Logo

Julie Bisland's Personal Meeting Room - Shared screen with speaker view
Brian King (IPC)
38:55
+1 Thomas. Face to face would be better for this topic
Amr Elsadr
40:46
Hi all…, since this is my first EPDP call of the decade, happy new year.
Stephanie Perrin (NCSG)
42:09
Fair and accurate point to make Marc, although I do appreciate Thomas’ offer. We do need a detailed analysis in my view, partly because of the perennial missing decisions.
Matt Serlin (RrSG)
42:12
Agree with Marc…if we could agree (at least in principle) on a model ahead of LA, we would still have a TON of work to do to flush out all of the details
Amr Elsadr (NCSG)
42:19
Agree with Marc. How much longer are we going to defer this discussion, and how will this affect our ability to consider the model when we ultimately become even tighter on time?
Terri Agnew
42:36
For attendance - who joined by phone number ending in 631?
Mark Svancarek (BC) (marksv)
43:46
I'm in
Brian King (IPC)
43:54
I'm in
Amr Elsadr (NCSG)
44:36
@James: +1
Berry Cobb
47:49
To meet our 7 Feb deadline we only have 1 week to finalize the Initial Report.
Berry Cobb
48:32
...post F2F that is.
Marc Anderson (Verisign / RySG)
49:24
I volunteer too
Hadia Elminiawi (ALAC)
49:48
I volunteer too
Franck Journoud (IPC)
49:50
me too
Chris Lewis-Evans (GAC)
50:04
me too
Alan Greenberg (ALAC)
52:19
Happy to participate as well.
Thomas Rickert (ISPCP)
54:30
I am afraid the only time slot I have tomorrow is between 15 and 16 UTC tomorrow.
Thomas Rickert (ISPCP)
55:30
Anyone else has a klicking noise in the line? Amost like a type-writer
Milton Mueller (NCSG)
55:43
I hear it, too
Berry Cobb
55:50
We think it is Janis' line.
Terri Agnew
56:06
Confirmed the crackling is from Janis’s line.
Thomas Rickert (ISPCP)
56:29
I hope its not Janis banging his head against the wall :-)
Thomas Rickert (ISPCP)
56:41
at a very very fast rate I shoud say :-)
Amr Elsadr (NCSG)
57:09
@Janis: Not banging your head against the wall…, yet? ;-)
Milton Mueller (NCSG)
01:00:52
Brian is assuming it is a data breach, i thought this alked more about breach of policy
Milton Mueller (NCSG)
01:01:00
talked
Brian King (IPC)
01:02:00
Milton that was my first point. It's not clear what kind of breach this attempts to address.
Julf Helsingius (NCSG)
01:02:48
Nice cave!
Milton Mueller (NCSG)
01:02:53
you're right about that, Brian!
Terri Agnew
01:02:55
echo is bouncing off of Alan G line
Stephanie Perrin (NCSG)
01:04:35
How would you propose to hold ICANN accountable?
Milton Mueller (NCSG)
01:04:37
the Greenberg cave
Amr Elsadr (NCSG)
01:05:01
@Alan G: +1, including notification of the affected data subjects/registrants that a breach resulted in data leaks (assuming this is the intent of breach here).
Stephanie Perrin (NCSG)
01:06:13
Existing accountability mechanisms are rather clumsy to deal swiftly with data breach issues.
Milton Mueller (NCSG)
01:06:41
"breach of the accreditation policy"
Amr Elsadr (NCSG)
01:06:55
There’s still an echo.
Stephanie Perrin (NCSG)
01:07:11
agree with Alan, precision required
James Bladel (RrSG)
01:08:43
Someone was saying something earlier about discussing “convoluted” topics?
Hadia Elminiawi (ALAC)
01:09:54
If ICANN is the accreditation authority, we should use the already existing mechanisms to address the noncompliance aspect.
Hadia Elminiawi (ALAC)
01:10:52
@Stephanie even if it is clumsy this is what we currently have
Milton Mueller (NCSG)
01:11:07
you've heard of multistakeholderism, James, well, this is multiconvoluteism
James Bladel (RrSG)
01:11:42
@Milton: “convoluted” means “your complicated issue that’s getting in the way of my complicated issue.” :)
Milton Mueller (NCSG)
01:11:53
exactly.
Brian King (IPC)
01:15:49
One important concept to decide here is who gets to decide whether ICANN has breached the policy.
