[ALAC] ALAC Statement regarding EPDP

John Laprise jlaprise at gmail.com
Wed Aug 8 13:22:08 UTC 2018


Full disclosure: I am one of the GDPR leads at the (non-internet) nonprofit
I work for. I'm up to my eyeballs in GDPR implementation. I
understand the technical specification and its rationale but do not think
IMO that the WHOIS regime is GDPR compliant. ICANN collects far more data
than required from a contractual point of view and violates GDPR's data
minimization principles.

On Wed, Aug 8, 2018, 7:10 AM John Laprise <jlaprise at gmail.com> wrote:

> GDPR only recognizes data subjects (their associated PII), controllers,
> and processors. So should we. We should avoid confusion by singling out
> groups and in most balance tests, privacy interests of data subjects are the
> guiding factor.
>
> On Wed, Aug 8, 2018, 6:40 AM Hadia Abdelsalam Mokhtar EL miniawi <
> Hadia at tra.gov.eg> wrote:
>
>> Hi Holly and all,
>>
>> Sorry could not reply earlier though I read the email and all the later
>> comments because I was at the MEAC SIG and going through the EPDP survey.
>>
>> So for sure I am not asking for access for individual consumers, I edited
>> Alan's original statement adding to it the customers but missing that the
>> statement asks for access, my mistake. So first I don't think that in our
>> statement we should specifically refer to access (Which is referenced in
>> Annex A of the temporary specification) but we should rather state our
>> position with regard to the whole EPDP. The EPDP addresses four parts
>> 1. Purposes for processing Registration Data
>> 2. Required Data Processing activities (with 10 items one of which
>> addresses access)
>> 3. Data Processing terms
>> 4. Updates to other Consensus Policies
>>
>> The most important of which in my opinion is the purposes for processing
>> registration data based on which the access would be granted. By no means
>> do we want to send the message that data privacy is not important and that
>> we are only concerned with law enforcement and cybersecurity. As I
>> mentioned before the impact of the GDPR on WHOIS will be felt by the
>> individual internet customers and not only those who identify cyber
>> attackers and the law enforcement agencies.
>>
>> I don't think that it serves us right to be speaking solely about
>> cybersecurity and law enforcement agencies or being regarded as their
>> advocates as for sure we are the advocates of the Internet end users.
>>
>> So I suggest the following edits with regard to item 4 of Alan's
>> statement inviting others to modify/add if more clarity is required
>>
>> "our main concern is about protecting the rights and interests of
>> individual internet users and consumers as well as third parties like
>> consumer protection agencies, law enforcement, cybersecurity researchers,
>> those combating fraud in domain names, and others who help protect users
>> from phishing, malware, spam, fraud, DDoS attacks. Those who work to ensure
>> that the Internet is a safe and secure place for users and to do so need
>> timely information about certain websites, all within the constraints of
>> GDPR of course."
>>
>>
>> Best
>> Hadia
>>
>> -----Original Message-----
>> From: Holly Raiche [mailto:h.raiche at internode.on.net]
>> Sent: Monday, August 06, 2018 12:47 AM
>> To: Hadia Abdelsalam Mokhtar EL miniawi
>> Cc: Jonathan Zuck; Carlton Samuels; Evan Leibovitch; At-Large Worldwide;
>> Alan Greenberg
>> Subject: Re: [ALAC] ALAC Statement regarding EPDP
>>
>> Sorry Hadia, but I absolutely cannot agree to your paragraph.
>>
>> We have made it clear from the beginning that whatever the final outcome
>> reached by the EPDP, it must come within the GDPR.  As I have stated many
>> times, the GDPR has to cover many industries, businesses, governmental
>> practices, and therefore, is necessarily general - which gives room when
>> applying those general rules to particular situations.  So there is room to
>> talk about circumstances in which particular parties will have access to
>> some/all of the information.
>>
>> We can argue for access within the recognised category of cybersafety,
>> misuse of information, etc. But one thing the GDPR will not do is permit
>> ordinary individuals unfettered access to personal information.  So arguing
>> for individual, unfettered access puts us outside of the GDPR - and outside
>> of the remit of the EPDP.
>>
>> Holly
>>
>> On 6 Aug 2018, at 12:31 am, Hadia Abdelsalam Mokhtar EL miniawi <
>> Hadia at tra.gov.eg> wrote:
>>
>> > Hi All,
>> >
>> >
>> > As Alan mentioned that we (the members and alternates) had agreed on
>> the statement, however I was of the view of adding a few lines about the
>> consumers, all Internet users are consumers in a way or another. The
>> conflict between the obligations of the GDPR and WHOIS will hinder the work
>> of those who work on identifying cyber attackers and the law enforcement
>> agencies but more importantly the impact of the GDPR on WHOIS will be felt
>> by the individual internet customers. Therefore as the representatives of
>> the interests of the end users I see that we need to mention them in our
>> statement. I also suggest removing WHOIS and just putting the need for
>> access in a timely manner instead. We could end up with another system not
>> necessarily WHOIS, so below is my suggestion for item number 4
