<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><title>Information Security Program Charter</title><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Very much +1. Well said Becky.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>P<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Paul Rosenzweig<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><a href="mailto:paul.rosenzweigesq@redbranchconsulting.com"><span style='color:#0563C1'>paul.rosenzweig@redbranchconsulting.com</span></a> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>O: +1 (202) 547-0660<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>M: +1 (202) 329-9650<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>VOIP: +1 (202) 738-1739<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Skype: paul.rosenzweig1066<o:p></o:p></span></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span style='font-size:11.0pt;color:#1F497D'><a href="http://www.redbranchconsulting.com/index.php?option=com_content&view=article&id=19&Itemid=9"><span style='color:#0563C1'>Link to my PGP Key</span></a><o:p></o:p></span></p><p class=MsoNormal><a href="http://www.rsaconference.com/events/us16?utm_source=signature&utm_medium=email&utm_campaign=speakers-us2016"><span style='font-size:11.0pt;color:#1F497D;text-decoration:none'><img border=0 width=578 height=87 id="Picture_x0020_7" src="cid:image001.png@01D16019.FC743C60"></span></a><span style='font-size:11.0pt;color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Burr, Becky [mailto:Becky.Burr@neustar.biz] <br><b>Sent:</b> Friday, February 5, 2016 1:03 PM<br><b>To:</b> Accountability Community <accountability-cross-community@icann.org><br><b>Subject:</b> [CCWG-ACCT] Responses to Rafael's Questions<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>I</span><span style='font-family:"Times New Roman",serif;color:black'> am going to attempt to respond to Rafael’s questions, below. This is a long post, so apologies in advance. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Times New Roman",serif;color:black'>I’d like to start out by saying that my proposal does not in any way prevent the GAC from participating in any community discussion whatsoever, or from continuing to provide advice on public policy matters whenever and however it chooses. Rather, the compromise would limit the GAC’s ability to participate as a <i>decision-maker</i> in the very limited situation in which the community takes exception to the Board’s implementation of GAC Advice and a community discussion is initiated to explore use of a community power to challenge the Board’s action. Even in those limited situations where the carve out would apply, the GAC is still able to participate in discussion, to engage in advocacy, to persuade, to issue more advice, etc. The only impact is that at the end of the day the GAC would not count towards the thresholds necessary to block or support exercise of the relevant power. So please, do not say that anyone is trying to silence the GAC or to in any way limit its current authority. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Times New Roman",serif;color:black'>Rafael’s questions appear in </span><i><span style='font-family:"Times New Roman",serif;color:blue'>blue italic</span></i><span style='font-family:"Times New Roman",serif;color:black'> below, and my answers follow:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Times New Roman",serif;color:black'> <o:p></o:p></span></p></div><div><div><blockquote style='margin-left:30.0pt;margin-right:0in'><blockquote style='margin-left:30.0pt;margin-right:0in'><p class=MsoNormal><i><span style='color:blue'>1. We have previously discussed it, but we still fail to understand why this “carve-out” is only applicable to the GAC. If this measure is foreseen to avoid the “two-bites-at-the-apple” situation, for instance the GNSO is as well in a position of being “judge and part” when it comes to decisions of the Board based on a PDP. In these cases, the GNSO is part (has proposed a policy and the Board has accepted it) and judge (through its participation in the EC, it can participate through its vote in the rejecting of the challenge to this policy). This situation is unfair to the rest of SO/ACs. What are the reasons for such a privilege? In this vein, although the GAC has a “mutually agreeable procedure to TRY to find a solution”, it CANNOT force the Board to act according to its advice, therefore a Board decision based on GAC Advice is as free as a Board decision based on GNSO or CCNSO PDP or GNSO Guidance (all three with a 2/3 threshold for rejection by ICANN Board). Why is the GAC singled out then?</span></i><span style='color:black'><o:p></o:p></span></p></blockquote></blockquote><p class=MsoNormal><span style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>I have previously explained this, as have others on the calls and in the chat. My previous response follows. The fact is that the Board’s obligation to work to try to find a mutually agreeable solution before rejecting GAC Advice gives the GAC both a formidable and unique power to stop a process in its tracks and compel the Board to negotiate. The fact that in the end a mutually acceptable solution may not be found does not change the nature of that power. And GAC advice is not constrained in any material way – it can involve any topic with “public policy” implications, and it can be issued at any time before, during, or after a policy development process has concluded, and indeed midway during implementation of such policy. No other SO or AC has that authority. <b>The GAC is singled out because it, and it alone, has this authority.</b> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='color:black'>My previous response to this same question from Jorge follows:</span></b><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Jorge asks why I am drawing a distinction between GAC Advice and the output (e.g., a policy developed through a PDP) of a supporting organization or this new “GNSO Guidance." The differences between a PDP (or Guidance on implementation of a PDP) and GAC Advice are both structural and substantive. In short, the process for issuing GNSO policy and guidance has built-in safeguards to prevent Mission creep and promote transparency and public consultation. For many reasons, including some that I consider entirely appropriate, that’s not the case with GAC Advice. </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>On the one hand, the GAC can give Advice </span><i><span style='color:blue'>on any topic</span></i><span style='color:black'> it likes. Yes, technically it must relate to “public policy” - but as we know that is a very broad concept. The GAC can also give that Advice </span><i><span style='color:blue'>at any time</span></i><span style='color:black'> it likes - before, during, or well after a PDP or even the Board’s acceptance of a PDP. There is no rule that says that GAC Advice must relate to a topic within ICANN’s Mission or that such Advice must be consistent with ICANN’s Bylaws. Both the flexibility with respect to topic and timing mean that GAC Advice can be disruptive to ongoing policy development and/or implementation. And, under Rec. 11 as currently proposed, the Board must accept that Advice unless 66% of the Board opposes it. That’s the case no matter what that Advice is and </span><i><span style='color:blue'>even if a majority of the Board thinks it would violate ICANN’s Bylaws to implement that Advice</span></i><span style='color:black'>. </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>A PDP, on the other hand, takes place in a highly structured environment that is strictly controlled both by subject matter and sequencing. Even before the PDP really gets off the ground it is subject to review by ICANN’s General Counsel as to whether or not it is within ICANN’s Mission. That is a critical structural safeguard against scope creep that distinguishes a PDP from GAC Advice. </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>The PDP process is highly structured, with numerous safeguards that protect against scope creep and ensure transparency:</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>a. Final Issue Report requested by the Board, the GNSO Council ("Council") or Advisory Committee. The issue report must affirmatively address the following issues:</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;text-indent:-.5in'><span style='color:black'>The proposed issue raised for consideration;<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;text-indent:-.5in'><span style='color:black'>The identity of the party submitting the request for the Issue Report;<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;text-indent:-.5in'><span style='color:black'>How that party is affected by the issue, if known;<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;text-indent:-.5in'><span style='color:black'>Support for the issue to initiate the PDP, if known;<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;text-indent:-.5in'><span style='color:black'>The opinion of the ICANN General Counsel regarding whether the issue proposed for consideration within the Policy Development Process is properly within the scope of the ICANN's mission, policy process and more specifically the role of the GNSO as set forth in the Bylaws.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;text-indent:-.5in'><span style='color:black'>The opinion of ICANN Staff as to whether the Council should initiate the PDP on the issue<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>b. Formal initiation of the Policy Development Process by the Council;</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>c. Formation of a Working Group or other designated work method;</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>d. Initial Report produced by a Working Group or other designated work method;</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>e. Final Report produced by a Working Group, or other designated work method, and forwarded to the Council for deliberation;</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>f. Council approval of PDP Recommendations contained in the Final Report, by the required thresholds;</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>g. PDP Recommendations and Final Report shall be forwarded to the Board through a Recommendations Report approved by the Council]; and</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>h. Board approval of PDP Recommendations.