<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [gnso-thickwhoispdp-wg] missing recommendation in 7.1
- To: Thick Whois <gnso-thickwhoispdp-wg@xxxxxxxxx>
- Subject: Re: [gnso-thickwhoispdp-wg] missing recommendation in 7.1
- From: Amr Elsadr <aelsadr@xxxxxxxxxxx>
- Date: Mon, 23 Sep 2013 22:24:31 +0200
Hi Steve,
Some thoughts on your edits:
> We recommend that the ICANN Board request an independent legal review to be
> undertaken as part of the implementation of the transition to thick whois on
> the privacy implications of a transfer of registrant data between
> jurisdictions.
I see no reason not to add the clarification that this recommendation is part
of the implementation, however, removing the phrase "before transition to thick
whois" entirely changes the purpose of the recommendation. How is the legal
review meant to "identify and mitigate" the risks if it is not conducted before
the transition takes place? What is the point of the recommendation at all,
then? This also applies to the edits on the section on page 30.
> The WG did not feel it was competent to fully discuss these privacy issues
> and some members of the WG were not able to fully separate the privacy issues
> involved in such a move from the general privacy issues that need to be
> resolved in Whois.
It seems to me that no one on the WG has been able to provide a concrete
analysis separating privacy issues from whois in any of its forms, thin, thick
or in a transition from one to the other. To say that some of the WG members
could not make this separation implies that it has indeed been previously
examined, the evidence has been provided and "some" are critical of this
evidence.
> We recommend that the ICANN Board request a GNSO issues report to cover the
> issue of Privacy as related to WHOIS if it concludes that this issue is not
> adequately addressed within the scope of the Board-initiated PDP on gTLD
> registration data services, or otherwise.
>
I understand that there is apprehension amongst some that there will most
likely be a duplication or waste of efforts in addressing privacy issues
considering that the nature of the privacy (and data protection) concerns will
likely change following a PDP on gTLD registration data services. This is
probably true for many (if not all) the topics this WG was chartered to to
consider, and if not by the PDP on gTLD registration data services, then by
others.
The recommendation Mikey drafted will (the way I see it) request an issue
report addressing privacy associated with the state of these concerns
consistent with the findings of the final report we've worked the better part
of a year to come up with. This is the single most relevant reason why I
personally agreed to it. To recommend a shift of this decision to the board in
the context of another PDP, which we have not at all addressed, is just not a
recommendation I see as an appropriate conclusion to the work we have all been
doing. The issue report recommendation should be just as independant of future
PDPs as is the recommendation to tradition from thin to thick.
Thanks.
Amr
On Sep 23, 2013, at 8:05 PM, "Metalitz, Steven" <met@xxxxxxx> wrote:
> Mikey,
>
> Thanks for drawing this proposal into one document, and I hope you are
> feeling better.
>
> You wrote on last Friday that "putting a recommendation in 7.1 puts it into
> consensus policy, putting a recommendation in 7.3 puts in in the
> "suggestions" pile." Based on that distinction I still don't understand
> why your proposal in item 1 fits into consensus policy. I look forward to
> discussing that on our call tomorrow.
>
> I also offer the attached edits to your text for consideration by the group.
>
>
> Steve
>
>
>
>
>
> -----Original Message-----
> From: Mike O'Connor [mailto:mike@xxxxxxxxxx]
> Sent: Sunday, September 22, 2013 9:47 AM
> To: Metalitz, Steven
> Cc: Avri Doria; Thick Whois
> Subject: Re: [gnso-thickwhoispdp-wg] missing recommendation in 7.1
>
> hi Steve,
>
> i realized that i didn't really respond to your whole argument with my reply.
> i'm working my way through Lyme's Disease or Ehrlichiosis (nobody is quite
> sure which) and some days my energy level is a little lower -- your note
> caught me on one of those days. my apologies for that.
