Public Comment Close | Statement Name | Status | Assignee(s) | Call for Comments Open | Call for Comments Close | Vote Open | Vote Close | Date of Submission | Staff Contact and Email | Statement Number

29 January 2018

SUBMITTED

ICANN Staff 
gdpr@icann.org


FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here upon completion of the vote.



FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.



FIRST DRAFT SUBMITTED

The first draft submitted will be placed here before the call for comments begins.

25 Comments

  1. My comments on the models:

    General comments:

    Any model adopted should, as much as possible, be close to a position that everyone is comfortable with.  The reality is that actually changing the current RDS policy (i.e., requirements in the RAA on the collection and public access to registration data) will take at least another couple of years (The current RDS WG is only at the first stage of the policy change needed - 18 months after it started at least). So this ‘interim’ model will be used for a significant amount of time before it is replaced. Further, if we are calling on registrars/registries to adopt a model now, it should be as close as possible to the ultimate solution so that registries/registrars don’t have to change their systems yet again.  ( I recognise this is called an ‘interim’ solution: the reality - it will be a long ‘interim’)

    A related point - any policy adopted should be one that applies globally.  There should not be a policy that gives one part of the globe a level of privacy protection that does not apply elsewhere. And on a more practical note, how can a registrar or registry be sure of whether all of their customers live in an area that attracts one level of privacy protection or another?

    The basis of  any model adopted should be on privacy principles.  Yes, the GDPR is the most stringent, but we need to recognise that data protection legislation has been enacted globally, based on fundamental OECD principles.  Those principles include the direction that data collectors must only collect information - particularly personal information - that is necessary for them to carry out their function(s), that the data collector must - up front - tell the data subject the purposes to which the data will be put and the circumstances in which defined others will access the data.

    The final document should use the language of SSAC51 - for the data itself, the service and the protocol. Using ‘Whois’ leads to confusion as to what is being referred to

    Specific comments:

    Approach- Clause 6: Agree with the statement that all of the compliance models are based on tiered access - and agree with tiered access

    Commonalities - Clause 1: I am not sure we should agree with the statement that registrars may collect (but not necessarily publish) all of the personal data elements currently in the Thick registration data. This is an issue that the RDS WG is working through - to determine what information is actually necessary for the registrars/registries to carry out their functions.  However, I accept that this may be too hard for anyone outside of the WG discussions to come to final agreement upon.

    Purpose Description - Purpose of Whois. This text confuses two things.  The purpose of ICANN is about coordination, stability etc of the Internet’s unique identifier system.  But the purpose that is critical here is the purpose of the collector - the registrar.  So the test for whether the information should be collected is whether the registrar needs the information to carry out their functions.

    Models - General. Only Models 2B and Model 3 apply globally. On that basis, reject Models 1 and 2A.

    Model 2A vs Model 3:

    In Model 2A - the name of the registrant is only displayed with the consent of the registrant (whether a natural person or company), access to non-public data would be to a defined set of third party requesters under a formal accreditation/certification program (this could include law enforcement agencies, certified intellectual lawyers, etc), based on pre-defined criteria and as part of a formal accreditation process. As an interim measure, self certification could be used as part of an interim mechanism.

    In model 3, the registrant’s name would be displayed (with or without consent), and not publish personal data.  However, this would require assessment on a field by field basis as to whether personal data would be included.  There would be a stricter regime for access - only under applicable law and subject to due process requirements such as under subpoena or other judicial order.

    My recommendation: Go with either Model 2B or 3.  Model 3 is the stricter, but appears to be a bit complex in its assessment against each field.  Certainly there are very tight controls on access to the data. Model 2A has the possibility of more access - based on pre-determined requirements/accreditation. The timeframe for data retention under both is also different (life of registration +1 year for 2A, and +60 days)


    My personal choice - Model 2B - as long as there is a tight accreditation process, and tightly defined criteria for who (already accredited) gets access to personal information in what circumstances. But this is for ALAC members to decide.




