Congrats, Farzaneh!

Congrats, Farzaneh!!

congratulations!

indeed absolutely... congratulations!!

congrats Farzi

Thank you all

Congrats Farzi!

no dog barking today!

In this file you can find the survey results

I have to drop off for 30 minutes unfortunately. Will be back as soon as I can

I agree with Milton - seems good advice

Me too

Starting with a common understanding with regard to the SSAD is absolutely necessary

+ 1 Milton

seems like a reasonable plan

See https://docs.google.com/document/d/1bm8sdjrNHvNgftMK4f8s-U81FlNSIe2TVNlQKCXZy5k/edit#heading=h.gjdgxs

I have to leave the call early as I am heading to the airport. My apologies for not staying till the end.

see you all soon in LA

safe travels

I will have comment on O

A gac rep ? as an accreditor . No offence to our gac colleagues, on the record as a no there.

Interesting point Amr

We have questions on the legal basis for LEA currently with Bird and Bird. So we might need to revisit once we get the answers.

That is the reason why I am silent on this one.

@Thomas: Sounds reasonable…, and important to note.

@Chris: Thanks for the clarification. That does make sense.

Right, so maybe that should refer to human review of the request to confirm that legal basis etc. is identified, but not specific to the "balancing test"

Oh O O

thanks!

We should get Alice in Wonderland’s smoking caterpillar to chair this call, when we’re racing through the alphabet? ;-)

Perhaps replace "Yes" with "Maybe" if things are not that clear

Sorry Milton did you mean N?

Yes

Actually I meant N O (haha)

@Milton Happy with Desirable if possible?

The big issue with both use cases is that we are opening the floodgates for requestors who claim they are security practitioners. I do not see a way of checking eligibility. Doing this via safeguards only, as suggested by SSAC during our last call - is not enough in my view.

of the Controller, not the disclosee

only if you already control the data, Margie, not if you still have to get it... none of these sections grant access

You can exercise user rights vis a vis the controller, but not use that as a reason to ask for any data. Am I getting this wrong?

agreed both Volker and Thomas.

+1 Thomas

@thomas - so then some kind accreditation, authentication, authorization is necessary.

kind of

What does the highlighting indicate?

Alex, maybe we need to discuss this in LA. I do not seem to understand the raison d’être for this use case.

That is absolutely one of the big items to discuss in LA

+1 thomas

@thomas - ok well that’s a different (and larger) issue than the one I was commenting on.

@Alex. Yes. Sorry. I do not mean to be difficult.

if all the european lawyers on the call agree, that still is just an opinion?

It just comes naturally Thomas :)

:-)

+1 Amr…I think it continues to overlap a lot with the SSAC use case with maybe slight variations

I guess the main difference is in relation to the civil claims

+1 Amr

I haven’t seen any of the cases addressing the civil claims aspect

bar of course the SSAC

which recognised non-LEA

therefore is civil

@Hadia: If civil claims is an issue, then that can be added where appropriate in the other use cases. If it’s the same set of disclosure requestors, requesting disclosure for the same purposes, there is no need that I can identify for an entirely new use case.

@Amr I am not sure that they are the same set of requestors.

@Hadia: The requestors identified in this use case are: “Law enforcement, operational security practitioners, anti-abuse authorities”.

wait NIS ... are we sayig the requesters are critical infrastructure providers under NIS?

cos that seems more to fit into the SSAC II

In this case, the security practitioners are employed by companies. I’m not sure that distinction was made in the SSAC use case, but not sure it makes a difference.

@Alan I think it's "digital service providers" defined under a different NIS provision

Maybe the anti abuse authorities need to be further detailed

We have previously said, we believe reverse whois lookups to be out of scope of our work here…that would be a completely new policy development

@Matt: +1

@Milton, aside from other things, there is a logging and notification requirement here which was not present in the old WHOIS.

@brian ... yes Digital service providers, deeemed unde the NIS directive to apply or have an impact on critical infrastructure. . Still not seeing how this is different from SSAC II

@Volker: +1

Well said, Volker.

possible does not equal legal

@Alan W I don't think so. "If you provide an online search engine, online marketplace or cloud computing service (either alone or in combination) then you are a digital service provider (DSP)." https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/

base contracts were written prior to GDPR

@alan but also doesn’t equal illegal.

Alex .. hardly the strongest policy position ... It's not legal ... but it's not illegal either ... fingers croissed

@margie can you point to what you are referring to in the new gTLD agreement that allows this? Thanks!

