The screens in the room are largely illegible for those of us with imperfect eyes…could you drop the blue grey highlighting, that would definitely help. Thanks

+1 AlanW +1 MarcA

Congrats to Facebook:

https://about.fb.com/news/2020/01/data-privacy-day-2020/

Contracted and 3rd parties are free to offer those services at their own legal risk.

As they did prior to GDPR. But it is not a function of SSAD or obligation for CPs.

precisely, which is why the boundaries need to be sketched out.

expectations of what this is may be quite blurred

are we using the Zoom queue?

apparently not

What section of RAA refers to bulk access?

"bundling" is a good term

3.3.6

So will the RAAs say “you are not allowed to permit bulk access” or will registrars and registries be permitted to make private deals? please forgive the blunt question but this is an odd conversation to be having in meeting 42 or wherever we are now

if we are going to use a term like “bundling” make sure it gets into the definitions section

@Stephanie I don't think we're planning to change whatever bulk access rules are in the 2013 RAA

what then is bundling? I have my hand up.

if I send a request for thousands of registrations, and it gets split when it hits the front door of the SSAD into individual requests, is that bundling? Please explain how that differs from what you mean by bulk access

If I were a dpa investigating this, I would ask for a full explanation of the difference between bundling and bulk access

I can provide further clarity on what i just said if it would help

If there is indemnification all round, it does not promote compliance with law.

Yes Stephanie, thanks I think it would

idemnification here and there or insurance: who pays for that? is it in the financial sustainability of the model?

Suggestion: Add language. For the following requester types this indemnification clause should be removed: LEAs

The SSAD should provide an insurance policy for disclosing parties for all cases where no indemnification is provided

I have my hand up

Fwiw, most governments are prohibited by law from providing indemnification

Almost certain that is the case with USG

I have had my hand up for quite a while

I guess that 99% of the contracted parties already have indemnification clauses in their t&cs.

ditto for Canada

So the concept is not new

from a risk management perspective, may I pointed out that you need insurance coverage for making the RIGHT decision also

May I remind everyone of the costs of this insurance, which are trickling down to registrants. So yes, we might object to this if the costs are unreasonable

What are we insuring against? Misrepresentations in the request and mistakes in the response?

Assessing the risk of the costs of this is difficult

It would not be surprising to see a provision in the contract that says “you (requestor) indemnify me (responder) from 3rd party claims arising from your (requestor’s) failure to follow the rules.

E.g., failure to honestly describe your legitimate interest

that seems reasonable to me

there is a big difference between that qualified indemnification clause and what Thomas just described….this is the open barn door I am concerned about….

@CPs, are you asking to be indemnified against the recipient’s misuse of the data after you have released it? Or an indemnification for your release of the data based on an honest and complete request?

A broad indemnification clause for this SSAD instrument, IMHO, does not improve our chances of getting decent audit and oversight put in place. Awareness of risk decreases the changes of collecting on an insurance policy, thus dampening the urge to do proper quality controls and metrics.

@Becky: good question. if we start tackling the specifics of who "indemnifies" who for what, it's going to be a very meaty discussion.

and high time, too

@Franck, I understand, but I don’t see how you can reach a conclusion on indemnification without that discussion, and I don’t see how this is implementation and not policy

@becky: I don't disagree

it certainly feels like policy to me

It is not implementation. WE have stressed the need to consider the costs of building this disclosure instrument as a part of the fundamental policy decisions.

liability coverage is a potentially large cost that needs to be factored in. A further point I had my hand up to make, is that we are treating the decision making process in evaluating disclosure requests as if they were black and white rules based decisions. Some are. Many are not, they are judgement calls. Best to recognize this.

Point 3 in this list seems way too broad and there are mechanisms already in place for generic contactability of registrants

Agree Matt. Contacting for what reason?

Perhaps moving the 2nd paragraph first will make it more clear

"registered name holder consent or contract" is very problematic - if you have a registered nameholder consent - you already have the data - if the data is not that persons data you don't have the consent.... also the contract is the same - we don't have that contract with the registrant - therefore your actual point is consent …. so no

Remember, registrars have the ability to publish full registrant data if the registrant makes that choice which would address that use case IMO

@Matt, that would force the registrant to have the data public. The use case I mentioned would enable the registrant to retain privacy, and only consent to the specific requestor getting disclosure.

isn’t the issue with a free form box that it assumes the requestor knows precisely the right words to use?

Okay and CA’s have created ways to validate domain ownership in the meantime that utilize other means so still not sure this would be meaningful to them

Replace "selection" with "assertion" - better?

@Chris, that does seem like another thing to be concerned about.

old hand

Thank you Alan

I thought the concession was already made?

I believe that we did not agree to use the term “cybercrime” because it is a vernacular term. Either something is criminal behaviour, and or a breach of the terms and conditions of registration, or it is not.

This is in response to ALAC

Please use this form to list your issues, indicating line number, rationale for cannot live with and proposed alternative language.

thanks Brian, assertion is indeed an improvement

@Marika, not sure if it is because I use Zoom web, but I can't see the link to the document