[NCSG-PC] Fwd: [NCSG-Discuss] Comments on the Whois compliance models
Stephanie Perrin
stephanie.perrin at mail.utoronto.ca
Mon Jan 29 19:57:42 EET 2018
Thanks Kathy, and I would just like to add that Goran basically
reinforced his message about not being slavish about model 1, 2 oe 3
when he spoke to us this morning. And thanks for posting the link to
the ECO model on the list. It has been out there since December 11, and
to be frank I thought more people would have looked at it.
cheers Stephanie
On 2018-01-29 12:52, Kathy Kleiman wrote:
>
> Hi All,
>
> I would like to support Stephanie's comments and I am sorry her
> computer broke down at such a critical moment. But I do want to share
> that her comments are brilliant and well-reasoned -- and walk us
> through the complexities of a very difficult area. As befits the
> co-author of the Canadian data protection law, her analysis of the
> requirements of GDPR and the short-comings of the models is important
> and badly needed. It's a "real-world" analysis for a situation we have
> in front of us - ICANN and real companies in the registration industry
> trying to comply with the GDPR and data protection laws around the
> world. I fully endorsing adopting as much as possible from her comments.
>
> Also safe travels to LA!
>
> Best regards, Kathy
>
>
> On 1/28/2018 8:14 AM, Stephanie Perrin wrote:
>>
>> I am sorry I let you down. To be frank, the discussion on the main
>> list was all over the map, my desire to throw my comment out there to
>> be trashed by folks not following these matters was pretty minimal.
>> However, I have had a complete meltdown with my computer and my ISP,
>> which slowed me down enormously, and there was no room for error.
>>
>> Here are a few compromise positions:
>>
>> 1. I can summarize at the end of the analysis of the different
>> positions, the various views (I acknowledged EFF's position but did
>> not go into it.
>>
>> 2. I can add a more thorough discussion of the law enforcement ask,
>> the IP lawyer ask, etc. and why option 3 deals with those issues
>> successfully.
>>
>> 3. I can discuss the data commissioner's expressed views on these
>> matters. There will be no support from them for a wholesale cutting
>> off of access for cyber investigators. IF you have any ideas on how
>> to square that circle, I am all ears. It is a big problem....while I
>> can be accused of caving in to a moderate position because I have
>> been both a govt policy/legislative wonk and an exec in a privacy
>> commissioner's office, I think you have to acknowledge I have decades
>> of experience fighting off law enforcement in back rooms. If we want
>> to be taken seriously, we have to acknowledge there is a problem. (it
>> is of course their fault there is a problem, but that is another
>> narrative....)
>>
>> I am also very happy saying there is a wide range of views in NCSG.
>> But if you want a narrow answer to the question of whether it is 2b
>> or 3, please pay attention to what Goran said in the IPC webinar the
>> other day...do not feel tied to 1,2, or 3, we simply pulled them into
>> models. COmments on all aspects raised, suggestions of other models
>> etc are welcome.
>>
>> SO I think we can say of your models we like 2b for this, 3 for that,
>> and our favorite proposal so far is the ECO one. Strategically, and
>> bearing in mind we still have years of pdps ahead of us and this is
>> an interim measure, supporting the registrars seems to me a good
>> idea, particularly when they have gone to the work and expense they
>> have to produce an excellent proposal.
>>
>> Have to go drop the dog at camp, perhaps we can talk this evening in
>> LA or tomorrow morning at breakfast?
>>
>> cheers Steph
>>
>> On 2018-01-28 10:36, farzaneh badii wrote:
>>> I tell you what is sticking in my throat Stephanie: You are way too
>>> late and we relied on you and you delivered late. I don't want Law
>>> Enforcement be viewed as legitimate force globally and you know
>>> where I am from. Does Eco model address my worry?
>>>
>>> Farzaneh
>>>
>>> On Sun, Jan 28, 2018 at 10:29 AM, Stephanie Perrin
>>> <stephanie.perrin at mail.utoronto.ca
>>> <mailto:stephanie.perrin at mail.utoronto.ca>> wrote:
>>>
>>> Well I am sorry that I did not get the comment in as well.
>>> There is a lot to read and I have read it (unlike many). WE
>>> need to know where the opposition is coming from.
>>>
>>> The ECO comments have been out there a while, and they deal with
>>> the models. There is absolutely nothing wrong with endorsing
>>> another group's position. Their legal analysis is excellent, in
>>> my view.
