Julie Bisland's Personal Meeting Room - Shared screen with speaker view
Hadia
38:35
Hello all
Ayden Férdeline (NCSG)
39:02
Hello all
Franck Journoud (IPC)
40:25
Hi everyone - this is my first EPDP call. I'm the IPC's new primary, alongside Brian King, replacing the irreplaceable Alex Deacon.
Alan Greenberg (ALAC)
40:39
Agenda: In today's difficult world, it is good to see such full-blown optimism as indicated by this agenda!
Stephanie Perrin (NCSG)
40:51
welcome Franck!
Matt Serlin (RrSG)
40:54
Welcome Franck
Amr Elsadr (NCSG)
40:55
Welcome, Franck. Big shoes to fill. :-)
Volker Greimann (RrSG)
40:58
Abandon all hope ye who enter here (Welcome, Franck!)
Chris Lewis-Evans (GAC)
41:02
Hello and welcome Franck
Franck Journoud (IPC)
43:18
@Amr is right
Thomas Rickert (ISPCP)
43:37
Welcome, Franck!
Hadia Elminiawi (ALAC)
43:38
Welcome Franck
Thomas Rickert (ISPCP)
45:05
ISPCP is still reviewing. We will send comments as soon as we can.
Hadia Elminiawi (ALAC)
46:05
ALAC is still reviewing as well
Caitlin Tubergen
46:37
To Janis’ point: most/all Initial Reports typically include some open issues on which input is sought and highlight where disagreements still exist.
Franck Journoud (IPC)
46:48
I imagine everyone is still reviewing, we certainly are.
Volker Greimann (RrSG)
48:16
Some, but not all of them
Berry Cobb
49:49
30 June all funds allocated for the Phase 2 effort, and the EPDP will have to request funds should we go beyond June 2020.
Berry Cobb
50:10
...funds returned to close out fiscal year.
Stephanie Perrin (NCSG)
50:19
at least not the fundamental ones. Like controllership.
Stephanie Perrin (NCSG)
50:33
This is not like selecting a paint colour folks.
Alan Woods (RYSG)
50:37
+1
Volker Greimann (RrSG)
50:44
Does not sound like the end of the world, Berry
Amr Elsadr (NCSG)
50:50
Still reviewing it myself, but assume that this initial report lacks insight to questions/answers that are key to the policy recommendations we ultimately need to send to the Council. Very premature to publish, imo.
Mark Svancarek (BC-marksv)
50:59
+1 Volker
Milton Mueller (NCSG)
51:29
I like Scenario 2
Matt Serlin (RrSG)
51:46
The initial report in its current state reads more like a Status Report to me
Stephanie Perrin (NCSG)
51:58
+1 Matt
Volker Greimann (RrSG)
52:48
+1 AlanG
Julf Helsingius (NCSG)
52:50
+1 Alan G
Matt Serlin (RrSG)
52:52
+1 Alan G
Amr Elsadr (NCSG)
52:55
@AlanG: +1
Thomas Rickert (ISPCP)
52:56
ISPCP will not be able to review and comment to support publication in a few days.
Amr Elsadr (NCSG)
53:20
@AlanG: +1 on all counts.
Thomas Rickert (ISPCP)
53:38
Let’s not forget, we always said we would get an opportunity to review the entire package to spot whether there are inconsistencies or points missing. That is hardly possible.
Thomas Rickert (ISPCP)
54:02
For the ISPs we are currently checking whether our needs are sufficiently addressed, but that is not completed.
Milton Mueller (NCSG)
54:12
Nice try, Janis! :-)
Julf Helsingius (NCSG)
55:01
Ooh, a Merc SL300!
Stephanie Perrin (NCSG)
57:41
As Thomas has pointed out, given the variables, a conscientious review involves verifying for inconsistencies. This takes time and effort. Not done yet, speaking for myself and several other members of the NCSG team.
Jennifer Gore (IPC)
57:57
I think it is a big ask to change people’s behaviors during the comment period.
James Bladel (RrSG)
58:36
I think we should set the expectation that the Final Report will be significantly different than the Initial report, owing to the incomplete nature of the Initial report.
Thomas Rickert (ISPCP)
58:38
Shouldn’t we await the responses to the legal questions?
Alan Woods (RYSG)
59:56
or even the response of the EDPB to the strawberry team?
Milton Mueller (NCSG)
01:01:10
Those constraints are good, a feature not a bug
Matthew Crossman (RySG)
01:02:10
Flagging some relevant language from GNSO Operating Procedures, Annex 2: From GNSO guidelines: “While the Final Report is not required to be posted for public comment, in preparing the Final Report, the PDP Team should consider whether the Final Report should be posted for public comment as a [Draft] Final Report, with the goal of maximizing accountability and transparency with regards the PDP, especially when substantial changes have been made compared to the contents of the Initial Report.”
Volker Greimann (RrSG)
01:02:38
+1 AlanW
Alan Greenberg (ALAC)
01:02:52
+1 AlanW
Amr Elsadr (NCSG)
01:02:58
@AlanW: +1
Amr Elsadr (NCSG)
01:03:09
The two Alans are rocking it today. :-)
Matt Serlin (RrSG)
01:03:18
Well said Alan…let’s remember the scope and depth of what it is we are working on in this group
Franck Journoud (IPC)
01:03:36
If the initial report has inconsistencies, that's going to create unmanageable confusion in the mind of public commenters - and in mine too!
Stephanie Perrin (NCSG)
01:03:50
We should certainly wait for answers to the legal questions. Bad enough to ignore legal advice, even worse waste of money to not even wait for the answers....
Julf Helsingius (NCSG)
01:07:07
+1 Stephanie
Marc Anderson (Verisign / RySG)
01:08:03
Is this the correct document we should be looking at?
Marc Anderson (Verisign / RySG)
01:08:05
https://docs.google.com/document/d/1KqfkWfbC6gBIrmE3OTTw7MYpThciaMc03Lu6M9skEEI/edit
Volker Greimann (RrSG)
01:08:37
Financial harms can be regulated, human lives cannot. Therefore the differentiation is valid
Franck Journoud (IPC)
01:09:59
harm not crime
Margie Milam (BC)
01:10:10
significant financial harms such as phishing
Volker Greimann (RrSG)
01:10:31
James +1, also see above
Margie Milam (BC)
01:10:59
that would work for me
Jennifer Gore (IPC)
01:11:00
I agree with Margie
Volker Greimann (RrSG)
01:11:08
No surprise there
Alan Woods (RYSG)
01:11:14
Of course Critical infrastructure have very specific legal routes for raising - e.g., NIS Directive
Franck Journoud (IPC)
01:11:25
Agree with Margie
Alan Woods (RYSG)
01:11:27
so again - we are looking at citing actual legal power and process.
Alan Woods (RYSG)
01:12:19
not the expectation of 3rd parties who are subjectively very entitled to hold the belief that their requirements are 'critical' … but objectively they will not meet the required legal standard.
Volker Greimann (RrSG)
01:12:22
Let’s put it differently: adding this will remove our support for differential treatment of urgent request
Milton Mueller (NCSG)
01:13:08
good question James
Hadia Elminiawi (ALAC)
01:13:15
we can put a footnote that describes what we mean by critical infrastructure
Alan Woods (RYSG)
01:13:18
+1 james
Stephanie Perrin (NCSG)
01:15:52
is this not an implementation issue?
Alan Woods (RYSG)
01:15:55
in truth Chris is very right - how to treat a request is the decision of the controller...…….
Caitlin Tubergen
01:16:04
For what it’s worth, the definition of urgent was pulled from the PPSAI IRT.
Alan Woods (RYSG)
01:16:18
based on the request
Caitlin Tubergen
01:16:32
(Privacy/Proxy Services Accreditation)
James Bladel (RrSG)
01:17:30
Still feels like we are creating a class of “civilian” requests that are deputized with pseudo-LEA authorities.
Stephanie Perrin (NCSG)
01:17:37
doubtless for good reason. I understand the desire to grapple with it here, but I can think of a ton of problems across various legal regimes that would require urgent treatment
Volker Greimann (RrSG)
01:17:57
We are still talking about whois data access
Alan Woods (RYSG)
01:18:04
Agreed with James. The PROPER channel for such requests will always be through the proper authorities such as LEA
Volker Greimann (RrSG)
01:18:20
How can this kind of attack be mitigated on an urgent
Margie Milam (BC)
01:18:20
WHOis plays a part in mitigation
James Bladel (RrSG)
01:18:23
There are other channels for scenarios Greg has described.
