Julie Bisland's Personal Meeting Room
Marc Anderson (RySG)
41:51
Original text: Absent that input, we may be forced to focus our efforts on policy recommendations aimed at improving the existing distributed model. Text proposed by James in consultation with board liaisons: Absent that input, the EPDP work must abandon the centralized SSAD model, and shift its focus to policy recommendations aimed at improving the existing distributed model in which each registry and registrar independently evaluates, applies their own balancing test, and responds to queries on a case by case basis. Janis proposal: Reply to this letter would greatly facilitate the work of the Team towards Initial Report.
Matt Serlin (RrSG)
43:10
Thanks James…I think the fact our Board liaisons thought that language is appropriate lends weight to its inclusion in our transmission
Mark Svancarek (BC) (marksv)
43:16
I support the sending of the letter.
Alan Woods (RySG)
43:22
agreed Matt.
Mark Svancarek (BC) (marksv)
43:36
+1 Matt
Mark Svancarek (BC) (marksv)
43:54
(in spite of my stated concerns)
Ayden Ferdeline (NCSG)
44:44
I agree with James re: letter
Ashley Heineman (GAC)
45:02
James - did you say GAC objection to the letter?
Margie Milam (BC)
46:10
I agree with Milton
Mark Svancarek (BC) (marksv)
46:25
+1 Milton
James Bladel (RrSG)
46:33
@Ashley - only the last sentence. Or did I misunderstand Brian’s email on this point?
Ashley Heineman (GAC)
46:47
You misunderstood.
Milton Mueller (NCSG)
46:53
But we do need a very sharp statement to the board
Jennifer Gore (IPC)
48:33
I agree with Ashley on the sense of urgency; however, the IPC is not in support of the tone associated with abandoning of a centralized model.
Becky Burr (ICANN Board Liaison)
49:26
If the result, in the absence of a clear response, is that CPs rather than a central gatekeeper apply the balancing test on a case by case basis, that needs to be clearly stated.
Hadia Elminiawi (ALAC)
49:39
+ 1 Greg
Alan Greenberg (ALAC)
49:49
@Gred, doesn't "depending upon the model" cover that?
Alan Greenberg (ALAC)
49:57
Greg
Amr Elsadr (NCSG)
50:14
Is it just me, or do we need a definitive answer from ICANN asap, so that we can proceed with our own work with some assurance on how the Board might ultimately handle them? Why are we debating asking them to be clear on this, in no uncertain terms?
Julf Helsingius (NCSG)
51:17
+1 Amr
Matt Serlin (RrSG)
52:08
Maybe it’s just the “must abandon” that needs to be refined…
Greg Aaron (SSAC)
52:16
So the end of the second paragraph could read: "All of the proposed “centralized” SSAD models presume that ICANN will assume some sort of operational role. In some models, ICANN could assume some degree of responsibility and liability for decisions to disclose non-public data to a third-party requester."
Ashley Heineman (GAC)
52:30
how about adding "may" and move on. This letter needs to get out.
Jennifer Gore (IPC)
52:37
James, I would be happy to help modify the last sentence
Jennifer Gore (IPC)
52:42
today
Alan Greenberg (ALAC)
52:46
Let's get it out today.
Ashley Heineman (GAC)
53:06
+1 Alan
James Bladel (RrSG)
53:06
Jen - please send draft text. Thx.
Chris Lewis-Evans (GAC)
53:08
+1 Alan
Amr Elsadr (NCSG)
53:13
@Matt: +1
Hadia Elminiawi (ALAC)
53:24
+1 Alan
Jennifer Gore (IPC)
53:24
ok
Becky Burr (ICANN Board Liaison)
53:37
What about: “Absent that input, the EPDP must shift its focus to policy recommendations aimed at improving the existing distributed model in which ear registry and registrar independently evaluates, applies its own balancing test, and responds to queries on a case by case basis.”
Becky Burr (ICANN Board Liaison)
54:13
Leaves room for some form of centralization
Matt Serlin (RrSG)
54:28
I like that assuming ear is each :)
James Bladel (RrSG)
54:33
Yes. Anyone with draft text, please send to me off list. Thx
James Bladel (RrSG)
54:44
I am NOT collecting edits in the chat window. Thx. :P)
Alan Greenberg (ALAC)
55:00
I can accept Becky's sentence
Milton Mueller (NCSG)
58:43
sorry to ask, but could we have the google doc link for block F
Marika Konings
01:00:58
https://docs.google.com/document/d/1zAEBygpoddKOJOfb1whMtaQHcik856aZZc9BoDk392E/edit
Farzaneh Badii (NCSG)
01:02:23
Can you hold an individual accountable ?
Hadia Elminiawi (ALAC)
01:02:34
@Marc I agree with you, I can't see the logic behind it
Milton Mueller (NCSG)
01:02:44
am I the only person hearing a clicking sound?
Ashley Heineman (GAC)
01:02:45
For F, a - how accredited entities can be legal persons or individuals. :-)
Ashley Heineman (GAC)
01:02:55
"how about" that is.
Julf Helsingius (NCSG)
01:02:58
I hear a clicking too
Milton Mueller (NCSG)
01:03:34
individuals can be authenticated
Alan Woods (RySG)
01:05:23
I agree with Alan in concept - but surely that's a matter for the company managing their personnel
Alan Greenberg (ALAC)
01:05:59
@Alan W, yes, but we need to specify that such rules/procedures are in place.
Farzaneh Badii (NCSG)
01:06:00
So can individuals authorize other SSAD users?
Alan Greenberg (ALAC)
01:07:09
@Farzaneh, I think you are asking whether an authorized person (either for themselves or on behalf of a legal entity) can have an agent.
Matt Serlin (RrSG)
01:08:55
I don’t think we want to force individuals to be accredited…there should still be a path to use SSAD for non-accredited individuals IMO
Margie Milam (BC)
01:09:04
+1 Matt
Margie Milam (BC)
01:09:31
I thought we agreed on possibility of non-accredited to submit requests
Alan Greenberg (ALAC)
01:09:39
Accreditation is not just a verification of identity.
Amr Elsadr (NCSG)
01:10:06
What other purpose would it serve, Alan?
Alan Greenberg (ALAC)
01:10:13
We are talking accreditation here, not whether ALL users need to be accredited.
Greg Aaron (SSAC)
01:10:48
People can always submit disclosure requests outside the SSAD system.
Alan Greenberg (ALAC)
01:10:53
They would certify that they will use the data for specific purposes and comply with a code of conduct.
Amr Elsadr (NCSG)
01:11:35
@Janis: Right. Tying automation to this would be dependent on verification of identity via accreditations, so basically the same thing.
Amr Elsadr (NCSG)
01:12:34
@Alan G: My assumption is that complying with what you’re describing would be required of anyone to whom disclosure is granted, accredited or not.
Milton Mueller (NCSG)
01:13:47
It seems no one wants to exclude individuals from accreditation, so why are we bogging down on this?
Milton Mueller (NCSG)
01:15:23
sigh
Hadia Elminiawi (ALAC)
01:15:57
in all cases the RDAP will be used so why have different systems
Milton Mueller (NCSG)
01:16:30
sigh
Milton Mueller (NCSG)
01:16:53
we didn't get there
Alan Woods (RySG)
01:18:14
Ok so automation as to getting to the 'decision' as opposed to the additional ID verification stage required for nonaccredited.
Alan Woods (RySG)
01:18:25
(with the decision not being automated)
Mark Svancarek (BC) (marksv)
01:19:18
ouch
Milton Mueller (NCSG)
01:20:28
:-)
Milton Mueller (NCSG)
01:20:40
saw no issues with b, so skipped it.
Milton Mueller (NCSG)
01:20:49
not walking with dignity
Milton Mueller (NCSG)
01:24:46
I am ok with adding "alone" where Brian puts it
stephanieperrin
01:26:11
my apologies for being late
Amr Elsadr (NCSG)
01:26:16
@Janis: +1
Matt Serlin (RrSG)
01:28:26
At one point we talked about having a list of definitions as part of our work I believe
Marika Konings
01:28:34
This is the definition that Alex developed: “Accreditation - An administrative action by which a designated authority declares that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards."
