Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
A few items.

Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).

Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3)).

The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).

The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).

Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
Hey Sara,

maybe this is the angle we can find agreement with LEAs on: Instead of dictating a strict 24h deadline, we make it a more fluid, best effort approach.

"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

I could agree to that.

Volker

--
Should you have any further questions, please do not hesitate to contact us.

Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
I agree with Sara

The assumption that the requests are always going to be valid is erroneous. So the language should be changed from “actioned” to “responded” or similar.

The 24 hour time period is directly linked to the “actioned”, which, as Sara outlines, causes problems for providers.

While I can sympathise with what LEA might be trying to achieve my sympathy does not extend to the point where I’d voluntarily enter into an agreement of this nature knowing that I’d run a very high risk of being out of compliance due to factors outside my control.

Regards
Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen. That is not the case, and never has been the case; providers must follow due process, always.

If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law.

But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.

Theo
Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy
Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review. Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Hi Amy,

Thank you for the reminder, however, at no point in the original IRT (I was there) were timeframes mentioned for LEA, I think the push-back / discussion you are seeing is because LEA as usual have not bothered to be part of an IRT, therefore not being involved in the original works, and seeing an "open document" has referenced a wish list - which let's be honest, even ICANN themselves with the amount of money they spend on staff who ARE providing a service to the community cannot even be close to the timeframes that LEA are "wishing" for.

Now, Volker did earlier mention about a more suitable paragraph, as did Sara. Michele and Theo and I agreeing with Sara's points needs to be addressed more than a cut/paste job as clearly NONE of the registrars are happy with this, and it is the registrars that have to implement whatever we as contracted parties agree to.

Kind regards,
Chris

From: "Amy Bivins" <amy.bivins@icann.org>
To: gdd-gnso-ppsai-impl@icann.org
Sent: Monday, 5 February, 2018 18:58:46
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16),

“In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy
Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:

You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed:

"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey
Thank you, Sara, for this very specific proposed change. What do others think of this language? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." 
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, February 5, 2018 at 11:58 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Hi, All, Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th. 
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date.

Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.

If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items.

Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).

Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA.

(1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4).

(2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).

The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).

Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request.
Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Just to be clear, these two proposals are:

1. Providers get to choose whether to respond to law enforcement requests at all
2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time

Also, just to make sure we are all using the same terms in the same way:

Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action. Dictionary.com, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018).

Imminent: likely to occur at any moment; impending. Dictionary.com, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018).

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 8, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?
Peter I don’t think we are talking about the same thing. The issue we have with the current wording is two fold: 1 - timing 2 - action My reading of the current wording is that there’s an assumption that on receipt of a request the provider will give the LEA what they’re asking for. That might not always be the case, which is why the timing issue is key Regards Michele Mr Michele Neylon Blacknight Hosting & Domains http://www.blacknight.host/ http://www.mneylon.social Sent from mobile so typos and brevity are normal On 8 Feb 2018, at 15:08, Roman, Peter (CRM) <Peter.Roman@usdoj.gov<mailto:Peter.Roman@usdoj.gov>> wrote: Just to be clear, these two proposals are: 1. Providers get to choose whether to respond to law enforcement requests at all 2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time Also, just to make sure we are all using the same terms in the same way: Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action. Dictionary.com<http://Dictionary.com>, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018). Imminent: likely to occur at any moment; impending. Dictionary.com<http://Dictionary.com>, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018). 
Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 8, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. 
(Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, February 5, 2018 at 11:58 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Hi, All, Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th. As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.” * Jan 2016 Final Report: Guidelines re: any future LEA framework * June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. 
The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT). * December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations. * Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html. * June 2017: PSWG shares strawman proposal with IRT * Jun-Sept 2017: IRT discussions re: LEA framework (among other topics) * Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list. This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting. 
Best, Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts Sent: Monday, February 5, 2018 12:32 PM To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agreed Sara, It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures. Theo
On 5-2-2018 18:05, Sara Bockey wrote: A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs. That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control. Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed.
However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Monday, February 5, 2018 at 7:51 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Colleagues, As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments). Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February. To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA.
(1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3). The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft). 
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.” The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review. Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
_______________________________________________
Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Fair enough, and that is why I am seeking clarification of the solutions. My reading of the suggestions for solving these issues are: 1 – timing: Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time 2 – action: Providers get to choose whether to respond to law enforcement requests at all Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Thursday, February 8, 2018 10:16 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Peter I don’t think we are talking about the same thing. The issue we have with the current wording is two fold: 1 - timing 2 - action My reading of the current wording is that there’s an assumption that on receipt of a request the provider will give the LEA what they’re asking for. That might not always be the case, which is why the timing issue is key Regards Michele Mr Michele Neylon Blacknight Hosting & Domains http://www.blacknight.host/ http://www.mneylon.social Sent from mobile so typos and brevity are normal On 8 Feb 2018, at 15:08, Roman, Peter (CRM) <Peter.Roman@usdoj.gov<mailto:Peter.Roman@usdoj.gov>> wrote: Just to be clear, these two proposals are: 1. Providers get to choose whether to respond to law enforcement requests at all 2. 
Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time Also, just to make sure we are all using the same terms in the same way: Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action. Dictionary.com<http://Dictionary.com>, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018). Imminent: likely to occur at any moment; impending. Dictionary.com<http://Dictionary.com>, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018). Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 8, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. 
Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. 
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
Peter 1 – that’s not correct. “Respond” and “take action” are two different things. If you ring me and I answer the phone you’re getting “a” response. 2 – Again that’s not correct. There is an obligation to “respond”. But you seem to be mixing “respond” and “take action” which is where the issue originally arose. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 February 2018 at 15:52 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Fair enough, and that is why I am seeking clarification of the solutions. 
My reading of the suggestions for solving these issues are: 1 – timing: Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time 2 – action: Providers get to choose whether to respond to law enforcement requests at all Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Thursday, February 8, 2018 10:16 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Peter I don’t think we are talking about the same thing. The issue we have with the current wording is two fold: 1 - timing 2 - action My reading of the current wording is that there’s an assumption that on receipt of a request the provider will give the LEA what they’re asking for. That might not always be the case, which is why the timing issue is key Regards Michele Mr Michele Neylon Blacknight Hosting & Domains http://www.blacknight.host/ http://www.mneylon.social Sent from mobile so typos and brevity are normal On 8 Feb 2018, at 15:08, Roman, Peter (CRM) <Peter.Roman@usdoj.gov<mailto:Peter.Roman@usdoj.gov>> wrote: Just to be clear, these two proposals are: 1. Providers get to choose whether to respond to law enforcement requests at all 2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time Also, just to make sure we are all using the same terms in the same way: Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action. 
Dictionary.com<http://Dictionary.com>, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018). Imminent: likely to occur at any moment; impending. Dictionary.com<http://Dictionary.com>, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018). Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 8, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). 
(2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, February 5, 2018 at 11:58 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Hi, All, Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th. As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.” * Jan 2016 Final Report: Guidelines re: any future LEA framework * June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. 
The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT). * December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations. * Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html. * June 2017: PSWG shares strawman proposal with IRT * Jun-Sept 2017: IRT discussions re: LEA framework (among other topics) * Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list. This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting. 
Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts Sent: Monday, February 5, 2018 12:32 PM To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Agreed Sara, It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures. Theo On 5-2-2018 18:05, Sara Bockey wrote: A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs. That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control. Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. 
However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Monday, February 5, 2018 at 7:51 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Colleagues, As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments). Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February. To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. 
(1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3). The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft). 
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.” The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review. Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Michele, I think that’s a distinction without a difference. If it takes three days for a provider to provide law enforcement with the information needed to handle an emergency request, which by definition is one involving a threat of imminent death or serious bodily injury, that is way too long. Whether the provider said that the request contains the relevant information required to meet the minimum standard for acceptance after two days is irrelevant to the need that required an emergency request in the first place. A three day window for responding in a useful way to an emergency request is unreasonable. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Feb 9, 2018, at 4:47 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: Peter 1 – that’s not correct. “Respond” and “take action” are two different things. If you ring me and I answer the phone you’re getting “a” response. 2 – Again that’s not correct. There is an obligation to “respond”. But you seem to be mixing “respond” and “take action” which is where the issue originally arose. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. 
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 February 2018 at 15:52 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Fair enough, and that is why I am seeking clarification of the solutions. 
My reading of the suggestions for solving these issues are: 1 – timing: Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time 2 – action: Providers get to choose whether to respond to law enforcement requests at all Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight Sent: Thursday, February 8, 2018 10:16 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Peter I don’t think we are talking about the same thing. The issue we have with the current wording is two fold: 1 - timing 2 - action My reading of the current wording is that there’s an assumption that on receipt of a request the provider will give the LEA what they’re asking for. That might not always be the case, which is why the timing issue is key Regards Michele Mr Michele Neylon Blacknight Hosting & Domains http://www.blacknight.host/ http://www.mneylon.social Sent from mobile so typos and brevity are normal On 8 Feb 2018, at 15:08, Roman, Peter (CRM) <Peter.Roman@usdoj.gov> wrote: Just to be clear, these two proposals are: 1. Providers get to choose whether to respond to law enforcement requests at all 2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time Also, just to make sure we are all using the same terms in the same way: Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action. 
Dictionary.com, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018). Imminent: likely to occur at any moment; impending. Dictionary.com, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018). Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 8, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). 
(2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
Hi Peter, I also find it unreasonable to expect an answer "within" 24 hours - but that aside for the moment, let me ask you, how many times have you seen in your experience an "imminent threat"/"imminent death/bodily harm" request for whois data ? In 20 years of being a registrar, I thankfully have yet to have 1 request of this nature. (touch wood I will never have one too) Kind regards, Chris From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 February, 2018 11:36:08 Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Michele, I think that’s a distinction without a difference. If it takes three days for a provider to provide law enforcement with the information needed to handle an emergency request, which by definition is one involving a threat of imminent death or serious bodily injury, that is way too long. Whether the provider said that the request contains the relevant information required to meet the minimum standard for acceptance after two days is irrelevant to the need that required an emergency request in the first place. A three day window for responding in a useful way to an emergency request is unreasonable. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave. , NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Feb 9, 2018, at 4:47 AM, Michele Neylon - Blacknight < michele@blacknight.com > wrote: Peter 1 – that’s not correct. “Respond” and “take action” are two different things. If you ring me and I answer the phone you’re getting “a” response. 2 – Again that’s not correct. There is an obligation to “respond”. But you seem to be mixing “respond” and “take action” which is where the issue originally arose. 
Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl < gdd-gnso-ppsai-impl-bounces@icann.org > on behalf of "Roman, Peter (CRM)" < Peter.Roman@usdoj.gov > Reply-To: " gdd-gnso-ppsai-impl@icann.org " < gdd-gnso-ppsai-impl@icann.org > Date: Thursday 8 February 2018 at 15:52 To: " gdd-gnso-ppsai-impl@icann.org " < gdd-gnso-ppsai-impl@icann.org > Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Fair enough, and that is why I am seeking clarification of the solutions. My reading of the suggestions for solving these issues are: 1 – timing: Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time 2 – action: Providers get to choose whether to respond to law enforcement requests at all Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org ] On Behalf Of Michele Neylon - Blacknight Sent: Thursday, February 8, 2018 10:16 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Peter I don’t think we are talking about the same thing. 
The issue we have with the current wording is twofold:

1 - timing
2 - action

My reading of the current wording is that there’s an assumption that on receipt of a request the provider will give the LEA what they’re asking for. That might not always be the case, which is why the timing issue is key

Regards

Michele

Mr Michele Neylon
Blacknight Hosting & Domains
http://www.blacknight.host/
http://www.mneylon.social
Sent from mobile so typos and brevity are normal

On 8 Feb 2018, at 15:08, Roman, Peter (CRM) <Peter.Roman@usdoj.gov> wrote:

Just to be clear, these two proposals are:

1. Providers get to choose whether to respond to law enforcement requests at all

2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time

Also, just to make sure we are all using the same terms in the same way:

Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action. Dictionary.com, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018).

Imminent: likely to occur at any moment; impending. Dictionary.com, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018).

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 8, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:

You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed:

"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing.
In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.

If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law.

But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.

Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items.

Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.
That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests.
We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments). Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).

The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).

The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Hi Chris,

I do not have exact numbers, we do not keep statistics on questions like that (that I know of), but we do make emergency requests for subscriber data.

I also wanted to note that this is a similar provision as the one in the registrar accreditation agreement:

3.18.2 Registrar shall establish and maintain a dedicated abuse point of contact, including a dedicated email address and telephone number that is monitored 24 hours a day, seven days a week, to receive reports of Illegal Activity by law enforcement, consumer protection, quasi-governmental or other similar authorities designated from time to time by the national or territorial government of the jurisdiction in which the Registrar is established or maintains a physical office. Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law.