Volker Greimann (RrSG)
01:18:28
Manner with WHOIS data, Greg?
Franck Journoud (IPC)
01:18:32
Greg's point is important: law enforcement is often not the 1st to intervene, even for major problems, if the problem is very technical
Volker Greimann (RrSG)
01:18:37
By non-LEAs to boot?
Stephanie Perrin (NCSG)
01:18:41
right. And if a private sector actor is experiencing a serious problem, they can still come in through LEA
Greg Aaron (SSAC)
01:19:57
No, Stephanie. LE does not perform mitigation. It investigates and maybe makes arrests. But it is not an operational stand-in.
Alan Woods (RYSG)
01:19:58
1st to respons - does not a urgent request make however when we are considering privacy rights.
Alan Woods (RYSG)
01:20:01
*respond
Milton Mueller (NCSG)
01:20:15
really? can you point me to today’s headline?
Chris Lewis-Evans (GAC)
01:20:15
+1 Greg this is why splitting the threat to life/ bodily harm with critical infrastructure out would make sense the decision maker for this could then be with the public authority for threat to life and for CI allow public sector to make urgent requests with the decision pushed to the controller (decision maker)
James Bladel (RrSG)
01:20:40
I’m now convinced that (e) isn’t necessary, and fraught with potential problems.
Amr Elsadr (NCSG)
01:20:56
There is a cost to dealing with requests in an accelerated manner, so basically dealing with issues of financial harm in this manner just shifts this financial harm from one actor to another.
Alan Greenberg (ALAC)
01:21:08
+1 MarkSV
James Bladel (RrSG)
01:21:09
Thanks Mark SV for confirming my concerns that (e) will be used as a workaround for regular channels.
Stephanie Perrin (NCSG)
01:21:19
I understand that LEAs don’t mitigate, but if a problem is life and death can you not develop a joint arrangement?
Stephanie Perrin (NCSG)
01:21:50
In other words if it is a crime, do you not report it? If not, why not?
Mark Svancarek (BC-marksv)
01:22:32
James, don't cherry-pick my intervention.
Margie Milam (BC)
01:22:58
there is a technical point of contact in WHOIS that is useful for mitigation
Mark Svancarek (BC-marksv)
01:22:59
I also said that we don't have assurance about the so-called "non urgent" situation.
James Bladel (RrSG)
01:23:25
@Mark - but this was the heart of your intervention. We can’t rely on non-urgent timelines, so we need an urgent timeline. But I think I have a fix.
Chris Disspain
01:23:27
hello all///apologies for joining late
Alan Woods (RYSG)
01:23:34
we cannot ignore due process. It is not a crime because a private company claims it is so. It is an allegation of a crime, and can only be treated as an allegation - a normal LEA channel is a completely differently weighted matter and should be the more appropriate and impactful approach surely?
Margie Milam (BC)
01:25:00
privacy/proxy is a different service than WHOIS
Margie Milam (BC)
01:25:26
it makes sense to have a different standard for those who have signed up to that service
Jennifer Gore (IPC)
01:27:09
agree on the handling of registrations with P/P , being handled differently in order for the additional layer of privacy to not hold up the reveal process for legit
Jennifer Gore (IPC)
01:27:19
requests
Mark Svancarek (BC-marksv)
01:27:45
I's listening...
Caitlin Tubergen
01:27:48
Here is a link to the document where the P/P definition can be found: https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20180913/426735f5/PPAA_12Sept_IRTMarkUp-0001.pdf
Mark Svancarek (BC-marksv)
01:27:56
I'm listening...
Jennifer Gore (IPC)
01:28:01
thanks Caitlin
Matt Serlin (RrSG)
01:28:39
yeah E really does read like guaranteed disclosure so agree with what James is saying
Caitlin Tubergen
01:28:41
Note, the PPSAI IRT used the term “high priority” instead of “urgent”.