I’m just adding balance to the discussion :)

@Matt - yes -i'll find it

c) is unacceptable

reverse lookup

Yes, thanks Marc, that would have been my next point as well.

I cannot agree to any of the fields as I have my fundamental issues at the moment.

@Marc: +1

I am not comfortable with that third bullet point in seciton c

+1 Marc and Sarah

absolutely legal ... with a court order.

legality is but one concern though.

just becasue something is legal does not make it right

Done - thank you, Janis.

@Matt: +1. This was a by-product of a publicly published whois in the past. Was never an ICANN Consensus Policy.

and if some registries offered it voluntarily, they sure could continue to do so.

+1 Volker

we do not need policy for allowing someone to provide a voluntary service that is legal

@Brian: New policy recommendations would need to be handled in another process (not an EPDP). Would need to be scoped in an issues report subject to a public comment.

+1 Amr

ask yourself another question then: Will it get consensus?

@Amr — all of this work is new policy, and is within scope of our charter.

@Steve: I disagree. The EPDP is about harmonizing existing policy with data protection regulation, not about creating new policy.

There are strict guidelines on using an EPDP. Check annex 4 of the PDP manual.

+ 1 Brian we are looking for a system that is legal and provides the same benefits of the old system

@Amr, there are all sorts of things that were not ICANN policy bacause there was no need for such policy - the information was public. SSAD did not exist and we are talking about it for the same reason.

Not sure about that last bullet in (G), for similar reasons to what we just discussed about (c)

Hadia. Thats a very surprising statement the old system was access to unfettered access which was, and as has been clearly indicated by the EDPB, not in line with the requiremetns of data protdciton law. Benefits derived from the breach of the law, is hardly something we should be aspiring to.

Yes - I agree with Brian

ugh... typing fails ..lol

SSAD, to me, is an implementation measure to facilitate whatever policy recommendations we come up with. The policy recommendations should focus on the features of SSAD to (again) harmonize existing policies with data protection regulation.

hard to hear Volker

Purpose of a request is not the same thing as specific uses of the data in fulfilling that purpose

@Amr, Anything we do has to be in accordance with data protection regulation. That is why we are suggesting asking for legal input. The rest is to decide what do we need (legally alloowed) that allows us to continue to function given GDPR.

Requestor can represent that they will use the data ONLY in accord with their stated purpose, and in compliance with GDPR

I have said this before. I am hoping that if the legal advice is not what you have in mind and not what you thought would, you accept it even if not in the interest of what you are pursuing.

@Alan G: Agree, but using an EPDP to develop recommendations is another limiting factor in what the GNSO is allowed to recommend to the ICANN Board.

@Alan G: You were one of the folks who came up with EPDP guidelines. ;-)

@Alan W I did explicitly say the words "a legal system.” I meant getting the benefits of the old system and obviously avoiding the "Miss use" through a New system that respects the law

We will certainly submit written comments as well ;)

@Hadia some of the “benefits” of the old system sadly were never ICANN consensus policy and as we continue to say shouldn’t be part of our work here but could be another PDP in the future

Reverse searching?

which, for the record may not look like the old system ... which was not legal. Rose tinted reminiscence of the fact that the good old days were wonderful, does not help us set realistic expectations as to the necessary limitations that will result in a future, legal, outcome of our task.

reverse searching is in the new gtld agreements

I would like to record my objection to J. Don’t know if it has been discussed before

We’ll put this up as a google doc following the call

and if it's in the contract it must be legal right?

Margie… you can have a holy agreement granted by god and if it is against the law, it can’t and won’t happen

@Alan - I am asking for legal advice to answer that question

I do have a question re the F2F schedule

Spec 4

Section 1.10

https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved-31jul17-en.html

Thanks for that info

you betcha

To review the current draft GNSO schedule, please see https://docs.google.com/spreadsheets/d/1JimSyz5laTsRNDN4CvyhPTQdCQYxfMrCro7_GjrTWqY/edit#gid=1857571399

For EPDP Team, there is a full day scheduled on Saturday and other meetings throughout the week.

I won’t be able to join the LA F2F meeting. I will attend partly remotely

Sure

Glass of wine? I thought it deserved whiskey

Safe travels to all heading to LA

Safe travels everyone going to LA.

Safe travels!

Safe tarvels all

See you in LA, Safe travels

Thanks, all.

as a lot of the use case is pending legal advice ... surely we should wait

Thank you al bye

Thanks all. Bye.

See you in LA!

ghanks all

thanks all