News Review | ICANN GNSO Struggles to Draft EPDP Charter re GDPR

graphic "News Review" ©2016 DomainMondo.com
Domain Mondo's weekly internet domain news review (NR 2018-07-15) with analysis and opinion: Features •  1ICANN GNSO Council Struggles to Draft EPDP Charter re GDPR & ICANN Temp Spec2) Other ICANN news: a. EPAG Comments on ICANN Appeal b. GDPR & ICANNno more la-la land? c. More ICANN Dysfunction? d. RSSAC Reviewe. Should the IANA Transition Be Unwound? 3) Names, Domains & Trademarks, 4) ICYMI, 5) Most Read.

20 July 2018
German Court Rules Against ICANN Again--excerpt (ICANN is the "applicant," EPAG is the "defendant") highlighting added:
More information:
ICANN's response: "In referring the matter to the Higher Regional Court in Cologne, the Regional Court did not change its original determination not to issue an injunction against EPAG. The Regional Court also rejected the alternative claims submitted by EPAG in recent court filings. Notably, the Regional Court issued this second ruling without consideration of the additional court filings submitted earlier this week by ICANN and ICANN's Intellectual Property Constituency. Those filings will be part of the record to be transferred to the Higher Regional Court for the appeal. ICANN will continue to pursue this matter as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system. ICANN awaits further direction from the Higher Regional Court on next steps, which could include referring the matter to the European Court of Justice, issuing a decision based upon the papers already submitted, requesting additional briefings or scheduling a hearing with the parties."--ICANN.org
19 July 2018
EPDP Charter (pdf) and EPDP Initiation Request (pdf) Final 19 July 2018.
GNSO Council Meeting July 19 approving:
Agenda | Chat Transcript and Mp3 and Adobe Connect Recording
1. The GNSO Council hereby approves the EPDP Initiation Request and as such initiates the EPDP.
2. The GNSO Council approves the EPDP Team Charter and appoints Rafik Dammak as the GNSO Council liaison to the EPDP Team on the Temporary Specification for gTLD Registration Data;
3. The GNSO Council hereby appoints Kurt Pritz as the Chair(s) of the EPDP Team.
4. The GNSO Council directs staff to communicate the results of this motion to the GNSO SG/Cs as well as ICANN SO/ACs and to make arrangements for the EPDP Team to commence its deliberations as soon as feasible.

Statements of abstention: Ayden Fedérline (pdf) also below, and Tatiana Tropina (pdf). Stephanie Perrin also abstained (beginning at 1:01:07 on the Adobe Recording above).

18 July 2018
The ICANN Intellectual Property Constituency (IPC), mostly trademark lawyers, apparently not satisfied with how ICANN and its law firm, Jones Day, are arguing their case in Germany, have joined the fray through their own submission (English excerpt above) to the Court in Germany. The filing is in German (pdf), with an unofficial English translation (pdf) provided by ICANN on the ICANN v. EPAG Domainservices, GmbH litigation page.

The draft EPDP Charter (now includes the "scope") and the EPDP initiation request will be considered by the GNSO Council at its meeting Thursday, July 19 (12:00 UTC).

17 July 2018:
Ok, I will surrender to the will of the group (as usual). Just out of interest though, who of you who said lets all trust in good faith are planning to work on the EPDP? there is nothing like eating your own cooking to improve the drive for perfection.....  The purpose of a well scoped Charter and set of deliverables is to make the task of the working group clear and simple. I humbly submit, for the record, that we have left a number of vague terms and timing criteria in there, and it may cause problems later. A stitch in time saves nine, as the old proverb says.-Cheers Stephanie Perrin

