Logo

Julie Bisland's Personal Meeting Room
Thomas Rickert (ISPCP)
41:24
Hi all!
Julf Helsingius (NCSG)
43:06
Apologies for being late, GNSO Council meeting ran a bit over time
Brian King (IPC)
44:43
Sounds fine
Chris Disspain
46:15
Hello All, apologies for being late
Amr Elsadr (NCSG)
46:21
In question 1, is “accessor” a real word? :-)
Brian King (IPC)
46:47
@Amr we might have made it up. But I like it!
Amr Elsadr (NCSG)
47:09
:F
Amr Elsadr (NCSG)
47:16
Sorry…, meant :D
Alan Woods (RySG)
50:08
thank you Leon. I appreciate this and I know the task is not an easy one!
León Sanchez - ICANN Board Liaison
50:23
Thank you Alan!
Brian King (IPC)
51:46
We were aware
Volker Greimann (RrSG)
52:01
we were aware that the term has no specific meaning yet
Milton Mueller (NCSG)
52:12
then what kind of an answer do you expect to get?
Steve DelBianco (BC)
52:34
does “Anchor” question help resolve our threshold issue: how GDPR would allow an automatic response to a query from an accredited entity with legitimate purpose.
Brian King (IPC)
52:50
@Milton not to be cheeky: an answer that does not depend on what "accreditation" means
Milton Mueller (NCSG)
53:18
ha
James Bladel (RrSG)
53:26
Sounds exciting at Leon’s house. I’d rather be there.
Volker Greimann (RrSG)
53:29
In my view, the answers will be the same either way. But I saw that parts of the community felt strongly about asking a question I saw as futile.
Farzaneh Badii (NCSG)
53:46
How would that be even possible Brian? You assume in these questions that accreditation is a done deal!
León Sanchez - ICANN Board Liaison
53:48
Yes James!
Milton Mueller (NCSG)
54:42
agree with Amr. "Any updates?" is not very helpful phrasing for an informative answer
Milton Mueller (NCSG)
55:09
although I think that question is probably the most useful one overall
Farzaneh Badii (NCSG)
55:12
I thought one of these questions was going to be asked by ICANN org from the data protection authorities.
Volker Greimann (RrSG)
55:13
James, you get to redo an entire house! What could be more exiting than that
Alan Woods (RySG)
55:16
Amr raises a fair point. The EC letter doesn't actually mention 6(1)b at all from my recollection.
Brian King (IPC)
55:31
I'd be happy to take Amr's concerns into account and revisit that question.
Amr Elsadr (NCSG)
55:50
I don’t recall it mentioning it either, Alan. Find this question to be curious.
Amr Elsadr (NCSG)
55:55
@Brian: Thanks. Appreciate it.
Brian King (IPC)
56:40
@Farzaneh assuming accreditation actually makes that a better question (if we're talking about Q1) because it addresses the concern about abuse of the system
León Sanchez - ICANN Board Liaison
56:47
Thanks Amr. Point noted. I will suggest the Legal Committee that we be more specific on this question 3
Amr Elsadr (NCSG)
57:42
@Brian: Yeah…, I only posted those comments a few hours ago. Wouldn’t be fair to ask you to address them now.
Amr Elsadr (NCSG)
57:57
@Leon: Thanks.
Marika Konings
58:12
You can also access the google doc here: https://docs.google.com/document/d/1ZMK6pw7i3oQ6I26n07kQv7tfsr8zKdBc/edit#
Milton Mueller (NCSG)
59:53
So it wasn't me alone that said it was all 61.f. it was CPH
Farzaneh Badii (NCSG)
01:00:01
but I don’t understand if our comments are not fully addressed then we can’t just move on. SSAC did the same thing in its use case too.
Milton Mueller (NCSG)
01:00:04
and I don't even see 6.1.f in there at all
Farzaneh Badii (NCSG)
01:03:27
What is the use of commenting when the drafters of the document can just disagree and move on? We will not get to any conclusion if we continue like this.
Milton Mueller (NCSG)
01:06:58
Well we have raised it, Janis, the question is how is it resolded?
Milton Mueller (NCSG)
01:07:05
resolved
James Bladel (RrSG)
01:07:08
I maintain that 6(1)(b) is a very shaky legal basis, and should be referred to one of the other 6(1) bases.
Farzaneh Badii (NCSG)
01:07:30
but they don’t change anything and they just disagree with our points and argue with us. How do we settle the issue that other than 6(1)(f) no other clauses apply in this case?
