[GNSO-TPR] Notes and action items - TPR WG Meeting #80 - 14 February 2023 at 16:00 UTC
julie.hedlund at icann.org
Tue Feb 14 17:37:27 UTC 2023
Dear TPR WG members,
Please find below the notes and action items from today’s meeting.
The next meeting will be on Tuesday, 21 February 2023 at 16:00 UTC.
Emily, Julie, Berry, and Caitlin
Actions from Meeting on 14 February: None identified.
Transfer Policy Review - Meeting #80
14 February 2023
1. Roll Call & SOI updates
* See Steinar Grøtterød SOI<https://community.icann.org/pages/viewpage.action?pageId=162890286>.
2. Welcome and Chair Updates
* Starting our Phase 2 discussions this week and circle back to our Phase 1b discussions next meeting.
* As we move into Phase 2 we’ll send out a request for early input on the charter questions to all the SOs and ACS; we’ll be sending that to you for review.
* Update from Steinar/ALAC: Circulated to the CPWG the proposal from Rick on having a shorter TTL for registries – lively discussion but no consensus.
3. Introduction to Phase 2 topics: Transfer Emergency Action Contact (TEAC), Transfer Dispute Resolution Policy (TDRP), and Fast Undo – see the attached slides.
* For more reading on the TEAC, please see page 33 of the Final Issue Report: https://gnso.icann.org/sites/default/files/file/field-file-attach/final-issue-report-pdp-transfer-policy-review-12jan21-en.pdf.
* For details about the ETRP proposal, see pages 49-54 here: https://gnso.icann.org/sites/default/files/filefield_12531/irtp-b-initial-report-29may10-en.pdf.
* See also: Public comments on the IRTP-B Initial Report. You can find the comments here: https://forum.icann.org/lists/irtp-b-initial-report/
4. Time permitting, begin discussion of fast undo -- what is different since the rejection of the Expedited Transfer Reverse Policy (ETRP) proposal?
See TDRP decisions at: https://www.adndrc.org/decisions/tdrp and https://www.adrforum.com/domain-dispute/search-decisions
* Useful to discuss some type of rollback.
* Think we should look at the TEAC process first and the changes that might be required, then look at the dispute process, followed by the undo feature.
* It is a question whether the recommendations we have established in Phase 1a - in particular the proposed security improvement, will make the ETRP less complexed.
* Wonder if we'll need a fast-undo separate from the TDRP... depends on what the TDRP looks like -- do like my idea of figuring out the components of any dispute process and then thinking about how to put it all together.
* It is difficult to create a policy to solve a problem when we don’t know what the problem is.
* So do we need two timeframes (fast undo and normal undo) or do we need one process that lets us indicate urgency (as you just said)?
* Move into a discussion of pain points relating to the TEAC.
Discussion of Pain Points Relating to the TEAC:
* Not much data, easy to game.
* Since TEAC contacts are via phone hard for registries to capture timelines.
* I do think some type of expedited transfer issue channel is needed, but not the current version of TEAC.
* If this mechanism is going to be maintained ICANN could provide a list of authoritative contacts to the registries.
* What does the group think about the idea of making a list of components for a transfer undo process, which we can then turn into a policy? Does that seem like a useful path? am I getting ahead of myself since we decided to look at the TEAC first?
* Re data: We found that it is not something ICANN org tracks – when the TEAC is being used. But there is a summary of inputs, including answers to survey questions, that is in the Policy Status Report.
* Initial thought is that unless there is a new concept that can be raised to possibly solve the known issues in principle, then it may not be worth-while embarking on that.
* What is the problem we are targeting – is it hijacking for the purpose of abuse?
* When you are looking at the dispute mechanism you are trying to correct something that occurred erroneously for whatever reason – maybe there are specific paths for why that occurred.
* We should have a way to address a transfer that occurred because the bad actor accessed the RNH's account or email and did the transfer.
* See various scenarios involving high-value names, including fake court orders.
* i’m just reacting to this frequent use of “hijack” in the discussion. I understand that it’s a transfer dispute. the reason doesn’t matter. the complicating factor is whether or not there’s an urgency factor, which only the RNH can answer I would think. or am I oversimplifying?
* It’s broader than hijacking – it’s about any transfer that shouldn’t have occurred.
* It doesn’t matter why the dispute over the transfer is occurring, just whether it’s urgent or not.
* We should start by looking at the concerns that came in from the public comment period.
* Once we work through the TEAC and TDRP we may eliminate the need for a roll back, or identify a gap where it is needed.
* One of the intention of including the proposal from IRTP (ETRP) and comments is to have that information in the background. If it’s useful to clarify the points previously raised we can do that, but it is meant as background information.
* The TEAC came out of IRTP Part B, the same one that considered and rejected the ETRP. The group was looking at these things as part of a dispute process.
Is additional data needed to support evaluation of the effectiveness of the TEAC?
* Helpful for the WG to consider what, if any, data might be available.
Is there merit to concerns that the requirement disproportionately impacts certain registrars, namely:
* Registrars located in regions outside of the Americas and Europe?
* Small and medium-sized registrars, which may not have a sufficiently large team to have 24x7 staff coverage with the necessary competency?
Registrars in countries where English is not the primary language?
To what extent should the 4-hour time frame be revisited in light of these concerns? Are there alternative means to address the underlying concerns other than adjusting the time frame?
* Need to consider guidance for responsiveness and what is a reasonable period of time.
* There is a lack of window of when this should be done – maybe that should be bounded.
* The 4-hour window is a loop hole to do damage.
* So we should consider if the timeframes achieve what we want to achieve.
* Have seen hijacks timed to occur at the start of a holiday to take advantage of the timeframe when no one might notice.
* Would a longer response time result in fewer problems? Not sure, but open to discussions.
* Important to think about the degree of impact – does it have to be a complete reversal of ownership; think there are degrees of transfer and criticality. Something to consider with timelines.
Is additional guidance needed to define a “reasonable period of time” after which registrars should be expected to use a standard dispute resolution process?
* Impact defines reasonable – could be an hour, could be 10 days. It depends.
* If someone doesn’t notice the transfer, seems like the TEAC might not be appropriate.
* Do think the policy should be changed to include a notification to the registrar.
* The TEAC isn’t a dispute mechanism, it's a point of contact -- so I think we need one policy (not two) which contains emergency and non-emergency requirements.
* It feels like the requests for disclosure process in the EPDP with two sections (urgent and not urgent).
* May need guidance on what might be an emergency.
* If it is an emergency, need to define “reasonable” and “actionable.”
Do telephone communications provide a sufficient “paper trail” for registrars who may later wish to request a transfer “undo” based on failure by a TEAC to respond?
* Should the requirement for communication by phone be eliminated?
* May have seemed like phone was the quickest method of communication, but not the best for an audit trail.
* Does the communication have to be specified?
* Issues of accuracy and privacy – phone numbers often are wrong and due to privacy we can’t monitor those calls.
Several factors make a Registry Operator’s obligation to “undo” a transfer under Section 6.4 of the Transfer Policy challenging – are updates needed?
To what extent are changes to the policy needed to address these concerns? Are there other pain points for Registry Operators that need to be considered in the review of the policy in this regard?
* These charter questions are fairly specific, but can be helpful to take a broader view of what problems we are trying to solve. Helpful to find the pain points.
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TEAC + TDRP + EDRP Slides.pdf
Size: 447094 bytes
Desc: TEAC + TDRP + EDRP Slides.pdf
More information about the GNSO-TPR