IGF 2018 - Day 3 - Salle IX - WS50 Who is Collected, Disclosed and Protected: CERTs Viewpoint

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR:  Okay.  We've only got one hour for this session.  If people could come in if you're coming in and depart if you're departing so we can close the door.

>> MODERATOR:  Good afternoon, everyone.  I'm Duncan Hollis.  I am a professor of law and a nonresident fellow in the Carnegie endowment.  I am joined by Madeleine Carr who is a professor in cybersecurities at security college in London.

We're sad that our load star could not join us.  He had to return to Australia sooner than expected.  Pablo was the inspiration for today's round table.  We hope we can live up to his vision today.

Pablo, Madeleine and I are pleased to have spent the three IGFs working to bridge Internet's conversations to include new Groups and issues.  Three years ago, we began by bringing the UNGGE dialoguing and bringing that into the governance community as the two processees were D linked.  You can see some products in that to bring Paris call to the IGF.  Last year, we sought to bring the CERT community, computer emergency response team community asking if 7 should engage in science diplomacy.

This year we're coming to a familiar and pressing issue.  Databases, which has been the sent of so much attention given the impact and the receipt implementation of GDPR.  We're trying to bring new voices to the conversation seeking to join the Internet governance community with those from the CERT and law enforcement.  Our larger goal is to frame this discourse around a single concept and that is accountability.  Usually when we talk about who is the GDPR, it quickly deinvolves between privacy and security.  They're both important values and the attention between them is well known and not limited to the Internet Governance context.  We wanted to ask more about account ant and to what extent do actors need to be accountable.  When I say actors, I don't mean just the third party users who seek access, but including all easers that is even those being asked to input their information into these data basses.  In an ideal world in the next 56 minutes, we emerged with what account ant means, how much overlap there is and also where the courageiences or blockages lie.  If you have been with us, you know Pablo inspired that to have it thinkf it as speed dating with questions and comments from the floor, which I should add are going to be equally short.  We've going in the interest of time to ask all interventions to not exceed two minutes.  I am law professor.  I am used to cutting people off.

So maybe we'll do a very brief introduction of some speakers.  I will turn to Madeleine.  Maybe you can make introductions.

>> MADELINE CARR:  As dunk an said, we didn't want to do panel presentations and except a few questions from the floor given the short time today.  Our panelists are really sitting in amongst you and that's kind of indicative of the conversation that we want to have.  To dunk an's right, we have Paul Wilson, the regional registry for Asia Pacific.  Over on my right, we have Christine who is the general manager.  Raise your hand.  The general manager for the Brazil CERT.  So she's going to talk today about the prospective of the certs and use of ‑‑ Greg is head of outreach for your Pope.  He has this law enforcement perspective we wanted to bring in.  Down here we have Becky Burr.  She's also an ICANN board member.  We've got Farzaneh and we'll introduce human rights perspective which is so fundamental to these debates.  And that isor line up.  Dunk an, proceed.

>> Dun can:  I think we're looking to loosely break it into three parts.  1, maybe level the playing field of what is, who is, who use its and what are the different stakeholders interested in the dialogue.  Past 2, talk about who is as important and why stakeholders think it is important.  That purpose might help us inform what do people think of when they think of accountability.  And part 3, a look ahead moving forward.  What's the status at Iran including the role of the expedited it is moving us forward.

Ideally I would like to alert all the speakers that I will come back to you.  We maybe do a tour to rise and ask everyone to do that in a take away you think needs to be answered and maybe a position that you think if there could be some consense U.S. it is to build a bridge and a deep divide.  Before I do that, I thought I wassing ‑‑ Paul of the ranch is we wanted him to start.  All, I'm wondering if you can briefly situate the room can you talk briefly about what is, who is, what does it mean and maybe who are what is?