Stephanie Perrin (NCSG)
01:16:13
my point is merely that you will find out about the failure of the accreditation process through a much larger investigation of a data breach, potentially. A simple examination of data breach investigations under data protection law would illustrate this, I commend that research to you. ICANN is not the whole world.....
Milton Mueller (NCSG)
01:17:13
"Da community" gets to decide
Alan Woods (RySG) (Donuts)
01:17:31
Stephanie nailed it there IMHO
Milton Mueller (NCSG)
01:18:07
right, so also law gets to decide
Amr Elsadr (NCSG)
01:18:10
Apologies, but I’m a little confused. We’re discussing “breaches” in the context of audits. Would data breaches be identified during these audits? I wouldn’t think so. Unless I’m mistaken, why are we discussing data breaches at all right now?
Milton Mueller (NCSG)
01:18:23
because we can
Amr Elsadr (NCSG)
01:18:47
ok?
Amr Elsadr (NCSG)
01:18:55
@Marc: +1
Brian King (IPC)
01:18:59
I think we decided we're not talking about data breaches.
Amr Elsadr (NCSG)
01:19:23
@Brian: Yeah…, I thought so too, but there have still been a few comments about data breaches.
Brian King (IPC)
01:19:48
That might have been my fault :-(
Alan Greenberg (ALAC)
01:20:17
That's what happens when we use multi-meaning words like "breach" without appropriate modifiers.
James Bladel (RrSG)
01:20:40
+1 Marc and we need to leave clear guidance for the IRT.
Amr Elsadr (NCSG)
01:21:16
@Brian: Now worries. :-)
Brian King (IPC)
01:21:45
+1 Marc, and I could join a small team
Marc Anderson (Verisign / RySG)
01:23:43
Good points @Georgios
Matt Serlin (RrSG)
01:23:57
+1 Georgios
Franck Journoud (IPC)
01:25:35
agree with Marc A re hashing this out in smaller team.
Amr Elsadr (NCSG)
01:26:18
@Janis: Good summary of the issue we need to focus on.
Georgios Tselentis (GAC)
01:27:50
So for my understanding: the paragraph assumes that ICANN is NOT outsourcing any accreditation activities and performs all activities by themselves
Caitlin Tubergen
01:28:02
Janis’ proposal: If ICANN serves as the accreditation authority, existing accountability mechanisms are expected to address any breaches of the accreditation policy, noting that in such extreme case, the credentials issued during the time of the breach will be reviewed. Modalities of this review should be established in the implementation phase.
Amr Elsadr (NCSG)
01:28:21
@Janis: Agree with your proposal, but would add that access by any SSAD users accredited during the period of the breach need to have their access to SSAD temporarily suspended until the breach is addressed.
Matt Serlin (RrSG)
01:29:10
proposal seems fine and think Amr’s point makes sense but probably need to build in flexibility to determine if that’s warranted in a specific case
Brian King (IPC)
01:29:12
I like Janis' suggestion. My inner lawyer wants to poke at it with a wordsmithing stick, but I think the concept is right where we want to be for this one.
Amr Elsadr (NCSG)
01:29:19
Better: Agree with your proposal, but would add that any SSAD users accredited during the period of the breach need to have their access to SSAD temporarily suspended until the breach is addressed.
Stephanie Perrin (NCSG)
01:30:24
The operative question here in my mind is if credentials have been issued incorrectly, who takes the responsibility for ensuring that data released under those credentials is treated properly? the data has to be expunged from the repository or sharing arrangements, the registrants have to be notified, etc.
Stephanie Perrin (NCSG)
01:30:51
That is a rather large responsibility folks.
Alan Woods (RySG) (Donuts)
01:31:09
agree stephanie … based on of course on the weight placed on the accreditation in the decision.
Alan Woods (RySG) (Donuts)
01:31:17
in the first place
Brian King (IPC)
01:31:45
Agree with Janis. Would prefer "reviewed" to address Amr's point.
Stephanie Perrin (NCSG)
01:32:02
If we were to set out to clean the records of (for instance) Domain tools, who might have been vacuuming up and selling data that was released not in compliance with law, who would assume that responsibility? It needs to be in this new policy.
Eleeza Agopian (ICANN Org Liaison)
01:33:05
I tried. :)
Hadia Elminiawi (ALAC)
01:34:35
+1 janis
Franck Journoud (IPC)
01:34:46
There needs to be a concept of causality and proportionality between the breach (eg size, how bad) and the consequences.
