+1

my apologies for being late

I did want to clarify that ALAC’s comments do not yet appear in the Staff document, as those comments were received after the deadline.

Hi all, just joined. Sorry for being late.

Hello all - sorry for being late

I didn't see this on the agenda

Could we pull up the Belgian letter please

Are you saying Mark it is unclear whether CP's control their subscribers' data?

@Milton: No, that isn't what I am claiming

ok but then i don't understand what you are saying

We prefer not to refer only to elements of advice, but rather on the whole picture

ICANN sets policy, enforces it, and manages the relationship with contracted parties.

I just did in the chat

we have already heard from the DPAs, that controllership is a matter of fact.

+1 James.

+1 James if our work is to be done by the middle of the year, we need to push forward with one model that is the safest route

control != physical control

Setting policy for the management of an industry is also a form of control

You get clarity if you present our concept as a draft code of conduct according to GDPR. Once approved, everyone has legal certainty.

Moreover, you cannot force all contracted parties to implement some complex algorithm associated with automation.

I would like to caution people about the assumption that it is responsible to spend a lot of money to build an intake system that does not produce more predictable output.

If we reject the CPH proposal to chase the Hybrid model now, then perhaps it would be helpful for other groups to articulate their concerns and why they want to continue examining the Centralized model. So when we meet at ICANN 99 somewhere to debate this, it will be clear why we didn’t take the fork in the road back in now

Becky + 1

Becky, that is certainly not an assumption we hold. We have been going on about the costs of this system vis a vis the benefits for some time.

his had is up

sorry, I mean you had said that Stephanie

we needed a proper risk assessment on this whole controllership issue, to clarify the facts, the risks, and the attendant liability.

Becky, I find your comment disingenuous. We are setting policies and standardizing processes for making disclosure decisions. To say that a hybrid model is not predictable and a centralized model is, has no logic behind it.

You are welcome to disagree with me Milton, not sure why it is necessary to suggest I am dissembling

And in response to Disspain, it's becoming increasingly obvious that our board liaisons are here to try to tilt the policy outcome in a way they prefer, not to serve as liaisons

Thank you Georgios for the clarification -

Wow..I wasn’t aware that agreeing with becky was so powerful

Milton, decentralized decisionmaking across thousands of different CPs is going to be far less standardized than centralized decisionmaking.

+1 Georgios we should not abandon the centralized model. Lets try to work on it to make it succeed

I actually have no idea at this point about the differential costs associated with any of the models. The Board has been clear about its desired outcome - a bottom up policy that results in a consistent and predictable user experiece.

experience

@Becky Now you're at least trying to make an argument. As such, I think it's straightforward to answer it. But the policy will be uniform, the procedures will be uniform and ICANN will be in a position to sanction CP's who don't comply with it. I think that's predictable and consistent

What we fear is that a "uniform and consistent" policy means "ICANN decides to disclose to anyone who asks" which is what we all know some people want, and it's the policy ICANN actually enforced for its first 20 years

Volker, liability cannot be reduced for processing under your control. The goal is to reduce the amount of processing under your control. This isn't a purely academic issue, it has real policy impacts.

+1 MarkSv

it boils down to "under its control"

That’s a good point, Stephanie. And not just Contracted Parties, but Registrars. Most customers have no idea who/what ICANN or the Registry is

Milton: that's not a reasonable argument. A cursory look at the dozens of pages of the draft shows we're not developing an automatic disclosure policy.

Milton, there are many ways of guarding against that perfectly reasonable concern. Dealing with the concern by having the answers provided by over 2000 different entities is only one way.

in practical terms, Franck, 90% of the policy hinges on who makes the disclosure decision

Moving toward an effective, consistent and predictable model while taking a bit more time is better than moving quickly with a system that does not work.

+1 Hadia

works for who, Hadia?

When this EPDP dies, remember why we killed it.

@Nilton for the users of the system

sorry Milton

We (NCSG) and most CP's are not going to accept a centralized model, so it's not like we are going to achieve consensus on it eventually

BC isn't going to accept 30-day SLAs

What about a centralized model in which the CPs take a role

@Hadia, so yeah, you are only concerned with the "users of the SSAD" which means those seeking disclosure - not registrants. It's too bad ALAC is no longer interested in representing individual internet users

I do agree with @Stephanie re registrant experience - I thought that was the point about developing bottom up policy regarding how the balancing is undertaken

@Hadia “What about a centralized model in which the CPs take a role”. That’s a Hybrid model.

The chat has gotten quite inflammatory. Let's bring this back to more productive discourse.

We are trying to develop bottom up policy here, Bevky, but we keep getting nudges from the top

@Milton In any of the models all registrants rights are 100% taken care of

@Milton: plz dial down the personal attacks.

@ Milton, I have lost count of the number of times that as a liaison to different community groups I have been told how important it is for us to say if we have any possible concerns about what is being discussed…I’m sorry you don’t like it but I view it as an essential part of our role as liasons

It's not a personal attack to point out that Board members are intervening on policy. That's a process point, Franck.

@Milton what we are trying to do - is finding what would work best and reduce the liability of the CPs

And it's not "personal" to ask why ALAC reps are taking a position that does not seem to be in the interests of who they are supposed to represent. At a personal level, Hadia is very nice

So I don't like it when serious policy disagreements are dismissed as "personal attacks."

"Unreasonable burden on smaller operators": it's unclear whether this refers to ongoing costs or startup costs

Good points as always, Stephanie

@Franck, I was assuming reference was to operational costs

@Milton, my statement - that the costs and benefits of any approach must be considered, and that the costs and benefit of each of the options are likely to be different - strikes me as a statement of fact, not a policy nudge. I certainly have reached no judgment about those costs and benefits at this point.

disproportionately high

to be fair, disappointingly high is also not good :-)

disproportionately high with regards to the available resources to treat such a request"

fine by me, Georgios

@Milton the ALAC position is aligned 100% with the interests of the Internet end users, the loss of the registration data has minor benefits to privacy and major benefits to those harming the network and leading to its insecurity. Most importantly you cannot have true privacy without having a secure network. The ALAC is trying to ensure a network that provides both privacy and security and this is obviously in the best interest of all, Internet users and registrants

To Janis' answer about whether we're talking startup or ongoing costs: following paragraph refers to "the subsequent running of the system." The clear implication is that this paragraph is about startup. If we mean ongoing, let's say ongoing - and then not have different paragraphs deal with the same thing in unclearly overlapping ways.

To be clear, as the other ALAC representative on the EPDP, I support what Hadia has said and would appreciate others not mischaracterizing our motivations and actions.

we hear you

+1 Brian re: "under no circumstances" language.

That's just wrong, Milton. Data will not be disclosed unless the request is necessary.

lol

IPC is happy for SSAD users to contribute to the cost of running the system.

The objection is to the characterization here as a formal policy position.

but @Brian, isn’t this choice a policy decision?

TANSTAAFL

How about “Free to use”. Like the old WHOIS system.

The choice of who pays for it is a policy position we're happy to discuss, and I think we agree that users should contribute.

My objection is to characterizing SSAD as only benefitting the requestors.

Ah, got it

Where is that statement, Marc?

Direct Beneficiaries = Recipients of SSAD data

There is and will be tragedy of commons if usage is detached from cost

I think if I have a monthly request quota, as opposed to a per-request pricing, would be a better attachment of cost to reimbursement

some people would have better data plans than others

so not disagreeing with Milton, just pointing out that we have options

I have a specific comment that can advance things

How would we dump the cost on data subjects, even if we wanted to? (we don't want to)

The way it's done now, Brian, data subjects have to pay to avoid open whois

Also, a general increase in the price of domain name registration could essentially tax users to support the system, especially if there are no usage-sensitive fees

Stephanie, is your dog tearing the house down?

love the bone drop - dogs and kids make noise when mom is on the phone

:-)

Big Christmas bone, tile floor….and it is about 30 below out there, he keeps scratching and going to the patio door, then refuses to go outside…(naked weimaraners, what can I say….)

Meanwhile, at Stephanie's house: https://www.youtube.com/watch?v=Mh4f9AYRCZY

"Under no circumstances" is bad policy language

Being constructive/productive, we're nearly there by removing the second part of the sentence.

Thanks, let's revisit

and move along

I agree with deleting the "neither should operational costs. . . " language.

We could add "for ICANN" before the semicolon

we should add " for ICANN"

jinx!

owe me a Coke®

Why does it mean you can't outsource it?

that's a problem - ICANN should be able to outsource

I think the current wording does address the issue

yes, I like Alan’s suggestion

+1 Stephanie -- I think the language is vague and may lead to unintended restrictions on how to implement this. Why not say something affirmative about how we view the SSAD rather what the system won't be.

+1 Laureen and Stephanie

"outrageous amounts of money" not a very precise term/

I like JAnis' suggestion. Delete business opportunity

Funding should be sufficient to cover cost, including for subcontractors at market cost and to establish a legal risk fund.

Mark is absolutely right here

that was the intent.

And I agree with the concept

I think replacing "will" with "may" solves the problem

+1 Milton

+1 Milton

I'm happy to change to may

don't think that "discretion of the provider" language is necessary

wow. agreement! :-)

<fireworks emoji>

woohoo!

on that note, end the call! quick!

Thanks!

thanks all