Thanks Tamir, much appreciated that you took the time to read it! I am
far too close to the document, need someone with new and neutral eyes to
do the reality check.
I would not want to write off these mechanisms as useless....it is just
they are not a match for some of the other mandatory requirements, and
they are, as I put in the comments, the caboose at the end of the
train. Need to have the privacy policy first....
Cheers Steph
On 14-06-09 4:03 PM, Tamir Israel wrote:
> FWIW, it seems to me on a quick read that your concerns are on point,
> Steph.
>
> First, you flag that while one of the core objectives of this RDS was
> to provide some privacy over WHOIS, most individuals will not be able
> to shield their identity from the general public. Registrant name and
> address (but not email address) are 'gated' and hence not available to
> the general public. But, as you say in your note, all registrants are
> obligated to provide legal contact info which will be publicly
> available. This is evident in Annex E and also in footnote 39. While
> many big companies may use legal counsel or other proxies to register,
> most individuals and even small businesses will need to use their own
> name and contact info, thereby defeating the purpose of permitting
> their contact info to remain 'gated'. So the end result is that more
> data elements are collected and centralized, without the anticipated
> /pro quo/ of having less information 'gated' or 'publicly available'.
>
> Second, you flag that the RDS' very ambitious data protection project
> is problematic and will not serve to effectively protect even 'gated'
> data. I think I agree. As far as I can tell, the EWG proposes to adopt
> a tiered approach to data protection for RDS data. It is certainly
> innovative, but I think ultimately it'll be ineffective since the EWG
> report sets way too many parameters in stone to permit for the data
> protection mechanisms it adopts to operate.
>
> The privacy protection mechanisms suggested by the EWG are:
> (1) First, they wish to encode some basic privacy principles and apply
> them across all RDS players by means of contract law, backed up by
> regulatory enforcement in those jurisdictions that require such things
> (not clear how ICANN is going to 'harmonize a basic level of data
> protection rights', something that has been tried and failed
> repeatedly in multiple fora in the past).
> (2) Second, they intend to localize RDS data storage within a
> jurisdiction(s) with strong and existing data protection rules (it's
> not clear how this jurisdiction(s) will be picked).
> (3) Finally, there will be a 'rules engine' that seeks to somehow
> codify data protection rules for all the world's jurisdictions and to,
> again somehow, apply these to different data elements based on where
> these are transferred to, processed, etc. Presumably, data will be
> marked up based on jurisdictions in which it was stored/processed, and
> this will provide insight into applicable laws (this ignores realities
> of the laws of jurisdiction, unless they intend to impose some blanket
> forum selection clause in and impose it on all elements of the RDS
> ecosystem).
>
> Ultimately, though, as Steph notes, these efforts are not helpful, as
> Registrants are forced to 'consent' to a long and extremely broad
> permissible purposes at point of collection (p. 42 -- Stephs' dissent
> is noted in footnote 7). Once this consent is obtained, a large number
> of entities can access, use and further disclose the information in
> question for the many permissible purposes. While the form of consent
> is subject to the over-arching harmonized privacy principles (1) and
> to whatever additional jurisdictional rules are piled on (2) and (3),
> the list of permissible purposes is not variable, and appears offered
> on a 'take it or leave it' basis. This leaves minimal latitude for any
> meaningful operation of data protection principles (except, perhaps,
> those relating to data security, access and accuracy/integrity).
>
> Nor is there any opportunity to minimize collection, as this too is
> 'hard wired' into the EWG's report, which provide a very long list of
> mandatory data elements. By contrast, an explicit 'opt-in' mechanism
> is adopted for governing whether any data elements a registrant
> provides that are gated by default can be made public. This is good,
> but it's not clear to me how it helps, as the core identifying data
> elements are already public.
>
> In terms of law enforcement access, they basically write off any issue
> since apparently the data in question is not private enough in their
> opinion to warrant any legal protection at all under any jurisdiction.
> Nonetheless, they feel the need to locate RDS data in "jurisdiction(s)
> where law enforcement is globally trusted". Not sure what that means.
>
> Perhaps ironically, the document recognizes the need for anonymity in
> this context. But it only does so in the context of the proxy service
> and secure protected credentials which, as steph points out in her
> note, are ineffective in the context of individual registrants.
>
> Overall, this seems like an incredibly and unnecessarily complex
> system that could be managed far more efficiently with simple
> contactability, plus an ICANN-run mechanism for identification upon
> demonstration of clear need.
>
> I could be missing something, though. And also apologies for the very
> lengthy email....
