[ALAC] ALAC Statement regarding EPDP
Alan Greenberg
alan.greenberg at mcgill.ca
Wed Aug 8 16:37:54 UTC 2018
Thanks Jonathan.
And note that Registrars and Registries (who have
similar goals - to ensure that they comply and
are not subject to being non-compliant and fined)
have 6 voices as does the NCSG. We have 2.
Alan
At 08/08/2018 11:41 AM, Jonathan Zuck wrote:
>Folks,
>Handicapping the outcome and determining the
>interests we will attempt to represent are two
>very different exercises that we would do well
>not to conflate. It may very well be the case
>that whois is not currently GDPR compliant. That
>does nothing to change the fact that end users
>benefit from cybersecurity research,
>reputational databases and IP enforcement (as it
>often pertains to malware). So the point is NOT
>to be the smartest person in the room who
>already has the answers. The point is to
>vigorously represent those who, at present, have
>no voice in this discussion: the typical end
>user engaged in end user activities on the
>internet. None of that implies non-compliance
>with the GDPR but it might mean choosing a few
>places to “test the fences,†so to speak,
>or creative alternatives for facilitating the
>work of the 3rd parties on which end users rely.
>
>Everyone seems to be freaking out about this
>statement when it’s not the case where ours
>will be the only voice. There are many voices,
>of which we are simply one. We serve our
>constituency better by being only one and not
>attempting to be the “every voice.†The
>biggest business interest in this is registrars
>and registries and they are well represented by
>both themselves and the NCUC under cover of
>representing the registrant. We don’t
>denigrate the registrant but instead are there
>to represent end users. There’s nothing wrong
>with being a minority voice and losing more
>battles than we win. We should still be doing
>our best to represent those interests.
>
>From: ALAC
><alac-bounces at atlarge-lists.icann.org> on behalf
>of Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
>Date: Wednesday, August 8, 2018 at 9:27 AM
>To: John Laprise <jlaprise at gmail.com>
>Cc: At-Large Worldwide
><alac at atlarge-lists.icann.org>, Alan Greenberg <alan.greenberg at mcgill.ca>
>Subject: Re: [ALAC] ALAC Statement regarding EPDP
>
>We certainly need to have legal bases
>corresponding to the stated purposes, I am not sure that we do have these now
>
>hadia
>
>From: John Laprise [mailto:jlaprise at gmail.com]
>Sent: Wednesday, August 08, 2018 3:22 PM
>To: Hadia Abdelsalam Mokhtar EL miniawi
>Cc: Alan Greenberg; At-Large Worldwide; Holly Raiche
>Subject: Re: [ALAC] ALAC Statement regarding EPDP
>
>Full disclosure: I am one of the GDPR leads at
>the (non-internet) non profit I work for. I'm up
>to my eyeballs in GDPR implementation. I
>understand the technical specification and it's
>rationale but do not think IMO that the WHOIS
>regime is GDPR compliant. ICANN collects far
>more data than required from a contractual point
>of view and violates GDPR's data minimzation principles.
>On Wed, Aug 8, 2018, 7:10 AM John Laprise
><<mailto:jlaprise at gmail.com>jlaprise at gmail.com> wrote:
>GDPR only recognizes data subjects (their
>associated PII), controllers, and processors. So
>should we. We should avoid confusion by singling
>out groups and in most balance tests, privacy
>interests of data subjects is the guiding factor.
>On Wed, Aug 8, 2018, 6:40 AM Hadia Abdelsalam
>Mokhtar EL miniawi <<mailto:Hadia at tra.gov.eg>Hadia at tra.gov.eg> wrote:
>Hi Holly and all,
>
>Sorry could not reply earlier though I read the
>email and all the later comments because I was
>at the MEAC SIG and going through the EPDP survey.
>
>So for sure I am not asking for access for
>individual consumers, I edited Alan's original
>statement adding to it the customers but missing
>that the statement askes for access, my mistake.
>So first I don't think that in our statement we
>should specifically refer to access (Which is
>referenced in Annex A of the temporary
>specification) but we should rather state our
>position with regard to the whole EPDP. The EPDP addresses four parts
>1. Purposes for processing Registration Data
>2. Required Data Processing activities (with 10
>items one of which addresses access)
>3. Data Processing terms
>4. Updates to other Consensus Policies
>
>The most important of which in my opinion is the
>purposes for processing registration data based
>on which the access would be granted. By no
>means do we want to send the message that data
>privacy is not important and that we are only
>concerned with law enforcement and
>cybersecurity. As I mentioned before the impact
>of the GDPR on WHOIS will be felt by the
>individual internet customers and not
>only those who identify cyber attackers and the law enforcement agencies.
