Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft Framework Elements for Unified Access Model

PublishSilas Cunningham Modified over 6 years ago

Similar presentations

Presentation on theme: "Draft Framework Elements for Unified Access Model"— Presentation transcript:

1

2 Draft Framework Elements for Unified Access Model
ICANN62

3 Background of Proposed Unified Access Model
Begun discussions on UAM with community in 2017 Contemplated in Calzone, Cookbook and Temporary Specification WP29 (predecessor to European Data Protection Board) noted in 11 April letter: “expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data. In this respect the WP29 encourages ICANN to develop appropriate policies and procedures applicable to incidental and systematic requests for access to WHOIS data, in particular for access by law enforcement entities.” Framework considers elements from other community discussions regarding access to non-public WHOIS data. Seeks to provide a unified approach for relevant Eligible User Groups to access non-public WHOIS data by complying with safeguards reflected in agreed on codes of conduct. ICANN intends to discuss this model with EDPB to gain further legal clarity, which will help community in its policy discussions. I’m sure you’ve all noticed, there’s been a lot of activity on ICANN’s preparations to ensure both the org and our contracted parties come into compliance with the General Data Protection Regulation (or GDPR). While the MSSI team has been coordinating the org’s strategy, this has really been a cross-departmental project with substantial work done by the GDD and legal teams, in particular. We’d like to recognize and thank them for all their hard work. Let’s recap what has happened in the past few months and what is on the schedule for ICANN62 in Panama. At ICANN61 we discussed the Proposed Interim Compliance Model with the community. The feedback we got from community members at that meeting and in subsequent conversations, including with the Article 29 Working Party (which became the European Data Protection Board on 25 May), helped shape the Temporary Specification for gTLD Registration Data, which the Boaord adopted on 17 May. As noted in the slide the temporary specification made some changes to what appears in the public version of WHOIS. (LIST FIRST TWO BULLETS) In addition, requests to grant access to non-public data will be determined by registries and accredited registrars to users who demonstrate a legitimate purpose for accessing such data, as provided for in the GDPR. It’s also important to note what did NOT change: the temporary specification did not change the requirement to continue collection of all Thick WHOIS data. Finally, the temp spec also triggered a request to the GNSO to begin a policy development process on the temp spec’s requirements. As you know, the spec can only be enacted for a year, by which time the GNSO has to determine whether the temporary specification ought to become a consensus policy. GDPR appears across the ICANN62 schedule in many different sessions. The GNSO has scheduled time on Tuesday to discuss the PDP. The GAC has scheduled several discussions on the topic, as have a number of other community groups. Two cross-community sessions that may garner more attention are the two listed here, both on Tuesday in back-to-back slots. Also wanted to note: There is a scorecard available on this topic on weCANN that is regularly updated. That said, given the highly visible and sensitive nature of the topic, we ask that any questions (particularly those from the media) be directed to Gwen and the comms team, and please keep myself, Theresa and Diana Middleton in the loop, as well.

4 Overview of Proposed Unified Access Model
High-level framework elements to be addressed in a proposed Unified Access Model for continued access to full WHOIS data for users with legitimate purposes. Shared with community for their feedback and input. Also intend to discuss with European Data Protection Board to ensure the model is in line with the GDPR. Aim to foster dialogue with DPAs to develop legal certainty for all parties, particularly as community progresses in policy development work. Elements include: Eligibility Process Details Technical Details Codes of Conduct for Accessing Non-Public WHOIS Data I’m sure you’ve all noticed, there’s been a lot of activity on ICANN’s preparations to ensure both the org and our contracted parties come into compliance with the General Data Protection Regulation (or GDPR). While the MSSI team has been coordinating the org’s strategy, this has really been a cross-departmental project with substantial work done by the GDD and legal teams, in particular. We’d like to recognize and thank them for all their hard work. Let’s recap what has happened in the past few months and what is on the schedule for ICANN62 in Panama. At ICANN61 we discussed the Proposed Interim Compliance Model with the community. The feedback we got from community members at that meeting and in subsequent conversations, including with the Article 29 Working Party (which became the European Data Protection Board on 25 May), helped shape the Temporary Specification for gTLD Registration Data, which the Boaord adopted on 17 May. As noted in the slide the temporary specification made some changes to what appears in the public version of WHOIS. (LIST FIRST TWO BULLETS) In addition, requests to grant access to non-public data will be determined by registries and accredited registrars to users who demonstrate a legitimate purpose for accessing such data, as provided for in the GDPR. It’s also important to note what did NOT change: the temporary specification did not change the requirement to continue collection of all Thick WHOIS data. Finally, the temp spec also triggered a request to the GNSO to begin a policy development process on the temp spec’s requirements. As you know, the spec can only be enacted for a year, by which time the GNSO has to determine whether the temporary specification ought to become a consensus policy. GDPR appears across the ICANN62 schedule in many different sessions. The GNSO has scheduled time on Tuesday to discuss the PDP. The GAC has scheduled several discussions on the topic, as have a number of other community groups. Two cross-community sessions that may garner more attention are the two listed here, both on Tuesday in back-to-back slots. Also wanted to note: There is a scorecard available on this topic on weCANN that is regularly updated. That said, given the highly visible and sensitive nature of the topic, we ask that any questions (particularly those from the media) be directed to Gwen and the comms team, and please keep myself, Theresa and Diana Middleton in the loop, as well.

