
051040043 - EPDP-Phase 2 Team Call - Shared screen with speaker view
Terri Agnew
27:42
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
Matt Serlin (RrSG)
31:56
Agree with Marc…makes sense that if it isn’t included in 19, it can’t be present here
Terri Agnew
32:36
Members: reminder, please select all panelists and attendees in order for everyone to see chat
Marika Konings
33:42
Do note that many of the abusive behavior requirements are currently part of policy recommendations so further consideration would need to be given to what would move to implementation guidance so that it would be within scope for the mechanism.
Amr Elsadr (NCSG)
33:46
I have no problem with this being included in the scope of the evolutionary model, but want to note that I find discussing details of the scope of that mechanism to be problematic.
Marc Anderson (RySG)
37:28
having trouble hearing Janis
Amr Elsadr (NCSG)
39:31
I’m also having trouble hearing Janis.
Mark Svancarek (BC)
39:51
I think he said "Margie"...
Terri Agnew
41:32
Members, reminder: please select all panelists and attendees in order for everyone to see chat
Amr Elsadr (NCSG)
42:41
@Janis: +1
Margie Milam (BC)
44:55
+1 Laureen
Matt Serlin (RrSG)
46:20
The role of ICANN compliance is to ensure contracted parties abide by policy…not sure it’s in their remit to ensure they are complying with the law…
Matt Serlin (RrSG)
46:33
Lol what Marc said…
Amr Elsadr (NCSG)
46:35
@Matt: +1
Milton Mueller (NCSG)
47:52
exactly Owen, ICANN compliance monitors compliance with ICANN’s own contracts
Margie Milam (BC)
49:19
+1 Alan G
Owen Smigelski (RrSG)
49:40
ICANN Compliance does not have the authority to overrule a contracted party’s decision.
Margie Milam (BC)
53:35
+1 Laureen
Alan Woods (RySG)
54:52
You have pointed out a prima facie procedural. … ICANN will not need to second guess the result - but the fact that they have denied 100% of requests.
Thomas Rickert (ISPCP)
55:00
ICANN compliance could step in if the contracted party does not respond or does not offer a rationale for not disclosing. That would not be a response that requires legal assessment.
Matt Serlin (RrSG)
55:15
+1 Thomas
Amr Elsadr (NCSG)
55:19
@Thomas: +1
Marika Konings
55:27
See also: “ICANN Compliance MUST make available an alert mechanism by which requestors as well as data subjects whose data has been disclosed can alert ICANN Compliance if they are of the view that disclosure or non-disclosure is the result of systemic abuse by a Contracted Party. This alert mechanism is not an appeal mechanism – to contest disclosure or non-disclosure affected parties are expected to use available dispute resolution mechanisms such as courts or Data Protection Authorities – but it should help inform ICANN Compliance of potential systemic abuse which should trigger appropriate action.”
Alan Woods (RySG)
55:32
+1 Thomas
Owen Smigelski (RrSG)
55:48
+1 Thomas
Thomas Rickert (ISPCP)
58:26
Janis, Laureen, I just raised my hand to point to the proposal I made in the chat above as I think it can help resolve the point in this call.
Amr Elsadr (NCSG)
01:00:29
ICANN Compliance didn’t say they can’t step in. They just explained the circumstances by which they CAN step in.
Owen Smigelski (RrSG)
01:00:51
There is no requirement that contracted parties disclose data when requested.
Matt Serlin (RrSG)
01:01:08
I think assuming a CP denies every request it receives is a “systematic failure” isn’t really proper…a registrar may only get a handful of requests, review them and deny them all correctly
Laureen Kapin (GAC)
01:01:38
@ Milton, no what we're asking is to avoid language that precludes ICANN Compliance from considering
Margie Milam (BC)
01:01:51
+1 Laureen
Owen Smigelski (RrSG)
01:02:00
ICANN Compliance is not in a position to do the balancing test
Margie Milam (BC)
01:02:21
Balancing test isn't required in all cases
Margie Milam (BC)
01:02:37
There are other legal bases that apply
Owen Smigelski (RrSG)
01:03:02
Just like ICANN Compliance does not tell a registrar whether or not they should (or should not) suspend a domain name due to an abuse complaint.
