Logo

Julie Bisland's Personal Meeting Room
Thomas Rickert (ISPCP)
44:07
I am in another meeting so I will try to follow as much as I can.
Hadia Elminiawi (ALAC)
44:22
Hello all
Amr Elsadr (NCSG)
44:31
Hi all.
Becky Burr
44:32
Good morning from DC
Becky Burr
44:50
I’m here
Alan Woods (RySG) (Donuts)
45:02
BRB - my audio is not working
James Bladel (RrSG)
45:05
Good morning from Iowa, Becky. It is 5 degrees here. :)
Becky Burr
45:43
It’s 55 F here James, but your weather is heading east tonight ...
Volker Greimann (RrSG)
46:17
14° C and sunny here
Volker Greimann (RrSG)
46:35
or as some call it: "winter"
Julf Helsingius (NCSG)
46:45
+10C/50F here
Amr Elsadr (NCSG)
47:14
Since we’re sharing weather updates, 18C in the suburbs west of Giza, and sunny, but warmer today than it has been over the past week, or so. :)
Stephanie Perrin (NCSG)
47:18
-9 C and heading for 20 below cold snap after 10 inches of snow, so y’all just keep quite ok?
Stephanie Perrin (NCSG)
47:38
quiet, that was….
Amr Elsadr (NCSG)
48:23
I seem to have lost audio. Just me?
Amr Elsadr (NCSG)
48:28
Audio back now.
Alan Greenberg (ALAC)
48:35
ok here
Amr Elsadr (NCSG)
48:46
Must be on my end. Thanks, Alan.
Amr Elsadr (NCSG)
49:26
@Stephanie: Happy to trade some sand for snow.
Amr Elsadr (NCSG)
52:15
Having connectivity issues. Will try to fix them, then rejoin the call.
Stephanie Perrin (NCSG)
56:26
+1 Volker
Stephanie Perrin (NCSG)
57:09
Key words in Volker’s contribution: legal clarity.
Volker Greimann (RrSG)
57:23
To those groups I would like to say: Is having no change over the status quo really preferrable over the hybrid model?
Volker Greimann (RrSG)
58:02
as the hybrid model has a centralized part to it, it makes adapting it to be more permissive later on easier
Stephanie Perrin (NCSG)
58:05
We can talk about how important our consensus position is, but we need to focus on legal certainty. Hybrid model is the only possibility.
Amr Elsadr (NCSG)
58:30
@Stephanie: +1
Volker Greimann (RrSG)
58:53
status qou is the fully decentralized model, btw
Matt Serlin (RrSG)
58:57
Also just to be clear, the hybrid model we have proposed provides for many improvements over what exists today
Volker Greimann (RrSG)
58:58
quo
Hadia Elminiawi (ALAC)
59:23
We could be think about a hybrid model based on the centralized model
Matt Serlin (RrSG)
59:37
If all requests flow through a central gateway, it allows for full tracking of those requests and assurances that the correct CP must respond, provide information, etc
Volker Greimann (RrSG)
59:45
do we want to wait another year then? or do we build the hybrid model and then incorporate the new learnings down the road?
Hadia Elminiawi (ALAC)
59:51
we could consider a hybrid model based on the centralized model
Alan Woods (RySG - Donuts)
59:57
+1 james
Volker Greimann (RrSG)
01:00:11
+1 James
Amr Elsadr (NCSG)
01:00:29
@Matt: +1, which is one of the best features of the centralized model, which also makes the hybrid model appealing.
Matt Serlin (RrSG)
01:01:13
And to be clear, if we got off this call today and all agreed on the hybrid model, we would still be crunched for time to get our work done in the allotted time
Volker Greimann (RrSG)
01:02:39
Lets not build the egg-laying woolmilkpig right away. let's first get something that lays eggs and breed it for additional features later
Alan Greenberg (ALAC)
01:02:55
I wish we could stop talking about at 100% centralized model. I don't see how we could ever get there as there will always be cases where CP have access to data needed to make a fair decision. To force 100% centralized, we are virtually guaranteeing rejection of requests that might be valid.
Brian King (IPC) (MarkMonitor)
01:03:55
+1 Laureen
Hadia Elminiawi (ALAC)
01:04:55
We could start with a policy that allows for a mature system that is centralized but currently working mostly in a hybrid way with regard to the decision making
Alan Greenberg (ALAC)
01:05:09
@Laureen, that is exactly what some of us are proposing. Identify specific classes of requests that may be "simple" but high volume, that we could automate immediately.
James Bladel (RrSG)
01:05:41
+1 Laureen. LEA requests can be automated today, if we can do some jurisdiction matching/vetting (part of accreditation?).
