Re: [gnso-thickwhoispdp-wg] missing recommendation in 7.1

[Amr Elsadr <aelsadr@xxxxxxxxxxx>]

I personally like the report. it does justice to the discussions we've had, and 
a lot of good people worked really hard to put it together. Although I am 
disagreeing with Steve's recommendations, I don't deny his constructive role 
and contributions in prepping the section on data protection and privacy. But 
that's just it for me…, I want the recommendations to communicate what I 
believe is in the report. No more, no less. If they do, I believe we could get 
a full consensus. Anything short of a responsible recommendation reflecting 
what the "experts" found will be, IMHO, be more damaging to ICANN than the 
alternative.

…, and I'd check with Mikey before assuming he's willing to chair this group of 
misfits again. :)

Amr

On Sep 23, 2013, at 10:38 PM, Rick Wesson <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Punting on this issue of whois jurisdiction  on transfers will do ICANN no 
> good. Should we advocate for a Issues Report of PDP on the topic it will be 
> the same group of ICANN members (us) sitting down to has this same topic out. 
> In fact Mikey will probably be chair. 
> 
> We are the experts -- we should complete this report and issue it with no 
> minority language. Punting to some "legal team" is a cop-out of the first 
> degree.
> 
> We are the experts and we need to a consensus stand on the topic instead of 
> punting to another never ending work group.
> 
> Our goal should be to provide a yes or no answer to this migration instead of 
> yes-maybe with a minority report. 
> 
> I've removed the expletives, you do no service to the community if we can not 
> clearly communicate a binary answer to the question of thin to thick 
> migration.
> 
> -rick
> 
>  
> 
> 
> On Mon, Sep 23, 2013 at 1:24 PM, Amr Elsadr <aelsadr@xxxxxxxxxxx> wrote:
> Hi Steve,
> 
> Some thoughts on your edits:
> 
>> We recommend that the ICANN Board request an independent legal review to be 
>> undertaken as part of the implementation of the  transition to thick whois 
>> on the privacy implications of a transfer of registrant data between 
>> jurisdictions.
> 
> I see no reason not to add the clarification that this recommendation is part 
> of the implementation, however, removing the phrase "before transition to 
> thick whois" entirely changes the purpose of the recommendation. How is the 
> legal review meant to "identify and mitigate" the risks if it is not 
> conducted before the transition takes place? What is the point of the 
> recommendation at all, then? This also applies to the edits on the section on 
> page 30.
> 
>> The WG did not feel it was competent to fully discuss these privacy issues 
>> and some members of the WG were not able to fully separate the privacy 
>> issues involved in such a move from the general privacy issues that need to 
>> be resolved in Whois.
> 
> It seems to me that no one on the WG has been able to provide a concrete 
> analysis separating privacy issues from whois in any of its forms, thin, 
> thick or in a transition from one to the other. To say that some of the WG 
> members could not make this separation implies that it has indeed been 
> previously examined, the evidence has been provided and "some" are critical 
> of this evidence.
> 
>> We recommend that the ICANN Board request a GNSO issues report to cover the 
>> issue of Privacy as related to WHOIS if it concludes that this issue is not 
>> adequately addressed within the scope of the Board-initiated PDP on gTLD 
>> registration data services, or otherwise. 
>> 
> I understand that there is apprehension amongst some that there will most 
> likely be a duplication or waste of efforts in addressing privacy issues 
> considering that the nature of the privacy (and data protection) concerns 
> will likely change following a PDP on gTLD registration data services. This 
> is probably true for many (if not all) the topics this WG was chartered to to 
> consider, and if not by the PDP on gTLD registration data services, then by 
> others.
> 
> The recommendation Mikey drafted will (the way I see it) request an issue 
> report addressing privacy associated with the state of these concerns 
> consistent with the findings of the final report we've worked the better part 
> of a year to come up with. This is the single most relevant reason why I 
> personally agreed to it. To recommend a shift of this decision to the board 
> in the context of another PDP, which we have not at all addressed, is just 
> not a recommendation I see as an appropriate conclusion to the work we have 
> all been doing. The issue report recommendation should be just as independant 
> of future PDPs as is the recommendation to tradition from thin to thick.
> 
> Thanks.
> 
> Amr
> 
> On Sep 23, 2013, at 8:05 PM, "Metalitz, Steven" <met@xxxxxxx> wrote:
> 
>> Mikey, 
>> 
>> Thanks for drawing this proposal into one document, and I hope you are 
>> feeling better. 
>> 
>> You wrote on last Friday that "putting a recommendation in 7.1 puts it into 
>> consensus policy, putting a recommendation in 7.3 puts in in the 
>> "suggestions" pile."    Based on that distinction I still don't understand 
>> why your proposal in item 1 fits into consensus policy.  I look forward to 
>> discussing that on our call tomorrow.  
>> 
>> I also offer the attached edits to your text for consideration by the group. 
>>     
>> 
>> Steve
>> 
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> From: Mike O'Connor [mailto:mike@xxxxxxxxxx] 
>> Sent: Sunday, September 22, 2013 9:47 AM
>> To: Metalitz, Steven
>> Cc: Avri Doria; Thick Whois
>> Subject: Re: [gnso-thickwhoispdp-wg] missing recommendation in 7.1
>> 
>> hi Steve,
>> 
>> i realized that i didn't really respond to your whole argument with my 
>> reply.  i'm working my way through Lyme's Disease or Ehrlichiosis (nobody is 
