
27:38
Congrats, Farzaneh!

27:42
Congrats, Farzaneh!!

27:45
congratulations!

27:53
indeed absolutely... congratulations!!

28:05
congrats Farzi

28:12
Thank you all

28:21
Congrats Farzi!

32:38
no dog barking today!

35:35
In this file you can find the survey results

38:08
I have to drop off for 30 minutes unfortunately. Will be back as soon as I can

45:01
I agree with Milton - seems good advice

45:11
Me too

45:25
Starting with a common understanding with regard to the SSAD is absolutely necessary

45:40
+ 1 Milton

46:23
seems like a reasonable plan

46:46
See https://docs.google.com/document/d/1bm8sdjrNHvNgftMK4f8s-U81FlNSIe2TVNlQKCXZy5k/edit#heading=h.gjdgxs

49:07
I have to leave the call early as I am heading to the airport. My apologies for not staying till the end.

49:11
see you all soon in LA

49:14
safe travels

49:48
I will have comment on O

51:45
A gac rep ? as an accreditor . No offence to our gac colleagues, on the record as a no there.

52:30
Interesting point Amr

52:34
We have questions on the legal basis for LEA currently with Bird and Bird. So we might need to revisit once we get the answers.

52:45
That is the reason why I am silent on this one.

53:21
@Thomas: Sounds reasonable…, and important to note.

54:47
@Chris: Thanks for the clarification. That does make sense.

56:09
Right, so maybe that should refer to human review of the request to confirm that legal basis etc. is identified, but not specific to the "balancing test"

57:04
Oh O O

58:13
thanks!

58:46
We should get Alice in Wonderland’s smoking caterpillar to chair this call, when we’re racing through the alphabet? ;-)

59:30
Perhaps replace "Yes" with "Maybe" if things are not that clear

01:00:04
Sorry Milton did you mean N?

01:01:37
Yes

01:01:53
Actually I meant N O (haha)

01:03:16
@Milton Happy with Desirable if possible?

01:05:06
The big issue with both use cases is that we are opening the floodgates for requestors who claim they are security practitioners. I do not see a way of checking eligibility. Doing this via safeguards only, as suggested by SSAC during our last call - is not enough in my view.

01:05:14
of the Controller, not the disclosee

01:05:50
only if you already control the data, Margie, not if you still have to get it... none of these sections grant access

01:06:12
You can exercise user rights vis a vis the controller, but not use that as a reason to ask for any data. Am I getting this wrong?

01:06:34
agreed both Volker and Thomas.

01:06:48
+1 Thomas

01:06:50
@thomas - so then some kind accreditation, authentication, authorization is necessary.

01:06:59
kind of

01:07:37
What does the highlighting indicate?

01:07:56
Alex, maybe we need to discuss this in LA. I do not seem to understand the raison d’être for this use case.

01:08:27
That is absolutely one of the big items to discuss in LA

01:08:32
+1 thomas

01:08:37
@thomas - ok well that’s a different (and larger) issue than the one I was commenting on.

01:09:12
@Alex. Yes. Sorry. I do not mean to be difficult.

01:09:17
if all the european lawyers on the call agree, that still is just an opinion?

01:09:25
It just comes naturally Thomas :)

01:09:40
:-)

01:11:13
+1 Amr…I think it continues to overlap a lot with the SSAC use case with maybe slight variations

01:11:22
I guess the main difference is in relation to the civil claims

01:11:22
+1 Amr

01:12:21
I haven’t seen any of the cases addressing the civil claims aspect

01:12:38
bar of course the SSAC

01:12:50
which recognised non-LEA

01:12:58
therefore is civil

01:13:41
@Hadia: If civil claims is an issue, then that can be added where appropriate in the other use cases. If it’s the same set of disclosure requestors, requesting disclosure for the same purposes, there is no need that I can identify for an entirely new use case.

01:15:19
@Amr I am not sure that they are the same set of requestors.

01:16:07
@Hadia: The requestors identified in this use case are: “Law enforcement, operational security practitioners, anti-abuse authorities”.

01:16:35
wait NIS ... are we sayig the requesters are critical infrastructure providers under NIS?

01:16:49
cos that seems more to fit into the SSAC II

01:17:03
In this case, the security practitioners are employed by companies. I’m not sure that distinction was made in the SSAC use case, but not sure it makes a difference.

01:17:15
@Alan I think it's "digital service providers" defined under a different NIS provision

01:17:35
Maybe the anti abuse authorities need to be further detailed

01:18:51
We have previously said, we believe reverse whois lookups to be out of scope of our work here…that would be a completely new policy development

01:19:01
@Matt: +1

01:19:01
@Milton, aside from other things, there is a logging and notification requirement here which was not present in the old WHOIS.

01:19:16
@brian ... yes Digital service providers, deeemed unde the NIS directive to apply or have an impact on critical infrastructure. . Still not seeing how this is different from SSAC II

01:20:21
@Volker: +1

01:20:34
Well said, Volker.

01:21:08
possible does not equal legal

01:21:18
@Alan W I don't think so. "If you provide an online search engine, online marketplace or cloud computing service (either alone or in combination) then you are a digital service provider (DSP)." https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/

01:21:26
base contracts were written prior to GDPR

01:21:39
@alan but also doesn’t equal illegal.

01:22:11
Alex .. hardly the strongest policy position ... It's not legal ... but it's not illegal either ... fingers croissed

01:22:21
@margie can you point to what you are referring to in the new gTLD agreement that allows this? Thanks!