Milton Mueller (NCSG)
01:03:20
of course there are
Milton Mueller (NCSG)
01:03:59
exactly Marika, all we are hearing now is that certain stakeholders don’t trust that
Alan Woods (RySG)
01:05:43
is the problem with the request or the disclosure?
Owen Smigelski (RrSG)
01:05:46
Perhaps there is no need for balancing test for some law enforcement requests, but for IP matters, yes, the contracted party should always have the option to do a balacing test.
Milton Mueller (NCSG)
01:06:41
Mark what kind of recourse is not available in the “systematic abuse” paragraph that Marika just read
Owen Smigelski (RrSG)
01:06:42
And by “balacing” I mean “balancing”
Margie Milam (BC)
01:07:20
Balancing test isn't needed when there is no personal data
Mark Svancarek (BC)
01:07:37
I'd like to see some oversight within the policy itself, as opposed to "go to court", which is a response we've been encountering already
Alan Greenberg (ALAC)
01:09:26
Do we even have confirmation from ICANN Compliance that they are able to respond to alerts?
Milton Mueller (NCSG)
01:09:37
what?!? individual cases?
Margie Milam (BC)
01:11:00
ICANN’s compliance processes could evolve
Matt Serlin (RrSG)
01:11:00
Good point…
Margie Milam (BC)
01:11:14
That’s not true
Margie Milam (BC)
01:11:28
It could have been disclosed previously
Volker Greimann (RrSG)
01:11:30
it is not?
Margie Milam (BC)
01:11:34
Per our automation use cases
Matt Serlin (RrSG)
01:11:42
It could have been updated too after that point
Margie Milam (BC)
01:12:29
We would know if it's updated by looking at the last update in the record
Milton Mueller (NCSG)
01:12:32
=1
Stephanie Perrin (NCSG)
01:12:42
1. If ICANN compliance is going to contradict a decision of the CPS, then they are acting as a co-controller, in a relationship where ICANN has become the principal controller. I do not recall us arriving at this decision.
Milton Mueller (NCSG)
01:12:51
spinning spinning spinning, getting nowhere
Volker Greimann (RrSG)
01:13:02
if it has been disclosed previously, it clearly is not a bad actor. and it would only be disclosed to the earlier requestor
Volker Greimann (RrSG)
01:13:10
i fail to see your point
Amr Elsadr (NCSG)
01:13:42
@Volker: +1. This is supposed to be about systemic abuse, not complaints against individual cases.
Margie Milam (BC)
01:14:07
We don’t agree with that result
Owen Smigelski (RrSG)
01:14:23
+1 Volker
Owen Smigelski (RrSG)
01:14:44
@Margie- just because you ask for data, does not mean you will always get it.
Amr Elsadr (NCSG)
01:17:00
What page are we on in the final report, please?
Berry Cobb
01:17:16
35
Amr Elsadr (NCSG)
01:17:21
Thanks, Berry.
Matt Serlin (RrSG)
01:20:30
I’m logging off now and tagging Sarah in my place…thanks Sarah!
Milton Mueller (NCSG)
01:23:46
no objection. Must leave for another meeting
Milton Mueller (NCSG)
01:23:57
well done Volker
Sarah Wyld (RrSG)
01:25:32
As Volker is saying, this is within the ICANN context
Sarah Wyld (RrSG)
01:25:36
Not general administrative proceedings
Sarah Wyld (RrSG)
01:26:00
(like, yes UDRP, no civil court litigation)
Sarah Wyld (RrSG)
01:27:18
+1 Volker. Not including 'potential' proceedings, only actual ones
Sarah Wyld (RrSG)
01:30:06
I don't think it needs to be formalized with a fourth priority level
Hadia Elminiawi (ALAC)
01:33:49
ok
Sarah Wyld (RrSG)
01:37:48
Can we please see the relevant text on the left side?
Sarah Wyld (RrSG)
01:38:05
thank you
Stephanie Perrin (NCSG)
01:38:08
Did we define digital service provider?
Georgios Tselentis (GAC)
01:39:27
Digital service provider is a term if I am not mistaken used in NIS
Mark Svancarek (BC)
01:39:32
It's defined outside of policy, but definition is not included in the policy right now. "Digital service provision" is also not defined in the policy.
