[Gdd-gnso-ppsai-impl] Action items from today's IRT call
Nick Shorey
lists at nickshorey.com
Fri Mar 9 10:52:25 UTC 2018
Hi everyone
Very interested to read the various potential challenges which could impact ability to respond to legal requests.
I note that many registrars (including those on this list) advertise 24/7 support services. Assuming you have mitigation strategies in place for such challenges / events - how do you maintain these advertised services, which no doubt form part of the appeal of choosing a particular registrar for domain registrants?
That aside, the main element of my intervention here is to note that back when I was a LEA officer, I used to be part of the 24/7 response team (shared around the team on a rota, we each typically did one week on each month).
I had a laptop and phone which enabled me to make / receive calls, and connect into the corporate system. I would receive a small payment on top of my base salary for the time that I was on call, with an additional overtime payment if the phone actually rang. In return I would handle enquiries including data preservation requests / threat to life enquiries that came in outside office hours.
Now naturally we couldn’t always solve everything within the 24hr window over a weekend, get all the evidence, find the bad people, put them in jail, but as required we were able to be called upon to do - at the minimum - an initial triage and provide information, analysis or guidance which would enable those in charge of running the threat to life operation or urgent case to make an assessment of risk, and determine the most effective course of action to mitigate the risk.
Maybe providing this service is something that could be handled by pre-existing 24/7 services? Maybe it might incur an additional cost? I’m fully aware that different providers have different budgets and margins, and I won’t attempt to dictate to the experts how to do this, but I don’t think that this is an impossible task.
In my personal view, there is an overriding public interest for at least the minimal response within a 24hr timeframe to High Priority requests as outlined in the draft, and we have a social obligation as a community to figure it out from this starting point.
Kind regards,
Nick
Nick Shorey
Phone: +44 (0) 7552 455 988
Email: lists at nickshorey.com
Skype: nick.shorey
Twitter: @nickshorey
LinkedIn: www.linkedin.com/in/nicklinkedin
Web: www.nickshorey.com
> On 8 Mar 2018, at 22:48, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid at fasthosts.com> wrote:
>
> Agree with Sara, we had the same issues with our offices as Michele and Chris.
>
> Many thanks
>
> Lindsay
>
> Sent from my iPhone
>
> On 8 Mar 2018, at 19:05, Chris Pelling <chris at netearth.net <mailto:chris at netearth.net>> wrote:
>
>> We also had to close our offices last week due to lack of actual employees being able to get in.
>>
>> So I find Sarah's argument totally acceptable.
>>
>> Kind regards,
>>
>> Chris
>>
>> From: "Michele Neylon" <michele at blacknight.com <mailto:michele at blacknight.com>>
>> To: gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>
>> Sent: Thursday, 8 March, 2018 19:01:01
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours.
>> --
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting, Colocation & Domains
>> https://www.blacknight.com/ <https://www.blacknight.com/>
>> https://blacknight.blog/ <https://blacknight.blog/>
>> https://ceo.hosting/ <https://ceo.hosting/>
>> Intl. +353 (0) 59 9183072
>> Direct Dial: +353 (0)59 9183090
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>> Road,Graiguecullen,Carlow,R93 X265,
>> Ireland Company No.: 370845
>> From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org <mailto:gdd-gnso-ppsai-impl-bounces at icann.org>> on behalf of Sara Bockey <sbockey at godaddy.com <mailto:sbockey at godaddy.com>>
>> Reply-To: "gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>>
>> Date: Thursday 8 March 2018 at 14:58
>> To: "gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>>
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> Sure, Steve.
>>
>> There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable.
>>
>> sara bockey
>> sr. policy manager | GoDaddy™
>> sbockey at godaddy.com <mailto:sbockey at godaddy.com> 480-366-3616
>> skype: sbockey
>>
>> This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
>>
>>
>> From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org <mailto:gdd-gnso-ppsai-impl-bounces at icann.org>> on behalf of "Metalitz, Steven" <met at msk.com <mailto:met at msk.com>>
>> Reply-To: "gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>>
>> Date: Thursday, March 8, 2018 at 11:48 AM
>> To: "gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>>
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to?
>>
>> Steve Metalitz
>>
>>
>> Sent with BlackBerry Work
>> (www.blackberry.com <http://www.blackberry.com/>)
>>
>> From: Sara Bockey <sbockey at godaddy.com <mailto:sbockey at godaddy.com>>
>> Date: Thursday, Mar 08, 2018, 11:04 AM
>> To: gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org> <gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>>
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> Amy,
>>
>> It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.
>>
>> Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”.
>>
>> It’s incredibly frustrating that staff does not appear to hear what we are saying.
>>
>> Sara
>>
>> sara bockey
>> sr. policy manager | GoDaddy™
>> sbockey at godaddy.com <mailto:sbockey at godaddy.com> 480-366-3616
>> skype: sbockey
>>
>> This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
>>
>>
>> From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org <mailto:gdd-gnso-ppsai-impl-bounces at icann.org>> on behalf of Amy Bivins <amy.bivins at icann.org <mailto:amy.bivins at icann.org>>
>> Reply-To: "gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>>
>> Date: Thursday, March 8, 2018 at 8:04 AM
>> To: "gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>>
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> Thanks, Lindsay! <>
>>
>> I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law.