>> quite sure which) and some days my energy level is a little lower -- your 
>> note caught me on one of those days.  my apologies for that.
>> 
>> i think that Section 5 *does* support the "legal review" modification being 
>> proposed.  here are the paragraphs from Section 5 i would put forward to 
>> back that argument -- the paragraphs immediately preceding the language in 
>> my 2) suggestion.  here's the quote -- it's the four paragraphs immediately 
>> preceding the Conclusions section you're referring to:
>> 
>> 
>>      "However, the fact that the WG has not seen analyses or objections from 
>> the contracted party community does not prove a lack of problems. In 
>> addition, data protection and privacy laws and regulations change over time 
>> so any analyses from the past might need to be revisited periodically. RSEPs 
>> (Registry Services Evaluation Panel) initiated by .cat and .tel suggest that 
>> they have identified data protection and privacy legal issues that they 
>> considered valid even if no formal government action was initiated.  While 
>> registrars are required under the Registrar Accreditation Agreement to 
>> obtain registrants' consent to uses made of data collected from them, 
>> whether registrants are aware of the full ramifications of data publication, 
>> legal or real, might be questioned, and local rules concerning coercive 
>> contract provisions conceivably could come into play.
>> 
>>      "The WG has made every effort to examine thin vs. thick registry models 
>> in a broad sense. However, any requirement that all registries use the thick 
>> model will require that existing thin registries move to thick environments. 
>> This situation will raise concerns that, while limited in the long run, are 
>> significant given the numbers of domains and registrants involved. The WG 
>> expects that data transfers will be in volumes unprecedented in Whois 
>> operations and urges that increased information systems and protections are 
>> put in place, which are appropriate to handle the volumes.
>> 
>>      "Some registrations may have occurred based on a registrant's 
>> consideration of local rules governing a registrar or registry.  In that 
>> event, registrants' data protection expectations will be affected when 
>> publication of Whois data moves to a registry that is in a different 
>> jurisdiction from the relevant registrar.  Thorough examination must be 
>> given to the extent to which data protection guarantees governing a 
>> registrar can be binding on a registry. Should data protections in the 
>> jurisdiction of a registrant, registrar, or registry control? Should 
>> registry or registrar accreditation agreements contain language that 
>> specifies whose protection environment applies? 
>> 
>>      "Again, these questions must be explored in more depth by ICANN Staff, 
>> starting with the General Counsel's Office, and by the community. As an 
>> added benefit, analyses concerning change of applicable laws with respect to 
>> transition from a thin to a thick environment also may prove valuable in the 
>> event of changes in a registry's management, presumably an increasing 
>> likelihood given the volume of new gTLDs on the horizon."  [note, this is 
>> the paragraph i'm proposing to move down into the immediately-following 
>> Conclusions section you're quoting from]
>> 
>> 
>> 
>> your #1 citation says "The WG finds that requiring thick Whois for all gTLD 
>> registries does not raise data protection issues that are specific to thin 
>> v. thick Whois."  that quote refers to the topic of data protection, not 
>> privacy -- the sub-team went to a lot of trouble to separate those two 
>> issues and so i don't think that point is relevant to this discussion.
>> 
>> your #2 citation says "There are currently issues with respect to privacy 
>> related to Whois and these will only grow in the future..... None of these 
>> issues *SEEM* to be related to whether a thick or thin Whois model is being 
>> used. " [emphasis mine]  which doesn't rule out the possibility of a legal 
>> review, especially given the (i think) consensus view that we don't really 
>> have the expertise on this WG to evaluate the nuances of those issues.
>> 
>> your #3 citation says "So although privacy issues may become a substantive 
>> issue in the future, and should certainly be part of the investigation of a 
>> replacement for Whois, it is not a reason not to proceed with the PDP WG 
>> recommending thick Whois for all."  i'm not sure i follow how a legal review 
>> (which seems prudent in any case) contradicts that argument.  
>> 
>> Steve, is your concern that the legal review could be used to *block* the 
>> transition to thick Whois?  if that's the case, i share your concern.  but i 
>> view it more in the "identify and mitigate risks" department and hope that 
>> others would too.  i would be open to clarifying that language if folks felt 
>> the need.
>> 
>> regarding your point on the "undermine at the last minute" argument -- i 
>> think i mentioned this on the call.  i as the Chair bear the responsibility 
>> for not testing more aggressively for consensus *much* earlier in the 
>> process.  most of my frustration on the last call was with myself for 
>> allowing this issue to slide to the end.  but the fact is, we don't have 
>> consensus yet and we need to work on getting there.  
>> 
>> to that end i've pulled my little 3-point recommendation into a Word 
>> document and include it into this post for people to contemplate and edit.  
>> i decided it was time to move the text into something that can be red-lined 
>> rather than using the pretty-limited text-only email format.
>> 
>> thanks all for a spirited discussion -- let's contemplate this some more and 
>> see if we can get to a place where we can all live with the result.
>> 
>> thanks,
>> 
>> mikey
>> 
>> <Thick Whois --redline of MOC draft of 092213 (5564537).DOC>
> 
>