Re: [gnso-dataprotection-thickwhois] Draft Registry Agreement Posted Last Night

[marie-laure Lemineur <mllemineur@xxxxxxxxx>]

Don and all,

My comments

1/ Regarding the *new gTLD Registry Agreement*:  there is also 2.18
Personal Data related to consent of registrant for the collection of PII:

*2/ Section "Issue description**"* :

- First paragraph: To be  in line with the RAA, we  could add  AND (WHERE
AVAILABLE) FAX to the sentence "Whois records contain domain registrant´s
......phone numbers." As well as POSTAL address instead of "address";

- I am aware that we already discussed that but I would like to go back to
the definition of "data at rest and data in motion" we are using for the
following reasons:

On one hand, if we want ot use the terms "data at rest" and "data in
motion" (and I am all for it), we have to take into consideration that
when those terms are used, it is generally understood that the reference is
made to data being stored on a computer system.Don ,you know that better
than I do!  Therefore, in the second paragraph, where data in motion and
data at rest are being defined, we should specify "on a COMPUTER
system". If the group feels it is necessary, we can also insert
 the  definition of a "computer system" and use the one used in  article
one  of the CoE Convention of Cybercrime although it might be a little to
much.....http://conventions.coe.int/Treaty/en/Treaties/Word/185.doc

On the other, once we specify "computer system" then we have to
fix another issue that emerges since "data in motion= data transferred from
one computer system to another system"  therefore "data in motion" does not
equal "data being transferred from one legal jurisdiction to another".

Bearing that in mind, right now the wording used in the 2d paragraph as
follows ""data in motion" is information that is being transferred from one
system to another" is not clear enough. Do we refer to "computer system" or
"legal system"?  It might be confusing for the readers....

*3/  Section on Data Protection and Privacy in a thin environment:*
**
"data at rest. information will be protected to the extent that
registrars´security safeguards are in place".

  * a/* We should bear in mind that RFC 3912 (Whois protocol specification)
specifies the following:

Security Considerations

"5. The WHOIS protocol has no provisions for strong security.  WHOIS
   lacks mechanisms for access control, integrity, and confidentiality.
   Accordingly, WHOIS-based services should only be used for information
   which is non-sensitive and intended to be accessible to everyone."

*  b/* We introduce the notion of "security safeguards" in this section and
all through the others. We might want to be more specific and define what
we means by that. Since, depending on who is reading the interpretation
might be different. The notion of "security" is understood in different
ways  depending on the context and who is reading: law enforcement, network
security, lawyers....

 Well, that would be it for the moment, I hope it helps and does not add
more confusion!

Best,

mll

On Tue, Apr 30, 2013 at 9:03 PM, Don Blumenthal <dblumenthal@xxxxxxx> wrote:

>
> Two provisions apply to our topic, although arguably not to our work since
> the contract is in the comment process
>
> Port 43 services are required.
>
> In addition, the last sentence arguably closes the RSEP back door to
> handling WHOIS/privacy conflicts.
>
>
> 7.13 Severability; Conflicts with Laws. This Agreement shall be deemed
> severable; the invalidity or unenforceability of any term or provision of
> this Agreement shall not affect the validity or enforceability of the
> balance of this Agreement or of any other term hereof, which shall remain
> in full force and effect. If any of the provisions hereof are determined to
> be invalid or unenforceable, the parties shall negotiate in good faith to
> modify this Agreement so as to effect the original intent of the parties as
> closely as possible. ICANN and the Working Group will mutually cooperate to
> develop an ICANN procedure for ICANN’s review and consideration of alleged
> conflicts between applicable laws and non-WHOIS related provisions of this
> Agreement. Until such procedure is developed and implemented by ICANN,
> ICANN will review and consider alleged conflicts between applicable laws
> and non-WHOIS related provisions of this Agreement in a manner similar to
> ICANN’s Procedure For Handling!
>   WHOIS Conflicts with Privacy Law.
>
>