Hi Thomas,
As we have discussed in private emails, I have the following comments:

1Accreditation Definition
  I'm not sure what is meant by "Accreditation" of LEAs in addition to Authentication and this word has not been floated in the PSWG group meetings where Lawrence, Farzi, and I (and various CPH members) had been participating.  You indicated some distinction in IRT discussions but please clarify.

2Jurisdictional Scenarios
 I see the possible jurisdictional scenarios a litte differently and somewhat less complex as follows: 

  • A. CP and LEA are both located in (or otherwise subject to) the laws of the same jurisdiction (via long arm statute or mutual legal assistance treaty).

  • B. CP is not subject to the jurisdiction of the particular LEA and has no obligation to disclose (or may be prohibited from disclosing by the laws of its own jurisdiction or its contractual commitments with registrants.

  • C. CP has no obligation to disclose but elects to disclose if not prohibited by its governing law or by its registration policies. 

    • 3.   Appropriate Next Steps
    While you believe this must be brought before the Board again, I believe the Board reconvened the IRT with the understanding that the GAC PSWG would be working on this Authentication issue "in parallel" with the IRT.  Therefore, I believe the above jurisdictional issues should be the subject of a joint meeting (or meetings) between the IRT and the GAC PSWG Authentication group before anything is brought back up to the Board level.  For example, the GAC PSWG Authentication group has been discussing a longer term solution that would provide a centralized authenticated email contact for Interpol and Europol  This centralized approach would appear to be in conflict with your viewpoint on the jurisdictional issue but that has not been raised in the Authentication group by any contracted party representative as far as I know.  So how is the Board supposed to address these issues when the interested community groups it anticipated developing solutions have not met to discuss these issues with each other?

    Thank you,
    Anne

    Anne Aikman-Scalese
    GNSO Councilor
    NomCom Non-Voting 2022-2026
    anneicanngnso@gmail.com


    On Wed, Aug 20, 2025 at 9:36 AM Thomas Rickert | rickert.law via council <council@icann.org> wrote:

    Hi all,

    following up on our discussion in Prague Let me summarize how I think we can frame and advance the discussion in preparation for the September meeting.

     

    ICANN and the issue of handling LEA disclosure requests at the global level. 

     

    When it comes to processing disclosure requests from law enforcement authorities (LEAs) there still seems to be a lot of confusion and different expectations by different parts of the ICANN community with respect to process and outcome. 

     

    The topic was discussed in the EPDP, in related IRT (currently with respect to urgent requests) and in the RDRS Standing Committee. The issue is also relevant to work on DNS Abuse.

     

    The two main areas of concern seem to be: 

     

    1. Authentication (and accreditation) of LEAs.
    2. How can Contracted Parties interact with LEAs? Some say CPs are required to disclose if an LEA and should ideally automate the process. Others say that – once authenticated – LEA requests still need to be duly substantiated and a disclosure will only occur if so possible in a legally compliant manner after a legal assessment. 

     

    Whilst the community spent considerable time discussing LEA interaction, a structured analysis of the legal implications in particular and work on solutions has never occurred. However, both questions need to be answered in order for the interactions between CPs and LEAs to work. 

     

    Even if there were a mechanism for authenticating LEAs (which does not currently exist), a distinction needs to be made between various scenarios. These are:

     

    1. CP and LEA are both in the same jurisdiction
    2. CP and LEA are in different jurisdiction, but a legal framework exists (e.g. a mutual legal assistance treaty)
    3. CP and LEA are in different jurisdictions, but no international agreement exists. 

     

    Depending on the case in question 

     

    • a CP might be legally required to disclose if a legal basis exists and legal requirements are met,
    • a CP might have the option to disclose,  
    • an LEA might need to work with the LEA in the jurisdiction where the CP is established, or
    • a disclosure might not be possible. 

     

    So far, our discussion does not seem to have that level of nuance, but it appears that it not possible to use an approach that works at the global level. 

     

    The risk for ICANN and its community

     

    ICANN can produce policies that are binding for the CPs. However, in order for LEA interaction to work at the global level, measures need to be taken by LEAs and governments, but these cannot be obliged by ICANN to act. 

     

    Not only does the ICANN community need LEA’s / governments’ support with an authentication regime for LEAs, but it may also be the case that the legal instruments that currently exist do not allow for an efficient collaboration between LEAs and CPs at the global level.

     

    If this issue is not flagged and worked on, we as the GNSO Council, will allow for a perception within and outside our community to be solidified that the GNSO and ICANN is not able to come to workable solutions to this issue, that the multistakeholder approach is now effective and that CPs are not willing to cooperate with LEAs. 

     

    A constructive way forward

     

    The GNSO Council should take the initiative and invite the GAC / PSWG and the ICANN Board to a meeting or a series of meetings to flag the issue and manage expectations. If other fora should be used or the discussion should be triggered differently, we should discuss these.

     

    We should highlight that ICANN cannot task third-parties, but that third-party support is needed. We should emphasize that ICANN and its community will continue to work on framework and technical solution that can facilitate the match-making between LEAs and CPs, but that we need to base this on a thorough analysis of the legal implications for CPs and ICANN taking into account the risks of unlawful disclosure for registrants. 

     

    Best, 

    Thomas

     

    _______________________________________________
    council mailing list -- council@icann.org
    To unsubscribe send an email to council-leave@icann.org

    _______________________________________________
    By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.