1) ICANN & GDPR EPDP Meetings this week, 'WHOIS Is Mostly DEAD' Says Dr. Paul Vixie
*Each EPDP meeting's links to documents, transcripts, MP3 audio and Adobe Connect recording, will be posted here, as made available by ICANN (links to EPDP meetings' transcripts are usually posted on the GNSO calendar within 24 hours). See also EPDP Team wiki, mail list, Temp Spec, EPDP Charter (pdf), and AC/SOs responses to request for early input.
UPDATES 29-30 Aug:
a. Editor's note: the core questions completely missing thus far in the EPDP: Specifically, WHAT registrant data does ICANN need registrars to collect from registrants, and WHY? My answer (which I have given before): NAME of the legal entity or person registering the domain name (i.e., the "registrant"); ADDRESS of the registrant (for contacting registrant concerning the domain name); EMAIL address for contacting the registrant concerning the domain name; PHONE number for contacting the registrant concerning the domain name. Anything more (for ICANN's purposes), is redundant, unnecessary, violative of the GDPR, including data minimization requirements (see ICANN vs EPAG), and in the case of fax numbers, an even more serious cybersecurity risk. The registrar may collect billing and other data in compliance with the GDPR, but that is none of ICANN's business, and should be beyond the scope of the EPDP, Temp Spec and policy. Frankly, the faster the EPDP can reach consensus on the above, the faster they can begin addressing access & accreditation issues.
b. Special interests push U.S. Congress to override ICANN’s WHOIS policy process--internetgovernance.org 29 Aug 2018--copy of the draft legislation (pdf) embed in full below:
c. EPDP Meeting #9 (Agenda in slides embed below), Thursday, 30 August 2018, 13:00 UTC, 9am EDT:
Notes:
- Aug 30 meeting transcript (pdf). Chat transcript (pdf); Adobe Connect replay, MP3;
- High-Level Notes and Action Items are here.
- EPDP Team DSI Appendix Cv2 (pdf);
UPDATES 28 Aug 2018:
- Aug 28 Adobe Connect Recording (allow video to load); MP3 audio, meeting transcript (pdf);
- Meme of the Aug 28 meeting by James Bladel (GoDaddy) (EPDP Team member) via Twitter.
- Chat Transcript (pdf) embed below; Notes & Action Items; RySG and RrSG Request GDPR Training for EPDP members and alternates.
Note: input received on Triage Report and section category allocation (pdf). Aug 28 chat transcript:
UPDATE from the EPDP mail list 27 Aug 2018:
"... The basic task of ePDP is to ratify or modify the temp spec. Here is the relevant statement from the charter:
"This EPDP Team is being chartered to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law."
"Regarding access, the charter says, 'Work on this topic shall begin once the gating questions above have been answered and finalized in preparation for the Temporary Specification initial report'
"So: 1) temp spec first; 2) "other relevant privacy and data protection law" is applicable, not just GDPR; 3) we deal with access to redacted Whois data after we have resolved the status of the temp spec."--Professor Milton Mueller (NCSG)
Editor's note: For info and updates on last week's meetings, go to last week's News Review, here's a peek:
Little of substance has been accomplished thus far, as the EPDP Team has essentially wasted the month of August preparing a "Triage Report" for the GNSO Council that could have been completed in the first week with a simple survey, or even better, eliminated from the Charter altogether. EPDP Team Chair Kurt Pritz continues with his long, rambling monologues, mostly ignoring suggestions and comments from the more functional, and definitely brighter, EPDP team members. A face-to-face EPDP meeting has been scheduled for September 24-26 in Los Angeles, but at this rate, it's looking increasingly doubtful whether much will get done.
I've yet to see a cogent work plan that first addresses the fundamental questions which ICANN org glossed over or failed to grapple with BEFORE slapping together the Temporary Specification in a rush due to the incompetent ICANN management team wasting 2 years and failing to properly prepare for the GDPR, which became enforceable May 25, 2018 (ICANN management, as late as April, 2018, were laboring under a delusional fantasy that ICANN and its contracted parties would be granted a moratorium from GDPR enforcement.)
The EU GDPR was adopted on 27 April 2016 and published in the EU Official Journal on 4 May 2016. ICANN has had an office in Brussels for more than 10 years (pdf) and European Data Protection authorities have been warning ICANN about its public WHOIS data since 2003, and yet, neither ICANN nor the U.S. government's NTIA warned the "global multistakeholder community" about the ramifications of GDPR for ICANN and its public WHOIS directory, before the IANA transition was completed October 1, 2016. Neither the dysfunctional "ICANN Community" nor their expensive law firms, which received $15 million in legal fees preparing for the IANA transition, ever mentioned the GDPR as a "risk factor" or otherwise.
I've yet to see a cogent work plan that first addresses the fundamental questions which ICANN org glossed over or failed to grapple with BEFORE slapping together the Temporary Specification in a rush due to the incompetent ICANN management team wasting 2 years and failing to properly prepare for the GDPR, which became enforceable May 25, 2018 (ICANN management, as late as April, 2018, were laboring under a delusional fantasy that ICANN and its contracted parties would be granted a moratorium from GDPR enforcement.)
The EU GDPR was adopted on 27 April 2016 and published in the EU Official Journal on 4 May 2016. ICANN has had an office in Brussels for more than 10 years (pdf) and European Data Protection authorities have been warning ICANN about its public WHOIS data since 2003, and yet, neither ICANN nor the U.S. government's NTIA warned the "global multistakeholder community" about the ramifications of GDPR for ICANN and its public WHOIS directory, before the IANA transition was completed October 1, 2016. Neither the dysfunctional "ICANN Community" nor their expensive law firms, which received $15 million in legal fees preparing for the IANA transition, ever mentioned the GDPR as a "risk factor" or otherwise.
 |
| Definition: "train wreck" (noun) a chaotic or disastrous situation that holds a peculiar fascination for observers. |
Note also:
- Government of India's views (pdf) on ICANN's Unified Access Model (pdf) ("overly complex") and EPDP.
- ICANN Board reaffirmed Temporary Specification for an additional 90-day period on Aug 21.
- ICYMI: Internet overseer continues wall-punching legal campaign ICANN appeals its appeal and tells German courts yet again that they're wrong | theregister.co.uk: "... At some point, however, failed legal argument after failed legal argument starts to point to something much more concerning: that the organization [ICANN] in charge of overseeing the internet's naming and numbering systems is not capable of doing its job."--former ICANN staffer Kieren McCarthy.
- ICYMI: ICANN's ePDP - An Insider's Perspective | circleid.com: "... There really is no clear path forward if this group is unable to produce a final report with specific policy to replace the temporary specification when it expires in May of 2019. If that were to happen, it's not a stretch to think it would call into question the overall ability of ICANN (and the community) to manage the global DNS ..."--EPDP Team member Matt Serlin.
2) Other ICANN News
 |
| What to Expect During the Root SKS Rollover (pdf) |
"... the user will start seeing failure sometime in the 48 hours after the rollover. Users will see different symptoms of failure depending on what program they are running and how that program reacts to failed DNS lookups. In browsers, it is likely that a web page will become unavailable ... In email programs, the user might not be able to get new mail, or parts of message bodies may show errors. The failures will cascade until no program is able to show new information from the Internet. Note that the term “users” here does not just indicate humans. Automated systems that are also using unprepared resolvers for their DNS resolution will start to fail, possibly catastrophically."--What To Expect During the Root KSK Rollover, supra, p. 5, (emphasis added).Root KSK Rollover--SSAC: Let's 'Roll the Dice' on Crashing the Internet!--SAC102: SSAC Comment on the Updated Plan for Continuing the Root KSK Rollover English [PDF] excerpt from the dissenters*:
"The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc. While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties. We would like to reiterate that we understand our colleagues' position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision ..."--SAC102 Dissent, p.4*Dissenters:
- Danny McPherson (Chief Security Officer for Verisign);
- Warren Kumari (Senior Network Engineer/Senior Network Security Engineer with Google);
- KC Claffy (founder and director of the Center for Applied Internet Data Analysis (CAIDA), based at the University of California's San Diego Supercomputer Center, and Adjunct Professor in the Computer Science and Engineering Department at UCSD);
- Jay Daley (techobscura.com, interim President & CEO PIR.org );
- Lyman Chapin (co-founder and partner at Interisle Consulting Group).
b. DotConnectAfrica Trust v. ICANN (Trial Court Proceeding) 1 August 2018
Court Order: Trial date vacated; Status Conference scheduled for 25 September 2018.
c. ICANN Public Comment Periods closing in September (on each date indicated at 23:59 UTC) subject to change by ICANN:
- Proposals for Devanagari, Gurmukhi, and Gujarati Scripts' Root Zone Label Generation Rules 10 Sep 2018
- Draft ICANN Africa Strategic Plan 2016-2020 Version 3.0 10 Sep 2018
- Study on Technical Use of Root Zone Label Generation Rules 11 Sep 2018
- Recommendations for Managing IDN Variant Top-Level Domains 17 Sep 2018
- Proposals for Kannada, Oriya and Telugu Scripts' Root ZoneLabel Generation Rules 20 Sep 2018
- Modification of Domains Protected Marks List Service 24 Sep 2018
- Initial Report on the New gTLD Subsequent Procedures Policy Development Process (Overarching Issues & Work Tracks 1-4) 26 Sep 2018
d. ICANN Global Domains Division (GDD) General Operations Handbook for Registrars 21 Aug 2018: registrar-handbook-21aug18-en.pdf [421 KB], and Registrar Billing Frequently Asked Questions (FAQ) 21 Aug 2018 registrar-billing-faq-21aug18-en.pdf [323 KB].
3) Names, Domains & Trademarks
b. China's first internet court handles over 10,000 cases | xinhuanet.com: mainly civil cases such as contract disputes involving online shopping, service and small loans, copyright and infringement lawsuits, domain name disputes, internet defamation, and some administrative lawsuits.
c. Post GDPR gTLD Domain Name Transfers--realtimeregister.com.
4) ICYMI Internet Domain News
- Google refused a warrant issued by a U.S. District Court Judge to release huge amounts of data. "Will other companies bow under pressure?"--WashingtonPost.com: “Where big data policing and data trails are available it becomes tempting, and maybe too tempting, to take shortcuts with process that should be used as a last resort,” Andrew Ferguson, a criminal law attorney and author of "The Rise of Big Data Policing: Surveillance, Race, and the Future of Law Enforcement."
- Congress should consider small-business exception to internet sales tax--TheHill.com.
b. China:
- From laboratory in far west, China's surveillance state spreads quietly--reuters.com.
- Google is welcome to return to China—but only if it complies with the censorship regime enforced by the government of China’s internet regulator, according to a report in Chinese state media (the People's Daily)--Newsweek.com.
c. Russian hackers targeted U.S. conservative think-tanks, says Microsoft--reuters.com.
d. AI: New genre of artificial intelligence programs take computer hacking to another level | trust.org.
e. India: India Steps Towards Internet Freedom: DoT Bars ISPs From Blocking Internet Content | inc42.com.