>> I will try to use a simple analogy.  I come from AP Nick.  And the second R in RAR stands for registry.  That's what we are.  And the word registry is used across the Internet community with respect to clinical resources and it is a very English word.  The registry is where registers or records are kept.  We all know about land titles.  It is a public resource that is administered in a given geography.  If any member wants to know who is older, then it goes to the registry and we'll find out.  We've got selfdifferent sets.  We have in the technical to identify, we have domain numbers and numbers.  Both of those are allocated or requiring registries so they can find out who is the registered holder of a given resource.  The registries we see in the names world, the global generic top level and 2,000 morph been created recently are the ccTLD which are separate edgistries.  So even across the names, we have thousands of registries.  These are independently operated.  Each of the organizations for each is an independent body.  I don't have to adhere to exactly the same standards.  Many of them have got their own reasons for doing them.  The saint thing goes for internet numbers.  We have one single global we have one for IP version 6.  The resource was administered by a single ridgistly about it became here that ridge it was decided by the communities that the registry should be split into five and be rougal.  These days we have five separate number edgist registries ‑‑ number registries.  So a number of the public who wants to know what is going on and who happens to have a regular IP address, he can go to that and find out.  I guess we'll hear how important that is.  The point is we're got a bunch of separate resources registered in a bunch of different geographies, but we have a registry in each case and they're operating independently.  The point of who is, whois is a generic term which is for the registry itself.  Each of those registries, although they can be implemented and managed are generally regarded as whois can databases.  It is a unix line command that gave you the from from a particular registry that you were entiring.  I suppose that's about we are as fairly simple.  There are some basics of why and I think it is better to start from.

>> MODERATOR:  Thank you, Paul.  One of the things I take away from that is we proceed our conversation and we talk about who is and not a monolithicune vary.  We're talking about multiple databases that maybe serves multiply they are interdependent.

>> SPEAKER:  I'm wondering if I can invite Chris for you to weigh in coming from Brazil and the Brazil CERT, maybe for the audience, talk about what ‑‑ I think maybe, but not all.  So what functions does the Brazil serve and then what is whois, what does it mean to you and I suspect some of them ‑‑ if I can ask you three questions at once, what's the role of Gd PR?  How is it the last few months, but Chris, the floor is yours.

>> Talking about what is a mission and what is a CERT, I don't know if anyone is acquainted to the work that precede the best practice form.  We had in the ‑‑ best practices for establishing and support CERTs.  We have two reports in the work that describe what C CERTs are, what's the importance.  The best definition that came from the 2015 report is that a C CERTa a team of experts.  It defines and exchanges information with others and assist constituents with the mitigation.  So it's ‑‑ this I'm reading straight from the report to the IGF and I think it's important to see what we're talking about technical coordination and we're talking about helping networks and about helping people to resolve issues.  So even when we as a Technical Community talk about investigating things, we are talking more in the research and about discovering what happened and how to prevent.  We see that's a common word and people we use it very naively, but really you want to know who was affected, why did they we work into helping the community in Brazil to identify the tact incident.  So we do some different uses of who is, but the most important one for us is really to identify who owns a given network and owns in the sense of who is the administrator&who is spot for abuse.  For us it is important who is databases because then we can find who is the person we can contact that can actually solve a problem and clean an infected machine.  I'm going to use some examples to explain how whois is important because I think just saying that is important to some issues and maybe it doesn't make clear how do we use it.  So in the recent path, we had an event that happened earlier and everyone talking we had from 150,000 to 200,000 routers in Brazil that were compromised by a crypto Jacking malware.  So they were there doing routing but neigh managed to compromise because of a vulnerability and they were doing crypto mining and stealing resources.  Stealing resources from the users of that.  So we had some research organizations that passed to us those IPs.  We needed to use the whois database to find out who were the natural owners and say to them they were compromised and how to recover.  In Brazil, we have more than 5,000 ISBs and we have a very broad ecosystem.  Whois is important.  But it is not only important for national teams, we have small or big organizations that need access to whois to quickly find their peers in another network and to be able to exchange information and help solve an instant.  We see a lot of organizations under the attacks and they need to identify who is the owner that are amplifying the matter.  So the biggest way not to go through hoops and find national teams and other teams and find who is the contact in that organization and telling them you have a misconfigured DNS or something and could you solve the problem and stop the attack.  And we also have some other cases that affect routing problems.  So when we have a Ruth problem in the Internet, we need to find who is the contact for the other network.  People talk about hijacking ins sense of organized crime and setting up their own autono mouse systems and you need to find quickly who they are.  And I would say that CERTs in other parts of the security community cannot have access to whois is anymore.  It is practically impeding us from working.  So our work starts with a whois query and who is responsibility for us to solve data.  Who did what, but who can help us to solve the problem and to mitigate the affects of everything from Datalinks to other problems and I think this is more or less how we use data and why is it it's so important.  This is our daily work even when we deliver training, we have special sessions on how to find content information on whois because that determines the course of action from going forward.  This sums up to what I had to say for now.  Thank you.

