Julie Bisland's Personal Meeting Room
Milton Mueller (NCSG)
30:27
morning all
Leon Sanchez (ICANN Board Liaison)
30:42
Good morning Milton
Brian King (IPC)
32:10
Congratulations, Amr!
Steve DelBianco (BC)
35:30
BC supports the questions as drafted
Matt Serlin (RrSG)
37:03
great…thanks Leon!
Alex Deacon (IPC)
37:09
Sounds like it is important to send them today (or now even).
Amr Elsadr (NCSG)
38:30
Thanks, Leon. That’s helpful. Good luck to you and legal committee.
Leon Sanchez (ICANN Board Liaison)
38:43
Thanks!
Georgios Tselentis (GAC)
38:47
Am I the only one that cannot access the google docs?
Georgios Tselentis (GAC)
39:01
https://docs.google.com/document/d/1Q_0smZv58-rQ4RF9buAMBmt4PGVSk6gAYyLiPIOlyQU/edit
Amr Elsadr (NCSG)
39:37
@Georgios: I’m not having trouble accessing the doc. Are you logged in to your google account?
Marika Konings
40:04
Make sure to log in with the account that inso-secs has on file.
Alan Woods (RySG)
40:18
just saying they provided lengthy advice on that very specific question.....
Marika Konings
40:22
gnso-secs not inso :-)
Milton Mueller (NCSG)
40:46
yes
Georgios Tselentis (GAC)
41:01
Sorry Marika you were right - I had tried to log in with the wrong account
Alan Woods (RySG)
41:17
https://community.icann.org/download/attachments/102138857/ICANN%20-%20Memo%20on%20publication%20of%20the%20City%20field%20%28130219%29.docx?version=1&modificationDate=1550152144000&api=v2
Alan Woods (RySG)
41:24
see the final 5 pages
Volker Greimann (RrSG)
41:27
no
Volker Greimann (RrSG)
41:36
Same answer
Marika Konings
42:27
@Georgios - if you want another account to be added, we can definitely do so
Marika Konings
54:15
You can also follow along here: https://docs.google.com/document/d/1eLcD6TpQCW029qgi05BQHGwDA9PW29jM3e9ZhPEFzeQ/edit
Alan Woods (RySG)
57:19
the requester will not be really citing the basis though. the controller is the party that must assert the basis.
Amr Elsadr (NCSG)
01:00:14
@Alan W: That makes sense to me, which is not exactly what is reflected in the zero report.
Alan Woods (RySG)
01:00:37
not quite. But we have that to look forward to tonight and LA :D
Amr Elsadr (NCSG)
01:00:46
Yup.
Milton Mueller (NCSG)
01:00:59
Why would you eliminate "high-volume automated" if you are concerned about DDoSing the SSAD?
Alex Deacon (IPC)
01:03:03
+1 Milton on the legal basis
Amr Elsadr (NCSG)
01:04:22
@Ben: that sounds good - keeping both, and adding “or”.
Matt Serlin (RrSG)
01:04:31
I support Ben’s suggestion to combine the two
Brian King (IPC)
01:04:52
We would just note that high-volume automated queries might not be abuse or misuse of the system.
Brian King (IPC)
01:05:06
Also "high-volume" is subjective
Alex Deacon (IPC)
01:05:10
any SSAD system will need to handle very high volumes of queries. there is a difference between managing that and mitigating DDoS attacks.
Steve DelBianco (BC)
01:06:09
@Milton — I think we are “allowing for” those accreditation groups, not calling for them to be created.
James Bladel (RrSG)
01:06:33
Disagree, somewhat: I think reliance on existing 3rd party accreditation orgs for bona fides is desirable. But agree we shouldn’t create them specifically for this purpose.
Brian King (IPC)
01:08:16
Alan W is good at reminding us about that point
Ben Butler (SSAC)
01:08:28
Absolutely Brian.
Milton Mueller (NCSG)
01:08:36
the distinction between "allowing for" and "creating" is not relevant to my argument. the point is that accreditation requirements and processes should be the same for ALL users. It is basically a commitment not to abuse the data once disclosed enforced by a threat to withdraw accreditation. External groups will not be in a position to do that
Alan Woods (RySG)
01:08:38
+1 James. It would be a very tall order to do so.
Alex Deacon (IPC)
01:10:06
@Marc - my comment was specific to the SSAD itself and not specific to this particular use case.
Marc Anderson (RySG)
01:10:26
@Alex - gotcha
Milton Mueller (NCSG)
01:10:51
Access to Whois data played no role in mitigating e.g. the Mirai botnet; it may have helped ex post in investigating for prosecution
Milton Mueller (NCSG)
01:11:59
the idea that you are going to stop a massive botnet involving 10,000 compromised domains by looking to Whois is unrealistic.
Brian King (IPC)
01:13:51
The more Stephanies the better
Matt Serlin (RrSG)
01:14:11
whoa
Julf Helsingius (NCSG)
01:14:19
Nice train whistle!