>>
>> What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?
>>
>> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org <mailto:gdd-gnso-ppsai-impl-bounces at icann.org>] On Behalf Of Lindsay Hamilton-Reid
>> Sent: Thursday, March 8, 2018 10:00 AM
>> To: gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> Hi Amy
>>
>> Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.
>>
>> Many thanks
>>
>> Lindsay
>>
>> Lindsay Hamilton-Reid
>> Senior Legal Counsel
>> Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid at 1and1.co.uk <mailto:Lindsay.Hamilton-Reid at 1and1.co.uk>
>> www.fasthosts.co.uk <http://www.fasthosts.co.uk/> www.1and1.co.uk <http://www.1and1.co.uk/>
>> <image001.jpg>
>>
>> © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027.
>> This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.
>> <image002.jpg> <http://www.linkedin.com/company/fasthosts-internet-ltd><image003.jpg> <https://twitter.com/Fasthosts><image004.jpg> <https://www.facebook.com/fasthostsinternet><image005.jpg> <https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts><image006.jpg> <http://blogs.fasthosts.co.uk/><image007.jpg> <http://www.youtube.com/user/Fasthostsinternet>
>>
>> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org <mailto:gdd-gnso-ppsai-impl-bounces at icann.org>] On Behalf Of Amy Bivins
>> Sent: 08 March 2018 12:07
>> To: gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.
>>
>> Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):
>>
>> 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
>>
>> As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.
>>
>> 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
>>
>> If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”
>>
>> Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?
>>
>> Peter, what would you and your PSWG colleagues think about this?
>>
>> Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.
>>
>> I’ll note that the poll is still open through EOD Friday,https://www.surveymonkey.com/r/CMGF8FZ <https://www.surveymonkey.com/r/CMGF8FZ>. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).
>>
>> Best,
>> Amy
>>
>>
>>
>> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org <mailto:gdd-gnso-ppsai-impl-bounces at icann.org>] On Behalf Of Roman, Peter (CRM)
>> Sent: Wednesday, March 7, 2018 1:08 PM
>> To: gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>
>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.
>>
>> Peter Roman
>>
>> Senior Counsel
>> Computer Crime & Intellectual Property Section
>> Criminal Division
>> Department of Justice
>> 1301 New York Ave., NW
>> Washington, DC 20530
>> (202) 305-1323
>> peter.roman at usdoj.gov <mailto:peter.roman at usdoj.gov>
>>
>> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org <mailto:gdd-gnso-ppsai-impl-bounces at icann.org>] On Behalf Of Amy Bivins
>> Sent: Tuesday, March 6, 2018 11:42 AM
>> To: gdd-gnso-ppsai-impl at icann.org <mailto:gdd-gnso-ppsai-impl at icann.org>
>> Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
>>
>> Dear Colleagues,
>>
>> Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording,https://community.icann.org/display/IRT/06+March+2018 <https://community.icann.org/display/IRT/06+March+2018>
>>
>> If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ <https://www.surveymonkey.com/r/CMGF8FZ> Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.
>>
>> Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.
>>
>> We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification.
>>
>> The proposed language is:
>>
>> 4.1.2 Where a disclosure request has been categorized as High Priority, this
>> must be actioned within 24 hours. The LEA Requestor will detail the
>> threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
>>
>> Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
>>
>> I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 <http://4.2.2.2/> that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.
>>
>> IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.
>>
>> Best,
>> Amy
>>
>> Amy E. Bivins
>> Registrar Services and Engagement Senior Manager
>> Registrar Services and Industry Relations
>> Internet Corporation for Assigned Names and Numbers (ICANN)
>> Direct: +1 (202) 249-7551
>> Fax: +1 (202) 789-0104
>> Email: amy.bivins at icann.org <mailto:amy.bivins at icann.org>
>> www.icann.org <http://www.icann.org/>
>>
>>
>> _______________________________________________
>> Gdd-gnso-ppsai-impl mailing list
>> Gdd-gnso-ppsai-impl at icann.org <mailto:Gdd-gnso-ppsai-impl at icann.org>
>> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>
>> _______________________________________________
>> Gdd-gnso-ppsai-impl mailing list
>> Gdd-gnso-ppsai-impl at icann.org <mailto:Gdd-gnso-ppsai-impl at icann.org>
>> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl><image001.jpg><image006.jpg><image005.jpg><image004.jpg><image002.jpg>_______________________________________________
> Gdd-gnso-ppsai-impl mailing list
> Gdd-gnso-ppsai-impl at icann.org <mailto:Gdd-gnso-ppsai-impl at icann.org>
> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20180309/a9a8ed7a/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20180309/a9a8ed7a/signature-0001.asc>
More information about the Gdd-gnso-ppsai-impl
mailing list