Marika Konings' Personal Meeting Room
James Bladel (RrSG)
Question: some folks missing from NCSG. Are they joining later or remotely?
Milton Mueller (NCSG)
Stephanie's plane was delayed but she is supposed to come
Ayden Férdeline (NCSG)
Stephanie Perrin is in travel and is coming
Ayden Férdeline (NCSG)
* in transit
James Bladel (RrSG)
Ok, thanks.
Ayden Férdeline (NCSG)
Farzaneh Badii will be joining remotely, I believe
As a reminder, please find the EPDP Team Statement of Participation here: https://community.icann.org/display/EOTSFGRD/EPDP+Team+Statement+of+Participation+-+Phase+2
Jennifer Gore (IPC)
i am remote and i can hear just fine
Terri Agnew
Wiki agenda page: https://community.icann.org/x/6oECBw
Ayden Férdeline (NCSG)
Do we have a way of capturing what is on the whiteboard for archive purposes? Some remote participants may be wondering what this hamburger looks like…
Farzaneh Badii
I think security researchers should definitely be accredited by law enforcement agencies
Farzaneh Badii (NCSG)
And hello. Sorry I could not be with you. Second week of a new job.
Ashley Heineman (GAC)
Point of order. This is good stuff, but too detailed at this stage from Thomas.
Milton Mueller (NCSG)
Thomas is proposing an entire accreditation proposal which I think is out of order at this time
Ashley Heineman (GAC)
Uh oh... Milton and I are in agreement again....
Greg Aaron (SSAC)
I'd like to perhaps clarify something about the hamburger technical model.
Farzaneh Badii (NCSG)
yeah. I agree with Milton. Is there a curry wurst model as well?
Julf Helsingius (NCSG)
Now I am hungry. When is lunch?
Milton Mueller (NCSG)
+1 to James - financial model has to be a major part of the architecture and it is not clear to me how it fits into the hamburger
Thomas Rickert (ISPCP)
As I mentioned, you can criticize and abandon the idea. But these points need to be discussed. I am afraid no-one is going to support any of our suggestions without knowing the operational setup and liability.
Alex Deacon (IPC)
The financial model is important but we have to answer some fundamental questions first before we can have a data driven fact based conversation.
Thomas Rickert (ISPCP)
In my view, there is much hesitation to accept and support use cases or policy proposals because these points are unknown.
Volker Greimann (RrSG)
Due to the fine regime of the GDPR, a shared liability model is very hard to implement, it seems to me. A GoDaddy-type operator would face a significantly higher fine than a mom-and-pop-type registrar for the same offense.
Ayden Férdeline (NCSG)
Thanks for the photo
Thomas Rickert (ISPCP)
In order to get clarity on the liability, we need to get an approved code of conduct according to Art 40 GDPR. Before we get that (which would take years), we just have to do an excellent legal job documenting what we do with a robust legal rationale.
@Greg - Please put up your name card to enter the speaking queue.
Marika Konings
I have Greg noted in the queue :-)
Milton Mueller (NCSG)
I think Janis was simply trying to propose a very simplified high-level architecture to serve as the basis for discussions. We need to get to those more detailed discussions step by step. We were supposed to start with accreditation and user groups (building blocks F and C)
Marika Konings
But yes, for future interventions, please put your name card up.
Alan Woods (RySG)
So I must disagree with Janis here. Liability does not merely lie with the disclosing party - Liability will ALWAYS lie with the controller. The disclosing party may very well be a Processor - the liability will lie with the Controller in this instance too - (as Thomas did explain very well). The processor of course will have liability - not all of it.
Mark Svancarek (BC)
I think the significant issue is not necessarily "offence", it's that regulatory scrutiny results in costs even if the scrutiny results in no fines. I do not believe that GoDaddy will ever face significant fines simply because they will have implemented well, documented their decisions, and will cooperate with DPAs to mitigate any concerns. But even without fines, it's not free to respond to that scrutiny or mitigate any issues identified as a result of it.
