Versions Compared

Old Version 12

changes.mady.by.user Lisa Phifer

Saved on

compared with

New Version Current

changes.mady.by.user Lisa Phifer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wednesday November 1, 2017 16:00 - 18:30 local time


REVISED PROPOSED AGENDA - WEDNESDAY

...

4. Purposes for gTLD registration data and directory services (continuing from Saturday F2F)

  • Business Domain Name Purchase/Sale (Drafting Team #4, Wednesday 16:15)
  • Criminal Investigation/DNS Abuse Mitigation (Drafting Team #7, Wednesday 16:45)
  • Technical Issue Resolution (Drafting Team #1, Wednesday 17:15)
  • Academic/Public Interest DNS Research (Drafting Team #1, 17:45)

...

5. Confirm action items and proposed agreements (last 15 minutes)next meeting dates (18:15-18:30)


NOTES 

These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki here.

Primary Goal: Shared understanding of existing purposes for gTLD registration data and directory services

1. Introductions and SOI Updates

2. Quick PDP Background

3. Quick review of Meeting Goals and Saturday progress

  • Brief updates from DT5 and DT6
  • No updates from DT2 or DT3 at this meeting

4. Purposes for gTLD registration data and directory services (continues from Saturday)

b. Criminal Investigation/DNS Abuse Mitigation (DT#7)

  • Link to Draft:  https://community.icann.org/download/attachments/69280637/DraftingTeam7-CrimInvAbuseMit-1%20November%202017.pdf
  • Slides: https://community.icann.org/download/attachments/69280637/RDS3-DT7%20Overview%20for%20ICANN%2060.pdf
  • Category covers all use of an RDS to support criminal and other investigations
  • Users include law enforcement, cybersec professionals, IT admins protecting their own networks, automated protection systems, others pursing abuse issues
  • Definition of “Abuse” is included in the definition slide 2
  • Who you need to contact depends upon the particular abuse case
  • Expand investigation to understand scope of abuse may involve identifying additional domain names
  • Investigation may lead to request to suspend domain names
  • Users either making a lot of ad hoc requests to support investigation or automated processes that query data for a large number of domains – probably more than one purpose
  • Categories of Actions – should include hosting providers getting involved in mitigation, as opposed to just the registrars for the underlying DNs
  • Re: hosting companies may not be willing to talk to investigator but may be willing to talk to the DN’s Tech/Admin contact
  • Relationship to compliance and reg enforcement purpose as well? Where do these purposes overlap or do they just relate to each other in a way that can be defined?
  • No such thing as world-recognized law enforcement – jurisdiction may play role in determining users and chains of users (3d matrix?, even GDPR does not address needs of law enforcement)
  • Note that who gets access to what data still needs to be addressed, even after defining the purpose and data involved
  • Noted that these cases are about access and not putting data into the system in the first place

a. Domain Name Purchase/Sale (DT#4)

  • Link to Draft: https://community.icann.org/download/attachments/69280637/DraftingTeam4-DNPurchaseSale-Definition-v6-clean.pdf
  • Note that this purpose applies to all domain names, regardless of what the domain name might be used for (business or otherwise)
  • Why was history considered important for this purpose – goes to merchantability, may need to tease this rationale out more to enhance understanding
  • Is merchantability about reputation more than ownership of the domain name prior to possible purchase?
  • Should “third party buyer” be “potential registrant” – no, because there are many scenarios where the party making contact for purchase will not end up being the registrant
  • Why is trademark infringement part of this purpose? Perhaps narrow text to indicate this is for cases in which the situation is resolved through purchasing the domain name

c. Technical Issue Resolution (DT#1)

  • Link to Draft:  https://community.icann.org/download/attachments/69280637/techissues1.pdf
  • One of the more obvious uses considering it was one of the first basic uses envisaged for WHOIS
  • Note “Technical Contacts” is intended to represent those who can help resolve technical issues, not necessarily the WHOIS “Tech Contact” set of data elements
  • “Internet users” may be too broad – break out IT users
  • Is abuse responder an overlap with the purpose from DT7 – would this be abuse reporter? For example, a broken feature that someone reports may turn out to be the result of DN abuse, but that might be distinct from a third party subsequently responding to that DN abuse (DT7)?
  • From chat: It seems that the ability to search across multiple domain names (to identify common registrants, name servers, etc., is a common theme across several uses/purposes.  Note that strictly speaking this is NOT a feature of the current RDS --- in the sense that it is not something contracted parties provide today (they did in the system ICANN inherited, but that is another story).   Third parties provide this today.