Alan Woods (RySG - Donuts)
01:06:36
+ 1 Ben … I agree I think that it is a great approach, and the most sensible TBH
Alan Greenberg (ALAC)
01:08:30
I have an ongoing power outage so I may disappear as one device loses battery power and I switch to another one.
Matt Serlin (RrSG)
01:09:01
+1 Brian - for sure…lots of work to be done but boy I think our work could be successful if we agreed on a model and dug in, rolled up our sleeves and did it in the coming months rather than go round and round on the model
Terri Agnew
01:09:07
@Alan, noted
Brian King (IPC) (MarkMonitor)
01:10:33
@Matt, I almost agree with you. We cannot "agree on a model" until we know that it can meet our needs. We are happy to agree to get to work on policy development around a model, but we cannot write a blank check. I hope that makes sense.
Steve DelBianco (BC)
01:13:52
Hybrid model has structural elements (centralized gateway and logging, RDAP relay, etc). But it also has Operational elements such as maximum response time for disclosure or denial, and a Service Level Agreement such as 95% of responses to accredited requests within x hours.
Amr Elsadr (NCSG)
01:13:58
A deadline for noon tomorrow gives us less than 48 hrs to review and discuss the draft questions.
Thomas Rickert (ISPCP)
01:15:38
we all need to commit to work on the basis of their advice.
Thomas Rickert (ISPCP)
01:15:50
bravo, Alan W
James Bladel (RrSG)
01:21:20
Lots of useful tools went away with changes in the law.
Alan Woods (RySG - Donuts)
01:21:47
lots of 'useful' tool existed at the time despite the law too.....
Becky Burr (ICANN Board Liaison)
01:21:54
understood James.
Becky Burr (ICANN Board Liaison)
01:22:21
But my understanding of the situation with the PDP was as described by Janis
Brian King (IPC) (MarkMonitor)
01:22:23
What we're asking is how the law applies to this
James Bladel (RrSG)
01:22:52
@Brian - ok, that’s fair. But why? For a future PDP?
Mark Svancarek (BC) (marksv)
01:23:19
Tools may have gone away with changes of law even though the law did not definitively require them to go away.
Alan Woods (RySG - Donuts)
01:23:26
I think you are not quite seeing Amr's point Brian. The point is that we should not expend our time and indeed funds on a matter that is not in scope.
Alan Woods (RySG - Donuts)
01:23:39
Examples Mark?
Mark Svancarek (BC) (marksv)
01:24:08
Access to the contact info of legal persons, for example
Milton Mueller (NCSG)
01:24:10
Well said, Amr
Milton Mueller (NCSG)
01:24:57
Mark, access to contact info of legal persons is not a distinct tool, as far as I can tell. It’s a policy decision regarding what data is redacted and what is not
Brian King (IPC) (MarkMonitor)
01:24:58
We have language in the draft initial report that would make it consensus policy to prohibit reverse lookups. If it's within our remit to prohibit it, wouldn't it be within our remit to allow it, if legally permissible?
Amr Elsadr (NCSG)
01:25:50
The views I referred to were expressed in EPDP plenary calls, not on the legal committee (or if they were on the legal committee, I don’t know about it).
Becky Burr (ICANN Board Liaison)
01:26:59
This particular question was actually approved by the Legal Committee before I replaced Leon, so I am unable to speak in detail regarding the discussion in the committee. What I can say is that all parts of the community have been represented in the Committee discussions, we have had good participation and vigorous debate.
Becky Burr (ICANN Board Liaison)
01:27:45
That said, if reverse lookup has been rejected as a policy matter by the plenary, moving forward doesn’t make a lot of sense
Amr Elsadr (NCSG)
01:29:50
@Becky: My take on reverse lookup isn’t so much a policy one, but a procedural one. EPDPs (as opposed to PDPs) have very narrow remits, in which reverse lookup doesn’t fit.
Amr Elsadr (NCSG)
01:30:48
@Hadia: I just said that not all our concerns are legal. Our = NCSG. I understand that you don’t share those concerns, but we do.
Becky Burr (ICANN Board Liaison)
01:32:48
If I am understanding this discussion, we need to reach agreement about whether this is in or out of scope.
Amr Elsadr (NCSG)
01:34:25
Thanks, Becky.
Hadia Elminiawi (ALAC)
01:35:28
@Amr the concerns in relation to Natural vs legal are legal by nature. If you regard the law (GDPR) wrong about having legal persons data not protected under GDPR - we can't do anything in this regard
Berry Cobb
01:35:35
I will stop my share momentarly to prep for next agenda item.