Jennifer Gore (IPC)
01:28:58
refer to the LEA framework in the draft PPSAI accreditation agreement
Matt Serlin (RrSG)
01:29:12
The option to route an urgent request into the standard lane would work
Volker Greimann (RrSG)
01:29:14
In Germany, law enforcement is also charged with mitigation. We call that Gefahrenabwehr - mitigation of acute danger
Mark Svancarek (BC-marksv)
01:29:46
I think James' suggestion is a good one. It will be subject to uncertainty unless there is a central entity making the urgent/non-urgent decision, though
Georgios Tselentis (GAC)
01:29:54
@James How the controller knows better than the requester if something is urgent?
Volker Greimann (RrSG)
01:30:04
Seems like you guys need better law enforcement
Alan Woods (RYSG)
01:30:27
well surely it is subjective to the request - and that can be discerned by … meaningful human intervention -
Milton Mueller (NCSG)
01:30:28
ok forget it
Alan Woods (RYSG)
01:30:46
it's not urgent because the requester says so …. it is urgent due to the actual request
James Bladel (RrSG)
01:30:47
@Georgios - Controller would determine if the qualifications for urgency (as defined here in the policy) have been met
James Bladel (RrSG)
01:31:11
Flipping the question around: If we leave the determination of “urgent” to the requester, then every request is “urgent”
Alan Woods (RYSG)
01:31:34
exactly James
Milton Mueller (NCSG)
01:31:40
Yes, if it’s not imminent it’s not urgent. Got it?
Georgios Tselentis (GAC)
01:31:56
@James not necessarily e.g. if they need to justify the urgency with the harm caused
Alan Woods (RYSG)
01:32:37
Hey why not go with the GDPR's "vital interests"! :)
James Bladel (RrSG)
01:32:37
Absent some mechanisms to bounce things back to the non-urgent channel, then I don’t accept (e) as written
Amr Elsadr (NCSG)
01:33:45
When we were dealing with the uses cases, I never got the impression that mitigating a threat to life or serious bodily injury is completely dependent on disclosure of registration data. Is “e” meant to do this now?
Milton Mueller (NCSG)
01:34:42
well if reg data never does mitigate an imminent threat then this provision will not be used much, will it?
Alan Woods (RYSG)
01:37:00
Proposed edit: "If a requestor is of the view that the response from the entity disclosing the data is not consistent with these policy recommendations, a complaint should be filed with ICANN Compliance. If a requestor is of the view that the response from the entity disclosing the data is not consistent with applicable data protection legislation, the requestor should contact the relevant data protection authority."
Volker Greimann (RrSG)
01:38:02
No Alan, still goes to faer.
Becky Burr (ICANN Board Liaison)
01:38:26
Apologies, I need to drop off for a few minutes
James Bladel (RrSG)
01:38:51
I’m ok with that
Hadia Elminiawi (ALAC)
01:38:52
+1 Alan
James Bladel (RrSG)
01:39:13
ICANN enforces the policy, DPAs enforce the law. And never the twain shall cross
Matt Serlin (RrSG)
01:39:14
And our policy recommendations actually don’t dictate the circumstances for which data is actually disclosed so that makes this language difficult to come to terms with
Alan Woods (RYSG)
01:39:24
thanks. All credit to Matthew on that!
Volker Greimann (RrSG)
01:39:52
How about this: If a requestor is found to abuse the Urgent category even once, all his current and future requests will be relegated to the permanent end of the regular response queue. Permanent end meaning that new entrants in the queue will line up in front of that requestor.
Volker Greimann (RrSG)
01:40:24
He will basically wear a sign of shame reading: Please cut in line before me because I abused the system
Franck Journoud (IPC)
01:40:27
Agree with Milton: we shouldn't work on 2 parallel documents
Jennifer Gore (IPC)
01:41:18
@Volker - the requestor may just be educated the first time. the treatment you suggest is very heavy handed
Volker Greimann (RrSG)
01:41:48
True, but that serves to ensure that any requestor will think thrice before launching an urgent request.
Volker Greimann (RrSG)
01:41:57
Perfect protection against abuse
Jennifer Gore (IPC)
01:42:16
I don’t agree
Milton Mueller (NCSG)
01:42:36
OK got it. Pardon the interruption
Caitlin Tubergen
01:42:39
@Milton - Support Staff can import the NCSG comments in the Initial Report and put them in the Building Blocks if that would be helpful.
