2018-08-09 EPDP Team call #3

Notes/ Action Items

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/2IpHBQ.

High-level Notes/Actions:

1. Confirmations regarding the face-to-face meeting are expected to be sent out shortly. The message will also include details on how to make travel arrangements.

2. The leadership and support team is considering how to speed up triage effort - for example, we might continue the  triage effort off-line based on survey responses so that we can start substantive discussion sooner, as early as next week. An assessment will be made after today’s meeting. The EPDP Leadership Team compiled the survey results and prepared “issue summaries” to capture the themes within the rationale reported by the Team members. These summaries are a tool to facilitate the discussion and should not be viewed as authoritative; the Team may provide feedback on the issue summaries by responding to the list.

3. The next meeting is Tuesday 14 August at 13.00 UTC. The deadline for submission of Part 2 of the survey is Friday 10 August at 19:00 UTC, for part 3 the deadline is Wednesday 15 August at 19.00 UTC.

Questions for ICANN Org from the EPDP team:

1. Regarding Temporary Specification section 4.4.8 - Supporting a framework to address issues involving domain name registrations: the team request additional specificity. Does this mean that registrars and registries must support a uniform access mechanism when approved or is there some present requirement.

2. Regarding Temporary Specification section 4.4.13 - Handling contractual monitoring requests: which data sets will be required to measure compliance against which contractual provisions?

All Action items:

• EPDP Team members to complete survey part 2 by Friday 10 August at 19.00 UTC

• EPDP Team members to complete survey part 3 by Wednesday 15 August at 19.00 UTC

• Question for Org Liaisons: what is the intention behind section 4.4.8?

• Staff to communicate details regarding EPDP Team meeting as soon as possible.

1. Roll Call & SOI Updates

• Attendance will be taken from Adobe Connect

• Remember to mute your microphones when not speaking and state your name before speaking for transcription purposes.

• Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

2. Welcome and Updates from EPDP Team Chair

• Getting close on confirming location and timing of F2F meeting. Announcement is expected to be made later today, including information about how to arrange travel.

• Please note that third survey is due Wednesday 15 August at 19.00 UTC

• Leadership considering how to speed up triage effort - for example, continue triage effort off-line based on survey responses and dive into substantive discussion sooner, as early as next week. Will see how this meeting goes and write up thoughts about next steps to be shared with the EPDP Team for input.

3. Summary of responses to EPDP Input Survey Part 1 - Results for Appendix A – Registration Data Directory Services

• See summary of responses in slide deck

• Even though the green sections indicate agreement, it sometimes is more about the sentiment that is agreed with, but there are still edits suggested, so review still needed.

4. Substantive Discussion of Temporary Specification (beginning with Section 4.4.7 – 4.4.13, 4.5 and Appendix A - Registration Data Directory Services) – see updated spreadsheet attached.

   Part 1 of the Survey can be found at https://www.surveymonkey.com/r/CC6F9F8   

4.4.7. Enabling the publication of technical and administrative points of contact administering the domain names at the request of the Registered Name Holder;

Issue summary: Opinions not in favor of this section question the utility of this voluntary data submission and whether voluntary data submissions should be included in the temporary specification.

• RrSG: not so much questioning the voluntary nature but these technical and administrative contacts are a relic from a previous era and hard to justify collection in the context of data minimization principles as outlined under the GDPR.  If the contacts are the same/duplicate, then it is not minimized data. If they are different, then how do we track consent between Registrant and the other (Admin/Tech) contacts?

• Admin/Tech does have utility in some instances - how do registrars establish that these are no longer in use?

• ICANN policies have different roles and responsibilities relating to those contacts, such as IRTP, WHOIS data reminder, UDRP. This is data that is used to satisfy ICANN policies.

• 90-95% are estimated to be duplicates between registrant / tech / admin / billing contact. Why collecting and sharing this duplicative information?

• Tracking consent is an issue when contacts are different.

• SAC044 specifies:  Maintaining administrative and technical contacts plays a role in reducing single points of failure or attack.

4.4.8. Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;

Issue summary: Explanation opposed to this section is not sufficiently detailed to adequately describe the issue. For example, what is the distinction among DNS Abuse, cybercrime and intellectual property theft?

4.4.9. Providing a framework to address appropriate law enforcement needs;

Issue summary: There is a suggestion that LEA access to personal data needn't pass the balancing that data can be disclosed when legitimate and not overridden by fundamental rights. The preamble should refer to Art.6 of the GDPR. Must LEAs demonstrate the right to access data?

• GAC: Issue summary is correct on 4.4.8 and 4.4.9 - situation needs to be described better.

• NCSG: 4.4.8 do agree, but with a qualifier / suggestion. Detailing framework for access will come later but need to pinpoint who are the actors with legitimate interests. Also linked to the discussion on ICANN's mission. Put forward proposed replacement text.  

