[Gnso-epdp-team] [GNSO-ePDP-Team] Changes to SSAC consensus designations
bbutler at godaddy.com
Wed Jul 29 23:53:29 UTC 2020
Dear Rafik, Staff, and ePDP team,
Per the deadline for consensus designations, the SSAC EPDP Work Party has reviewed and discussed the finalized language and would like to flag that we cannot support, as written, the following four recommendations. Please update the listed consensus designations accordingly. A brief rationale is provided for each, and we will provide more information in a minority statement including the nuances of where each recommendation falls short of achieving our support even if the intent was aligned with addressing our concerns. Beyond further information on these particular recommendations, that minority statement will contain concerns about some of the other recommendations that we can support, as well as our overall concerns with issues that remain unaddressed that the EPDP was originally chartered to handle. The SSAC’s EPDP team decisions on support/non-support for various recommendations are based on issues that were previously identified and documented in SAC101v2 and more recently SAC111 which contain the full SSAC consensus on those issues.
* Recommendation 6: Priority Levels
* We do not feel that operational and network security investigations should be seen as Priority 3 with the corresponding SLA. Things like phishing and malware attacks need to be resolved much more quickly than this would promote.
* Recommendation 10: Determining Variable SLAs for response times for SSAD
* Having SLAs for requests like Priority 3 go from 5 days to 10 days in Phase 2 is moving the needle in the wrong direction. The hope should be to strive for improvements that will make legitimate requests through the SSAD more efficient, not less.
* Recommendation 12: Disclosure Requirement
* The language in this Recommendation allows a disclosing party to provide a data subject with the identity of the specific entity making a request for the RDS data. The disclosing party should be prohibited from revealing the identity of a data requestor unless the data requestor goes through appropriate legal process. 1) The European Data Protection Board (EDPB) has told ICANN Org that revealing requestor data to data subjects is a problem. 2) Revealing the identities of requestors will compromise investigations, including those of law enforcement, and may place some data requestors in danger. 3) Per GDPR and the Temp Spec, it is sufficient for data controllers to inform data subjects about the types of groups to whom disclosure may occur.
* Recommendation 14: Financial Sustainability
* SSAC has several issues with the this Recommendation. We share concerns flagged in this consensus designation process by the ALAC, as well as concerns previously noted in SAC101v2 and more recently SAC111.
Thank you to all for the diligent efforts thus far, and we look forward in good faith to continuing to support and improve the SSAD.
Ben Butler (on behalf of the SSAC ePDP Work Party)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnso-epdp-team