    1. Holly, I cannot agree with "The basis of  any model adopted should be on privacy principles.".

      The At-Large principle has long been that we do support rights of registrants, but that when there is a potential clash between rights of registrants and the needs of Internet users (a FAR larger community than gTLD registrants) we must factor in those needs.

      In this case, we have a situation where those who purvey malware, spam, phishing and such will be given a great boost by registrant privacy, and we need to do what we can to ensure that those who fight such activities can still do so. This will not be easy, and perhaps there will be a blackout period initially, but it has to be the target. If we do not do this, then we are failing the community whose interests we are here to defend.

      Alan

  2. Good evening:  From a cursory reading of about 50 pages on this matter that have appeared in the past ten days, it would seem to me that Model 3 is the most consistent with the ALAC 2017 position on WHOIS waivers. (An issue that pre-dates GDPR).

    Regarding Model 3, I do not understand the point about field-by-field analysis for personal data

    Regarding Hamilton III, I have never understood the rationale for giving 'intellectual property lawyers' privileged access to registration data on a par with law enforcement.

    Thank you Olivier for drawing all this to our attention. Thank you Holly for your detailed analysis and recommendations.

    Regards

    Christopher Wilkinson - 20 January.

    PS:  Since all these issues were clearly already on the table at ICANN60, it is really not on for ICANN to publish their Models on 12 January and bounce the community into responding within two weeks!



     

  3. Although it is not clear from the descriptions, I have now been told that we will not necessarily limit ourselves to one of the presented models, but that we can pick and choose characteristics.

    1. Yes, I heard Goran confirm this at the ICANN IP and BC hosted Conversation on WHOIS and Compliance with EU's GDPR and ICANN Contracts held on 24 Jan.

      We may also want to look at the additional 5 community proposed models, also shared at this link for additional thoughts. 

      1. Thanks Justine.  Actually two of the models in particular are most useful.  Thomas Rickard (Eco Internet Industry Assoc) is particularly useful on the application of relevant law to this issue.  My one comment is that, while the GDPR (and indeed most data protection regimes) follow the data minimisation principle, as he argues, I am very unsure that it is possible for the community to agree on what data is actually required by registries/registrars for their function(s). It is an issue that the RDS WG has spent weeks (really months) on and the likelihood of reaching final agreement between now and 25 May is almost non-existent.  The other particularly useful of the five models is the iThreat Cybergroup, although some of the recommendations on data publication I'd question.  My other issue with that submission is that it would focus on the EU.  I believe that we should arrive at an interim solution that is global, for reasons I have already outlined.

  4. I have real difficulty with Alan's rejection of privacy principles.  First - we are not talking just about principles - we are talking about law in many countries (including Australia and Canada) apart from the EU countries.  Second - those principles always recognise the legitimate interests of law enforcement agencies (broadly interpreted) in addressing criminal activity. So there is no clash.  The discussions now include how to define those bodies involved in the detection and addressing of the illegality - all difficult issues.  Those discussions are more nuanced - how to define law enforcement agency, and how to define those activities that warrant access. 


    So the clash is not about the rights of registrants versus the rights of users.  It is about how to ensure that the definitions of law enforcement agencies and illegal activity are broad enough to address abuse of the DNS system that harms users while upholding respect for an individual's privacy.



    1. Holly, I have not rejected privacy principles and I don't need to be told that we (ICANN and its contracted parties) need to obey laws.

      As you point out, privacy legislation may allow a broad interpretation of law enforcement and the principle of proportionality will allow others to get access to otherwise confidential information as well.

      My point is that we must take advantage of things like that to ensure that we can keep the Internet relatively safe (it is far too late to keep it safe!).

      Look at model 3 which says that information will be revealed only with a subpoena or warrant, even for legal persons which get no protection under GDPR and many similar laws. THAT is what I am worried about - options that ARE available within the law but we choose not to avail ourselves of in the name of greater privacy than the law requires.

