Update session in SSAD ODP (Council & GNSO EPDP members) - Shared screen with speaker view
Nathalie Peregrine - ICANN Org
37:20
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.
Brian King
39:05
Shouldn't the deliberations be recorded as well? Doesn't seem to be consistent with objectives of transparency.
Margie Milam
39:15
+1 Brian
Olga Cavalli
39:19
+1 to Brian King
Margie Milam
39:22
What’s the reason not to record?
Olga Cavalli
39:29
Why not record all?
Olga Cavalli
42:36
Eleeza your sound is not very clear
Milton Mueller
42:47
So we can be “frank and candid” ;-)
Thomas Rickert
43:56
So it’s BAU for you, Milton :-)
Milton Mueller
44:12
Bau wow wow
Milton Mueller
45:08
From the dog house to the BAUhaus
Thomas Rickert
45:24
:-)
Philippe Fouquart
45:25
if we are meant to see slides I'm still on the agenda, am I on my own?
Olga Cavalli
45:33
no change in slides
Thomas Rickert
45:34
Nope, same here Philippe
Olga Cavalli
45:49
nobody sees the chat
Goran Marby
46:04
I can see the chat?
Philippe Fouquart
46:15
thanks Goran
Olga Cavalli
46:28
I meant nobody is reading it
Eleeza Agopian
46:30
Apologies for the audio trouble. Internet unstable over here, so I’m going to try to stay off video for a time.
Diana Middleton
46:40
Also, Eleeza was having connection issues which is why you couldn’t hear, she’s rejoining now to see if it resolves the issue.
Olga Cavalli
46:41
thanks Eleeza
Thomas Rickert
47:35
No worries, Eleeza. The sound was not great, but at least I could understand you well.
Maxim Alzoba (RySG)
51:15
the DUMs are not evenly distributed among CPs, so majority does not have majority of DUMs
Amr Elsadr
52:45
# of requests per month? Per year?
Eleeza Agopian
52:58
These estimates are on an annual basis.
Amr Elsadr
53:07
Thanks, Eleeza.
Maxim Alzoba (RySG)
53:40
requests are processed by lawyers / legal advisors, so number of 12M requests seem to be too high (CPs do not use services of 10Ks of lawyers)
Goran Marby
54:15
As a number to compare, compliance gets about 30 000 complaints per year. So this number is low.
Maxim Alzoba (RySG)
56:30
Goran, quite a lot of those are auto generated
Goran Marby
57:18
Not arguing, just pointing that are very few complaints
Maxim Alzoba (RySG)
57:39
question: what happens if the number of users is low = 10k USD requests?
Brian King
57:57
To be clear, complaints about WHOIS disclosure denials are not submitted to Compliance because that path does not lead to obtaining the data.
Olga Cavalli
58:44
Eleeza sound is good now
Maxim Alzoba (RySG)
59:02
with 100M ICANN pool will be depleted in 3 years
Goran Marby
01:00:05
Brian, now I am not really sure I understand. The rules say that the CPH needs to answer, yes or no. If the requester does not get a yes or no, they should complain.
Maxim Alzoba (RySG)
01:00:12
we should not forget that the system is a front end for the CPs people, who make legal decisions (it is not possible to automate so far)
Diana Middleton
01:02:08
All webinars are posted here: https://www.icann.org/ssadodp
Brian King
01:03:15
@Goran how likely do you think it is that a CP provides the requested data once they've been burdened with a Compliance Inquiry? From the requestor perspective, success does not appear likely.
Jeff Neuman (GNSO Liaison to GAC)
01:03:28
Just to clarify that the Costs here represents ICANN's costs plus outsourced vendors costs
Jeff Neuman (GNSO Liaison to GAC)
01:03:31
?
Goran Marby
01:04:03
According to the PDP, all costs should be carried by the users. Not ICANN
Xavier Calvez
01:04:20
@Jeff: Yes, all of which are ICANN’s costs.
Goran Marby
01:04:23
The lack of access to data, that is GDPR
Jeff Neuman (GNSO Liaison to GAC)
01:04:34
Thanks Xavier.
Amr Elsadr
01:05:12
@Xavier: Contracted Parties’ costs in processing disclosure requests not included?
Maxim Alzoba (RySG)
01:06:40
old style sending e-mail to a CP members seems to be bit cheaper
Shani Quidwai
01:06:53
These are purely ICANN’s costs, does not include the costs of the contracted parties
Xavier Calvez
01:07:05
@Amr: that is correct. The financial evaluation work so far has not included any consultation of the CPs on what their costs are today, or would be under an SSAD model.
Amr Elsadr
01:07:20
Thanks Xavier and Shani.
