[GNSO-EPDPP2-SmallTeam] RDRS Confidentiality feature

Steve Crocker steve at shinkuro.com
Tue May 16 15:10:09 UTC 2023 

[Adding PSWG members Laureen Kapin, Chris Lewis-Evans and Gabe Andrews to
this thread]

Yuko,

Thanks for this summary.  The following comments reflect my understanding
of LEA needs.  That said, it's far better to hear directly from them, so
I've added them to this thread.

When confidentiality is required, it's needed at both the RDRS and the
registrars.  And the assurance that confidentiality will be protected is
needed *before* any element of the request is provided.  It's not clear
that the proposed enhancement will achieve this.

If I understand the proposed enhancement, the only thing an
investigative agent could do that would be consistent with their
requirements would be  to enter a request for assurance that
confidentiality will be maintained *without providing any details of the
request except the name of the registrar.*  The registrar would then
respond out of band to the requester, and the requester would then provide
the domain name through some sort of secure channel unrelated to the RDRS.
This implies if the requester checks the box asking for assurance of
confidentiality, the only other info to be filled in is the name of the
registrar.  What will be forwarded to the registrar is a request that is
blank except for the fact that confidentiality is being requested and who's
making the request.

I can also imagine the law enforcement agencies might require additional
confidentiality.  For example, does the fact that a confidential request is
being made to a particular registrar carry any risk?  Is the aggregate
number of confidential requests considered sensitive?

I would guess that LEA would not find it useful to use the RDRS to pass
along a request for confidentiality.  Rather, I would expect LEA would seek
to establish its own channels directly with registrars.

In summary, it does NOT look like the proposed enhancement will meet the
needs of law enforcement agencies.  Of course, as I said at the top, this
is really for them to say.  I'm just raising a warning flag that there
appears to be a disconnect.  If I'm wrong, that's fine with me.

Thanks,

Steve

On Mon, May 15, 2023 at 7:32 PM Yuko Yokoyama <yuko.yokoyama at icann.org>
wrote:

> Dear Small Team members,
>
>
>
> This is a follow up email based on today’s Small Team meeting to provide
> Org’s response to PSWG’s request that came out of the GNSO Small Team and
> PSWG Call that took place on 10 May.
>
>
>
> We understood the ask from the PSWG to be:
>
>
>
>    1. *The ability to request for confidential treatment*: This is for
>    LEA to request Registrars not to inform the data subject about their
>    information being disclosed, so not to jeopardize the ongoing investigation.
>
>    2. *The ability to confirm with the Rr that the confidential treatment
>    can be granted before proceeding with the request*: LEA may not wish
>    to proceed with the request if the confidentiality treatment cannot be
>    granted.
>
>
>
> The idea of offering a simple check box was considered during the call and
> well received. The ICANN Project Team has discussed and confirmed that we
> can add a simple checkbox for requestors to utilize. The checkbox would
> have a verbiage in the nature of: "Due to the nature of this request
> involving law enforcement matters, I request strict confidentiality. I also
> ask that the registrar overseeing this request acknowledges and confirms
> the confidential treatment before proceeding with the processing."
>
>
>
> Please note, the system will not offer systematic solution for requestors
> to receive such “acknowledgement and confirmation” from registrars. Please
> also note, the “acknowledgement and confirmation” from the registrars will
> take place outside the RDRS, as the system does not have a feature for data
> requestor and registrar to communicate. This is in line with SSAD
> recommendations thus with RDRS design, envisioned in the design paper
> <https://www.icann.org/en/system/files/files/whois-disclosure-system-design-paper-13sep22-en.pdf>.
> Lastly, I’d like to remind you that the RDRS, the voluntary service to
> Registrars, cannot impose specific behavior or actions from registrars.
>
>
>
> Thank you,
>
>
>
> Yuko Yokoyama
>
> Program Director
>
> Strategic Initiatives, Global Domains & Strategy
>
> Internet Corporation for Assigned Names and Numbers (ICANN)
>
>
>
> Direct Line:  +1 310 578 8693
>
> Mobile: +1 310 745 1517
>
> E-mail:  yuko.yokoyama at icann.org
>
> www.icann.org
>
>
> _______________________________________________
> GNSO-EPDPP2-SmallTeam mailing list
> GNSO-EPDPP2-SmallTeam at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdpp2-smallteam
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/gnso-epdpp2-smallteam/attachments/20230516/536ae27c/attachment.html>

More information about the GNSO-EPDPP2-SmallTeam mailing list