Logo

GNSO: EPDP Phase 2 (SSAD) - Shared screen with speaker view
Berry Cobb - ICANN Org
37:26
Hello, my name is Berry Cobb and I will be monitoring this chat room. When submitting a question or comment that you want me to read out loud, please start with a <QUESTION> and end with a <QUESTION>, or <COMMENT> <COMMENT>. I will read them aloud during the time set by the Chair or Moderator of this session. Text outside these quotes will be considered part of “chat” and will not be read out loud. If you wish to speak during this session, raise your hand in Zoom or queue at the aisle microphone as directed.
Berry Cobb - ICANN Org
37:42
Taking part via audio: If you are remote, please wait until you are called upon and unmute your Zoom microphone. For those of you in the main room, please raise your hand in Zoom, and when called upon unmute your table mic. In the secondary room, please raise your hand in Zoom, and go to the standalone mic when called upon.
Berry Cobb - ICANN Org
37:57
Please note that chat sessions are being archived and are governed by the ICANN Expected Standards of Behavior. http://www.icann.org/en/news/in-focus/accountability/expected-standards.
Goran Marby
37:57
Hi all
Lawrence Olawale-Roberts (MicroBoss)
39:09
Hello Goran and hi all
Imran Hossen
39:25
Hi All
Maxim Alzoba (RySG)
47:36
Hello all
DANKO Jevtović
49:50
Hi Max!
Paul D. McGrady
50:29
I like WHOIS Disclosure System as a name. More accurate and less "sad" sounding
Goran Marby
51:45
We have a new theory, to call things for what they are…
Terri Agnew - ICANN Org
52:24
**Reminder, if you are in the room, pleases turn off your computer speakers to avoid feedback.
Milton Mueller
52:42
how about calling it the Whois Disclosure REQUEST sytem, then? ;-)
Jan Jansen
53:14
RDAP disclose system ? As whois no longer exists ?
Goran Marby
54:09
We thought about that but from a user perspective, WHOIS is much more well known. Including in some legal texts.
SANTANU ACHARYA
55:00
Can any registry create their own WHOIS system in addition to the ICANN guidelines
Jan Jansen
55:25
This seems to lack the "unform" way a request should be processed.
Goran Marby
55:47
Of course but the difference is that if this a policy accepted, it becomes mandatory for the CPH.
Sarah Wyld (RrSG)
56:12
The data in [4] is the requestor's personal data? (It must be, at this point, right?)
Goran Marby
56:40
Or maybe I misunderstood your question, it is the contracted parties who has all data, ICANN does not have the data.
Goran Marby
57:09
Sarah, that is the assumption yes
Sarah Wyld (RrSG)
57:13
Thank you Goran
Maxim Alzoba (RySG)
57:24
what is the reason to store PII data in the system?
Sarah Wyld (RrSG)
57:39
Maxim wouldn't it be necessary to identify who the requestor is?
Milton Mueller
57:48
the "encrypted PII" is the PII of the requestor?
Paul D. McGrady
57:56
Very glad to hear about the reports.
Jan Jansen
58:09
I imagined the Rars would get support in their handeling the "disclore". As in a set of forms they would run through.
Goran Marby
58:20
We will not store that data, we will delete in the end process
desiree miloshevic
58:32
Is there more information on icann’s website about current uses of Name Services portal?
Maxim Alzoba (RySG)
59:21
@Sarah, if it is the requestor’s PII, or the avoidance of confusion it should be on the picture
Jan Jansen
59:21
Salesforce equals expensive unfortunately
Maxim Alzoba (RySG)
59:37
Salesforce is extremely slow in CZDS
Goran Marby
59:39
Jan, if you wonder why the data goes from the CP to the requester is due to data minimization from GDPR.
Sarah Wyld (RrSG)
59:40
Maxim I think that was [4] in the previous slide?
Maxim Alzoba (RySG)
59:54
the CZDS is few times slower than the previous system of CZDS
Milton Mueller
59:56
Are ICANN's Salesforce account fees usage sensitive?
Amr Elsadr
01:00:05
Registries and Registrars receiving disclosure requests will be granted access to user data in Okta for user ID verification purposes?
Paul D. McGrady
01:00:18
It seems very sensible to build all of this on top of technology and internal expertise that ICANN altready has.
Greg DiBiase (Amazon Registrar)
01:00:25
agreed Paul
desiree miloshevic
01:00:37
My question has been answered by the current slide…
Goran Marby
01:00:50
The contracted party needs to know who the requester is, it is part of the balancing test
Thomas Rickert
01:00:57
Agreed. Good to build on existing work products.
Julie Bisland - ICANN Org
01:01:26
@all panelists - Please be sure to change your chat drop down to Everyone, thank you!
Amr Elsadr
01:01:30
@Goran: Agree, so trying to understand how that'd work in this scenario.
Susan Payne
01:01:36
Question: @Ashwin, could you explain further the reason for the encrypted PII data please. If the disclosure is by the CP to the requestor then what is the purpose of this system having the PII data, what is it to be used for?
Berry Cobb - ICANN Org
01:02:03
Hello, my name is Berry Cobb and I will be monitoring this chat room. When submitting a question or comment that you want me to read out loud, please start with a <QUESTION> and end with a <QUESTION>, or <COMMENT> <COMMENT>. I will read them aloud during the time set by the Chair or Moderator of this session. Text outside these quotes will be considered part of “chat” and will not be read out loud. If you wish to speak during this session, raise your hand in Zoom or queue at the aisle microphone as directed.
Maxim Alzoba (RySG)
01:02:05
Salesforce is extremely slow in CZDS, it is few times worse than the previous czds system
Volker Greimann (RRSG)
01:02:46
what are the actual steps a CP would have to complete in responding? Are you expecting us to send the response in our own ticketing system and then manually updating the Ticket in the ICANN system?
Goran Marby
01:02:53
Susan, as it said on the previously page. The private date will not be stored, it will be deleted.
Brian King
01:04:25
In hindsight, ICANN could/should have done this in 2018. Still, seems like a good step to start with today, albeit insufficient to resolve EPDP long-term as accreditation, automation, etc. still need to be built out over time.
Maxim Alzoba (RySG)
01:04:33
and speaking about Salesforce, scaling the system to full will not make it faster than the pilot (so it could be another stand alone system with authorization via some existing one)
Sarah Wyld (RrSG)
01:04:57
Are these slides available? I couldn't find it in the meeting agenda link.
Marika Konings - ICANN Org
01:05:14
@Sarah - we will post these on the agenda wiki page shortly.
Sarah Wyld (RrSG)
01:05:19
Thanks Marika
Serena Lai
01:05:42
ejbccctnntghddltlghifdhdelughcghvhnhkvtulbgb
Paul D. McGrady
01:06:49
@Brian, hindsight may be 20/20 but the next best time to do this is as soon as practical after today. :-) I expect we will learn a lot through this effort which can inform future work and thinking. I'm so impressed by Ash's presentation - it makes it all seem so straightforward and understandable for us non-coders.
Alan Woods
01:08:21
Serena +!
Maxim Alzoba (RySG)
01:08:42
the most important part is a legal work by the hands of the legal advisors of the particular contracted party (it is not going to be automated)
Alan Woods
01:08:57
Serena +1
Marika Konings - ICANN Org
01:09:27
Please note that attendees are also able to raise hands and get in the queue
Sarah Wyld (RrSG)
01:09:43
Good point Thomas, there would need to be some retention period sufficient to review use
Milton Mueller
01:09:47
+1 Thomas. Why should requestors be anonymous?
Sarah Wyld (RrSG)
01:10:05
Data should not be retained forever, but also it should be kept for the necessary period
Greg DiBiase (Amazon Registrar)
01:10:08
it should at least be an option to not be anonymous
Becky Burr
01:10:27
trade off on data minimization and accountability, but Thomas has a good point
Marika Konings - ICANN Org
01:10:35
Note that raising hands and speaking is also possible for those in the secondary room - please raise your hand and you can use the standing mic in the room.
Sarah Wyld (RrSG)
01:10:35
It's all about finding the right balance
Griffin Barnett
01:10:42
+1 to Thomas's comment - I think it will be important to track certain info about the use of this system … will be good to know types of requestors, numbers of requests, and number of types of responses to see how the system is working in terms of facilitating requests, how often it results in disclosure or rejection, if there are any issues in ensuring contracted parties timely respond etc.
Maxim Alzoba (RySG)
01:10:47
anonymous requestors is not going to fly , in many jurisdictions
Thomas Rickert
01:10:59
From a GDPR perspective, we can make my suggestion work with no problem. I am happy to help with specifics.
Becky Burr
01:11:27
agree @Maxim re anonymous requestor
Sarah Wyld (RrSG)
01:11:47
No billing here, and then transition to full SSAD with billing, will be a difficult transition, I think
Goran Marby
01:12:26
The billing function is not inexpensive
Berry Cobb - ICANN Org
01:12:29
@Milton - please raise your hand in chat.
Susan Payne
01:12:32
@Goran, could you not as a minimum ask for consent to retain the data for tracking and reporting purposes. If there is no consent it is deleted as you propose, if there is consent you keep it?
Berry Cobb - ICANN Org
01:12:35
In zoom
Milton Mueller
01:12:50
got it. When I first logged in there was no hand raise function
Amr Elsadr
01:12:52
@Kurt: +1
Becky Burr
01:13:13
I. agree with Thomas that retention for some reasonable period should be consistent witth GDPR
Griffin Barnett
01:14:05
Agree that the intake of disclosure requests should be via a form to help maximize efficiency/effectiveness - I think contracted parties have already done some work in the area of a disclosure request form
Sarah Wyld (RrSG)
01:14:37
To Griffin's point: https://rrsg.org/wp-content/uploads/2020/10/CPH-Minimum-Required-Information-for-a-Whois-Data-Requests.docx.pdf
Alex Deacon
01:14:59
The Phase 1 policy already defines what data must be provided in a request.
Alex Deacon
01:15:37
The Phase 1 policy already defines what data must be provided in a request.
Goran Marby
01:15:51
A good reminder, thanks. I was more thinking about the actual format being workable.
Thomas Rickert
01:17:26
Nothing is as permanent as a temporary solution :-)
Maxim Alzoba (RySG)
01:17:34
+1
Goran Marby
01:17:35
We have things to talk about, that is why we need more time to develop the system
Goran Marby
01:17:41
Aka the six weeks
Owen Smigelski (Namecheap)
01:17:42
+1 Thomas
Maxim Alzoba (RySG)
01:18:27
there should be an option to donate ‘cost of number of tickets’ - so some party could send it tokens , for example to Interpol
Farzaneh Badii
01:18:53
I really don't understand why ICANN should be involved with this. but that ship has sailed. I just have to transmit my skepticism.
Alex Deacon
01:19:07
I'm also interested in understanding if this is simply a step on our path to a system that fully supports the recommendations in the Phase 1 policy ... or something else.
Farzaneh Badii
01:19:15
so we will address access authorization another time?
Griffin Barnett
01:19:15
+1 Alex
Thomas Rickert
01:19:31
If at all possible with proportionate efforts, there should be a charge. Lots of folks will work on requests and the requestor should be seriously considering the need for data and pay a charge - even for the temporary system.
Maxim Alzoba (RySG)
01:20:05
if everything fails - there should be a detailed explanation in many languages - how to request the data directly
Farzaneh Badii
01:20:14
didn't we set that policy about costs already? yes temp solution must have a billing mechanism
Milton Mueller
01:20:33
Credit cards are pretty global
Griffin Barnett
01:20:34
Regardless of billing/no billing etc. I would caution against judging overall demand for a system that provides reasonable access to registration data to legitimate access seekers based on this solution
Amr Elsadr
01:20:35
Including billing in SSAD Light would also provide more realistic stats on user adoption, if seeking missing data is the objective.
Farzaneh Badii
01:20:48
what do you mean Maxim?
Owen Smigelski (Namecheap)
01:20:57
+1 Amr
Farzaneh Badii
01:21:15
+1 Amr.
Milton Mueller
01:21:18
+1 Amr. We can't consider this a proof of concept unless there is some cost associated with requests
Thomas Rickert
01:21:19
+1 Amr
Maxim Alzoba (RySG)
01:21:50
@Farzaneh, I mean if the party has no positive answer - then the link to the detailed explanation should be offered
Maxim Alzoba (RySG)
01:21:59
in many langauges
Farzaneh Badii
01:22:16
that is a bit too excessive for a light system, don't you think?
Harald Alvestrand
01:22:39
wouldn't one think that the demand on a free system would be strictly larger than the demand on a system that requires payment?
Maxim Alzoba (RySG)
01:22:40
it could be in English only for the pilot
Jan Jansen
01:22:42
Two main questions remain : what is needed to submit a request and (from a GDPR point) how do you guarantee the requests are handled equal i.e. what does the balancing test look like
Maxim Alzoba (RySG)
01:23:07
and there are already texts with roles and options to try
Farzaneh Badii
01:23:23
also are we charging everyone? including law enforcement? credit cards don't work in some countries but I am comfortable with those countries law enforcement not having access to people's data tbh
Milton Mueller
01:24:15
We should charge everyone. The idea that Interpol or FBI or national police forces can't afford paying for requests is not credible
Marc Anderson (RySG / Verisign)
01:24:18
thank you Ashwin
Maxim Alzoba (RySG)
01:24:38
@Farzaneh, the local law usually prescribes how to interact with LEAs , and foreign LEAs do not exist from the local perspective (if there are no intergovernmental agreements of cross recognition of LEAs is in place )
Alex Deacon
01:24:45
One of the issues with using RDAP is that RDAP is an access protocol, but SSAD is a request protocol.
Maxim Alzoba (RySG)
01:26:17
is it possible to use average data (like a continent, type of the requestor (not precise , just a LEA, researcher e.t.c.)?
Griffin Barnett
01:26:18
+1 Steve
Milton Mueller
01:26:19
A question for Steve DelBianco and BC/IPC: wouldn't the standardization of the interface and the central point of request be a major convenience improvement for requestors?
Stephanie Perrin
01:27:29
You have to maintain information of requestor for accountability purposes, Get Bird and Bird to answer that question, if you don't believe me.
Milton Mueller
01:27:37
Also there is a logical flaw in Steve's argument about the volume of requests: he seems to be saying that stronger guarantees of disclosure will increase the amount of requests, but no ICANN system can guarantee disclosure
Paul D. McGrady
01:28:54
Speaking Personally: @Milton - there are some of us within the IPC that think it will be a significant convenience over tracking down individual requests processes across all the various registrar websites. And, again personally, I think some data is better than no data as to how many requests are being made, by whom, to whom, on what basis, and how it was handled. .
Milton Mueller
01:29:14
+1 Steve
Volker Greimann (RRSG)
01:29:17
i hope the feedback loop is as low maintenance as possible. Ideally the requests would flow into our ticketing system, so the response to the requestor can flow from there, and include a link for each response type. No logging into the bloody Okta platform, please!
Paul D. McGrady
01:31:07
+1 Goran - a great discussion and your team is very impressive.
Eleeza Agopian - ICANN Org
01:33:00
Hi -- yes I am back.
Goran Marby
01:33:02
Thanks Volker for your kind words..but the answer is really a policy question…how should the reporting look like…?
desiree miloshevic
01:33:24
We seem to be talking about a technical proof of concept but we seem to be focusing on the proof of use. technical solution is about seeing if the process can be streamlined and easier to use by CPH. It is not a proof of concept of use for now - is how I read it.
desiree miloshevic
01:33:50
current proposal seems like a step in the right direction.
Steve DelBianco (BC)
01:35:10
@Milton -- BC believes that a centralized SSAD operated by ICANN would provide a faster and more fair evaluation of the GDPR balance text. The BC voted against the SSAD reccomendation because it did not centralize decision making. So we understand that no system can guarantee disclosure, we seek a centralized system where appropriate disclosure happens reliably and quickly enough to mitigate fraud and security threats.
John McElwaine
01:35:14
@Sebastien lowering my hand. That was my exact question.
Milton Mueller
01:35:53
understand, Steve. But that ship has sailed, no?
Sebastien Ducos
01:35:56
@John Thank you
Owen Smigelski (Namecheap)
01:36:02
+1 Milton
desiree miloshevic
01:36:14
@Sebastian - lowered my hand
Sebastien Ducos
01:36:38
@Desiree thank you
Goran Marby
01:36:42
Steve, that was the Strawberry project, we never really got an answer to it.
Paul D. McGrady
01:37:03
The 6 weeks seems like a good investment to take concrete steps to begin to solve a problem that has plagued the community for years. I know there are many that are anxious for the next round to start, and I am sympathetic. But, this WHOIS Disclosure System can be a meaningful step to making the ecosystem much safer.