01:22:25
I’m just adding balance to the discussion :)

01:22:42
@Matt - yes -i'll find it

01:23:26
c) is unacceptable

01:23:48
reverse lookup

01:23:59
Yes, thanks Marc, that would have been my next point as well.

01:24:02
I cannot agree to any of the fields as I have my fundamental issues at the moment.

01:24:03
@Marc: +1

01:24:08
I am not comfortable with that third bullet point in seciton c

01:24:19
+1 Marc and Sarah

01:25:16
absolutely legal ... with a court order.

01:25:37
legality is but one concern though.

01:25:49
just becasue something is legal does not make it right

01:25:54
Done - thank you, Janis.

01:26:43
@Matt: +1. This was a by-product of a publicly published whois in the past. Was never an ICANN Consensus Policy.

01:26:47
and if some registries offered it voluntarily, they sure could continue to do so.

01:26:57
+1 Volker

01:27:11
we do not need policy for allowing someone to provide a voluntary service that is legal

01:27:50
@Brian: New policy recommendations would need to be handled in another process (not an EPDP). Would need to be scoped in an issues report subject to a public comment.

01:28:01
+1 Amr

01:28:05
ask yourself another question then: Will it get consensus?

01:28:26
@Amr — all of this work is new policy, and is within scope of our charter.

01:28:59
@Steve: I disagree. The EPDP is about harmonizing existing policy with data protection regulation, not about creating new policy.

01:29:21
There are strict guidelines on using an EPDP. Check annex 4 of the PDP manual.

01:29:48
+ 1 Brian we are looking for a system that is legal and provides the same benefits of the old system

01:30:35
@Amr, there are all sorts of things that were not ICANN policy bacause there was no need for such policy - the information was public. SSAD did not exist and we are talking about it for the same reason.

01:31:22
Not sure about that last bullet in (G), for similar reasons to what we just discussed about (c)

01:31:44
Hadia. Thats a very surprising statement the old system was access to unfettered access which was, and as has been clearly indicated by the EDPB, not in line with the requiremetns of data protdciton law. Benefits derived from the breach of the law, is hardly something we should be aspiring to.

01:32:05
Yes - I agree with Brian

01:32:09
ugh... typing fails ..lol

01:32:12
SSAD, to me, is an implementation measure to facilitate whatever policy recommendations we come up with. The policy recommendations should focus on the features of SSAD to (again) harmonize existing policies with data protection regulation.

01:32:58
hard to hear Volker

01:33:33
Purpose of a request is not the same thing as specific uses of the data in fulfilling that purpose

01:34:06
@Amr, Anything we do has to be in accordance with data protection regulation. That is why we are suggesting asking for legal input. The rest is to decide what do we need (legally alloowed) that allows us to continue to function given GDPR.

01:34:08
Requestor can represent that they will use the data ONLY in accord with their stated purpose, and in compliance with GDPR

01:34:53
I have said this before. I am hoping that if the legal advice is not what you have in mind and not what you thought would, you accept it even if not in the interest of what you are pursuing.

01:35:23
@Alan G: Agree, but using an EPDP to develop recommendations is another limiting factor in what the GNSO is allowed to recommend to the ICANN Board.

01:36:16
@Alan G: You were one of the folks who came up with EPDP guidelines. ;-)

01:36:34
@Alan W I did explicitly say the words "a legal system.” I meant getting the benefits of the old system and obviously avoiding the "Miss use" through a New system that respects the law

01:37:42
We will certainly submit written comments as well ;)

01:38:07
@Hadia some of the “benefits” of the old system sadly were never ICANN consensus policy and as we continue to say shouldn’t be part of our work here but could be another PDP in the future

01:38:12
Reverse searching?

01:38:49
which, for the record may not look like the old system ... which was not legal. Rose tinted reminiscence of the fact that the good old days were wonderful, does not help us set realistic expectations as to the necessary limitations that will result in a future, legal, outcome of our task.

01:38:52
reverse searching is in the new gtld agreements

01:38:54
I would like to record my objection to J. Don’t know if it has been discussed before

01:39:30
We’ll put this up as a google doc following the call

01:39:30
and if it's in the contract it must be legal right?

01:39:41
Margie… you can have a holy agreement granted by god and if it is against the law, it can’t and won’t happen

01:39:54
@Alan - I am asking for legal advice to answer that question

01:40:07
I do have a question re the F2F schedule

01:41:55
Spec 4

01:41:58
Section 1.10

01:42:07
https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved-31jul17-en.html

01:42:29
Thanks for that info

01:42:44
you betcha

01:43:08
To review the current draft GNSO schedule, please see https://docs.google.com/spreadsheets/d/1JimSyz5laTsRNDN4CvyhPTQdCQYxfMrCro7_GjrTWqY/edit#gid=1857571399

01:43:26
For EPDP Team, there is a full day scheduled on Saturday and other meetings throughout the week.

01:43:38
I won’t be able to join the LA F2F meeting. I will attend partly remotely

01:46:17
Sure

01:47:09
Glass of wine? I thought it deserved whiskey

01:47:45
Safe travels to all heading to LA

01:47:46
Safe travels everyone going to LA.

01:48:06
Safe travels!

01:48:33
Safe tarvels all

01:49:01
See you in LA, Safe travels

01:49:05
Thanks, all.

01:49:08
as a lot of the use case is pending legal advice ... surely we should wait

01:49:14
Thank you al bye

01:49:16
Thanks all. Bye.

01:49:17
See you in LA!

01:49:20
ghanks all

01:49:22
thanks all