases assume that dissidents wish to take steps to keep their identities from their government regime. All three cases allow the registrant to work within existing ICANN registration data policies, including the recommendations that have come out of the recent privacy/proxy PDP.
All best,
--Greg
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Ayden Férdeline
*Sent:* Monday, July 25, 2016 6:41 PM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information
Hello all,
I would like to introduce an additional use case. This is just a rough draft for now, and I welcome your feedback on how this use case can be strengthened.
The scenario is: a dissident group launches a website to bring important news and information to the public. They register their domain name in a foreign nation and do not want law enforcement, or other parties, to be able to identify the website’s administrators, management, and/or sources of information. If this information was made known, their publishing could be silenced and their sources and contributors could suffer harm. The registrant is not aware of the existence of privacy proxy services at the time they register their domain name.
*Misuse Case:* The RDS could be used by State actors or other parties to identify members of or contributors to the dissident group, and this could result in their voices being silenced through legal, political, or physical means.
*Main Misuse Case:* An actor is unhappy that a website in a country is publishing material that speaks unfavourably about a given topic. They wish to launch political and legal attacks to silence the website’s publishers and to alter the narrative of the historical record on this topic. They thus utilise the RDS to identify a contact of someone involved in the administration of this website, with the view of torturing or otherwise extracting from this contact the names and contact details of contributors to the dissenting website. As the registrant does not subscribe to a privacy proxy service (possibly because of limited financial resources, or lack of awareness that such a service exists), their contact details have been permanently published into the public record and their privacy is thus permanently breached. As a result the RDS threatens the ability of dissenting voices to exercise their inalienable rights in an online environment.
*Primary Actor:* Government or other entity wanting to censor a dissident group.
*Other stakeholders:* Domain name registrant.
*Scope:*
*Level:*
*Data Elements:* In order to prevent misuse by another actor, no personally identifiable information should be stored in the RDS whatsoever. The only data elements that the RDS requires to operate on a technical level are: the domain name itself, the registrar, the domain name’s expiry date, and its status (registered / not registered). For it to be of functional use, there are two optional fields: name servers, and the auth-code.
*Story:*
* A requestor accesses the RDS to obtain information about a registered domain name. The RDS immediately returns the registration data associated with the domain name, which may include a name and physical address of the registrant.
* The requestor passes the extracted information on to a third party who visits the physical address of the contact. The registrant suffers physical harm as a result of the RDS and no longer feels comfortable using the Internet to convey to the public important information.
*Privacy implications:* Article 19 of the Universal Declaration of Human Rights states that everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers. These principles must be upheld in the RDS. An RDS that contains any personally-identifiable information would threaten these very freedoms. Accordingly, the RDS must only collect and store data for limited, lawful, and appropriate purposes.
*Who has control of and access to the data:*
*Conditions under which the data are accessible:*
*How data can be accessed:* At this time, personally identifiable information can be accessed by any party in the world, for any reason. This is not consistent with best practices in privacy protection.
*Other?*
As you can see, I have left a few of the fields in Lisa's template for use cases blank. I do not have all the answers, so I would very much welcome your suggestions on how this use case could be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead. I'll revise this use case once I understand this exercise a bit better.
Thank you for your time, consideration, and feedback.
Best wishes,
Ayden Férdeline
Ayden Férdeline Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%C3%A9rdeline+SOI> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Thanks for your comments, Rod.
That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use" if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc.
I see where you are coming from here, I just question why privacy must be eroded to the point where anyone, for any reason, can query the RDS and retrieve such sensitive personal information.
If I run with the arguments I've heard in this thread, there are two main reasons for why we need a WHOIS-like service. One is so that if a domain name causes problems (intentionally or otherwise) or has technical issues, there's a point of contact who can be reached. The second argument, the one you have raised, is that there should be some kind of record, like a land title registry, of who owns each domain name. I'll admit I hadn't considered the latter before, and I've been reflecting on the idea over the past few days.
In Helsinki at our cross-community session, Jordyn Buchanan from Google said we shouldn't include any requirements where there's another, alternative mechanism to achieve the same result in a better way. Applying his suggestion here, there really would seem to be no need to know who owns a domain name, so long as there is a mechanism through which a message can be relayed to the registrant if there is a legitimate need to do so. Do questions of domain name ownership not fall within the remit of whatever contract exists between the registrar and the registrant? One of the data elements I suggested collecting was the name of the registrar.
I imagine that most registrars retain the billing information of their active customers, so if they receive some kind of legal action, they have the capacity to pass this along to the billing contact. Likewise, if law enforcement is investigating something, provided due process is followed they may be able to query the billing contact information. However, I remain firmly of the view that such sensitive information should not be free for anyone to query and retrieve.
Best wishes,
Ayden
On Tue, Jul 26, 2016 6:17 PM, Rod Rasmussen <rrasmussen@infoblox.com> wrote:
So let me point out that the EWG spent a huge amount of time on exactly this use case area to address these very difficult issues and concerns to life and liberty. One reason that this took a lot of time is that the option that Ayden is advocating for here that you cannot store ANY personally identifiable data in any place anywhere (paraphrasing, please correct if I’m misinterpreting you here) due to risk of its exposure due to some compromise in the chain (RDS, registry, registrar, P/P service) runs counter to one of the *primary* use case building blocks for domain registrants. That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use" if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc. So imposing requirements for a minuscule fraction of the domain registrant population in order to handle an uncommon (yet vitally important!) use case is simply disproportional.
This is a great example of why you develop use cases - to tease out where they conflict, and instead of proscribing solutions up front (in this case not collecting information at all) you explore what the goals are (in this case, making sure that an oppressive regime cannot get ahold of the personal information of a dissident that could put that at risk of harm) to see how to solve those while imposing such restrictions on the system that you can’t accomplish other, equal or in this case, far more important goals of the system.
So, what did we do on the EWG? We proposed an entire system for dealing with such circumstances and that is explained in section VII b. Secure Protected Credentials Principals on pages 101-108 of the EWG report (https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf). I would refer people with an interest in this topic to that rather detailed section of our report to see a potential way forward on these issues.
Since the writing of the EWG report, much more work has occurred within the space of providing anonymous, yet verifiable credentialing, particularly with the use of blockchain technologies which are open source, and largely available at very low cost for usage in software products and online services. Domain registration is not the only area where people have this sort of interest, and the market, along with the technical community, are responding accordingly. So while this is just one way of solving this use case, and may not be fully fleshed out to the implementation level in the current level of documentation, I will posit that when you run into a use case like this that runs counter to many others, there will often be a way to solve it without hampering or invalidating other use cases, particularly fundamental ones.
Cheers,
Rod
Rod Rasmussen
VP, Cybersecurity
On Jul 26, 2016, at 8:57 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Thanks for the questions, Alex. I am happy to clarify.
Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident's domain name operation are handled?
I consider this to be registrar-registrant contract information. As such, it is up to the registrar to determine which additional data elements they wish to collect (if any), how they wish to store this data (if applicable), and to whom they wish to release it, in accordance with local laws and the informed consent of their customers.
As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, TLS cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.
It is possible that the web hosting or these other required products/services have been donated. But the principle is less about the cost and more about the data being collected in the first place. If there exists a database which contains personally identifiable information, even if this information is stored behind a locked door, it is not unimaginable to anticipate it will be breached at some stage. And once data is leaked, the damage is permanent.
Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.
The dissident lives in country X. The foreign nation is any other sovereign state except X.
Best wishes,
Ayden
On Tue, Jul 26, 2016 4:46 PM, Deacon, Alex <Alex_Deacon@mpaa.org> wrote:
Thanks for the use case Ayden. A few questions/comments.
Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident's domain name operation are handled?
As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, TLS cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.
Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.
Thanks!!
Alex
On Jul 26, 2016, at 6:38 AM, Ayden Férdeline <icann@ferdeline.com> wrote:
Thanks for your comments, Greg. Without wanting to dive too deep into our deliberations, I would just like to briefly comment on this:
The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost.
I do not think it is reasonable to make such an assumption. Privacy proxy services have not reached critical mass, as most domain names are not protected through such cloaks. In addition, the subscription cost of such services must be seen as relative to local incomes and the ability to make a purchase in a foreign currency. It is not easy for everyone in every country to purchase goods online; not everyone has access to a credit card, and in many regions payment processors do not accept all currencies. And while US$7.00 per year may not be a lot to you or I, it is a significant amount of money to some.
Here are some thoughts on your primary issues here Ayden.
1) Collection of data necessary for various purposes does not imply that it can or should be fully accessible by all at all times. In today’s system we already have some operationally necessary data “hidden” in order to provide domain registration services, to wit, payment information. The existence of privacy/proxy services has come about as a market response to the display issue, and the entire concept of tiered access was proposed to much better deal with various issues, particularly privacy. So I would point out that a great deal of thought and effort has already occurred towards dealing with this important area. Our job is to see that through.
2) We have a globally unique namespace that is being allocated using a number of parties but all tied back to the same root (pun intended). We have rules regulating how this allocation is done, that all members of the ecosystem must respect in order to participate. One primary purpose of an interconnected system for the *management* of the namespace (not *use* of the namespace which is based in the DNS) is for allowing different 3rd parties to efficiently, fairly, securely, and legally reallocate names amongst each other including “the right to use” (registrant) and the “right to service” (registrar) these names. The concept of an RDS isn’t an “alternative” system - it is the system. It is necessary to have a system for doing so in a way that assures that names are properly handled and no participant can either intentionally or through error cause a registrant or registrar to have their rights impeded. To my knowledge, all management regimes that humans have invented over the years to record rights like these and necessary transactions between parties in changing those rights involve actually recording information on the parties involved.
The current way we have implemented this is fraught with issues as we all know, but I don’t see how you can ever get away from that very basic tenet. I know that I personally would never trust a system that didn’t record my information in a way that would allow for relatively easy auditing/tracking of my rights to that name so that I could assert my legal rights in case something went wrong. I’ll also bet that corporations feel a tad bit stronger about that when it comes to an asset that may be worth billions of dollars (like google.com or facebook.com). Note that tracking and even publicly displaying this kind of information because people *want to* does not necessarily create a requirement that all participants in such a system have to do so as well. The current “whois” version of the system tends to force that though, and that’s one of the big reasons why we’re here. However, the reverse of that, which I have heard some argue for, is an unacceptable end state given this basic need of a majority of domain registrants.
What I’m talking about is the desire I’ve heard put out there to build a system where “no” personal information is collected or even allowed to be collected in order to protect the privacy of registrants amongst other things. That’s why we flesh out these use cases - to see where different purposes, goals, etc. create the need for flexibility, contingencies, and functionality. Only after you see the system and what it needs to do in its entirety can you fully understand what it needs to be able to do and there are often surprising insights along the way. Bringing everyone’s particular perspective and uses together allows us to work through that, and realize that while we may have some really important goals to accomplish, there are many other important goals out there as well.
These are all lessons we learned continuously throughout the EWG process - all of us came in with some pre-conceived notion of how we thought the system should “work” only to find out that there were things we didn’t know about that changed that outlook over and over. The use case process was a good way to get through that quickly, so hopefully this example will give some perspective to those who hadn’t considered this part of the domain management equation in depth.
Cheers,
Rod
On Aug 1, 2016, at 3:01 PM, Ayden Férdeline <icann@ferdeline.com> wrote:
Thanks for your comments, Rod.
That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use" if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc.
I see where you are coming from here, I just question why privacy must be eroded to the point where anyone, for any reason, can query the RDS and retrieve such sensitive personal information.
If I run with the arguments I've heard in this thread, there are two main reasons for why we need a WHOIS-like service. One is so that if a domain name causes problems (intentionally or otherwise) or has technical issues, there's a point of contact who can be reached. The second argument, the one you have raised, is that there should be some kind of record, like a land title registry, of who owns each domain name. I'll admit I hadn't considered the latter before, and I've been reflecting on the idea over the past few days.
In Helsinki at our cross-community session, Jordyn Buchanan from Google said we shouldn't include any requirements where there's another, alternative mechanism to achieve the same result in a better way. Applying his suggestion here, there really would seem to be no need to know who owns a domain name, so long as there is a mechanism through which a message can be relayed to the registrant if there is a legitimate need to do so. Do questions of domain name ownership not fall within the remit of whatever contract exists between the registrar and the registrant? One of the data elements I suggested collecting was the name of the registrar. I imagine that most registrars retain the billing information of their active customers, so if they receive some kind of legal action, they have the capacity to pass this along to the billing contact. Likewise, if law enforcement is investigating something, provided due process is followed they may be able to query the billing contact information. However, I remain firmly of the view that such sensitive information should not be free for anyone to query and retrieve.
Best wishes,
Ayden
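Rod's first point above (collecting data for a purpose does not mean it must be displayed to everyone, which is what tiered access is meant to address) and the minimal set of data elements Ayden lists in the original use case can be modelled together. The following is an added illustration written for this thread; it is not code from ICANN, the EWG report, or any registrar or registry. The tier names, field names, the audit-log shape and the sample registration are constructed assumptions, and the "privacy service provider" contact stands in for Greg's first variation, where the directory holds the provider's details rather than the registrant's.

```python
"""Toy directory service showing data minimisation and tiered access.

Added illustration for this mailing-list thread; not code from ICANN, the EWG,
or any registrar. Tier names, field names and the sample record are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    ANONYMOUS = "anonymous"    # any party on the Internet, no credentials
    ACCREDITED = "accredited"  # vetted requester who must state a purpose


# The elements Ayden lists as technically necessary, plus the optional name servers.
PUBLIC_FIELDS = ("domain", "registrar", "expiry", "status", "name_servers")
# Personal data: held by the registrar, never returned at the anonymous tier.
GATED_FIELDS = ("registrant_name", "registrant_address")
# The auth-code is a transfer credential, so the directory never discloses it.
NEVER_DISCLOSED = ("auth_code",)


@dataclass
class Registration:
    domain: str
    registrar: str
    expiry: str
    status: str
    name_servers: tuple
    auth_code: str
    registrant_name: str
    registrant_address: str


@dataclass
class Directory:
    records: dict
    audit_log: list = field(default_factory=list)  # one entry per gated disclosure

    def lookup(self, domain, tier=Tier.ANONYMOUS, requester=None, purpose=None):
        """Return the view of `domain` permitted for `tier`.

        Anonymous queries get only the operational elements. Accredited queries
        additionally get the contact fields, but only with an identified
        requester and a stated purpose, and every such disclosure is logged.
        """
        rec = self.records.get(domain)
        if rec is None:
            return {"domain": domain, "status": "not registered"}
        view = {name: getattr(rec, name) for name in PUBLIC_FIELDS}
        if tier is Tier.ANONYMOUS:
            return view
        if not requester or not purpose:
            raise PermissionError("gated access needs an identified requester and a purpose")
        self.audit_log.append({"domain": domain, "requester": requester, "purpose": purpose})
        view.update({name: getattr(rec, name) for name in GATED_FIELDS})
        for name in NEVER_DISCLOSED:  # defensive check: the credential must not leak
            if name in view:
                raise RuntimeError(f"{name} must never be disclosed")
        return view


def build_sample_directory():
    """Constructed sample data for the example (not a real registration)."""
    rec = Registration(
        domain="example-news.test",
        registrar="Example Registrar Ltd",
        expiry="2017-07-25",
        status="registered",
        name_servers=("ns1.example.test", "ns2.example.test"),
        auth_code="CONSTRUCTED-AUTH-CODE",
        # With a privacy service, the directory holds the provider's details,
        # not the registrant's (Greg's first variation).
        registrant_name="Privacy Service Provider (on behalf of registrant)",
        registrant_address="PO Box 1, Proxyville",
    )
    return Directory(records={rec.domain: rec})


if __name__ == "__main__":
    d = build_sample_directory()
    print("anonymous:", d.lookup("example-news.test"))
    print("accredited:", d.lookup("example-news.test", Tier.ACCREDITED,
                                  requester="example-requester",
                                  purpose="documented legal process"))
    print("audit log:", d.audit_log)
```

The anonymous view carries exactly the elements the use case says the directory needs to operate, the contact fields are reachable only through a path that records who asked and why, and the auth-code is excluded at every tier. The model says nothing about who decides whether a given request is legitimate; as Ayden notes, that decision rests with the provider and the applicable law, not with the directory.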
I want to repeat the following statement from Rod because I think it explains the value of discussing use cases: “That’s why we flesh out these use cases - to see where different purposes, goals, etc. create the need for flexibility, contingencies, and functionality. Only after you see the system and what it needs to do in its entirety can you fully understand what it needs to be able to do and there are often surprising insights along the way. Bringing everyone’s particular perspective and uses together allows us to work through that, and realize that while we may have some really important goals to accomplish, there are many other important goals out there as well.”

Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Rod Rasmussen
Sent: Monday, August 01, 2016 7:43 PM
To: Ayden Férdeline
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

Here are some thoughts on your primary issues here Ayden.

1) Collection of data necessary for various purposes does not imply that it can or should be fully accessible by all at all times. In today’s system we already have some operationally necessary data “hidden” in order to provide domain registration services, to wit, payment information. The existence of privacy/proxy services has come about as a market response to the display issue, and the entire concept of tiered access was proposed to much better deal with various issues, particularly privacy. So I would point out that a great deal of thought and effort has already occurred towards dealing with this important area. Our job is to see that through.

2) We have a globally unique namespace that is being allocated using a number of parties but all tied back to the same root (pun intended). We have rules regulating how this allocation is done, that all members of the ecosystem must respect in order to participate. One primary purpose of an interconnected system for the *management* of the namespace (not *use* of the namespace which is based in the DNS) is for allowing different 3rd parties to efficiently, fairly, securely, and legally reallocate names amongst each other including “the right to use” (registrant) and the “right to service” (registrar) these names. The concept of an RDS isn’t an “alternative” system - it is the system. It is necessary to have a system for doing so in a way that assures that names are properly handled and no participant can either intentionally or through error cause a registrant or registrar to have their rights impeded. To my knowledge, all management regimes that humans have invented over the years to record rights like these and necessary transactions between parties in changing those rights involve actually recording information on the parties involved. The current way we have implemented this is fraught with issues as we all know, but I don’t see how you can ever get away from that very basic tenet. I know that I personally would never trust a system that didn’t record my information in a way that would allow for relatively easy auditing/tracking of my rights to that name so that I could assert my legal rights in case something went wrong. I’ll also bet that corporations feel a tad bit stronger about that when it comes to an asset that may be worth billions of dollars (like google.com or facebook.com).

Note that tracking and even publicly displaying this kind of information because people *want to* does not necessarily create a requirement that all participants in such a system have to do so as well. The current “whois” version of the system tends to force that though, and that’s one of the big reasons why we’re here. However, the reverse of that, which I have heard some argue for, is an unacceptable end state given this basic need of a majority of domain registrants. What I’m talking about is the desire I’ve heard put out there to build a system where “no” personal information is collected or even allowed to be collected in order to protect the privacy of registrants amongst other things.

That’s why we flesh out these use cases - to see where different purposes, goals, etc. create the need for flexibility, contingencies, and functionality. Only after you see the system and what it needs to do in its entirety can you fully understand what it needs to be able to do and there are often surprising insights along the way. Bringing everyone’s particular perspective and uses together allows us to work through that, and realize that while we may have some really important goals to accomplish, there are many other important goals out there as well. These are all lessons we learned continuously throughout the EWG process - all of us came in with some pre-conceived notion of how we thought the system should “work” only to find out that there were things we didn’t know about that changed that outlook over and over. The use case process was a good way to get through that quickly, so hopefully this example will give some perspective to those who hadn’t considered this part of the domain management equation in depth.

Cheers,
Rod

On Aug 1, 2016, at 3:01 PM, Ayden Férdeline <icann@ferdeline.com> wrote:

Thanks for your comments, Rod.

> That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use” if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc.

I see where you are coming from here, I just question why privacy must be eroded to the point where anyone, for any reason, can query the RDS and retrieve such sensitive personal information. If I run with the arguments I've heard in this thread, there are two main reasons for why we need a WHOIS-like service. One is so that if a domain name causes problems (intentionally or otherwise) or has technical issues, there's a point of contact who can be reached. The second argument, the one you have raised, is that there should be some kind of record, like a land title registry, of who owns each domain name. I'll admit I hadn't considered the latter before, and I've been reflecting on the idea over the past few days.

In Helsinki at our cross-community session, Jordyn Buchanan from Google said we shouldn't include any requirements where there's another, alternative mechanism to achieve the same result in a better way. Applying his suggestion here, there really would seem to be no need to know who owns a domain name, so long as there is a mechanism through which a message can be relayed to the registrant if there is a legitimate need to do so. Do questions of domain name ownership not fall within the remit of whatever contract exists between the registrar and the registrant? One of the data elements I suggested collecting was the name of the registrar. I imagine that most registrars retain the billing information of their active customers, so if they receive some kind of legal action, they have the capacity to pass this along to the billing contact. Likewise, if law enforcement is investigating something, provided due process is followed they may be able to query the billing contact information. However, I remain firmly of the view that such sensitive information should not be free for anyone to query and retrieve.

Best wishes,
Ayden
Ayden,

Has someone suggested that “privacy must be eroded to the point where anyone, for any reason, can query the RDS and retrieve such sensitive personal information”?

Chuck

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Monday, August 01, 2016 6:02 PM
To: Rod Rasmussen
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

Thanks for your comments, Rod.

> That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use” if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc.

I see where you are coming from here, I just question why privacy must be eroded to the point where anyone, for any reason, can query the RDS and retrieve such sensitive personal information. If I run with the arguments I've heard in this thread, there are two main reasons for why we need a WHOIS-like service. One is so that if a domain name causes problems (intentionally or otherwise) or has technical issues, there's a point of contact who can be reached. The second argument, the one you have raised, is that there should be some kind of record, like a land title registry, of who owns each domain name. I'll admit I hadn't considered the latter before, and I've been reflecting on the idea over the past few days.

In Helsinki at our cross-community session, Jordyn Buchanan from Google said we shouldn't include any requirements where there's another, alternative mechanism to achieve the same result in a better way. Applying his suggestion here, there really would seem to be no need to know who owns a domain name, so long as there is a mechanism through which a message can be relayed to the registrant if there is a legitimate need to do so. Do questions of domain name ownership not fall within the remit of whatever contract exists between the registrar and the registrant? One of the data elements I suggested collecting was the name of the registrar. I imagine that most registrars retain the billing information of their active customers, so if they receive some kind of legal action, they have the capacity to pass this along to the billing contact. Likewise, if law enforcement is investigating something, provided due process is followed they may be able to query the billing contact information. However, I remain firmly of the view that such sensitive information should not be free for anyone to query and retrieve.

Best wishes,
Ayden

On Tue, Jul 26, 2016 6:17 PM, Rod Rasmussen rrasmussen@infoblox.com wrote:

So let me point out that the EWG spent a huge amount of time on exactly this use case area to address these very difficult issues and concerns to life and liberty. One reason that this took a lot of time is that the option that Ayden is advocating for here that you cannot store ANY personally identifiable data in any place anywhere (paraphrasing, please correct if I’m misinterpreting you here) due to risk of its exposure due to some compromise in the chain (RDS, registry, registrar, P/P service) runs counter to one of the *primary* use case building blocks for domain registrants. That primary concept is for a registrant to be able to definitively prove their ownership (or “right to control/use” if you don’t like the concept of “owning” domains) of a domain name. Someone has to have that information - the registrar is the base case - in order for the vast, vast majority of domain holders to do things like transfer their domain between registrars, sell the rights to their domain to some other party, obtain domain-related services, ensure their domain is not hijacked or can be recovered if it is, etc. So imposing requirements for a minuscule fraction of the domain registrant population in order to handle an uncommon (yet vitally important!) use case is simply disproportional.

This is a great example of why you develop use cases - to tease out where they conflict, and instead of proscribing solutions up front (in this case not collecting information at all) you explore what the goals are (in this case, making sure that an oppressive regime cannot get ahold of the personal information of a dissident that could put them at risk of harm) to see how to solve those while imposing such restrictions on the system that you can’t accomplish other, equal or in this case, far more important goals of the system.

So, what did we do on the EWG? We proposed an entire system for dealing with such circumstances and that is explained in section VII b. Secure Protected Credentials Principals on pages 101-108 of the EWG report (https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf). I would refer people with an interest in this topic to that rather detailed section of our report to see a potential way forward on these issues. Since the writing of the EWG report, much more work has occurred within the space of providing anonymous, yet verifiable credentialing, particularly with the use of blockchain technologies which are open source, and largely available at very low cost for usage in software products and online services. Domain registration is not the only area where people have this sort of interest, and the market, along with the technical community, are responding accordingly.

So while this is just one way of solving this use case, and may not be fully fleshed out to the implementation level in the current level of documentation, I will posit that when you run into a use case like this that runs counter to many others, there will often be a way to solve it without hampering or invalidating other use cases, particularly fundamental ones.

Cheers,
Rod

Rod Rasmussen
VP, Cybersecurity
http://www.infoblox.com/

On Jul 26, 2016, at 8:57 AM, Ayden Férdeline <icann@ferdeline.com> wrote:

Thanks for the questions, Alex. I am happy to clarify.

> Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident’s domain name operation are handled?

I consider this to be registrar-registrant contract information. As such, it is up to the registrar to determine which additional data elements they wish to collect (if any), how they wish to store this data (if applicable), and to whom they wish to release it, in accordance with local laws and the informed consent of their customers.

> As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, tls cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.

It is possible that the web hosting or these other required products/services have been donated. But the principle is less about the cost and more about the data being collected in the first place.
If there exists a database which contains personally identifiable information, even if this information is stored behind a locked door, it is not unimaginable to anticipate it will be breached at some stage. And once data is leaked, the damage is permanent.

> Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.

The dissident lives in country X. The foreign nation is any other sovereign state except X.

Best wishes,
Ayden

On Tue, Jul 26, 2016 4:46 PM, Deacon, Alex Alex_Deacon@mpaa.org wrote:

Thanks for the use case Ayden. A few questions/comments.

Based on the details you outline, particularly the limitations you place on the RDS data elements, can you comment on how technical issues with the dissident’s domain name operation are handled?

As for the cost of P/P services I appreciate the view it is an added cost (and even FWIW that one should not have to pay for privacy) but so is the purchase of the domain name, hosting provider, web-site, tls cert (the non-free ones) to enable transport encryption, etc. If there are funds available to purchase (and maintain) a domain name (and the site behind it) I’m not sure the extra cost for the P/P add-on is truly prohibitive.

Lastly, can you clarify the term “foreign nation” in the scenario description? Is it the same or different from the nation of the dissident? This is a small detail perhaps but one that got me thinking about how (or even if) this use case would play out in a real world scenario.

Thanks!!
Alex

On Jul 26, 2016, at 6:38 AM, Ayden Férdeline <icann@ferdeline.com> wrote:

Thanks for your comments, Greg. Without wanting to dive too deep into our deliberations, I would just like to briefly comment on this:

> The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost.

I do not think it is reasonable to make such an assumption. Privacy proxy services have not reached critical mass, as most domain names are not protected through such cloaks. In addition, the subscription cost of such services must be seen as relative to local incomes and the ability to make a purchase in a foreign currency. It is not easy for everyone in every country to purchase goods online; not everyone has access to a credit card, and in many regions payment processors do not accept all currencies. And while US$7.00 per year may not be a lot to you or me, it is a significant amount of money to some. When I was living in Argentina in 2014, the government imposed restrictions on online purchases as part of efforts to prevent foreign currency reserves from dwindling. At one stage, I believe that Argentine credit cards were limited to making no more than US$25 per month in foreign transactions. In such a case a dissident group would have to choose carefully how to allocate their resources. Do they buy Skype credit to make calls abroad? Do they buy a privacy proxy cloak? Do they purchase literature from abroad that cannot be purchased locally?

> Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint.

This operates on the assumption that due process is followed. A privacy service provider is not a court and, as far as I am aware, there is no binding entitlement to domain name registrants to a fair and public hearing within a reasonable time by an independent, competent, and impartial tribunal as to whether the registrant's data should be released to that government authority? This also assumes that the data is requested and not simply taken. Given efforts are underway globally to restrict encryption, we cannot presume that all governments worldwide will follow due process if the data they desire exists in some form where it can somehow be extracted.

Best wishes,
Ayden

On Tue, Jul 26, 2016 2:10 PM, Greg Aaron gca@icginc.com wrote:

Here are three cases that are variations of the scenario that Ayden presented.

1. Member of the dissident group registers a gTLD domain name using a privacy service, located in a different country from the registrant. The actual market price of such services is inexpensive (for example GoDaddy’s is US$7.00 per year). It may be reasonable to assume that at-risk dissidents are aware that privacy services exist, and can afford the minimal cost. Government authorities in the dissident’s country request the underlying registrant data from the privacy service provider. The privacy service provider must then decide whether it will accept the government’s complaint. The decision may depend mainly on whether the service provider believes the registrant has breached the service provider’s terms of service, as interpreted under the laws of the service provider’s country (not the country of the registrant and the complaining government).

2. Instead of a gTLD domain, member of the dissident group chooses to register a ccTLD domain, in a ccTLD that does not provide registrant contact data in its WHOIS. The ccTLD registry and registrar are outside the dissident’s country.
If the government authorities in the dissident’s country wish to obtain contact data, the government authorities must contact either the registrar or registry, which will then consider the complaint according to their terms of service, as interpreted under the laws of the registrar’s or registry’s country.

3. Member of the dissident group registers a gTLD domain name using a proxy, such as a law firm located in another country. If government authorities in the dissident’s country request the identity of the dissident, the proxy must decide whether to reveal its client’s name. The proxy is not subject to the jurisdiction of the foreign government.

These use cases assume that dissidents wish to take steps to keep their identities from their government regime. All three cases allow the registrant to work within existing ICANN registration data policies, including the recommendations that have come out of the recent privacy/proxy PDP.

All best,
--Greg

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline
Sent: Monday, July 25, 2016 6:41 PM
To: gnso-rds-pdp-wg@icann.org
Subject: [gnso-rds-pdp-wg] Use Case - Dissident Group Using the Internet to Communicate Information

Hello all,

I would like to introduce an additional use case. This is just a rough draft for now, and I welcome your feedback on how this use case can be strengthened.

The scenario is: a dissident group launches a website to bring important news and information to the public. They register their domain name in a foreign nation and do not want law enforcement, or other parties, to be able to identify the website’s administrators, management, and/or sources of information. If this information was made known, their publishing could be silenced and their sources and contributors could suffer harm. The registrant is not aware of the existence of privacy proxy services at the time they register their domain name.

Misuse Case: The RDS could be used by State actors or other parties to identify members of or contributors to the dissident group, and this could result in their voices being silenced through legal, political, or physical means.

Main Misuse Case: An actor is unhappy that a website in a country is publishing material that speaks unfavourably about a given topic. They wish to launch political and legal attacks to silence the website’s publishers and to alter the narrative of the historical record on this topic. They thus utilise the RDS to identify a contact of someone involved in the administration of this website, with the view of torturing or otherwise extracting from this contact the names and contact details of contributors to the dissenting website. As the registrant does not subscribe to a privacy proxy service (possibly because of limited financial resources, or lack of awareness that such a service exists), their contact details have been permanently published into the public record and their privacy is thus permanently breached. As a result the RDS threatens the ability of dissenting voices to exercise their inalienable rights in an online environment.

Primary Actor: Government or other entity wanting to censor a dissident group.

Other stakeholders: Domain name registrant.

Scope:

Level:

Data Elements: In order to prevent misuse by another actor, no personally identifiable information should be stored in the RDS whatsoever. The only data elements that the RDS requires to operate on a technical level are: the domain name itself, the registrar, the domain name’s expiry date, and its status (registered / not registered). For it to be of functional use, there are two optional fields: name servers, and the auth-code.

Story:
* A requestor accesses the RDS to obtain information about a registered domain name. The RDS immediately returns the registration data associated with the domain name, which may include a name and physical address of the registrant.
* The requestor passes the extracted information on to a third party who visits the physical address of the contact. The registrant suffers physical harm as a result of the RDS and no longer feels comfortable using the Internet to convey to the public important information.

Privacy implications: Article 19 of the Universal Declaration of Human Rights states that everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers. These principles must be upheld in the RDS. An RDS that contains any personally-identifiable information would threaten these very freedoms. Accordingly, the RDS must only collect and store data for limited, lawful, and appropriate purposes.

Who has control of and access to the data:

Conditions under which the data are accessible:

How data can be accessed: At this time, personally identifiable information can be accessed by any party in the world, for any reason. This is not consistent with best practices in privacy protection.

Other?

As you can see, I have left a few of the fields in Lisa's template for use cases blank. I do not have all the answers, so I would very much welcome your suggestions on how this use case could be strengthened. I'm still a little uncertain as to whether we are designing use cases for what the WHOIS protocol is like today (this is an assumption I have gone by in this first draft) or if this is meant to be more like a use case in a dream system instead. I'll revise this use case once I understand this exercise a bit better.

Thank you for your time, consideration, and feedback.

Best wishes,
Ayden Férdeline

Ayden Férdeline Statement of Interest <https://community.icann.org/display/gnsosoi/Ayden+F%C3%A9rdeline+SOI>

_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg