Amy,

Following our F2F discussion on Sunday, many of us have continuing and renewed concerns regarding the LEA spec, in particular the high priority disclosure framework and Section 4.2.

After much discussion and many options being put to staff, 4.1.2 has devolved to a “compromise” which is basically the exact same language we started with 6 months ago, with the exception of adding “in accordance with Section 4.2.” As such, we are very concerned that the LEA Spec as written creates a presumption of disclosure and means to bypass due process. Additionally, it is important to remember that this is an accreditation program for ALL Privacy/Proxy Providers around the globe. That means that LEA requests come from LEA in all sorts of countries, and the language in the accreditation agreement need to reflect that. We cannot take an American-centric view. We need to bolster the language in 4.2 to better protect the rights of the Provider and its customers. Therefore, if we are to consider/accept the current proposed high priority language, namely:

“Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours, in accordance with Section 4.2. The LEA Requester will detail the threat type and justification for a request with a Priority Level of High Priority.”

Then the following amendments must be made to Section 4.2 (new language in bold below):

4.2. Disclosure:

4.2.1. Within the applicable timeframe for a request’s Priority Level, Provider will disclose to the LEA Requestor, using a secure mechanism (this must be defined), the Requested Information it holds [associated with] the account.

4.2.2. Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including without limitations any of the following:

4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification;

4.2.2.2. If disclosure would lead to a contravention of applicable law; or

4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer.

4.2.2.4. Where Provider has requested a court order/warrant/subpoena and LEA Requestor was unable or unwilling to provide same.

4.2.2.5. Where Provider has not been able to verify the identity of the LEA Requestor. (We also need to determine how Providers can best verify the identity of the requestor in a timely fashion. This can at times be very time consuming.)

4.2.2.6. Where Provider has found, after investigation, that LEA Requestor’s request is not well founded.

4.2.3. If disclosure is refused by Provider, Provider must provide written notice (which may be by electronic communication) to the LEA Requestor setting for Provider’s specific reasons for refusing to disclose. Such notice must be provided by Provider to the LEA Requestor prior to any Customer notification by Provider, irrespective of the reason for refusal.

4.2.4. In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay and agree with the LEA Requestor on a new date by which it will provide its response under this Section. 4.2.

4.2.5. For all refusals made in accordance with the policy and requirements herein, Provider must accept and give due consideration to the LEA Requestor’s requests for reconsideration of the refusal to disclose.

4.2.6. Nothing in Section 4.2 above shall be interpreted nor is it intended to imply the Provider shall forego due process within its applicable jurisdiction to satisfy LEA Requestor’s request, regardless of Priority Level.

Finally, I believe you were wanting to know if it was acceptable to have Escrow separate from the PPAA. I believe that is the case for the RAA, so I do not see an issue with having it separate from the PPAA.

Sara

sara bockey

sr. policy manager | GoDaddy^™

sbockey@godaddy.com 480-366-3616

skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Sunday, March 11, 2018 at 6:24 PM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Discussion items for today's PP IRT face-to-face at ICANN61 (starting in 10 mins)

Dear Colleagues,

Attached you will find a document that a member of the finance team will be discussing during our session starting in a few minutes.

In addition, you’ll be hearing an update about ongoing discussions between registrar and PSWG members of the IRT related to the draft LEA disclosure framework specification. This language was discussed informally among a smaller group this afternoon. Registrar and PSWG members of the IRT appear to be nearing agreement on a proposal for presentation to the IRT that would include a 24-hour time frame for provider responses to high priority LEA requests, with some additional requirements for documentation demonstrating that the request is high priority.

The updated draft language for Section 4.1.2 for further discussion (deletions shown as strikeouts, additions in blue) is currently:

“Where a disclosure request has been categorized as High Priority, this must be ~~actioned~~ responded to within 24 hours, in accordance with Section 4.2. The LEA Requester will detail the threat type and justification for a request with a Priority Level of High Priority.”

In addition, staff was asked to provide suggestions for additional details that can be specified about what goes into a High Priority requests. Staff has proposed the following as a starting point.

“For High Priority requests, in addition to the requirements specified in Section 2.1.*, LEA Requesters should provide specific information demonstrating that the request is necessary due to an imminent threat to life, serious bodily injury, critical infrastructure or child exploitation”.

(Note: Section 2.1 is the section that lists all the details currently needed for a request.)

We will be discussing these during the session and soliciting further feedback on the list afterward.

Best,

Amy

Amy E. Bivins

Registrar Services and Engagement Senior Manager

Registrar Services and Industry Relations

Internet Corporation for Assigned Names and Numbers (ICANN)

Direct: +1 (202) 249-7551

Fax: +1 (202) 789-0104

Email: amy.bivins@icann.org