Marika Konings
01:07:35
It may be helpful for the pen holder to note in the use case itself different views expressed and note that there is not necessarily agreement? In that way at least the different views are documented?
Amr Elsadr (NCSG)
01:07:40
@Brian: Right. Thanks…, and if I’m not mistaken, you agree that an appeals process should be in another use case, correct?
Milton Mueller (NCSG)
01:08:01
At a minimum, Marika. But still, we have to attempt to resolve the differences
Amr Elsadr (NCSG)
01:08:23
I can see how 6.1.c might apply to court cases, but not UDRP filings and related data processing requirements.
Brian King (IPC)
01:08:38
@Amr, I'm not sure. Appealing a UDRP decision still feels like the UDRP use case to me. Reasonable minds could differ.
Thomas Rickert (ISPCP)
01:09:36
In my view, we should drop 6 I c and add 6 I f.
Amr Elsadr (NCSG)
01:09:48
I guess it’s less relevant wether it’s a different use case, or the same, so long as we agree on what legal bases are applicable to which processing activities.
Thomas Rickert (ISPCP)
01:10:07
It would also be in line with what we wrote in our first report if I remember correctlz
Thomas Rickert (ISPCP)
01:10:18
correctly
Milton Mueller (NCSG)
01:10:44
correct Thomas
Thomas Rickert (ISPCP)
01:11:04
Ah, I also do not see 6 I a being applicable here.
Brian King (IPC)
01:11:16
We're removing 6.1.a Thomas
Amr Elsadr (NCSG)
01:11:18
Brian said that 6.1.a would be removed.
Brian King (IPC)
01:11:21
sorry I didn't strike that
Amr Elsadr (NCSG)
01:12:04
Yeah…, 6.1.f should be there, if 3rd parties would like data disclosed to them.
Thomas Rickert (ISPCP)
01:12:07
I just wanted to make sure my statement was not understdood as trying to keep 6 I a
Alan Woods (RySG)
01:12:07
sorry
Hadia Elminiawi(ALAC)
01:12:25
when there is a complete disagreement on the legal basis for disclosure, I guess this should be differed to our legal advisers
Farzaneh Badii (NCSG)
01:13:37
Where was the legal question about applying 6(1)(f)? I saw the question about automation
Farzaneh Badii (NCSG)
01:15:00
I really think issue of accreditation should be addressed later on. We haven’t defined it yet and we are setting criteria for it? Does not make sense to me.
Matt Serlin (RrSG)
01:16:59
Just want to point out, the RrSG hasn’t had the chance to review Brian’s comments to our comments and our silence here should not be reflected as us having nothing more to say on the subject
Matt Serlin (RrSG)
01:17:06
We will review and provide further comments
Amr Elsadr (NCSG)
01:18:21
I was thinking about these more as justification for processing of gTLD registration data, rather than accreditation criteria.
Amr Elsadr (NCSG)
01:20:23
@Brian: Yeah…, 1 or 2, then adding 3 to either of them sounds more reasonable to me.
Milton Mueller (NCSG)
01:21:15
oh that's interesting so you are talking about the DRP getting accredited to get disclosure
Milton Mueller (NCSG)
01:21:45
whereas 1 - 3 pertain to the TM holder
Amr Elsadr (NCSG)
01:21:49
Actually, in the case of 2 + 3, 1 would still be necessary to provide evidence of ownership of a TM. So either 1 +3, or 2 + 1 + 3?
Milton Mueller (NCSG)
01:22:29
I think it's a different use case entirely if you are talking about the DRP, then it's probably a 6.1.b
Milton Mueller (NCSG)
01:22:42
Maybe this accounts for some of our disahreements about legal basis
Steve DelBianco (BC)
01:23:21
#3 actually refers to a single individual complaint instance. So 1 of those would be needed to accredit an entity, right?
James Bladel (RrSG)
01:24:20
This is a good point, Milton.;
Steve DelBianco (BC)
01:24:38
But we can’t de-conflate complainer and Dispute provider, since they work together on the filing. And sometimes the complainers does a pre-filing to setup a Provider action.
Matt Serlin (RrSG)
01:24:39
So is it two use cases then?!
James Bladel (RrSG)
01:25:01
And from an operational point of view - one use case (providers) can be entirely automated
Alan Woods (RySG)
01:28:02
can we point out the only 'damned' persons here will be the CPs ... being a bit more mindful of that might be a little bit helpful
Ayden Férdeline (NCSG)
01:28:19
Sound is breaking out… is it an issue on my end?
Volker Greimann (RrSG)
01:28:20
Brian, just no.