Rafik Dammak (GNSO Council Liaison)
01:14:23
a train on time
Brian King (IPC)
01:14:27
Stephanie's boarding from Platform 9 3/4
Leon Sanchez (ICANN Board Liaison)
01:14:58
:DD
James Bladel (RrSG)
01:15:27
They’re not vouching for use of the data or the legitimacy of the request, but only the identity/credentials of the requestor.
Amr Elsadr (NCSG)
01:15:30
I thought it was a kind of civil defense siren of some sort!! :D
Milton Mueller (NCSG)
01:16:00
it was the Ga Tech whistle. It WAS speaking for Ga Tech
Milton Mueller (NCSG)
01:16:10
Not sure why my mic was open
Hadia Elminiawi (ALAC)
01:17:53
I guess Stephanie agreed that there is a merit in accreditation
Chris Disspain (ICANN Board Liaison)
01:18:44
Hello All,
Chris Disspain (ICANN Board Liaison)
01:18:54
I need to drop off the call to attend a board call now
Chris Disspain (ICANN Board Liaison)
01:18:58
Apologies
Hadia Elminiawi (ALAC)
01:19:10
accreditation does not mean liberal access to data,
Alex Deacon (IPC)
01:19:26
@Milton - I’ve not heard anyone advocate for that.
Steve DelBianco (BC)
01:20:27
@Milton — accreditation is an option that could lead to automated responses. Anyone can query and expect a non-automated response.
Alan Greenberg (ALAC)
01:20:36
@Milton, accreditation may make the decision process on whether to release data easier.
Hadia Elminiawi (ALAC)
01:21:05
accreditation allows possible faster and safer requests for data, non accredited people could still make requests
Milton Mueller (NCSG)
01:21:21
how?
Milton Mueller (NCSG)
01:21:52
accreditation provides no extra legal basis or no guarantee of disclosure.
Alan Greenberg (ALAC)
01:22:11
A contracted party may CHOOSE to accept accreditation in making their decision.
Milton Mueller (NCSG)
01:22:53
so if accred DOES allow for automation, then we ARE saying that it affects the disclosure rights of the requestor
Milton Mueller (NCSG)
01:23:44
we get back to the question whether a "trusted party" can short-circuit the balancing test
Amr Elsadr (NCSG)
01:23:49
@Milton: …, and suggests that a balancing test might not be conducted when using 6.1.f as a lawful basis? Doesn’t sound good.
Amr Elsadr (NCSG)
01:24:23
What James is suggesting is that accreditation is a means of identifying requestors. That sounds better.
Amr Elsadr (NCSG)
01:24:35
At least that was my understanding of what James said.
Milton Mueller (NCSG)
01:25:03
no one is suggesting throwing out accreditation; it just needs to be uniform and basically a means of deterring abuse
Hadia Elminiawi (ALAC)
01:25:04
Faster because if you are accredited this means you are trusted to make requests in relation to certain issues therefore less time should be spent on looking into who you are. Safer because accredited people are sort of trusted requesters
Ben Butler (SSAC)
01:25:35
That is our understanding of accreditation as well. It is a possible avenue of identifying the requestor. It is not a guarantee of access or an elimination of the balance test
Amr Elsadr (NCSG)
01:25:37
If accreditation is a way to help identify requestors, then it is not necessary to limit those who are allowed to submit disclosure requests to those who are accredited.
Alan Greenberg (ALAC)
01:26:07
@Amr, It is part of the decision process. Disclosure is not guaranteed or automatic based on accreditation. But a contracted party may use it in their decision. If they choose to use it as a guarantee and they could, with the potential increase in their risk.
Matt Serlin (RrSG)
01:26:25
I think we need to spend a fair amount of time on accreditation in the f2f so everyone is on the same page about what it means and what it potentially gets the accredited party
Marc Anderson (RySG)
01:27:20
agreed Matt - Accreditation should be one of the key topics we cover in LA
Brian King (IPC)
01:27:26
Agreed Matt
Hadia Elminiawi (ALAC)
01:28:28
@Amr I wouldn't use the word "identify"
Leon Sanchez (ICANN Board Liaison)
01:28:31
I need to leave the call for another meeting. My apologies for not staying till the end. See you all later
Leon Sanchez (ICANN Board Liaison)
01:28:32
thanks
Amr Elsadr (NCSG)
01:29:17
@Hadia: Why not?
Stephanie Perrin (NCSG)
01:30:10
You cannot release personal info until you know who you are dealing with.....so identification is a critical piece in my view.
Amr Elsadr (NCSG)
01:30:38
@Stephanie: Yup, and it’s already baked in to most of the use cases, isn’t it?
Amr Elsadr (NCSG)
01:33:42
@Alan G: There has been prior advice from EU Data protection experts, as well as the ICO that suggests that ICANN, as a controller, should not permit processing of personal data of natural persons for purposes not consistent with its mission.
Steve DelBianco (BC)
01:33:44
I have received very clever phishing emails where the sender’s domain did not resolve to a website I could look at. In those cases, isn’t whois the only resource to learn who registered that domain?
Alan Greenberg (ALAC)
01:37:19
You may recall that when we were told that it would be discussed, I said that I did not say it was worth our time.
