[Gdd-gnso-ppsai-impl] Action items from today's IRT call
Roman, Peter (CRM)
Peter.Roman at usdoj.gov
Fri Mar 9 16:34:32 UTC 2018
A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law
B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary.
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman at usdoj.gov<mailto:peter.roman at usdoj.gov>
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Amy Bivins
Sent: Friday, March 9, 2018 9:05 AM
To: gdd-gnso-ppsai-impl at icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here?
Sent from my iPhone
On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey at godaddy.com<mailto:sbockey at godaddy.com>> wrote:
There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.
Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Pease see the thread to my March 2 email.
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html
Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it?
Yes, we need to consider additional language to 4.2.2 as it is too narrow.
Many thanks,
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey at godaddy.com<mailto:sbockey at godaddy.com> 480-366-3616
skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org<mailto:gdd-gnso-ppsai-impl-bounces at icann.org>> on behalf of Amy Bivins <amy.bivins at icann.org<mailto:amy.bivins at icann.org>>
Reply-To: "gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>>
Date: Thursday, March 8, 2018 at 10:05 AM
To: "gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Sara and all,
This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement.
There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.
Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Sara Bockey
Sent: Thursday, March 8, 2018 11:04 AM
To: gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Amy,
It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.
Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”.
It’s incredibly frustrating that staff does not appear to hear what we are saying.
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey at godaddy.com<mailto:sbockey at godaddy.com> 480-366-3616
skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces at icann.org<mailto:gdd-gnso-ppsai-impl-bounces at icann.org>> on behalf of Amy Bivins <amy.bivins at icann.org<mailto:amy.bivins at icann.org>>
Reply-To: "gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>>
Date: Thursday, March 8, 2018 at 8:04 AM
To: "gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>" <gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Lindsay!
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law.
What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Lindsay Hamilton-Reid
Sent: Thursday, March 8, 2018 10:00 AM
To: gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Hi Amy
Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.
Many thanks
Lindsay
Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid at 1and1.co.uk<mailto:Lindsay.Hamilton-Reid at 1and1.co.uk>
www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/>
<image001.jpg>
© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027.
This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.
<image002.jpg><http://www.linkedin.com/company/fasthosts-internet-ltd><image003.jpg><https://twitter.com/Fasthosts><image004.jpg><https://www.facebook.com/fasthostsinternet><image005.jpg><https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts><image006.jpg><http://blogs.fasthosts.co.uk/><image007.jpg><http://www.youtube.com/user/Fasthostsinternet>
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Amy Bivins
Sent: 08 March 2018 12:07
To: gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.
Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):
4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.
3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”
Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?
Peter, what would you and your PSWG colleagues think about this?
Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.
I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).
Best,
Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Roman, Peter (CRM)
Sent: Wednesday, March 7, 2018 1:08 PM
To: gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman at usdoj.gov<mailto:peter.roman at usdoj.gov>
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces at icann.org] On Behalf Of Amy Bivins
Sent: Tuesday, March 6, 2018 11:42 AM
To: gdd-gnso-ppsai-impl at icann.org<mailto:gdd-gnso-ppsai-impl at icann.org>
Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Dear Colleagues,
Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018
If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.
Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.
We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification.
The proposed language is:
4.1.2 Where a disclosure request has been categorized as High Priority, this
must be actioned within 24 hours. The LEA Requestor will detail the
threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.
IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.
Best,
Amy
Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins at icann.org<mailto:amy.bivins at icann.org>
www.icann.org<http://www.icann.org>
_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl at icann.org<mailto:Gdd-gnso-ppsai-impl at icann.org>
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20180309/5c757d80/attachment-0001.html>
More information about the Gdd-gnso-ppsai-impl
mailing list