>>>
>>> Ignoring the reality that there is a cybercrime problem out
>>> there is, in my view, not a thoughtful position to take. I can
>>> attempt to reword it if you point me to precisely what is
>>> sticking in your throats. We want layered access....a failure
>>> to support layered access at this point in time will set us back
>>> years, we finally have ICANN agreeing to it.
>>>
>>> I am happy to send my comments in myself if you don't support
>>> them. I think they are well informed and realistic. I think
>>> Option 3 was thrown out there as a poison pill and I am not
>>> taking it.
>>>
>>> let me know.....
>>>
>>> cheers Steph
>>>
>>> On 2018-01-28 09:50, farzaneh badii wrote:
>>>> Hello Stephanie
>>>>
>>>> Is eco model in the models that offered by Icann? Is it model
>>>> 2b which you supported in the doc you sent us? If not then we
>>>> cannot support it now. I suggest going for the highest
>>>> protection now until we work out something better. You can
>>>> always go down from highest protection to layered access etc
>>>> but for now and since we don't have much time to reach
>>>> consensus I think we can stick to model 3. I wish you had sent
>>>> us your document sooner so that we could work on it. Also your
>>>> argument for not supporting model 3 in the document is not
>>>> really based on substance it's based on the fact that it won't
>>>> get support in the community. There is a May deadline.
>>>> Community can come up with consensus after the deadline on
>>>> another leas protective model. but ICANN org can't wait!
>>>>
>>>> I suggest pc members weigh in on this deadline is tomorrow and
>>>> we would like to know our positoon before the intersessional.
>>>>
>>>> On Sun, Jan 28, 2018 at 9:17 AM Stephanie Perrin
>>>> <stephanie.perrin at mail.utoronto.ca
>>>> <mailto:stephanie.perrin at mail.utoronto.ca>> wrote:
>>>>
>>>> I will try to get the revised comments on the models that
>>>> have been submitted in before I run for the plane at 2
>>>> EDT...but that may not happen. The legal analysis will come
>>>> next week, it is a lot harder and more complex....but I
>>>> want to get my questions on the table. It will be a long
>>>> time before this is over....
>>>>
>>>> We need to endorse the ECO model very strongly, in my view.
>>>> While option 3 looks good, it is rather unworkable.
>>>>
>>>> cheers SP
>>>>
>>>> On 2018-01-27 14:09, Ayden Férdeline wrote:
>>>>> Thanks Rafik
>>>>>
>>>>> I’m going to hold off on endorsing this for 24 hours until
>>>>> I read the comments currently being drafted by Stephanie.
>>>>>
>>>>> To be clear, this is not to say that I do not endorse this
>>>>> statement. It sounds logical to me and consistent with our
>>>>> principles. But if Stephanie has a 15-page document coming
>>>>> I’d like to make sure we’re being consistent in our
>>>>> messaging.
>>>>>
>>>>> Of course, being so close to the final day for
>>>>> submissions, I’ll write again on-list tomorrow in the
>>>>> absence of any other statements being on the table, as we
>>>>> cannot miss this submission deadline.
>>>>>
>>>>> Sincere thanks to Milton for drafting this.
>>>>>
>>>>> Best wishes, Ayden
>>>>>
>>>>> Sent from ProtonMail Mobile
>>>>>
>>>>>
>>>>> On Sat, Jan 27, 2018 at 10:50, Rafik Dammak
>>>>> <rafik.dammak at gmail.com <mailto:rafik.dammak at gmail.com>>
>>>>> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> We got a comment for the GDPR compliance model. The
>>>>>> deadline for submission ins the 29th Jan, which is the
>>>>>> coming monday. We need act quickly within this weekend .
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Rafik
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: "Mueller, Milton L" <milton at gatech.edu
>>>>>> <mailto:milton at gatech.edu>>
>>>>>> Date: Jan 26, 2018 6:05 PM
>>>>>> Subject: [NCSG-Discuss] Comments on the Whois compliance
>>>>>> models
>>>>>> To: <NCSG-DISCUSS at listserv.syr.edu
>>>>>> <mailto:NCSG-DISCUSS at listserv.syr.edu>>
>>>>>> Cc:
>>>>>>
>>>>>> I offer the following as a first draft of the NCSG
>>>>>> position on the 12 January 2018 call for comments
>>>>>> released by ICANN org.