Amr Elsadr (NCSG)
01:37:38
@Alan G.: Do recall that. :-)
Amr Elsadr (NCSG)
01:38:08
I hope I clarified what I meant by “reject the use case” in my last response to Alan G over email.
Matt Serlin (RrSG)
01:38:26
Agree with James and Marc previously
Amr Elsadr (NCSG)
01:38:28
So agree with Alan G and James, when they say it makes no sense to reject the use case.
Terri Agnew
01:40:00
@Hadia, we seem to have lost your audio
Terri Agnew
01:40:09
it seems to be cutting in and out
Marika Konings
01:41:09
You can also view this document here: https://docs.google.com/document/d/1DBPBL_nIwE8tjaahM1uS3hvIA8FSzPiN/edit?ts=5d4c43aa#heading=h.30j0zll
Amr Elsadr (NCSG)
01:43:30
I suspect we’ve said all there is to say. :-)
Alan Woods (RySG)
01:44:28
personally i'd report it to the law enforcement
James Bladel (RrSG)
01:44:43
Steve - closely related to the LEA or SSAC use case.
Amr Elsadr (NCSG)
01:44:46
@Steve: Doesn’t that make it a LE or private-security issue?
Amr Elsadr (NCSG)
01:44:53
@James: +1
Volker Greimann (RrSG)
01:45:04
Do they need to know that?
Hadia Elminiawi (ALAC)
01:45:20
@Amr no it does not make it A LE case
Alan Woods (RySG)
01:45:46
use cases are not about 'factual descriptions' they are about discerning the policy steps and the considerations in the assessment of a disclosure request.
Alan Greenberg (ALAC)
01:45:58
@Amr, it may be LE oe security researcher IF and WHEN it reaches them.
Alan Greenberg (ALAC)
01:46:05
oe = or
Alex Deacon (IPC)
01:46:44
I note it could also be passed to some consumer protection agency - we need to make sure this option is covered by our policy (and yes I understand the special designation those agencies may have/need).
Alan Greenberg (ALAC)
01:47:12
@Alan W: correct. And we cannot really provide guidance to contracted parties in this use case,
Amr Elsadr (NCSG)
01:47:16
@Hadia: I’m not sure why. I don’t see why it’s an Internet user issue. Do you investigate/do whois lookups for spam emails you receive, or do you report them?
Alan Woods (RySG)
01:47:39
Alex and this is the beauty of the concept of the use case. Not that they are response templates, but whether or not, based on the circumstances stated, is disclosure necessary and in this case whether the balancing test is met.
Alan Greenberg (ALAC)
01:47:47
@Amr, in my case, I may do both.
Matt Serlin (RrSG)
01:47:59
Amr makes a good point…generally those are reported to the brand holder who is being abused and they then investigate as we have already covered in other use cases
Alan Woods (RySG)
01:47:59
personally I think in this case .. not, but it is valuable to demonstrate that for that reason.
Amr Elsadr (NCSG)
01:48:11
@Alan G: Agree with your comment above on when it would be a LE/SSAC use case issue.
Alan Woods (RySG)
01:50:55
thank you Chris. This is a very excellent reason!
Georgios Tselentis (GAC)
01:52:58
Beware also that depending on the disclosure model data transfers may take place between different jurisdictions (LEA1)
Marc Anderson (RySG)
01:54:07
do we have a link for this document?
Amr Elsadr (NCSG)
01:54:20
I don’t think so, but was sent to us via email.
Marc Anderson (RySG)
01:54:29
ok, thanks
Marika Konings
01:54:31
It was forwarded to the mailing list just prior to this call. We will post it as a google doc after this meeting.
Hadia Elminiawi (ALAC)
01:56:47
@Amr if I get an email (not all emails' domains resolve into websites) that I suspect I would either try to check it or just drop the matter. No security researcher would have the time to look into this and certainly this is not a LE case.
Volker Greimann (RrSG)
01:58:05
hence the requirement to include the same data in business mails
Hadia Elminiawi (ALAC)
01:59:12
@Amr with regard to why not use "identify" there are other steps like validation that would need to happen to fully identify a requester
Alan Greenberg (ALAC)
02:05:41
Any idea when hotel confirmations for LA will be sent?
Brian King (IPC)
02:06:50
Alan I can't tell you where we're staying, but there are two trees involved.
Amr Elsadr (NCSG)
02:07:12
@Marika: So substantive discussion on the zero report will not begin until the F2F?
Alan Greenberg (ALAC)
02:07:56
@Brian, yes, I know which hotel it will be. Just asking when we will get the formal message.
Amr Elsadr (NCSG)
02:08:38
@Marika: Thanks.
Terri Agnew
02:10:27
We will follow up on when the hotel confirmations will be sent for the F2F LA meeting.
Ben Butler (SSAC)
02:11:18
Thanks all
Chris Lewis-Evans (GAC)
02:11:19
See you all later, thanks
Julf Helsingius (NCSG)
02:11:22
Thanks, and see you all too soon!
Amr Elsadr (NCSG)
02:11:22
Thanks all. Bye.
Hadia Elminiawi (ALAC)
02:11:25
thanks all