IGF 2017 - Day 2 - Room XXI - OF50 ICANN - Looking Ahead Challenges & Opportunities


The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> Ladies and gentlemen, the next session is the ICANN open forum. If you are coming in for that, please take your seats, thank you.

>> Please take your seats ladies and gentlemen, we are about to start. Thank you very much. If you are not staying for the ICANN open forum, please leave the room.

>> MODERATOR: Good afternoon everybody, please take your seats. We're about to begin. Good afternoon everybody. Welcome to the traditional ICANN forum. I am Chris, a member of the ICANN board. We want this to be interactive with some questions, you never know, maybe even some answers.

We're going to hear briefly from our chairman and are going to address one specific issue briefly, but otherwise it is a very much open session and the topics that we talked about really are in your hands entirely.

Before we start can I ask those of you in the room who are familiar with ICANN in the sense you know what ICANN stands for. If I say GNSO, you know what that means.  Can you raise your hands, please? 

If you wouldn't mind, those of you less familiar raise your hands for me. Thank you.

Those of you who may not be as familiar we will do our best to use as little code as possible and try to speak clearly and use long words rather than acronyms. 

I will start by asking our chairman to say a few words, so over to you.

>> CHERINE CHALABY:  Welcome to the ICANN open forum. This is my first IGF as chairman of the board and I am very glad to be with you here today.  I appreciate you taking time out to be with us.  I know that everyone is very busy, so thank you for coming here.

For those of you not familiar with ICANN you may wonder why we are hosting this forum. And the answer to this is really straightforward. Issues are being discussed everywhere, Internet governance forum and these have an impact on ICANN's mandate.

For example here at the IGF we have discussions around topics such as privacy, such as intellectual property, jurisdiction, cybersecurity and many more.

If ICANN is not represented in those discussions, points of view would not be considered as policies, legislations and priorities are formed around the world. So that is why we are here in Geneva.

IGF is an important venue for ICANN and has been for the past 12 years.  We have been strong supporters of the IGF since inception, active at all levels, local, regional and global.

We have been and continue to be active because the IGF is a unique platform for global dialogue on the development of the Internet and involving stakeholders from the wider Internet community. If you are new to ICANN you may think great, I now understand why they are here. But then you might ask the question what do they actually do? 

The answer again is in simple terms we have a technical mandate. And to explain the technical mandate, to reach another person on the Internet you have to type an address on your computer, a name or a number. That address has to be unique so computers now where to find each other.

ICANN coordinates the unique identifiers across the world. Without that coordination, we would not have one global Internet.

If you are here today and you're not already involved in the ICANN community, I hope you will consider working with us and sharing your interests and experience. If you are already active as an ICANN community member, please take the time to welcome some of our newcomers here at the IGF.

I see some familiar faces when I look around and I also see new faces.  I hope as Chris said that you will all feel equally comfortable coming up to the microphone and of course aing any questions you may have. So let's have a good exchange of ideas this afternoon, thank you.

And now I want to hand over to my colleague and good friend, the ICANN perfect and C.E.O.

>> Thank you Cherine. Let me ask a question, how many of you has attended an ICANN meeting?  This is going to be a very interesting Q and A.

And talking about coordination, we are very good at coordination, ICANN, but we fully fail.  I actually have the same speech as Cherine, so I would like to cover what we do -- actually I have to invent something from here.

>> That's the advantage of going first.

>> You're the boss. For me personally IGF is a fantastic place to be because it's actually where a lot of discussions that people sometimes want to have at ICANN meetings.

ICANN has the very peculiar and very important way of doing things, which are very specific.  We are in other words as Cherine said, we provide you with the user interface to the Internet.  We are not the Internet. It means many of the questions that actually relate to the Internet has to be taking place somewhere and I think the IGF is the place to have them.

This, the sessions I have been to and the sessions I intervened in have often been about words like regulation, about problems on Internet, on all the bad things that's happening. To some extent those things are a feature. Every day, 3.5 to 4 billion people are assessing this global Internet system.  They do what they want with it. They share I.D.s, share information, they buy things, they sell things, they do whatever they want. That interconnectivity is what actually makes Internet.  It's important to have the discussion, it's important to have the discussion of what to improve. But never forget it is a fantastic resource. And make sure when we go into any discussion so we don't make sure we road to hell is paved with good intentions. Make sure we don't do anything to hurt the interconnectivity of the Internet.

