051040043 - EPDP-Phase 2 April Team Call - Shared screen with speaker view
BECKY BURR (ICANN Board Liaison)
33:41
@terri and Caitlin, Chris D. has informed me that he will be a few minutes late in joining this call
Terri Agnew
35:06
Thank you Becky and noted
Brian King (IPC)
35:40
Merger?! Assuming that was GoDaddy's idea ;-)
Julf Helsingius (NCSG)
37:48
Apologies for joining late, GNSO council meeting ran a bit over.
Terri Agnew
38:12
Reminder to select all panelist and attendees for chat option.
Julf Helsingius (NCSG)
38:50
Ack
Brian King (IPC)
53:04
Agree, Marc. And agree query policy is good place to address this (not SLAs)
James Bladel (RrSG)
56:19
I would at -EXTREMELY- hypothetical.
James Bladel (RrSG)
56:21
thx.
Brian King (IPC)
58:41
Identity Validation Procedures
Brian King (IPC)
59:00
(in lieu of "authentication" in the third line)
Laureen Kapin (GAC)
01:01:04
Margie raises some important concerns.
Georgios Tselentis (GAC)
01:02:02
Isn't similar to presumption of innocence?
Brian King (IPC)
01:02:07
To clarify, this is not accreditation, just an identity provider
Brian King (IPC)
01:02:35
This isn't for bad guy requestors
Brian King (IPC)
01:02:44
That's a different section
James Bladel (RrSG)
01:03:16
Suspension of accreditation = suspension of access?
Brian King (IPC)
01:03:30
Yes b/c access requires accreditation
Margie Milam (BC)
01:03:53
if an identity provider is WIPO as an example — that means that all underneath it - all IP holders would be suspended during the appeal
Brian King (IPC)
01:04:16
+1 Margie. We're sympathetic to the concerns raised by James. This is the wrong section though.
Margie Milam (BC)
01:04:52
+1 Alan G
James Bladel (RrSG)
01:05:03
This isn’t all that dissimilar to when an SSL authority is revoked.
Stephanie Perrin (NCSG)
01:05:55
This does require further thought, I agree with Alan but if there is abuse you need to stop it right away. The controller will be liable if it provides access with knowledge of abuse….
Stephanie Perrin (NCSG)
01:06:48
So you need secondary procedures for the instances when an identity provider has a credibility issue
Marc Anderson (RySG)
01:07:12
The authorization policy for Identity providers SHOULD include graduated penalties. In other words, not every violation of the policy will result in De-authorization; however, De-authorization may occur if it has been determined that the Identity Provider has materially breached the conditions of its contract and failed to cure based on: a) a third-party complaint received
Laureen Kapin (GAC)
01:07:15
You're fading out Marc.
Stephanie Perrin (NCSG)
01:07:36
Yes you are wobbling Marc
Mark Svancarek (BC)
01:08:04
+1 Marc
Brian King (IPC)
01:08:13
Clearer now Marc thanks
Stephanie Perrin (NCSG)
01:09:55
This does require further thought, I agree with Alan but if there is abuse you need to stop it right away. The controller will be liable if it provides access with knowledge of abuse….
So you need secondary procedures for the instances when an identity provider has a credibility issue
Amr Elsadr (NCSG)
01:10:04
@AlanW: +1
Marc Anderson (RySG)
01:10:17
another excerpt from that section: Depending upon the nature and circumstances leading to the de-authorization of an Identity Provider, some or all of its outstanding credentials may be revoked or transitioned to a different Identity Provider
Stephanie Perrin (NCSG)
01:10:29
Thanks AlanW for remembering this is about the data subject’s rights
Amr Elsadr (NCSG)
01:10:37
The rights of the data subject cannot be waived until the identity provider issue is resolved.
James Bladel (RrSG)
01:10:40
Agree Alan, but it is also to protect the integrity (and legality) of the SSAD itself.
Alan Woods (RySG)
01:11:00
Agreed James, I think the two are hand in hand.
Chris Lewis-Evans (GAC)
01:11:03
+1 James (and Marc from before)
Mark Svancarek (BC)
01:11:04
Since we now recall the graduated responses, let's move on
Stephanie Perrin (NCSG)
01:11:09
Don’t forget the liability issue James.
Amr Elsadr (NCSG)
01:11:38
@Stephanie: +1. Doesn’t the liability issue become even more serious, if breaches by the identity provider are identified?
James Bladel (RrSG)
01:11:41
One can imagine that an SSAD that is unable to enforce its own controls would be (1) sued to death by data subjects or (2) ruled as not fit for purpose/incompetent by some DPA somewhere.
Amr Elsadr (NCSG)
01:11:55
@James: +1
Stephanie Perrin (NCSG)
01:13:49
Absolutely, that was what I was aiming at in response to Alan G. These accreditation instruments are to streamline the process and relieve burden on data controllers, but if they have been shown to be responsible for data breach (i.e. inappropriate release) then you have to stop the streamlined approach and find a way to reintroduce the rigour in the requestor validation process. I will resist the urge to refer again to the famous Equifax case….
Marc Anderson (RySG)
01:14:23
Page 20 in the initial report
Caitlin Tubergen
01:16:10
Examples of additional information the Accreditation Authority or Identity Provider MAY require an applicant for accreditation to provide could include:
o a business registration number and the name of the authority that issued this number (if the entity applying for accreditation is a legal person);
o information asserting trademark ownership
Volker Greimann (RrSG)
01:18:31
better call Saul
Brian King (IPC)
01:18:46
lol my thoughts exactly Volker
Milton Mueller (NCSG)
01:19:19
why do we need this clarification?
Stephanie Perrin (NCSG)
01:20:13
I don’t believe we do need it, I think it actually un-clarifies it. Lawyers can act for anyone.
Stephanie Perrin (NCSG)
01:20:43
Security researchers may also appoint sole operators, other firms, etc.
Stephanie Perrin (NCSG)
01:21:09
Retired cops may be hired by law enforcement authority….I shall not go on.
Matt Serlin (RrSG)
01:23:35
I need to drop for another call so Sarah Wyld will be taking over for me…thanks
Sarah Wyld (RrSG)
01:23:44
Thanks!
Sarah Wyld (RrSG)
01:26:01
Thanks to Staff for that and for all your hard work on this. Rec 2 was formatted very well, so Rec 1 would benefit from that type of change. And definitely support taking the Definitions out to their own section.
Marc Anderson (RySG)
01:27:37
+1 to taking the definitions out to their own section
BECKY BURR (ICANN Board Liaison)
01:29:03
bye all
Amr Elsadr (NCSG)
01:34:40
@Laureen: +1
Mark Svancarek (BC)
01:39:36
+1 Stephanie
Mark Svancarek (BC)
01:39:44
Very interesting suggestion
James Bladel (RrSG)
01:40:36
Agree Stephanie. Also raises the potential for due process issues.
Laureen Kapin (GAC)
01:41:09
Thx for raising these issues re: delegation to 3rd parties and the need to ensure trustworthiness Stephanie.
Alan Woods (RySG)
01:41:13
+1 Stephanie
Georgios Tselentis (GAC)
01:41:38
@Stephanie: There should be a clear reference to a law to entrust the third non-governmental party
Brian King (IPC)
01:41:49
@Stephanie thanks for raising those important points
Sarah Wyld (RrSG)
01:43:32
Rec 2 had very clear section headers, we should consider using that for the combined rec
Volker Greimann (RrSG)
01:48:28
new category: other
Terri Agnew
01:52:44
30 seconds left
Sarah Wyld (RrSG)
01:53:45
sorry, accept what?
Alan Woods (RySG)
01:55:00
Sorry - no I do have issue with the 2nd bullet point.
Margie Milam (BC)
01:55:11
+1 Laureen
Alan Woods (RySG)
01:55:15
But again … let’s hear the B&B response
Sarah Wyld (RrSG)
01:55:15
Re the second bullet on the left-side page, we need to be careful to balance standardization of request format (e.g. checkboxes, dropdowns) against the ability of requestors to simply select what they think will be most expedient rather than what is true.
Amr Elsadr (NCSG)
01:55:24
So do I. Is this the bullet about pre-populated dropdown menus?
Alan Woods (RySG)
01:55:30
yup
Sarah Wyld (RrSG)
01:55:51
Re Item 1. remaining, I do not think we need a list of purposes. We already have a Phase 1 rec. on purposes, and we shouldn't restrict requestors in this way. It should be a free-form text box.
Amr Elsadr (NCSG)
01:56:36
@Sarah: +1, and no need to provide a cheat-sheet of permissible purposes either.
Sarah Wyld (RrSG)
01:57:24
well said Amr. Plus, although it's a potentially permissible purpose it still depends on the specific case at hand.
Brian King (IPC)
01:57:48
Just note that Phase 1 purposes were purposes for the collection. We're talking about purposes for third parties here. Important distinction.
Sarah Wyld (RrSG)
01:58:15
They were purposes for processing data
Sarah Wyld (RrSG)
01:58:28
though, icann purposes, not third-party, that's a good point
Stephanie Perrin (NCSG)
01:58:41
Agree with Amr on cheat sheet.
Sarah Wyld (RrSG)
01:59:04
So, Phase 1 purposes aside, the point still stands that requestors will be able to identify why they need the data and clearly indicate their purpose without a menu of options
Sarah Wyld (RrSG)
01:59:27
I just think we can spend our time on other more essential topics rather than a non-exhaustive list of purposes.