      We are not debating the merits of privacy here, or of GDPR-like legislation. We are talking about how ICANN will interpret it and perhaps change its policies and practices to respect the laws and not cripple efforts that are at the core of minimizing risk on the Internet.

  5. Alan - First - my mistake - above - on my preferred preference - it should be 2B as it would apply globally.  My concern with 2B - the need to be careful in both determining definitions for accreditation tests and striking an appropriate balance between genuine need for access and protection of personal information - not an easy task. But as both you and Carlton observed, Model 2B is very close to what the WG came up with anyway.  I am also concerned with Model 3 - because of its apparent complexity.  And yes, it would impose far stricter rules on access to information.

  6. Hadia Abdel Salam Mokhtar El Miniawi made the following comment in an email:

    After going through the document I am more towards option 2b where I think it provides a good balance between what is available and what is not and all registrations across the globe are treated equally, taking into account the data protection rules the location will not be an element when making registration or business decisions and while model 3 also allows for that, it seems too restrictive in areas and too complicated in others.


  7. After yesterday's ALAC call, it seems that the response we draft should focus on the elements of the model we favour rather than just pick a model.  So I will rephrase my proposed response - restating much of what I have already said, but with a focus on the elements that ALAC supports for whatever model is finally adopted. (this is a bit explanatory - the final text can be shortened)

    • Any model should be as close as possible to a position everyone is comfortable with.  While this is an 'interim' solution with a focus on Compliance, the reality is that any final decision is easily a couple of years away. Further, if we are asking registries/registrars to change their processes, any change should be as close as possible to a final response to the issue.
    • Any policy adopted should apply globally, for two reasons.  The first is that many registries/registrars outside of the EEA will have customers such that they will be covered by GDPR requirements.  Second, many countries outside of the EU have similar privacy laws (most are based on the same OECD privacy principles set out in 1983) and therefore should be covered by similar data protections.
    • Accept the 'commonalities' of all models, as listed in the 'Proposed Models' with exceptions below:
    • The response to all of the models is based on the response to three questions: what personal information of the registrant must the registrar collect in order to carry out their function(s);  what, of any of that information, should be publicly available; and finally, of that personal information, who and in what circumstances should another party have access to the personal information. The responses to each of those questions will determine which of the models (or combination of elements of the models) should be adopted.
      • On what personal information should be available, privacy law globally would mean the public display of all personal information collected is no longer a legal option. Model 1 would allow the publication of limited registrant information. Model 2 (A and B) would only publish the tech and Admin contacts of the registrant and only the registrant's name with their consent.  Model 3 would not publish the name at all.  Arguably both Models 2 and 3 more closely comply with the GDPR and other privacy legislation.
      • On Access, Model 1 provides the least restrictions on access to personal information, based on self certification of the requestor as to their purpose/need for the information. Model 2 (A and B) would establish a more formal accreditation process for identified user groups such as law enforcement agencies or intellectual property lawyers. Model 3 is the most restrictive, providing access to personal information only as a result of a subpoena or other court/judicial order.
    • Concluding : 
      • Models 1 and 2A would only apply to the European Economic Area - not globally.  Therefore, support Models 2B or 3 on this issue
      • Model 1 would publish the name and address of the registrant - personal information and arguably not in line with the GDPR or other privacy regimes. Models 2 and 3 more closely restrict or forbid publication of most personal information except in defined circumstances and, in my opinion, are closer to the GDPR requirements. 
      • Model 1 would allow access to personal information on request and self certification of purpose and need for the information.  Model 2 would only allow access of third parties to personal information by a defined set of requestors under a formal accreditation/certification process.  Groups eligible for access/certification to be developed in consultations that include the GAC. Model 3 would restrict access to situations where access to personal information is required by law or legal process.
    • In my opinion, Model 2B best balances the requirements of general privacy law with the legitimate needs for access to personal information.  However, I am aware that there are other legitimate views on this issue and happy to see other comments.
    • I do think, in responding to the call for 'feedback', after discussing the elements of any response, we should state what model is closest to an ALAC view and why.


