Logo

Marika Konings' Personal Meeting Room - Shared screen with speaker view
Stephanie Perrin (NCSG)
01:29:33
The screens in the room are largely illegible for those of us with imperfect eyes…could you drop the blue grey highlighting, that would definitely help. Thanks
Mark Svancarek (BC)
01:31:07
+1 AlanW +1 MarcA
Volker Greimann (RrSG)
01:31:32
Congrats to Facebook:
Volker Greimann (RrSG)
01:31:33
https://about.fb.com/news/2020/01/data-privacy-day-2020/
James Bladel
01:32:09
Contracted and 3rd parties are free to offer those services at their own legal risk.
James Bladel
01:32:28
As they did prior to GDPR. But it is not a function of SSAD or obligation for CPs.
Stephanie Perrin (NCSG)
01:36:42
precisely, which is why the boundaries need to be sketched out.
Stephanie Perrin (NCSG)
01:36:58
expectations of what this is may be quite blurred
Mark Svancarek (BC)
01:43:57
are we using the Zoom queue?
James Bladel (RrSG)
01:45:22
apparently not
Laureen Kapin (GAC)
01:47:09
What section of RAA refers to bulk access?
Mark Svancarek (BC)
01:47:22
"bundling" is a good term
Marika Konings
01:47:29
3.3.6
Stephanie Perrin (NCSG)
01:47:37
So will the RAAs say “you are not allowed to permit bulk access” or will registrars and registries be permitted to make private deals? please forgive the blunt question but this is an odd conversation to be having in meeting 42 or wherever we are now
Stephanie Perrin (NCSG)
01:49:05
if we are going to use a term like “bundling” make sure it gets into the definitions section
Brian King (IPC)
01:49:24
@Stephanie I don't think we're planning to change whatever bulk access rules are in the 2013 RAA
Stephanie Perrin (NCSG)
01:50:57
what then is bundling? I have my hand up.
Stephanie Perrin (NCSG)
01:52:01
if I send a request for thousands of registrations, and it gets split when it hits the front door of the SSAD into individual requests, is that bundling? Please explain how that differs from what you mean by bulk access
Stephanie Perrin (NCSG)
01:53:36
If I were a dpa investigating this, I would ask for a full explanation of the difference between bundling and bulk access
Stephanie Perrin (NCSG)
02:00:10
I can provide further clarity on what i just said if it would help
Stephanie Perrin (NCSG)
02:00:32
If there is indemnification all round, it does not promote compliance with law.
Franck Journoud (IPC)
02:00:33
Yes Stephanie, thanks I think it would
Georgios Tselentis (GAC)
02:00:44
idemnification here and there or insurance: who pays for that? is it in the financial sustainability of the model?
Volker Greimann (RrSG)
02:02:00
Suggestion: Add language. For the following requester types this indemnification clause should be removed: LEAs
Volker Greimann (RrSG)
02:02:38
The SSAD should provide an insurance policy for disclosing parties for all cases where no indemnification is provided
Stephanie Perrin (NCSG)
02:03:52
I have my hand up
Becky Burr (ICANN Board Liaison)
02:06:20
Fwiw, most governments are prohibited by law from providing indemnification
Becky Burr (ICANN Board Liaison)
02:06:28
Almost certain that is the case with USG
Stephanie Perrin (NCSG)
02:06:52
I have had my hand up for quite a while
Thomas Rickert (ISPCP)
02:07:05
I guess that 99% of the contracted parties already have indemnification clauses in their t&cs.
Stephanie Perrin (NCSG)
02:07:06
ditto for Canada
Thomas Rickert (ISPCP)
02:07:20
So the concept is not new
Stephanie Perrin (NCSG)
02:08:01
from a risk management perspective, may I pointed out that you need insurance coverage for making the RIGHT decision also
Stephanie Perrin (NCSG)
02:09:47
May I remind everyone of the costs of this insurance, which are trickling down to registrants. So yes, we might object to this if the costs are unreasonable
Becky Burr (ICANN Board Liaison)
02:09:57
What are we insuring against? Misrepresentations in the request and mistakes in the response?
Stephanie Perrin (NCSG)
02:10:16
Assessing the risk of the costs of this is difficult
Becky Burr (ICANN Board Liaison)
02:13:41
It would not be surprising to see a provision in the contract that says “you (requestor) indemnify me (responder) from 3rd party claims arising from your (requestor’s) failure to follow the rules.
