[Gdd-gnso-ppsai-impl] [Ext] Re: Final IRT Feedback Due EOD Sunday 28 Jan: draft LEA framework

Amy Bivins amy.bivins at icann.org
Wed Jan 24 13:58:18 UTC 2018


Hi Theo,

Thank you for your suggestion! I'm interested to hear what others think.

This is interesting information that could benefit the community through the sharing of existing practices and lessons learned. But it's possible this may be beyond the scope of our work here, which is determining: (1) whether LEA abuse contact information (or a way to obtain that information) should be required to be posted on a provider's website, and (2) what a provider's required response time should be to "high priority" LEA requests (involving an imminent threat to life, serious bodily injury, critical infrastructure or child exploitation). On point 2, the PSWG has recommended that the response time required under the accreditation agreement be 24 hours from the time of the request or less. Most registrar members of the IRT have said that while they would work to respond to such requests as expeditiously as possible, they prefer a longer required response time to be written into the contract.

We heard the point raised by registrar members of the IRT (yesterday and previously) that the burden of maintaining processes (and staff) to field such a request from LEA within 24 hours, when such a request may only rarely or never occur, may be too great. I believe Peter's counter-point to that yesterday was that even if the need for a specific provider to respond to such a request is exceedingly rare (or even if this never occurs), having a process in place that helps in even one of these situations is a net benefit to such a requirement.

Best,
Amy


From: theo geurts [mailto:gtheo at xs4all.nl]
Sent: Wednesday, January 24, 2018 6:58 AM
To: gdd-gnso-ppsai-impl at icann.org; Amy Bivins <amy.bivins at icann.org>
Subject: [Ext] Re: [Gdd-gnso-ppsai-impl] Final IRT Feedback Due EOD Sunday 28 Jan: draft LEA framework


Hi Amy,

Now we could mark the LEA disclosure framework specification as unresolved and hope that someone in the community posts a comment that is the silver bullet.

Or we try to gain better insight here, though it feels very close to policy-making. On the other hand, the current issue is already policy-making and out of scope in my opinion, but let's be practical about this.

There are 331 million domain names, 147 million are ccTLDs, the majority has no data publicly available regarding the registrant.

184 million gTLDs, 25% of those are protected by privacy.
From a registrar perspective, we are dealing with a vast amount of domain names where data is not available in the WHOIS, and so far we do not think the requirements discussed yesterday are needed.

So perhaps it is an idea we reach out to some of the larger ccTLD registries and see how they deal with direct threats like terrorism, kidnappings etc.
Most, if not all, of the ccTLD operators are not-for-profit and have vast interests in serving the broader public and its safety.
I am personally of the opinion we could learn something here and gain new perspectives which might allow us to put matters into perspective.

Thanks,

Theo Geurts

On 23-1-2018 20:52, Amy Bivins wrote:
Dear Colleagues,

Thanks so much for your active participation on today's Privacy/Proxy Accreditation Program IRT call. If you were unable to attend, I encourage you to listen to the recording.

Today, we continued discussing the LEA disclosure framework specification in the draft PPAA (pp. 50-54 of the draft contract, attached).  The discussion today confirmed that there is continued uncertainty regarding two items in the draft framework. Please submit any final feedback that you have on these topics to the list this week. After this final feedback period, if this issue/these issues are unresolved, they will be specifically identified as unresolved in the call for public comments.

Section 3.1: As drafted, this section requires Providers to publish on their websites the designated LEA contact (e.g. email address, telephone number, form or other means for LEA to obtain the designated LEA contact information).

Summary of Issue: Many members of the IRT support the deletion of the requirement that this contact (or a means to obtain this contact) appear on the Provider's website. The RAA does not require registrars to publish the registrar LEA contact on the registrar website (See RAA 3.18.2). There appear to be at least a few possible paths forward:


  1.  Keep language as-is.
  2.  Delete the second sentence of 3.1, which requires that this information be posted on the Provider website.
  3.  Replace the second sentence of 3.1 with language such as that suggested by Steve Metalitz, "Provider shall provide to LEA an appropriate means for LEA to obtain the designated LEA contact information."
  4.  Language from Section 3.18.2 of the RAA could be adapted for this agreement by changing "Registrar" to "Provider" or by making additional edits: 3.18.2 Registrar shall establish and maintain a dedicated abuse point of contact, including a dedicated email address and telephone number that is monitored 24 hours a day, seven days a week, to receive reports of Illegal Activity by law enforcement, consumer protection, quasi-governmental or other similar authorities designated from time to time by the national or territorial government of the jurisdiction in which the Registrar is established or maintains a physical office.
  5.  We could keep the language as-is for now, note any remaining disagreement about whether the contact (or a way to obtain it) should be posted on the Provider's website during the public comment period, and request community feedback on potential paths forward.
  6.  Some other path (please explain).



Timeline for Providers to Action "High Priority" Requests From LEA

Summary of Issue: The current PPAA draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for "high priority" requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3)).



Note 1: The RAA requires (See Section 3.18.2) that "Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report."

Note 2: There is some uncertainty, as this is currently drafted, as to whether the 2 business day review period applies before the 24 hour response time for "high priority" requests. Section 4.1.1 states that "Upon completion of the Receipt Process Specified in Section 3 of this Specification, Provider will action, in accordance with Sections 4.2 and 4.3 of this Specification, the disclosure request in accordance with the Priority Level." Upon the resolution of the issue below, we will review the specification as a whole to ensure it reflects the intended result.



IRT questions:



  1.  Should Providers be required to action all "high priority" requests within 24 hours of receipt, as recommended by PSWG (and not apply the 2 business day "receipt period" first)?
  2.  If no, do you see a compromise short of applying the current 2 business day receipt period prior to the 24-hour period for actioning a "high priority" request?



Thanks so much for your continued input on these topics. Next week, we will pick up our discussion with the IP Disclosure Framework Specification.



Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax:  +1 (202) 789-0104
Email: amy.bivins at icann.org
www.icann.org