Re: [gnso-thickwhoispdp-wg] missing recommendation in 7.1

[Tim Ruiz <tim@xxxxxxxxxxx>]

Agreed. The problem in the past has been exactly that, some feel they are 
experts where they are not. There simply are some areas where a consensus view 
is just not good enough, "We have full consensus there are no privacy issues, 
therefore there are none." Seriously?

Tim

On Sep 23, 2013, at 5:19 PM, "Mike O'Connor" 
<mike@xxxxxxxxxx<mailto:mike@xxxxxxxxxx>> wrote:

heck yeah, i'd chair this gang again in a heartbeat.

but i do need to find out what the rules are if i'm on the Council (which will 
happen in Argentina).

i want to push back on the "we are the experts" notion though.  i think that's 
at the heart of this discussion.  i'm now completely of the opinion that i'm 
*not* an expert on the privacy stuff, and (forgive me anybody if i paint with 
too broad a brush) i don't think any of us are.  that's always been my 
understanding of our unwillingness to tackle that stuff directly, while at the 
same time wishing that *somebody* would.

i like the notion of getting language in there that gets a group of real live 
privacy experts together to really bash through this issue once and for all -- 
i think there's broad support for that idea in the community.  to the extent 
that we can move the ball forward on that, while at the same time moving the 
ball forward on Thick Whois, i'm in.

mikey


On Sep 23, 2013, at 4:10 PM, Amr Elsadr 
<aelsadr@xxxxxxxxxxx<mailto:aelsadr@xxxxxxxxxxx>> wrote:

I personally like the report. it does justice to the discussions we've had, and 
a lot of good people worked really hard to put it together. Although I am 
disagreeing with Steve's recommendations, I don't deny his constructive role 
and contributions in prepping the section on data protection and privacy. But 
that's just it for me…, I want the recommendations to communicate what I 
believe is in the report. No more, no less. If they do, I believe we could get 
a full consensus. Anything short of a responsible recommendation reflecting 
what the "experts" found will be, IMHO, be more damaging to ICANN than the 
alternative.

…, and I'd check with Mikey before assuming he's willing to chair this group of 
misfits again. :)

Amr

On Sep 23, 2013, at 10:38 PM, Rick Wesson 
<rick@xxxxxxxxxxxxxxxxxxxxxxxx<mailto:rick@xxxxxxxxxxxxxxxxxxxxxxxx>> wrote:

Punting on this issue of whois jurisdiction  on transfers will do ICANN no 
good. Should we advocate for a Issues Report of PDP on the topic it will be the 
same group of ICANN members (us) sitting down to has this same topic out. In 
fact Mikey will probably be chair.

We are the experts -- we should complete this report and issue it with no 
minority language. Punting to some "legal team" is a cop-out of the first 
degree.

We are the experts and we need to a consensus stand on the topic instead of 
punting to another never ending work group.

Our goal should be to provide a yes or no answer to this migration instead of 
yes-maybe with a minority report.

I've removed the expletives, you do no service to the community if we can not 
clearly communicate a binary answer to the question of thin to thick migration.

-rick




On Mon, Sep 23, 2013 at 1:24 PM, Amr Elsadr 
<aelsadr@xxxxxxxxxxx<mailto:aelsadr@xxxxxxxxxxx>> wrote:
Hi Steve,

Some thoughts on your edits:

We recommend that the ICANN Board request an independent legal review to be 
undertaken as part of the implementation of the  transition to thick whois on 
the privacy implications of a transfer of registrant data between jurisdictions.

I see no reason not to add the clarification that this recommendation is part 
of the implementation, however, removing the phrase "before transition to thick 
whois" entirely changes the purpose of the recommendation. How is the legal 
review meant to "identify and mitigate" the risks if it is not conducted before 
the transition takes place? What is the point of the recommendation at all, 
then? This also applies to the edits on the section on page 30.

The WG did not feel it was competent to fully discuss these privacy issues and 
some members of the WG were not able to fully separate the privacy issues 
involved in such a move from the general privacy issues that need to be 
resolved in Whois.

It seems to me that no one on the WG has been able to provide a concrete 
analysis separating privacy issues from whois in any of its forms, thin, thick 
or in a transition from one to the other. To say that some of the WG members 
could not make this separation implies that it has indeed been previously 
examined, the evidence has been provided and "some" are critical of this 
evidence.

We recommend that the ICANN Board request a GNSO issues report to cover the 
issue of Privacy as related to WHOIS if it concludes that this issue is not 
adequately addressed within the scope of the Board-initiated PDP on gTLD 
registration data services, or otherwise.

I understand that there is apprehension amongst some that there will most 
likely be a duplication or waste of efforts in addressing privacy issues 
considering that the nature of the privacy (and data protection) concerns will 
likely change following a PDP on gTLD registration data services. This is 
probably true for many (if not all) the topics this WG was chartered to to 
consider, and if not by the PDP on gTLD registration data services, then by 
others.

The recommendation Mikey drafted will (the way I see it) request an issue 
report addressing privacy associated with the state of these concerns 
consistent with the findings of the final report we've worked the better part 
of a year to come up with. This is the single most relevant reason why I 
personally agreed to it. To recommend a shift of this decision to the board in 
the context of another PDP, which we have not at all addressed, is just not a 
recommendation I see as an appropriate conclusion to the work we have all been 
doing. The issue report recommendation should be just as independant of future 
PDPs as is the recommendation to tradition from thin to thick.

Thanks.

Amr

On Sep 23, 2013, at 8:05 PM, "Metalitz, Steven" 
<met@xxxxxxx<mailto:met@xxxxxxx>> wrote:

Mikey,

Thanks for drawing this proposal into one document, and I hope you are feeling 
better.