Volker Greimann (RrSG)
01:42:57
So how do you then propose the abuse of the urgent queue is prevented
Milton Mueller (NCSG)
01:43:03
Thanks for the offer, Caitlin, not sure how the two map on to each other, so let’s wait on that
Stephanie Perrin (NCSG)
01:43:11
That would save me a ton of work Caitlin, thanks could you please do that?
Franck Journoud (IPC)
01:43:24
Agree with Jennifer: it's excessive. Folks hastily responding to difficult situations can't sink their organization's future ability to use SSAD
Volker Greimann (RrSG)
01:44:37
Well, best think before you hastily respond
Stephanie Perrin (NCSG)
01:44:48
there is a balance here to be struck. Orgs should not rely on the excuse of incompetence of staff to make bad risk assessments regarding legal requests ( a request for personal data being a legal request under the GDPR)
Margie Milam (BC)
01:45:05
Agree with Amp
Margie Milam (BC)
01:45:07
Amr
Stephanie Perrin (NCSG)
01:45:16
They need to ensure that staff are acting in compliance with law
Volker Greimann (RrSG)
01:45:21
The urgent queue should be used for clearly urgent matters, not based on a hasty decision
Jennifer Gore (IPC)
01:45:22
no need to school me , Volker.
Hadia Elminiawi (ALAC)
01:45:51
@amr makes sense
Jennifer Gore (IPC)
01:46:29
I agree with the purpose of the urgent queue and the responsibility of request to be educated
Amr Elsadr (NCSG)
01:46:46
The second half can be put in to the report as advice, as opposed to a formal Recommendation.
Amr Elsadr (NCSG)
01:47:03
…, as one potential course of action to be taken.
Margie Milam (BC)
01:52:08
+1 Janis
Volker Greimann (RrSG)
01:54:23
I still feel that the proposal should be bracketed as not reflecting a consensus view
Alan Greenberg (ALAC)
01:54:59
There are ways to get around this. The "modification" may in fact be a new request, but includes a field that cites the original bounced request.
Volker Greimann (RrSG)
01:57:01
Agree to move
Matt Serlin (RrSG)
01:59:18
we should end A as it is and then the rest is implementation imo
Becky Burr
01:59:50
Apologies, back
Laureen Kapin (GAC)
02:01:50
timelines
Berry Cobb
02:03:44
https://docs.google.com/document/d/1XeHP_YZN7fR0LwQ4DzRuY9PqB39uOzHXot-yH0fcvbc/edit
Volker Greimann (RrSG)
02:10:28
Like the UDRP, maybe
Milton Mueller (NCSG)
02:10:45
+1 Alan. ICANN was created to make DNS governance transcend jurisdictional fragmentation
Stephanie Perrin (NCSG)
02:10:54
+100 Alan
Volker Greimann (RrSG)
02:10:58
When contesting a UDRP decision, multiple jurisdictions can be used
Amr Elsadr (NCSG)
02:11:52
@AlanW: +1
Margie Milam (BC)
02:12:04
+1 Janis
Margie Milam (BC)
02:13:00
@Alan W -- we should talk about a "rules engine" approach, because there may be conflicts of laws
Volker Greimann (RrSG)
02:13:37
Everyone does have protection though. At learnt if processing occurs in the EU
Volker Greimann (RrSG)
02:13:42
least
Alan Greenberg (ALAC)
02:14:19
Amr agrees with which Alan?
Alan Woods (RYSG)
02:14:50
So to Janis & Alan G's point is that we are saying that some registrants are deserving of rights and others are not …. we have the opportunity to set a homogeneous policy … perhaps we should.
Milton Mueller (NCSG)
02:15:02
we most certainly should
Julf Helsingius (NCSG)
02:18:08
+1 Milton
Amr Elsadr (NCSG)
02:18:15
@Milton: +1
Amr Elsadr (NCSG)
02:19:40
@Stephanie: Good point, on the replacement of a previous uniform policy.
Milton Mueller (NCSG)
02:21:06
glad to know we are redacting city field, Margie.