With that I open for questions.

>> Anything else that you want to ask?  Otherwise it is going to be a very quick session. Please.


>> This is the first time in world history.

>> There is a gentlemen with his hand up over there who has broken the dam and agreed to ask a question.

>> My question, I am interested in who holds the real power in ICANN?  Who is in power for decision-making?  Is it industry?  Is it people like us?  Or politics or who else? 

>> I think this is definitely a question for the chairman to answer at this stage.


>> I am going to take one for the team here, all right. Good question, very good question. ICANN has a model of governance that is unique. Called the multi-stakeholder model of governance which you probably heard of about in IGF by many, many actors and participants.

In this model of governance, clearly many, many stakeholders, whether they are government, businesses, civil societies, economics, all of them come together to create policies. And these policies, once they are developed and formed, are sent to the board for review and approval. So that's one way of making decisions. In the ICANN it is probably the most important way of making decisions.

The other way we make decisions is we get advice from our supporting organizations. ICANN has various organizations and various advisory committees and they send us advise and expect us to respond and act and take advice and that's another way of following that in the organization.

Now the transition from the U.S. governments took place about a year or so ago in October, September 2016. At that time the bylaws were 50 pages long before the transition and became 250 pages long afterwards. In the new bylaws there are several new powers that the board now shares with the community, with the stakeholders.

So really today there are no two sides, the board and the community of together, and the stakeholders working together in one direction. And sometimes we have difference of opinion, sometimes we disagree, but on the whole we have one objective, right, and going in one direction, and that is to make sure that we fulfill our mission. And our mission is a very, very technical mission and about the security and stability of the domain access, right?  And the details on that.

And so there wasn't really a power broker within ICANN, is doesn't exist. If the board makes decisions that are not consistent with what the community expects, the community has the power to remove individual board members or indeed the board as a whole.

But the board is also the community, wants the board to meet, so it's not there just as a figure, but it's also willing to meet, but do it the right way in respecting this model. Have I answered your question?  Thank you.

>> One second, thank you for that. I wonder if the answer would have been slightly different a year ago. Because someone in the audience might have said if you didn't have the transition then (?) Doesn't it doesn't exist anymore. But the transition, yes, sir. You wanted to say something? 

>> AUDIENCE: I am from the Internet society and I want to start my question by the comment of the chair, what is narrowly defined, but in looking ahead on challenges and communities, I noticed the idea that emerging technologies and quite a lot of discussions taking place about emerging technologies, especially in the area of identifiers which is very much related to the work that ICANN does. Identifiers is ICANN paying attention to I identifier front. And quite related, not unrelated ICANN is the technology of being lock chain technology.

And one thing that disturbed me a little, how many are open, what part of the technologies are open. How many are apparently open but not really open?  How many of the technologies are open for the time being but eventually need -- that is something that I think ICANN should pay attention.

And then I came across the block chain governance related to Internet governance. Why should we talk about the governance for a new technology, the governance for block chain, for GPS, and then have the Internet governance, everybody should be grouped together.

These are some of the broader issues that ICANN has a broader responsibility to pay attention to. And my only discussion is looking forward is for ICANN to act in a more responsible manner, thank you.

>> Thank you. I answered first in part and then Goran will follow. And thank you again for raising this question.

The board of ICANN has five key responsibilities. And one of those responsibilities is called strategic thinking and forward-looking. It is our duty and our responsibility to all the time look at the threats, the opportunities, whether they are technical and business and assess all the time their impact on ICANN.  We are keeping very close watch on what's happening in those areas.  You mentioned block chain, you mentioned you IoT and all sorts of new technologies, whether it is 5G and others.  And we constantly monitor what's happening there.

In fact, we have created a new committee on the board called the Board Technical Committee that has parts of its mandate specifically looking at the newer technologies and advising the boards accordingly.

At the same time you know we have I -- ICANN working with committees and rest assured it is our responsibility in keeping a close watch on that. Goran, do you want to --

>> GORAN MARBY: Thank you. Do we spend enough time and attention is always a good question, probably not.  We have an issue, adding on to what Cherine said, community discussions about alternative identifiers in the ICANN meetings.