Hadia Elminiawi (ALAC)
01:29:26
makes sense
Marika Konings
01:30:13
But as previously mentioned, the definitions will ultimately need to be aligned with what the EPDP Team is going to recommend
Milton Mueller (NCSG)
01:30:33
I think Alex lifted that definition from IETF or some other technical document. As such, it's unobjectionable but a bit abstract
Marika Konings
01:31:04
@Milton - correct, the footnote got dropped: RFC 4949 - “Internet Security Glossary, Version 2”, p. 13
Marika Konings
01:33:04
Amr - How about something like: ‘in case of system abuse or in cases where pre-requisites for accreditation no longer exist’
Amr Elsadr (NCSG)
01:33:24
@Marika: Yeah…, that sounds much better.
Amr Elsadr (NCSG)
01:33:29
@Alan G.: +1
Amr Elsadr (NCSG)
01:34:20
@Margie: Yeah, the renewal process is not a bad idea.
Marika Konings
01:34:42
I believe renewal is mentioned somewhere further below
Margie Milam (BC)
01:34:53
thanks!
Alan Greenberg (ALAC)
01:35:24
Certainly an IP attorney ceasing to practice is a reason for de-accred. So let's stick to princip. and leave to imple.
Milton Mueller (NCSG)
01:38:20
again I think people are confusing accred with authorization. An IP attorney who retires may still want to request disclosure of Whois data for whatever reason. If his request is based on a legit interest and sound legal basis, it can still go through. All the accred gets you is easier authentication and a way of punishing him if he misuses data
Milton Mueller (NCSG)
01:38:53
accreditation does NOT guarantee that the no-longer-IP attorney will get disclosure
Alan Woods (RySG)
01:39:13
+1 Milton
Stephanie Perrin (NCSG)
01:42:39
+1 Milton
Berry Cobb
01:43:13
Marika, we lost your audio.
Hadia Elminiawi (ALAC)
01:43:36
we also lost the text on the screen
Milton Mueller (NCSG)
01:46:22
Correct, Janis, merge G and h
Volker Greimann (RrSG)
01:47:41
I think we should get rid of this section. Fees are not policy
Matt Serlin (RrSG)
01:47:58
Agree with Margie that fees for SSAD should be separated out from accreditation fees here
Volker Greimann (RrSG)
01:48:14
It also adds no value as a one cent per hundred requests rebate would also satisfy this
Margie Milam (BC)
01:49:14
Chris's approach works for me too
Marika Konings
01:49:29
Made it back - apologies for the connectivity issues
Margie Milam (BC)
01:49:55
I have to drop to drive but will stay on phone
Amr Elsadr (NCSG)
01:50:25
@Janis: I don’t think it is part of what we should be doing.
Milton Mueller (NCSG)
01:50:32
I disagree
Stephanie Perrin (NCSG)
01:50:45
I think we should not discuss the cost structure, but we need to acknowledge that there are Significant costs involved here…that is a policy issue.
Amr Elsadr (NCSG)
01:50:56
@Stephanie: +1
Amr Elsadr (NCSG)
01:52:13
OK…, I find Milton’s comment persuasive.
Stephanie Perrin (NCSG)
01:52:32
no more free riders. It would be nice if Milton the economist could reword that one for me.
Chris Lewis-Evans (GAC)
01:52:59
My language was: The accreditation service may be part of a cost recovery system.
Milton Mueller (NCSG)
01:53:43
well Chris that leaves a bit too open the question of who the costs are recovered from.
Milton Mueller (NCSG)
01:53:55
I don't want registrants paying for it
Marika Konings
01:54:51
This should be updated to read ‘organizations and individuals'
Milton Mueller (NCSG)
01:55:40
+1 to Hadia's point
Milton Mueller (NCSG)
01:56:07
point j) seems to assume the user-group model of accreditation
Chris Disspain (ICANN Board Liaison)
01:57:36
I am dropping off the call now….Take care all…
Hadia Elminiawi (ALAC)
01:58:07
@ Alan I agree with what you said, but practically speaking how does this reflect as an output
Alan Greenberg (ALAC)
01:58:31
Whether this is a POLICY or an IMPLEMENTATION issue is a good question.
