Re: [gnso-dataprotection-thickwhois] statement on data protection

[Don Blumenthal <dblumenthal@xxxxxxx>]

Some quick answers in line that may help inform the discussion as we move
along.

On 3/27/13 2:46 PM, "Balleste, Roy" <rballeste@xxxxxxx> wrote:

>
>Don,
>
>Thank you.  I appreciate your views and wanted to share how I perceived
>the discussions going so far, and also my observations and concerns.  If
>we are going to have a good and fruitful discussion, it is important that
>we share completely our views.  If I am wrong, then I want to be
>educated.   I suppose that I could say more, but I will only clarify here
>a few items.
>
>1. By "inapplicable," I mean, innaplicable to our discussion.

Again, in what way? Out of scope or does it also include a situation in
which we decide that concerns are legitimate but that we are not in a
position to provide conclusive answers?

>2. Regarding the report? Could it include a section on the minority view?
>(If there is no concensus?)

I believe that precedent exists for minority views.

>3. The observation about the cross-border issue is a reminder that we
>will not get an answer on that issue without the appropite expert in that
>field.

Who will define "appropriate?"

>4. The letter from Mr. Fadi can be interpreted in more than one way.  It
>is unclear if the Article 29 WP will work via the GAC.  Would they choose
>that route?

I think that Fadi's suggest was clear. The GAC is the established
mechanism for presenting government views. Can the WP 29 WP really refuse
that route and maintain broad credibility if the EC has a place at the
table? 

>5. I distinctively remember the discussion about the Whois data being
>about its vulnerability.  If 'thin' has a problem, it would be great to
>have examples.  I did not say that the discussion was about VeriSign.

I also remember a discussion of vulnerability but also remember a request
for concrete examples. I don't have them. Do you?

>But if a comment is about "thin" Whois, then, VeriSign is in the equation.

Not true since I believe that we agreed that our approach is that we are
addressing what exists now but also what might be required in additional
new gTLD rounds. 

>
>I look forward to the discussion in the best interest of all stakeholders.

Same here.

Don

>-----Original Message-----
>From: Don Blumenthal [mailto:dblumenthal@xxxxxxx]
>Sent: Wednesday, March 27, 2013 1:49 PM
>To: Balleste, Roy; gnso-dataprotection-thickwhois@xxxxxxxxx
>Subject: Re: [gnso-dataprotection-thickwhois] statement on data protection
>
>I appreciate the effort and agree with many of the points here in general
>but have to raise some issues. Our time to have draft preliminary
>thoughts is getting tight, so I'll jump in now rather than waiting for
>this afternoon's call.
>
>First, I think it's premature to characterize the positions of the group.
>The time to summarize stances is when a report has been prepared and
>presented for comment and support. As an aside, my reading of attitudes
>differs from what I see in the document.
>
>
>To be more specific:
>
>Observation 1
>
>
>"These observations, although acknowledged by the sub-group, have not
>persuaded most of its members. The ten issues subsequently presented by
>the NCUC have also been acknowledged, but also found not persuasive, or
>inapplicable.
>
>Most? Maybe a majority of active participants last week but that's far
>from most of the subteam's members. Inapplicable to what? I think it's
>fair to say that some subteam members acknowledge the issues but do not
>believe that we have the resources to provide formal legal opinions or
>risk analyses. Others might suggest that the issues are valid but beyond
>our scope. Again, that's something that may become clear after we draft a
>report.
>
>I'm not clear on the point about registries and registrars in the US vs
>elsewhere. First, the numbers are off. There are many fewer than 21
>unrestricted gTLDs and, knowing PIR's business partners if nothing else,
>gTLD registrars are not limited to Europe and Hong Kong. As long as we're
>cataloguing jurisdictional coverage, I'll also point out that .info is
>managed by an Irish company. As for cross-border jurisdiction, that's an
>ongoing battle in many respects and, on a personal level, many of us in
>the community have been fighting USG attempts to broaden jurisdiction
>through DNS-based measures. With respect to LE, I agree with your point
>about differing views of what it's for. That issue has been part of the
>debate about tiered access at least since the days of CRISP and should be
>raised when ICANN tackles policy issues around a Whois protocol
>replacement, but I don't see the relevance here.
>
>As for Fadi's letter, can't it  be said that it shows that ICANN is aware
>of potential problems and is looking for ways to address them, including
>inviting the Article 29 WP to the table through EC participation in the
>GAC? What more can the PDP WG offer? What might the group say about the
>validity of data protection arguments if the EC doesn't pick up on the
>Article 29 positions in the GAC or if the GAC doesn't press the concerns?
>
>Observation 2
>
>I don't believe that the statement about scattered availability of Whois
>data was focused on Verisign. If it was, the statement was too limited. I
>also don't recall any comment that thin systems are more or less
>vulnerable than thick. The point was that most abuses can be traced to
>VRSN domains but it was acknowledged that the reason is the dominance of
>.com and .net, not necessarily weakness in the registry model. Beyond
>that, our call last week discussed risks but little substance was
>included. Do you have examples?
>
>Your final point was covered in my notes about the call, which you
>couldn't have seen before drafting the memo. However, with regard to the
>last statement, "If privacy cannot be guaranteed, then thick Whois will
>never be a real choice for consumers," has privacy every been guaranteed
>in thing registry setups?
>
>I look forward to continuing our discussions this afternoon. I would like
>to have a broader focus though so we can begin to identify what will be
>in our initial report.
>
>Don
>
>
>From: <Balleste>, Roy <rballeste@xxxxxxx<mailto:rballeste@xxxxxxx>>
>Date: Tuesday, March 26, 2013 6:03 PM
>To: 
>"gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thick
>whois@xxxxxxxxx>" 
><gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thick
>whois@xxxxxxxxx>>
>Subject: [gnso-dataprotection-thickwhois] statement on data protection
>
>Dear colleagues,
>
>This statement (which I submit as an individual with some input from our
>colleagues Avri Doria, Amr Elsadr, and Joanna Kulesza, a lawyer from
>Poland, and expert on European privacy and data protection laws) is
>intended to address a couple of observations made at our last meeting of
>March 20, 2013.  The two additional attachments refer to information
>within the statement.
>
>Kind Regards,
>
>
>Roy
>
>
>
>
>