[ALAC] ALAC Statement regarding EPDP

Hadia Abdelsalam Mokhtar EL miniawi Hadia at tra.gov.eg
Wed Aug 8 11:41:14 UTC 2018 

Hi Holly and all,

Sorry could not reply earlier though I read the email and all the later comments because I was at the MEAC SIG and going through the EPDP survey.

So for sure I am not asking for access for individual consumers, I edited Alan's original statement adding to it the customers but missing that the statement askes for access, my mistake. So first I don't think that in our statement we should specifically refer to access (Which is referenced in Annex A of the temporary specification) but we should rather state our position with regard to the whole EPDP. The EPDP addresses four parts
1. Purposes for processing Registration Data
2. Required Data Processing activities (with 10 items one of which addresses access)
3. Data Processing terms
4. Updates to other Consensus Policies

The most important of which in my opinion is the purposes for processing registration data based on which the access would be granted. By no means do we want to send the message that data privacy is not important and that we are only concerned with law enforcement and cybersecurity. As  I mentioned before the impact of the GDPR on WHOIS will be felt by the individual internet customers and not only  those who identify cyber attackers and the law enforcement agencies.

I don't think that it serves us right to be speaking solely about cybersecurity and law enforcement agencies or being regarded as  their advocates as for sure we are the advocates of the Internet end users.

So I suggest the following edits with regard to item 4 of Alan's statement inviting others to modify/add if more clarity is required

"our main concern is about protecting the rights and interests of  individual internet users and consumers as well as third parties like consumer protection agencies, law enforcement, cybersecurity researchers, those combating fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks. Those who work to ensure that the Internet is a safe and secure place for users and to do so need timely information about certain websites, all within the constraints of GDPR of course."


Best
Hadia

-----Original Message-----
From: Holly Raiche [mailto:h.raiche at internode.on.net] 
Sent: Monday, August 06, 2018 12:47 AM
To: Hadia Abdelsalam Mokhtar EL miniawi
Cc: Jonathan Zuck; Carlton Samuels; Evan Leibovitch; At-Large Worldwide; Alan Greenberg
Subject: Re: [ALAC] ALAC Statement regarding EPDP

Sorry Hadia, but I absolutely cannot agree to your paragraph.

We have made it clear from the beginning that whatever the final outcome reached by the EPDP, it must come within the GDPR.  As I have stated many times, the GDPR has to cover many industries, businesses, governmental practices, and therefore, is necessarily general - which gives room when applying those general rules to particular situations.  So there is room to talk about circumstances in which particular parties will have access to some/all of the information.  

We can argue for access within the recognised category of cybersafety, misuse of information, etc. But one thing the GDPR will not do is permit ordinary individuals unfettered access to personal information.  So arguing for individual, unfettered access puts us outside of the GDPR - and outside of the remit of the EPDP. 

Holly

On 6 Aug 2018, at 12:31 am, Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg> wrote:

