[ALAC] ALAC Statement regarding EPDP

Carlton Samuels carlton.samuels at gmail.com
Thu Aug 9 10:10:50 UTC 2018


+1

-Carlton

On Wed, 8 Aug 2018, 10:41 am Jonathan Zuck, <JZuck at innovatorsnetwork.org>
wrote:

> Folks,
>
> Handicapping the outcome and determining the interests we will attempt to
> represent are two very different exercises that we would do well not to
> conflate. It may very well be the case that whois is not currently GDPR
> compliant. That does nothing to change the fact that end users benefit from
> cybersecurity research, reputational databases and IP enforcement (as it
> often pertains to malware). So the point is NOT to be the smartest person
> in the room who already has the answers. The point is to vigorously
> represent those who, at present, have no voice in this discussion: the
> typical end user engaged in end user activities on the internet. None of
> that implies non-compliance with the GDPR but it might mean choosing a few
> places to  “test the fences,” so to speak, or creative alternatives for
> facilitating the work of the 3rd parties on which end users rely.
>
>
>
> Everyone seems to be freaking out about this statement when it’s not the
> case where ours will be the only voice. There are many voices, of which we
> are simply one. We serve our constituency better by being only one and not
> attempting to be the “every voice.” The biggest business interest in this
> is registrars and registries and they are well represented by both
> themselves and the NCUC under cover of representing the registrant. We
> don’t denigrate the registrant but instead are there to represent end
> users. There’s nothing wrong with being a minority voice and losing more
> battles than we win. We should still be doing our best to represent those
> interests.
>
>
>
> *From: *ALAC <alac-bounces at atlarge-lists.icann.org> on behalf of Hadia
> Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
> *Date: *Wednesday, August 8, 2018 at 9:27 AM
> *To: *John Laprise <jlaprise at gmail.com>
> *Cc: *At-Large Worldwide <alac at atlarge-lists.icann.org>, Alan Greenberg <
> alan.greenberg at mcgill.ca>
> *Subject: *Re: [ALAC] ALAC Statement regarding EPDP
>
>
>
> We certainly need to have legal bases corresponding to the stated
> purposes, I am not sure that we do have these now
>
>
>
> hadia
>
>
>
> *From:* John Laprise [mailto:jlaprise at gmail.com]
> *Sent:* Wednesday, August 08, 2018 3:22 PM
> *To:* Hadia Abdelsalam Mokhtar EL miniawi
> *Cc:* Alan Greenberg; At-Large Worldwide; Holly Raiche
> *Subject:* Re: [ALAC] ALAC Statement regarding EPDP
>
>
>
> Full disclosure: I am one of the GDPR leads at the (non-internet) non
> profit I work for. I'm up to my eyeballs in GDPR implementation. I
> understand the technical specification and it's rationale but do not think
> IMO that the WHOIS regime is GDPR compliant. ICANN collects far more data
> than required from a contractual point of view and violates GDPR's data
> minimzation principles.
>
> On Wed, Aug 8, 2018, 7:10 AM John Laprise <jlaprise at gmail.com> wrote:
>
> GDPR only recognizes data subjects (their associated PII), controllers,
> and processors. So should we. We should avoid confusion by singling out
> groups and in most balance tests, privacy interests of data subjects is the
> guiding factor.
>
> On Wed, Aug 8, 2018, 6:40 AM Hadia Abdelsalam Mokhtar EL miniawi <
> Hadia at tra.gov.eg> wrote:
>
> Hi Holly and all,
>
> Sorry could not reply earlier though I read the email and all the later
> comments because I was at the MEAC SIG and going through the EPDP survey.
>
> So for sure I am not asking for access for individual consumers, I edited
> Alan's original statement adding to it the customers but missing that the
> statement askes for access, my mistake. So first I don't think that in our
> statement we should specifically refer to access (Which is referenced in
> Annex A of the temporary specification) but we should rather state our
> position with regard to the whole EPDP. The EPDP addresses four parts
> 1. Purposes for processing Registration Data
> 2. Required Data Processing activities (with 10 items one of which
> addresses access)
> 3. Data Processing terms
> 4. Updates to other Consensus Policies
>
> The most important of which in my opinion is the purposes for processing
> registration data based on which the access would be granted. By no means
> do we want to send the message that data privacy is not important and that
> we are only concerned with law enforcement and cybersecurity. As  I
> mentioned before the impact of the GDPR on WHOIS will be felt by the
> individual internet customers and not only  those who identify cyber
> attackers and the law enforcement agencies.
>
> I don't think that it serves us right to be speaking solely about
> cybersecurity and law enforcement agencies or being regarded as  their
> advocates as for sure we are the advocates of the Internet end users.
>
> So I suggest the following edits with regard to item 4 of Alan's statement
> inviting others to modify/add if more clarity is required
>
> "our main concern is about protecting the rights and interests of
> individual internet users and consumers as well as third parties like
> consumer protection agencies, law enforcement, cybersecurity researchers,
> those combating fraud in domain names, and others who help protect users
> from phishing, malware, spam, fraud, DDoS attacks. Those who work to ensure
> that the Internet is a safe and secure place for users and to do so need
> timely information about certain websites, all within the constraints of
> GDPR of course."
>
>
> Best
> Hadia
>
> -----Original Message-----
> From: Holly Raiche [mailto:h.raiche at internode.on.net]
> Sent: Monday, August 06, 2018 12:47 AM
> To: Hadia Abdelsalam Mokhtar EL miniawi
> Cc: Jonathan Zuck; Carlton Samuels; Evan Leibovitch; At-Large Worldwide;
> Alan Greenberg
> Subject: Re: [ALAC] ALAC Statement regarding EPDP
>
> Sorry Hadia, but I absolutely cannot agree to your paragraph.
>
> We have made it clear from the beginning that whatever the final outcome
> reached by the EPDP, it must come within the GDPR.  As I have stated many
> times, the GDPR has to cover many industries, businesses, governmental
> practices, and therefore, is necessarily general - which gives room when
> applying those general rules to particular situations.  So there is room to
> talk about circumstances in which particular parties will have access to
> some/all of the information.
>
> We can argue for access within the recognised category of cybersafety,
> misuse of information, etc. But one thing the GDPR will not do is permit
> ordinary individuals unfettered access to personal information.  So arguing
> for individual, unfettered access puts us outside of the GDPR - and outside
> of the remit of the EPDP.
>
> Holly
>
> On 6 Aug 2018, at 12:31 am, Hadia Abdelsalam Mokhtar EL miniawi <
> Hadia at tra.gov.eg> wrote:
>
> > Hi All,
> >
> >
> > As Alan mentioned that we (the members and alternates) had agreed on the
> statement, however I was of the view of adding a few lines about the
> consumers, all Internet users are consumers in a way or another. The
> conflict between the obligations of the GDPR and WHOIS will hinder the work
> of  those who work on identifying cyber attackers and the law enforcement
> agencies but more importantly the impact of the GDPR on WHOIS will be felt
> by the individual internet customers. Therefore as the representatives of
> the interests of the   end users I see that we need to mention them in our
> statement. I also suggest removing WHOIS and just putting the need for
> access in a timely manner instead. We could end up with another system not
> necessarily WHOIS, so below is my suggestion for item number 4
> >
> >
> > "Although some Internet users consult WHOIS and will not be able to do
> so in some cases going forward, our main concern is access for individual
> consumers as well as third parties like consumer protection agencies, law
> enforcement, cybersecurity researchers, those combating fraud in domain
> names, and others who help protect users from phishing, malware, spam,
> fraud, DDoS attacks, those who work to ensure that the Internet is a safe
> and secure place for users and to do so need timely information about
> certain websites, all within the constraints of GDPR of course."
> >
> > Kind Regards
> > Hadia
> >
> > ​
> >
> >
> > ________________________________
> > From: ALAC <alac-bounces at atlarge-lists.icann.org> on behalf of Jonathan
> Zuck <JZuck at innovatorsnetwork.org>
> > Sent: 04 August 2018 18:29
> > To: Carlton Samuels; Evan Leibovitch
> > Cc: At-Large Worldwide; Alan Greenberg
> > Subject: Re: [ALAC] ALAC Statement regarding EPDP
> >
> > Wow. A “rancid falsehood.”  Agree, of course, but love the language.
> >
> > From: ALAC <alac-bounces at atlarge-lists.icann.org> On Behalf Of Carlton
> Samuels
> > Sent: Saturday, August 4, 2018 11:54 AM
> > To: Evan Leibovitch <evan at telly.org>
> > Cc: At-Large Worldwide <alac at atlarge-lists.icann.org>; Alan Greenberg <
> alan.greenberg at mcgill.ca>
> > Subject: Re: [ALAC] ALAC Statement regarding EPDP
> >
> > I have to tell you my friend this one leaves me gobsmacked every time.
> And, underscores the immorality of the false equivalence.
> >
> > Sure, let us accept that the bye-law change was orchestrated by some
> rube from SoyaBeanField, Nebraska who may be challenged by the ordinary
> meaning of 'individual internet users" to which the bye-law of title refers.
> >
> > And let us concede the term 'individual internet users' may be subject
> to interpretation.  But you cannot escape context in assessing meaning.
> >
> > If one knows anything of the domain name system and the domain name
> market, it should not be a stretch to consider and recognize that purely on
> these facts, if one chooses to take title to a domain name and become a
> registrant, the interests of a registrant will likely diverge, even pivot,
> from that of an individual internet user!
> >
> > This has troubled me as long as I have caucused with the At-Large. Yes,
> we should welcome every opinion in these councils. And yes, I will stand at
> the barricade to preserve the right for all opinions to contend and even be
> heard.
> >
> > But it is a rancid falsehood to ascribe the same value to all of them.
> >
> > -Carlton
> >
> >
> > ==============================
> > Carlton A Samuels
> > Mobile: 876-818-1799
> > Strategy, Process, Governance, Assessment & Turnaround
> > =============================
> >
> >
> > On Fri, Aug 3, 2018 at 4:28 PM Evan Leibovitch <evan at telly.org<mailto:
> evan at telly.org>> wrote:
> > Hi all.
> >
> > I agree with Holly, Carlton and Kan. I am frankly surprised that this
> debate continues to be litigated. How little has changed after a decade of
> talk. Two things:
> >
> >  1.  Alan's point that "if registrant needs differ from those of the 4
> billion Internet users  who are not registrants, those latter needs take
> precedence" ought not to be controversial, yet somehow it still is to some.
> The ICANN Bylaws assign to ALAC the role of representing the interests of
> those who are impacted by domains yet neither buy nor sell them. While
> there are those among us who own domains and even a few who sell them, such
> interests already have representation elsewhere in ICANN through multiple
> vectors. In the vast majority of instances the needs of domain owners align
> with those of the billions who would use those domains to access goods and
> services. Alan's statement, which is consistent with both the Bylaws and
> past practice, is that on the few occasions when those interests may
> collide, ALAC sides with those who have no other voice in ICANN. This is
> nothing new and has no reason to be renegotiated now.
> >  2.  It is neither inconsistent with the GRPR nor mocking its intentions
> to state accurately that privacy has been demonstrably abused within the
> world of domains to enable unethical and illegal conduct. It wholly
> appropriate for At-Large -- in speaking for those who have been scammed and
> those who wish not to be scammed in the future -- to request that the
> legitimate need for privacy be accompanied by safeguards against shielding
> those who cause harm. To me this takes two forms: (a) demand for robust and
> efficient due process to address such abuse when discovered and (b)
> accuracy of information so that the result of valid due process reveals
> useful data. It is reasonable to assert that the unintended consequence of
> privacy without such public safeguards may be worse than the problems
> privacy rules seek to fix.
> > - Evan
> > _______________________________________________
> > ALAC mailing list
> > ALAC at atlarge-lists.icann.org
> > https://atlarge-lists.icann.org/mailman/listinfo/alac
> >
> > At-Large Online: http://www.atlarge.icann.org
> > ALAC Working Wiki:
> https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
>
> _______________________________________________
> ALAC mailing list
> ALAC at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/alac
>
> At-Large Online: http://www.atlarge.icann.org
> ALAC Working Wiki:
> https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
>
> _______________________________________________
> ALAC mailing list
> ALAC at atlarge-lists.icann.org
> https://atlarge-lists.icann.org/mailman/listinfo/alac
>
> At-Large Online: http://www.atlarge.icann.org
> ALAC Working Wiki:
> https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://atlarge-lists.icann.org/pipermail/alac/attachments/20180809/f9fb8f22/attachment.html>


More information about the ALAC mailing list