Jeff Neuman (GNSO Liaison to GAC)
01:07:40
So, if there are 3 million users, the estimated cost would be $107 million annually (which is about $35 per user)? Or at 12 million requests (>$9 per request)?
Maxim Alzoba (RySG)
01:08:44
so far SSAD seems to be serving interests of venors
Maxim Alzoba (RySG)
01:08:54
vendors
Shani Quidwai
01:10:43
There are 3 different fees that we have modeled, each fee type has different costs: Accreditation Identity Verification, Requestor Declaration and Disclosure Request Processing
Brian King
01:11:14
Thank you, Goran, Eleeza, Yuko.
Brian King
01:11:27
From where I sit, the answers to those first three questions are "no, no, and no thank you."
Maxim Alzoba (RySG)
01:11:50
are there measures to prevent data leaks from the requestors? (like mechanics to block compromised passwords etc.)
Milton Mueller
01:11:59
If you eliminate accreditation how do you prevent abuse of the system?
Amr Elsadr
01:12:06
+1 to Volker’s thanks to the ICANN team working on this.
Goran Marby
01:12:36
The responsibility for that lies with the requester, it is a part of the evidence they need to present
Amr Elsadr
01:12:40
…, for both the work done and for the multiple updates.
Stephanie Perrin
01:12:48
Yes I am sure this represents a lot of hard, detailed work. Kudos
Milton Mueller
01:14:32
But if all the centralized intake system is doing is relaying requests to CPs, why to just require CPs to have a standardized method of accepting requests? <ducks>
Maxim Alzoba (RySG)
01:15:19
CPs have to process things manually
Maxim Alzoba (RySG)
01:15:55
in different jurisdictions with different requirements, so the only similar thing - HTTPS for the web interface
Milton Mueller
01:17:14
Gee, I forgot that Goran
Thomas Rickert
01:17:19
If we did the simplified setup to start with, how fast could you launch!
Milton Mueller
01:17:24
LOL
Steve DelBianco (BC)
01:17:31
Requestor has to assert the legitimacy and legality of their request. I think that is not the same as “proving” it?
Thomas Rickert
01:18:28
I guess everything that helps expedite things and keep costs low as long as we do not know the demand is welcome, but I think it is imperative that „time to market“ is substantially less.
Becky Burr
01:19:55
How can compliance possibly help if you don’t report?
Maxim Alzoba (RySG)
01:20:23
whois is not correct example - it is used by tech systems too
Maxim Alzoba (RySG)
01:21:17
and by many data miners
Brian King
01:22:09
@Becky I'm not sure that's the right question. Compliance has told us they can't help (compel disclosure). I think the question to ask is why a requestor would waste their time when the expected outcome is a denial anyway.
Brian King
01:23:30
To be a bit holiday-season cheeky, from the requestor standpoint, we could complain to Compliance or Santa Claus, and they are equally capable of compelling a CP to disclose.
Goran Marby
01:23:31
Compliance cannot help with disclosure, that is due to the law.
Steve DelBianco (BC)
01:23:49
Would simplified intake system create "tickets" that can be tracked for disclosure/denial by CPs?
Volker Greimann (RRSG)
01:24:12
The way we designed it, yes
Stephanie Perrin
01:24:28
Where is the value add in a centralized system, if you do not standardize request requirements and identity of requestors?
Brian King
01:24:36
I'm open to this intake system as a pilot. In fact, CZDS already works this way, and it's already built.
Maxim Alzoba (RySG)
01:26:01
contracted parties do not have obligation to breach personal information laws for the benefit of third parties, so the process in simple words is just making one unified portal (hope it works way better than CZDS - which is almost unusable for Registries)
Maxim Alzoba (RySG)
01:26:54
instead of using current free e-mails
Yuko Yokoyama
01:27:09
Would you go to slide 8, please
Yuko Yokoyama
01:27:25
Thank you!
Yuko Yokoyama
01:27:32
Oops, go back to slide 8
Maxim Alzoba (RySG)
01:28:16
maybe requests via Interpol are not that bad …
Becky Burr
01:28:29
@brian, isn’t the question of whether ICANN can compel disclosures different than the question of whether ICANN act if the cp ignores the request? In any case, data about the volume of requests submitted is critical
Maxim Alzoba (RySG)
01:30:03
will ICANN be recognized as a data controller in case of personal data breach via SSAD?
John McElwaine
01:31:13
To Brian's point, I think that there is rarely any longer a way to make a WHOIS inaccuracy report to compliance because all of the information is redacted and "The redaction of contact details ... alone indicate that the data is inaccurate. In order to submit a valid complaint, please provide evidence of the inaccuracy (e.g., rejection of an email sent to the displayed email address) with your submission." However, the emails displayed in the WHOIS are anonymized or redacted.