  8. We need a draft that can be voted on, so below is my suggested response, only slightly different to what is above, but taking into account comments made in the recent webinar organised by Steve Bianco.

    The ALAC provides the following comments in light of the necessity for ICANN Org to have an agreed approach on enforcement of its contracts with registries and registrars (and their resellers) before provisions of the General Data Protection Regulations (GDPR) become enforceable on 25 May 2018. We also note that within that timeframe, registries and registrars (and their resellers) must have implemented requirements of the agreed approach before the May deadline. Because of the very tight timeframe, the ALAC notes that the emphasis for the Interim Model will not address all of the requirements of the GDPR.  It will only address the most urgent of the Compliance Model elements: the direct contradiction between the contractual requirements for the publication of potentially personal information and the legal prohibitions surrounding the publication of personal information.  Other elements of GDPR (and data protection requirements in other jurisdictions) are being addressed by the Registration Data Services Working Group.

    The ALAC supports the following elements of a Model for Compliance:

    • Any model should be as close as possible to compliance with the GDPR and other data protection regimes.
      While this is an 'interim' solution with a focus on Compliance, any final decision is some time away. If registries/registrars are to change their processes, any change should be as close as possible to what a longer term policy would require.
    • Any policy adopted should apply globally.  Many registries/registrars outside of the EEA will have customers such that they will be covered by GDPR requirements.  As well, many countries outside of the EU have similar data protection laws and are covered by similar data protection regimes.
    • The ALAC accepts the 'commonalities' listed for all three 'Proposed Models', with exceptions as follows:
      • On what information is collected from registrants, ALAC notes that the GDPR and other data protection regimes have a collection minimisation principle:  only personal information that is required for the data collector to carry out its function(s) should be collected.  We note that, for this interim model, the assumption is that all information currently collected under contract requirements will continue to be collected.  While this is potentially in breach of data protection rules, the issue of what information is required by the registries/registrars is the subject of discussion - as yet unresolved - by the WG.  Any final compliance regime will have to address the issue.
      • On what personal information should be available, data protection law globally would not allow the public display of all of the personal information that is currently collected and publicly available.
        Model 2 (A and B) would only publish the tech and Admin contacts of the registrant and only the registrant's name with their consent.  Model 3 would not publish the name at all.  Both Models 2 and 3 more closely comply with the GDPR and other data protection legislation. However, Model 2 does recognise the need to contact the registrar/registry in legitimate situations, and also recognises that registrants may wish to have their name associated with the domain name.
      • On access to non-public data, there should clearly be tiered access: access to personal information must be restricted to accredited parties with a legitimate and specific reason to access the data.  Given the sensitivity of contact information for many individuals and organisations, a self-certification system for access would not be acceptable. As much as possible, any access must be restricted under an ICANN monitored regime.  Under data protection regimes, law enforcement agencies or those operating under judicial order are given access to personal information in relation to specific factual situations.  Arguably, other governmental or regulatory agencies should be given access to personal information, again in relation to specific factual situations. ALAC accepts that there may not be sufficient time to establish a formal accreditation process and agreed access procedures.  As much as possible, however, ICANN must consult with all stakeholder groups, as well as data protection agencies, to develop rules on who and in what circumstances access is given to personal information of registrants.
      • The ALAC notes that there is discussion on whether the restrictions on access to personal information should apply only to natural persons or to both natural and legal persons.  The difficulty with drawing such distinction is that, in the case of very small businesses or organisations, the contact information for the legal entity amounts to personal information.  This is addressed by giving registrants (natural or legal persons) the option of opting in to having their name publicly available.
    • Based on the above considerations, Model 2B best balances the requirements of general  data protection law with the legitimate needs for access to personal information.
  9. Holly, I have significant problems with your proposal:

