<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [gnso-dataprotection-thickwhois] Draft Registry Agreement Posted Last Night
- To: Marie-Laure Lemineur <mllemineur@xxxxxxxxx>
- Subject: Re: [gnso-dataprotection-thickwhois] Draft Registry Agreement Posted Last Night
- From: Don Blumenthal <dblumenthal@xxxxxxx>
- Date: Thu, 2 May 2013 19:08:30 -0400
Marie-laure,
I had seen 2.18 but it struck me as boilerplate language like I've seen from
merchants about whether they will share information with third parties. It
hadn't occurred to me that Whois publication might be included, but I guess it
could be. Current gTLD contracts have the same language except that the draft
agreement adds (ii) require such registrar to obtain the consent of each
registrant in the TLD for such collection and use of Personal Data. I will run
the question by our GC group.
I also will look at text edits for your other comments. FYI, one of the current
WEIRDS processes is focusing on security issues.
Don
From: Marie-laure Lemineur <mllemineur@xxxxxxxxx<mailto:mllemineur@xxxxxxxxx>>
Date: Wednesday, May 1, 2013 1:19 PM
To: Don Blumenthal <dblumenthal@xxxxxxx<mailto:dblumenthal@xxxxxxx>>
Cc:
"gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thickwhois@xxxxxxxxx>"
<gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thickwhois@xxxxxxxxx>>
Subject: Re: [gnso-dataprotection-thickwhois] Draft Registry Agreement Posted
Last Night
Don and all,
My comments
1/ Regarding the new gTLD Registry Agreement: there is also 2.18 Personal Data
related to consent of registrant for the collection of PII:
2/ Section "Issue description" :
- First paragraph: To be in line with the RAA, we could add AND (WHERE
AVAILABLE) FAX to the sentence "Whois records contain domain registrant´s
......phone numbers." As well as POSTAL address instead of "address";
- I am aware that we already discussed that but I would like to go back to the
definition of "data at rest and data in motion" we are using for the following
reasons:
On one hand, if we want ot use the terms "data at rest" and "data in motion"
(and I am all for it), we have to take into consideration that when those terms
are used, it is generally understood that the reference is made to data being
stored on a computer system.Don ,you know that better than I do! Therefore, in
the second paragraph, where data in motion and data at rest are being defined,
we should specify "on a COMPUTER system". If the group feels it is necessary,
we can also insert the definition of a "computer system" and use the one used
in article one of the CoE Convention of Cybercrime although it might be a
little to much.....http://conventions.coe.int/Treaty/en/Treaties/Word/185.doc
On the other, once we specify "computer system" then we have to fix another
issue that emerges since "data in motion= data transferred from one computer
system to another system" therefore "data in motion" does not equal "data
being transferred from one legal jurisdiction to another".
Bearing that in mind, right now the wording used in the 2d paragraph as follows
""data in motion" is information that is being transferred from one system to
another" is not clear enough. Do we refer to "computer system" or "legal
system"? It might be confusing for the readers....
3/ Section on Data Protection and Privacy in a thin environment:
"data at rest. information will be protected to the extent that
registrars´security safeguards are in place".
a/ We should bear in mind that RFC 3912 (Whois protocol specification)
specifies the following:
Security Considerations
"5. The WHOIS protocol has no provisions for strong security. WHOIS
lacks mechanisms for access control, integrity, and confidentiality.
Accordingly, WHOIS-based services should only be used for information
which is non-sensitive and intended to be accessible to everyone."
b/ We introduce the notion of "security safeguards" in this section and all
through the others. We might want to be more specific and define what we means
by that. Since, depending on who is reading the interpretation might be
different. The notion of "security" is understood in different ways depending
on the context and who is reading: law enforcement, network security,
lawyers....
Well, that would be it for the moment, I hope it helps and does not add more
confusion!
Best,
mll
On Tue, Apr 30, 2013 at 9:03 PM, Don Blumenthal
<dblumenthal@xxxxxxx<mailto:dblumenthal@xxxxxxx>> wrote:
Two provisions apply to our topic, although arguably not to our work since the
contract is in the comment process
Port 43 services are required.
In addition, the last sentence arguably closes the RSEP back door to handling
WHOIS/privacy conflicts.
7.13 Severability; Conflicts with Laws. This Agreement shall be deemed
severable; the invalidity or unenforceability of any term or provision of this
Agreement shall not affect the validity or enforceability of the balance of
this Agreement or of any other term hereof, which shall remain in full force
and effect. If any of the provisions hereof are determined to be invalid or
unenforceable, the parties shall negotiate in good faith to modify this
Agreement so as to effect the original intent of the parties as closely as
possible. ICANN and the Working Group will mutually cooperate to develop an
ICANN procedure for ICANN’s review and consideration of alleged conflicts
between applicable laws and non-WHOIS related provisions of this Agreement.
Until such procedure is developed and implemented by ICANN, ICANN will review
and consider alleged conflicts between applicable laws and non-WHOIS related
provisions of this Agreement in a manner similar to ICANN’s Procedure For
Handling!
WHOIS Conflicts with Privacy Law.
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|