Julie Bisland's Personal Meeting Room
Ayden Férdeline
29:26
Hello all
Volker Greimann (RrSG)
29:32
In northern Germany, they are turning off nuclear plants as the cooling water from the river is too hot
Ashley Heineman (GAC)
30:01
Volker - Seriously???!!!
Volker Greimann (RrSG)
30:19
at least one of them
Mark Svancarek (MSFT)
30:45
yikes
Milton Mueller (NCSG)
31:11
Can we show the agenda in the Zoom room?
Andrea Glandon
32:21
Please remember to mute your phone and mic when not speaking.
Stephanie Perrin (NCSG)
39:44
My apologies for being late, I had trouble with the links.
Stephanie Perrin (NCSG)
40:23
I wish this no chat before you join feature would get fixed, particularly when it is so hard to get the system to function normally
Mark Svancarek (BC) (MSFT)
41:17
Kudos to the vteam that delivered this
Ben Butler (SSAC)
41:40
In this case, you haven’t missed any substantive chat @Stephanie.
Matt Serlin (RrSG)
42:31
Thanks to everyone that worked on this…looks like a logical way to proceed
Milton Mueller (NCSG)
43:08
Greg Aaron had suggested that we further collapse groups 2 and 4, but as he did not speak up I guess that issue will be moot
Stephanie Perrin (NCSG)
45:37
Thanks Ben, good to know!
Greg Aaron (SSAC)
45:38
I did not say "collapse" 2 and 4, Milton. I said maybe do 2 and then 4 and then 3..
Milton Mueller (NCSG)
46:02
oh sorry. I thought you said they were basically the same and if that's what you said you might be right
Hadia Elminiawi (ALAC)
46:08
@milton that is a possibility too
Milton Mueller (NCSG)
46:36
but I am ok with proceeding with the 4 groups
Marika Konings
46:40
If there are no objections to go to category 3 next, maybe we do not need to ask that question in the survey?
Milton Mueller (NCSG)
46:45
just wanted to take your points into account Greg
Hadia Elminiawi (ALAC)
46:51
like put 2 and 4 together
Marika Konings
47:07
Sorry, category 4 next, not 3...
Alex Deacon (IPC)
48:31
I thought we were capturing all of those things in the use case template?
Hadia Elminiawi (ALAC)
48:34
ok thanks Marika that makes more sense
Stephanie Perrin (NCSG)
49:53
This is true, but I remain convinced that due to a lack of familiarity with the actual work that goes on in compliance with data protection law, we are going to waste a lot of time.
Alan Woods (RySG) (Donuts)
51:04
I tend to agree with Stephanie on this. Not quite sure still as to the expectation as to our outcomes here.
Milton Mueller (NCSG)
53:03
Sorry, if I missed something, but the new ranking exercise involves cases within categories or the categories themselves?
Marika Konings
54:54
Cases within categories
Volker Greimann (RrSG)
54:56
Because the public a
Volker Greimann (RrSG)
55:03
data is already public?
Volker Greimann (RrSG)
55:18
Why should something that is already public need to be provided?
Volker Greimann (RrSG)
55:41
surely any requester is grown up enough to make a simple lookup themselves
Stephanie Perrin (NCSG)
55:46
There is no requirement under DP law to process public data (again) for the convenience of requestors, even the data subject.
Ashley Heineman (GAC)
56:55
Thanks Stephanie, but is there any prohibition?
Milton Mueller (NCSG)
58:02
Alan Woods? Controversial? Nooooo
Stephanie Perrin (NCSG)
58:38
No, so if registrars find it easier to give it all they certainly can. Some jurisdictions charge for subject access, I think it unlikely in those circumstances that you could not charge for separating it out, but I am not familiar with the caselaw (and frankly no one would bother doing that in Canada)
Stephanie Perrin (NCSG)
59:16
(there was an extra not in there, you could not charge for separating it was what I meant)
Kristina Rosette (RySG)
01:01:57
Probably useful to drop a footnote in the template to provide the explanation Chris just gave so it’s clear on its face and avoids later confusion and uncertainty
Ashley Heineman (GAC)
01:02:03
yay!
