[Gdd-gnso-ppsai-impl] Final IRT Feedback Due EOD Sunday 28 Jan: draft LEA framework

theo geurts gtheo at xs4all.nl
Wed Jan 24 11:57:35 UTC 2018


Hi Amy,

Now we could mark the LEA disclosure framework specification as 
unresolved and hope that someone in the community posts a comment that 
is the silver bullet.

Or we try to gain better insight here, though it feels very close to 
policy-making; on the other hand, the current issue is already 
policy-making and out of scope in my opinion, but let's be practical about this.

There are 331 million domain names, 147 million are ccTLDs, the majority 
has no data publicly available regarding the registrant.

184 million gTLDs, 25% of those are protected by privacy.
From a registrar perspective, we are dealing with a vast amount of 
domain names where data is not available in the WHOIS, and so far we do 
not think the requirements discussed yesterday are needed.

So perhaps it is an idea we reach out to some of the larger ccTLD 
registries and see how they deal with direct threats like terrorism, 
kidnappings etc.
Most, if not all, of the ccTLD operators are not-for-profit and have 
vast interests in serving the broader public and its safety.
I am personally of the opinion we could learn something here and gain 
new perspectives which might allow us to put matters into perspective.

Thanks,

Theo Geurts


On 23-1-2018 20:52, Amy Bivins wrote:
>
> Dear Colleagues,
>
> Thanks so much for your active participation on today’s Privacy/Proxy 
> Accreditation Program IRT call. If you were unable to attend, I 
> encourage you to listen to the recording.
>
> Today, we continued discussing the LEA disclosure framework 
> specification in the draft PPAA (pp. 50-54 of the draft contract, 
> attached).  The discussion today confirmed that there is continued 
> uncertainty regarding two items in the draft framework. *Please submit 
> any final feedback that you have on these topics to the list this 
> week.* After this final feedback period, if this issue/these issues 
> are unresolved, they will be specifically identified as unresolved in 
> the call for public comments.
>
> *_Section 3.1_*: As drafted, this section requires Providers to 
> publish on their websites the designated LEA contact (e.g. email 
> address, telephone number, form or other means for LEA to obtain the 
> designated LEA contact information).
>
> *_Summary of Issue:_* Many members of the IRT support the deletion of 
> the requirement that this contact (or a means to obtain this contact) 
> appear on the Provider’s website. The RAA does not require registrars 
> to publish the registrar LEA contact on the registrar website (See RAA 
> 3.18.2). There appear to be at least a few possible paths forward:
>
>  1. Keep language as-is.
>  2. Delete the second sentence of 3.1, which requires that this
>     information be posted on the Provider website.
>  3. Replace the second sentence of 3.1 with language such as that
>     suggested by Steve Metalitz, “Provider shall provide to LEA an
>     appropriate means for LEA to obtain the designated LEA contact
>     information.”
>  4. Language from Section 3.18.2 of the RAA could be adapted for this
>     agreement by changing “Registrar” to “Provider” or by making
>     additional edits: /3.18.2 Registrar shall establish and maintain a
>     dedicated abuse point of contact, including a dedicated email
>     address and telephone number that is monitored 24 hours a day,
>     seven days a week, to receive reports of Illegal Activity by law
>     enforcement, consumer protection, quasi-governmental or other
>     similar authorities designated from time to time by the national
>     or territorial government of the jurisdiction in which the
>     Registrar is established or maintains a physical office./
>  5. We could keep the language as-is for now, note any remaining
>     disagreement about whether the contact (or a way to obtain it)
>     should be posted on the Provider’s website during the public
>     comment period, and request community feedback on potential paths
>     forward.
>  6. Some other path (please explain).
>
> *_Timeline for Providers to Action “High Priority” Requests From LEA_*
>
> *_Summary of Issue:_* The current PPAA draft contains a two-step 
> process for Providers upon receipt of a request from LEA. (1) Within 
> two business days, the Provider must review the request and confirm to 
> the LEA requester that it has been received and contains the relevant 
> information required to meet the minimum standard for acceptance (See 
> 3.2.1). (2) The Provider must then action the request in accordance 
> with the priority level (within 24 hours for “high priority” requests 
> (4.1.2); or within the timeline requested by LEA, if possible, for 
> other requests (See 4.1.3)).
>
> _Note 1:_ The RAA requires (See Section 3.18.2) that “Well-founded 
> reports of Illegal Activity submitted to these [dedicated LEA] 
> contacts must be reviewed within 24 hours by an individual who is 
> empowered by Registrar to take necessary and appropriate actions in 
> response to the report.”
>
> _Note 2:_ There is some uncertainty, as this is currently drafted, as 
> to whether the 2 business day review period applies before the 24 hour 
> response time for “high priority” requests. Section 4.1.1 states that 
> “Upon completion of the Receipt Process Specified in Section 3 of this 
> Specification, Provider will action, in accordance with Sections 4.2 
> and 4.3 of this Specification, the disclosure request in accordance 
> with the Priority Level.” Upon the resolution of the issue below, we 
> will review the specification as a whole to ensure it reflects the 
> intended result.
>
> *IRT questions:*
>
>  1. Should Providers be required to action all “high priority”
>     requests within 24 hours of receipt, as recommended by PSWG (and
>     not apply the 2 business day “receipt period” first)?
>  2. If no, do you see a compromise short of applying the current 2
>     business day receipt period prior to the 24-hour period for
>     actioning a “high priority” request?
>
> Thanks so much for your continued input on these topics. Next week, we 
> will pick up our discussion with the IP Disclosure Framework 
> Specification.
>
> Best,
>
> Amy
>
> *Amy E. Bivins*
>
> Registrar Services and Engagement Senior Manager
>
> Registrar Services and Industry Relations
>
> Internet Corporation for Assigned Names and Numbers (ICANN)
>
> Direct: +1 (202) 249-7551
>
> Fax:  +1 (202) 789-0104
>
> Email: amy.bivins at icann.org <mailto:amy.bivins at icann.org>
>
> www.icann.org <http://www.icann.org>
>