16 July 2018--before it's even 'out the gate' (EPDP Charter not yet adopted), the dysfunctional ICANN Community's EPDP (expedited policy development process) may already be "off the rails"--
"I would just like to remark that we were plagued in the [failed] RDS PDP with a plethora of security folks...researchers, contractors, corporate types, etc. who advanced only one point of view....keep open access to WHOIS, it is a) easy for us b) free c) uncomplicated, we have already built our ML and Analytic systems around it d) we need (name a product ) from the existing value added service providers (e.g.Domain Tools), e) criminals will take over the world if you don't listen to us. These are legitimate concerns, but if we are importing a whole range of actors from several ACs (GAC, ALAC, RSSAC, SSAC c.f. recent document SSAC 101) advancing the identical security specialist's viewpoint, which we ought to recognize by now ignores DP [Data Protection] law, I think we have destroyed the GNSO balance and are likely to revisit the morass we fell into on the RDS group. Now, I don't really care if the temp spec falls away because we either can't reach consensus, or wind up with a product that will not stand up in Court. However, the GNSO and ICANN ought to care deeply. So if we accept RSSAC can we limit the influence they will have on the consensus calculus, if I am correct in my fears? it is probably too late to try to exercise any restraint on the other parties (so far over five years, my batting average on risk assessment is really pretty outstanding. Nobody is listening yet....)"--Stephanie Perrin, July 16, 2018  (emphasis and link added). [Editor's note: Stephanie Perrin is one of the few people (perhaps the only person) at ICANN (community, org, or Board) who has the requisite knowledge about data protection laws to have a competent understanding of how the GDPR applies to ICANN and its contracted parties (registry operators and registrars) re: gTLD registration data. The incompetent ICANN management team failed to educate itself or the ICANN community about GDPR law in the two-year period leading up to the enforceable date of May 25, 2018, unlike Salesforce.com Inc., and other responsible multi-national corporations with competent leadership, headquartered in California, who undertook extensive GDPR education programs for management, staff and stakeholders, during the two-year period leading up to May 25, 2018.] 
Apparently former ICANN Chief Strategy Officer Kurt Pritz, who resigned due to a never disclosed "conflict of interest" (during Fadi Chehade's term as ICANN CEO) and is known as the "architect" of ICANN's disastrous new gTLDs program, has already been selected to be the Chair of the EPDP working group (yet to be formed). DomainIncite.com broke the story based on "sources" who say the GNSO Council leadership selection committee made the decision "minus Pritz’s wife, Donna Austin," (who works for domain registry services provider Neustar a/k/a ARI Registry, and is a GNSO Vice Chair), who "recused herself." Editor's note: there's nothing quite like incestuous ICANN--selection of a conflicted problem-plagued ex-employee / ex-officer of ICANN, to be Chair of its most important ICANN community working group! What could go wrong?

The latest version of the EPDP Charter (draft) can be found here according to ICANN staff. As to the missing (and all-important) "Scope section," Keith Drazek (Verisign) reported July 16, "The scope section is now stable and will be ready for inclusion in the full charter document by COB today." Later--Monday Jul 16 22:13:44 UTC 2018--Drazek said:
"The current version of the scope document (pdf) is the result of several weeks of work and substantial compromise, and, as discussed on our Wednesday Drafting Team call, the deadline for substantive comment was Friday. I worked over the weekend to incorporate the comments I received, doing my very best to find the right balance. I believe the scope section is as close as we will get without putting our Thursday vote at serious and certain risk. We are likely all equally unhappy with various parts of it, but sometimes that’s the nature of our work. I am finished with the scope document and it is now with Council leadership and staff for adding to the master Charter document." (emphasis and link added)
Another comment: "To me, the goal of the Temp Spec and this EPDP effort is very simple: to comply with the law. 'Avoid the fragmentation of WHOIS' or the idea of harmonization as a premise or goal is fundamentally flawed. As you know, there is already fragmentation of WHOIS in the cc world. As far as I know, .JP does not even have a WHOIS service. More importantly, I would like to point out the latest guidance regarding Codes of Conduct and Accreditation in the EDPB letter (see page 6 https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf). Specifically: 1. Certification and/or accreditation are voluntary measures, not mandatory. 2. The responsibility for designing a model that will provide the assurance [of compliance with the GDPR] is, in the first instance, up to the data controllers. The previous language and your latest suggested language pre-suppose there should be a "community-wide model for access or similar framework", which in my view, is inconsistent with the above guidance."--Pam Little (emphasis added)

Desperation started to set in late Monday, comment posted by Heather Forrest, GNSO Chair: 
"... The weight of the task is pushing us to our limits, and it kills me to see the significant efforts at compromise from Panama and the two weeks since come undone in the final 3 days. We've said many times - but I'll repeat it here as now it's urgent and very real - that the community's perception of the Council's ability to deliver on its Bylaws mandate by running this EPDP is at stake on Thursday. If we are unable to agree on the charter, there is a live risk that Pandora's box opens. We had a text that was fairly stable as of Sunday, based on the timeline that we agreed in the DT call last Wednesday. We need to resist the temptation of usurping the work of the EPDP Team. If language is redundant,they will work around it. If it is not perfect, we will empower them to refine, and come back to Council with questions where necessary. Let's get this team started, and see if these last minute issues are truly obstacles to their work. If we do not get them started, we may never find out. If you are willing to work with the text we have as per Keith's Sunday email and let the Team push forward, now is the time to speak up."

Original Post:
Editor's note: ICANN is proving yet once again how incompetent and unfit it is for the role it was given by the U.S. government in 1998 and then completely unleashed in 2016 by the U.S. government to wreak even more havoc on the internet's infrastructure and the global internet community, including domain name registrants worldwide. This week's News Review gives readers updates on:
  • The status of the dysfunctional ICANN community's Expedited Policy Development Process (EPDP) which is one of many consequences of ICANN's incompetent management team wasting 2 years and failing to properly prepare for the European Union's GDPR which became  enforceable May 25, 2018. The EPDP timeline is so short, and the process so rushed, that the GNSO Council has already issued a "Call for Volunteers" though the Council has yet to adopt a Charter for the EPDP;
  • An update on ICANN's legal action in Germany against domain name registrar EPAG (affiliate of Tucows) which chose to comply with EU law (GDPR) instead of ICANN's unlawful contractual terms, temporary specification, and policies;
  • There's much more illuminated in this week's News Review, including this quote, at 2)d. below:
"Root ops [root server operators] are concerned that ICANN does not have the best interests of everyone at heartHaving root servers independent is criticalICANN is corrupt and can’t be trusted."

1)  ICANN GNSO Council Struggles to Draft EPDP Charter re GDPR & ICANN Temp Spec
ICANN's GDPR Train Wreck  ©2018 DomainMondo.com (graphic)
No EPDP (expedited policy development process) Charter yet, but GNSO Council issued a "Call for Volunteers" 12 July 2018:

See also:

2) Other ICANN News
graphic "ICANN | Internet Corporation for Assigned Names and Numbers"
a. German Registrar EPAG Comments on ICANN Appeal--English translation (pdf)--excerpt:
"Contrary to what the Applicant [ICANN] claims, the Article 29 Working Party has not issued a clean bill of health for the Applicant's modified use of data. On the contrary: the European Data Protection Board [EDPB]- the successor of the Working Group – again delivered an opinion to the Applicant in a letter dated July 5, 2018 – and also referred to the present proceeding. A copy of the letter is handed over as Appendix AG 5.
"In the letter, the Board [EDPB] rejects any attempt to misinterpret the Board's opinions on specific issues as implicit "waving through" data processing; 
"Needless to say, the issues identified here are without prejudice to additional issues, further inquiries or findings being made by the EDPB or its Members at a later date.” (Appendix AG 5, p. 1; translation by the signatories). 
"In its letter, the Board expressly points out that the Applicant [ICANN] does not sufficiently distinguish between the Applicant's own and third parties’ purposes for processing and that it is not the task of the board, but rather the Applicant is to define retention periods."
Affidavit submitted on behalf of EPAG (English translation):

The 5 July 2018 EDPB letter (pdf) was also submitted by ICANN (after EPAG's submittal referenced above), along with more ICANN counsel's commentary differing with EPAG's comments. Copies of the filed documents (in German with some translated into English) are available on the ICANN litigation page ICANN v. EPAG Domainservices, GmbH.

b.  GDPR & ICANN: no more la-la land for ICANN's incompetent management team? 
"[T]he European Data Protection Board (EDPB) effectively said it [ICANN] needs to go back to the drawing board to make its rules around the collection and use of WHOIS data compliant with the General Data Protection Regulation (GDPR) ..."--Dublin-based Karen Gallagher of Pinsent Masons, an expert in data protection and intellectual property law, more infra--
"The EDPB's letter to ICANN 5 July 2018 (8-page / 737KB PDF) sets out a clear position on a number of queries that had been raised by ICANN. The watchdog said:
  • ICANN needs to define its specified purposes and lawful basis for processing personal data and should not conflate this with the legitimate interests and purposes of third parties who may subsequently seek access to the data;
  • that there is no basis for ICANN to insist upon the provision of additional information on administrative and technical contacts from registrants;
  • that the fact that registrants may be legal persons does not take WHOIS outside the scope of GDPR where ICANN is processing personal data relating to individuals within those organisations, and therefore the personal data of such individuals should not be made publically available by default; 
  • that ICANN is required to log access to personal data, but does not necessarily need to actively communicate (push) this log information to registrants or third parties;
  • that ICANN has failed to justify why it is necessary to retain personal data for two years post the expiry of the domain name registration ....
"The need for ICANN to move away from its model of unlimited publication of the contact details of domain name registrants has been in the cards for quite a while. The EDPB noted when commenting on its letter that its predecessor, the Article 29 Working Party, has been offering guidance to ICANN on how to bring the database into compliance with EU data protection law since 2003."--out-law.com 10 Jul 2018 (legal news and guidance from international law firm Pinsent Masons) (emphasis added).

c. More ICANN Dysfunction?
See also: Request 20180610-1, George Kirikos Request (10 June 2018) [PDF, 54 KB], and Response (10 July 2018) [PDF, 155 KB].

d. RSSAC ReviewInterisle Consulting Group, LLC, the independent examiner performing the second Root Server System Advisory Committee (RSSAC) Review, published its final report [PDF, 2.58 MB]. The RSSAC Review Work Party (RWP) will prepare a feasibility assessment and initial implementation plan (FAIIP) based on the final report. This will include an analysis of recommendations in the final report for usability and prioritization, provisional budget implications, anticipated resources and the proposed implementation timeline. Interisle and the RWP respectively will then present the final report and the FAIIP to the ICANN Board's Organizational Effectiveness Committee (OEC). The OEC will make a recommendation to the Board on next steps.--ICANN.org.

Quotes from the report--
"Root ops [root server operators] are concerned that ICANN does not have the best interests of everyone at heartHaving root servers independent is criticalICANN is corrupt and can’t be trusted." (page 22 of 79)(emphasis added)
"Our research did, however, reveal a high-level concern about oversight:
"The NTIA contribution to the RSSAC was not just oversight. NTIA didn’t represent
“governments”, but they were aware of the issues that concern governments, and that
perspective is no longer at the table."
"No single entity now has complete oversight of the root server system. NTIA had that role (nominally) before the transition; no one has it now. The ICANN Board should not be expected to take on that responsibility." (p. 26 of 79) (emphasis added)
e.  Should the IANA Transition Be Unwound? Editor's note: Deadline to respond to the NTIA notice of inquiry (pdf) is July 17, 2018, 5:00 pm EDT. More info here. Read the ICANN Board's weak defense of incompetent and "corrupt" ICANN here (pdf).

3) Names, Domains & Trademarks
graphic "Names, Domains & Trademarks" ©2017 DomainMondo.com
a. Google Asks SEOs if Domain Changes Result in Loss of Traffic--"For the most part, SEOs agreed that domain [name] changes carry a lot of risk and will almost always result in a loss of traffic."--SearchEngineJournal.com (emphasis added).

b. Malformed Internationalized Domain Name (IDN) Leads to Discovery of Vulnerability in IDN Libraries--farsightsecurity.com. Editor's note: more ICANN incompetence revealed.

c. Top 20 countries with highest number of internet users--internetworldstats.com: 1) China, 2) India, 3) U.S., 4) Brazil, 5) Indonesia. More analysis at DataTrekResearch.com. Editor's note the missing ingredients include: 1) how are users in each country accessing the internet (percentage that have mobile wireless access only) and at what speed (3G or 4G)?--here's an account of what most internet users in the world deal with; 2) What is the average user spending online in each market? The differences in markets (economic factors such as GDP per capita, online spending, etc.), demographics, internet speed availability (e.g., 4G vs 3G),  presence of censorship (lack of free speech), are some of the many variables that differentiate internet users located in different parts of the world.

d. Google's Chrome browser now runs a different browser process for each internet domain, "Site Isolation," which is now enabled by default, and provides a defense against Meltdown and Spectre attacks--bleepingcomputer.com.

e. ICYMI: Interview of Domain King Rick Schwartz (podcast) | domainnamewire.com

4) ICYMI Internet Domain News 
graphic "ICYMI Internet Domain News" ©2017 DomainMondo.com
a. Cyberspace Lost: "The internet did not develop as [Perry] Barlow had hoped, as Jacob Mchangama illustrates in the latest episode of his podcast, Clear and Present Danger: A History of Free Speech. He notes that the “digital promised land turned into a dystopia of surveillance, disinformation, trolling and hate, to which governments responded with increasingly draconian measures”--Cato.org.

b. "Rampant data collection, surveillance, and censorship may have shattered idealistic notions of the internet's liberating potential. Nevertheless, the internet continues to present an ever-expanding threat surface for authoritarian regimes and information monopolists"--cfr.org.

c. Ugandan social media tax and VPN blocks represent an attack on internet freedom--bestvpn.com.

e. "Being an Afghan or Pakistani woman online attracts prejudice, even danger. But for many, technology is freedom from the past"--indexoncensorship.org.

f.  Zambia is the latest African state trying to muzzle social media with arbitrary laws--qz.com.

g. U.S. intel chief warns of devastating cyber threat to U.S. infrastructure--reuters.com.

h. High-level Panel on Digital Cooperation was established by United Nations Secretary-General Antonio Guterres on 12 July 2018. Editor's note: this group should be watched closely since former ICANN CEO Fadi Chehade is involved. Chehade also served as an advisor to China's Wuzhen Initiative a/k/a Wuzhen Summit a/k/a World Internet Conference. For more on Chehade's shenanigans with China read The Firewall Awakens: ICANN's exiting CEO takes internet governance to the dark side by Kieren McCarthy, The Register: "Chehade knows only too well what this initiative means and represents. Combined with the closed organizing committee, and the closed "advisory committee," the setup is little more than a Chinese-government-run effort to influence global internet governance."

Domain Mondo posts: