There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.

Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Pease see the thread to my March 2 email.

Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it?

Yes, we need to consider additional language to 4.2.2 as it is too narrow.

Many thanks,

Sara

sara bockey

sr. policy manager | GoDaddy^™

sbockey@godaddy.com 480-366-3616

skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, March 8, 2018 at 10:05 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Sara and all,

This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement.

Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, March 8, 2018 11:04 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Amy,

It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.

Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”.

It’s incredibly frustrating that staff does not appear to hear what we are saying.

Sara

sara bockey

sr. policy manager | GoDaddy^™

sbockey@godaddy.com 480-366-3616

skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, March 8, 2018 at 8:04 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Lindsay!

I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law.

What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid
Sent: Thursday, March 8, 2018 10:00 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Hi Amy

Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.

Many thanks

Lindsay

Lindsay Hamilton-Reid

Senior Legal Counsel

Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk

www.fasthosts.co.uk www.1and1.co.uk

fh-1and1

© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027.

This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: 08 March 2018 12:07
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.

Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):

4.1.2 Where a disclosure request has been categorized as High Priority, ~~LEA will make every effort to contact the Provider directly to discuss the matter,~~ and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day.~~, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.~~

As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”

Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?

Peter, what would you and your PSWG colleagues think about this?

Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.

I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).

Best,

Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM)
Sent: Wednesday, March 7, 2018 1:08 PM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.

Peter Roman

Senior Counsel

Computer Crime & Intellectual Property Section

Criminal Division

Department of Justice

1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323

peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Tuesday, March 6, 2018 11:42 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Dear Colleagues,

Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018

If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.

Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.

We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification.

The proposed language is:

4.1.2 ~~Where a disclosure request has been categorized as High Priority, this~~

~~must be actioned within 24 hours. The LEA Requestor will detail the~~

~~threat type and justification for a request with a Priority Level of High Priority.~~ Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.

IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.

Best,

Amy

Amy E. Bivins

Registrar Services and Engagement Senior Manager

Registrar Services and Industry Relations

Internet Corporation for Assigned Names and Numbers (ICANN)

Direct: +1 (202) 249-7551

Fax: +1 (202) 789-0104

Email: amy.bivins@icann.org