Alan Woods (RySG)
01:58:32
This just reads ... to be blunt ... some people should be treated better because they are bigger and more important.
Amr Elsadr (NCSG)
01:58:39
@Marc: Good point.
Alan Woods (RySG)
01:58:45
...... not a huge fan of it!
Amr Elsadr (NCSG)
01:59:01
Agree with Marc and Hadia.
Amr Elsadr (NCSG)
01:59:09
…, and Alan W.
Alan Woods (RySG)
01:59:51
+1
Milton Mueller (NCSG)
01:59:52
support deletion
Stephanie Perrin (NCSG)
02:00:17
I think folks need to remember that in the DP world, law enforcement (who are easy to identify, backed by governments and in many cases parliamentary oversight) do not get special status in matters of data requests. I think people are still imagining easy tiered access.
Milton Mueller (NCSG)
02:00:26
nope. no reformulation, just deletion
Milton Mueller (NCSG)
02:00:39
yay
Ashley Heineman (GAC)
02:00:54
what does that mean?
Marika Konings
02:01:59
As Volker said :-)
Ashley Heineman (GAC)
02:02:14
I think this needs tidying up a little bit.
Marika Konings
02:02:53
I believe our charter refers to ‘credentials’ but I think ‘tokens’ has also been used.
Marika Konings
02:03:20
How will SSAD know that these users are accredited if the accreditation authority does not confirm that through a token or credential to SSAD?
Alan Woods (RySG)
02:03:25
perhaps there is a means to verify accredited users in real time or something like that.
Milton Mueller (NCSG)
02:04:05
right, Marika. Wording is a bit awkward but the idea is correct
Alan Greenberg (ALAC)
02:07:40
James has sent in his proposed letter changes. Perhaps we can go back to that before we run out of time and get the letter dispatched ASAP.
Marika Konings
02:08:04
Please see under fees - f
Marika Konings
02:08:16
Accredited organizations must renew their accreditation annually.
Chris Lewis-Evans (GAC)
02:08:32
Accredited parties must renew their accreditation periodically?
Hadia Elminiawi (ALAC)
02:08:36
+1 Alan G
Stephanie Perrin (NCSG)
02:08:55
on an ongoing basis is a better formulation.
Stephanie Perrin (NCSG)
02:09:45
annually is not good enough, particularly given the mobility of the labor force and the fact that you want to accredit cybersecurity professionals. No contract, no accreditation.
Marc Anderson (RySG)
02:09:50
Some good suggestions in chat
Marc Anderson (RySG)
02:10:25
the fees section doesn't seem the right place to put the concept of renewals and expiration of accreditation.
Hadia Elminiawi (ALAC)
02:10:46
+1 Janis
Stephanie Perrin (NCSG)
02:11:15
Like every other security privilege, one of the hardest things to police is the removal of privileges to access personal data. Needs to be ongoing.
Stephanie Perrin (NCSG)
02:11:22
and audited
Stephanie Perrin (NCSG)
02:12:50
this should be controlled in the same manner that most companies manage downsizing….walking the employee out with their cardboard boxes. Access privileges need to be part of that protocol.
Milton Mueller (NCSG)
02:14:06
agree, Steph, but remember, accreditation is not authorization
Stephanie Perrin (NCSG)
02:15:09
agreed, but it must be accurate. Failure to police leads to opportunity for abuse.
Stephanie Perrin (NCSG)
02:16:54
In other words, when the employee loses their access badge they should cease to be accredited as an employee eligible to request under the circumstances set out for the employer (e.g. law firm, cybersecurity firm, LEA, etc.). Sorry to beat this dead horse but I like specificity.
Stephanie Perrin (NCSG)
02:17:34
This is a required management practice under DP law.
Hadia Elminiawi (ALAC)
02:18:43
it is just an initial thought, to start the discussion. The answer though depends on the model in my opinion
Marika Konings
02:19:38
Will do
Hadia Elminiawi (ALAC)
02:19:45
Agree with mark
Hadia Elminiawi (ALAC)
02:20:51
what Marc suggests sets the principle and avoids relating it to the model
James Bladel (RrSG)
02:25:38
Thanks, Alan
Matt Serlin (RrSG)
02:27:11
Seems not like a policy principle but more implementation
Stephanie Perrin (NCSG)
02:27:47
Agree with Amr.
Mark Svancarek (BC) (marksv)
02:27:54
+1 Amr
Alan Woods (RySG)
02:28:08
+1 Amr
Matt Serlin (RrSG)
02:28:13
+1 Amr…could be the case for a lot of our work to date
Stephanie Perrin (NCSG)
02:28:26
+1 Matt.
Stephanie Perrin (NCSG)
02:28:45
Lots will change if we get different controllership scenarios
Marika Konings
02:29:26
@Amr - is it your expectation that the requirements for responses and timeline are different depending on who the entity disclosing the data is?
Amr Elsadr (NCSG)
02:30:22
@Marika: No…, more who decides that a disclosure request is inconsistent with policy/law, the ability to seek a ruling from Compliance, etc…
Hadia Elminiawi (ALAC)
02:30:42
@Marc yes what if the request passes, what should be expected.
Amr Elsadr (NCSG)
02:30:46
Sorry…, that probably wasn’t clear.
Milton Mueller (NCSG)
02:30:59
gotta go, folks. bye
Marika Konings
02:31:02
I think this building block is specifically about response requirements and timelines, not who would be deciding
Amr Elsadr (NCSG)
02:31:09
Depending on who is deciding and disclosing, this Building Block might need to be revised.
Marika Konings
02:33:32
That is probably something that applies to all building blocks? Or at a minimum they will need to be checked for consistency with ultimate decision on responsibilities.
Amr Elsadr (NCSG)
02:33:32
@Marika: Right…, as well as what follow-up actions a requestor might be able to seek, should it disagree with a refusal to disclose data.
Amr Elsadr (NCSG)
02:34:11
@Marika: Yeah…, you’re very likely right.
Marika Konings
02:34:17
Correct, that is also one of the elements that is covered in this building block. Any suggestions for that part would be helpful too as I think there were some concerns expressed about existing wording.
Ashley Heineman (GAC)
02:35:37
before Montreal would be awesome.
Alan Greenberg (ALAC)
02:35:40
No later than...
Matt Serlin (RrSG)
02:35:48
+1 Ashley
Ashley Heineman (GAC)
02:36:13
+1 James
Alan Woods (RySG)
02:36:27
+1 James
Chris Lewis-Evans (GAC)
02:36:35
+1 JB
Ashley Heineman (GAC)
02:36:42
"we would appreciate a response by...."
James Bladel (RrSG)
02:36:47
Agree with Marc. We’ll hear back when they have something to tell us.
Ashley Heineman (GAC)
02:37:17
I'm not as convinced that they'll be working at our same level of urgency if we aren't somewhat explicit in our expectations.
Amr Elsadr (NCSG)
02:37:28
@Ashley: +1
James Bladel (RrSG)
02:37:29
+1 Alan. This is like a ship captain asking if we are on the right course. WE aren’t stopping the ship, so the longer they take to confirm (or change) our course, the more at-risk our work between now and then.
Matt Serlin (RrSG)
02:37:38
Agree with Ashley…I like the “we would appreciate a response by…”
Matt Serlin (RrSG)
02:37:47
not to propose text in the chat :)
Amr Elsadr (NCSG)
02:38:06
@Matt: Agree.
James Bladel (RrSG)
02:38:16
Thanks Janis.
Amr Elsadr (NCSG)
02:38:26
2-hour what?
James Bladel (RrSG)
02:38:30
Thanks all...
Ashley Heineman (GAC)
02:38:36
2 hours for providing input on letter
Chris Lewis-Evans (GAC)
02:38:42
Thanks all
Hadia Elminiawi (ALAC)
02:38:43
Thank you all bye
Ashley Heineman (GAC)
02:38:44
Or not saying anything and it will then go through
Amr Elsadr (NCSG)
02:38:45
Ah…, thanks, Ashley. :-)
Rafik Dammak (GNSO Council Liaison)
02:38:47
thanks all