</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><blockquote style='margin-left:30.0pt;margin-right:0in'><blockquote style='margin-left:30.0pt;margin-right:0in'><p class=MsoNormal><i><span style='color:blue'>2. If this “carve-out” were to be accepted, how would the exclusion of the GAC from a community decision-making process be triggered? Who would decide on such things? Who would control the legality of such a decision? The carve-out refers generically to “Board decisions” to “implement GAC advice”. But we need to bear in mind that Board decisions very often rely on many different inputs for any decision (a PDP, advice from advisory committees, including the GAC, legal advice, etc.), and rarely only stem exclusively from GAC advice. Would this “carve-out” mean that where there is a Board decision based on such multiple sources, only one of them being a GAC advice, the GAC would be excluded from any community power related to such a Board decision? How do we make sure that if such a “carve-out” is accepted it has not these effects, and ONLY applies when the Board acts based ONLY on GAC advice?</span></i><o:p></o:p></p></blockquote></blockquote><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>This seems fairly straightforward. The GAC keeps a “scorecard” regarding the Board’s handling of GAC Advice. GAC Advice is listed and tracked. ICANN tracks its responses formally. See, for example, <a href="https://www.icann.org/en/system/files/files/gac-advice-scorecard-07oct15-en.pdf">https://www.icann.org/en/system/files/files/gac-advice-scorecard-07oct15-en.pdf</a>. To the extent that other organizations have provided similar advice, they have not had the opportunity to compel the Board to the negotiation table with respect to that advice. In such cases, they could still participate in the decision making process in an effort to block exercise of a community power challenging the Board’s implementation of GAC Advice if, for example, they happened to agree with that Advice and/or thought the way the Board implemented that Advice was appropriate, etc. </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><blockquote style='margin-left:30.0pt;margin-right:0in'><blockquote style='margin-left:30.0pt;margin-right:0in'><p class=MsoNormal><i><span style='color:blue'>3. What happens if a Board decision is based on GAC advice which in turn is based on international law, relevant national law and/or important reasons of public policy? We should remember that under Rec11 GAC will be obliged to act under a “no formal objection rule” (full consensus). Should the community be able to overturn such a Board decision without giving the possibility to the GAC to intervene in such a process (based on a GAC consensus)?</span></i><o:p></o:p></p></blockquote></blockquote><p class=MsoNormal><span style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>It is not the case now, nor has it ever been the case that the position of the GAC will prevail simply because it asserts that its views are mandated by international law, relevant national law, and/or important reasons of public policy. </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><br><br></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>Now, and in the future, the Board must make this call in the first instance, subject to applicable law and in light of ICANN’s Mission, Commitments & Core Values. If enough of the community thinks the Board got it wrong, it has the right to challenge the Board’s implementation action – e.g., by rejecting a proposed Bylaws change, by bringing an IRP, or ultimately, by recalling the Board. Throughout this, the Board, the GAC, SOs, other ACs, etc. will have the opportunity to make their respective cases. The thresholds for the exercise of community powers have been deliberately set to require broad support. </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><br><br></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>Let me repeat again what I said at the outset – nothing prevents the GAC from “intervening” through debate, discussion, persuasion, advice or any other non-decisional role. </span><span style='color:black'><o:p></o:p></span></p></div><p class=MsoNormal style='margin-top:12.0pt'><b><span style='font-size:9.0pt;color:black'>J. Beckwith Burr</span></b><b><span style='font-size:10.0pt;color:#262626'> </span></b><b><span style='font-size:9.0pt;color:#3366FF'><br></span></b><b><span style='font-size:9.0pt;color:#008656'>Neustar, Inc.</span></b><b><span style='font-size:9.0pt;color:#068658'> </span></b><span style='font-size:9.0pt;color:#7D7D7D'>/</span><b><span style='font-size:9.0pt;color:#068658'> </span></b><span style='font-size:9.0pt;color:#7D7D7D'>Deputy General Counsel & Chief Privacy Officer<br>1775 Pennsylvania Avenue NW, Washington D.C. 20006</span><span style='font-size:9.0pt;color:gray'><br></span><b><span style='font-size:9.0pt;color:#008656'>Office:</span></b><b><span style='font-size:9.0pt;color:#7D7D7D'> </span></b><span style='font-size:9.0pt;color:#7D7D7D'>+1.202.533.2932 </span><b><span style='font-size:9.0pt;color:#008656'>Mobile:</span></b><b><span style='font-size:9.0pt;color:#7D7D7D'> </span></b><span style='font-size:9.0pt;color:#7D7D7D'>+1.202.352.6367 </span><strong><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#7D7D7D'>/</span></strong><span style='font-size:9.0pt;color:#068658'> </span><span style='font-size:10.5pt;color:black'><a href="http://www.neustar.biz"><b><span style='font-size:9.0pt;color:#008656'>neustar.biz</span></b></a><o:p></o:p></span></p></div></div></body></html>