[Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

[Michele Neylon - Blacknight]

I agree with Sara

The assumption that the requests are always going to be valid is erroneous. So the language should be changed from “actioned” to “responded” or similar.

The 24 hour time period is directly linked to the “actioned”, which, as Sara outlines, causes problems for providers.

While I can sympathise with what LEA might be trying to achieve my sympathy does not extend to the point where I’d voluntarily enter into an agreement of this nature knowing that I’d run a very high risk of being out of compliance due to factors outside my control.

Regards

Michele



--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org> on behalf of Sara Bockey <sbockey at godaddy.com>
Reply-To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Date: Monday 5 February 2018 at 17:06
To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

A few items.

Again, I’m concerned that we are creating policy, not implementing it.  Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts.  Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” are overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.
Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed.  However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.


sara bockey
sr. policy manager | GoDaddy™
sbockey at godaddy.com<mailto:sbockey at godaddy.com>  480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.


From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org> on behalf of Amy Bivins <amy.bivins at icann.org>
Reply-To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).

Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).


The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).


Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday,  9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy


Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax:  +1 (202) 789-0104
Email: amy.bivins at icann.org<mailto:amy.bivins at icann.org>
www.icann.org<http://www.icann.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20180205/e1400856/attachment-0001.html>