A philosophical perspective we are here to provide information for the world, what we do for ICANN, provide the user interface. If someone comes along with a better solution to that, that's fine. We are not here to sell domain names.

And the technology that is invent add very short time ago is something that will not stay forever. Nothing stays forever.

The sort of underlying problem is I would say today there are 3.5 to 4 billion uses in one interconnected system. And there are many discussions how to evolve that and do that. And the multi-stakeholder model is not technology, to say we can come together with policies in the community that has an effect on this interconnectivity and we have to take that us with. Figure out ways to look at technologies, bring and discussion them in the community, but to make those choices.

We also are spending more and more time and resources on new ideas seeing what we can incorporate in the currencies temperatures. ICANN is not solely responsible for this. Our technical partners, all be it the ITF, are also very important in this. And more and more those discussions happening.

We have -- the system has been very good at adopting new things, and that's why we have so many Internet uses. But we have had this discussion before and please continue to chase us, because we need that, thank you.

>> Thank you, Goran. Do we have any other questions at this stage?  We're going to talk about some privacy issues shortly, but yes, sir, go ahead.

>> AUDIENCE: Hello everyone I would like to ask about the ICANN, it is an important organization.

For example we have this (?) And so on.

All of them are doing the same job. So are you looking at changing the structure?  I am not sure.

>> Thank you. That's a really interesting question. And they do the same job for different communities. So the supporting organizations have one real role in the ICANN structure, which is to make policy. You do other things as well, but in fundamental terms about making policy and GNSO is the generic name supporting the organization. And the CSN, the country codes and their job.

Speaking of something that comes from the country code community I can tell you that the types of issues the overlap, there are issues specific to the country code. For example, currently working on a policy for how you would retire a CCTO, country code top level domain after that country no longer exists for whatever reason. That is not something that would fit in the generic names organization.

That said, anyone who knows ICANN well, knows they spend a lot of times including reviews itself. And the structure is always being looked at, always being questioned and consideration always given to changes. And each one of those supporting organizations, including the address supporting organization, ASO, goes through a completely independent review and those reviews generally include looking at structure and advising whether the structure needs to change.

Thank you very much for the question. Cherine? 

>> And in addition to supporting organization there are the advice and committees. And with the advisory committees and those operating strong and efficiency. And the governmental advisory committee is crucial to the success of ICANN and the multi-stakeholder model.

And who looks at end-user brings advise to us concerning issue. They look alike but do things differently. And I think it is important to keep that diversity, because they do represent all the stakeholders around the world and we need to have that, thank you.

>> Thank you very much. Do we have any other questions at this time or comments?  Advice? 

Okay. In that case I will ask Becky Burr, one of the board members to talk about privacy and protection and so on and then we will take questions and comments about that. Becky, over to you.

>> BECKY BURR:  Thank you very much and good afternoon. The enforcement provisions come into effect in May of 2018.  The regulation itself is in effect, but the real enforcement provisions come in there and ICANN and the ICANN community is spending a lot of time betting ready for this. At many, many levels.  It is an enormous job. There is a huge amount of documentation and inventorying and documentation of processes that needs to go on.

New rights of data subjects relating to access and correction and ratio of data that need to be put into place.

I am not going to spend much time on that. I will tell you that from the perspective of what's new in the regulation from the existing European Data protection, the answer is a small but very significant amount of change.

For one thing, the ability to rely on implied consent for processing is quite curtailed. The geographic scope of the law is quite enhanced currently. The directive applies to processing that takes place within the European Union. Applying to any processing undertaken by an entity that is established in the European Union, wherever that processing takes place. And for anyone engaged in providing products or services in Europe. Any processing involving personal information about your eresidence.

Now we are a global business and most registries and registrars do business internationally. It means all of the registrars are involved. 

And registries, registrars and ICANN do quite a lot of collection, retention, escrow, and publication of personal data related to domain name registrations. All of that is processing, all of that is covered by the GDPR.

Some of it is quite obvious. Registrars need to collect the information in order to get your domain registered to bill you for services and to provide customer service.  They need to pass information on to registries who need to collect it in order to provide the registry itself, in some cases, to enforce registry-specific policies and to identify and mitigate cyber threats.

And both registries and registrars currently have obligations to collect and process data to provide with the ICANN contracts and abide by certain consensus policies that are the product of bottom-up multi-stakeholder development process at ICANN.

The data projection authorities have been asking questions about the need for public publication of all data for about 15 years. This is not a new thing. I believe the first article 29 working party working statement on this came out in 2002. And they recently made it abundantly clear that the sort of current public who is can't be reconciled with the GDPR, so this will require some change. And given that the GDPR is principles-based opposed to prescriptive, the other day Goran gave the best description I will steal it from him. Suggested when he was 16 and going out his mother would tell him to behave. And he would go out and learn that that is not exactly what she meant by behave. And that's problem we have and I love it.

The goal is to come into compliance with the GDPR while respecting existing a consensus policy and consensus, the policy development process to the maximum extent possible.

There are probably several ways to do that, ideally we can keep it simple and as uniform as possible. To respect consensus policy and multi-stakeholder process we should try to facilitation reasonably fractionless access to data uses. Until the policy is modified or replaced from the bottom-up process specifically designed to identify global public interest, this is a compliance issue and a matter for the organization, not the Board of Directors. I have just done the simple part and now I will turn it over to Goran for the hard part.

>> GORAN MARBY: Thank you for stealing my only joke for GDPR.

To take us back, GDPR is really the first time the legislation directly hits, the policy making process of ICANN.

It is even more interesting because it also has an direct effect and I have to put some emphasis on this, we are actually still working on the legal fine-tuning of this. But if ICANN org is also, we have no process for that. I ask for the community to give me input about doing my taxes.  It is the law and we have to be compliant with the law, anything we do, any policy we have taken local will supersede this.

And ICANN as an organize, had another purpose when we were created, and the process we are in and admittingly saying we relate to the process as many others are. We started a process, and the first thing we actually had to invent the process within the ICANN process to be able to look at this.

So during the summer we went out to the community and asked for user cases.  The reason for that, why we did that, is because one of the things in this law is that you can't even store any data if you don't have a good reasoning for it. So that was the first step we did to make sure that we actually can explain why there is a system in the first place.

And we also share that information with the community, also with the DPAs.

And the next thing we did is hire an external law firm, really to make sure the community can ask questions. Not only through us, also to other ones.  So we hired a law firm in Europe and provided with questions to them and we actually now in the second round now just yesterday published information, question from the community about the law.

Becky said something very important. It is a law that is trying to change a behavior. So as my discussion with my mother, she apparently often didn't think I did behave what I was 16, I don't know why. But we don't really know. But for us as ICANN, there are policies that puts permissions into our contract. Our contract is for what kind of information they should submit into the system that is our benchmark set by the community and our law.

And we can go only away precise as much as we think going to be compliant with the law. There is a balance in there we are trying to fight. 

And the next thing we did is gone out and ask the community for proposed models, how this could work out, and we are receiving those models and looking at it, and also together with our external law firm.

And in a very short period of time we come up with three different models. I always like three different models, that will be composed for the community so the community can comment on potential solutions to this problem. And after that, as Becky said, I have to make a decision. Because as the President and CEO of ICANN I have to make a decision how my organize will be compliant with the law.

And we will use that, that is also what we are going to have in relationship to our contracted parties. So that will be the demand on them.

And I'll have to say that I am internally grateful for the multi-stakeholder model and engagement we are seeing from so many different parties from different sides of the aisles. The whole system is used for many purposes, bookkeeping to access for police forces, anti-spam, all of them are very legitimate reasons.

And the way this has been -- restarted late, but the multi-stakeholder model in the community has been receptive in taking the challenge with coming up with solutions.

I will not go into the potential solutions I have lawyers around me and there is something that could hit me in front of them. But the continued dialogue has to continue until we set the stop-date that would be somewhere in the beginning, somewhere in January we hope so.

But I want to point out, if you bring out GDPR in a little bit higher perspective and that is that there are many areas around the world that are now talking about GDPR like legislations. This is probably the first time, but probably not the last time where we're going to have the same conversations or have other effects on the policy-making.

And to make sure that we actually don't miss the train before it leaves the station, we are now engaging with our communities around the world to get to know a little bit about proposals around the world, not only for GDPR but for other things. Because now the Internet seems to be here, and it has actually changed the society, the legislative people gets involved in it, for good reasons.  They want to be able to protect their citizens. We have to find a better way of actually standing in the room and not taking sides on any policies. 

Many people ask me if I like GDPR or not. I have absolutely no opinion about it. It's the law and it's the legislation. But we probably should be better at standing in the room, and I need your help with that, to explain how the Internet actually works. Because it is a very simple box, but it has very strong parameters. As I said many times, we don't want -- the road to hell is paved with good intentions and we want to make sure that the legislatures get what they want without breaking the interconnectivity with Internet.

I stop there and open for questions.

>> MODERATOR: Yes, go ahead, thank you.

>> AUDIENCE: Hi. I'm from the IPC, but my company also represented some registry operators and have a registrar business. 

Interested in understanding your three proposed models and whether you are saying the three models will be the only models acceptable, or whether if an individual or a group of companies wants to come up with an alternative model that isn't one of the three that you propose to put out to public comment, whether those models will be an acceptable way forward?  Or are you coming up with a solution, which is the only way forward? 

>> GORAN MARBY: This is what makes it so interesting.  We are going to have one model. And the reason we are having one model, that's how we are going to be complying with the law. And because this is one of those things I don't think that we actually thought about before, is that in ICANN org is the date controller, it is actually who has to be compliant. It would be strange if we asked contacted parties to have compliance.

With that, if the local law, the local DPA theoretically would impose something that is sort of harder, local law always supersedes that.

And the community and the way we can enforce them in a large portion of the world, therefore we have suggestions, we have -- the community has to continue the discussion about the policies set for the whole ways going forward because I think this would be -- personally I think not a good thing if there is a difference in the policies and the enforcing of those policies, thank you.

>> MODERATOR: Yes, sir, go ahead.

>> AUDIENCE: Is ICANN late with its compliance efforts because it's counting on at least a temporary waiver for the GDPR.

>> GORAN MARBY: We are not counting on any waivers for GDPR.

>> MODERATOR: "Late" is in the eye of the beholder. One of the largest organizations in the UK just realized we had an issue with the GDPR and probably should do something about it. Go ahead

>> GORAN MARBY: And one of the other things we look into, we as ICANN are a multi-national organization. Support from communities, anything from travel support and many other systems that we actually have data.

And we are at the same time now looking into if they are going to be compliant with the law as well, is there an interest, and that's also we have to make sure we figure out before this next, you know, the implementation of the law. And that can have a direct effect, also.  For instance for us coming up toe a meeting, how do we organization the participation in a meeting?  Fellowship programs from all of them? 

We, of course, try to figure out the best middle way but I am thinking of I saw a t-shirt in our meeting, a t-shirt "it's the law."

>> And essentially ICANN as an organization needs to be GDPR compliant and there is GDPR compliance with respect to which is kind of separate from ICANN as an organization.

And other questions?  Doesn't have to be about GDPR, can be some other acronym.

>> AUDIENCE: Is there a question about who can be separated from ICANN? 

>> Anything can always be separated from anything. It's a part of the contacted part. What the community decides should be part of it. And it's a resource. And it won't hold any problem because the problems related to -- I am going to rephrase that, because then I am sort of saying the GDPR is a problem, and I don't make that statement. It's a law, we have to be compliant with the law. And we have to make sure that we balance what the community has decided when it comes to the system. But it's something we have to deal with. Like a taxation law or speeding tickets or my mother's intentions.

>> MODERATOR: Go ahead, Becky.

>> BECKY BURR:  The concept of operating who is service from ICANN involves more processing of personal data. And ideally you want to avoid processing that's not necessary.

Also the nature of the data, the data the registrars collect on their customers. So just handing it out to third parties, it is probably not likely to be acceptable to registrars.

>> it is worth noting, just in passing there is a lot of work happening in respect that has nothing to do with this, a lot of work happening with respects to protocol, the RDAP, a new protocol for use. There is a GNSO, generic supporting organization, looking at registry services including who operates it all that happening irrespective to GDPR. And what we can say is it will abide by the law that it needs to abide by.

>> And we are acting. The board recently took a decision to delay a decision on policy do you remember to the fact we have to figure out GDPR before we have that policy, so we are acting.

But please engage with us when it comes to bringing the user cases, why it is essential or why data not be stored.

When we talk about user cases, when we asked them we doesn't go to one side of the house and ask why did you use them, we ask people to come in and say why it is uses or why access is blocked for everybody. That information is important for to us have the discussions with the DPAs going order and they set the standards for this. Please continue to provide us with information until the final date.

And the question, why are we late?  One of the reasons we are actually delaying some things is because some different parts of the communities have asked us to wait because they want to provide us with more information and we are waiting for that information so we make sure that when we make a decision it is as good as possible.

Balances as much as possible with different interests based on the policies, thank you.

>> MODERATOR: Yes, sir, another question down at the end there.

>> AUDIENCE: Hello. Tom McKenzie from Items International. On this question of GDPR, I've been working with registries, domain name registries and registrars in Europe, some of which that are the most advanced on this issue of GDPR have spent the best part of the past year in making sure that their internal organization, their policies are all in conformity. And I think all of them would say that really it's necessary to spend, to have at least six months preparation time for this before GDPR comes into effect.

There is a strong incentive because the penalties for non-compliance is too high.

Can you give some assurances to the registries and registrars that haven't yet started that process that you are going to have some sort of recommendation in place or some set of guidelines this place giving them sufficient time to do the necessary work?  And that will necessarily be more than two or three months. We are now six months away. How soon are you going to have completed this work? 

>> I am going to take a shot at that. As a registry, I can tell you that it is up to individual registries and regular -- registrars to ensure they are compliant, just like it is up to ICANN to determine that its internal policies and processes and procedures are compliant.

So there's a lot of work going on with all of the contracted parties and ICANN with respect to that.

We are discussing a fairly discreet portion of the processing that takes place, which is the processing that is required by ICANN contracts and ICANN consensus policy. And so it's not as if we're starting from near zero.

I don't believe ICANN is going to issue guidelines or instructions about how I handle my internal processes, and I would be fairly annoyed if they tried to do it.

On the other hand, with respect to the relatively discreet requirements related to who is, related to data escrow and related to some of the data retention requirement that are in contracts, that is what ICANN is going to come forward with a model based on input from the three models. If you want to say more about that.

>> Becky's point is important because it's not when we would -- the enforcement of our contracts with our contracted parties is not a recommendation, it's the law. It's our law because it is set by the community. And we don't have the ability to go in and intervene in the policy-making process.

What we are talking about, it has to be compliant and that's a decision that I have to make. But we also said that is because also we can't have asymmetry between that and our contracts, and therefore that model I am choosing for my own compliance leads to what we enforce for the contracted parties.

And therefore, I'm seeking input. I am seeking input for when I make that decision. It is a complicated thing which we never foresaw and therefore for the community. And the more community input I get, the more coercion against one model the better the relationship in the DPAs because it is actually part of the description in the law you have to have a good reason for storing data.

>> MODERATOR: Any other questions?  Any owe comments?  Please go ahead.

>> AUDIENCE: Hello everyone. My question certainly isn't related to the (?) -- however I would like to ask do you consider important that (?) If so what is the mechanisms? 

>> Thank you very much. As a child yourself.

>> Thank you. I think one of the things that we often struggle with, people don't always understand how the Internet works. They may think it is boring. I am a nerd, so I actually think it is interesting. The interfunctions of the currencies tell we define as Internet is something that sets a limit or gives the possibility of interaction on the Internet. So I think you should -- I think it would be very beneficial, the same way I have been teaching my kids, when you cross the street you look left and right or left, whatever you are on, to make sure there are no cars there. To make sure we provide the educational system with tools to understand how it works.

I think that because it also gives the opportunity for people to ask the right questions. Are we doing it right?  Should we change this?  What are the limitations to the systems when it comes to security, privacy, innovation and all of those things.

Then the question is, do you pay for it?  We don't have for it in our mission but we also participate also on a governmental way to create awareness and to train governments about the domain name system. And maybe we can also help the governments then to formulate that, to put that into a school system.  I think it would be a very beneficial idea and why they gave me an opportunity to answer it because they know that I like this very much.

