Thanks Tamir, much appreciated that you took the time to read it! I am far too close to the document, need someone with new and neutral eyes to do the reality check. I would not want to write off these mechanisms as useless....it is just they are not a match for some of the other mandatory requirements, and they are, as I put in the comments, the caboose at the end of the train. Need to have the privacy policy first.... Cheers Steph On 14-06-09 4:03 PM, Tamir Israel wrote: > FWIW, it seems to me on a quick read that your concerns are on point, > Steph. > > First, you flag that while one of the core objectives of this RDS was > to provide some privacy over WHOIS, most individuals will not be able > to shield their identity from the general public. Registrant name and > address (but not email address) are 'gated' and hence not available to > the general public. But, as you say in your note, all registrants are > obligated to provide legal contact info which will be publicly > available. This is evident in Annex E and also in footnote 39. While > many big companies may use legal counsel or other proxies to register, > most individuals and even small businesses will need to use their own > name and contact info, thereby defeating the purpose of permitting > their contact info to remain 'gated'. So the end result is that more > data elements are collected and centralized, without the anticipated > /pro quo/ of having less information 'gated' or 'publicly available'. > > Second, you flag that the RDS' very ambitious data protection project > is problematic and will not serve to effectively protect even 'gated' > data. I think I agree. As far as I can tell, the EWG proposes to adopt > a tiered approach to data protection for RDS data. It is certainly > innovative, but I think ultimately it'll be ineffective since the EWG > report sets way too many parameters in stone to permit for the data > protection mechanisms it adopts to operate. > > The privacy protection mechanisms suggested by the EWG are: > (1) First, they wish to encode some basic privacy principles and apply > them across all RDS players by means of contract law, backed up by > regulatory enforcement in those jurisdictions that require such things > (not clear how ICANN is going to 'harmonize a basic level of data > protection rights', something that has been tried and failed > repeatedly in multiple fora in the past). > (2) Second, they intend to localize RDS data storage within a > jurisdiction(s) with strong and existing data protection rules (it's > not clear how this jurisdiction(s) will be picked). > (3) Finally, there will be a 'rules engine' that seeks to somehow > codify data protection rules for all the world's jurisdictions and to, > again somehow, apply these to different data elements based on where > these are transferred to, processed, etc. Presumably, data will be > marked up based on jurisdictions in which it was stored/processed, and > this will provide insight into applicable laws (this ignores realities > of the laws of jurisdiction, unless they intend to impose some blanket > forum selection clause in and impose it on all elements of the RDS > ecosystem). > > Ultimately, though, as Steph notes, these efforts are not helpful, as > Registrants are forced to 'consent' to a long and extremely broad > permissible purposes at point of collection (p. 42 -- Stephs' dissent > is noted in footnote 7). Once this consent is obtained, a large number > of entities can access, use and further disclose the information in > question for the many permissible purposes. While the form of consent > is subject to the over-arching harmonized privacy principles (1) and > to whatever additional jurisdictional rules are piled on (2) and (3), > the list of permissible purposes is not variable, and appears offered > on a 'take it or leave it' basis. This leaves minimal latitude for any > meaningful operation of data protection principles (except, perhaps, > those relating to data security, access and accuracy/integrity). > > Nor is there any opportunity to minimize collection, as this too is > 'hard wired' into the EWG's report, which provide a very long list of > mandatory data elements. By contrast, an explicit 'opt-in' mechanism > is adopted for governing whether any data elements a registrant > provides that are gated by default can be made public. This is good, > but it's not clear to me how it helps, as the core identifying data > elements are already public. > > In terms of law enforcement access, they basically write off any issue > since apparently the data in question is not private enough in their > opinion to warrant any legal protection at all under any jurisdiction. > Nonetheless, they feel the need to locate RDS data in "jurisdiction(s) > where law enforcement is globally trusted". Not sure what that means. > > Perhaps ironically, the document recognizes the need for anonymity in > this