Volker Greimann (RrSG)
I am just saying that if we gave up the decision making part, we’d still be liable for bad decisions. No matter how well we implement, we would still bear the liability for bad decisions.
Volker Greimann (RrSG)
And I wonder if any entity would be willing to accept liability for go daddy-lee fines
Farzaneh Badii (NCSG)
reducing risk should not lead to less data protection for the domain name registrant.
Ashley Heineman (GAC)
But can't we divvy up liability a bit more clearly? Yes - contracted parties will always have liability associated with collection and transfer... but let's explore if we can corner off liability associated with disclosure to a single party.
Farzaneh Badii (NCSG)
I wish there was a camera…
Brian King (IPC)
+1 Ashley
Matt Serlin (RrSG)
This all goes to the legal questions we posed to B&B and I’m curious if we anticipate having their feedback this week
Alex Deacon (IPC)
+1 Matt
Farzaneh Badii (NCSG)
what are those yellow bits in the picture? cheese?
Farzaneh Badii (NCSG)
Chris’s voice is faint
Andrea Glandon
He has adjusted, does it sound better now?
Farzaneh Badii (NCSG)
I had to turn up the volume to be able to hear him
Milton Mueller (NCSG)
when do we discuss liability and indemnification?
Milton Mueller (NCSG)
are we going to resolve that issue now? Or does it need to wait for other decisions about our approach to SSAD?
Alex Deacon (IPC)
we can’t help diving head first into the deep end.
Alex Deacon (IPC)
Where’s the Beef - https://www.youtube.com/watch?v=R6_eWWfNB54
Milton Mueller (NCSG)
Alex you may want to address the question of why we need this kind of accreditation at all. It's not clear to me that this complex system performs any function that couldn't be done more efficiently by a direct accreditation contract between the SSAD operator and any potential user
Thomas Rickert (ISPCP)
Please note I mentioned Interpol and Wipo for illustration purposes. I could have called them Amos and Andy as well.
Ayden Férdeline (NCSG)
How would one prevent forum shopping of accreditation bodies, i.e. is there only one accreditation body per user type, or could there be multiple, and thus some with reduced/higher/differing standards for whom they issue a credential to? Broadly I think I like what is proposed here, so long as it isn’t possible for the system to be gamed in some way, and for someone to head to one accreditation body if another wouldn’t grant them access. I appreciate Alex noticed that a rogue accreditation body could have all issued credentials revoked, but I imagine this is not going to be happening particularly swiftly.
Ayden Férdeline (NCSG)
* noted, not noticed
Ashley Heineman (GAC)
What I said was not what Gina said.
Andrea Glandon
Okay, sounds like they are starting
Milton Mueller (NCSG)
starting now
Alex Deacon
@stephanie - hopefully the various Code of Conducts would be based on what I called “baseline requirements” so that they would be 80%+ the same. (mod the specific requirements for each group).
Milton Mueller (NCSG)
Ashley: yes, in principle, every individual or organization faces the same risks and thus should have the same right to request disclosure. Let me reverse the question: are you really saying that millions of legitimate requests should not be entertained at all unless they go through an accreditation process first?
Milton Mueller (NCSG)
correction: A "user group" based accreditation process. In my favored approach, everyone would also have to sign a standardized agreement
Alex Deacon (IPC)
I’ll add a box for yelling and screaming.
Ashley Heineman (GAC)
Milton - yes, I agree. But not through a UAM in my opinion. The purpose of a UAM (in my opinion) is to provide efficiencies for the contracted parties and those who "rely" on getting disclosure of information (ie: not ad hoc one offs). The ad hoc one offs can still be addressed, and likely very important and valid, but should be directed through what is now status quo. Directly to the registrar.
Thomas Rickert (ISPCP)
Balancing has nothing to do with accreditation.
Thomas Rickert (ISPCP)
As Margie rightly stated, balancing is not always required. 6 I c does not require balancing e.g.
Farzaneh Badii (NCSG)
Many of the use cases presented fall under 6IF and require balancing
Terri Agnew
lunch break, back in one hour