Re: [gnso-dataprotection-thickwhois] Draft Registry Agreement Posted Last Night

[Don Blumenthal <dblumenthal@xxxxxxx>]

Marie-laure,

I had seen 2.18 but it struck me as boilerplate language like I've seen from 
merchants about whether they will share information with third parties. It 
hadn't occurred to me that Whois publication might be included, but I guess it 
could be. Current gTLD contracts have the same language except that the draft 
agreement adds (ii) require such registrar to obtain the consent of each 
registrant in the TLD for such collection and use of Personal Data. I will run 
the question by our GC group.

I also will look at text edits for your other comments. FYI, one of the current 
WEIRDS processes is focusing on security issues.

Don

From: Marie-laure Lemineur <mllemineur@xxxxxxxxx<mailto:mllemineur@xxxxxxxxx>>
Date: Wednesday, May 1, 2013 1:19 PM
To: Don Blumenthal <dblumenthal@xxxxxxx<mailto:dblumenthal@xxxxxxx>>
Cc: 
"gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thickwhois@xxxxxxxxx>"
 
<gnso-dataprotection-thickwhois@xxxxxxxxx<mailto:gnso-dataprotection-thickwhois@xxxxxxxxx>>
Subject: Re: [gnso-dataprotection-thickwhois] Draft Registry Agreement Posted 
Last Night

Don and all,

My comments

1/ Regarding the new gTLD Registry Agreement:  there is also 2.18 Personal Data 
related to consent of registrant for the collection of PII:

2/ Section "Issue description" :

- First paragraph: To be  in line with the RAA, we  could add  AND (WHERE 
AVAILABLE) FAX to the sentence "Whois records contain domain registrant´s 
......phone numbers." As well as POSTAL address instead of "address";

- I am aware that we already discussed that but I would like to go back to the 
definition of "data at rest and data in motion" we are using for the following 
reasons:

On one hand, if we want ot use the terms "data at rest" and "data in motion" 
(and I am all for it), we have to take into consideration that when those terms 
are used, it is generally understood that the reference is made to data being 
stored on a computer system.Don ,you know that better than I do!  Therefore, in 
the second paragraph, where data in motion and data at rest are being defined, 
we should specify "on a COMPUTER system". If the group feels it is necessary, 
we can also insert  the  definition of a "computer system" and use the one used 
in  article one  of the CoE Convention of Cybercrime although it might be a 
little to much.....http://conventions.coe.int/Treaty/en/Treaties/Word/185.doc

On the other, once we specify "computer system" then we have to fix another 
issue that emerges since "data in motion= data transferred from one computer 
system to another system"  therefore "data in motion" does not equal "data 
being transferred from one legal jurisdiction to another".

Bearing that in mind, right now the wording used in the 2d paragraph as follows 
""data in motion" is information that is being transferred from one system to 
another" is not clear enough. Do we refer to "computer system" or "legal 
system"?  It might be confusing for the readers....

3/  Section on Data Protection and Privacy in a thin environment:

"data at rest. information will be protected to the extent that 
registrars´security safeguards are in place".

   a/ We should bear in mind that RFC 3912 (Whois protocol specification) 
specifies the following:

Security Considerations

"5. The WHOIS protocol has no provisions for strong security.  WHOIS
   lacks mechanisms for access control, integrity, and confidentiality.
   Accordingly, WHOIS-based services should only be used for information
   which is non-sensitive and intended to be accessible to everyone."

  b/ We introduce the notion of "security safeguards" in this section and all 
through the others. We might want to be more specific and define what we means 
by that. Since, depending on who is reading the interpretation might be 
different. The notion of "security" is understood in different ways  depending 
on the context and who is reading: law enforcement, network security, 
lawyers....

 Well, that would be it for the moment, I hope it helps and does not add more 
confusion!

Best,

mll

On Tue, Apr 30, 2013 at 9:03 PM, Don Blumenthal 
<dblumenthal@xxxxxxx<mailto:dblumenthal@xxxxxxx>> wrote:

Two provisions apply to our topic, although arguably not to our work since the 
contract is in the comment process

Port 43 services are required.

In addition, the last sentence arguably closes the RSEP back door to handling 
WHOIS/privacy conflicts.


7.13 Severability; Conflicts with Laws. This Agreement shall be deemed 
severable; the invalidity or unenforceability of any term or provision of this 
Agreement shall not affect the validity or enforceability of the balance of 
this Agreement or of any other term hereof, which shall remain in full force 
and effect. If any of the provisions hereof are determined to be invalid or 
unenforceable, the parties shall negotiate in good faith to modify this 
Agreement so as to effect the original intent of the parties as closely as 
possible. ICANN and the Working Group will mutually cooperate to develop an 
ICANN procedure for ICANN’s review and consideration of alleged conflicts 
between applicable laws and non-WHOIS related provisions of this Agreement. 
Until such procedure is developed and implemented by ICANN, ICANN will review 
and consider alleged conflicts between applicable laws and non-WHOIS related 
provisions of this Agreement in a manner similar to ICANN’s Procedure For 
Handling!
  WHOIS Conflicts with Privacy Law.