> Hi All,
> 
> 
> As Alan mentioned that we (the members and alternates) had agreed on the statement, however I was of the view of adding a few lines about the consumers, all Internet users are consumers in a way or another. The conflict between the obligations of the GDPR and WHOIS will hinder the work of  those who work on identifying cyber attackers and the law enforcement agencies but more importantly the impact of the GDPR on WHOIS will be felt by the individual internet customers. Therefore as the representatives of the interests of the   end users I see that we need to mention them in our statement. I also suggest removing WHOIS and just putting the need for access in a timely manner instead. We could end up with another system not necessarily WHOIS, so below is my suggestion for item number 4
> 
> 
> "Although some Internet users consult WHOIS and will not be able to do so in some cases going forward, our main concern is access for individual consumers as well as third parties like consumer protection agencies, law enforcement, cybersecurity researchers, those combating fraud in domain names, and others who help protect users from phishing, malware, spam, fraud, DDoS attacks, those who work to ensure that the Internet is a safe and secure place for users and to do so need timely information about certain websites, all within the constraints of GDPR of course."
> 
> Kind Regards
> Hadia
> 
>> 
> 
> ________________________________
> From: ALAC <alac-bounces at atlarge-lists.icann.org> on behalf of Jonathan Zuck <JZuck at innovatorsnetwork.org>
> Sent: 04 August 2018 18:29
> To: Carlton Samuels; Evan Leibovitch
> Cc: At-Large Worldwide; Alan Greenberg
> Subject: Re: [ALAC] ALAC Statement regarding EPDP
> 
> Wow. A “rancid falsehood.”  Agree, of course, but love the language.
> 
> From: ALAC <alac-bounces at atlarge-lists.icann.org> On Behalf Of Carlton Samuels
> Sent: Saturday, August 4, 2018 11:54 AM
> To: Evan Leibovitch <evan at telly.org>
> Cc: At-Large Worldwide <alac at atlarge-lists.icann.org>; Alan Greenberg <alan.greenberg at mcgill.ca>
> Subject: Re: [ALAC] ALAC Statement regarding EPDP
> 
> I have to tell you my friend this one leaves me gobsmacked every time. And, underscores the immorality of the false equivalence.
> 
> Sure, let us accept that the bye-law change was orchestrated by some rube from SoyaBeanField, Nebraska who may be challenged by the ordinary meaning of 'individual internet users" to which the bye-law of title refers.
> 
> And let us concede the term 'individual internet users' may be subject to interpretation.  But you cannot escape context in assessing meaning.
> 
> If one knows anything of the domain name system and the domain name market, it should not be a stretch to consider and recognize that purely on these facts, if one chooses to take title to a domain name and become a registrant, the interests of a registrant will likely diverge, even pivot, from that of an individual internet user!
> 
> This has troubled me as long as I have caucused with the At-Large. Yes, we should welcome every opinion in these councils. And yes, I will stand at the barricade to preserve the right for all opinions to contend and even be heard.
> 
> But it is a rancid falsehood to ascribe the same value to all of them.
> 
> -Carlton
> 
> 
> ==============================
> Carlton A Samuels
> Mobile: 876-818-1799
> Strategy, Process, Governance, Assessment & Turnaround
> =============================
> 
> 
> On Fri, Aug 3, 2018 at 4:28 PM Evan Leibovitch <evan at telly.org<mailto:evan at telly.org>> wrote:
> Hi all.
> 
> I agree with Holly, Carlton and Kan. I am frankly surprised that this debate continues to be litigated. How little has changed after a decade of talk. Two things:
> 
>  1.  Alan's point that "if registrant needs differ from those of the 4 billion Internet users  who are not registrants, those latter needs take precedence" ought not to be controversial, yet somehow it still is to some. The ICANN Bylaws assign to ALAC the role of representing the interests of those who are impacted by domains yet neither buy nor sell them. While there are those among us who own domains and even a few who sell them, such interests already have representation elsewhere in ICANN through multiple vectors. In the vast majority of instances the needs of domain owners align with those of the billions who would use those domains to access goods and services. Alan's statement, which is consistent with both the Bylaws and past practice, is that on the few occasions when those interests may collide, ALAC sides with those who have no other voice in ICANN. This is nothing new and has no reason to be renegotiated now.
>  2.  It is neither inconsistent with the GRPR nor mocking its intentions to state accurately that privacy has been demonstrably abused within the world of domains to enable unethical and illegal conduct. It wholly appropriate for At-Large -- in speaking for those who have been scammed and those who wish not to be scammed in the future -- to request that the legitimate need for privacy be accompanied by safeguards against shielding those who cause harm. To me this takes two forms: (a) demand for robust and efficient due process to address such abuse when discovered and (b) accuracy of information so that the result of valid due process reveals useful data. It is reasonable to assert that the unintended consequence of privacy without such public safeguards may be worse than the problems privacy rules seek to fix.
> - Evan
> _______________________________________________
> ALAC mailing list
> ALAC at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/alac
> 
> At-Large Online: http://www.atlarge.icann.org
> ALAC Working Wiki: https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)

More information about the ALAC mailing list