    1. Privacy is not absolute, but the principle of proportionality applies. My domain name of alangreenberg.org is CLEARLY personal information since it identified me (and many other Alan Greenbergs, but the law is pretty clear there being many of us does not reduce it being considered personal information). But not displaying it makes the domain name worthless, and my understanding is that no ccTLD hides it.
    2. In your second bullet of both docs above, you say that any POLICY must apply globally. First, this is not a policy we are talking about here, but a compliance model saying what parts of the current policy ICANN will not take actions on. Second, of course any policy (or compliance model) will APPLY globally, but it is the details we are looking at here. We MUST come up with something that we believe will pass muster with EU privacy officers. There may be other select parts of the world where there may be similar law. But there are a LARGE number of locations where that does not apply, and so any interim model should be selective to reduce the amount of information hidden. Until we can come up with a way to accredit and authenticate cyber security workers (and this will NOT happen quickly), we need to minimize the impact on these people who are doing work that we rely on heavily. To be clear, this will apply to registries and registrars EVERYWHERE, but only for European (or other selected) residents.
    3. Although it may be problematic to definitively identify a legal person, the practice of some ccTLD is a good starting point - if you enter an organization name, you are a legal person. Their information should not be hidden.
    4. Model 3 requires a subpoena or court order. That will not only shut down civilian investigators, but most police investigations as well. Do you really think that is a good idea?
    1. Hello Alan, it seems to me that going the route of the 2 variants will certainly require providing relevant policies so it seems to me that the compliance model will indeed require certain policies to be defined in the long run. On point 4, you raise a quite difficult point because I think if we were to allow what you seem to wish then it could defeat the registrants' protection/privacy. In a real life scenario, police will require a search warrant to search my house, so I don't see why it should be a problem to apply same here. I just think the process of providing the subpoena or court order has to be very seamless and less complicated. Overall my initial view is that whatever we go for has to be applied on a global basis. 2B and 3 seem to satisfy that requirement but I am more inclined to 3 for now.
      1. Seun, of course we will require policy changes in the long run. The purpose of the current exercise is to decide on what we have compliance ignore until we can implement policy changes.

        Regarding warrants, to look in your house, a warrant may be required, but in real life all sorts of personal information is given out regularly to those we trust (such as your employer or bank or anyone you buy something from online) and we need the equivalent of that in the domain name business. How we do that is the challenge.

    2. Point 1: Of course privacy is not absolute. And if you choose a domain name that identifies you personally, it is your choice to do so, and data protection law will not stop you.  For those who do choose not to be so identified, they should be - and are - protected.

      Point 2: At this point, I am not at all fussed on the terminology.  And the reason I am arguing for adoption of a model that will apply globally is - as I have stated above - that EU countries are not the only ones covered by data protection law.  As I keep saying, many other jurisdictions, Australia, Canada and many other countries globally, have legal data protection regimes.  I understand concerns about access law enforcement agencies have to personal data, when that is required.  But data regimes generally, and the EU regime in particular, already allow access for law enforcement purposes to address the issues.

      Point 3: This is a difficult issue that has taken a lot of discussion in the various  'Whois' WGs, as you would be aware. I'd generally agree that if the registrant is listed as a company, then the company name should be displayed.  However, there are some situations - women's refuges, human rights organisations, etc - where the organisation itself may be in danger if publicly listed.

      Point 4: I think you misunderstood what I said.  What I was saying is that there are situations where law enforcement agencies should have access to personal data.  And another situation where clearly access should be given is in order to comply with court orders.

      Concluding: There are difficult issues that the existing RDS WG has grappled with for many months - they raise legitimate concerns on all sides of the argument.  But we are running out of time.  Registries/registrars are already starting to implement processes to ensure compliance with GDPR and/or their own data protection requirements.  We aren't going to solve what are difficult issues overnight.  But the elements of a Compliance model we call for should, as far as possible, bring us closer to compliance with data protection regimes - including the GDPR.

      1. Holly, my reference to point 4 was based on your support of Model 3 which would only grant access on presentation of such a legal instrument and not simply by virtue of being an (authenticated and approved) law enforcement agency.