Amr Elsadr (NCSG)
02:00:23
@MarkSV: The whole reason this system exists is because Registrants are criminals, even though they agree to registrar T&Cs, and a registration agreement.
Stephanie Perrin (NCSG)
02:00:23
Experience provides ample proof of that Mark SV. We are trying to create a system that assures trust.
Stephanie Perrin (NCSG)
02:01:42
The more a group of requestors thinks they are entitled to this information anyway (having, for instance, had free and unencumbered access to it for 20 years) the more they will treat the process as a cheat sheet.
Margie Milam (BC)
02:02:10
@Stephanie - I haven’t seen studies that support the type of abuse you are worried about;
Stephanie Perrin (NCSG)
02:02:37
Anyone who has dealt with requestors has encountered misrepresentation. We need to figure out how to defend against that, even if it slows things down
Stephanie Perrin (NCSG)
02:03:10
I would suggest a through read of some of the DPAs’ annual reports
Margie Milam (BC)
02:03:14
+1 Alan
Stephanie Perrin (NCSG)
02:03:18
thorough
Sarah Wyld (RrSG)
02:03:26
+1 stephanie
Brian King (IPC)
02:03:31
+1 AlanG
Sarah Wyld (RrSG)
02:03:42
Brian - could you remind me what B&B memo that was you referred to?
Brian King (IPC)
02:03:51
Yep, the one on automation
Sarah Wyld (RrSG)
02:04:02
Thanks
Stephanie Perrin (NCSG)
02:04:11
The fact that ICANN has not studied the issue of requestor abuse is in my view not enhancing its credibility in these matters.
Stephanie Perrin (NCSG)
02:04:32
We have umpteen research reports on registrant abuse.
Alan Greenberg (ALAC)
02:04:44
Pre-defined terms that are well defined gives more specificity, not less.
Alan Greenberg (ALAC)
02:05:07
Pre-defined terms that are well defined gives more specificity, not less.
Margie Milam (BC)
02:05:48
We are building in a lot of logging & audits to address abuse so the new system is already building in data that ICANN can look at to see the level of abuse by requestors
Sarah Wyld (RrSG)
02:05:52
As I said earlier, I don't think spending time on a necessarily incomplete list of purposes is the best use of our limited time here
Amr Elsadr (NCSG)
02:07:14
@AlanW: +1
Sarah Wyld (RrSG)
02:07:27
+1 Alan W
Stephanie Perrin (NCSG)
02:07:40
+1000 Alan W
Alan Woods (RySG)
02:08:53
Can we drop the SLA so lol?
Sarah Wyld (RrSG)
02:09:08
The benefit is that it requires the requestor to explain their purpose in their words.
Amr Elsadr (NCSG)
02:09:46
How does not having the checkbox make your life difficult, MarkSV?!
Alan Woods (RySG)
02:10:56
Grand, ignore our valid concerns should you believe our experience of applying the actual law is somehow inconvenient to your requests
James Bladel (RrSG)
02:11:02
Never in the history of checkboxes has a checkbox checked this many boxes.
Sarah Wyld (RrSG)
02:11:16
we should not put 'as applicable'
Amr Elsadr (NCSG)
02:11:25
To be clear, I’m not saying that anybody on this call is trying to game the SSAD. Everybody here will presumably be perfectly capable of submitting a solid disclosure request, whether pre-populated lists exist, or not.
Volker Greimann (RrSG)
02:12:01
I like options
Amr Elsadr (NCSG)
02:13:18
@Sarah: +1
Sarah Wyld (RrSG)
02:15:24
Is the sla for the incomplete request response not already 'without undue delay'?
Sarah Wyld (RrSG)
02:15:52
Agree with the expectation that the request cannot be submitted if it is incomplete
Stephanie Perrin (NCSG)
02:16:02
Thanks for clarifying the requirements Sarah!
Sarah Wyld (RrSG)
02:16:04
as Janis says, I think it's not a problem to solve
Sarah Wyld (RrSG)
02:16:57
SLA for an *amended* request is something we should discuss though yes
Sarah Wyld (RrSG)
02:17:16
In that case, the requestor would be subject to the SLA, not the CGM
Mark Svancarek (BC)
02:19:34
+1 Marc
Mark Svancarek (BC)
02:20:55
+1 Brian
James Bladel (RrSG)
02:23:02
I have a hard stop in a few min. Thx.
Amr Elsadr (NCSG)
02:28:41
Thanks all. Bye.
Sarah Wyld (RrSG)
02:29:15
Thanks, all
Rafik Dammak (GNSO Council Liaison)
02:29:17
Thanks all
Julf Helsingius (NCSG)
02:29:23
Thanks