• It seems to imply / create the impression that LEA are always legitimate, but there are plenty of arguments between DPAs and LEA concerning the proportionality.

• GAC: Article 2 of GDPR states that several categories/types of processing fall outside its scope and thus are NOT subject to the balancing test of Article 6(1)(f). This includes processing for criminal law enforcement and by competent authorities for safeguarding against and the prevention of threats to public security, which falls outside the scope of the GDPR and instead is subject to Directive (EU) 2016/680. Moreover, Article 6 of the GDPR provides for lawful processing in a number of circumstances as set forth in Article 6(1)(a) - (e), such as processing necessary for the performance of a task carried out in the public interest, that also are not subject to the balancing test of “overridden by the interest or fundamental rights” in (f). Finally, Article 6(1) also states that (f) “shall not apply to processing carried out by public authorities in the performance of their tasks.”

• RrSG: concern about going into content - so summary is correct on 4.4.8.  

• Spec 11 / framework for registry operators to respond to security threats includes what is considered within scope for ICANN (phishing, malware distribution, botnets). May be worth reviewing in this context.

• Question for Org: what is the intention behind section 4.4.8?

• There is data that LEA can legally require of organizations - that is limited to the jurisdiction they’re in, work on cross-border transfer in EU being discussed. Tech industry have started recognizing requests for certain types of data from outside its jurisdiction as long as they are not breaking local privacy laws.

• This voluntary collaboration may not be supported in all jurisdictions. Not ICANN's role to fix MLATs.  

4.4.10. Facilitating the provision of zone files of gTLDs to Internet users;

Issue summary: Given the distinction between zone file data and registration data, whether zone file contains personal data, and the fact that zone file data is currently available - can this section remain?

• NCSG & RrSG: not clear on how registration data facilitates provision of zone files of gTLDs to Internet users.

• Does this belong in a WHOIS spec? There are other processes that support use cases requiring zone file data.

• Need to also consider other parts of processing, not only collection. May need to be more specific what applies in certain instances? For example, you may collect here for the purpose of safeguarding, but it is actually not shared.

• Part of the reason for focusing on collection is to think through all the steps that would follow, what processing would take place in addition to collection - if you cannot answer that it the affirmative, should you be collecting the data in the first place?

4.4.11. Providing mechanisms for safeguarding Registered Name Holders' Registration Data in the event of a business or technical failure, or other unavailability of a Registrar or Registry Operator;

Issue summary: Is it accurate to say there is general approval of this data use so long as ICANN does not have access to the registration data (which is thought to be the case)?

• RrSG: response to business failure of contracted party is handled by a separate mechanism than WHOIS so it is not relevant. Escrow system is used for that.

• Isn't escrow escrowing WHOIS data? It is escrowing a subset and a superset of WHOIS data. Some of the information is not published in WHOIS.

• Isn't it necessary to include it here as it is being used for purposes like escrow? Isn't that one of the reasons why that information is collected? There may be other ways in which the same purpose can be achieved.

• May need a graphic to describe different steps in detail.

• Should be clear about what our mission is - main goal is to go through the temp spec and determine whether it should become a consensus policy. Does the temp spec actually deal with everything so that it is compliant with GDPR? There may be some omissions that need to be addressed. If it is registration data it includes all the data that is submitted but also data that may be automatically generated as a result of the domain name registration, which may also become personal information.

• Need to make sure that we use the same terminology - WHOIS is a display mechanism, registration data itself can have other purposes.

4.4.12. Coordinating dispute resolution services for certain disputes concerning domain names; and

Issue summary: Except for the standard registry response, there appears to be consensus support for this section. Recommendations for enhancement can occur in the next step.

4.4.13. Handling contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Registrars, Registered Name Holders, and other Internet users.

Issue summary: Where there is disagreement with this section, the disagreement focuses on those specific data needs, without which the compliance task would be impossible to accomplish.

• What are the reasons for compliance having access to this information? Broad array of uses for WHOIS as it relates to compliance activity of ICANN. Important to have access to effectively do their job. May need to ask for specification on what that job to assess if it is a legitimate purpose outweighing the privacy of individuals.

4.5. In considering whether Processing of Personal Data contained in Registration Data is consistent with Article 6(1)(f) of the GDPR, the GDPR requires ICANN to balance the legitimate interests described above with the interests, rights, and freedoms of the affected data subject. ICANN finds that the Processing is proportionate for the following reasons: see 4.5.1., 4.5.2.

4.5.3, 4.5.4, 4.5.5.

Issue summary: Those not supporting this provision found the rationale in sections 4.5.1 et.seq. unconvincing.

The alternative approach might be, as discussed earlier, to discuss the data collection and disclosure purposes recommended in 4.1.1 et.seq. and develop this section, if needed, after that.

• Significant disagreement with this section. May need to be updated / mapped to outcome on other sections such as 4.1.1. and 4.4.