>> >
>> >
>> > "Although some Internet users consult WHOIS and will not be able to do
>> so in some cases going forward, our main concern is access for individual
>> consumers as well as third parties like consumer protection agencies, law
>> enforcement, cybersecurity researchers, those combating fraud in domain
>> names, and others who help protect users from phishing, malware, spam,
>> fraud, DDoS attacks, those who work to ensure that the Internet is a safe
>> and secure place for users and to do so need timely information about
>> certain websites, all within the constraints of GDPR of course."
>> >
>> > Kind Regards
>> > Hadia
>> >
>> >
>> >
>> >
>> > ________________________________
>> > From: ALAC <alac-bounces at atlarge-lists.icann.org> on behalf of
>> Jonathan Zuck <JZuck at innovatorsnetwork.org>
>> > Sent: 04 August 2018 18:29
>> > To: Carlton Samuels; Evan Leibovitch
>> > Cc: At-Large Worldwide; Alan Greenberg
>> > Subject: Re: [ALAC] ALAC Statement regarding EPDP
>> >
>> > Wow. A “rancid falsehood.”  Agree, of course, but love the language.
>> >
>> > From: ALAC <alac-bounces at atlarge-lists.icann.org> On Behalf Of Carlton
>> Samuels
>> > Sent: Saturday, August 4, 2018 11:54 AM
>> > To: Evan Leibovitch <evan at telly.org>
>> > Cc: At-Large Worldwide <alac at atlarge-lists.icann.org>; Alan Greenberg <
>> alan.greenberg at mcgill.ca>
>> > Subject: Re: [ALAC] ALAC Statement regarding EPDP
>> >
>> > I have to tell you my friend this one leaves me gobsmacked every time.
>> And, underscores the immorality of the false equivalence.
>> >
>> > Sure, let us accept that the bye-law change was orchestrated by some
>> rube from SoyaBeanField, Nebraska who may be challenged by the ordinary
>> meaning of 'individual internet users' to which the bye-law of title refers.
>> >
>> > And let us concede the term 'individual internet users' may be subject
>> to interpretation.  But you cannot escape context in assessing meaning.
>> >
>> > If one knows anything of the domain name system and the domain name
>> market, it should not be a stretch to consider and recognize that purely on
>> these facts, if one chooses to take title to a domain name and become a
>> registrant, the interests of a registrant will likely diverge, even pivot,
>> from that of an individual internet user!
>> >
>> > This has troubled me as long as I have caucused with the At-Large. Yes,
>> we should welcome every opinion in these councils. And yes, I will stand at
>> the barricade to preserve the right for all opinions to contend and even be
>> heard.
>> >
>> > But it is a rancid falsehood to ascribe the same value to all of them.
>> >
>> > -Carlton
>> >
>> >
>> > ==============================
>> > Carlton A Samuels
>> > Mobile: 876-818-1799
>> > Strategy, Process, Governance, Assessment & Turnaround
>> > =============================
>> >
>> >
>> > On Fri, Aug 3, 2018 at 4:28 PM Evan Leibovitch <evan at telly.org> wrote:
>> > Hi all.
>> >
>> > I agree with Holly, Carlton and Kan. I am frankly surprised that this
>> debate continues to be litigated. How little has changed after a decade of
>> talk. Two things:
>> >
>> >  1.  Alan's point that "if registrant needs differ from those of the 4
>> billion Internet users  who are not registrants, those latter needs take
>> precedence" ought not to be controversial, yet somehow it still is to some.
>> The ICANN Bylaws assign to ALAC the role of representing the interests of
>> those who are impacted by domains yet neither buy nor sell them. While
>> there are those among us who own domains and even a few who sell them, such
>> interests already have representation elsewhere in ICANN through multiple
>> vectors. In the vast majority of instances the needs of domain owners align
>> with those of the billions who would use those domains to access goods and
>> services. Alan's statement, which is consistent with both the Bylaws and
>> past practice, is that on the few occasions when those interests may
>> collide, ALAC sides with those who have no other voice in ICANN. This is
>> nothing new and has no reason to be renegotiated now.
>> >  2.  It is neither inconsistent with the GDPR nor mocking its
>> intentions to state accurately that privacy has been demonstrably abused
>> within the world of domains to enable unethical and illegal conduct. It is
>> wholly appropriate for At-Large -- in speaking for those who have been
>> scammed and those who wish not to be scammed in the future -- to request
>> that the legitimate need for privacy be accompanied by safeguards against
>> shielding those who cause harm. To me this takes two forms: (a) demand for
>> robust and efficient due process to address such abuse when discovered and
>> (b) accuracy of information so that the result of valid due process reveals
>> useful data. It is reasonable to assert that the unintended consequence of
>> privacy without such public safeguards may be worse than the problems
>> privacy rules seek to fix.
>> > - Evan
>> > _______________________________________________
>> > ALAC mailing list
>> > ALAC at atlarge-lists.icann.org
>> > https://atlarge-lists.icann.org/mailman/listinfo/alac
>> >
>> > At-Large Online: http://www.atlarge.icann.org
>> > ALAC Working Wiki:
>> https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
>>
>
>