Milton Mueller
01:37:08
wow, interesting idea, Thomas
Owen Smigelski (Namecheap)
01:37:36
@Steve: as was stated repeatedly during EDPD Phase 2, centralized decision making was a non-starter for contracted parties. They would still retain liability under GDPR for any fines, and thus need to retain the ability to make decisions. It's time to accept that fact and move on.
Milton Mueller
01:38:01
centralization was a non-starter for ICANN, too I believe.
Goran Marby
01:38:17
Sorry have to leave room
Stephanie Perrin
01:38:36
+1 Owen and Milton. There is the controllership issue.
Steve DelBianco (BC)
01:39:11
We are not likely to have time to discuss here, but the as-agreed NIS2 text will create new disclosure and accuracy obligations for registrars and registries. (I circulated the text today). How will NIS2 affect this project, in terms of measuring scope of disclosure, speed of disclosure, and accuracy of data?
Sarah Wyld (RrSG)
01:39:38
Steve DelB - I'm not sure that it does, I'd be interested in hearing more about what you think NIS2 changes for us
Alex Deacon
01:39:51
We seem to be designing a row boat....not the ship that the phase 1 final report defined.
Benjamin Akinmoyeje
01:40:16
@Stephanie do you mean censorship here 🤔, I am just thinking far
Brian King
01:40:17
@Owen @Milton not going to rehash the arguments here, but ICANN did offer to undertake centralized decisionmaking (strawberry project), and reasonable minds can differ as to whether CPs would have liability for ICANN-decided disclosure under the right model.
Farzaneh Badii
01:41:21
so what is the purpose for this system Steve is presenting on? are we going to have plural disclosure systems? and who is gonna run them?
Becky Burr
01:41:23
@milton, thinks it’s more accurate to say that ICANN agrees that because contracted parties will he held accountable for GDPR violations (which we think, absent input we sought from EDPB, is. the case) centralized. decision-making might well be inconsistent with GDPR
Becky Burr
01:41:38
@Milton, “I think”
Amr Elsadr
01:41:45
@Becky: +1
Owen Smigelski (Namecheap)
01:41:54
+1 Becky
Steve DelBianco (BC)
01:42:37
this diagram looks the power flow screen on a Prius
Owen Smigelski (Namecheap)
01:43:01
I agree completely Steve D!
Farzaneh Badii
01:43:10
so how is this system going to complement what ICANN presented?
Sarah Wyld (RrSG)
01:43:52
Support Farzaneh's question, how does this fit in with the current status of the SSAD recommendations?
Sarah Wyld (RrSG)
01:44:22
Are the operators of other data disclosure request platforms also going to be given a space to present their systems?
Thomas Rickert
01:44:32
Agreed, Farzi and Sarah!
Farzaneh Badii
01:44:50
oh finally we mentioned RDAP! calling it WHOIS disclosure might not be in trend
Jan Jansen
01:44:51
+1 Sarah
Becky Burr
01:45:11
the question I have on Steve's technology is how much. does he see decision-making being automated
Owen Smigelski (Namecheap)
01:45:32
Agree Farzi- I don't like that “whois" is making a comeback. I thought it was killed/replaced by “registration data" and “RDAP”
Paul D. McGrady
01:46:04
I guess I don't understand why a requestor would want to make the request in two places. If ICANN has a system up and running quickly, it seems like most folks would be happy to use that first-to-market option, especially if it is going to produce reports on usage which will be helpful to the entire community.
Jan Jansen
01:46:13
+1 Owen ... but it seems "whois" is what people know
Maxim Alzoba (RySG)
01:46:14
at least replaced with RDDS (RDAP, whois for some time)
Stephanie Perrin
01:46:14
if it is automated, who is the controller?
Maxim Alzoba (RySG)
01:47:17
could there be a cheaper /free option for the requestors - to check who is the party for the potential request?
Farzaneh Badii
01:47:24
I don't see how this system complements ICANN’s. also there are other operators so what are we gonna do with them? are they gonna present?
Maxim Alzoba (RySG)
01:47:26
without using the system
Stephanie Perrin
01:47:33
@ Benjamin, when I use the word controller I am referring to the accountable party under data protection law, who is answerable not only for the disclosure of PI that we anticipate, but for any unanticipated data breaches, security breaches, bias in any automation tools, etc
Paul D. McGrady
01:47:36
Thank you all! Great discussion!
Maxim Alzoba (RySG)
01:47:37
thanks all