All - I need some time to review and digest this, but my first reaction is that this is a good attempt to find a working compromise. That said, there is one provision that is mildly problematic: 4.2.2.4. Where Provider has requested a court order/warrant/subpoena and LEA Requestor was unable or unwilling to provide same. The whole point of the emergency request is that there is not enough time to get any kind of court order. If there was time to get a court order, we would just go get it. This provision would effectively render the high priority disclosure meaningless. Also, I was kind of hoping that rather than just denying requests outright, if the provider finds some problem, there could be a discussion between the provider and the Requestor about what those problems are and whether we can rectify them. I don’t know whether that can be incorporated in the draft but I hope that was an underlying assumption that I just missed in this quick review (while listening to the timeline discussion in San Juan). Finally, I don’t understand the bit about providers giving the LEA Requestor a written response. First, that seems slow in a situation where speed is critical (unless by “in writing” you mean “by email or text”). If you are going to deny the request, it would be good to do so in time to see if we can fix the issue and/or to work other avenues of investigation. Second, as noted above, that sounds like a final decision will be made without any consultation with the Requestor to try and fix the request. Thanks for taking the time to work on this with us and being willing to compromise. Best, Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave.<x-apple-data-detectors://7>, NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> On Mar 15, 2018, at 12:30 PM, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> wrote: Amy, Following our F2F discussion on Sunday, many of us have continuing and renewed concerns regarding the LEA spec, in particular the high priority disclosure framework and Section 4.2. After much discussion and many options being put to staff, 4.1.2 has devolved to a “compromise” which is basically the exact same language we started with 6 months ago, with the exception of adding “in accordance with Section 4.2.” As such, we are very concerned that the LEA Spec as written creates a presumption of disclosure and means to bypass due process. Additionally, it is important to remember that this is an accreditation program for ALL Privacy/Proxy Providers around the globe. That means that LEA requests come from LEA in all sorts of countries, and the language in the accreditation agreement need to reflect that. We cannot take an American-centric view. We need to bolster the language in 4.2 to better protect the rights of the Provider and its customers. Therefore, if we are to consider/accept the current proposed high priority language, namely: “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours, in accordance with Section 4.2. The LEA Requester will detail the threat type and justification for a request with a Priority Level of High Priority.” Then the following amendments must be made to Section 4.2 (new language in bold below): 4.2. Disclosure: 4.2.1. Within the applicable timeframe for a request’s Priority Level, Provider will disclose to the LEA Requestor, using a secure mechanism (this must be defined), the Requested Information it holds [associated with] the account. 4.2.2. Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including without limitations any of the following: 4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification; 4.2.2.2. If disclosure would lead to a contravention of applicable law; or 4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer. 4.2.2.4. Where Provider has requested a court order/warrant/subpoena and LEA Requestor was unable or unwilling to provide same. 4.2.2.5. Where Provider has not been able to verify the identity of the LEA Requestor. (We also need to determine how Providers can best verify the identity of the requestor in a timely fashion. This can at times be very time consuming.) 4.2.2.6. Where Provider has found, after investigation, that LEA Requestor’s request is not well founded. 4.2.3. If disclosure is refused by Provider, Provider must provide written notice (which may be by electronic communication) to the LEA Requestor setting for Provider’s specific reasons for refusing to disclose. Such notice must be provided by Provider to the LEA Requestor prior to any Customer notification by Provider, irrespective of the reason for refusal. 4.2.4. In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay and agree with the LEA Requestor on a new date by which it will provide its response under this Section. 4.2. 4.2.5. For all refusals made in accordance with the policy and requirements herein, Provider must accept and give due consideration to the LEA Requestor’s requests for reconsideration of the refusal to disclose. 4.2.6. Nothing in Section 4.2 above shall be interpreted nor is it intended to imply the Provider shall forego due process within its applicable jurisdiction to satisfy LEA Requestor’s request, regardless of Priority Level. Finally, I believe you were wanting to know if it was acceptable to have Escrow separate from the PPAA. I believe that is the case for the RAA, so I do not see an issue with having it separate from the PPAA. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Sunday, March 11, 2018 at 6:24 PM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: [Gdd-gnso-ppsai-impl] Discussion items for today's PP IRT face-to-face at ICANN61 (starting in 10 mins) Dear Colleagues, Attached you will find a document that a member of the finance team will be discussing during our session starting in a few minutes. In addition, you’ll be hearing an update about ongoing discussions between registrar and PSWG members of the IRT related to the draft LEA disclosure framework specification. This language was discussed informally among a smaller group this afternoon. Registrar and PSWG members of the IRT appear to be nearing agreement on a proposal for presentation to the IRT that would include a 24-hour time frame for provider responses to high priority LEA requests, with some additional requirements for documentation demonstrating that the request is high priority. The updated draft language for Section 4.1.2 for further discussion (deletions shown as strikeouts, additions in blue) is currently: * “Where a disclosure request has been categorized as High Priority, this must be actioned responded to within 24 hours, in accordance with Section 4.2. The LEA Requester will detail the threat type and justification for a request with a Priority Level of High Priority.” In addition, staff was asked to provide suggestions for additional details that can be specified about what goes into a High Priority requests. Staff has proposed the following as a starting point. * “For High Priority requests, in addition to the requirements specified in Section 2.1.*, LEA Requesters should provide specific information demonstrating that the request is necessary due to an imminent threat to life, serious bodily injury, critical infrastructure or child exploitation”. (Note: Section 2.1 is the section that lists all the details currently needed for a request.) We will be discussing these during the session and soliciting further feedback on the list afterward. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl