Julie Bisland's Personal Meeting Room
Thomas Rickert (ISPCP)
37:22
Hi all!
Ayden Férdeline (NCSG)
39:11
Agenda is fine thanks
Julf Helsingius (NCSG)
42:23
Alternating makes it somewhat confusing
Volker Greimann (RrSG)
42:32
Alternating will cause missed meetings
Becky Burr (ICANN Board Liaison)
43:08
Ok with me, same issue for Rafik tho
Marc Anderson (Verisign / RySG)
43:43
we have a good number of people on pacific time right?
Milton Mueller (NCSG)
44:26
echoechoecho
Margie Milam (BC)
46:39
at least 4 from pacific zone, and lots of staff
Hadia Elminiawi (ALAC)
46:58
Thanks Marika
Marc Anderson (Verisign / RySG)
47:26
seems like we could accommodate more people by shifting the time.
Berry Cobb
47:29
As a reminder, here is the Action Item / Workplan google sheet. It contains AIs assigned (still cleaning up some old ones) and the purple coded rows contain the topics to be deliberated with our future meeting schedule. https://docs.google.com/spreadsheets/d/179ocCF6XHK48CJaFF4Rdg9T3atQKFeY51zwF6rfQ4Jw/edit#gid=126973602
Ayden Férdeline (NCSG)
48:31
I think it was 24-27?
Ayden Férdeline (NCSG)
48:41
Sorry I was wrong
Terri Agnew
49:03
EPDP F2F 27, 28, 29 Jan in LA
Marika Konings
49:51
See also: https://docs.google.com/document/d/130z5SNuYgGhlH9hnAHJcjuZ_9F5zP7uJ4P4g_XcILpU/edit
James Bladel
51:15
Good morning everyone. Apologies for my joining late.
James Bladel (RrSG)
51:34
Terri, can you reflect the RrSG attendance? Thx.
Terri Agnew
52:35
Hi James, you are noted as joining.
Sarah Wyld (RrSG)
56:57
Makes sense to separate logins from queries, as logged items
Milton Mueller (NCSG)
57:54
good level of generality for this statement
Alan Woods (RYSG)
01:03:19
+1 Thomas
Sarah Wyld (RrSG)
01:03:29
+1 Thomas. Always need to accommodate for jurisdictional differences
Sarah Wyld (RrSG)
01:04:39
Is it possible to log the activity of accredited users without having personal data in the logs? Their username could be PD, no?
Ayden Férdeline (NCSG)
01:05:33
I suggest changing "machine-readable format" to "in a commonly used, structured, machine-readable format accompanied by an intelligible description of all variables"
Alan Woods (RYSG)
01:08:41
thank you!
Thomas Rickert (ISPCP)
01:10:05
The logs shall be retained for a period of time sufficient to cover the time until claims by data subjects are barred by statute according to the national law applicable for the entity keeping having disclosed the data.
Ayden Férdeline (NCSG)
01:10:09
@Brian - if we changed “data protection authorities” to "relevant supervisory authorities" would that alleviate your concerns
Brian King (IPC)
01:12:28
"due legal process, including relevant supervisory authorities as appropriate"
Chris Lewis-Evans (GAC)
01:12:35
@Ayden relevant supervisory authorities also get rid of the other two icon, audit body?
Volker Greimann (RrSG)
01:12:36
Happy with that suggestion
Brian King (IPC)
01:12:37
or "as applicable" probably
Ayden Férdeline (NCSG)
01:12:48
@Chris yes I think so
Brian King (IPC)
01:12:57
due legal process, including relevant supervisory authorities, as applicable
Brian King (IPC)
01:13:34
No opposition to technical operator
Sarah Wyld (RrSG)
01:14:13
+1 to limitation. Maybe the technical operator gets a redacted version of the logs, to remove any personal data that may appear there
Marc Anderson (Verisign / RySG)
01:14:14
thanks Chris - friendly amendment. :)
Brian King (IPC)
01:14:20
good point, C.L-E. Let's include the purpose and include it
Mark Svancarek (marksv) (BC)
01:17:25
lol
Sarah Wyld (RrSG)
01:18:26
+1 "all activity" is too broad
Chris Lewis-Evans (GAC)
01:18:30
+1 to going back this is a guidance to implementation to ensure we have a good base line to help the implementation team
Alan Woods (RYSG)
01:18:37
agreed. Original language for i
Sarah Wyld (RrSG)
01:18:44
Agreed, original language
Milton Mueller (NCSG)
01:18:47
no objection
Alan Woods (RYSG)
01:19:12
…. oops .... for implementation guidance was the end of that sentence
Sarah Wyld (RrSG)
01:19:56
+1 Dan, "validated" doesn't mean "logged in" to me
Brian King (IPC)
01:20:03
Agreed
Brian King (IPC)
01:20:21
if we scratch the parenthetical this bullet is good
Hadia Elminiawi (ALAC)
01:21:26
Logging into the system is a different activity
Brian King (IPC)
01:21:47
What's the point of logging "log in" events where no data is requested?
Sarah Wyld (RrSG)
01:21:50
So then we could change "validated" to "used"
Brian King (IPC)
01:22:00
(assuming we're already logging data requests)
Chris Lewis-Evans (GAC)
01:22:39
@Sarah validated and used?
Sarah Wyld (RrSG)
01:22:52
Right - what Janis just said
Brian King (IPC)
01:25:14
Ok that is helpful, Marc. I understand what Alex was thinking.
Brian King (IPC)
01:26:03
Any system with decent security protocols will log all user sessions anyway. I yield the point. Sorry for dragging us down.
Hadia Elminiawi (ALAC)
01:28:27
In all cases" i.e. when they log in" does not belong where it is now
Volker Greimann (RrSG)
01:29:21
Is non-violent disagreement acceptable too?
Volker Greimann (RrSG)
01:29:34
I doubt they will let us bring torches and pitchforks to LA
Sarah Wyld (RrSG)
01:34:08
Good point Marc, we should make sure these line up
Marika Konings
01:35:30
The accreditation authority is mentioned at the top of the logging building block
Sarah Wyld (RrSG)
01:35:34
In Logging block, it says the accreditation authority in the 4 bullet points at the top, but not in the implementation guidance
Marc Anderson (Verisign / RySG)
01:36:35
thanks Sarah and Marika - I think this can be addressed with another section specific to this in implementation guidance.
Sarah Wyld (RrSG)
01:36:51
Agreed, Marc
James Bladel (RrSG)
01:37:51
Perhaps Alan is making the case for why ICANN can’t directly operate SSAD
Alan Greenberg (ALAC)
01:38:51
Operating the SSAD is different from being the accreditation authority.
Mark Svancarek (marksv) (BC)
01:39:06
Brian's explanation makes sense to me. Avoids the paradox AlanG mentioned
Alan Greenberg (ALAC)
01:39:19
If ICANN outsources, then it is fine for ICANN to replace the outsourced authority.
Brian King (IPC)
01:41:15
Existing accountability mechanisms seem appropriate
Marc Anderson (Verisign / RySG)
01:41:25
great points, thanks Dan
Brian King (IPC)
01:41:31
thanks, Dan
Alex Deacon (IPC)
01:41:54
apologies for being late - completely forgot about the time change/difference. (or perhaps it was wishful thinking)
Sarah Wyld (RrSG)
01:42:18
Alex - it nearly caught me too!
Alan Woods (RYSG)
01:43:13
so we assume all is good until we get a complaint? that doesn't seem very safeguard heavy!
Marc Anderson (Verisign / RySG)
01:43:41
@Alex - welcome - we left all the logging action items to you. :)
Alex Deacon (IPC)
01:44:36
@marc - thanks!
Marika Konings
01:44:57
Note that the accreditation building block says: “The accreditation policy defines a single Accreditation Authority, run and managed by ICANN org” with a footnote that states: “Note that ICANN org may outsource this function to a qualified third party, however the details of this are outside the scope of this document."
Milton Mueller (NCSG)
01:45:24
OK got it
Brian King (IPC)
01:46:14
Thanks for the bail-out Marika!
Marika Konings
01:46:23
Any time :-)
Milton Mueller (NCSG)
01:47:17
Well, it can also note that poor implementation or noncompliant accreditation would make the accred authority liable for GDPR fines
Milton Mueller (NCSG)
01:48:15
+ 1 Thomas (re: sharing data paused)
Brian King (IPC)
01:49:35
Agree with Thomas on moving forward with that assumption. We have to keep moving forward.
Brian King (IPC)
01:54:33
suggestion: merely scratch "by an independent auditor"
Sarah Wyld (RrSG)
01:55:47
+1 Marc
Milton Mueller (NCSG)
01:57:29
I will have to leave now
Alan Greenberg (ALAC)
01:59:17
Ultimately (for GDPR in any case) there are significant financial implications to NOT doing this job properly.
Alan Greenberg (ALAC)
01:59:38
That's a higher threat than for most of ICANN's responsibilities
Alan Woods (RYSG)
02:03:20
well surely, following best practice, a statistically significant sample should be tested for compliance no?
Brian King (IPC)
02:04:00
AlanW sounds reasonable, let's talk about how
Volker Greimann (RrSG)
02:04:12
Just like you audit a registrar: make them show proof
Alan Woods (RYSG)
02:04:19
+1 volker
Volker Greimann (RrSG)
02:04:24
No proof - failed audit
Sarah Wyld (RrSG)
02:04:46
+1 Volker
Alan Greenberg (ALAC)
02:05:40
@Volker how can you "prove" that you didn't misuse the data or audit that you really deleted it (instead of hiding it under your mattress)?