>>>>>>
>>>>>> Principles
>>>>>>
>>>>>> Our evaluation of the models offered by ICANN are
>>>>>> based on three fundamental principles. No model that
>>>>>> fails to conform to all three is acceptable to the NCSG.
>>>>>>
>>>>>> 1. The purpose of whois must be strictly tied to
>>>>>> ICANN's mission. That is, the data that is collected
>>>>>> and the data that are published must directly and
>>>>>> demonstrably contribute to ICANN's mission as defined
>>>>>> in Article 1 of its new bylaws. We reject any
>>>>>> definition of Whois purpose that is based on the way
>>>>>> people happen to make use of data that can be
>>>>>> accessed indiscriminately in a public directory. The
>>>>>> fact that certain people currently use Whois for any
>>>>>> purpose does not mean that the purpose of Whois is to
>>>>>> provide thick data about the domain and its
>>>>>> registrant to anyone who wants it for any reason.
>>>>>>
>>>>>> 2. Whois service, like the DNS itself, should be
>>>>>> globally uniform and not vary by jurisdiction. ICANN
>>>>>> was created to provide globalized governance of the
>>>>>> DNS so that it would continue to be globally
>>>>>> compatible and coordinated. Any solution that
>>>>>> involves fragmenting the policies and practices of
>>>>>> Whois along jurisdictional lines is not desirable.
>>>>>>
>>>>>> 3. No tiered access solution that involves
>>>>>> establishing new criteria for access can feasibly be
>>>>>> created in the next 3 months. We would strongly
>>>>>> resist throwing the community into a hopeless rush to
>>>>>> come up with entirely new policies, standards and
>>>>>> practices involving tiered access to data, and we do
>>>>>> not want ICANN staff to invent a policy that is not
>>>>>> subject to community review and approval.
>>>>>>
>>>>>> Based on these three principles, we believe that
>>>>>> Model 3 is the only viable option available. Model 3
>>>>>> minimizes the data publicly displayed to that which
>>>>>> is required for maintaining the stability, security
>>>>>> and resiliency of the DNS. Model 3 could be applied
>>>>>> across the board, and would be presumptively legal
>>>>>> regardless of which jurisdiction the registrar,
>>>>>> registry or registrant are in. And Model 3 relies on
>>>>>> established legal due process for gaining access to
>>>>>> additional information.
>>>>>>
>>>>>> There is room for discussion about how much data
>>>>>> could be publicly displayed under Model 3 consistent
>>>>>> with ICANN's mission. E.g., it may be within ICANN's
>>>>>> mission to include additional data in the public
>>>>>> record, such as an email address for the technical
>>>>>> contact and even possibly the name of the registrant.
>>>>>>
>>>>>> The process of gaining access to additional data in
>>>>>> Model 1 is completely unacceptable.
>>>>>> Self-certification by any third party requestor is,
>>>>>> we believe, not compliant with GDPR nor does is such
>>>>>> access justified by the purpose of Whois or ICANN's
>>>>>> mission.
>>>>>>
>>>>>> Model 2 might possibly be acceptable if an suitable
>>>>>> set of criteria and processes were devised, but it
>>>>>> simply is not feasible for such a certification
>>>>>> program to be developed in 3 months. A certification
>>>>>> program thrown together in a rush poses huge risks
>>>>>> for loopholes, poor procedures, and a legal challenge
>>>>>> to ICANN, either from DPAs or from individuals affected.
>>>>>>
>>>>>> Dr. Milton L. Mueller
>>>>>>
>>>>>> Professor, School of Public Policy
>>>>>>
>>>>>> Georgia Institute of Technology
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> NCSG-PC mailing list
>>>>> NCSG-PC at lists.ncsg.is <mailto:NCSG-PC at lists.ncsg.is>
>>>>> https://lists.ncsg.is/mailman/listinfo/ncsg-pc <https://lists.ncsg.is/mailman/listinfo/ncsg-pc>
>>>> _______________________________________________ NCSG-PC
>>>> mailing list NCSG-PC at lists.ncsg.is
>>>> <mailto:NCSG-PC at lists.ncsg.is>
>>>> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>>>> <https://lists.ncsg.is/mailman/listinfo/ncsg-pc>
>>>>
>>>> --
>>>> Farzaneh
>>>
>> _______________________________________________
>> NCSG-PC mailing list
>> NCSG-PC at lists.ncsg.is
>> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>
> _______________________________________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20180129/16e2d7b7/attachment.htm>
More information about the NCSG-PC
mailing list