>> MODERATOR:  We'll open up to the floor now because I think what's been brought out here is this kind of tension.  As Paul has explained, we have these registers and always had them and Christine has just explained how this network of security professionals globally rely on them for their work on a day to day BASIS.  But these databases have personally identifiable information in them and that's the kind of information that we're not meant to be sharing without logistic.  Pass the mic.

>> Hi.  My name is Allen.  You're talking about personal information in whois database.  I think it's useful to draw a distinction between the DNS and who is the IP numbers.  There's really very much less personal information in the RIR whois databases.  They're already there for companies.  They're not really doing the vigils.

>> SPEAKER:  It is still something people need to be mindful of.  We were having this conversation at dinner last night and talking about these issues of accountability and, ah, and remembering for those of us old enough to remember that there didn't used to be this book with everybody's name, address and phone number in it that was distributed for free to all of our houses.  And that was the phone book.  We just ‑‑ it was the registry.  And we were perfectly comfortable with that, but as dunk an pointed out, there's this shift in the way we perceive these things.  It couldn't be exploited in the same way these online information sources could be, but it does kind of show this change in approaches to this.  We have another question in the back.  Could you identify yourself too, please.

>> Hello.  Rime researching at University of Geneva.  And I'm working in data protection and blockchain.  I was wondering.  Isn't the problem due to the fact that ICANN rules have no legal set of (?)?  So if we have law and no convention that describes ICANN rules, wouldn't GDPR respect it?  It is Facebook asking you something and you have to comply.  They have no legal status.  Since there's no legal status, there is nothing going towards those rules.  Couldn't we maybe reach something that will establish a legal status for ICANN rules.  Thank you.

>> MODERATOR:  It's a great question and I think it highlights how somebody who studies international law and international relations, ICANN is a multi‑stakeholder institution not necessarily what lawyers would call sweet generous, but I think the shift is towards more multi‑stakeholder and less treaty multi‑lateral solutions.  I do think ICANN is incorporated in California.  It is a company and it does engage not in law making, but in lawful activity that engages in contracts and the likes.  There is a legal forrest to enter deals.  But we have an ICANN board member who may be able to speak about from their perspective what sort of response to that sort of a challenge they think about.  Becky, maybe give the floor to you.

>> BECKY BURR:  I want to broaden this up a little bit.  GDPR is one data protection law.  They're all over the world that apply.  Category has adopted a data protection law that would essentially.  It is true that in the GDPR you have to have a lawful BASIS for processing the data and one of the lawful processees for processing data is the public interest.  But under GDPR, that public interest is typically laid down in European law or EU member state law.  ICANN is charged as it's bylaws by operating in the public interest.  We do not have the authority to cruet a public interest standard under GDPR.  So it is ‑‑ one approach to this would be to ‑‑ one approach to getting a consistent experience‑for‑users would be to recognize ICANN's.  That is not to say that would completely eliminate the issue.  You still have to address the ‑‑ you still have to process data legally and helpfully and so the double is in the details in termsf the standards.