Alan Woods (RYSG)
02:06:32
hahah .. we may be welcoming Alan G into the CPH. It's difficult, but we have to figure out a way.
Alan Woods (RYSG)
02:07:47
+1 Volker
Sarah Wyld (RrSG)
02:08:35
Doesn't the Code of Conduct for accredited entities, part of the accreditation building block, cover how they use the data that is disclosed to them?
Alan Woods (RYSG)
02:09:06
The safeguards that we create must be real and auditable, not aspirational. So I think that is a really god identification of why the safeguards we create, must be meaningful.
Alan Woods (RYSG)
02:09:14
*good
Volker Greimann (RrSG)
02:10:28
An audit may be triggered by a complaint
Julf Helsingius (NCSG)
02:10:36
echo echo echo
Thomas Rickert (ISPCP)
02:10:59
you can have a mix of different actions. audits triggered by complaints, random audits for some, filing duties etc
Volker Greimann (RrSG)
02:11:04
And if it is not a complaint-based audit, the audit has to show their general procedures to pass
Sarah Wyld (RrSG)
02:12:04
+1 Thomas and Alan W
Sarah Wyld (RrSG)
02:12:07
And Volker
Alex Deacon (IPC)
02:13:50
+1 Volker -
Margie Milam (BC)
02:13:54
+1 Volker
Thomas Rickert (ISPCP)
02:14:43
+1 Volker
Alex Deacon (IPC)
02:16:52
Perhaps this should be titled “Audits of the Authorization Entity (a.k.a. the Discloser)”
James Bladel (RrSG)
02:17:18
Excellent points, Sarah
Sarah Wyld (RrSG)
02:17:20
Seems reasonable to me, Alex
Marika Konings
02:19:29
Correct, this section could eventually reflect responsibility of multiple parties that are involved.
Alex Deacon (IPC)
02:20:01
+1 Marika - copying my comment in the doc here “So audits would be appropriate for contracted parties depending on how they are involved. (either they are discloser or they provider data to a central decider).”
Alex Deacon (IPC)
02:20:14
provider
Alex Deacon (IPC)
02:20:19
*provide
Sarah Wyld (RrSG)
02:20:24
Agreed that once we know who is the disclosing party, and what is the role of ICANN, then we should come back to this.
Sarah Wyld (RrSG)
02:24:37
It does seem redundant, yes
Volker Greimann (RrSG)
02:25:12
Deletion Brackets?
Chris Lewis-Evans (GAC)
02:25:17
Keep the note?
Alex Deacon (IPC)
02:25:28
yes keep the note
Marika Konings
02:25:37
Yes, note would stay - just the auditing of logs paragraph would be deleted.
Brian King (IPC)
02:25:47
Great
Marika Konings
02:26:48
See also https://docs.google.com/document/d/1KqfkWfbC6gBIrmE3OTTw7MYpThciaMc03Lu6M9skEEI/edit
Alex Deacon (IPC)
02:27:19
I can give an overview
Sarah Wyld (RrSG)
02:27:27
+1 Volker
Sarah Wyld (RrSG)
02:27:42
RrSG went through this block earlier this week but it does seem to have been changed since then
James Bladel (RrSG)
02:29:46
Here a diagram/flow chart might serve us better than text.
James Bladel (RrSG)
02:30:36
For a slow, “visual learner” like me. :)
Marc Anderson (Verisign / RySG)
02:31:32
thanks Alex - your explanation was helpful
Mark Svancarek (marksv) (BC)
02:31:34
If desired, I could try to create a diagram
Marc Anderson (Verisign / RySG)
02:32:39
good suggestion Markia
Marc Anderson (Verisign / RySG)
02:32:47
Marika (sorry)
Alex Deacon (IPC)
02:34:02
I’d be willing to write some python code to make it super clear :) (just kidding…..kinda)
Alex Deacon (IPC)
02:34:23
happy to
Julf Helsingius (NCSG)
02:34:49
Alex: looking forward to the Python code!
Chris Lewis-Evans (GAC)
02:35:11
@Alex thought you were a Fortran guy :P
Mark Svancarek (marksv) (BC)
02:35:16
.NET
Sarah Wyld (RrSG)
02:35:18
Thanks team
Alex Deacon (IPC)
02:35:25
C coder!
James Bladel (RrSG)
02:35:29
Thanks, all.
Hadia Elminiawi (ALAC)
02:35:32
bye all
Chris Lewis-Evans (GAC)
02:35:33
Thanks All
Sarah Wyld (RrSG)
02:35:34
I can provide bad HTML if that helps this effort :)
Marc Anderson (Verisign / RySG)
02:35:34
thanks all
Olga Cavalli
02:35:36
bye thanks
Alan Woods (RYSG)
02:35:38
thank all!! and good morning to our west coasters!
James Bladel (RrSG)
02:35:38
My best work was in Assembly. :P