You wrote on last Friday that "putting a recommendation in 7.1 puts it into 
consensus policy, putting a recommendation in 7.3 puts in in the "suggestions" 
pile."    Based on that distinction I still don't understand why your proposal 
in item 1 fits into consensus policy.  I look forward to discussing that on our 
call tomorrow.

I also offer the attached edits to your text for consideration by the group.

Steve





-----Original Message-----
From: Mike O'Connor [mailto:mike@<mailto:mike@>haven2.com<http://haven2.com/>]
Sent: Sunday, September 22, 2013 9:47 AM
To: Metalitz, Steven
Cc: Avri Doria; Thick Whois
Subject: Re: [gnso-thickwhoispdp-wg] missing recommendation in 7.1

hi Steve,

i realized that i didn't really respond to your whole argument with my reply.  
i'm working my way through Lyme's Disease or Ehrlichiosis (nobody is quite sure 
which) and some days my energy level is a little lower -- your note caught me 
on one of those days.  my apologies for that.

i think that Section 5 *does* support the "legal review" modification being 
proposed.  here are the paragraphs from Section 5 i would put forward to back 
that argument -- the paragraphs immediately preceding the language in my 2) 
suggestion.  here's the quote -- it's the four paragraphs immediately preceding 
the Conclusions section you're referring to:


"However, the fact that the WG has not seen analyses or objections from the 
contracted party community does not prove a lack of problems. In addition, data 
protection and privacy laws and regulations change over time so any analyses 
from the past might need to be revisited periodically. RSEPs (Registry Services 
Evaluation Panel) initiated by .cat and .tel suggest that they have identified 
data protection and privacy legal issues that they considered valid even if no 
formal government action was initiated.  While registrars are required under 
the Registrar Accreditation Agreement to obtain registrants' consent to uses 
made of data collected from them, whether registrants are aware of the full 
ramifications of data publication, legal or real, might be questioned, and 
local rules concerning coercive contract provisions conceivably could come into 
play.

"The WG has made every effort to examine thin vs. thick registry models in a 
broad sense. However, any requirement that all registries use the thick model 
will require that existing thin registries move to thick environments. This 
situation will raise concerns that, while limited in the long run, are 
significant given the numbers of domains and registrants involved. The WG 
expects that data transfers will be in volumes unprecedented in Whois 
operations and urges that increased information systems and protections are put 
in place, which are appropriate to handle the volumes.

"Some registrations may have occurred based on a registrant's consideration of 
local rules governing a registrar or registry.  In that event, registrants' 
data protection expectations will be affected when publication of Whois data 
moves to a registry that is in a different jurisdiction from the relevant 
registrar.  Thorough examination must be given to the extent to which data 
protection guarantees governing a registrar can be binding on a registry. 
Should data protections in the jurisdiction of a registrant, registrar, or 
registry control? Should registry or registrar accreditation agreements contain 
language that specifies whose protection environment applies?

"Again, these questions must be explored in more depth by ICANN Staff, starting 
with the General Counsel's Office, and by the community. As an added benefit, 
analyses concerning change of applicable laws with respect to transition from a 
thin to a thick environment also may prove valuable in the event of changes in 
a registry's management, presumably an increasing likelihood given the volume 
of new gTLDs on the horizon."  [note, this is the paragraph i'm proposing to 
move down into the immediately-following Conclusions section you're quoting 
from]



your #1 citation says "The WG finds that requiring thick Whois for all gTLD 
registries does not raise data protection issues that are specific to thin v. 
thick Whois."  that quote refers to the topic of data protection, not privacy 
-- the sub-team went to a lot of trouble to separate those two issues and so i 
don't think that point is relevant to this discussion.

your #2 citation says "There are currently issues with respect to privacy 
related to Whois and these will only grow in the future..... None of these 
issues *SEEM* to be related to whether a thick or thin Whois model is being 
used. " [emphasis mine]  which doesn't rule out the possibility of a legal 
review, especially given the (i think) consensus view that we don't really have 
the expertise on this WG to evaluate the nuances of those issues.

your #3 citation says "So although privacy issues may become a substantive 
issue in the future, and should certainly be part of the investigation of a 
replacement for Whois, it is not a reason not to proceed with the PDP WG 
recommending thick Whois for all."  i'm not sure i follow how a legal review 
(which seems prudent in any case) contradicts that argument.

Steve, is your concern that the legal review could be used to *block* the 
transition to thick Whois?  if that's the case, i share your concern.  but i 
view it more in the "identify and mitigate risks" department and hope that 
others would too.  i would be open to clarifying that language if folks felt 
the need.

regarding your point on the "undermine at the last minute" argument -- i think 
i mentioned this on the call.  i as the Chair bear the responsibility for not 
testing more aggressively for consensus *much* earlier in the process.  most of 
my frustration on the last call was with myself for allowing this issue to 
slide to the end.  but the fact is, we don't have consensus yet and we need to 
work on getting there.

to that end i've pulled my little 3-point recommendation into a Word document 
and include it into this post for people to contemplate and edit.  i decided it 
was time to move the text into something that can be red-lined rather than 
using the pretty-limited text-only email format.

thanks all for a spirited discussion -- let's contemplate this some more and 
see if we can get to a place where we can all live with the result.

thanks,

mikey

<Thick Whois --redline of MOC draft of 092213 (5564537).DOC>





PHONE: 651-647-6109, FAX: 866-280-2356, WEB: 
www.haven2.com<http://www.haven2.com>, HANDLE: OConnorStP (ID for Twitter, 
Facebook, LinkedIn, etc.)