All, A quick additional response to the comments in the LEA specification: Note 7 says that “Registrar members of the IRT contend that the 24-hour period recommended by the PSWG is unworkable; PSWG members contend that 24 hours should be the maximum allowable time for a request to be actioned in an emergency situation.” This is a complete misrepresentation of the PSWG position. The PSWG has maintained from the beginning of the conversation on emergency requests that they needed to be “actioned” immediately. The PSWG does NOT recommend the 24-hour period, the PSWG is willing to COMPROMISE to the 24 hour period. The PSWG is NOT willing to compromise to the one business day response time. One business day, as the providers have explained it, means that an emergency request delivered to the provider on Friday afternoon does not need to be responded to until Monday afternoon. So, one business day means 72 hours or more. In an emergency, this is completely useless response time. By that time, people are dead. An imminent threat to life means that somebody is going to die any moment without this information. I hope that you never have to respond to one of these requests but I also hope that if you do, you will not ignore it until you get to it the next business day. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Metalitz, Steven Sent: Friday, April 27, 2018 2:24 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Notes, action items from today's PP IRT meeting--feedback requested by 27 April Please see in-line feedback below regarding some of Sara’s points on the LEA specification. On behalf of Coalition for Online Accountability (COA) | www.onlineaccountability.net<http://www.onlineaccountability.net> [image001] Steven J. Metalitz | Partner, through his professional corporation T: +1.202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, April 19, 2018 2:36 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Notes, action items from today's PP IRT meeting--feedback requested by 27 April Thanks, Sara and Steve, for your comments on this draft thus far. I’ve updated the draft to address your last point, Sara, and in line with Steve’s comment about separating out standard and high priority requests. I’ve left the comments in the draft from Tuesday’s call for now. Absent any strong opposition to the inclusion of the other edits proposed by Sara, as noted in the draft, these will be accepted in the next draft. I encourage all IRT members to review the draft again when you are able and provide any further feedback no later than the end of next week. I don’t have any further information or materials for you today for next week’s meeting, but I hope to have something for you soon (I’ll send it as soon as I have it). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, April 19, 2018 1:20 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Notes, action items from today's PP IRT meeting--feedback requested by 27 April Regarding Section 4.2.2 “without limitations” is necessary to ensure legitimate instances not yet listed or thought of are covered. Examples of additional causes beyond the control of the Provider: war, terrorism, riots, power outage, internet outage, internet failure, server failure, foreign gov’t changes, labor disputes, etc. Steve’s comment: (I think this refers to 4.1.2 of the revised document Amy sent out 4/17. ) This strikes me as a reasonable list of reasons why a provider would not be able to respond in a timely fashion to an LEA disclosure request (whether High Priority or Standard Priority), but not of reasons to deny altogether a request that otherwise meets the requirements of the specification. Should we append this list to what is now 4.1.4 (following “acts of nature”)? I would be much more comfortable including “without limitations” there rather than in 4.1.2. Regarding Section 4.2.2.5<http://4.2.2.5> – I see no issue with redundancy and there is no harm in including this. If anything, it protects against potential abuse (in parts of the world that are less democratic) Steve’s comment: This refers to the “well founded” phrasing in 4.1.2.5. I still have trouble understanding what would make a request that meets all the requirements of the specification not “well founded,” and believe I pointed out on the April 17 call why this situation differs from RAA 3.18.2 where “well-founded” appears (in short, that the RAA does not define what needs to go into an actionable LE request, and this specification does). Can Sara or others provide an example of when this ground for refusal of an LEA request might come into play? Regarding Section 4.2.6 – Not redundant and 100% necessary. Particularly for providers in parts of the world that are less democratic. We must remember this will be applied globally. Belt and suspenders! At ICANN61 this addition gave registrars that spoke with me the most comfort. Steve’s comment (this refers to the “due process” language now appearing in 4.1.6): I think it is redundant and for that reason do not object to it. “Foregoing due process within its applicable jurisdiction” is really a subset of 4.1.2.2, disclosure in contravention of applicable law. Regarding the legitimate concerns about “less democratic” jurisdictions: remember that this entire specification only applies to disclosure requests received from LE authorities within the provider’s own jurisdiction. If you choose to establish the provider within a “less democratic” jurisdiction, that provider still has to follow the laws of that jurisdiction, including the laws that define what process is due in a particular situation. Finally, I note that Staff is using the 24-hr timeframe as the default in the document instead of one business day as agreed by the registrars. Since one business day is what the registrars have agreed to, should it not be the default until otherwise determined? Steve’s comments: I have suggested putting the two options in square brackets, don’t care which one is listed first. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Tuesday, April 17, 2018 at 10:53 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: [Gdd-gnso-ppsai-impl] Notes, action items from today's PP IRT meeting--feedback requested by 27 April Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. For those who could not attend, I regret that we were unable to record this meeting (an issue with a new internal recording policy), but this was a one-time issue and all future meetings will be recorded. I’ve done my best to annotate the LEA specification document with the items we discussed, and have also attached the chat transcript. IRT Action Items We are nearing the completion of discussions on the LEA Specification. Other than the item of clear disagreement among members of the IRT—the time period for high priority requests—we are largely in the refining stage. To that end, we have a few final proposed edits for the group to review and comment on—including some edits that were originally suggested by Sara Bockey a few weeks ago and supported by many registrar members of the IRT. If we don’t hear any opposition to these edits that would warrant further discussion, we will make these edits as requested in the draft we publish for comment. Today, we considered whether the LEA Framework Specification would be clearer if we reorganized it slightly, to make more clear where processes apply to high priority requests and when they don’t. I’ve included two versions of the draft—the one with “orig” at the end of the title—which includes the proposed edits without reorganizing, and the “reorganized” one. Please review both and respond to the list with your thoughts about the proposed reorganizing of this. Please provide any additional input you have on this draft no later than next Friday, 27 April. Please note, specifically, questions in the following sections: Original Numbering Reorganized Version Section 2.1.10 (addition of “except in high priority” language at beginning of edit) Same section Section 3.2.1 (addition of the words “Standard Priority” to make clear this 2 business day receipt process doesn’t apply in high priority cases) Moved to Section 3.2.2 Section 4.2.2 (inclusion of “without limitations” language, plus input about and question from Steve Metalitz—any other reasons that registrars feel would be reasonable for refusing disclosure?); Also see feedback, generally, from PSWG liaison, in meeting chat transcript (most pasted into specification document but cuts off at the end) Same section Section 4.2.2.5<http://4.2.2.5> (is this redundant? ) Same section Section 4.2.6 (is this redundant?) Same section I’m also attaching the most recent draft de-accreditation procedure document. As mentioned on the list last week, upon further consideration on the ICANN org side we think we should add back in the proposed transition procedure for customers impacted by the de-accreditation or termination of a third-party provider (section 4). Please review and provide any further comments on this no later than 27 April. For next week, we are hoping to have the requested fees information ready for you to discuss. I’ll update you as soon as I can. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org>