5 Proposed Unified Access Model: Eligibility
Who would be eligible, who would determine eligibility, how would the authentication requirements for legitimate users be developed. Who would be eligible for continued access Defined set of eligible user groups would be those with legitimate interests who are bound by codes of conduct requiring adequate measures of protection. Registry Operator and Registrar would continue to be required to provide reasonable access, consistent with the balancing required by the GDPR, to other third parties on the basis of a legitimate interest, except where overridden by GDPR. Who would determines eligibility: Governments within the European Economic Area (who also are members of the GAC) would identify or facilitate identification of broad categories of eligible user groups. ICANN org would engage with other governments through the GAC to identify specific eligible user groups, e.g. intellectual property rights holders, law enforcement authorities, operational security researchers, and individual registrants.

6 Proposed Unified Access Model: Eligibility
How would authentication requirements for legitimate users be developed? For law enforcement: Developed by their respective governments, who would serve as authenticating bodies. For private third-parties: ICANN would consult with the GAC on identifying relevant bodies with expertise to authenticate users If GAC is unable to assist in identifying Authenticating Bodies, ICANN would work with the broader community to identify such groups. Specific user groups automatically approved for access via the Unified Access Model for specific legitimate purposes include ICANN for the purpose of contractual compliance enforcement, and registrars for the purpose of facilitating the transfer of domain names.

7 Proposed Unified Access Model: Process Details
How would the overall process for accessing non-public data work? Registry operators and registrars would be required to provide access to non- public data under this model, as permitted under local laws and the demonstration of legitimate interests. A requestor would submit to the approval process required by the relevant Authenticating Body and would be required to sign the relevant Code of Conduct, if approved. A centralized “credential provider” would grant the required token/credential to be presented to the registry operator or registrar along with their legitimate purpose to access non-public WHOIS data before querying the requested records. There are two options for who this “credential provider would be: 1. The Authenticating Body would direct the user to a centralized “credential provider” who would grant the user the required token/credential to be presented to the registry operator or registrar; or 2. The Authenticating Body would itself provide the required token/ credential to be presented to the registry operator or registrar.

8 Proposed Unified Access Model: Process Details
ICANN org intends to seek input from EDPB on two approaches to the scope of data available to authenticated users: 1. Authenticated users granted query-based access to the level/scope of non-public WHOIS data consistent with the identified legitimate purpose. 2. Authenticated users granted query-based access to full WHOIS record. UAM would incorporate transparency requirements. For example, each Authenticating Body or centralized “credential provider” would maintain a list of the authenticated users. ICANN seeking further guidance from EDPB on requirements for logging queries. Some community members include the possibility of application fees and/or nominal fess to access non-public WHOIS data in their proposed models. This issue requires further study. The model would be regularly reviewed for effectiveness.

9 Proposed Unified Access Model: Technical Details
What technical measures are necessary to ensure the process works? Non-public WHOIS would be provided via the Registration Directory Access Protocol (RDAP) service. Tokens or certificates would be used to identify authenticated users. There would not be a central repository WHOIS data from which access would be granted.

10 Proposed Unified Access Model: Codes of Conduct
How would codes of conducted be developed and implemented? Codes of conduct would establish the appropriate limitations on the use of non- public WHOIS data by third parties, proper procedures for accessing the data, and other safeguards and public policy considerations relating to the responsibilities and practices for the eligible user groups. Each eligible user group would have a separate code of conduct. In consultation with the GAC and the EDPB, ICANN org would develop the standardized terms and safeguards common across each code of conduct: a. Appropriate limitations on use of the data; b. Proper procedures for accessing the data, including appropriate limitations on query volume to prevent abuse; c. Security measures for accessing the data; d. Limitations on onward transfers of the data; e. Safeguards for data subject rights; f. General data protection obligations of the data controllers; g. Fair and transparent processing requirements; and h. Other safeguards and public policy considerations relating to the responsibilities and practices for the Eligible User Group.

11 Proposed Unified Access Model: Codes of Conduct
Authenticating body for each eligible user group would develop additional safeguards specific to the relevant eligible user group, and incorporated in the code of conduct. Authenticated users would be required to declare adherence to relevant code of conduct. Authenticating body would be responsible for monitoring and enforcing compliance with code of conduct.

12 Thank You and Questions
Visit us at icann.org For more information see ICANN’s Data Protection/Privacy Issues page. Or

Download ppt "Draft Framework Elements for Unified Access Model"

Similar presentations

Update on ISPM 15 IPPC Secretariat June 2012.

Update on ISPM 15 IPPC Secretariat June 2012.
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
ZHRC/HTI Financial Management Training

ZHRC/HTI Financial Management Training
Text #ICANN51. Text #ICANN51 15 October 2014 At-large policy round table Holly Raiche Panel 1: Privacy and Proxy 1000 – 1045 Hrs.

Text #ICANN51. Text #ICANN51 15 October 2014 At-large policy round table Holly Raiche Panel 1: Privacy and Proxy 1000 – 1045 Hrs.
WHOIS Policy Review Team Interaction with the Community 16 March 2011.

WHOIS Policy Review Team Interaction with the Community 16 March 2011.
Update report on GNSO- requested Whois studies Liz Gasster Senior Policy Counselor 7–12 March 2010.

Update report on GNSO- requested Whois studies Liz Gasster Senior Policy Counselor 7–12 March 2010.
GAC-GNSO Consultation Group On GAC Early Engagement in GNSO PDP London Progress Report 22/06/2014.

GAC-GNSO Consultation Group On GAC Early Engagement in GNSO PDP London Progress Report 22/06/2014.
Text. #ICANN49 Data & Metrics for Policy Making Working Group Thursday 27 March 2014 – 08:00.

Text. #ICANN49 Data & Metrics for Policy Making Working Group Thursday 27 March 2014 – 08:00.
Gulana Hajiyeva Environmental Specialist World Bank Moscow Safeguards Training, May 30 – June 1, 2012.

Gulana Hajiyeva Environmental Specialist World Bank Moscow Safeguards Training, May 30 – June 1, 2012.
Global Name Registry Proposal to Modify Appendix O: WHOIS Data Access.

Global Name Registry Proposal to Modify Appendix O: WHOIS Data Access.
WHOIS data The EU legal principles ICANN - GNSO meeting 2 March 2004 George Papapavlou, European Commission ICANN - GNSO meeting 2 March 2004 George Papapavlou,

WHOIS data The EU legal principles ICANN - GNSO meeting 2 March 2004 George Papapavlou, European Commission ICANN - GNSO meeting 2 March 2004 George Papapavlou,
Proposals for Improvements to the RAA June 22, 2010.

Proposals for Improvements to the RAA June 22, 2010.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
Governmental Advisory Committee Public Safety Working Group 1.

Governmental Advisory Committee Public Safety Working Group 1.
GNSO Public Council Meeting Wednesday, 17 July 2013.

GNSO Public Council Meeting Wednesday, 17 July 2013.
Connecting for Health Common Framework: the Model Contract for Health Information Exchange Gerry Hinkley com July 18, 2006 Davis Wright.

Connecting for Health Common Framework: the Model Contract for Health Information Exchange Gerry Hinkley com July 18, 2006 Davis Wright.
Update on Consumer Choice, Competition and Innovation (CCI) WG Rosemary Sinclair.

Update on Consumer Choice, Competition and Innovation (CCI) WG Rosemary Sinclair.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Concerns of Noncommercial Users Constituency Privacy Conference November 29, 2005 Kathryn A. Kleiman, Esq. Internet Law and Policy Specialist, McLeod,

Concerns of Noncommercial Users Constituency Privacy Conference November 29, 2005 Kathryn A. Kleiman, Esq. Internet Law and Policy Specialist, McLeod,

Similar presentations

Ads by Google