Georgios Tselentis (GAC)
01:39:42
+1 Margie
Stephanie Perrin (NCSG)
01:40:18
If we are going to include it, we need to define it both in the definitions and at its first use.
Marika Konings
01:40:56
Would be great if someone could send us the link to the law referenced for inclusion in the footnote.
Amr Elsadr (NCSG)
01:41:23
@Marika: +1 - difficult to support or reject this without understanding the full background.
Sarah Wyld (RrSG)
01:42:25
wouldn't disclosure due to a legal obligation be included under (i)?
Hadia Elminiawi (ALAC)
01:42:34
+1 Margie keep the Digital service provider with a footnote with the definition
Sarah Wyld (RrSG)
01:43:23
+1 Stephanie
Amr Elsadr (NCSG)
01:44:18
Is there a specific part of the NIS Directive we should be looking at to understand this?
Stephanie Perrin (NCSG)
01:44:24
They are things, not purposes….I am actually asking for illustrations.
Sarah Wyld (RrSG)
01:45:25
we lost you after "look forward to seeing"
Georgios Tselentis (GAC)
01:46:32
digital service providers are subject to obligations NIS directive if this helps
Amr Elsadr (NCSG)
01:49:18
@Georgios: Thanks, but if there’s a specific part of the NIS Directive that’ll help us understand the DSP purpose, that’d be great.
Amr Elsadr (NCSG)
01:49:49
Thanks, Margie: I was looking at this: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC
Amr Elsadr (NCSG)
01:51:01
@AlanG: Phase 1 allowed for legal and natural persons’ personal information to be treated the same. I don’t recall redaction being specified.
Alan Woods (RySG)
01:51:18
yes … a VALID request.
Margie Milam (BC)
01:51:41
Resubmitting my chat as I didn’t have it set to all attendees: https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/
Sarah Wyld (RrSG)
01:52:32
I don't think that receiving a request is itself a legal basis to process data, though. First the controller has to review the request to see if it includes a lawful reason to process
Sarah Wyld (RrSG)
01:53:20
I like Volker's idea of letting the relevant controller determine the order of operations
Stephanie Perrin (NCSG)
01:53:52
Agree with Sarah. If it were, then you would have to state that you are gathering data to disclose it. I don’t think you are.
Owen Smigelski (RrSG)
01:54:49
+1 Sarah
Thomas Rickert (ISPCP)
01:55:27
Isn’t it sort of funny how much discussion we could have avoided if we had just sorted out the controller question earlier?
Amr Elsadr (NCSG)
01:55:35
@AlanW: +1
Brian King (IPC)
01:55:42
Doesn’t the CGM ensure sufficient minimal request elements?
Mark Svancarek (BC)
01:55:48
Thomas, "funny" is not the word I would use
Amr Elsadr (NCSG)
01:55:49
@Thomas: sigh
Georgios Tselentis (GAC)
01:56:06
+1 Thomas
Sarah Wyld (RrSG)
01:57:33
I think we should stick with the order that the RySG team proposed, not changing it as it is here
Stephanie Perrin (NCSG)
01:58:31
Thank you Thomas! And may I add, nothing gets “standardized” if no-one is taking the accountability for that process of standardization…..
Alan Woods (RySG)
01:59:38
Hadia, you do accept that the controller also needs a legal basis to process personal data yes? Saving time is not a good legal basis-
Alan Woods (RySG)
01:59:48
in fact it would be a very very bad legal basis
Alan Woods (RySG)
02:01:22
"some" grounds - that the request is not valid. Also - paying for something is a bit of a misnomer here - this is not a transaction.
Alan Woods (RySG)
02:01:25
Also 'concealing' ?
Margie Milam (BC)
02:01:36
+1 Brian
Margie Milam (BC)
02:02:16
This is an example of where compliance should be able to enforce
Alan Greenberg (ALAC)
02:04:44
NO. Phase 1 allowed CP to treat Legal and Natural persons in the same way IN WHAT IS PUBLISHED IN THE PUBLIC RDS.
Margie Milam (BC)
02:05:26
CPH would never get the request if it isn't properly formed because the Gateway wouldn’t forward it
Brian King (IPC)
02:05:34
If CPs have concrete concerns about how SSAD would allow faulty requests through to them, we need to improve the SSAD.
