2018-10-07

News Review | GDPR, EPDP, and ICANN WHOIS Data Liability

graphic "News Review" ©2016 DomainMondo.com
Domain Mondo's weekly internet domain news review (NR 2018-10-07 with analysis and opinion: Features •  1) GDPR, EPDP, and ICANN WHOIS Data Liability,  2)Other ICANN news: KSK Roll Oct 11, and more, 3) a. Malicious Domains, b..COM Domainers re: Verisign, NTIA & ICANN, c. WIPO Workshopand more, 4) ICYMI Internet Domain News, 5) Most Read.

1) GDPR, EPDP, and ICANN WHOIS Data Liability
ICANN EPDP Meetings this coming week Tuesday Oct 9, and Wednesday Oct 10 (small group), and Thursday Oct 11: 2 meetings, see below. Non-members of the EPDP working group can follow these meetings via Adobe Connect, or audio cast via browser or applicationLinks to all EPDP meetings' transcripts and recordings are on the GNSO calendar. Other EPDP links: wiki, mail list, action items, Temp Spec, EPDP Charter (pdf), GNSO's EPDP page and updates.

Recording, Attendance & AC chat (Editor's note: the correct Adobe Connect replay link) for the EPDP call to discuss Independent legal counsel to assist the EPDP working group held on Wednesday, 10 October 2018 at 22:00 UTC. Chat transcript (pdf).

Thursday Oct 11 EPDP small group (agenda, links to chat transcript, Adobe Connect replay, MP3), 17:00 UTC (1pm EDT). Natural person vs legal entity 11 Oct 2018 (pdf).

Thursday Oct 11 EPDP Meeting (agenda, links to chat transcript, Adobe Connect replay, MP3), 13:00 UTC (9am EDT). Purpose B workbook (pdf); Meeting Transcript (pdf).

Wednesday Oct 10 small group (agenda, links to chat, Adobe replay, MP3), Small Team #3 relevant input (pdf), upd Background Info (pdf). This Small Group's working document:

Tuesday Oct 9 EPDP meeting wiki link (agenda), chat transcript (pdf), MP3Adobe Connect replay,  Lawful Basis Memo (pdf); data elements workbook (including Purpose A), work products (pdfs) in relation to agenda item three: Data Elements Matrix, Purpose APurpose M, Purpose N.  The meeting's focus was on Purpose A, leaving no time for Purposes M & N which also might involve transfer of Registrant data from Registrar to the Registry.

Editor's note: the ICANN EPDP working group grinds on under the inept 'leadership' of former ICANN 'Chief Strategy Officer' Kurt Pritz (appointed EPDP Chair by the GNSO Council), who has apparently been supplanted by CBI.org facilitators Gina Bartlett and David Plumb, when available, in leading EPDP meeting discussions:
Kurt Pritz, EPDP Chair: "I want to welcome David Plumb [CBI.org facilitator] who's on the call who will lead those discussion items. So I'm pretty darn pleased with that."  EPDP Oct 4 meeting, p.3.
Highlights from EPDP meetings last week (ending Oct 5):
Emily Taylor (RrSG): "Just to support Lindsay Hamilton-Reid’s remarks, in practice the technical contacts are often are all almost always duplicates of other contacts. If there’s a technical issue with a domain name there are two possible courses. One is contact the registrant and one is contract the registrar. Both of those details are in separate fields .... my own personal view is that these ancillary fields admin technical billing are all sort of relic from the old Whois format which is, you know, desired way back when in the 80s before there was really a hard concept of a domain name registrant having rights and responsibilities and before there was ever such a thing as a registrar. The market has moved on considerably and the Whois fields have not kept up to date. It’s way past the time where we have a good look at these fields and ... get rid of [some of] them entirely." [EPDP Oct 2 meeting, p. 38] 
Editor's noteMy view is the same as Ms. Taylor's re: admin and technical contacts in the WHOIS directory. That kind of information, like billing contacts and credit card information, if needed at all, should only be held by and between the registrar and registrant. The WHOIS directory is like the Registrar's Office of real estate deeds showing who is the legal owner, or in the case of domain names, the domain name holder (registrant) of recordWhen you buy a car, the government agency that issues auto license plates, doesn't ask you who your mechanic (or 'technical contact') is, does it? My suggestion for revised WHOIS registrant data fields is here (pdf).
Stephanie Perrin (NCSG): "... The current educational resources/registrants rights and responsibilities package has been neglected for years ... Registrars should have procedures in place to inform registrants of their constitutional and charter rights, as well as their rights under GDPR ... note that the registrars will be held accountable for how well informed the individual [registrant] is. If they give away their rights because they were not well informed, it will be the registrars fault ... Caution is required here ... if civil society were to sue under the GDPR, in my view (remember, I am not even a lawyer let alone a litigator) the strategy would be to go for ICANN as data controller  responsible for the policy, and the registrar as data controller for the client relationship data." [EPDP Oct 3 chat, p.3]
Thomas Rickert (ISPCP): "Regarding a direct contract between ICANN and registrants: We are to review to the TS [temporary specification] and not to recreate a completely new gTLD world." Emily Taylor (RrSG): "Well said @Thomas." [EPDP Oct 4 chat, p. 3]
Stephanie Perrin (NCSG): "It is very very clear that the purpose of the GDPR is to address the imbalance of power in the data relationships of the Information Society." [EPDP Oct 4 chat, p.7]
 Questions for ICANN Org from EPDP meeting Oct 4, 2018:
  1. ICANN org should have a general retention policy. As part of its GDPR-compliant data processing regime. If so, can this be provided to the EPDP Team?
  2. We have spent most of this meeting exploring the role of compliance at ICANN, in order to support a proposal that ICANN has an implicit contract with the registrant and that therefore 6 1 b applies as a grounds for processing.  This would also facilitate ICANN operating a UAM on behalf of those who want the data.  It might also explain Goran’s [Marby, ICANN CEO] initiative in seeking some kind of recognition by EU authorities that ICANN has a kind of quasi-regulator status, as the authority vested with the responsibility to manage the DNS.  Given that all of this is outside the current configuration of ICANN as data controller, which would be more clear had we done a DPIA and had we adequate data maps to work with….can we either get back to our Charter questions that we were mandated to address by the GNSO, or get a full explanation of what is going on and why we continue to be focused on the access question? [emphasis and links added]
  3. Is there a date limit for ICANN accepting a complaint or request to audit regarding a registration that has been deleted? If not, what is the case of the longest period of a deleted registration that was accepted and acted upon?
Request for independent legal counsel to assist the EPDP from  RySG (Registries Stakeholder Group), RrSG (Registrar Stakeholder Group), and NCSG (Non-Commercial Stakeholder Group)--Letter October 5, 2018 (pdf).

26 Sep 2018 Letter from Registrar Stakeholder Group (RrSG) to ICANN CEO Göran Marby, ICANN Board Chairman Cherine Chalaby, and ICANN DPO Daniel Halloran (pdf) published by ICANN 4 Oct 2018, embed below (Editor's note: read this carefully):

More info on Oct 2-5 EPDP meetings on last week's News Review.
Photo of ICANN CEO Goran Marby, with words below:" ICANN's  GDPR Train Wreck"  ©2018 DomainMondo.com
Definition of "train wreck" -- a chaotic or disastrous situation that holds a peculiar fascination for observers.
Note also:
  • ICANN Webinar (one hour) data protection/privacy (GDPR) update now scheduled for Oct 8, 2018, 15:00 UTC (11am EDT) via Adobe Connect. Dial-in info, questions, etc., here
UPDATE: Question asked: :Why hasn’t a Data Protection Impact Assessment (DPIA) been carried out to clarify data flows and ICANN’s relationship with the data subject in light of its acknowledged role as a joint controller and Article 35 of the GDPR?
RESPONSE: This question was also asked during the Data Protection/Privacy Update Webinar hosted by ICANN org on 8 October 2018. John Jeffrey, ICANN’s General Counsel and Secretary provided the following response:
“This is something that has been considered since the very beginning. One of the issues is when to do that in a way that is most timely and useful and how to do that. We continue to evolve the thinking of how the interpretation of GDPR applies to WHOIS. We have a number of questions which have been addressed directly to the DPAs and the EDPB and we’ve have an ongoing discussion with the EC about how to interpret the GDPR. We believe that those are a better format at this point than doing the assessment, but we continue to evaluate whether that assessment would be the right thing to do and when.”
ICANN 8 Oct 2018 Webinar replay (Adobe Connect & audio) and presentation (slides) here.
  • Pre-ICANN63 Policy Open House webcast: Thursday, 11 October 2018, 10:00 UTC and 19:00 UTC. The open house will run in English with simultaneous Spanish interpretation. The presentation materials will be translated into Spanish, and posted following the open house with the recordings of the sessions here. Register via this form by 8 Oct 2018. More info here. ICANN63 Full Schedule.

