[NCUC-DISCUSS] [Privacy] this is a space for privacy work

Amr Elsadr aelsadr at egyptig.org
Mon Apr 7 15:19:29 CEST 2014 

Hi,

The content of the etherpad on this topic has been substantively updated (check https://icannpriv.etherpad.mozilla.org/1?). I’ve gone through it, although admittedly rather quickly, and will need to go through it more carefully especially where links to other sites are provided.

I have to say though that I still have questions on what the game plan is here. I ask because the strawman action plan addresses privacy issues that can be categorised into two groups:

1. Privacy concerns involving gTLD policy affecting registrants. This is typically addressed in policies developed using the GNSO’s PDP. This has historically never been done to the satisfaction of the NCSG, and more recently hasn’t even met the requirements of questions that GNSO PDP working groups have been chartered to answer on one hand, or the RDS expert working group’s concerns in its status update report, and will hopefully be tackled in the post EWG PDP. There is also an implementation working group (IRP) following the “thick” whois PDP that will be tasked to take a look at implications concerning transfer of registrant whois data across jurisdictions from registrars to “thick” registries.

2. Privacy concerns involving the use of ICANN services such as websites, email lists, information of applicants to new gTLDs using ICANN online application forms, HR information, etc…, which do not affect registrants. These concerns are not typically addressed in the GNSO as they do not involve gTLD policy (although I’m not sure about the online application for new gTLDs).

The point I am trying to make is that there is a bottom-up MS process for dealing with one of these categories (the first), and I am all in favour of an NCSG (or NCUC) initiative to spearhead a policy reform in this area. I think I made that explicitly clear during the NCSG meeting with the ICANN board. The second hasn't (as far as I know) been previously addressed by the ICANN community, and I am still having difficulty understanding how we can propose one solution addressing both.

We’ve had at least one brief discussion recently in BA amongst GNSO councillors with expressions of opposing views on the use of an exhaustive process. Personally, I do not believe that process is the bane of an organisation. I think a solid process that is transparent and holds all accountable is something to be aspired to, even if it makes policy development a slow and arduous task.

I don’t think that a set of corporate binding rules for ICANN on privacy is a bad idea, as long as it doesn’t replace or undermine the process used for developing gTLD policy. These rules can require ICANN to directly address privacy issues not related to gTLD policy, but give the ICANN board and GNSO a mandate to ensure that the laws in high privacy regimes are adequately addressed within the PDP. Remember that when Fadi didn’t stick to policy developed using this process last year, we raised hell about it. Similarly in this situation, if we seek to empower the ICANN board to address privacy concerns without using the GNSO’s PDP, there’s nothing to guarantee that their policies won’t totally suck. In fact, their track record (as well as that of the GNSO’s) so far has been pretty awful, which is why we are where we are today.

So again…, what’s the game plan here? Where are we going with this? 

Thanks.

Amr

On Apr 7, 2014, at 7:08 AM, Robin Gross <robin at IPJUSTICE.ORG> wrote:

