[Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

theo geurts gtheo at xs4all.nl
Mon Feb 5 17:31:54 UTC 2018 

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is 
followed, disclosure will happen, that is not the case, and never has 
been the case, providers must follow due process, always.

If we create a set of LEA procedures, they need to realistic and clear 
and never put a provider in a position where contractual agreements put 
pressure on a provider to comply with applicable law. But the first step 
in this process is to figure out if we are not out of scope as an IRT to 
create such procedures.

Theo


On 5-2-2018 18:05, Sara Bockey wrote:
>
> A few items.
>
> Again, I’m concerned that we are /_creating_/ policy, not implementing 
> it. Granted, the framework outlined in the Final Report is not as 
> robust as what is detailed for IPC, but then again LEA did not 
> participate in the PDP process. The IRT is _not_ the place to be 
> creating policy for LEAs.
>
> That said, the problem with a strict 24-hour period is that it doesn’t 
> acknowledge certain situations/matters may require additional time, 
> falling outside a 24-hour period *_despite a Provider’s best 
> efforts_*.  Language such as “Where a disclosure request has been 
> categorized as High Priority, this must be actioned within 24 hours” 
> are overly strict and sets the Provider up for failure/being out of 
> compliance due to circumstances beyond its control.
>
> Finally, I fear the LEA framework as currently written creates 
> unrealistic expectations/SLAs. There seems to be a presumption of 
> disclosure – if LEAs check all the right boxes, the information will 
> be disclosed.  However, this decision should reside with the provider, 
> who does not have to bypass due process just to please LEAs.
>
> *sara bockey*
>
> *sr. policy manager | **Go**Daddy^™ *
>
> *sbockey at godaddy.com <mailto:sbockey at godaddy.com> 480-366-3616*
>
> *skype: sbockey*
>
> //
>
> /This email message and any attachments hereto is intended for use 
> only by the addressee(s) named herein and may contain confidential 
> information. If you have received this email in error, please 
> immediately notify the sender and permanently delete the original and 
> any copy of this message and its attachments./
>
> *From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org> on 
> behalf of Amy Bivins <amy.bivins at icann.org>
> *Reply-To: *"gdd-gnso-ppsai-impl at icann.org" 
> <gdd-gnso-ppsai-impl at icann.org>
> *Date: *Monday, February 5, 2018 at 7:51 AM
> *To: *"gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
> *Subject: *[Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA 
> Framework Specification, Receipt Process's Application to High 
> Priority Requests
>
> Dear Colleagues,
>
> As mentioned on the list a couple of weeks ago, the current draft PPAA 
> is still a bit ambiguous regarding how the review process outlined in 
> Section 3.2.1 applies to high priority requests. We need ensure that 
> the draft is clear about this requirement when we go out for public 
> comment (and if there is opposition to the proposed requirement by any 
> members of the IRT, this will be flagged in the call for comments).
>
> **
>
> *Upon reviewing the IRT’s input to date, I am proposing an edit that I 
> believe reflects the IRT discussion on this point. Please review and 
> provide your comments on this proposed language no later than this 
> Friday, 9 February. *
>
> To summarize, the current draft contains a two-step process for 
> Providers upon receipt of a request from LEA. (1) Within two business 
> days, the Provider must review the request and confirm to the LEA 
> requester that it has been received and contains the relevant 
> information required to meet the minimum standard for acceptance (See 
> 3.2.1 of Specification 4). (2) The Provider must then action the 
> request in accordance with the priority level (within 24 hours for 
> “high priority” requests (4.1.2); or within the timeline requested by 
> LEA, if possible, for other requests (See 4.1.3).
>
> *The current language may be a bit ambiguous as to whether the two 
> business day “review period” applies before the 24-hour period for 
> responding to high priority requests (as explained in more detail in 
> the attached message).*The view of registrar IRT members appears to be 
> that requiring action within 24 hours of receipt of an LEA request, 
> even if it is a high priority request, is unacceptable. PSWG members 
> of the IRT disagree. Other IRT members appear to have mixed views on 
> this (some referenced the RAA requirement that “Well-founded reports 
> of Illegal Activity submitted to these [dedicated LEA] contacts must 
> be reviewed within 24 hours by an individual who is empowered by 
> Registrar to take necessary and appropriate actions in response to the 
> report.” Registrar members of the IRT said that the RAA-required 
> review is less intensive than the PPAA review due to the specific 
> requirements in the PPAA draft).
>
> Based on the views expressed within the IRT, it appears that one 
> potential solution to this ambiguity would be to update Section 4.1.2 
> to state that (proposed edit in red), *“**Where a disclosure request 
> has been categorized as High Priority, this must be actioned within 24 
> hours of completion of the receipt process outlined in Section 3.2.” 
> The LEA Requestor will detail the threat type and justification for a 
> request with a Priority Level of High Priority.”*
>
> The practical impact of this proposed change would be that the 
> provider must action a high priority request within 24 hours of 
> determining that the request meets the minimum standard for 
> acceptance. If the provider completes the receipt process sooner than 
> 2 business days after receipt of the request, this would start the 
> 24-hour clock for actioning the request. Thus, this could shorten the 
> response window a bit, partially addressing the PSWG concerns of a 
> “two business days plus 24 hours” requirement, while also addressing 
> registrar concerns by not starting the clock until the provider has 
> time to review the request, if the full time of the receipt process is 
> required to conduct that review.
>
> *Please provide your feedback on this proposed change no later than 
> this Friday,  9 Feb. And if you have further comments on this, please 
> share those as well.*
>
> **
>
> Best,
>
> Amy
>
> *Amy E. Bivins*
>
> Registrar Services and Engagement Senior Manager
>
> Registrar Services and Industry Relations
>
> Internet Corporation for Assigned Names and Numbers (ICANN)
>
> Direct: +1 (202) 249-7551
>
> Fax:  +1 (202) 789-0104
>
> Email: amy.bivins at icann.org<mailto:amy.bivins at icann.org>
>
> www.icann.org<http://www.icann.org>
>
>
>
> _______________________________________________
> Gdd-gnso-ppsai-impl mailing list
> Gdd-gnso-ppsai-impl at icann.org
> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20180205/89d445e1/attachment.html>

More information about the Gdd-gnso-ppsai-impl mailing list