Maxim Alzoba (RySG)
01:32:07
@John, sometimes it is a webform in the details
Volker Greimann (RRSG)
01:32:13
If you cannot bill for it, it is not worth doing?
John McElwaine
01:33:16
@Maxim, yes, I know but if you never get a response to that submission can you file an inaccuracy report? You'll always get an email back saying that the registrar's form system worked.
Matt Serlin
01:33:49
Goran is exactly right…if a contracted party simply isn’t even responding to disclosure requests, that absolutely should be escalated to compliance
Goran Marby
01:34:13
John, and we cannot check either…so we proposed to the EC that we should be able to check accuracy…they did not agree
John McElwaine
01:35:00
@Goran - I know. I'm just explaining why inaccuracy complaints are down.
Goran Marby
01:35:17
That one we know…and we pointed that out.
Brian King
01:37:53
So data like this would be helpful? Our professional analysts reviewed and manually sent over 1,000 requests for data of confirmed infringing domains to registrars and received the data just 14% of the time. 66% were denied and 20% were ignored. https://clarivate.com/blog/gdpr-whois-and-impacts-to-brand-protection-nine-months-later/
Jamie Hedlund
01:38:35
While Compliance cannot second guess the judgment of a CP in denying a request for access, we will make sure that the CP complied with the obligations in the Temp Spec to receive a request; apply the required analysis and respond to the requestor.
Maxim Alzoba (RySG)
01:38:47
@Brian, that is highly dependent on the text you send (and who sends it, for example sending from the same jurisdiction makes things simpler)
Milton Mueller
01:39:06
Lotsa people will agree with you on that one, Goran
Brian King
01:39:27
I agree, Goran. It's squarely in ICANN's SSR role.
Stephanie Perrin
01:39:38
But the RNH should not have to pay the costs of disclosing their data to requestors.
Brian King
01:40:41
@Stephanie they always have in a way, if you consider CP costs for Port 43 WHOIS.
Maxim Alzoba (RySG)
01:41:10
@Brian, it is not correct, SSAD involves persons making decisions
Brian King
01:41:46
@Maxim unclear what you mean is not correct.
Maxim Alzoba (RySG)
01:42:18
@Brian, WHOIS is not a disclosure of the personal data, merely outputs tech data
Maxim Alzoba (RySG)
01:42:47
does not make disclosures
Goran Marby
01:44:40
I also think that the EC is going too far into ICANN MS model
Paul McGrady
01:45:00
@Staff, to whom should we reach out if we have ideas about how to tighten up the request estimates?
Goran Marby
01:45:50
I think that we need to have a more general discussion about what to do next
Diana Middleton
01:45:54
@Paul, please send an email to ODP-SSAD@icann.org
Maxim Alzoba (RySG)
01:45:57
@Paul, I think there is an issue of the mathematical model with too many variables
Thomas Rickert
01:46:03
We have two types of disclosure requests: One where the requestor has a legal right to obtain the data. Those requests will likely go to the CP directly. And then there are those where the CP is just entitled to make the disclosure based on a legitimate interest. CPs could agree only to honour the latter type of requests if they come through the SSAD. By that you could encourage its use.
Paul McGrady
01:46:07
@Diana, thank you.
Diana Middleton
01:46:23
Please note emails to that email address are public
Stephanie Perrin
01:46:27
If I were representing civil society in a case against an SSAD system that made the RNH pay for the costs of accreditation of the data requestors, I think I would have a strong case.
Volker Greimann (RRSG)
01:46:30
If ICANN pays for it that just means contracted parties ultimately pay for it
Maxim Alzoba (RySG)
01:46:33
the issue is to distinguish the requestors who have the legal right from those who think so
Goran Marby
01:46:33
And we have not even touched upon international data transfers...
Diana Middleton
01:46:42
All submissions will be publicly archived and available to view.
Kristian Ørmen
01:46:56
Every time I look at this, I’m really thinking, is this system worth this very high cost?
Kristian Ørmen
01:47:07
Do we really get enough out of it?
Stephanie Perrin
01:47:14
If CPs pay for it, let's be clear… the RNH is paying for it
Maxim Alzoba (RySG)
01:47:20
I wonder if more laws like in CPR will be used worldwide (no data without being presented in the country)
Thomas Rickert
01:47:28
Agreed, Göran. That’s a challenge we have just mentioned in very broad terms, but that needs more work, much more work.
Steve DelBianco (BC)
01:48:19
If some govt enacts law that requires much greater disclosure, would the SSAD evolve to resolve conflicts of law and make the disclosure in some cases?