context. But it only does so in the context of the proxy service > and secure protected credentials which, as steph points out in her > note, are ineffective in the context of individual registrants. > > Overall, this seems like an incredibly and unnecessarily complex > system that could be managed far more efficiently with simple > contactability, plus an ICANN-run mechanism for identification upon > demonstration of clear need. > > I could be missing something, though. And also apologies for the very > lengthy email.... > > Best, > Tamir > > On 6/8/2014 10:54 AM, Stephanie Perrin wrote: >> Folks let me say this: >> 1. Milton, you were not supposed to publish it! I needed to edt it >> to reflect the new status of it being a minority report, and also no >> mention of JF Baril >> 2. We need to be sure I am correct. IF they are right and i have >> misread the report, then I look like an idiot. >> 3. Most of the report is still concensus. AS I think I said in the >> 3 pager, recently, certain principles put everything slightly out of >> balance.... >> Sheesh. Can they bann me from ICANN? >> ON a positive note, I must say your blog is well read Milton, I got a >> sweet note from Mikey. I guess he knows what I feel like right now... >> cheers steph >> >> On 2014-06-08, 3:48 AM, Rafik Dammak wrote: >>> >>> probably "occupy" the 2 public sessions for EWG i.e. attending them >>> , ask the hard questions and debunk the myth of having consensus. >>> privacy issue was suggested by Marilia as 1 of the topics for the >>> meeting with Board too, >>> we also should comment the report itself in due time. >>> >>> Rafik >>> >>> Hi >>> >>> p. 6 "This Final Report, including its recommendations and proposed >>> principles for the next- generation RDS, reflects a consensus.” >>> >>> p. 164 "With the delivery of this Final Report and its 180 >>> consensus-supported principles, the Board’s vision has indeed >>> materialized.” >>> >>> p. 165 "Among the EWG members were seasoned entrepreneurs and global >>> leaders (Ajayi, Ala- Pietilä, Neylon, Rasmussen, and Shah). Their >>> collective expertise in balancing risks and their results-oriented >>> problem solving style paved the way to reaching an early consensus >>> among the EWG.” >>> >>> This characterization doesn’t seem to quite fit with Stephanie’s >>> excellent and (astonishingly) suppressed Dissenting Report… >>> >>> How shall we proceed in London? >>> >>> Bill >>> >>>> >>>> *From:*Denise Michel [mailto:[log in to unmask]] >>>> *Sent:*samedi 7 juin 2014 19:36 >>>> *Subject:*Expert Working Group on gTLD Directory Services (EWG) >>>> Final Report >>>> Dear All: >>>> The Expert Working Group on gTLD Directory Services (EWG) has >>>> issued their Final Report >>>> <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf>. >>>> Given your group's interest in this topic, I wanted to bring this >>>> to your attention, along with the public sessions the EWG has >>>> scheduled at the ICANN London meeting: >>>> >>>> * An introduction to the Final Report: EWG Overview of Final >>>> Report >>>> <http://london50.icann.org/en/schedule/mon-ewg-final-overview>, >>>> Monday, 23 June, 1515 – 1615 >>>> * Two cross-community discussion sessions: >>>> o EWG Final Report Discussion Session >>>> <http://london50.icann.org/en/schedule/mon-ewg-final-discussion>, Monday, >>>> 23 June, 1700 - 1900 >>>> o EWG Final Report Discussion Session >>>> <http://london50.icann.org/en/schedule/wed-ewg-final-discussion>, >>>> Wednesday, 25 June, 0800 – 1000 >>>> >>>> The Final Report fulfills the ICANN Board's directive to help >>>> redefine the purpose and provision of gTLD registration data, and >>>> provides a foundation to help the ICANN community (through the >>>> GNSO) create a new global policy for gTLD directory services. This >>>> report represents the culmination of an intense 15 month period of >>>> work during which this diverse group of volunteers >>>> <https://www.icann.org/resources/pages/gtld-directory-services-2013-02-14-en> created >>>> an alternative to today's WHOIS to better serve the global Internet >>>> community -- a next-generation Registration Directory Service (RDS). >>>> The EWG looks forward to discussing this with the ICANN community. >>>> Thank you for sharing this notice broadly. >>>> Regards, >>>> Denise >>>> Denise Michel >>>> VP Strategic Initiatives >>>> ICANN >>>> [log in to unmask] <mailto:[log in to unmask]> >>> >>> *********************************************** >>> William J. Drake >>> International Fellow & Lecturer >>> Media Change & Innovation Division, IPMZ >>> University of Zurich, Switzerland >>> Chair, Noncommercial Users Constituency, >>> ICANN, www.ncuc.org <http://www.ncuc.org> >>> [log in to unmask] <mailto:[log in to unmask]> (direct), >>> [log in to unmask] <mailto:[log in to unmask]> (lists), >>> www.williamdrake.org <http://www.williamdrake.org> >>> *********************************************** >>> >>