>
>I don't think that it serves us right to be
>speaking solely about cybersecurity and law
>enforcement agencies or being regarded as their
>advocates as for sure we are the advocates of the Internet end users.
>
>So I suggest the following edits with regard to
>item 4 of Alan's statement inviting others to
>modify/add if more clarity is required
>
>"our main concern is about protecting the rights
>and interests of individual internet users and
>consumers as well as third parties like consumer
>protection agencies, law enforcement,
>cybersecurity researchers, those combating fraud
>in domain names, and others who help protect
>users from phishing, malware, spam, fraud, DDoS
>attacks. Those who work to ensure that the
>Internet is a safe and secure place for users
>and to do so need timely information about
>certain websites, all within the constraints of GDPR of course."
>
>
>Best
>Hadia
>
>-----Original Message-----
>From: Holly Raiche [mailto:h.raiche at internode.on.net]
>Sent: Monday, August 06, 2018 12:47 AM
>To: Hadia Abdelsalam Mokhtar EL miniawi
>Cc: Jonathan Zuck; Carlton Samuels; Evan
>Leibovitch; At-Large Worldwide; Alan Greenberg
>Subject: Re: [ALAC] ALAC Statement regarding EPDP
>
>Sorry Hadia, but I absolutely cannot agree to your paragraph.
>
>We have made it clear from the beginning that
>whatever the final outcome reached by the EPDP,
>it must come within the GDPR. As I have stated
>many times, the GDPR has to cover many
>industries, businesses, governmental practices,
>and therefore, is necessarily general - which
>gives room when applying those general rules to
>particular situations. So there is room to talk
>about circumstances in which particular parties
>will have access to some/all of the information.
>
>We can argue for access within the recognised
>category of cybersafety, misuse of information,
>etc. But one thing the GDPR will not do is
>permit ordinary individuals unfettered access to
>personal information. So arguing for
>individual, unfettered access puts us outside of
>the GDPR - and outside of the remit of the EPDP.
>
>Holly
>
>On 6 Aug 2018, at 12:31 am, Hadia Abdelsalam
>Mokhtar EL miniawi <<mailto:Hadia at tra.gov.eg>Hadia at tra.gov.eg> wrote:
>
> > Hi All,
> >
> >
> > As Alan mentioned that we (the members and
> alternates) had agreed on the statement,
> however I was of the view of adding a few lines
> about the consumers, all Internet users are
> consumers in a way or another. The conflict
> between the obligations of the GDPR and WHOIS
> will hinder the work of those who work on
> identifying cyber attackers and the law
> enforcement agencies but more importantly the
> impact of the GDPR on WHOIS will be felt by the
> individual internet customers. Therefore as the
> representatives of the interests of the end
> users I see that we need to mention them in our
> statement. I also suggest removing WHOIS and
> just putting the need for access in a timely
> manner instead. We could end up with another
> system not necessarily WHOIS, so below is my suggestion for item number 4
> >
> >
> > "Although some Internet users consult WHOIS
> and will not be able to do so in some cases
> going forward, our main concern is access for
> individual consumers as well as third parties
> like consumer protection agencies, law
> enforcement, cybersecurity researchers, those
> combating fraud in domain names, and others who
> help protect users from phishing, malware,
> spam, fraud, DDoS attacks, those who work to
> ensure that the Internet is a safe and secure
> place for users and to do so need timely
> information about certain websites, all within
> the constraints of GDPR of course."
> >
> > Kind Regards
> > Hadia
> >
> > ​
> >
> >
> > ________________________________
> > From: ALAC
> <<mailto:alac-bounces at atlarge-lists.icann.org>alac-bounces at atlarge-lists.icann.org>
> on behalf of Jonathan Zuck
> <<mailto:JZuck at innovatorsnetwork.org>JZuck at innovatorsnetwork.org>
> > Sent: 04 August 2018 18:29
> > To: Carlton Samuels; Evan Leibovitch
> > Cc: At-Large Worldwide; Alan Greenberg
> > Subject: Re: [ALAC] ALAC Statement regarding EPDP
> >
> > Wow. A “rancid falsehood.†Agree, of course, but love the language.
> >
> > From: ALAC
> <<mailto:alac-bounces at atlarge-lists.icann.org>alac-bounces at atlarge-lists.icann.org>
> On Behalf Of Carlton Samuels
> > Sent: Saturday, August 4, 2018 11:54 AM
> > To: Evan Leibovitch <<mailto:evan at telly.org>evan at telly.org>
> > Cc: At-Large Worldwide
> <<mailto:alac at atlarge-lists.icann.org>alac at atlarge-lists.icann.org>;
> Alan Greenberg <<mailto:alan.greenberg at mcgill.ca>alan.greenberg at mcgill.ca>
> > Subject: Re: [ALAC] ALAC Statement regarding EPDP
> >
> > I have to tell you my friend this one leaves
> me gobsmacked every time. And, underscores the
> immorality of the false equivalence.
> >
> > Sure, let us accept that the bye-law change
> was orchestrated by some rube from
> SoyaBeanField, Nebraska who may be challenged
> by the ordinary meaning of 'individual internet
> users" to which the bye-law of title refers.
> >
> > And let us concede the term 'individual
> internet users' may be subject to
> interpretation. But you cannot escape context in assessing meaning.
> >
> > If one knows anything of the domain name
> system and the domain name market, it should
> not be a stretch to consider and recognize that
> purely on these facts, if one chooses to take
> title to a domain name and become a registrant,
> the interests of a registrant will likely
> diverge, even pivot, from that of an individual internet user!
> >
> > This has troubled me as long as I have
> caucused with the At-Large. Yes, we should
> welcome every opinion in these councils. And
> yes, I will stand at the barricade to preserve
> the right for all opinions to contend and even be heard.
> >
> > But it is a rancid falsehood to ascribe the same value to all of them.
> >
> > -Carlton
> >
> >
> > ==============================
> > Carlton A Samuels
> > Mobile: 876-818-1799
> > Strategy, Process, Governance, Assessment & Turnaround
> > =============================
> >
> >
> > On Fri, Aug 3, 2018 at 4:28 PM Evan
> Leibovitch
> <<mailto:evan at telly.org>evan at telly.org<mailto:evan at telly.org>> wrote:
> > Hi all.
> >
> > I agree with Holly, Carlton and Kan. I am
> frankly surprised that this debate continues to
> be litigated. How little has changed after a decade of talk. Two things:
> >
> > 1. Alan's point that "if registrant needs
> differ from those of the 4 billion Internet
> users who are not registrants, those latter
> needs take precedence" ought not to be
> controversial, yet somehow it still is to some.
> The ICANN Bylaws assign to ALAC the role of
> representing the interests of those who are
> impacted by domains yet neither buy nor sell
> them. While there are those among us who own
> domains and even a few who sell them, such
> interests already have representation elsewhere
> in ICANN through multiple vectors. In the vast
> majority of instances the needs of domain
> owners align with those of the billions who
> would use those domains to access goods and
> services. Alan's statement, which is consistent
> with both the Bylaws and past practice, is that
> on the few occasions when those interests may
> collide, ALAC sides with those who have no
> other voice in ICANN. This is nothing new and
> has no reason to be renegotiated now.
> > 2. It is neither inconsistent with the GRPR
> nor mocking its intentions to state accurately
> that privacy has been demonstrably abused
> within the world of domains to enable unethical
> and illegal conduct. It wholly appropriate for
> At-Large -- in speaking for those who have been
> scammed and those who wish not to be scammed in
> the future -- to request that the legitimate
> need for privacy be accompanied by safeguards
> against shielding those who cause harm. To me
> this takes two forms: (a) demand for robust and
> efficient due process to address such abuse
> when discovered and (b) accuracy of information
> so that the result of valid due process reveals
> useful data. It is reasonable to assert that
> the unintended consequence of privacy without
> such public safeguards may be worse than the
> problems privacy rules seek to fix.
> > - Evan
> > _______________________________________________
> > ALAC mailing list
> > <mailto:ALAC at atlarge-lists.icann.org>ALAC at atlarge-lists.icann.org
> > https://atlarge-lists.icann.org/mailman/listinfo/alac
> >
> > At-Large Online: <http://www.atlarge.icann.org>http://www.atlarge.icann.org
> > ALAC Working Wiki:
> <https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)>https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
>
>_______________________________________________
>ALAC mailing list
><mailto:ALAC at atlarge-lists.icann.org>ALAC at atlarge-lists.icann.org
>https://atlarge-lists.icann.org/mailman/listinfo/alac
>
>At-Large Online: <http://www.atlarge.icann.org>http://www.atlarge.icann.org
>ALAC Working Wiki:
><https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)>https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://atlarge-lists.icann.org/pipermail/alac/attachments/20180808/7297d610/attachment.html>
More information about the ALAC
mailing list