Maxim Alzoba (RySG)
01:48:21
stock like price structure - where you do not know the cost prior to the request 🙂
Paul McGrady
01:49:07
@Diana - thanks for the note. I'm happy to hear about the transparency in place
Maxim Alzoba (RySG)
01:49:16
@Steve, if EU makes a waiver of sorts - maybe yes
Milton Mueller
01:49:39
Right, of course, “free alternative” but if the convenience of the central intake exceeds the cost of individually going to registrars, it might still be preferable.
Mark Svancarek (USA)
01:50:17
@Milton, I agree it will be preferable
Goran Marby
01:50:47
EU cannot give a waiver…we had a shot with Strawberry but the EC decided for political reasons not to proceed with that
Maxim Alzoba (RySG)
01:51:13
@Goran, then it is just a hypothetical idea (not applicable )
Maxim Alzoba (RySG)
01:52:35
I think there might arise more stricter laws worldwide , not more loose
Brian King
01:52:41
Merry Christmas
Milton Mueller
01:52:47
Ho ho ho
Maxim Alzoba (RySG)
01:52:51
Happy Holidays !
desiree_miloshevic_evans
01:52:53
Understanding costs of users going direct to CPs is an important step in these financial projections - would it be hard to get such a study?
Amr Elsadr
01:52:55
Correct, Eleeza. Thanks.
Amr Elsadr
01:53:05
72
Amr Elsadr
01:53:07
:-)
Yuko Yokoyama
01:53:16
@Amr, we presented about the Identity Verification. Here is the recording: https://icann.zoom.us/rec/share/-haOPzkqxnm2xBRGMlwzf-lT82jjieCsfykgd8R5onKFL3x_0U4Kmq8bz9NWSTID.Js8-R6bleGgGPu_R?startTime=1635449411000
Goran Marby
01:53:37
Maybe a little bit tired when ICANN MS model gets blamed for not being able to fix “problems” with GDPR.
Amr Elsadr
01:54:01
I recall that webinar and the three levels of verification you highlighted (and the middle ground). I’m asking about details on these verification standards. Could you share what you’re thinking/what you’re looking at?
Maxim Alzoba (RySG)
01:54:14
MS model can not fix ideas of large states (it is not even UN 🙂
Amr Elsadr
01:55:37
Thanks again.
Diana Middleton
01:56:13
We will follow up in writing to the GNSO Council with regards to that question.
Maxim Alzoba (RySG)
01:57:01
question: what happens if there are only few thousand requests per year? (what will be the price? when ICANN changes it )
Maxim Alzoba (RySG)
01:58:21
what security measures are foreseen to prevent SSAD from being a source of data leaks? (including lost credentials)
Milton Mueller
01:58:43
How would the system determine such things as “there is no personal data on a record that has been previously disclosed”?
Goran Marby
01:59:37
The EDPB said that while GDPR does not apply to legal persons, the data of a legal person may contain personal information of a natural person. Hence the mere fact that a registrant is a legal person does not justify the unlimited publication of personal data relating to natural persons that a legal person’s registration data contain (e.g. natural persons that work for or represent that registrant).
Mark Svancarek (USA)
01:59:43
@Milton, the record could have to have been flagged during the previous disclosure
Chris Gift
02:00:44
@maxim when we estimated the development costs of SSAD we took into account the data flowing through the system and the levels of security required. However, the specifics of the security would be determined by the vendor in conjunction and guidance from ICANN staff.
Diana Middleton
02:00:45
@milton, it’s up to the CP to flag that to the SSAD.
Milton Mueller
02:01:28
@Diana I am assuming that there is no SSAD, just a centralized intake system
Eleeza Agopian
02:01:30
Thank you all. Apologies for the technical troubles.
Maxim Alzoba (RySG)
02:01:33
@Chris for that the requirements have to be in the text before the conversation
Theresa Swinehart
02:01:41
Thank you all for the good discussion.
Goran Marby
02:01:50
Thanks for having us…
Maxim Alzoba (RySG)
02:01:53
thanks all
Chris Gift
02:01:58
@maxim Agreed. But didn’t get to that level of specificity.
Milton Mueller
02:01:59
Chatham House rules for these conversations?
Mark Svancarek (USA)
02:02:00
thanks all
Maxim Alzoba (RySG)
02:02:03
and happy new year
Yuko Yokoyama
02:02:08
My apology about the internet being unstable in the end.
Nathalie Peregrine - ICANN Org
02:02:22
GNSO Councilors and GNSO appointed EPDP members: please stay on the call.
Amr Elsadr
02:02:26
Once more, thank you very much for the work and update. Happy holidays everyone.
Kristian Ørmen
02:02:26
Thank you