Amr Elsadr (NCSG)
01:35:50
@Janis: Wether it’s compliant or not, wether it’s desirable or not…, makes no difference. It’s out-of-scope.
James Bladel (RrSG)
01:36:07
There were two objections: Legality and Scope. Bird & Bird may be asked on the legality, but that’s irrelevant for the scope of this PDP. So the future PDP should pay for their own advice.
Amr Elsadr (NCSG)
01:36:20
@James: +1
Brian King (IPC) (MarkMonitor)
01:37:03
You might be surprised, but we'd be just as happy to call this out of scope - however, this means that reverse lookups cannot be prohibited either, and that draft language must be changed.
Brian King (IPC) (MarkMonitor)
01:37:32
I don't think it's de facto out of scope, but we'd be happy to focus elsewhere and be silent on reverse lookups
Amr Elsadr (NCSG)
01:37:42
@Brian: I’m perfectly happy with no mention of reverse lookups, one way or the other, in our report.
Becky Burr (ICANN Board Liaison)
01:37:45
yes, we will do that if people respond by email with objections. Please be as specific as possible
James Bladel (RrSG)
01:37:46
@Brian - I am looking over the initial report, and don’t see it. Can you show me where it is prohibited?
James Bladel (RrSG)
01:37:57
but otherwise fine that we don’t mention it at all
Brian King (IPC) (MarkMonitor)
01:37:59
Query policy I believe
Brian King (IPC) (MarkMonitor)
01:38:02
I'll find it
James Bladel (RrSG)
01:38:10
ok, I’ll look there
Brian King (IPC) (MarkMonitor)
01:38:42
Preliminary Rec 9, query policy
Matt Serlin (RrSG)
01:38:57
Yeah I do recall that…so maybe that’s the best option is just for us to be silent on it
James Bladel (RrSG)
01:39:37
Probably one of those days when I was skipping school....
Thomas Rickert (ISPCP)
01:42:08
we nees to finish at least some important ones and include them
Thomas Rickert (ISPCP)
01:42:17
need
Amr Elsadr (NCSG)
01:42:44
Agree that the highlighted text on the screen is accurately representative of what their purpose within our deliberations were.
Thomas Rickert (ISPCP)
01:45:37
absent details on how decisions are being made in certain cases, the EDPB will not be able to assess GDPR compliance. period
Stephanie Perrin (NCSG)
01:46:08
I think dropping things in the interests of going forwards merely prolongs the agony
Thomas Rickert (ISPCP)
01:46:27
if we drop work on use cases, we need to lower our expectations
Stephanie Perrin (NCSG)
01:46:42
and plus 1000 Thomas.
Amr Elsadr (NCSG)
01:46:48
@Alan W and Alan G: +1
Thomas Rickert (ISPCP)
01:47:47
they are not ready for prime time, though.
Milton Mueller (NCSG)
01:48:56
Yes, discussing use cases did exactly what we wanted, which was clarify issues in the request and disclosure process. We are now done with it
Franck Journoud (IPC)
01:49:31
Thomas: “absent details on how decisions are being made in certain cases, the EDPB will not be able to assess GDPR compliance. period” I couldn’t agree more.
Alan Woods (RySG - Donuts)
01:51:38
the EDPB will look to the application of GDPR on a case by case basis. I'd rather the decision maker being able to show their own consideration and not merely point and shrug at a use case. Completely agree with Thomas they are not fit for purpose and I have no problem with the reference that they helped us on the path, but we need to be very very clear and explicit that they are illustrative not binding.
Alan Woods (RySG - Donuts)
01:52:19
(sorry putting word in Thomas' mouth - that they need work )
Mark Svancarek (BC) (marksv)
01:53:16
"illustrative and not binding" is an appropriate representation IMO
Mark Svancarek (BC) (marksv)
01:56:14
"they"
Steve DelBianco (BC)
01:57:06
Exactly, Mark SV. Requestors will approach registrars and registries directly with data requests and we cannot prevent that. Recc 18 from Phase 1 is supposed to implement methods for responding.
Stephanie Perrin (NCSG)
01:58:05
Who in SSAD will be accountable for reviewing the procedures and practices of LEAs, and determining whether they are consistent with the EU Charter/UDHR?
Stephanie Perrin (NCSG)
01:59:18
I believe that ICANN has pumped a lot of money into the Internet and Jurisdiction project and they still don’t have an answer to that question, but I stand ready to be corrected by those in the know....
Volker Greimann (RrSG)
02:00:16
...but you accepted it. Let's ot walk back reached agreements!
Steve DelBianco (BC)
02:00:38
I hope the GAC responds directly to Stephanie’s question, but I don’t see how our SSAD can claim it has authority to review internal processes at a law enforcement agency.