>> SPEAKER:  Thank you, Becky.  Do we have any comments from the floor?  Yes.

>> Good morning, everyone.  I just wanted to add two elements to the debate.  First on the 25th of May, there was no major change in the European CCLD landscape.  If you look at things, there is that already look the quite different due to 2005.  So it would be interesting to hear from 7s or law enforcement on their sides.  They have felt even the change between 20th and 28th of May.  So that would be interesting.  Second point that I want to make it relates to something that Mickey mentioned.  It is not showing data in the who is, it's processing data.  From what I can see on the collection side of that process, few things have changed.  There are some discussions, some very public and then a data mennization.  CCDLD.  The difference is since it is about 10 years as I mentioned earlier, they're showing less publicly, but that information is still available.  We did a survey.  We have 54 members.  75% of them has a process by e‑mail where it can identify themselves instarts and identify themselves.  This is a handful of requests per week.  So the no automated processing seems to work well.

>> SPEAKER:  Thank you for those comments and in a sense, it's a good segway to Greg's comments ‑‑ I mean, Greg, that question from the floor, have you seen a change in the efficacy of your practice in law enforcement as a consequence or has it been business as usual?

>> SPEAKER:  Thank you.  Before I answer this question, I think it is important to say that from the law enforcement perspective, we think the information is really an international element.  I think we have to understand that this is one of the end of the play where you can find information and some of the companies were reissuing a leg and I think from the outset, coop that in mind and I relate.  The conversion to the land industry.  We use registration information of domains and a little bit in the way of the community.  The difference is all this mess is attribute of criminal activities.  We really are trying topped out who was involved and who did it basically.  You won't find your key evidence, but you will be able to find indicators, pointers, patents and edgestrations that will lead I, but certaintily one domain was involved and then you need to be able to very quickly find information and say who has registered the domain and when.  As a criminal, you're not going to glyph them your identity.  You still lose an identity or make it up.  But in the end, always be a piece of information that's been used and reuse.  I think this is important to explain ho we've using it.  Typically if you investigate a big domain that is based or frustration that is based on domains, you will have to make many for a week to be able to have direct says, like timely access very quickly to that information.  You can't rely on them to request to the registrar which is based in the U.S. which might be wrong and then waiting to get that information back.  You need to check.

Now, we have felt the impact of GDPR in nay and changing contract with contracted parties from Ican and the reductions of the personal information.  To give you an example, I mean, typically criminals who register domains?  Both make use of ‑‑ if your ridgist regard is making you a special offer.  Then we use them depending on the criminal activities on space.  So there is a time gap in terms of we Dean know what we don't know.  So some of the investigations we are conducting now still find information.  It is before the 25th of mare, but some of the investigations we're doing now.  It you don't find information and you can't ‑‑ do you see how many rue danes have been registered.  It is difficult to document, but we do have a number of numbers and activity going on.  We have (inaudible) the end of November and we know we did regularly and the report will be much less because we don't have access to that information.

>> Given to you, Chris.  We might have to ask this.  Particularly from Brazil seen an impact on your work as a result of GDPR?

>> The GDPR, if I am not mistaken, it states that CERTs are part of the legitimate interests that could have access to data.  Most of the time CERTs are protecting data and minimizing data when they shared.  We share data (inaudible) and they share information with teams in Europe.  That didn't change because it was always protect information and try to not expose victims and try to anonymous information.  From what we saw from this year's international research meeting, we have teams having more work with seldom plan.  In Brazil it is based on GTPT.  But there even from the people that broke the law and the first people who are trying to at what will be the legal BASIS for working.  They say that CERTs are part of the edge ‑‑ legitimate Christmas.  We are the ones that are attacking data likes and compromises and we could help them.  There's this discussion of the GDPR and (inaudible) the marketee thing, but more with the Aso I think it's not really that it changed and especially in the projects we have together with the European certs, nothing changed so far.  But because we already are protecting and minimized the information.

>> MODERATOR:  Thank you.  We left our last speakers out for now, but I think it is a super important voice.  I wonder if you can weigh in from the human rights perspective particularly with a question of accountability and who should be accountable for what.  I think that's ‑‑ we've heard from the CERT side, from the law enforcement side and a bit about how it is perceived from the Icam, but what about those who is personally identifiable information at a stake

So when we talk about toys, we should be clear who is lighted's criminals.  Not only several criminals, but people.  Who is being compared to traditional registriy we do not do suchage.  This is global.  Access to such registry, you can have sense so information should be safe guarded.  Of course the low information and cert has to do a joy the Jon which is to provide security in sign are space.  And that is vir important; however, the data in the information should not be abused.  It should not be we always talk about access to who is.  We need to also address the question of whois accessing what information?  It's your fax number, it's your phone number your e‑mail address, your positive address is it your residential address.  Those are elements that are accessing?  These are questions we need to respond to because our rights are at stake.  Our human rights, the advocates that have websites and all sorts of human rights issues can be at stake.  You can ask me if anyone has been killed because of access to it?  No.  I cannot give you that example, but the possibility when it is out there, we should not allow that.  We should prevent it.  Also we need to provide due process to people who the registrants.  If you have access to their data and you want to bring legal action to it.  It should not derive them from due process.  They should be able to provide ‑‑ to defend themselves and that's about it.  Thank you.

>> MODERATOR:  That's an important voice to be heard.  In terms of accountability, I will turn and ask you a question, if I might.  In terms of the personal information you described, do I infer there that though that there's an obligation on individual residents to provide that information?  When we think about accountability, there's a question about how much information should you provide when you're putting into the databases that if there's a law enforcement need or some other need, you can rely on the accuracy or you might find patterns that would do so.  It seems there's a larger question here of:  Do they have a right to know?  That's a question for all the speakers and maybe we'll then turn it over to the floor as well.  We think about accountability, that's one where I wonder if we step up to 30,000 we'll ‑‑ maybe I can ‑‑ so, you are asking whether domain name registry and I have like a family domain name.  If I am accountable and if that's a domain name that gets abused or like used for criminal activities.  So whether I am ‑‑ I think no.  I think we need to have measures in place that without accessing personal information of people, we can mitigate cyber abuse.  The problem is that who is 30‑year‑old protocol?  I think it was in place when Internet was not scaled so much.  We need is to come up with mechanisms and also bring security and holds people, holds those who are abusing it accountable in an easy manner.  It's not ‑‑ Utopia, but it is not that hard.  We need to work on that and be a little bit

>> Quickly, Jack snowed we were hoping that Jack would show up and we're specifically on human rights and particularly in the contextf gender.  Jack, be could I just flag that when we return in the last five minutes that maybe you could be prepared to rack KWRAOEUFT Jack?

>> I have to run so I wanted to quickly jump in.  I think this is a valley interesting conversation and also for unpacking.  I think I answered into that very not clear.  I thought when have I used to this and I have.  So the work that I do is also focusing on online gender base violence and Jf aye used when I am trying to find out who is doing something.  I think I want to bring in a few two or three points.  I just came from several ‑‑ I say this in relation to my own experience also is because many of our partners whom we work with or who experience gender base violence have no clue who is this.  This ‑‑ who is information helps a very specific Group of people who are doing very important and necessary work.  For CERT and so forth.  But the revelation of this information in order to defend my yourself at an individual level, the balance of that is off.  Who would be the ones who would be able to access and who will be able to explore this information is actually via towardsd direction of those perp traiting Ws.  Generally they are much more able to gain the technology in order to be able to do what they want to do to have the privacy.  That's an important principal to bare in mind.  Having a registry that has information any who owns a particular domain has its value.  I don't think it's an eye.  It is possible to build a level of privacy that's necessary as an in between.  It doesn't become accessible to every single person, but then it becomes accessible and the particular processes taking into the comment that you should be able to know, why you should what vite that weekend and this is already in place.  For example, an individual you can registry for but for a picture so GDPR removes the Reid in a spay.  But maybe accompanies in is a connection I think that piece is also missing in the conversation right now.