> I can't imagine what NCSG has resources for if not to fix ICANN's privacy problem.  That is what many of us are here for.  We need to fix ICANN's privacy problem.  Stephanie proposes a solution - let's support it and further develop it.  Let's actually fix ICANN's privacy problem, even if ICANN doesn't want NCSG to work on the issue.
> 
> Thanks,
> Robin
> 
> 
> On Apr 5, 2014, at 11:44 PM, Rafik Dammak wrote:
> 
>> Hi Stephanie,
>> 
>> I am afraid that the focus on thing like ICANN collecting data about volunteers and participants can divert the scarce resources we have , instead of working whois-related issues 
>> more clarity about the strategy and scope would be helpful
>> 
>> Best Regards,
>> 
>> Rafik 
>> 
>> 
>> 2014-04-06 15:41 GMT+09:00 Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>:
>> I am afraid I don’t understand the question Rafik..we offered to tell them what is wrong with their policy.  Item one, is the scope is too narrow.  A full policy covers everything.  This is what the law would demand, if they were in a jurisdiction with law.
>> 
>> On Apr 6, 2014, at 2:18 AM, Rafik Dammak <rafik.dammak at gmail.com> wrote:
>> 
>>> Hi Stephanie,
>>> 
>>> I read the document but I am somehow puzzled by the scope:
>>> - are we talking about privacy within ICANN in regard to the policies development there like in the case of RAA, Whois, new directory services? then providing a privacy framework for ICANN policies, systematic assessment of policy impact on privacy and data protection etc
>>> - or it is just about ICANN collecting personal data from the community , staff etc 
>>> 
>>> the scope matters because the resources and the focus we can have at NCSG level. as you know we have already an existing group to discuss privacy within NCSG , with those involved in several working group around whois.
>>> 
>>> Best Regards,
>>> 
>>> Rafik 
>>> 
>>> 
>>> 2014-04-02 20:07 GMT+09:00 Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>:
>>> Further to this note, there is an opening very draft preface to our comments on the ICANN privacy policy, on the pad set up by Niels.  I attach the word version here, for anyone who is interested in this project.  To join the work group, contact Stefania
>>> It is a conversation starter, no where near a final draft. 
>>> 
>>> 
>>> On Mar 30, 2014, at 2:45 PM, Stephanie Perrin <stephanie.perrin at mail.utoronto.ca> wrote:
>>> 
>>>>>> Further to Robin’s note, I am pasting in a thread that originated in NCUC following our meeting with the ICANN Board.  
>>>> 
>>>> Numerous members of the NCUC have already volunteered to work on developing a gap analysis of the existing ICANN privacy policies, with a view to providing advice back to the Board as to what needs to be done to bring ICANN privacy policies up to the expected levels.  Please join in, as you can see from Bruce Tonkin’s note back to us, there is a rather poor web policy, for which I promised to provide a critique.  I attach a few other jobs that need to be done rather soon, if anyone would like to volunteer.  Here is a snippet which I just sent out to the NCUC volunteers:  
>>>> 
>>>> OK, perhaps one group of folks would like to have a look at the policy for new Gtlds, available here, and prepare a critique of what is missing (gap analysis) 
>>>> gTLD Program is addressed in a separate personal data privacy statement at http://newgtlds.icann.org/en/applicants/agb/program-privacy.
>>>> 
>>>> We could also use some help from someone on analysing the transparency and accountability principles, where the disclosure stuff is apparently buried.  One of the major criticisms of these policies is that it is very difficult for a user/participant at ICANN to find out what is happening to their data. 
>>>> Another task where  I would love some help from an American Attorney, is whether it is legally possible to declare  a total disclaimer to breach liability in the state of California, where there are data breach disclosure rules.  (see the following snippet of the policy which I am dubbing a web policy):
>>>> Due to the open communication nature of the Internet, ICANN cannot represent, warrant or guarantee that communications stored on ICANN servers will be free from unauthorized access by third parties, loss, misuse or alterations. While ICANN will take reasonable and appropriate security measures to protect against unauthorized access, disclosure, alteration or destruction of personal information received, ICANN DISCLAIMS ANY AND ALL LIABILITY FOR UNAUTHORIZED ACCESS OR USE OR COMPROMISE OF YOUR PERSONAL INFORMATION. USERS ARE ADVISED THAT THEY SUBMIT SUCH PERSONAL INFORMATION AT THEIR OWN RISK.
>>>> 
>>>> I have to say this is one of the paragraphs that really put me right over the top….caps included.
>>>> Any volunteers for this task, I am working on the three pager and the basic critique of the web policy.
>>>> cheers steph
>>>> PS I have still not found the alleged staff policy, if anyone knows where it is please let me know
>>>>  
>>>> Kind regards, 
>>>> Stephanie Perrin
>>>> 
>>>>>> On 26 Mar 2014, at 1:59 pm, Stephanie Perrin <stephanie.perrin at mail.utoronto.ca> wrote:
>>>>>> 
>>>>>>> I will certainly volunteer to provide the first draft of a commentary on the “privacy policy”.  I believe I am already on the hook for that, and if folks can self identify if they have an interest in this area, we can call it a group and I will send out the marked up copy.  If people prefer to use a platform (e.g. googledocs) let us know. 
>>>>>>> cheers Stephanie Perirn
>>>>>>> On Mar 26, 2014, at 1:43 AM, William Drake <william.drake at uzh.ch> wrote:
>>>>>>> 
>>>>>>>> Hi
>>>>>>>> 
>>>>>>>> We have a number of folks who work on privacy policy.  Would anyone be interested in organizing a group to provide an input to ICANN on its policy regarding the collection and use of personal data?
>>>>>>>> 
>>>>>>>> Bill
>>>>>>>> 
>>>>>>>> Begin forwarded message:
>>>>>>>> 
>>>>>>>>> From: Bruce Tonkin <Bruce.Tonkin at melbourneit.com.au>
>>>>>>>>> Subject: RE: ICANN privacy policy
>>>>>>>>> Date: March 25, 2014 at 5:15:07 PM GMT+8
>>>>>>>>> To: William Drake <william.drake at uzh.ch>
>>>>>>>>> Cc: Rafik Dammak <rafik.dammak at gmail.com>, "marie-laure Lemineur (mllemineur at gmail.com)" <mllemineur at gmail.com>, David Cake	<dave at difference.com.au>, Maria Farrell <maria.farrell at gmail.com>, "magaly.pazello at gmail.com" <magaly.pazello at gmail.com>, "kdrstoll at gmail.com"	<kdrstoll at gmail.com>, "Amr Elsadr (aelsadr at egyptig.org)"	<aelsadr at egyptig.org>, Fadi Chehade <fadi.chehade at icann.org>, John Jeffrey	<john.jeffrey at icann.org>
>>>>>>>>> 
>>>>>>>>> Yes indeed - your addresses were just ones that I had to hand.
>>>>>>>>> 
>>>>>>>>> Regards,
>>>>>>>>> Bruce Tonkin
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: William Drake [mailto:william.drake at uzh.ch] 
>>>>>>>>> Sent: Tuesday, 25 March 2014 5:10 PM
>>>>>>>>> To: Bruce Tonkin
>>>>>>>>> Cc: Rafik Dammak; marie-laure Lemineur (mllemineur at gmail.com); David Cake; Maria Farrell; magaly.pazello at gmail.com; kdrstoll at gmail.com; Amr Elsadr (aelsadr at egyptig.org); Fadi Chehade; John Jeffrey
>>>>>>>>> Subject: Re: ICANN privacy policy
>>>>>>>>> 
>>>>>>>>> Hi Bruce
>>>>>>>>> 
>>>>>>>>> Thanks for this.  I assume this is an open invitation that we can share with our privacy mavens who are not not on the Cc, correct?
>>>>>>>>> 
>>>>>>>>> Best
>>>>>>>>> 
>>>>>>>>> Bill
>>>>>>>>> 
>>>>>>>>> On Mar 25, 2014, at 4:33 PM, Bruce Tonkin <Bruce.Tonkin at melbourneit.com.au> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello All,
>>>>>>>>>> 
>>>>>>>>>> Regarding the discussion of ICANN's use of private information in the NCSG meeting with the Board today.
>>>>>>>>>> 
>>>>>>>>>> With respect to ICANN's policy for collection and use of personal data, we do have a published privacy policy.
>>>>>>>>>> 
>>>>>>>>>> See:  http://www.icann.org/en/help/privacy
>>>>>>>>>> 
>>>>>>>>>> We would welcome a review of this policy to determine if it needs to be improved.   IT was last updated in Oct 2012.
>>>>>>>>>> 
>>>>>>>>>> Also with respect to staff/HR information etc - I will see what information is available on internal policies.
>>>>>>>>>> 
>>>>>>>>>> Regards,
>>>>>>>>>> Bruce Tonkin
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> Ncuc-discuss mailing list
>>>>>>>> Ncuc-discuss at lists.ncuc.org
>>>>>>>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Ncuc-discuss mailing list
>>>>>>> Ncuc-discuss at lists.ncuc.org
>>>>>>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>>>>> 
>>>> On Mar 30, 2014, at 2:34 PM, Robin Gross <robin at ipjustice.org> wrote:
>>>> 
>>>>> This is an open, archived list for those wishing to develop privacy policy.
>>>>> 
>>>>> Make the most of it!
>>>>> 
>>>>> _______________________________________________
>>>>> Privacy mailing list
>>>>> Privacy at ipjustice.org
>>>>> http://mailman.ipjustice.org/listinfo/privacy
>>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Ncuc-discuss mailing list
>>> Ncuc-discuss at lists.ncuc.org
>>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>> 
>>> 
>> 
>> 
>> _______________________________________________
>> Ncuc-discuss mailing list
>> Ncuc-discuss at lists.ncuc.org
>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
> 
> _______________________________________________
> Ncuc-discuss mailing list
> Ncuc-discuss at lists.ncuc.org
> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20140407/1d6a408f/attachment-0002.html>

More information about the Ncuc-discuss mailing list