2) Other ICANN News
graphic "ICANN | Internet Corporation for Assigned Names and Numbers"
a. KSK Roll October 11--the change or "roll" of the cryptographic key for the internet DNS root on 11 October 2018. "It will mark the first time the key has been changed since it was first put in use in 2010"--ICANN.org. More information here and here (pdf).

b. ICANN Board Report September 2018 (pdf)
Board Report Sep 2018
"... we held an Executive Team retreat in Visby, Sweden from 23-26 July."--Goran Marby, ICANN President & CEO (p. 3). Editor's note: No disclosure of the itemized and total costs paid by ICANN org for this annual extravagance.

c. If you think ICANN, notwithstanding its incompetence, conflicts of interest, and/or corruption, has a viable future, you may be interested in the ICANN Board and organization webinar on 9 October 2018 at 14:00 UTC (10am EDT) on ICANN strategic planning. More info here.

d. End of the Line: "Resolved (2018.10.03.02), the Board directs the President and CEO, or his designee(s), that the pending application for .HALAL and the pending application for .ISLAM not proceed ... Resolved (2018.10.03.01), the Board adopts the portion of the IRP Panel's recommendation that the application for .PERSIANGULF submitted in the current new gTLD round not proceed and directs the President and CEO, or his designee(s), to take all steps necessary to implement this decision."--Approved Board Resolutions | Special Meeting of the ICANN Board 03 Oct 2018.

e.  ICANN's new gTLD .BRAND Extortion Racket losing more: .epost and .bond. terminating.

3) Names, Domains & Trademarks
graphic "Names, Domains & Trademarks" ©2017 DomainMondo.com
a. Malicious Domains: "using a cooling-off period for domain names can help catch those registered by known bad actors"--DarkReading.com.

b. .COM Domainers re: Verisign, NTIA & ICANN--StopThePriceIncreaseOf.com.

c. WIPO Advanced Workshop on Domain Name Dispute Resolution: Update on Precedent and Practice, Geneva, Switzerland, Tuesday and Wednesday, October 9 and 10, 2018.

d. Domainers Lament "Too many domains, no buyers"--Everyone Trying to Sell Their Portfolios but NOBODY is Buying Them. Now What? | ricksblog.com.

e. Alphabet’s new domain name tool could limit malware, censorship, and spying--internet domain lookups are typically unencrypted, meaning hackers and governments can manipulate them to block certain sites or serve up malware--FastCompany.com.

4) ICYMI Internet Domain News 
graphic "ICYMI Internet Domain News" ©2017 DomainMondo.com
UPDATE on the UN Secretary-General's High-level Panel on Digital Cooperation @UNSGdigicoop:
  • Censorship could be just as common in an open internet as a closed one--qz.com.
  • China: Why Would Google’s Ex-CEO Predict a Separate Chinese Internet?--nymag.com
  • Zambia’s social media tax isn’t really about social media or freedom of speech--qz.com
  • India: Reactions to the Aadhaar Judgement--internetfreedom.in; See also indianexpress.com: Surveillance after the Aadhaar judgment: What Internet freedom?
  • Internet: Inside the Harvard research hub chronicling our relationship with the internet--siliconrepublic.com.

5) Most Read Posts this past week on DomainMondo.com: 
graphic "Domain Mondo" ©2017 DomainMondo.com



-- John Poole, Editor  Domain Mondo 

feedback & comments via twitter @DomainMondo


DISCLAIMER

Domain Mondo posts: