Re: [gnso-dataprotection-thickwhois] statement on data protection

[Don Blumenthal <dblumenthal@xxxxxxx>]

I appreciate the effort and agree with many of the points here in general but 
have to raise some issues. Our time to have draft preliminary thoughts is 
getting tight, so I'll jump in now rather than waiting for this afternoon's 
call.

First, I think it's premature to characterize the positions of the group. The 
time to summarize stances is when a report has been prepared and presented for 
comment and support. As an aside, my reading of attitudes differs from what I 
see in the document.

To be more specific:

Observation 1


"These observations, although acknowledged by the sub-group, have not persuaded 
most of its members. The ten issues subsequently presented by the NCUC have 
also been acknowledged, but also found not persuasive, or inapplicable.

Most? Maybe a majority of active participants last week but that's far from 
most of the subteam's members. Inapplicable to what? I think it's fair to say 
that some subteam members acknowledge the issues but do not believe that we 
have the resources to provide formal legal opinions or risk analyses. Others 
might suggest that the issues are valid but beyond our scope. Again, that's 
something that may become clear after we draft a report.

I'm not clear on the point about registries and registrars in the US vs 
elsewhere. First, the numbers are off. There are many fewer than 21 
unrestricted gTLDs and, knowing PIR's business partners if nothing else, gTLD 
registrars are not limited to Europe and Hong Kong. As long as we're 
cataloguing jurisdictional coverage, I'll also point out that .info is managed 
by an Irish company. As for cross-border jurisdiction, that's an ongoing battle 
in many respects and, on a personal level, many of us in the community have 
been fighting USG attempts to broaden jurisdiction through DNS-based measures. 
With respect to LE, I agree with your point about differing views of what it's 
for. That issue has been part of the debate about tiered access at least since 
the days of CRISP and should be raised when ICANN tackles policy issues around 
a Whois protocol replacement, but I don't see the relevance here.

As for Fadi's letter, can't it  be said that it shows that ICANN is aware of 
potential problems and is looking for ways to address them, including inviting 
the Article 29 WP to the table through EC participation in the GAC? What more 
can the PDP WG offer? What might the group say about the validity of data 
protection arguments if the EC doesn't pick up on the Article 29 positions in 
the GAC or if the GAC doesn't press the concerns?

Observation 2

I don't believe that the statement about scattered availability of Whois data 
was focused on Verisign. If it was, the statement was too limited. I also don't 
recall any comment that thin systems are more or less vulnerable than thick. 
The point was that most abuses can be traced to VRSN domains but it was 
acknowledged that the reason is the dominance of .com and .net, not necessarily 
weakness in the registry model. Beyond that, our call last week discussed risks 
but little substance was included. Do you have examples?

Your final point was covered in my notes about the call, which you couldn't 
have seen before drafting the memo. However, with regard to the last statement, 
"If privacy cannot be guaranteed, then thick Whois will never be a real choice 
for consumers," has privacy every been guaranteed in thing registry setups?

I look forward to continuing our discussions this afternoon. I would like to 
have a broader focus though so we can begin to identify what will be in our 
initial report.

Don


From: <Balleste>, Roy <rballeste@xxxxxxx<mailto:rballeste@xxxxxxx>>
Date: Tuesday, March 26, 2013 6:03 PM
To: 
"gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thickwhois@xxxxxxxxx>"
 
<gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thickwhois@xxxxxxxxx>>
Subject: [gnso-dataprotection-thickwhois] statement on data protection

Dear colleagues,

This statement (which I submit as an individual with some input from our 
colleagues Avri Doria, Amr Elsadr, and Joanna Kulesza, a lawyer from Poland, 
and expert on European privacy and data protection laws) is intended to address 
a couple of observations made at our last meeting of March 20, 2013.  The two 
additional attachments refer to information within the statement.

Kind Regards,


Roy