Thanks Tamir, you already summarized some points that we can use for the draft comment! It will be great to have other privacy experts' opinions in this list.

Rafik

2014-06-10 5:03 GMT+09:00 Tamir Israel <[log in to unmask]>:

> FWIW, it seems to me on a quick read that your concerns are on point, Steph.
>
> First, you flag that while one of the core objectives of this RDS was to provide some privacy over WHOIS, most individuals will not be able to shield their identity from the general public. Registrant name and address (but not email address) are 'gated' and hence not available to the general public. But, as you say in your note, all registrants are obligated to provide legal contact info which will be publicly available. This is evident in Annex E and also in footnote 39. While many big companies may use legal counsel or other proxies to register, most individuals and even small businesses will need to use their own name and contact info, thereby defeating the purpose of permitting their contact info to remain 'gated'. So the end result is that more data elements are collected and centralized, without the anticipated *pro quo* of having less information 'gated' or 'publicly available'.
>
> Second, you flag that the RDS' very ambitious data protection project is problematic and will not serve to effectively protect even 'gated' data. I think I agree. As far as I can tell, the EWG proposes to adopt a tiered approach to data protection for RDS data. It is certainly innovative, but I think ultimately it'll be ineffective since the EWG report sets way too many parameters in stone to permit for the data protection mechanisms it adopts to operate.
>
> The privacy protection mechanisms suggested by the EWG are:
> (1) First, they wish to encode some basic privacy principles and apply them across all RDS players by means of contract law, backed up by regulatory enforcement in those jurisdictions that require such things (not clear how ICANN is going to 'harmonize a basic level of data protection rights', something that has been tried and failed repeatedly in multiple fora in the past).
> (2) Second, they intend to localize RDS data storage within a jurisdiction(s) with strong and existing data protection rules (it's not clear how this jurisdiction(s) will be picked).
> (3) Finally, there will be a 'rules engine' that seeks to somehow codify data protection rules for all the world's jurisdictions and to, again somehow, apply these to different data elements based on where these are transferred to, processed, etc. Presumably, data will be marked up based on jurisdictions in which it was stored/processed, and this will provide insight into applicable laws (this ignores realities of the laws of jurisdiction, unless they intend to impose some blanket forum selection clause in and impose it on all elements of the RDS ecosystem).
>
> Ultimately, though, as Steph notes, these efforts are not helpful, as Registrants are forced to 'consent' to a long and extremely broad permissible purposes at point of collection (p. 42 -- Steph's dissent is noted in footnote 7). Once this consent is obtained, a large number of entities can access, use and further disclose the information in question for the many permissible purposes. While the form of consent is subject to the over-arching harmonized privacy principles (1) and to whatever additional jurisdictional rules are piled on (2) and (3), the list of permissible purposes is not variable, and appears offered on a 'take it or leave it' basis. This leaves minimal latitude for any meaningful operation of data protection principles (except, perhaps, those relating to data security, access and accuracy/integrity).
>
> Nor is there any opportunity to minimize collection, as this too is 'hard wired' into the EWG's report, which provides a very long list of mandatory data elements. By contrast, an explicit 'opt-in' mechanism is adopted for governing whether any data elements a registrant provides that are gated by default can be made public. This is good, but it's not clear to me how it helps, as the core identifying data elements are already public.
>
> In terms of law enforcement access, they basically write off any issue since apparently the data in question is not private enough in their opinion to warrant any legal protection at all under any jurisdiction. Nonetheless, they feel the need to locate RDS data in "jurisdiction(s) where law enforcement is globally trusted". Not sure what that means.
>