>
> Best,
> Tamir
>
> On 6/8/2014 10:54 AM, Stephanie Perrin wrote:
>> Folks let me say this:
>> 1. Milton, you were not supposed to publish it! I needed to edt it
>> to reflect the new status of it being a minority report, and also no
>> mention of JF Baril
>> 2. We need to be sure I am correct. IF they are right and i have
>> misread the report, then I look like an idiot.
>> 3. Most of the report is still concensus. AS I think I said in the
>> 3 pager, recently, certain principles put everything slightly out of
>> balance....
>> Sheesh. Can they bann me from ICANN?
>> ON a positive note, I must say your blog is well read Milton, I got a
>> sweet note from Mikey. I guess he knows what I feel like right now...
>> cheers steph
>>
>> On 2014-06-08, 3:48 AM, Rafik Dammak wrote:
>>>
>>> probably "occupy" the 2 public sessions for EWG i.e. attending them
>>> , ask the hard questions and debunk the myth of having consensus.
>>> privacy issue was suggested by Marilia as 1 of the topics for the
>>> meeting with Board too,
>>> we also should comment the report itself in due time.
>>>
>>> Rafik
>>>
>>> Hi
>>>
>>> p. 6 "This Final Report, including its recommendations and proposed
>>> principles for the next- generation RDS, reflects a consensus.”
>>>
>>> p. 164 "With the delivery of this Final Report and its 180
>>> consensus-supported principles, the Board’s vision has indeed
>>> materialized.”
>>>
>>> p. 165 "Among the EWG members were seasoned entrepreneurs and global
>>> leaders (Ajayi, Ala- Pietilä, Neylon, Rasmussen, and Shah). Their
>>> collective expertise in balancing risks and their results-oriented
>>> problem solving style paved the way to reaching an early consensus
>>> among the EWG.”
>>>
>>> This characterization doesn’t seem to quite fit with Stephanie’s
>>> excellent and (astonishingly) suppressed Dissenting Report…
>>>
>>> How shall we proceed in London?
>>>
>>> Bill
>>>
>>>>
>>>> *From:*Denise Michel [mailto:[log in to unmask]]
>>>> *Sent:*samedi 7 juin 2014 19:36
>>>> *Subject:*Expert Working Group on gTLD Directory Services (EWG)
>>>> Final Report
>>>> Dear All:
>>>> The Expert Working Group on gTLD Directory Services (EWG) has
>>>> issued their Final Report
>>>> <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf>.
>>>> Given your group's interest in this topic, I wanted to bring this
>>>> to your attention, along with the public sessions the EWG has
>>>> scheduled at the ICANN London meeting:
>>>>
>>>> * An introduction to the Final Report: EWG Overview of Final
>>>> Report
>>>> <http://london50.icann.org/en/schedule/mon-ewg-final-overview>,
>>>> Monday, 23 June, 1515 – 1615
>>>> * Two cross-community discussion sessions:
>>>> o EWG Final Report Discussion Session
>>>> <http://london50.icann.org/en/schedule/mon-ewg-final-discussion>, Monday,
>>>> 23 June, 1700 - 1900
>>>> o EWG Final Report Discussion Session
>>>> <http://london50.icann.org/en/schedule/wed-ewg-final-discussion>,
>>>> Wednesday, 25 June, 0800 – 1000
>>>>
>>>> The Final Report fulfills the ICANN Board's directive to help
>>>> redefine the purpose and provision of gTLD registration data, and
>>>> provides a foundation to help the ICANN community (through the
>>>> GNSO) create a new global policy for gTLD directory services. This
>>>> report represents the culmination of an intense 15 month period of
>>>> work during which this diverse group of volunteers
>>>> <https://www.icann.org/resources/pages/gtld-directory-services-2013-02-14-en> created
>>>> an alternative to today's WHOIS to better serve the global Internet
>>>> community -- a next-generation Registration Directory Service (RDS).
>>>> The EWG looks forward to discussing this with the ICANN community.
>>>> Thank you for sharing this notice broadly.
>>>> Regards,
>>>> Denise
>>>> Denise Michel
>>>> VP Strategic Initiatives
>>>> ICANN
>>>> [log in to unmask] <mailto:[log in to unmask]>
>>>
>>> ***********************************************
>>> William J. Drake
>>> International Fellow & Lecturer
>>> Media Change & Innovation Division, IPMZ
>>> University of Zurich, Switzerland
>>> Chair, Noncommercial Users Constituency,
>>> ICANN, www.ncuc.org <http://www.ncuc.org>
>>> [log in to unmask] <mailto:[log in to unmask]> (direct),
>>> [log in to unmask] <mailto:[log in to unmask]> (lists),
>>> www.williamdrake.org <http://www.williamdrake.org>
>>> ***********************************************
>>>
>>
|