Milton Mueller (NCSG)
02:21:21
I guess we have reached consensus on that now
Franck Journoud (IPC)
02:21:57
+1 @Margie
Matt Serlin (RrSG)
02:22:09
I’ve got to drop a few mins early today…thanks all
Laureen Kapin (GAC)
02:22:18
+1 Margie -- GDPR does not require a balancing test in all situations.
Milton Mueller (NCSG)
02:23:57
what about “where required by policy"?
Georgios Tselentis (GAC)
02:24:10
+1 Milton
Mark Svancarek (BC-marksv)
02:24:43
Milton, I think I agree
Hadia Elminiawi (ALAC)
02:26:15
+1 Milton
Margie Milam (BC)
02:26:57
+1 Laureen
Milton Mueller (NCSG)
02:27:02
yes, that is exactly what we are debating
Franck Journoud (IPC)
02:27:20
+1 Laureen
Hadia Elminiawi (ALAC)
02:27:26
Ok Margie you are correct
Stephanie Perrin (NCSG)
02:27:32
It ensures a harmonized policy, rather than having to factor in all the relevant laws
Milton Mueller (NCSG)
02:28:06
it is exactly the business we are here for.
Franck Journoud (IPC)
02:28:06
+1 Alan G
Amr Elsadr (NCSG)
02:28:30
@AlanG: ICANN’s been setting its own rules since it was created. Why is this suddenly not something we’re here to do?
Alan Woods (RYSG)
02:28:36
not to create law upon ourselves - you mean consensus policy Alan?
Alan Greenberg (ALAC)
02:29:21
@AlanW, no, we are here to implement policy to allow contracted parties to operate in GDPR (and similar) environments.
Margie Milam (BC)
02:29:32
We were created by the Board to conform WHOIS to GDPR
Margie Milam (BC)
02:29:44
it's in the Board resolution that started the EPDP
Mark Svancarek (BC-marksv)
02:29:59
"personal data", rather than "privacy data"
Amr Elsadr (NCSG)
02:30:01
All we’re trying to do is create a uniform Consensus Policy that is consistent with data protection law, and allows for dealing with situations where conflicts with this policy exist. Conflicts not the same thing as absence of data protection law.
Mark Svancarek (BC-marksv)
02:30:13
"data processing law" rather than "privacy law"
Mark Svancarek (BC-marksv)
02:30:25
related concepts but not identical
Hadia Elminiawi (ALAC)
02:30:41
Why do we need to tell the authorization provider that he needs to do a balancing test - the authorization provider will certainly not violate the law
Stephanie Perrin (NCSG)
02:32:00
I agree with Janis’s proposal for text.
Milton Mueller (NCSG)
02:32:08
we need to tell them that because it is now ICANN policy to protect the PII of registrants
Milton Mueller (NCSG)
02:32:36
I like that
Amr Elsadr (NCSG)
02:33:07
@Janis: I like the text you’ve proposed as well.
Alan Woods (RYSG)
02:34:00
heeeey!
Alan Woods (RYSG)
02:34:01
:D
Amr Elsadr (NCSG)
02:35:09
3 minutes, then food. I’m starving!! :-)
Franck Journoud (IPC)
02:36:14
+1 Margie
Alan Woods (RYSG)
02:36:41
yes but are we not talking about scalability and perhaps a higher degree of automation getting to the "meaningful human review point"? If the suggestion is that you want to treat registrants differently as they don't have the same rights in the DNS … then go for it!
Stephanie Perrin (NCSG)
02:37:23
It would be impossible to implement in an affordable way. Sorry. This is why you harmonize.
Milton Mueller (NCSG)
02:37:24
yes, automation totally impossible in a nonuniform process. “rules engines” don’t work
Margie Milam (BC)
02:37:45
rules engines are used all the time Milton by high tech companies
Chris Lewis-Evans (GAC)
02:37:56
Thanks everyone see you tomorrow :)
Milton Mueller (NCSG)
02:38:18
bye Chris
Milton Mueller (NCSG)
02:38:41
rules engines used to calculate taxes, not make balancing tests, don’t make me laugh
Amr Elsadr (NCSG)
02:38:50
Thanks all. Bye.
Hadia Elminiawi (ALAC)
02:39:00
thank you all bye
Volker Greimann (RrSG)
02:39:02
Yaaaay?