Thanks for Stephanie, for the Insight. On Mon, 26 Feb 2024, 4:47 pm Stephanie E Perrin, < [log in to unmask]> wrote: > I am very sorry to have missed the discussion today. Thanks very much for > your informative summary Ken. I will listen to the recording of the > session today when it arrives, and chime in on the list. I have been > sitting on the RDRS group for some time. > > I hope that the issue of ICANN's controllership came up, and the cost > issues. ICANN has been reluctant to take on the responsibility of > controllership for personal information of registrants, so the registrars > and registries are the data controllers....which means they get to decide > whether and when to release personal data, absent a court order. Persons > whose information is being processed (and released) do indeed have a right > to know on what basis that data is being released, and to whom. To me > this is the crux of the matter, the extent to which ICANN wanted to assume > more of a controller role and set policy on how much data has to be > released, what prices could be charged, when the individual would be told > of the release etc. Arguably all the years that it ignored data protection > law it was assuming a controller role, because it insisted that the data be > released, and any registrar (who clearly are controllers and collect a lot > more data which is more useful, notably financial data) who wished to > comply with local data protection law had to make a case for doing so and > appeal to ICANN's legal department for permission. > > We argued that requestors do not have a right to get personal information > of individuals. I expect we will continue to have to argue that as and > when ICANN moves forward with the scoping team on accuracy of data. The > GNSO Council just voted to kick that can down the road for a few more > months, but the demand for more accurate data persists. Statistics from > the current exercise will be useful when that exercise gets going. > > Kind regards > > Stephanie Perrin > On 2024-02-23 12:51 p.m., Ken Herman wrote: > > Thanks, Farzaneh, for the clarifications. Always a learning experience for > me. It’s likely I didn’t quite capture all the nuances, and it’s also > possible that these points weren’t addressed. > > > > Regarding the processes used by registrars, that sounds to me like the > crux of the issue. Regardless of the system, it is left to the registrars > to validate the requestors and it doesn’t appear that there are any > standards or really anything that will help registrants know if their > registrar is likely to reveal their private, sensitive personal information. > > > > It would be terrific if you can participate on Monday as I’m sure other > comments like yours will surface. > > > > And, well, maybe “ignore” wasn’t one of the options used, but it sure > seemed that way to me, as in “maybe we won’t get to this” And maybe the > registrars aren’t “obliged” to respond, but statistics on responses are > being kept. Probably I could have phrased that better. > > > > Ken > > > > *From:* farzaneh badii <[log in to unmask]> > <[log in to unmask]> > *Sent:* Friday, February 23, 2024 12:12 PM > *To:* Ken Herman <[log in to unmask]> <[log in to unmask]> > *Cc:* NCSG-Discuss <[log in to unmask]> > <[log in to unmask]>; [log in to unmask] > *Subject:* Re: [NCUC-DISCUSS] RDRS Special Event Summary > > > > Ken > > Just a quick reaction to this: > > - Registration data, knowing who owns what domain name and how that > owner can be contacted, is a central component of the Internet. > > Registration of data was never ever about "who owns" the domain name. It > was about contactibility of registrant. We have been correcting ICANN board > and others on this issue since the beginning of these discussions. > > - Prior to 2018, ownership data was easily available and public. After > the EU GDPR in 2018, Ownership data became redacted. > > The term ownership is interesting. Never ever ownership was redacted. > Domain name registrant is not even necessarily the owner. Also are > registrars accepting that domain names are property to be owned? Great. but > domain name registration data is not the ownership ledger. > > > > - As privacy laws like the GDPR began to restrict access to the > information about owners and operators of domain names, new systems, like > the RDRS, were developed to manage the process of revealing private > information to those with a need to know it. > > it was never about access to information. It was access to private, > sensitive personal information of people. Also the system was developed to > give access to people who actually have a legitimate interest not people > with a need to know it!! > > > > - *Each registrar has its own process for validating requestors, with > no input or guidance from ICANN.