Brian King (IPC)
01:28:52
Alan W, respectfully, no way.
Volker Greimann (RrSG)
01:29:05
there is no way to construct a contractual obligation of the data subject to the complainant under any conceivably legal aspect
Brian King (IPC)
01:29:05
I don't know a UDRP complainant who wants to process ill-gotten data
Volker Greimann (RrSG)
01:29:32
yet apparently they want the data anyway?
Brian King (IPC)
01:30:01
@Volker: they need it :-) and need it to be legal
Volker Greimann (RrSG)
01:30:11
6if
Alan Woods (RySG)
01:30:34
point generally at all the data scraping for many ...MANY years ... .... hmmmmmm?
Volker Greimann (RrSG)
01:30:45
and effectively, they only need it to make some very specific aruments.
Milton Mueller (NCSG)
01:31:23
6.1.b. for DRPs, yes. For complainants, nah
Milton Mueller (NCSG)
01:32:38
because the registrants has signed a contract with registrars taht commits them to submit to a DRP.
Milton Mueller (NCSG)
01:32:42
What am I missing here?
Volker Greimann (RrSG)
01:32:53
they are a third party beneficiary
Milton Mueller (NCSG)
01:35:27
sounds like a legitimate interest, yes.
Milton Mueller (NCSG)
01:35:35
doesn't sound like a contractual obligation
Brian King (IPC)
01:37:20
We're happy to note the discussion and viewpoints in the document.
Brian King (IPC)
01:37:24
Thanks Milton for explaining.
Marika Konings
01:37:54
Please see https://docs.google.com/document/d/1iK9ygUOo8ntLWC_7dx3bS195W2ivkqHH/edit?ts=5d4df668
Farzaneh Badii (NCSG)
01:40:01
Marika suggested that we put the disagreements in
Farzaneh Badii (NCSG)
01:40:27
I don’t have the whole suggestion Marika made but I think it was a good one. Gotta scroll up
Amr Elsadr (NCSG)
01:40:46
I think there’s some places where there is considerable disagreement from the NCSG perspective, particularly on the interpretation of articles and recitals being referenced.
Marika Konings
01:41:16
This is what I suggested above: It may be helpful for the pen holder to note in the use case itself different views expressed and note that there is not necessarily agreement? In that way at least the different views are documented?
Brian King (IPC)
01:44:32
Thanks for restating, Marika. I thought I saw that in the flurry of chat above. Good point.
Amr Elsadr (NCSG)
01:47:47
@James: +1, especially the association of malicious activity with inaccurate registration data!!
Alan Woods (RySG)
01:49:08
+1 Milton
Matt Serlin (RrSG)
01:52:09
+1 Marc
Steve DelBianco (BC)
01:52:44
The “descriptive” part of use cases should not be so controversial and should be used to develop policy, as Marc said. The “normative” statements that appear in Use Cases are subject to disagreement. Perhaps we distinguish in use cases to show any statement that is normative or presumptive.
Milton Mueller (NCSG)
01:54:59
it's not a normative disagreement primarily, Steve, it's legal
Milton Mueller (NCSG)
01:55:31
the main issues we are having is people claiming legal bases that make it easier for them to get disclosure regardless of the law
Steve DelBianco (BC)
01:56:29
Agree, Milton. The normative / argumentative part of uses cases is where the pen-holder asserts a legal basis that would be supported by GDPR.
Thomas Rickert (ISPCP)
01:58:42
The researcher might be ok with pseudonzmized data. When crime is involved, one might like actual data.
James Bladel (RrSG)
01:58:51
They may be conflated in the real world, but they have different legal bases for disclosure of personal information. So they should be separate for the purposes of our work.
James Bladel (RrSG)
01:59:09
Sorry: “they” = Crime + Abuse
Milton Mueller (NCSG)
01:59:17
Correct, James. AND, different types of actors (LEAs vs private actors, for example) have different legeal bases
Farzaneh Badii (NCSG)
02:01:23
Crime is established by law enforcement. Security researchers need pattern of registration etc which can be reached by pseudonymized data
Milton Mueller (NCSG)
02:02:27
If it is included in the report, it needs to be agreed upon
Milton Mueller (NCSG)
02:03:24
If it's not, it doesn't. And I did challenge the idea that whoever holds the pen can unilaterally dictate what goes into the use case
Milton Mueller (NCSG)
02:04:06
But it seems like you amended the use case legal basis properly
Farzaneh Badii (NCSG)
02:04:49
Some of the recitals invoked don’t apply.
Steve DelBianco (BC)
02:06:33
Use cases usually do have descriptive (factual) sentences, plus some normative statements about what SHOULD happen. We add another normative aspect by arguing that a desired outcome meets GDPR compliance.
Alan Woods (RySG)
02:09:27
So the distilled and important policy point here is ... those who have a 6(1)c legal basis (when they have an 'official authoirty' will be processed in 1 way and those who don't, (privuate researcherse) will be processed in another way - based on 6 (1)f. This is the salient point no?
Alan Woods (RySG)
02:09:36
*authority
Farzaneh Badii (NCSG)
02:10:02
column e — is just wrong
Farzaneh Badii (NCSG)
02:10:20
oops sorry too late. Disregard my comment
James Bladel (RrSG)
02:10:30
One could argue that this Use Case was the original purpose of WHOIS/RDS
Farzaneh Badii (NCSG)
02:10:39
Yep!
Marika Konings
02:10:44
Please see https://community.icann.org/download/attachments/111386876/Use Case - SSAC Operational Security.docx?version=1&modificationDate=1562843262000&api=v2 for this use case
Amr Elsadr (NCSG)
02:10:57
@James: +1
Marika Konings
02:11:10
https://community.icann.org/download/attachments/111386876/Use Case - SSAC Operational Security.docx?version=1&modificationDate=1562843262000&api=v2
Farzaneh Badii (NCSG)
02:11:10
this is the one and true use case!
Marika Konings
02:11:25
Sorry, the link doesn’t copy over well, please make sure to copy over all the text in your browser
Marika Konings
02:11:32
or use the link that was included in the agenda
Amr Elsadr (NCSG)
02:12:27
It is, and should have been the only relevant interpretation of SSR in our phase 1 report.
Farzaneh Badii (NCSG)
02:12:46
Yep.
Alan Woods (RySG)
02:13:19
not violent disagreement .... but a point
Farzaneh Badii (NCSG)
02:14:11
I wish supporting info didn’t invoke recitals but explained the lawful basis… (the steps need to be taken etc)
Farzaneh Badii (NCSG)
02:15:55
I like this use case. I will have to look at it closely but I think it’s a solid case.
James Bladel (RrSG)
02:18:37
Just because something is subject to a 6(1)(f) test doesn’t necessarily mean it is slow process. Emergency processes for low volume incidents can be constructed (and exist today)
Farzaneh Badii (NCSG)
02:20:01
Yes James. So maybe we can discard the “automation” legal question...
Milton Mueller (NCSG)
02:20:56
Urgency and immediate threats certainly tilt the balancing test!
Milton Mueller (NCSG)
02:21:09
...in favor of disclosure
Steve DelBianco (BC)
02:21:27
Might be an imminent threat to users and hosts, but not necessarily an “existential threat to the internet itself”. That is too high a bar, I think.
Farzaneh Badii (NCSG)
02:21:30
This is Model use case!
Alan Woods (RySG)
02:23:11
public interest only applicable to those who have a public interest granted to the Controller in EU or member state law . Not really applicable here.
Chris Lewis-Evans (GAC)
02:24:18
Alan for the requestor not the controller
Brian King (IPC)
02:25:19
hospitals, national transportation infrastructure systems, online power grids, etc. would surely implicate the public interest
Alex Deacon (IPC)
02:25:26
@alan - “not really applicable” != “never applicable” so why wouldn’t we leave the public interest basis in if there may be a case when it can be used?
Milton Mueller (NCSG)
02:25:56
Again, he most useful notion of "accreditation" is NOT "I am a certified security researcher" but rather, "I have signed an agreement that authenticates who i am and makes me accountable for any abuse of the data"
Amr Elsadr (NCSG)
02:26:27
@Milton: +1
Alan Woods (RySG)
02:26:39
chris sorry that was at Brian . but to process under e - it must be in vested in the controller - the dislcosing controller (the CPs) don't have that.
Alan Woods (RySG)
02:27:01
Brian and Alex, I'm simply stating what the law states.
Chris Lewis-Evans (GAC)
02:27:36
@Alan agree
Brian King (IPC)
02:27:56
hmmmm, thanks for clarifying the focus on the discloser
Hadia Elminiawi(ALAC)
02:28:26
@Milton +1 making people accountable is for sure a requirement
James Bladel (RrSG)
02:29:24
Thanks all
Julf Helsingius (NCSG)
02:29:25
Thanks all
Milton Mueller (NCSG)
02:29:25
thanks Janis, another meeting brought in under 2 hours ;-)
Hadia Elminiawi(ALAC)
02:29:29
thanks all bye