>> MODERATOR:  I really want to bring Chris back in and Becky.  Do we have any comments from the floor quickly before we ‑‑ yeah.

>> I'm Ethan Suite.  I wanted to ‑‑ I just wanted to talk about why the ‑‑ we know that the main privacy products are used by a lot.  And that really highlights ‑‑ what would an (?) and I would just say that as long as the internet industry is accountable to me in some way, they would not be sharing that information with anyone but us for any reason and I think that is all right.  I know we're had talk about C progress.  Obviously I don't think we'll ever get there quickly and working at what G process we have.  It would be a good pointing point for this.  Thank you.

>> Thanks very.  Finish that.  Chris, did you want to respond to the comments?

>> CHRIS BUCKRIDGE:  I think that really we need to start thinking this to have access to all or none.  I think this is really ‑‑ a discussion is not productive.  For example, we need access to e‑mail and organization.  And for CERTs, depending on the incident, domain is relevant, but most of the times the IP and information is more important.  I think discussing that PA and the information if they were the same thing, it's also not projective‑‑ I don't want to expose my personal information in a domain name.  So I think we need to discuss and to discuss not necessarily no easy is because other people besides CERTs can have very important need to have a need, but not necessarily for a domain name.  I think we need to discuss where we should go.  Speak peek and then that probably brings us back, Becky.  You probably have some comments you want to feed into how you see that evolving.

>> I want to take one step back and say who is ‑‑ there are various who is databases.  They come in different varieties and share the common functional job of enabling steak holders to get in touch with each other to resolve issues.  The kinds of issues you needed to resolve in 1988 evolved over time and once the interinate became commercial, the kinds of issues you needed to resolve continued to growth and small.  It impacted parties to communicate and resolve issues that related to the use of the domain name or the ice of IP address or the like.  I agree that talking about an all or nothing kind of situation is not useful.  The days are fully public who is publish over the Internet are simply gone.  And even though GDPR does specifically reference the use by 7s, use of this information by CERTs, it actually sat by saying the processing data is necessary and proportional.  The purpose is make sure we're not waiting in security.  The question is:  What is the extent of the necessary proportional for the purposes and those are the questions that we are asking fly the process here.  What information do you need?  What do you need it for?  What are the circumstances under which?  What safe yards need to be in place with respect to access to insure accountability for its use.  Those are conversations that ICANN community with respect to the domain name who is the database cannotting are will have now and build what data?  For what purposes?  With what safe guards in price?  That's the matrix that has to be built out and then how do youern that the person is ‑‑ is a cert?  How do you know a person is those things.  It is ‑‑ I know frustratingly difficult and slow, but if we all wrapped our reads around the notion on the one hand, fully public are footballd on the other is not a reality and a post GDPR resolve disputes about the use of domain names is a ledgist mate purpose.  Now what are the safe guards you need in place.  That's what we're trying to managa Dina.So I want to give maybe one more intervention from the floor.  I promised I would ask if you can fold your comments, but give us that one key away I'm from the international trademark association.  We have a deep interest in the contractability of information on the web with regard to registration of domain names.  Today though I intervene on behalf of the international trademark association.  Rhyme not spinning on behalf of the IPC.  I would say I agree with my colleague and talked about if you were going to talk about hotter or not you have full seas or no access, absolutely.  I agree with her the days of open access are overch today we're living with GDPR.  I think there are many of my members that would agree we at least need a minimum of 1 point of contact information and that would be the domain address ‑‑ I'm sorry.  The e‑mail address itself.  Having a contactable accurate live e‑mail address would solve a lot of the issues that my members are having with endorsement.  I agree.  There's a lot of sense.  So we can certainly respect that.  But at the same time what we've finding is we have a lot of members that have affiliates.  They have canters and what's happening now and particularly with NGOs, we have a member of the world wide NGO who doesn't know who to contact.  They report even reach out to ask a question.  When they attempt to do so to register, file an action, file a SAAB, give us a legal BASIS when in fact the simple contact request can be made and something feed out quickly and quarterly, it could Alight of let's say it's not a blendly site, but at least they're unnoticed something might be coming down the pike.  I would offer by way of a solution that the believe ination of an e‑mail address can be considered when people are talking about how to advocate for implementation.  I think there is over reliance on what ICANN can and cannot do this space.  If there's advocacy, it can be helpful too Itan.