>
> i think that Section 5 *does* support the "legal review" modification being
> proposed. here are the paragraphs from Section 5 i would put forward to back
> that argument -- the paragraphs immediately preceding the language in my 2)
> suggestion. here's the quote -- it's the four paragraphs immediately
> preceding the Conclusions section you're referring to:
>
>
> "However, the fact that the WG has not seen analyses or objections from
> the contracted party community does not prove a lack of problems. In
> addition, data protection and privacy laws and regulations change over time
> so any analyses from the past might need to be revisited periodically. RSEPs
> (Registry Services Evaluation Panel) initiated by .cat and .tel suggest that
> they have identified data protection and privacy legal issues that they
> considered valid even if no formal government action was initiated. While
> registrars are required under the Registrar Accreditation Agreement to obtain
> registrants' consent to uses made of data collected from them, whether
> registrants are aware of the full ramifications of data publication, legal or
> real, might be questioned, and local rules concerning coercive contract
> provisions conceivably could come into play.
>
> "The WG has made every effort to examine thin vs. thick registry models
> in a broad sense. However, any requirement that all registries use the thick
> model will require that existing thin registries move to thick environments.
> This situation will raise concerns that, while limited in the long run, are
> significant given the numbers of domains and registrants involved. The WG
> expects that data transfers will be in volumes unprecedented in Whois
> operations and urges that increased information systems and protections are
> put in place, which are appropriate to handle the volumes.
>
> "Some registrations may have occurred based on a registrant's
> consideration of local rules governing a registrar or registry. In that
> event, registrants' data protection expectations will be affected when
> publication of Whois data moves to a registry that is in a different
> jurisdiction from the relevant registrar. Thorough examination must be given
> to the extent to which data protection guarantees governing a registrar can
> be binding on a registry. Should data protections in the jurisdiction of a
> registrant, registrar, or registry control? Should registry or registrar
> accreditation agreements contain language that specifies whose protection
> environment applies?
>
> "Again, these questions must be explored in more depth by ICANN Staff,
> starting with the General Counsel's Office, and by the community. As an added
> benefit, analyses concerning change of applicable laws with respect to
> transition from a thin to a thick environment also may prove valuable in the
> event of changes in a registry's management, presumably an increasing
> likelihood given the volume of new gTLDs on the horizon." [note, this is the
> paragraph i'm proposing to move down into the immediately-following
> Conclusions section you're quoting from]
>
>
>
> your #1 citation says "The WG finds that requiring thick Whois for all gTLD
> registries does not raise data protection issues that are specific to thin v.
> thick Whois." that quote refers to the topic of data protection, not privacy
> -- the sub-team went to a lot of trouble to separate those two issues and so
> i don't think that point is relevant to this discussion.
>
> your #2 citation says "There are currently issues with respect to privacy
> related to Whois and these will only grow in the future..... None of these
> issues *SEEM* to be related to whether a thick or thin Whois model is being
> used. " [emphasis mine] which doesn't rule out the possibility of a legal
> review, especially given the (i think) consensus view that we don't really
> have the expertise on this WG to evaluate the nuances of those issues.
>
> your #3 citation says "So although privacy issues may become a substantive
> issue in the future, and should certainly be part of the investigation of a
> replacement for Whois, it is not a reason not to proceed with the PDP WG
> recommending thick Whois for all." i'm not sure i follow how a legal review
> (which seems prudent in any case) contradicts that argument.
>
> Steve, is your concern that the legal review could be used to *block* the
> transition to thick Whois? if that's the case, i share your concern. but i
> view it more in the "identify and mitigate risks" department and hope that
> others would too. i would be open to clarifying that language if folks felt
> the need.
>
> regarding your point on the "undermine at the last minute" argument -- i
> think i mentioned this on the call. i as the Chair bear the responsibility
> for not testing more aggressively for consensus *much* earlier in the
> process. most of my frustration on the last call was with myself for
> allowing this issue to slide to the end. but the fact is, we don't have
> consensus yet and we need to work on getting there.
>
> to that end i've pulled my little 3-point recommendation into a Word document
> and include it into this post for people to contemplate and edit. i decided
> it was time to move the text into something that can be red-lined rather than
> using the pretty-limited text-only email format.
>
> thanks all for a spirited discussion -- let's contemplate this some more and
> see if we can get to a place where we can all live with the result.
>
> thanks,
>
> mikey
>
> <Thick Whois --redline of MOC draft of 092213 (5564537).DOC>
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|