* > > Can we at least know what those processes are? > > > > How are registrars obliged to respond but can ignore the request? Do they > tell the requestor: hey we are ignoring you? > > > > > > > > > > > > > > Farzaneh > > > > > > On Fri, Feb 23, 2024 at 12:01 PM Ken Herman <[log in to unmask]> wrote: > > Hello NCSG and NCUC members. > > > > Thanks to everyone who was able to attend this week’s briefing on ICANN’s > Remote Data Request System (RDRS). > > > > After an introduction by Wisdom, Kathy provided background and was > followed by a presentation by Ms. Diana Middleton of ICANN. The session > then invited Ms. Sarah Wyld and Ms. Reg Levy, both from the registrar > Tucows, to offer their perspective. > > > > The purpose of the session was to gather facts and provide an opportunity > for members of the non-commercial community to learn about the RDRS, both > from the perspective of ICANN and the point of view of a registrar. > > > > The presenters shared a lot of information about the RDRS and the > processes. I attached the slides from the ICANN presentation as well as the > latest ICANN RDRS statistics report. > > > > I have put here some (not all!) of the points presented, and I encourage > anyone who attended (or reviewed the transcript) to add anything important > that would be useful to share. > > - Registration data, knowing who owns what domain name and how that > owner can be contacted, is a central component of the Internet. > - Prior to 2018, ownership data was easily available and public. After > the EU GDPR in 2018, Ownership data became redacted. > - As privacy laws like the GDPR began to restrict access to the > information about owners and operators of domain names, new systems, like > the RDRS, were developed to manage the process of revealing private > information to those with a need to know it. > - RDRS is a pilot, intended to run for 2 years so the board can gather > statistics and experience before making any further decisions about its > future. > - The RDRS was developed to simplify the process used by interested > parties to request redacted data. > - Demand for the system is unknown; that is the reason for the pilot. > - Originally, a System for Standardized Access and Disclosure (SSAD) > was proposed, which included many features, but deemed too complex so the > RDRS was created instead. > - Parties interested in redacted data must register on the system and > identify their role (law enforcement, government agencies, intellectual > property professionals, cybersecurity researchers, et al.) > - The system presents these registered parties with a form to describe > their interest in a specific domain name. > - Registrars, which are the custodians of personal data) are invited > by ICANN to participate, but not all do. Participating registrars also have > access to the system and can view and are obliged to act upon requests. > - Participating registrars review the requests and decide what to do > with them, to either comply, reject or ignore. For requests that would go > to non-participating registrars, requestors have the option of printing a > pdf of the request to send to the appropriate registrar. > - Some registrars, like Tucows, already had a system to respond to > requests for redacted data. > - *Each participating registrar decides how to handle requests. This > includes validating the requestor’s credentials and determining whether or > not to comply with the request, taking into account their understanding of > the request and compliance with local laws. * > - *Each registrar has its own process for validating requestors, with > no input or guidance from ICANN.* > - *ICANN’s role is to accept the requests and tabulate the responses > by registrars.* > - *ICANN knows the details the requestor placed on the form.* > > > > ICANN publishes a monthly report with RDRS statistics. The second report > covers from the period from inception to January 31, and is attached, but > it can also be found at: > https://www.icann.org/en/system/files/files/rdrs-usage-metrics-16feb24-en.pdf > . > > > > Some interesting statistics: > > - 510 requests submitted to participating registrars. > - 274 requests submitted (estimated) to non-participating registrars. > - 35.5% of requests received from requestors self-identified as IP > holders. > - 11% of requests received from requestors self-identified as law > enforcement. > - 72% of requests received were denied. > - 29% of denied requests were denied due to “Contracted party cannot > disclose the data due to applicable law” (the most of all reasons). > > > > *All members are invited to join a follow-up session scheduled for Monday, > February 26 at 15:00 UTC. *This is intended to be an informal opportunity > for community members to discuss the information provided and to identify > any further questions to follow-up with ICANN for information that might be > useful. > > > > Thanks again to all who participated with special thanks to our speakers, > Diana Middleton from ICANN and Sarah Wyld and Reg Levy from Tucows, as well > as our own Kathy Kleiman, who provided the necessary background and Wisdom > who ably acted as Master of Ceremony for the event. Also, we are grateful > to Andrea or arranging the Zoom link and keeping track of questions in the > chat. She posted the link to the recording for those interested but could > not attend. > > > > Ken > > > > _______________________________________________ > Ncuc-discuss mailing list > [log in to unmask] > https://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss > >