[Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Roman, Peter (CRM) Peter.Roman at usdoj.gov
Thu Feb 8 15:07:04 UTC 2018


Just to be clear, these two proposals are:


1. Providers get to choose whether to respond to law enforcement requests at all

2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time

Also, just to make sure we are all using the same terms in the same way:

Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action.  Dictionary.com, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018).

Imminent: likely to occur at any moment; impending.  Dictionary.com, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018).

Peter Roman

Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman at usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 8, 2018 9:25 AM
To: gdd-gnso-ppsai-impl at icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl at icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes.  Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework.  Therefore, the following is problematic:
You wrote:
“the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3)).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.)  What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.
Regarding high priority requests, Volker has proposed:

"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,

Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey at godaddy.com  480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.


From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org> on behalf of Amy Bivins <amy.bivins at icann.org>
Reply-To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”


  *   Jan 2016 Final Report: Guidelines re: any future LEA framework
  *   June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
  *   December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
  *   Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
  *   June 2017: PSWG shares strawman proposal with IRT
  *   Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
  *   Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW



Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date.

Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl at icann.org; Sara Bockey <sbockey at godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests


Agreed Sara,

It seems, or at least we create a suggestion, that if process X is followed, disclosure will happen. That is not the case, and never has been the case; providers must follow due process, always.

If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.

Theo

On 5-2-2018 18:05, Sara Bockey wrote:
A few items.

Again, I’m concerned that we are creating policy, not implementing it.  Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts.  Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.
Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed.  However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.


sara bockey
sr. policy manager | GoDaddy™
sbockey at godaddy.com  480-366-3616
skype: sbockey



From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org> on behalf of Amy Bivins <amy.bivins at icann.org>
Reply-To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).

Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3)).


The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).


Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy


Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax:  +1 (202) 789-0104
Email: amy.bivins at icann.org
www.icann.org