• Some of the terms in this section may need further clarification such as 'limited' and 'unjustified'.

APPENDIX A

1. Registration Data Directory Services

1.2 RDDS Search Capabilities

1.2. RDDS Search Capabilities

1.2.1. Where search capabilities are permitted and offered, Registry Operator and Registrar MUST: (1) ensure such search capability is in compliance with applicable privacy laws or policies; (2) only permit searches on data otherwise available to the querying user, based on whether the user only has access to data publicly available in RDDS or whether the user has access to non-public Registration Data; (3) only provide results otherwise available to the querying user based on whether the user only has access to data publicly available in RDDS or whether the user has access to non-public Registration Data; and (4) ensure such search capability is otherwise consistent with the requirements of this Temporary Specification regarding access to public and non-public Registration Data.

1.2.2. Where search capabilities are permitted and offered, Registry Operator and Registrar MUST offer search capabilities on the web-based Directory Service and the RDAP service (when implemented).

Issue Summary: All parties agree that RDAP will be implemented regardless of the date provided in Section 1.1 (which should be removed). There is some uncertainty as to whether a search capability should be a contractual requirement, and whether such a provision such as Section 1 is required at all given the current contract, and also that the risks associated with the aggregation of data must be addressed.

• RySG: search capabilities are not required for all registries, but new gTLD contract does include language requiring support for search capability. In the base registry agreement there is already language included that should be sufficient as such language in temp spec is unnecessary and more burdensome to implement.

• For LEA this search ability is really important, even if it is anonymized and likely a redline. Also important for commercial entities who do reverse WHOIS look-ups or correlation analysis. This has been hampered after 25 May so some are of the view that the search capability should be required instead of optional.  

• Does the Registry agreement require this functionality or just allow it? New gTLD RA allows it, but if applicant has said in application that it would offer searchable WHOIS, the applicant is required to include it in the RA. However, it is possible through RSEP to remove searchable WHOIS.

• RrSG does not support making this mandatory - questioning the legality of offering this as well as the scope of converting WHOIS in a pseudo surveillance system.  

 2.1 - 2.3 (when data is restricted)

Requirements for Processing Personal Data in Public RDDS Where Processing is Subject to the GDPR

2.1. Registry Operator (except where Registry Operator operates a "thin" registry) and Registrar MUST apply the requirements in Sections 2 and 4 of this Appendix to Personal Data included in Registration Data where:

1. the Registrar or Registry Operator is established in the European Economic Area (EEA) as provided in Article 3(1) GDPR and Process Personal Data included in Registration Data;

2. the Registrar or Registry Operator is established outside the EEA and offers registration services to Registered Name Holders located in the EEA as contemplated by Article 3(2) GDPR that involves the Processing of Personal Data from registrants located in the EEA; or

3. the Registrar or Registry Operator is located outside the EEA and Processes Personal Data included in Registration Data and where the Registry Operator or Registrar engages a Processor located within the EEA to Process such Personal Data.

2.2. For fields that Sections 2.3 and 2.4 of this Appendix requires to be "redacted", Registrar and Registry Operator MUST provide in the value section of the redacted field text substantially similar to the following: "REDACTED FOR PRIVACY". Prior to the required date of implementation of RDAP, Registrar and Registry Operator MAY: (i) provide no information in the value section of the redacted field; or (ii) not publish the redacted field.

2.3. In responses to domain name queries, Registrar and Registry Operator MUST treat the following Registrant fields as "redacted" unless the Registered Name Holder has provided Consent to publish the Registered Name Holder's data:

• Registry Registrant ID

• Registrant Name

• Registrant Street

• Registrant City

• Registrant Postal Code

• Registrant Phone

• Registrant Phone Ext

• Registrant Fax

• Registrant Fax Ext

Issue Summary: Some parties believe that section 2.1 (coupled with sec. 3) is overly broad in that:

GDPR data restrictions can be applied globally and include entities (registrars, registries, registrant) located outside the EEA, and data restrictions need not be applied to Legal persons where personal data is not included in the record.

Others say that the legal/natural distinction cannot be made a priori and such a distinction is not implementable. Also, the privacy language prescribed (sec. 2.2) could be required prior to RDAP implementation.  

Some urge additional data be redacted as personal information can be gained from them:  e.g., organization name, city, postal code. The Temporary Specification mentions "consent" without a requirement or specification for such. This group may take that up. Should thin registries should be required to move to thick as part of this Temporary Specification?

 Consider remaining sections at next meeting.

• Sharing of draft triage document with the EPDP Team will help in completing the triage effort. Leadership hopes to share this shortly with EPDP Team for review.  

5. Wrap and confirm next meeting to be scheduled for Tuesday 14 August at 13.00 UTC. (Part 2 Survey results due Friday, 10 August by close of business.)