> Perhaps ironically, the document recognizes the need for anonymity in this context. But it only does so in the context of the proxy service and secure protected credentials which, as Steph points out in her note, are ineffective in the context of individual registrants.
>
> Overall, this seems like an incredibly and unnecessarily complex system that could be managed far more efficiently with simple contactability, plus an ICANN-run mechanism for identification upon demonstration of clear need.
>
> I could be missing something, though. And also apologies for the very lengthy email....
>
> Best,
> Tamir
>
> On 6/8/2014 10:54 AM, Stephanie Perrin wrote:
>
> Folks let me say this:
> 1. Milton, you were not supposed to publish it! I needed to edit it to reflect the new status of it being a minority report, and also no mention of JF Baril
> 2. We need to be sure I am correct. IF they are right and I have misread the report, then I look like an idiot.
> 3. Most of the report is still consensus. As I think I said in the 3 pager, recently, certain principles put everything slightly out of balance....
> Sheesh. Can they ban me from ICANN?
> On a positive note, I must say your blog is well read Milton, I got a sweet note from Mikey. I guess he knows what I feel like right now...
> cheers steph
>
> On 2014-06-08, 3:48 AM, Rafik Dammak wrote:
>
> probably "occupy" the 2 public sessions for EWG i.e. attending them, ask the hard questions and debunk the myth of having consensus.
> privacy issue was suggested by Marilia as 1 of the topics for the meeting with Board too,
> we also should comment on the report itself in due time.
>
> Rafik
>
> Hi
>
> p. 6 "This Final Report, including its recommendations and proposed principles for the next-generation RDS, reflects a consensus."
>
> p. 164 "With the delivery of this Final Report and its 180 consensus-supported principles, the Board's vision has indeed materialized."
>
> p. 165 "Among the EWG members were seasoned entrepreneurs and global leaders (Ajayi, Ala-Pietilä, Neylon, Rasmussen, and Shah). Their collective expertise in balancing risks and their results-oriented problem solving style paved the way to reaching an early consensus among the EWG."
>
> This characterization doesn't seem to quite fit with Stephanie's excellent and (astonishingly) suppressed Dissenting Report…
>
> How shall we proceed in London?
>
> Bill
>
> *From:* Denise Michel [mailto:[log in to unmask] <[log in to unmask]>]
> *Sent:* samedi 7 juin 2014 19:36
> *Subject:* Expert Working Group on gTLD Directory Services (EWG) Final Report
>
> Dear All:
>
> The Expert Working Group on gTLD Directory Services (EWG) has issued their Final Report <https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf>. Given your group's interest in this topic, I wanted to bring this to your attention, along with the public sessions the EWG has scheduled at the ICANN London meeting:
>
> - An introduction to the Final Report: EWG Overview of Final Report <http://london50.icann.org/en/schedule/mon-ewg-final-overview>, Monday, 23 June, 1515 – 1615
> - Two cross-community discussion sessions:
>   - EWG Final Report Discussion Session <http://london50.icann.org/en/schedule/mon-ewg-final-discussion>, Monday, 23 June, 1700 - 1900
>   - EWG Final Report Discussion Session <http://london50.icann.org/en/schedule/wed-ewg-final-discussion>, Wednesday, 25 June, 0800 – 1000
>
> The Final Report fulfills the ICANN Board's directive to help redefine the purpose and provision of gTLD registration data, and provides a foundation to help the ICANN community (through the GNSO) create a new global policy for gTLD directory services. This report represents the culmination of an intense 15 month period of work during which this diverse group of volunteers <https://www.icann.org/resources/pages/gtld-directory-services-2013-02-14-en> created an alternative to today's WHOIS to better serve the global Internet community -- a next-generation Registration Directory Service (RDS).
>
> The EWG looks forward to discussing this with the ICANN community. Thank you for sharing this notice broadly.
>
> Regards,
> Denise
>
> Denise Michel
> VP Strategic Initiatives
> ICANN
> [log in to unmask]
>
> ***********************************************
> William J. Drake
> International Fellow & Lecturer
> Media Change & Innovation Division, IPMZ
> University of Zurich, Switzerland
> Chair, Noncommercial Users Constituency,
> ICANN, www.ncuc.org
> [log in to unmask] (direct), [log in to unmask] (lists),
> www.williamdrake.org
> ***********************************************