>> MODERATOR: Thank you. Becky? 

>> A lot of technology companies including domain name technology companies, he very involved in the communities supporting science, technology, engineering, mathematics and education. And news source, one of the companies that does that in connection with the digital literacy program we sponsor in three states in the United States, students who graduate from the literacy program get a regular administration for a dot-us site. And I expect it is going on in a lot of countries, and proposed in Mexico.

>> And if you learn about the DNS, you are also in essence learning about ICANN running it the way that it does. And that teaches you then about the multi-stakeholder model. And this is only one multi-stakeholder model and there are many. But the multi-stakeholder way of learning how to do things, how to be a part of that, is beneficial going forward because not everyone understands how it works and the basics of it, and how important it can be in solving other problems other than that purely technical one.

We have a remote online contribution.

>> There's a question from the online WebEx session. How can I (?)

>> How have we determined only three models will be considered by the community.

>> We have asked the community for giving us models and we seem to -- and the reason I am saying three, it seems like the proposes we are getting in from the community actually rotates around three different solutions. So that's why. And we're going to publish them and we're going to ask community for input on that.

So we constructed a system for having that input, but then we have to respond because it is very hard to motivate, to go to the DPAs and say we think we now comply with the laws, but we also have three alternatives to be in compliance with the law. I think that would be a problem, and I say that as a former regulator.

>> MODERATOR: Thank you. Yes, go ahead, sir.

>> AUDIENCE: Good afternoon, thank you for the opportunity. I have a question regarding the GDPR and the information, personal information we give when we create the website.

It's good that we are looking forward, but is there a way to look backward?  Because when we register for a website, we give all of this information and then it's stored on the data base of the registrar. And say one year later we are no longer maintaining the website or domain name and we give it away, the information is still registered and some other websites retrieve this information, the personal information, address, phone number, first name and last name and list them on their website.

I had a case where I bought a domain name then I no longer used it. I started to search if my information is still on the web and I went up to the 20th or 30th page on Google, and then I found my personal information, address and phone number, listed on another data base which is not a Who Is data base but a mere public data base. Is there a way for the GDPR of cleaning the web of our personal information?  Thank you.

>> I am going to take a stab at it, but I am going to say in advance this is not legal advice.

So there are a million ways your name and address can persist on the Internet for years. So the first thing I would say, I would not assume that you found it on going the because it is in the Who Is date base.

Having said that, under GDPR if you decide that you do not want to use a domain name that you registered anymore, you have the right to unregister the name, and you have the right under certain conditions, and that, when you turn in that registration, that creates an obligation under GDPR with respect to everybody's retention of it, because you can't retain data for longer than it is necessary to perform the service and provide related functions. So that kicks in the need for data minimization.

Under certain circumstances you might have an opportunity to ask the registrar and the registries, whoever has your data, to break all connections with it. But I think as an initial matter, simply maintaining a registration but not relinquishing, not letting it expire. As soon as it expired it should disappear, not immediately but shortly thereafter, it should disappear from the active data base.

So there are lots of ways that you can, lots of steps you can take to get your information off the Internet. But I don't think that if you simply maintain the registration without turning it in you have grounds for getting it out of the Who Is data base. But it may not be available through GDPR but is for certain purposes.

>> And we are getting ready to wrap this up and a question.

>> I can allude to the models that would be helpful to know (?)

>> Yes. Like I said earlier, what you find on the website, the reason why we are later than respected is because the community has to provide us we are still waiting for additional models to take into account. But we're getting closer and can't wait much longer. So we are going to release those very, very soon.

But I took the decision because I thought it was so important to give the opportunity for the community to interact with us. And I also hope the models, the proposed models that you take the opportunity to react on them. Thank you.

>> MODERATOR: Okay thank you guys, thank you very much indeed. Thank you so all of the organizational group that put this together. And thank you for giving up your time incoming to the ICANN forum, especially those of you who are perhaps not quite so immersed in the ICANN communities as some of us are. It is always a pleasure to see new faces. Thank you all very much.

[The session concluded at 17:11 a.m.]