Stephanie Perrin (NCSG)
02:03:36
I agree Steve. National sovereignty still exists. TBDF will remain a difficult problem for the foreseeable future.
Stephanie Perrin (NCSG)
02:04:05
As it has for the past 60 years….
Thomas Rickert (ISPCP)
02:04:16
i need to drop. bye all!
Berry Cobb
02:06:56
check
Steve DelBianco (BC)
02:07:36
Janis — not everyone seeking RDS data will even know the SSAD exists, and we will have LEA, reporters, and others who phone a registrar, send a letter, knock on the door, etc. So we absolutely need a Recc 18 implementation to give CPH a policy they can follow
Franck Journoud (IPC)
02:08:07
+1 Steve
James Bladel (RrSG)
02:08:45
Hi folks. I’m losing my workspace here at the hotel, so will need to drop. Apologies.
Caitlin Tubergen
02:12:31
Thanks, Marc A. - we can do that.
Berry Cobb
02:15:12
Link to goog doc.
Stephanie Perrin (NCSG)
02:15:29
The whole thing hinges on who is the controller, and how much the policy constrains their actions. That is a legal question worth asking
Berry Cobb
02:16:04
https://docs.google.com/document/d/1rV0Iwo6HCABfP8oaxPC_u_D-vvjud15b/edit
Brian King (IPC) (MarkMonitor)
02:16:43
+1 Marc
Brian King (IPC) (MarkMonitor)
02:16:58
Hopefully we don't need this permanently, but I think we do need it now
Brian King (IPC) (MarkMonitor)
02:20:02
Cool
Brian King (IPC) (MarkMonitor)
02:20:20
Smaller, plz
Brian King (IPC) (MarkMonitor)
02:20:27
jk
Brian King (IPC) (MarkMonitor)
02:24:58
+1 Marc
Amr Elsadr (NCSG)
02:25:43
Agree with Marc, and agree with MarkSV that how logging will be conducted is something we should consider in our determination.
Matt Serlin (RrSG)
02:25:49
+1 Georgios
Amr Elsadr (NCSG)
02:26:08
@Georgios: +1 here too.
Chris Lewis-Evans (GAC)
02:26:59
+1 Georgios in country A requestor + country A CP gets more difficult if the authorization provider is in country B
Julf Helsingius (NCSG)
02:27:19
Lots of background noise
Stefan Filipovic (NCSG)
02:27:52
someone tuning a guitar
Chris Lewis-Evans (GAC)
02:28:01
@Alan but if they log based from the information then they are processing it...
Mark Svancarek (BC) (marksv)
02:28:45
I am happy to think about it
Amr Elsadr (NCSG)
02:28:47
I’m not clear on why data passing through multiple jurisdictions does not constitute processing, but happy to table this for now.
Mark Svancarek (BC) (marksv)
02:28:56
but would like help from Giorgios ;-)
Georgios Tselentis (GAC)
02:29:01
I can also join
Mark Svancarek (BC) (marksv)
02:29:06
thx
Alan Greenberg (ALAC)
02:29:22
@Chris, I'm not sure that the logging involves any personal data.
Alan Greenberg (ALAC)
02:29:43
(other than that of the requestor)
Hadia Elminiawi (ALAC)
02:30:09
yes
Alan Greenberg (ALAC)
02:30:13
internet routers log all sorts of data as well...
Stephanie Perrin (NCSG)
02:31:41
logging is processing. I think that is pretty well acknowledged, do we need to cite the guidance?
Amr Elsadr (NCSG)
02:36:29
I think we need to distinguish between the entity performing the function, and the entity holding responsibility in the centralized model (the latter being ICANN).
Amr Elsadr (NCSG)
02:36:35
@Alan G: +1
Mark Svancarek (BC) (marksv)
02:37:02
AlanG just made my intervention... I think Janis was accidentally saying "accreditation authority" rather than "authorization authority"
Amr Elsadr (NCSG)
02:37:28
@Janis: This comment is specifically addressing the possibility that we recommend a centralized model in deciding responses to disclosure requests.
Chris Lewis-Evans (GAC)
02:37:47
+1 Alan G, Mark
Brian King (IPC) (MarkMonitor)
02:40:16
thanks all
Marc Anderson (Verisign / RySG)
02:40:17
thanks all
Brian King (IPC) (MarkMonitor)
02:40:19
bye
Julf Helsingius (NCSG)
02:40:21
Thanks all!
Amr Elsadr (NCSG)
02:40:21
Thanks all. Bye.
Georgios Tselentis (GAC)
02:40:25
thanks bye