Milton Mueller (NCSG)
01:02:08
;-)
Chris Lewis-evans (GAC)
01:02:17
sounds good Kristina
Matt Serlin (RrSG)
01:03:23
i’d like to just point out, we’d probably like a day or two to review the responses Chris provided and may respond further on the list once we’ve had a chance to do that
Alan Woods (RySG) (Donuts)
01:05:05
sorry, can you please define what you mean about validation... validation of what?
León Sánchez
01:05:05
my apologies. I didn’t have connectivity
Alan Greenberg (ALAC)
01:08:17
We need a set of definitions because I beleive that people are using the terms in different ways, and for accreditation, there are two aspects. Accredditing of a group to be eligible to use a system (or make a manual request) and accrediting thean individual requester to be part of that group.
Alan Greenberg (ALAC)
01:08:31
Sorry for spelling errors...
Kristina Rosette (RySG)
01:09:05
@Hadia: by validation, are you referring to the process by which the criteria set forth for accreditation eligibility are met? in other words, accreditation = criteria and validation = process of ensuring criteria are met?
Marika Konings
01:09:28
@Alan - this is what we currently have in the chair’s working definitions document: “Accreditation – refers to the process or action of recognizing a person as having a particular identity, possibly with an associated affiliation or status.”
Ashley Heineman (GAC)
01:10:07
+1 Janis
Ashley Heineman (GAC)
01:10:52
Your connection is a bit choppy Milton. At least for me.
Julf Helsingius (NCSG)
01:11:19
Choppy for me too
Farzaneh Badii (NCSG)
01:11:34
choppy for me too
Terri Agnew
01:12:31
I am hearing Milton clearly at this time. Any better for Julf or Farzaneh?
Terri Agnew
01:12:46
and Ashley
Marika Konings
01:15:09
See Chair’s working definitions here: https://community.icann.org/x/-5WjBg\
Marika Konings
01:15:13
https://community.icann.org/x/-5WjBg
Julf Helsingius (NCSG)
01:15:18
Terri: got better
Chris Lewis-evans (GAC)
01:17:26
agree
Chris Lewis-evans (GAC)
01:17:49
@AlanW
Ayden Férdeline (NCSG)
01:18:45
+1 Alan W
Alex Deacon IPC
01:19:10
I have assumed that there would be some “approved” list of accredited based on some tbd set of criteria.
Alex Deacon IPC
01:19:29
accreditors based....
Margie Milam (BC)
01:20:38
We can develop general policies on accreditation - and it is in our workplace
Margie Milam (BC)
01:20:44
workplan
Margie Milam (BC)
01:21:49
+1 Ashley
Milton Mueller (NCSG)
01:22:16
Ashley's point is a good one, but...if the law an LEA is following is problematic from a HR point of view, they are not technically "abusing" their role
Ashley Heineman (GAC)
01:23:18
I think we all agree at this point that accreditation doesn't assume access.
Alan Woods (RySG) (Donuts)
01:23:51
+1 Stephanie. A valid form of accreditation is merely a factor in the 6(1)f balance - or in the case of in jurisdiction - a confirmation that there is a legal obligation on that controller in that jurisdiction.