Becky Burr (ICANN Board Liaison)
02:14:10
E.g., failure to honestly describe your legitimate interest
Stephanie Perrin (NCSG)
02:15:11
that seems reasonable to me
Stephanie Perrin (NCSG)
02:18:10
there is a big difference between that qualified indemnification clause and what Thomas just described….this is the open barn door I am concerned about….
Becky Burr (ICANN Board Liaison)
02:22:32
@CPs, are you asking to be indemnified against the recipient’s misuse of the data after you have released it? Or an indemnification for your release of the data based on an honest and complete request?
Stephanie Perrin (NCSG)
02:22:37
A broad indemnification clause for this SSAD instrument, IMHO, does not improve our chances of getting decent audit and oversight put in place. Awareness of risk decreases the changes of collecting on an insurance policy, thus dampening the urge to do proper quality controls and metrics.
Franck Journoud (IPC)
02:23:49
@Becky: good question. if we start tackling the specifics of who "indemnifies" who for what, it's going to be a very meaty discussion.
Stephanie Perrin (NCSG)
02:24:40
and high time, too
Becky Burr (ICANN Board Liaison)
02:24:47
@Franck, I understand, but I don’t see how you can reach a conclusion on indemnification without that discussion, and I don’t see how this is implementation and not policy
Franck Journoud (IPC)
02:25:06
@becky: I don't disagree
Chris Disspain (ICANN Board Liaison)
02:25:13
it certainly feels like policy to me
Stephanie Perrin (NCSG)
02:25:36
It is not implementation. WE have stressed the need to consider the costs of building this disclosure instrument as a part of the fundamental policy decisions.
Stephanie Perrin (NCSG)
02:29:39
liability coverage is a potentially large cost that needs to be factored in. A further point I had my hand up to make, is that we are treating the decision making process in evaluating disclosure requests as if they were black and white rules based decisions. Some are. Many are not, they are judgement calls. Best to recognize this.
Matt Serlin (RrSG)
02:38:31
Point 3 in this list seems way too broad and there are mechanisms already in place for generic contactability of registrants
Ben Butler (SSAC)
02:42:56
Agree Matt. Contacting for what reason?
Mark Svancarek (BC)
02:43:05
Perhaps moving the 2nd paragraph first will make it more clear
Alan Woods (RYSG)
02:46:15
"registered name holder consent or contract" is very problematic - if you have a registered nameholder consent - you already have the data - if the data is not that persons data you don't have the consent.... also the contract is the same - we don't have that contract with the registrant - therefore your actual point is consent …. so no
Matt Serlin (RrSG)
02:51:12
Remember, registrars have the ability to publish full registrant data if the registrant makes that choice which would address that use case IMO
Brian King (IPC)
02:52:34
@Matt, that would force the registrant to have the data public. The use case I mentioned would enable the registrant to retain privacy, and only consent to the specific requestor getting disclosure.
Chris Disspain (ICANN Board Liaison)
02:53:39
isn’t the issue with a free form box that it assumes the requestor knows precisely the right words to use?
Matt Serlin (RrSG)
02:53:53
Okay and CA’s have created ways to validate domain ownership in the meantime that utilize other means so still not sure this would be meaningful to them
Brian King (IPC)
02:57:27
Replace "selection" with "assertion" - better?
Mark Svancarek (BC)
02:57:51
@Chris, that does seem like another thing to be concerned about.
Mark Svancarek (BC)
03:03:51
old hand
Mark Svancarek (BC)
03:06:49
Thank you Alan
Mark Svancarek (BC)
03:08:56
I thought the concession was already made?
Stephanie Perrin (NCSG)
03:09:41
I believe that we did not agree to use the term “cybercrime” because it is a vernacular term. Either something is criminal behaviour, and or a breach of the terms and conditions of registration, or it is not.
Stephanie Perrin (NCSG)
03:09:53
This is in response to ALAC
Marika Konings
03:12:08
Please use this form to list your issues, indicating line number, rationale for cannot live with and proposed alternative language.
Stephanie Perrin (NCSG)
03:12:23
thanks Brian, assertion is indeed an improvement
Stefan Filipovic (NCSG)
03:15:13
@Marika, not sure if it is because I use Zoom web, but I can't see the link to the document