  10. I am not at all sure we are going to come to closure here. I am preparing to submit a statement of my own, and perhaps others want to do the same.

    In essence:

    1. Security and stability of the Internet is crucial, and currently WHOIS information, pretty much all of it, can be useful in protecting the Internet. That I believe is sufficient cause to collect everything we collect now.
    2. In terms of models, I believe that pending development of new policy, the CM1 model presented by Greg Aaron comes closest to meeting the GDPR privacy requirements while minimizing impact on the Internet. CMx models can be found at https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en.
    3. The CM5 model based on the EWG findings presented by Faisal Shah is a good target for a successor model to be implemented as soon as we can have RDAP in universal use.
    4. Along with moving to 3, we need to immediately start to develop an accreditation process which will allow cyber investigators to get access through RDAP. I do not believe that self-certification is practical either from a view of ensuring reasonable privacy or registrar/registry workload in verifying such requests. Even if a full-fledged program of accreditation will take a long time to develop and implement, it will be possible to quickly allow such groups as the Anti-Phishing Working Group, ICANN Compliance and certain law enforcement agencies to regain full access.
    1. I appreciate that the issues are now easy to get your head around, and some people may not feel comfortable voting.  But that said, before we abandon hope of agreement on a model, could we at least ask ALAC members if they want to vote on a statement or not. 

      It is always open to anyone to make an individual submission, regardless of what the SO/AC does.  And if ALAC as a whole decides not to submit a final statement, I will certainly submit what I have said.

      But this is a really important issue, and my preference would be that we submit at least a majority statement - that can have a minority statement as well.

  11. Our (and others') request for an extension has been refused. However, the reply also encourages further input "as soon as possible". So new input will still be accepted, although clearly the window is very short.

    At this point, as far as I can see, I have been the only At-Large person to submit a personal comment, and no RALO or At-Large comments have been submitted.

    My comment is pointed to above, and all submitted comments may be seen at https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en.

    Alan

  12. Streups.

    The USG say they will support a model that enables 'easy access' to WHOIS data.  From the use cases friend Redl referred to substantiate the view, the policy position seems to be that  all now collected is continued indefinitely.  So now, the matter of publication.

    If I read the tea leaves right, the policy position of the USG is that they expect the public WHOIS to undergo minimal change.  

    In the end, never mind transition, kick and scream all you want, our Uncle Sam will get its way. 

    Save yourself the angst and choose the model that is closest to that....or, make a hybrid.

    The End,

    -Carlton

    1. I have also made a personal submission - almost word for word what I suggested.  And Carlton - we can but try.  The RDS WG hasn't finished, but it is clear that most of the information collected under the RAA (which is really the issue) can be justified (agreed, not all of it), so the issue is who gets to see it and under what circumstances (ah, therein lies the rub). In my view - as you know - there must be real limits.  No individual access, real brakes on the claims of the IP community.  Confine access - which is my attempt at hybrid. (And there are enough countries in the EU (even without the UK) so attention must be paid.)

      1. Holly, why do you say "real brakes on the claims of the IP community"? As I read the EU letter, IP rights are one of the things they feel must be allowed for, and Lawyers are among the few groups we are talking about that are already subject to accreditation and must follow certain ethical guidelines. So on paper, it looks pretty much like business as usual for them, once we get the paperwork straight.

        1. On IP claims:  In the many conversations I have had over the years, one of the complaints made in discussions was that in some instances, the holders of a name are simply harassed over claims (not substantiated) of IP rights.  So in the earlier WG on access to privacy/proxy information on the registrant (I don't think you were in this one), on when the BC (particularly the IP people) could have access to registrant information, they would have to assert - and substantiate - both their right to the relevant domain name and that they were taking action to protect that name.  So the issue was NOT about those with a genuine case to be made. It was about the misuse of data to harass. In short, I am not talking about legitimate protection of IP rights - I am talking about misuse of registrant data in the name of IP rights, and asking that, when such rights are asserted, that they can be substantiated and a case made.