Ashley Heineman (GAC)
01:23:57
Milton - So, let's look forward to discussing how to address these issues. :-)
Milton Mueller (NCSG)
01:24:13
Yes, it's down the road, not an immediate problem
Hadia Elminiawi (ALAC)
01:24:58
sure Stephanie there is a difference between accreditation and decision meaning
Farzaneh Badii (NCSG)
01:25:04
general policies to keep authoritarian countries away from disclosure and accreditation? I don’t think this group can do that. Also some of these countries are allegedly undertaking cyber attacks. Would be funny to see their LEA accredited to access DNH registrants data
Farzaneh Badii (NCSG)
01:25:29
*registration
Alan Woods (RySG) (Donuts)
01:26:45
@farzi it would make sense to me that whatever this LEA accreditation body would be ... civil society would definitely have to be involved in the definitions - but this is astronomical units outside of our remit
Farzaneh Badii (NCSG)
01:27:01
Yes it is totally outside of our remit
Milton Mueller (NCSG)
01:27:49
we are NOT talking about automated accreditation processes.
Farzaneh Badii (NCSG)
01:28:20
automation should not be discussed now….
Kristina Rosette (RySG)
01:28:26
sounds to me like Stephanie has articulated one of our accreditation policy principles
Farzaneh Badii (NCSG)
01:28:45
what?
Farzaneh Badii (NCSG)
01:28:50
Automated decision?
Farzaneh Badii (NCSG)
01:29:06
you mean a machine automate it and not a person? oh dear
Theo Geurts (RrSG)
01:31:09
so the automation is automated?
Hadia Elminiawi (ALAC)
01:32:32
ok thanks - authorization
Alex Deacon (IPC)
01:35:24
credentialing is a result/output of accreditation.
Marika Konings
01:37:04
These are the charter questions (but no definition): b) What are the unanswered policy questions that will guide implementation? b1) How will credentials be granted and managed? b2) Who is responsible for providing credentials? b3) How will these credentials be integrated into registrars’/registries’ technical systems?
Alex Deacon (IPC)
01:38:12
Thanks Marika - helpful to remind us what questions the charter asks us to answer.
Stephanie Perrin (NCSG)
01:38:47
Sounds good, as long as we add a footnote to note it.
Volker Greimann (RrSG)
01:39:55
M) two days is too restrictive
Volker Greimann (RrSG)
01:40:33
it must be flexible to allow longer processing times in case of being inundated with requests
Alex Deacon (IPC)
01:40:45
I’ll note the definition of “response” is important here.
Volker Greimann (RrSG)
01:40:58
I stick with my: “When we get to it” response
Farzaneh Badii (NCSG)
01:41:00
I was told these use cases are supposed to be GENERAL!! And was told that specifics are not needed only at implementation level they are needed. Now we are talking about expected timing of response etc … isn’t this an implementation issue?
Hadia Elminiawi (ALAC)
01:41:31
@Farzi machines might be better decision makers
Volker Greimann (RrSG)
01:41:35
Well, Alex, substitutive response should be clear though. Even I am not going to argue what that means
Alan Woods (RySG) (Donuts)
01:41:45
clarity is important.
Matt Serlin (RrSG)
01:41:58
+1 to Alan Woods…2 days as a SLA commitment is problematic
Farzaneh Badii (NCSG)
01:42:26
Really Hadia? or quicker decision makers with no checks and balances?
Volker Greimann (RrSG)
01:42:35
come on, you know how most registrars are staffed, right?
Stephanie Perrin (NCSG)
01:42:36
Note, I have been using the word “elision”. If people are more comfortable with the term “conflation”, that works for me also.
Volker Greimann (RrSG)
01:42:42
Some have four people in total
Mark Svancarek (BC) (MSFT)
01:42:53
I love "elision" and I will use it from now on
Kristina Rosette (RySG)
01:42:55
Clear that no consensus on M
Volker Greimann (RrSG)
01:43:04
you cannot apply go daddy standards to all of us.
Stephanie Perrin (NCSG)
01:43:55
As I have said many times before, we cannot make up for 20 years of ignoring data protection law and thinking in a matter of months.
Stephanie Perrin (NCSG)
01:44:06
We need to slow down.
Alan Woods (RySG) (Donuts)
01:49:11
moving too fast indeed.... we need to discuss n
Theo Geurts (RrSG)
01:49:26
We can automate processes, but not all processes can be automated.
Milton Mueller (NCSG)
01:50:18
If a LEA makes a request for 10,000 records all based on the same legal basis and investigation, could the request be manually reviewed but once approved the delivery of the data automatic?
Alan Greenberg (ALAC)
01:50:41
N says that automation of SUBSTANTIVE RESPONSE.
Mark Svancarek (BC) (MSFT)
01:50:54
Milton, thanks for asking that question
Theo Geurts (RrSG)
01:52:31
the amount of requests is also a factor when it comes to automation. Development is pretty expensive.
Milton Mueller (NCSG)
01:52:33
what does "substantive response" mean? just the delivery of the data?
Ashley Heineman (GAC)
01:53:24
+1 Alex
Matt Serlin (RrSG)
01:53:27
+1 Alex
Hadia Elminiawi (ALAC)
01:53:46
+1 Alex let's move on
Matt Serlin (RrSG)
01:53:49
We could get into the automation discussion with every use case
Alex Deacon (IPC)
01:54:08
@matt - I’m suggesting we try super hard not to do that!
Matt Serlin (RrSG)
01:54:13
Agreed!
Milton Mueller (NCSG)
01:55:27
prove it
Hadia Elminiawi (ALAC)
01:56:10
+1 chris
Milton Mueller (NCSG)
01:56:29
I think a "possible" question should remain in the template, though we may want to separate it from "desirable"
Milton Mueller (NCSG)
01:57:25
Data retention would be subject to legal requirements in the jurisdiction of the LEA would it not?
Chris Lewis-Evans (GAC)
01:58:34
Thanks will adjust
Milton Mueller (NCSG)
01:59:16
might be better to ask whether automation is consistent with legal requirements/legal basis
Chris Lewis-Evans (GAC)
02:00:13
@milton like that wording
Milton Mueller (NCSG)
02:02:34
or rather to "what extent" automation is consistent, as there can be mixes/hybrids of manual and automation
Georgios Tselentis (GAC)
02:02:55
+1 Milton
Marika Konings
02:05:08
If you want to scroll along yourself for this use case, please see https://community.icann.org/download/attachments/111386876/SSAC%20Crime-Abuse%20Investigation%20Use%20Case%20-%2011%20July%202019.docx?version=1&modificationDate=1562865007000&api=v2
Alex Deacon (IPC)
02:05:18
@Greg - I like the use of tasks to describe what is happening.
Theo Geurts (RrSG)
02:06:38
So how does 49 relate to domain names?
Ben Butler (SSAC)
02:09:00
@Theo, when domains are as the mechanism for the cybercrime attack, the “ability of a network to resist…” will largely be based on the ability to continue to allow traffic from said domain, or (as Greg is explaining) to block / reject any further traffic from or access to said domain.
Farzaneh Badii (NCSG)
02:09:04
How can you describe things generally and then go to nitty gritty issues like automation. you need to be very specific in other fields as well. I don’t see a Use Case here. clear explanation on how all those recitals and all the clauses apply to these issues
Farzaneh Badii (NCSG)
02:12:31
No bogus data is not automatically a sign of bad faith. And your accuracy check has to be done by compliance …
Volker Greimann (RrSG)
02:12:48
T3) Sounds very much like a fishing expedition to me.
Alex Deacon (IPC)
02:13:12
@Farzaneh - I didn’t hear Greg use the word “automatically”.
Farzaneh Badii (NCSG)
02:13:47
It’s in the template Alex. I am sure he will get to it.
Volker Greimann (RrSG)
02:14:48
56k?
Farzaneh Badii (NCSG)
02:14:57
well obviously security researchers tool have not followed Internet speed
Farzaneh Badii (NCSG)
02:15:05
Still using 30 years ago WHOIS protocol
Milton Mueller (NCSG)
02:17:11
Surely Ben is capable of explaining this
Farzaneh Badii (NCSG)
02:18:15
Well fighting with DGA by accessing WHOIS … not very efficient I’d say. We talked about pattern of registration through pseudonymization. What happened to that discussion?
Milton Mueller (NCSG)
02:18:16
I have some specific questions for Greg which I hope there will be time for today
Farzaneh Badii (NCSG)
02:20:03
Why can’t LEAs come up with a way to facilitate cybersec researchers access?
Theo Geurts (RrSG)
02:20:11
Agreed Alan W, this is not something we can fix within ICANN.
Alan Greenberg (ALAC)
02:20:25
Alan W is correct, but we need to keep the Internet running and the law will not change sufficiently quickly.
Theo Geurts (RrSG)
02:20:51
Well the internet is still running after May 25th 2018 with a redacted WHOIS.
Farzaneh Badii (NCSG)
02:21:43
Microsoft uses the court subpoenas very efficiently to mitigate botnet. Without identification of DNH . Judicial system worked there …
Stephanie Perrin (NCSG)
02:22:05
apologies, I had to step away to answer the door….my hand is still up if you went past me.
Hadia Elminiawi (ALAC)
02:22:59
we did not pass you yet stephanie
Stephanie Perrin (NCSG)
02:23:57
Thanks Hadia!!
Alan Woods (RySG) (Donuts)
02:24:58
@alan i appreciate the internet must run ... but the internet will die far faster if people are advocating breaking it because people did not involve themselves in the crafting of such law. For example the e-privacy regulations were stalled because an affected party advocated on how the law would have an unintended consequence. Again ICANN cannot fix the way it is, we can only figure out a way of making the "new" post GDPR world better .... including shaping future legislative endeavours - not by ICANN policy supporting a bending of that law.
Farzaneh Badii (NCSG)
02:25:07
They should be reported to law enforcement. Not like Brian Krebs just putting out info of the attackers wife on a public blog. https://krebsonsecurity.com/2017/07/who-is-the-govrat-author-and-mirai-botmaster-bestbuy/
Farzaneh Badii (NCSG)
02:25:43
security researchers need to do their research diligently without harming those who are not involved.
Theo Geurts (RrSG)
02:26:15
Move security investigations to CP
Theo Geurts (RrSG)
02:26:20
:)
Farzaneh Badii (NCSG)
02:26:34
So phone number is irrelevant. That’s one element you don’t need to have access to
Hadia Elminiawi (ALAC)
02:27:05
@Alan W for sure no one is suggesting any kind of bending the law
Alan Woods (RySG) (Donuts)
02:27:30
well i'm very happy to hear that Hadia.
Mark Svancarek (BC) (MSFT)
02:28:37
Phone number is relevant when it's relevant :-) This use case doesn't cover those instances where passive DNS (for example) was sufficient. They do exist, but not relevant to this use case
Stephanie Perrin (NCSG)
02:28:51
I suggest that people do their research on how investigations by private actors are managed under DP law in the meantime, and talk about the case the following week. While cybercrime is a good example of rampant regulatory avoidance, it is not the only one. However, it does not work well under data protection law (competition law also being relevant but not in our remit).
Farzaneh Badii (NCSG)
02:29:27
No Sorry Mark. That is not specific enough. so not GDPR compliant
Alan Greenberg (ALAC)
02:29:45
I would support deferring until Greg is back.
Alan Greenberg (ALAC)
02:29:55
It will save replicating discussions.
Alan Woods (RySG) (Donuts)
02:30:13
me too. I am actually out next week also (not that that is a deciding factor :D)
Stephanie Perrin (NCSG)
02:30:30
This stuff is difficult. We should lower expectations.
Matt Serlin (RrSG)
02:30:40
Next week is going to be alternate week for sure! I’m out too :)
Hadia Elminiawi (ALAC)
02:30:45
Thank you all bye
Georgios Tselentis (GAC)
02:30:50
bye
Chris Lewis-Evans (GAC)
02:30:51
thanks all