
PARTICIPATION

Attendees

Apologies:  Andrew Sullivan, James Galvin, Michele Neylon, Alan Woods, Chuck Gomes, Paul Keating

 

Notes/Action Items


These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki here.

1. Roll Call/SOI Updates

  • No SOI updates

2. Drafting teams to present proposed purposes (5 minutes/purpose), addressing these questions:

a) Give concise single-sentence version of purpose definition, using the format:
"Information to enable contact between WHO and WHO for what reason..."
b) briefly describe other changes made to your purpose document since ICANN 60
c) Answer any questions that were posed to the DT by the full WG or your team

  • Slide 3 - background explaining why we are focusing on purposes at this time - drafting teams were tasked with defining possible purposes as the foundation for deliberation
  • Each possible purpose identified to date - this does not preclude identifying additional purposes as deliberation proceeds
  • Note that "purpose" in the meaning of our group does not necessarily match the definition of "purpose" under data protection laws. So there may be a purpose that is legitimate, but that does not meet the legal requirements for collection and/or provision

Technical Issue Resolution

  • Information collected to enable the tracing, identification and resolution of incidents, which relate, either entirely or in part, to technical issues relating to the DNS. Use of such data should ordinarily be limited to those who are affected by such issues, or by those persons who are tasked (directly or indirectly) with the resolution of such matters on their behalf.
  • Some concern that this is a too-significant narrowing of the definition. Concerns are that "relating to DNS" may be misunderstood, and that the second sentence may need reworking, as it is not part of the purpose definition itself and will be deliberated on later in the WG.
  • For example, "related to DNS": resolving mail delivery issues may or may not be considered a "DNS" tech issue
  • May also be differences between outreach to fix and investigation of an issue
  • Alternative may be proposed by DT1:
  • Tech Issue Resolution (Greg Squared Alternative): Information collected to enable contact of the relevant contacts to facilitate tracing, identification and resolution of incidents related to services associated with the domain name.

Action Item: DT1 is asked to complete discussion and finalize its output no later than Friday 17 November to allow WG review for deliberation in next week's WG call.

Academic or Public Interest Research

  • Information collected to enable use of aggregate registration data elements by researchers and other similar persons, as a source for academic or other public interest studies or research, relating either solely or in part, to the use of the DNS.
  • Some concern regarding use of "aggregate" and limitation to public interest research. There may be other aspects of research touched on in the longer definition that are not encompassed in the single-sentence.

Domain Name Management

  • Collecting the required information to create a new domain name registration and ensuring that the domain registration records are under the control of the authorized party and that no unauthorized changes, transfers are made in the record.
  • Changes since ICANN60 were largely limited to single-sentence definition
  • Add managing renewal of domain name to the single-sentence purpose - take note of this to address during deliberation on this purpose

Individual Internet Use

  • Collecting the required information of the registrant or relevant contact in the record to allow the internet user to contact or determine reputation of the domain name registration.
  • Amend last word to read "registration or relevant contact." - take note of this to address during deliberation on this purpose

Domain Name Certification

  • Information collected by a certificate authority to enable contact between the registrant, or a technical or administrative representative of the registrant, to assist in verifying that the identity of the certificate applicant is the same as the entity that controls the domain name.
  • Note that definition has been tuned to indicate that RDS data is used for this purpose but not strictly speaking required for this purpose

Domain Name Purchase/Sale

  • Information to enable contact between the registrant and third-party buyer to assist registrant in proving and exercising property interest in the domain name and third-party buyer in confirming the registrant's property interest and related merchantability.
  • Changes made to address questions raised at ICANN60 re: merchantability and use for trademark investigation.
  • Discussed but chose not to change third-party buyer to registrant because there are cases where the buyer does not end up being the registrant.

ICANN Contractual Enforcement

  • Information accessed to enable ICANN Compliance to monitor and enforce contracted parties’ agreements with ICANN.
  • Narrowed purpose to focus on ICANN compliance (rather than broader contractual compliance) and use of data by ICANN for this purpose

Regulatory Enforcement

  • Information accessed by regulatory entities to enable contact with the registrant to ensure compliance with applicable laws.
  • Tightened the definition to eliminate overlap with Legal Actions

Legal Actions

  • Includes assisting certain parties (or their legal representatives, agents or service providers) to investigate and enforce civil and criminal laws, protect recognized legal rights, address online abuse or contractual compliance matters, or to assist parties defending against these kinds of activities, in each case with respect to all stages associated with such activities, including investigative stages; communications with registrants, registration authorities or hosting providers, or administrative or technical personnel relevant to the domain at issue; arbitrations; administrative proceedings; civil litigations (private or public); and criminal prosecutions.
  • Removed due process from definition since ICANN60. Other minor edits to the document.

Criminal Activity/DNS Abuse - Investigation

  • Information to be made available to regulatory authorities, law enforcement, cybersecurity professionals, IT administrators, automated protection systems and other incident responders for the purpose of enabling identification of the nature of the registration and operation of a domain name linked to abuse and/or criminal activities to facilitate the eventual mitigation and resolution of the abuse identified: Domain metadata (registrar, registration date, nameservers, etc.), Registrant contact information, Registrar contact Information, DNS contact, etc.
  • Rolled up use cases into groups, resulting in three distinct purposes - investigation, notification, and reputation
  • For other purposes: may wish to consider splitting apart investigation from taking action (which may be contacting the registrant or designated contacts)
  • Question: Is there a real distinction between regulatory compliance, legal actions, and criminal activity investigation or reputation? For example, is blocking spam for the purpose of enforcing anti-spam regulations or laws? (not really - reputation is used for defense of networks and not by a regulatory authority for enforcement)
  • Answer: There is definitely a large amount of overlap between LE/Abuse/Regulatory reasons. Use case is largely the same but actors and basis for activities are different.
  • Investigate and contact apply to almost all purposes - who is making the request and what they intend to do with the information is what varies across purposes

Criminal Activity/DNS Abuse - Notification

  • Information collected and made available for the purpose of enabling notification by regulatory authorities, law enforcement, cybersecurity professionals, IT administrators, automated protection systems and other incident responders of the appropriate party (registrant, providers of associated services, registrar, etc.), of abuse linked to a certain domain name registration to facilitate the mitigation and resolution of the abuse identified: Registrant contact information, Registrar contact Information, DNS contact, etc.

Criminal Activity/DNS Abuse - Reputation

  • Information made available to organizations running automated protection systems for the purpose of enabling the establishment of reputation for a domain name to facilitate the provision of services and acceptance of communications from the domain name examined: Domain metadata (registrar, registration date, nameservers, etc.), Registrant contact information, Registrar contact Information, DNS contact, etc.
  • Different because you are not going to contact the registrant or other responsible party - you are going to do something else as a result (e.g., reputation - protect your own network).
  • This involves access to data already collected vs. collecting data specifically for the stated purpose
  • Reputation is not a universal concept - subject to ranking of a particular CyberSecurity organization. All such lists have their own parameters and construction, much less timeliness, accuracy, etc.

Investigation vs. contact - do these concepts apply to every purpose?

  • Consider these questions as we try to start using these definitions for deliberation
  • Tech Issue Resolution – may involve investigation and then contact for resolution
  • Public Internet Research – involves investigation but not necessarily contact
  • DN Management - may not fit this model, as contact is not always involved
  • Contact can involve registrant, registrar, registry, or another designated contact or responsible party - do not presume that contact must be between registrant and requestor of data

3. Leadership proposal for moving forward

  • Take building block approach to deliberation by considering possible purposes one by one
    • Consider whether the purpose is legit and why
    • Consider data needed and if it can be collected for that purpose
    • Propose starting with Technical Issue Resolution as a way to move forward, hopefully by agreeing on at least one legitimate purpose and the data needed (and to be collected) for that purpose
    • If we have that foundation, we can examine other possible purposes and whether they legitimately use data collected for other purposes - vs - they need additional data collected specifically for the purpose
    • Need to be mindful of whether or not purposes are overly broad and consistent with ICANN's mission - may be divergent opinions on this
    • As we create building blocks, we may also create workflows and scenarios where data is used for other purposes

4. Confirm action items and proposed decision points

Action Item: DT1 is asked to complete discussion and finalize its output no later than Friday 17 November to allow WG review for deliberation in next week's WG call.

Action Item: All WG members to review Tech Issue Resolution purpose (final output) in advance of next week's call to prepare for deliberation on that purpose.

5. Confirm next WG meeting: Tuesday, 21 November 2017 at 17:00 UTC