Stephanie Perrin (NCSG)
01:38:07
the accreditation policy could be fine, there could be a rogue employee in the accredited body.
Becky Burr
01:38:12
hello all, apologies for joining late
Chris Disspain
01:38:20
ditto
Amr Elsadr (NCSG)
01:38:48
@Janis: Of course, as part of its compliance function.
Franck Journoud (IPC)
01:39:44
Why don’t we hash this out offline?
Stephanie Perrin (NCSG)
01:39:56
I understand that people want to separate breach and breach investigation from policy, but under the law breach disclosure and attendant mechanisms are important, I fail to see how we can separate them without examining. Audit rarely finds potential breach in my view….(I do not have stats at hand to back that up, but I am pretty sure they exist in the DP community)
James Bladel (RrSG)
01:40:13
Please note that, at the beginning of our call, we deferred discussion of the CPH proposal to immediately begin working on a Hybrid model because it was too convoluted. We have now spent over an hour discussing how to audit accreditors. Many months from now, when folks ask why we aren’t further in our work, this call transcript should be Exhibit A.
Amr Elsadr (NCSG)
01:40:54
I don’t think my point came across clearly. A breach in policy will likely result in improper disclosure of personal information. All I’m saying is that the audit, once it has identified a breach in policy, should also identify what data was improperly disclosed, as well as all parties affected.
Amr Elsadr (NCSG)
01:41:40
This is important, because GDPR requires notification of data subjects of such situations.
Matt Serlin (RrSG)
01:41:47
Have to agree with James…feels like this VERY detailed discussion is very in the weeds and feels ill-timed given our lack of ability to agree on a draft model to march forward with
Stephanie Perrin (NCSG)
01:41:49
Way back in the mists of time, the NCSG pushed for thorough education of members of this group. I think it would have avoided these lengthy detours, because unfortunately some of us feel duty bound to not allow complex issues to slip by through failure to examine the impact of our words.
Alan Woods (RySG) (Donuts)
01:41:50
Only if accreditation is determinative Amr. Which is in a very small set of possibilities
Berry Cobb
01:42:23
can I get it in chat please?
Marc Anderson (Verisign / RySG)
01:42:43
and/or identity provider (if applicable)
Alan Woods (RySG) (Donuts)
01:42:44
we should build redundancies into the actual decision. This harks back to earlier thoughts .. accreditation is a complex check of ID and system credential distribution no?
Amr Elsadr (NCSG)
01:43:04
@Alan W: Yup. Isn’t this whole discussion taking place under the assumption that a breach in the accreditation policy has occurred and been identified during an audit?
Alan Woods (RySG) (Donuts)
01:44:41
yes … agreed. But a person (again except in limited LEA etc circs) should not get disclosure because of who they are but, for what reason, legal basis and the balance of the rights in the instance. Probably why this conversation was a tad frustrating as, it is not the most important element ...by faaar!
Becky Burr (ICANN Board Liaison)
01:44:52
Yes @Stephanie, while I agree that data breaches don’t usually turn up in an audit, I think that the failure to disclose in accordance with policy is more likely to be spotted in an audit and/or via spot checks.
Alan Woods (RySG) (Donuts)
01:45:45
definitely a factor - but one hopes in all but the most extreme of circumstances, the decision could stand, despite the 'accreditation; issue - but perhaps not...
Becky Burr (ICANN Board Liaison)
01:45:49
data breaches may be outed in an audit, but if the controller hasn’t noticed them before hand, it’s difficult for an auditor to do so
Amr Elsadr (NCSG)
01:46:44
Alan W: Good point!!
Stephanie Perrin (NCSG)
01:48:04
exactly Becky. I would suggest that we are going to be revoking more credentials as the result of complaint and data breach than through audit.
Stephanie Perrin (NCSG)
01:48:10
Sorry to slow things down.
Stephanie Perrin (NCSG)
01:49:16
But I am presuming that the audit mechanism we set up through these words has to be robust enough to manage the investigation of data breaches and complaints.
Alan Woods (RySG) (Donuts)
01:51:22
+1 james
Matt Serlin (RrSG)
01:51:45
i think a footnote might make sense here as Janis offered
Volker Greimann (RrSG)
01:53:36
loaded with what?
Brian King (IPC)
01:53:56
loaded with cheese, bacon, and chives
Brian King (IPC)
01:54:06
sour cream on the side
Alan Woods (RySG) (Donuts)
01:56:34
funny …. if unhelpful
Stephanie Perrin (NCSG)
01:57:18
The cost of examining the data management practices of potential accredited entities could be substantial. Who covers that? in an ISO quality system, the accredited entity does....
Stephanie Perrin (NCSG)
01:57:52
I am talking about onsite audit here, just for added clarity
Stephanie Perrin (NCSG)
01:58:11
with a team of experts
Matt Serlin (RrSG)
01:58:21
This talks about maintaining the system as James is highlighting…
Brian King (IPC)
01:58:31
@James that clarity would be helpful
Franck Journoud (IPC)
01:58:40
Staff please add me to Brian-Amr tag team drafting language re cost
Amr Elsadr (NCSG)
01:58:48
@James: +1. There are cost-recovery provisions in play for whatever ICANN needs to fund upfront, right?
James Bladel (RrSG)
01:59:53
@Alan G I think that we all agreed on that.
Brian King (IPC)
02:00:15
I'm confident that we can get to agreement here
Amr Elsadr (NCSG)
02:00:52
I was addressing a comment from Brian in the doc on this section, where he indicates that several groups object to the sentence as a whole. Did I misunderstand what was being objected to?
Berry Cobb
02:02:05
Can we get this by COB Wednesday?
Amr Elsadr (NCSG)
02:03:44
@Berry: Are you referring to the task assigned to Brian, Steph, Franck and myself?
Berry Cobb
02:04:09
Yes, but Janis said for next Thursday, so CoB next Monday?
Mark Svancarek (BC) (marksv)
02:04:17
+1 Volker
Amr Elsadr (NCSG)
02:04:30
@Berry: Yeah…, that sounds more doable. :-)
Alan Greenberg (ALAC)
02:04:52
Agree with Volker.
Thomas Rickert (ISPCP)
02:06:29
Does not the language I suggested for the next para cover all of that?
Brian King (IPC)
02:06:49
I think Thomas' language does that
Brian King (IPC)
02:09:51
Really like Thomas' suggestion. It gives sufficient flexibility.
Brian King (IPC)
02:14:33
Thanks, Staff
Chris Lewis-Evans (GAC)
02:22:42
yep sorry my bad
Alan Woods (RySG) (Donuts)
02:25:11
sorry all have to drop a little early today
Stephanie Perrin (NCSG)
02:27:16
Given the number of policy options implicit in the various models, there are various implementation details that may have policy implications, particularly with respect to cost distribution and choice of party who performs various data protection functions. These issues are collected here under Implementation Guidance for consideration.
Marc Anderson (Verisign / RySG)
02:27:35
gotcha… that makes sense. Thanks
Berry Cobb
02:28:00
The team may wish not to confuse Implementation Guidance as a policy recommendation. If this review is important, should it be a recommendation.
Amr Elsadr (NCSG)
02:28:19
@Berry: Was wondering the same.
Mark Svancarek (BC) (marksv)
02:28:27
+1 Amr
Laureen Kapin (GAC)
02:28:54
reviewed and changed over time?
Amr Elsadr (NCSG)
02:29:04
May we also agree to consider what Berry suggested in the chat above?
Hadia Elminiawi (ALAC)
02:30:29
+1 to having SSAD fee structure may need ….. as a recommendation
Stephanie Perrin (NCSG)
02:30:48
Just noting that the text I typed above should be in quotes, as the text requested by Janis to introduce implementation guidance. Whether it is called implementation guidance or some other title (e.g. Policy Implications of Implementation choices)
James Bladel (RrSG)
02:31:34
Need to drop. Thanks all.
Stephanie Perrin (NCSG)
02:32:00
+1000 Thomas
Laureen Kapin (GAC)
02:32:43
Also need to leave.
Brian King (IPC)
02:32:59
Need to drop too
Brian King (IPC)
02:33:01
thanks, all.
Thomas Rickert (ISPCP)
02:33:08
We should include them in the report and also work on them more.
Matt Serlin (RrSG)
02:33:13
i need to drop…thanks all
Georgios Tselentis (GAC)
02:33:22
+1 Thomas I need to drop as well
Terri Agnew
02:34:19
Doodle has been sent to those who wanted to join small team call tomorrow - please check your emails.
Amr Elsadr (NCSG)
02:35:18
Thanks all. Bye.
Hadia Elminiawi (ALAC)
02:35:31
bye