>> Thanks very much.  You raised this additional element which is not just as Chriseen pointed out.  Bulls as Greg highlighted, law enforcement does have access, butten in it becomes about the timeliness of the access.  I think, dunk an, we need to move on.

>> We need to figure out a way of going forward.  Maybe I will start with you, hall, to wrap this up and it will have to be quick.

>> There's a lot of awareness at ICANN and I think an assumption is where it all happens.  The processes happened at Ithe five different areas have got a set of policy development process which are similar to.  So if there are going to be changes or seeking changes to any of the REcircumstances are conducting, now they work and manage our registry databases.  It is those that we have.  So that's how the system works.  It is not all about ICANN in the number space.  So that's an open invitation to one who has an interest and look at IP address and management and registration in your region.  Thank you.

>> I know, Greg.  You have been wanting to.  I will turn to you next.

>> I do agree actually, I think what we're going through now is a very exciting time.  We need to devise a system of due process that can global globally, include checks and balances ‑‑ but it is super exciting and we'll manage to define who are the actors, who are their interest and what information they should have access to and what should be the safe yard.  Yes.  I am hopeful we'll manage to do the system.

>> Thank you and we're on the two minute mark.  So, Chris, I will hear you and then far asy and then Becky.

>> Thank you.  What are the things I would like to say is people which consider what is best.  We should have a male that is publicf creating identification that I willing is

>> We will charge to provide seas to all data.  This isch less controllable than having registries and e‑mail public and that is serving a broader community.  We have several communities that have very well established processees.  I could try to help explain that, but we have AP Asia and Japan.  We have Latin America moving to adopt there and I would say that the TI accredited and especially the other name that is certifying teams.  They would qualify there good.

>> So you asked me for a solution that's really difficult.

>> Or a question.  You can pose what's the question that we should be answering.

>> I just have a message.  I think we should not have weight for the GDPR to talk about this.  It is very upsetting to advocate for privacy.  In a multi‑stakeholder community where we are working on operation off the Internet as Los Angelesing I do not have ‑‑ I think that access to this data for the legitimate interest it is I have to add many more conditions.  That was my message.  Thank you.

>> MODERATOR:  Becky?

>> BECKY BURR:  I will try anding practical.  I like the conversation about what I really need if I'm a cert.  I need an e‑mail address.  I was an IP address, IP owner.  What I need most of all is the e‑mail address.  I think as we move towards solving this problem, I think the way.  It doesn't matter what regime pier in, what we need is the sit under what circus assistants and the morph people can sno on shoved

>> Thank you, Becky.  So thank you to everyone who has participated in this today.  When you think of questions of accountability, it is for anyone accessing data and using data and as far as they point it out, we shouldn't have to waitative years to have in my view, to get to a point where we incest on need safe yards.  I think we come away with a few concrete interesting, use.  Points, one of which is this annualarrity of access and really expressing stakeholders needs in a very specific way.  The other is the question of timeliness.  We'll be writing all this up into a report E, publish it online and hopefully yeah.  Much this is how to deal with these issues that appear to issue in fan quick, we find that there are ‑‑ thank you to all our speakers who participated.