A
few items.
Again,
I’m concerned that we are
creating policy, not implementing it.
Granted, the framework outlined in the Final Report is not
as robust as what is detailed for IPC, but then again LEA
did not participate in the PDP process. The IRT is
not the place to be creating policy for LEAs.
That said, the problem
with a strict 24-hour period is that it doesn’t
acknowledge certain situations/matters may require
additional time, falling outside a 24-hour period despite
a Provider’s best efforts. Language such as
“Where a disclosure request has been categorized as High
Priority, this must be actioned within 24 hours” are overly
strict and sets the Provider up for failure/being out of
compliance due to circumstances beyond its control.
Finally,
I fear the LEA framework as currently written creates
unrealistic expectations/SLAs. There seems to be a
presumption of disclosure – if LEAs check all the right
boxes, the information will be disclosed. However, this
decision should reside with the provider, who does not have
to bypass due process just to please LEAs.
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey
This
email message and any attachments hereto is intended for
use only by the addressee(s) named herein and may
contain confidential information. If you have received
this email in error, please immediately notify
the sender and permanently delete the original and any
copy of this message and its attachments.
Dear Colleagues,
As mentioned on the
list a couple of weeks ago, the current draft PPAA is still
a bit ambiguous regarding how the review process outlined in
Section 3.2.1 applies to high priority requests. We need
ensure that the draft is clear about this requirement when
we go out for public comment (and if there is opposition to
the proposed requirement by any members of the IRT, this
will be flagged in the call for comments).
Upon reviewing the
IRT’s input to date, I am proposing an edit that I believe
reflects the IRT discussion on this point. Please review
and provide your comments on this proposed language no
later than this Friday, 9 February.
To summarize, the
current draft
contains a
two-step process for Providers upon receipt of a request
from LEA. (1) Within two business days, the Provider must
review the request and confirm to the LEA requester that
it has been received and contains the relevant information
required to meet the minimum standard for acceptance (See
3.2.1 of Specification 4). (2) The Provider must then
action the request in accordance with the priority level
(within 24 hours for “high priority” requests (4.1.2); or
within the timeline requested by LEA, if possible, for
other requests (See 4.1.3).
The current
language may be a bit ambiguous as to whether the two
business day “review period” applies before the 24-hour
period for responding to high priority requests (as
explained in more detail in the attached message). The view of
registrar IRT members appears to be that requiring action
within 24 hours of receipt of an LEA request, even if it
is a high priority request, is unacceptable. PSWG members
of the IRT disagree. Other IRT members appear to have
mixed views on this (some referenced the RAA requirement
that “Well-founded reports of Illegal Activity submitted
to these [dedicated LEA] contacts must be reviewed within
24 hours by an individual who is empowered by Registrar to
take necessary and appropriate actions in response to the
report.” Registrar members of the IRT said that the
RAA-required review is less intensive than the PPAA review
due to the specific requirements in the PPAA draft).
Based on the views
expressed within the IRT, it appears that one potential
solution to this ambiguity would be to update Section
4.1.2 to state that (proposed edit in red), “Where a disclosure request has been
categorized as High Priority, this must be actioned
within 24 hours
of completion of the
receipt process outlined in Section 3.2.” The LEA Requestor will detail the
threat type and justification for a request with a
Priority Level of High Priority.”
The practical impact of this proposed
change would be that the provider must action a high
priority request within 24 hours of determining that the
request meets the minimum standard for acceptance. If the
provider completes the receipt process sooner than 2
business days after receipt of the request, this would
start the 24-hour clock for actioning the request. Thus,
this could shorten the response window a bit, partially
addressing the PSWG concerns of a “two business days plus
24 hours” requirement, while also addressing registrar
concerns by not starting the clock until the provider has
time to review the request, if the full time of the
receipt process is required to conduct that review.
Please provide your feedback on this
proposed change no later than this Friday, 9 Feb. And
if you have further comments on this, please share those
as well.
Best,
Amy
Amy E. Bivins
Registrar Services and Engagement
Senior Manager
Registrar Services and Industry
Relations
Internet Corporation for Assigned
Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email:
amy.bivins@icann.org
www.icann.org