[Gnso-epdp-team] SSAC minority statement

Volker Greimann vgreimann at key-systems.net
Fri Aug 21 12:33:13 UTC 2020

Hi Rod,

it seems the SSAC has not understood some of the core features of the SSAD,
such as the response time SLAs. Phase two does not in fact allow disclosing
parties to respond more slowly than phase one. I invite the SSAC to revisit
the report and try to understand what these two phases actually are and how
they work. I admit, it is a complicated model, but once you understand the
difference between the two different targets (both of which will apply in
phase two) it, it will make sense.

I understand your objections to the prioritization of cybersecurity
concerns, but your statement reads as if the SSAC did not have a
representative on the ePDP who ultimately agreed (or chose not to object)
with the compromise that was reached. Ultimately, this question boils down
to two questions: What is achievable in a manually operated disclosure
process and what is desirable? In our case, we defined a narrow category of
instances where priority 1 would kick in and that does include
cybersecurity issues that match the category. It was also understood that
the disclosure of registration data would not resolve the cybersecurity
issues you describe. The attacks would continue even after disclosure is
granted. Disclosure of personal data is not an effective response to the
attack in and of itself, at least not compared to actual mitigation, it may
just be a tool amongst many that may help further investigation of the

Your comments regarding the enfoceability of the SLAs and the options to
circumvent the SLAs seem to assume bad faith on the side of the responders.
This is offensive to all contracted parties, to be frank. You are
absolutely correct when you note that there is an exception to this right
in investigatory context. This applies exactly in those cases where the
requestor can make a legally binding request non-disclosure, and this is
covered by our recommendation.

You also object against a right of data subjects to be informed about any
disclosures of their data to third parties. This seems to indicate a lack
of understanding of the rights of data subjects to know what happens with
their data to enable them to act appropriately. It assumes all subjects of
disclosure are criminals, but the opposite is true. Ultimately we must
always act on the base assumption of innocence, unless proven otherwise.

You question whether the financial model violates the GDPR, but that
question was deliberated at length and decided by determining that the SSAD
would not be designed for the data subjects as they can and should exercise
their direct rights towards their service providers. This right is already
sufficiently covered in the rights of the registrant under existing
policies and the RAA. They have no need for the SSAD and should be directed
towards the registrars when they make an SSAD request.

You also object to the financing of the system, which was built on the
basic principle of "He who wants the music pays the band". Who else should
pay for this service? The millions of registrants who never registered a
malicious domain in their lives? The contracted parties, who are already
saddled with the cost of providing the output of the system? You seem to
assume that registrars and registrants are a cornucopia of resources that
can be drawn from whenever the community decides upon a new service. They
are not that. You state that this would be the cost of doing business in
the gTLD world. Is it though? It has not been in the past. Why should it be
that now? And why is the cost of having the SSAD not the cost of doing
business in the general world of the requestors then?
Requestors are free to start civil claims actions to recover their costs
from those registrants that are found to have violated the rights of the
requestors in most jurisdictions. This is done already for other
infringements, such as trademark infringements, file sharing activities,
etc. But first they have to pay for a court order to get that data. The
SSAD will reduce those costs of obtaining the data significantly compared
to other legal venues.

Finally, your statement also seems to be devoid of alternate proposals that
would be implementable. No suggestions for a better SLA, no suggestions for
appropriate response times. The SSAC was a member of the team with full
voting rights all this time, yet only now we hear your objections and even
now no alternative solutions are presented?

Well, you do suggest that the use of ICANN funds is an alternative, but is
it really? ICANN operating costs are at or near the income, so the only
option for financing SSAD from ICANN funds would be to increase
registration fees, which ultimately forces millions of innocent registrants
to pony up the funds needed. Does that sound appropriate to you? Because it
does not to me. If we could find a way to make abusers pay, that would be
the ideal choice. But we can't, at least not within the realm of ICANN. But
requestors do have the legal option to recover their costs from the abusers
in court.

You claim that Recommendation 18 diverges from standard GNSO decision
making processes and that may very well be the case, but does not the
concept of the evolutionary mechanism in and of itself diverge from the
standard GNSO mechanisms to amend the results of a PDP? And the need to
find consensus cuts both ways, as any changes the contracted parties may
feel necessary will also have to find approval in the non-contracted space.

In closing, the statement of the SSAC reads as if the SSAC had not
participated in the discussions and determinations leading up to the report
and had not been privy to all the thinking that led to each recommendation.

Volker A. Greimann
General Counsel and Policy Manager

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.


On Fri, Aug 21, 2020 at 12:25 AM Rod Rasmussen <rod at rodrasmussen.com> wrote:

> Dear Rafik, Staff, and the ePDP team,
> [Resending with proper subject line] Per the deadline for
> minority statements, the SSAC is providing the enclosed document, SAC112,
> which encapsulates our minority statement.  This document provides further
> background and rationale for the SSAC’s non-support of some of the
> recommendations in the final report, discusses issues not addressed by the
> report, and details concerns with some items we supported with
> reservations.  This is an SSAC published document that has gone through our
> full review process and is thus the consensus view of the SSAC.  We greatly
> appreciate having the deadline for minority statements extended so that we
> and other ACs could go through their formal processes to provide fully
> considered feedback outside of the GNSO processes that the EPDP works under.
> On a practical consideration, we do anticipate that the EPDP staff may
> wish to strip the SSAC document boilerplate from our statement for
> inclusion into the final report.  Please work with the SSAC support staff
> if there are questions on how to best do that.  Speaking of the EPDP staff,
> I would like to take this opportunity to extend a huge thank you to the
> EPDP support staff for their amazing work over the past years!
> Thank you to all for the massive amount of work that went into this
> document and the opportunity to participate and share our views as part of
> the process.  We look forward to continuing to move forward constructively
> on finding a balanced, practical, consistent, and efficient solution for
> providing legal access to domain registration data.
> Thank You,
> Rod Rasmussen
> SSAC Chair
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200821/134087af/attachment.html>

More information about the Gnso-epdp-team mailing list