
01:29:33
The screens in the room are largely illegible for those of us with imperfect eyes…could you drop the blue grey highlighting, that would definitely help. Thanks

01:31:07
+1 AlanW +1 MarcA

01:31:32
Congrats to Facebook:

01:31:33
https://about.fb.com/news/2020/01/data-privacy-day-2020/

01:32:09
Contracted and 3rd parties are free to offer those services at their own legal risk.

01:32:28
As they did prior to GDPR. But it is not a function of SSAD or obligation for CPs.

01:36:42
precisely, which is why the boundaries need to be sketched out.

01:36:58
expectations of what this is may be quite blurred

01:43:57
are we using the Zoom queue?

01:45:22
apparently not

01:47:09
What section of RAA refers to bulk access?

01:47:22
"bundling" is a good term

01:47:29
3.3.6

01:47:37
So will the RAAs say “you are not allowed to permit bulk access” or will registrars and registries be permitted to make private deals? please forgive the blunt question but this is an odd conversation to be having in meeting 42 or wherever we are now

01:49:05
if we are going to use a term like “bundling” make sure it gets into the definitions section

01:49:24
@Stephanie I don't think we're planning to change whatever bulk access rules are in the 2013 RAA

01:50:57
what then is bundling? I have my hand up.

01:52:01
if I send a request for thousands of registrations, and it gets split when it hits the front door of the SSAD into individual requests, is that bundling? Please explain how that differs from what you mean by bulk access

01:53:36
If I were a dpa investigating this, I would ask for a full explanation of the difference between bundling and bulk access

02:00:10
I can provide further clarity on what i just said if it would help

02:00:32
If there is indemnification all round, it does not promote compliance with law.

02:00:33
Yes Stephanie, thanks I think it would

02:00:44
idemnification here and there or insurance: who pays for that? is it in the financial sustainability of the model?

02:02:00
Suggestion: Add language. For the following requester types this indemnification clause should be removed: LEAs

02:02:38
The SSAD should provide an insurance policy for disclosing parties for all cases where no indemnification is provided

02:03:52
I have my hand up

02:06:20
Fwiw, most governments are prohibited by law from providing indemnification

02:06:28
Almost certain that is the case with USG

02:06:52
I have had my hand up for quite a while

02:07:05
I guess that 99% of the contracted parties already have indemnification clauses in their t&cs.

02:07:06
ditto for Canada

02:07:20
So the concept is not new

02:08:01
from a risk management perspective, may I pointed out that you need insurance coverage for making the RIGHT decision also

02:09:47
May I remind everyone of the costs of this insurance, which are trickling down to registrants. So yes, we might object to this if the costs are unreasonable

02:09:57
What are we insuring against? Misrepresentations in the request and mistakes in the response?

02:10:16
Assessing the risk of the costs of this is difficult

02:13:41
It would not be surprising to see a provision in the contract that says “you (requestor) indemnify me (responder) from 3rd party claims arising from your (requestor’s) failure to follow the rules.

02:14:10
E.g., failure to honestly describe your legitimate interest

02:15:11
that seems reasonable to me

02:18:10
there is a big difference between that qualified indemnification clause and what Thomas just described….this is the open barn door I am concerned about….

02:22:32
@CPs, are you asking to be indemnified against the recipient’s misuse of the data after you have released it? Or an indemnification for your release of the data based on an honest and complete request?

02:22:37
A broad indemnification clause for this SSAD instrument, IMHO, does not improve our chances of getting decent audit and oversight put in place. Awareness of risk decreases the changes of collecting on an insurance policy, thus dampening the urge to do proper quality controls and metrics.

02:23:49
@Becky: good question. if we start tackling the specifics of who "indemnifies" who for what, it's going to be a very meaty discussion.

02:24:40
and high time, too

02:24:47
@Franck, I understand, but I don’t see how you can reach a conclusion on indemnification without that discussion, and I don’t see how this is implementation and not policy

02:25:06
@becky: I don't disagree

02:25:13
it certainly feels like policy to me

02:25:36
It is not implementation. WE have stressed the need to consider the costs of building this disclosure instrument as a part of the fundamental policy decisions.

02:29:39
liability coverage is a potentially large cost that needs to be factored in. A further point I had my hand up to make, is that we are treating the decision making process in evaluating disclosure requests as if they were black and white rules based decisions. Some are. Many are not, they are judgement calls. Best to recognize this.

02:38:31
Point 3 in this list seems way too broad and there are mechanisms already in place for generic contactability of registrants

02:42:56
Agree Matt. Contacting for what reason?

02:43:05
Perhaps moving the 2nd paragraph first will make it more clear

02:46:15
"registered name holder consent or contract" is very problematic - if you have a registered nameholder consent - you already have the data - if the data is not that persons data you don't have the consent.... also the contract is the same - we don't have that contract with the registrant - therefore your actual point is consent …. so no

02:51:12
Remember, registrars have the ability to publish full registrant data if the registrant makes that choice which would address that use case IMO

02:52:34
@Matt, that would force the registrant to have the data public. The use case I mentioned would enable the registrant to retain privacy, and only consent to the specific requestor getting disclosure.

02:53:39
isn’t the issue with a free form box that it assumes the requestor knows precisely the right words to use?

02:53:53
Okay and CA’s have created ways to validate domain ownership in the meantime that utilize other means so still not sure this would be meaningful to them

02:57:27
Replace "selection" with "assertion" - better?

02:57:51
@Chris, that does seem like another thing to be concerned about.

03:03:51
old hand

03:06:49
Thank you Alan

03:08:56
I thought the concession was already made?

03:09:41
I believe that we did not agree to use the term “cybercrime” because it is a vernacular term. Either something is criminal behaviour, and or a breach of the terms and conditions of registration, or it is not.

03:09:53
This is in response to ALAC

03:12:08
Please use this form to list your issues, indicating line number, rationale for cannot live with and proposed alternative language.

03:12:23
thanks Brian, assertion is indeed an improvement

03:15:13
@Marika, not sure if it is because I use Zoom web, but I can't see the link to the document