Alan Woods (RySG)
02:05:39
Thank you Amr - 100% agree
Marc Anderson (RySG)
02:06:42
@Alan - can you point out where in the phase 1 recommendation the legal vs Natural recommendation is restricted to what is published in the public RDS... I'm looking at Rec 17 and that doesn't seem to be the case.
Amr Elsadr (NCSG)
02:07:31
@Hadia: The point is that to go through these steps and process personal information, the CP has to have its own legal basis for doing so. All we’re asking is that the requestor provide this in the request. Why is that such a big ask?
Amr Elsadr (NCSG)
02:08:26
@Stephanie: +1
Alan Greenberg (ALAC)
02:10:02
You do not need a legal basis for releasing information that did not have to be redacted to begin with.
Alan Woods (RySG)
02:10:31
I shall ….
Hadia Elminiawi (ALAC)
02:10:44
yes
Amr Elsadr (NCSG)
02:10:50
@AlanG: How would anybody know what kind of data is being processed, until after it’s been processed?
Brian King (IPC)
02:11:09
I want to say yes if possible. Need to see the language
Amr Elsadr (NCSG)
02:11:11
All we need is for the request to be submitted correctly.
Alan Greenberg (ALAC)
02:11:46
As Mark and Brian said, if a request from an authenticated user is validated by the SSAD, there is a legal basis.
Hadia Elminiawi (ALAC)
02:11:55
+1 Brian need to see the language
Thomas Rickert (ISPCP)
02:12:13
The easiest solution to natural vs legal is an opt-in scheme that can be deployed easily….
Thomas Rickert (ISPCP)
02:12:25
I am sure companies would avail themselves of that opportunity
Berry Cobb
02:13:27
@Thomas that is part of Rec12 from Phase 1....for new registrations from some set date. Then of course, how does that get implemented for previously registered/active domains.
Alan Greenberg (ALAC)
02:13:44
@Thomas, the problem is that there are plenty of legal entities with no personal data in their record to PREFER to be kept hidden.
Thomas Rickert (ISPCP)
02:14:10
I know, Berry. I am just mentioning it as some interventions sound like we do not have means to make business owner’s data available
Georgios Tselentis (GAC)
02:14:15
@Thomas I don't know whether it is a solution but it is a good start keeping in mind that bad actors would not opt for that
Alan Greenberg (ALAC)
02:15:32
@Thomas, Phase 1 already required CT to allow a registrant to say their data should be public. If they ever get around to doing it.
Thomas Rickert (ISPCP)
02:15:45
@Alan and Georgios: I guess that is for the market to solve. European distance selling provisions require publication of an imprint. Consumers then need to take a decision whether or not they want to trust a website that does not have an imprint. Same logic here....
Sarah Wyld (RrSG)
02:16:17
It's unfair to suggest that CPs are not allowing registrants to opt in to publish data. If that is happening then ICANN Compliance can handle it, it's not material here
Thomas Rickert (ISPCP)
02:16:20
The opt-in should be promoted at some points Registrars can campaign for that…
Sarah Wyld (RrSG)
02:16:45
I like Janis and Volker's suggestion that all these steps are at the CP's discretion for what order to do it in
Owen Smigelski (RrSG)
02:18:03
Registrants can indeed request to have their data published (with proper consent). It does indeed happen, and even Compliance has noticed.
Stephanie Perrin (NCSG)
02:18:31
Thomas is correct. If we spent more time pushing regulatory authorities in legal jurisdictions to regulate companies selling on the Internet, and not rely on the DNS to do it, we would be much further ahead. Criminals are not likely to authenticate as corporations or companies. I am curious as to how lawyers acting as proxies for businesses are going to respond to an authentication requirement.
Brian King (IPC)
02:22:02
Also not comfortable with the “whatever order you want” approach, especially until we see Alan W’s saving grace language
Hadia Elminiawi (ALAC)
02:22:27
we are waiting for Alan W language
Brian King (IPC)
02:25:06
thanks all
Sarah Wyld (RrSG)
02:26:24
Thanks, all
Hadia Elminiawi (ALAC)
02:26:25
Thank you all bye
Amr Elsadr (NCSG)
02:26:30
Thanks all. Bye.