d. Academic/Public Interest DNS Research (DT#1)

  • Link to Draft: https://community.icann.org/download/attachments/69280637/techissues1.pdf
  • For example, DN registration history was used in a study of the introduction of new TLDs
  • Another example: APWG researching trends and patterns – for example history data (WhoWas)
  • WHOIS accuracy studies (starting from 2000 USG study, continuing through ICANN ARS)
  • May also be used to assess P/P use, examining geographic distribution of registrations, etc.
  • Could potentially be used for examining the impacts of GDPR in the future
  • Many of these are examples of public policy research (including ICANN policies)
  • Examples of organizations conducting such studies include ISOC, EFF
  • Data elements list is not inclusive – often use whatever data is available, may need data across many domains for statistical analysis, etc.
  • Distinction between this and market research? Sometimes academic study data ends up being applied for other reasons, including commercial
  • Question: Since virtually all the examples given require the aggregation of RDS data and the ability to search across multiple domains, do we need to treat this aggregation itself as a use case/purpose?  
  • Would it be a method or use or purpose? Or would the search of aggregated data produces a new data set, that may then be used several purposes?
  • See ref to ICANN contractual enforcement – is this covered by DT5? Use of data by Contractual Enforcement Dept for research vs. use of data by Contractual Enforcement Dept for enforcement purpose?

5. Confirm action items and next meeting dates

  • Continue Drafting Teams through next week to address these points:
    • Summarize each purpose in one sentence:
      “Information collected to enable contact between the registrant and <who> <to accomplish what>”
    • Think in terms of explaining to the data subject why data is being collected for this purpose – keep it concise and simple.
    • Are the tasks/users identified by your team so diverse and distinct that they may be more than one purpose? If so, split them up and describe each purpose separately.
    • Which purposes covered by other teams are closely related to or overlap the purpose(s) covered by your team?
    • Is there any data collected specifically for the stated purpose? Or does that purpose use only data collected for other purposes?

Action: Drafting teams to deliver final outputs by Friday 10 November

Action: Drafting teams to present results to full WG on 14 Nov call

  • Questions
    • Are these purposes or use cases? Many see what has been produced so far as use cases
    • Does calling them “purposes” imply legitimacy? Or can we frame these as possible purposes?
    • How do we get from use cases to purposes?
    • Formulation of one-sentence action focuses on contact – but not always limited to contact?
    • Will also need to identify impact on registrant (data subject) when stating purpose
    • See chat comments about limitations of the suggested formulation and use of formulation as a tool to teach out contact specifics and help teams pinpoint other data or needs
    • For example, putting registrant first highlights when registrant-supplied data is being used to enable contact with another party not the registrant
    • Next Meeting Dates:
      • 7 Nov – no full WG call, complete DT work
      • Schedule of DT calls: https://community.icann.org/x/lgByB
      • Next full WG Call: 14 Nov – 17:00 UTC
      • NOTE: Starting next week, we shift back to the weekly call time slots used last winter: 17:00/06:00 UTC

MEETING MATERIALS

  • SlidesICANN60 RDS PDP F2F v6.PDF (updated 1 November for Wednesday F2F)
  • List of Drafting Teams (includes team member lists & links to team email archives)
  • Drafting Team outputs - may be updated in advance of meeting:
    • DT1: Tech Issue Resolution and DNS Research [doc, PDF]
    • DT2: Domain Name Control and Individual Internet Use [docPDF]
    • DT3: Domain Name Certification [docPDF]
    • DT4:  Business Domain Name Purchase/Sale [docPDF]
    • DT5: Regulatory or Contractual Enforcement [docPDF]
    • DT6: Legal Actions [docPDF]
    • DT7: Criminal Investigation/DNS Abuse Mitigation [docPDF] and slides