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Chris Pelling
Sent: Friday, February 9, 2018 6:54 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi Peter,

I also find it unreasonable to expect an answer "within" 24 hours - but that aside for the moment, let me ask you, how many times have you seen in your experience an "imminent threat"/"imminent death/bodily harm" request for whois data? In 20 years of being a registrar, I thankfully have yet to have 1 request of this nature.
(touch wood I will never have one too)

Kind regards,
Chris

________________________________
From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
To: gdd-gnso-ppsai-impl@icann.org
Sent: Friday, 9 February, 2018 11:36:08
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Michele,

I think that’s a distinction without a difference. If it takes three days for a provider to provide law enforcement with the information needed to handle an emergency request, which by definition is one involving a threat of imminent death or serious bodily injury, that is way too long. Whether the provider said that the request contains the relevant information required to meet the minimum standard for acceptance after two days is irrelevant to the need that required an emergency request in the first place. A three day window for responding in a useful way to an emergency request is unreasonable.

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
U.S. Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

On Feb 9, 2018, at 4:47 AM, Michele Neylon - Blacknight <michele@blacknight.com> wrote:

Peter

1 – that’s not correct. “Respond” and “take action” are two different things. If you ring me and I answer the phone you’re getting “a” response.

2 – Again that’s not correct. There is an obligation to “respond”. But you seem to be mixing “respond” and “take action” which is where the issue originally arose.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday 8 February 2018 at 15:52
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Fair enough, and that is why I am seeking clarification of the solutions.
My reading of the suggestions for solving these issues is:

1 – timing: Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time

2 – action: Providers get to choose whether to respond to law enforcement requests at all

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Michele Neylon - Blacknight
Sent: Thursday, February 8, 2018 10:16 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Peter

I don’t think we are talking about the same thing.

The issue we have with the current wording is twofold:

1 - timing
2 - action

My reading of the current wording is that there’s an assumption that on receipt of a request the provider will give the LEA what they’re asking for. That might not always be the case, which is why the timing issue is key

Regards

Michele

Mr Michele Neylon
Blacknight Hosting & Domains
http://www.blacknight.host/
http://www.mneylon.social
Sent from mobile so typos and brevity are normal

On 8 Feb 2018, at 15:08, Roman, Peter (CRM) <Peter.Roman@usdoj.gov> wrote:

Just to be clear, these two proposals are:

1. Providers get to choose whether to respond to law enforcement requests at all

2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time

Also, just to make sure we are all using the same terms in the same way:

Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action.
Dictionary.com, Emergency, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018).

Imminent: likely to occur at any moment; impending. Dictionary.com, Imminent, http://www.dictionary.com/browse/imminent (last visited February 8, 2018).

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 8, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:

You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4).
(2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed:

"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.
Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.

If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law.

But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.

Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items.

Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed.
However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments). Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA.
(1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3). The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft). 
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.” The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review. Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
You are right about the RAA requirement, however we have never received such a request or a request that was deemed to be this urgent by LEAs. Secondly, operating a registrar is vastly different from operating a privacy service both in size of their operation and staff as well as with regard to what they can actually do to assist. This must be borne in mind when it comes to the reasonableness of such a requirement. Is it a good thing for LEAs of appropriate jurisdiction to have such access? Probably. Is it reasonable though? Probably not...
Volker
On 09.02.2018 at 17:24, Roman, Peter (CRM) wrote:
Hi Chris,
I do not have exact numbers, we do not keep statistics on questions like that (that I know of), but we do make emergency requests for subscriber data.
I also wanted to note that this is a similar provision as the one in the registrar accreditation agreement:
3.18.2 Registrar shall establish and maintain a dedicated abuse point of contact, including a dedicated email address and telephone number that is monitored 24 hours a day, seven days a week, to receive reports of Illegal Activity by law enforcement, consumer protection, quasi-governmental or other similar authorities designated from time to time by the national or territorial government of the jurisdiction in which the Registrar is established or maintains a physical office.
Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law.
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov <mailto:peter.roman@usdoj.gov>
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Chris Pelling *Sent:* Friday, February 9, 2018 6:54 AM *To:* gdd-gnso-ppsai-impl@icann.org *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Hi Peter,
I also find it unreasonable to expect an answer "within" 24 hours - but that aside for the moment, let me ask you, how many times have you seen in your experience an "imminent threat"/"imminent death/bodily harm" request for whois data?
In 20 years of being a registrar, I thankfully have yet to have 1 request of this nature. (touch wood I will never have one too)
Kind regards,
Chris
------------------------------------------------------------------------
*From: *"Roman, Peter (CRM)" <Peter.Roman@usdoj.gov <mailto:Peter.Roman@usdoj.gov>> *To: *gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Sent: *Friday, 9 February, 2018 11:36:08 *Subject: *Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Michele,
I think that’s a distinction without a difference. If it takes three days for a provider to provide law enforcement with the information needed to handle an emergency request, which by definition is one involving a threat of imminent death or serious bodily injury, that is way too long. Whether the provider said that the request contains the relevant information required to meet the minimum standard for acceptance after two days is irrelevant to the need that required an emergency request in the first place. A three day window for responding in a useful way to an emergency request is unreasonable.
Peter Roman
Senior Counsel Computer Crime & Intellectual Property Section
Criminal Division U.S. Department of Justice 1301 New York Ave., NW
Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov <mailto:peter.roman@usdoj.gov>
On Feb 9, 2018, at 4:47 AM, Michele Neylon - Blacknight <michele@blacknight.com <mailto:michele@blacknight.com>> wrote:
Peter
1 – that’s not correct. “Respond” and “take action” are two different things. If you ring me and I answer the phone you’re getting “a” response.
2 – Again that’s not correct. There is an obligation to “respond”. But you seem to be mixing “respond” and “take action” which is where the issue originally arose.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/ <https://michele.blog/>
Some thoughts: https://ceo.hosting/ <https://ceo.hosting/>
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov <mailto:Peter.Roman@usdoj.gov>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Thursday 8 February 2018 at 15:52 *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Fair enough, and that is why I am seeking clarification of the solutions. My reading of the suggestions for solving these issues is:
1 – timing: Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time
2 – action: Providers get to choose whether to respond to law enforcement requests at all
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov <mailto:peter.roman@usdoj.gov>
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Michele Neylon - Blacknight *Sent:* Thursday, February 8, 2018 10:16 AM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Peter
I don’t think we are talking about the same thing.
The issue we have with the current wording is twofold:
1 - timing
2 - action
My reading of the current wording is that there’s an assumption that on receipt of a request the provider will give the LEA what they’re asking for.
That might not always be the case, which is why the timing issue is key
Regards
Michele
Mr Michele Neylon
Blacknight Hosting & Domains
Sent from mobile so typos and brevity are normal
On 8 Feb 2018, at 15:08, Roman, Peter (CRM) <Peter.Roman@usdoj.gov <mailto:Peter.Roman@usdoj.gov>> wrote:
Just to be clear, these two proposals are:
1. Providers get to choose whether to respond to law enforcement requests at all
2. Providers can take up to three days to respond to emergency requests, such as imminent death or serious bodily harm, and in 10% of cases even more time
Also, just to make sure we are all using the same terms in the same way:
Emergency: a sudden, urgent, usually unexpected occurrence or occasion requiring immediate action. Dictionary.com <http://Dictionary.com>, /Emergency/, http://www.dictionary.com/browse/emergency?s=t (last visited February 8, 2018).
Imminent: likely to occur at any moment; impending. Dictionary.com <http://Dictionary.com>, /Imminent/, http://www.dictionary.com/browse/imminent (last visited February 8, 2018).
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov <mailto:peter.roman@usdoj.gov>
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Amy Bivins *Sent:* Thursday, February 8, 2018 9:25 AM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Thank you, Sara, for this very specific proposed change. What do others think of this language?
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Sara Bockey *Sent:* Thursday, February 8, 2018 9:22 AM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Amy,
I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:
You wrote:
“the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”
At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.
Regarding high priority requests, Volker has proposed:
"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”
Your proposed language, namely, *“Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority*”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.
Thanks,
Sara
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com* <mailto:sbockey@godaddy.com> *480-366-3616*
*skype: sbockey*
/This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments./
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org <mailto:amy.bivins@icann.org>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Monday, February 5, 2018 at 11:58 AM *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Hi, All,
*Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.*
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), /“In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”/
* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW
Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.
This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date.
Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.
Best,
Amy
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *theo geurts *Sent:* Monday, February 5, 2018 12:32 PM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agreed Sara,
It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.
If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo
On 5-2-2018 18:05, Sara Bockey wrote:
A few items.
Again, I’m concerned that we are /_creating_/ policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is _not_ the place to be creating policy for LEAs.
That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period *_despite a Provider’s best efforts_*. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.
Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com* <mailto:sbockey@godaddy.com> *480-366-3616*
*skype: sbockey*
/This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments./
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>on behalf of Amy Bivins <amy.bivins@icann.org> <mailto:amy.bivins@icann.org> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org><gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> *Date: *Monday, February 5, 2018 at 7:51 AM *To: *"gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org><gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject: *[Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Colleagues,
As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).
*Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.*
To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
*The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).* The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), *“Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”*
The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.
*Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.*
Best,
Amy
*Amy E. Bivins*
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org <mailto:amy.bivins@icann.org>
www.icann.org <http://www.icann.org>
I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)
So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).
Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?
Steve Metalitz
Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com<mailto:met@msk.com>
Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/>
1818 N Street NW, 8th Floor, Washington, DC 20036
THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL.
IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework.

Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.

Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).

Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA.

(1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4).
(2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).

The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).

The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).

Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Thanks, Steve! Sara, Peter, others—what do you think of this suggestion?

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Metalitz, Steven
Sent: Thursday, February 8, 2018 10:11 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)

So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”? Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).

Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?

Steve Metalitz

Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.
Steve That might help, though I’ll defer to Sara and Co Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 February 2018 at 15:12 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. ( I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.) So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”? 
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4). Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure? Steve Metalitz [image001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 08, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language? 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." 
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law.

But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items.

Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).

Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).

The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).

Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request.
Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure.

To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.

That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others:

Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Regards,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, February 8, 2018 at 8:36 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Steve

That might help, though I’ll defer to Sara and Co

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday 8 February 2018 at 15:12
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)

So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?

Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).

Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?

Steve Metalitz

Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?
+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.

Many thanks

Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk
www.1and1.co.uk

© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027.

This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.
[linkedin]<http://www.linkedin.com/company/fasthosts-internet-ltd>[twitter]<https://twitter.com/Fasthosts>[facebook]<https://www.facebook.com/fasthostsinternet>[gplus]<https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts>[blog]<http://blogs.fasthosts.co.uk/>[youtube]<http://www.youtube.com/user/Fasthostsinternet> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: 09 February 2018 15:38 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it. That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others: Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Regards, Sara sara bockey sr. 
policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Michele Neylon <michele@blacknight.com<mailto:michele@blacknight.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, February 8, 2018 at 8:36 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Steve That might help, though I’ll defer to Sara and Co Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. 
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Steven Metalitz <met@msk.com<mailto:met@msk.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday 8 February 2018 at 15:12 To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. ( I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.) So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”? 
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).
Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?
Steve Metalitz
Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com<mailto:met@msk.com>
Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/>
1818 N Street NW, 8th Floor, Washington, DC 20036
THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Thank you, Sara, for this very specific proposed change. What do others think of this language? 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." 
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, February 5, 2018 at 11:58 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Hi, All, Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th. 
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.” * Jan 2016 Final Report: Guidelines re: any future LEA framework * June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT). * December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations. * Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html. 
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW
Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.
This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.
Best,
Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agreed Sara,
It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.
If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures. 
Theo On 5-2-2018 18:05, Sara Bockey wrote: A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs. That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” are overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control. Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org><mailto:amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Colleagues,
As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).
Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.
To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3). 
The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft). Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.” The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. 
Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review. Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Agree with Lindsay. Theo On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote:
+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.
Many thanks
Lindsay
*Lindsay Hamilton-Reid*
Senior Legal Counsel
*Direct: *+44 (0)1452 509145 | *Mobile:* 07720 091147| *Email:*Lindsay.Hamilton-Reid@1and1.co.uk <mailto:Lindsay.Hamilton-Reid@1and1.co.uk>
*www.fasthosts.co.uk <http://www.fasthosts.co.uk/> **www.1and1.co.uk <http://www.1and1.co.uk/>*
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Sara Bockey *Sent:* 09 February 2018 15:38 *To:* gdd-gnso-ppsai-impl@icann.org *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure.
To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.
That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others:
Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Regards,
Sara
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616*
*skype: sbockey*
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Michele Neylon <michele@blacknight.com <mailto:michele@blacknight.com>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Thursday, February 8, 2018 at 8:36 AM *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Steve
That might help, though I’ll defer to Sara and Co
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/ <https://michele.blog/>
Some thoughts: https://ceo.hosting/ <https://ceo.hosting/>
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Steven Metalitz <met@msk.com <mailto:met@msk.com>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Thursday 8 February 2018 at 15:12 *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. ( I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)
So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).
Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?
Steve Metalitz
*Steven J. Metalitz* | *Partner, through his professional corporation*
T: 202.355.7902 | met@msk.com <mailto:met@msk.com>
*Mitchell Silberberg & Knupp LLP* | *www.msk.com <http://www.msk.com/>*
1818 N Street NW, 8th Floor, Washington, DC 20036
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Amy Bivins *Sent:* Thursday, February 08, 2018 9:25 AM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Thank you, Sara, for this very specific proposed change. What do others think of this language?
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Sara Bockey *Sent:* Thursday, February 8, 2018 9:22 AM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Amy,
I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:
You wrote:
“the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”
At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.
Regarding high priority requests, Volker has proposed:
"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”
Your proposed language, namely, *“Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority*”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.
Thanks,
Sara
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616*
*skype: sbockey*
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org <mailto:amy.bivins@icann.org>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Monday, February 5, 2018 at 11:58 AM *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Hi, All,
*Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.*
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), /“In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”/
* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW
Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.
This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date.
Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.
Best,
Amy
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of* theo geurts
*Sent:* Monday, February 5, 2018 12:32 PM
*To:* gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
*Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agreed Sara,
It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.
If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo
On 5-2-2018 18:05, Sara Bockey wrote:
A few items.
Again, I’m concerned that we are _creating_ policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is _not_ the place to be creating policy for LEAs.
That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period *_despite a Provider’s best efforts_*. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” are overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.
Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com 480-366-3616*
*skype: sbockey*
*From:* Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
*Reply-To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
*Date:* Monday, February 5, 2018 at 7:51 AM
*To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
*Subject:* [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Colleagues,
As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).
*Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February. *
To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
*The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).* The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), *“Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”*
The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.
*Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.*
Best,
Amy
*Amy E. Bivins*
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts
Sent: Friday, February 9, 2018 11:03 AM
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agree with Lindsay.
Theo
On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote:
+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.
Many thanks
Lindsay
Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk
www.1and1.co.uk
© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027.
This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: 09 February 2018 15:38
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure.
To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.
That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others:
Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Regards,
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, February 8, 2018 at 8:36 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Steve
That might help, though I’ll defer to Sara and Co
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday 8 February 2018 at 15:12
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)
So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).
Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?
Steve Metalitz
Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036
THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Thank you, Sara, for this very specific proposed change. What do others think of this language?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Amy,
I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework.
Therefore, the following is problematic:
You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”
At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.
Regarding high priority requests, Volker has proposed:
"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”
Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.
Thanks,
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Hi, All,
Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”
* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW
Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.
This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date.
Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.
Best,
Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agreed Sara,
It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.
If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo
On 5-2-2018 18:05, Sara Bockey wrote:
A few items.
Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.
That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” are overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.
Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Colleagues,
As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).
Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.
To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”
The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.
Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.
Best,
Amy
Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
From my view, after the two business days to review the request. If a request pertains to loss of life or emergency, which I agree is extremely rare, contacting the privacy company directly would be the way forward. It’s how it works for most registrars so why should this be any different? I agree with Volker that a privacy company is not a registrar and you could always contact the registrar as back up. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk
From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov] Sent: 09 February 2018 16:31 To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Friday, February 9, 2018 11:03 AM To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Agree with Lindsay. Theo On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote: +1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.
Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: 09 February 2018 15:38 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it. That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others: Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Regards, Sara sara bockey sr.
policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, February 8, 2018 at 8:36 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Steve That might help, though I’ll defer to Sara and Co Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl.
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 February 2018 at 15:12 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. ( I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.) So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4). Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure? Steve Metalitz Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 08, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Monday, February 5, 2018 at 11:58 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Hi, All, Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list. This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting. Best, Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts Sent: Monday, February 5, 2018 12:32 PM To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Agreed Sara, It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo On 5-2-2018 18:05, Sara Bockey wrote: A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs. That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” are overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control. Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey
Isn’t the high priority request the direct way for law enforcement to contact the privacy proxy provider in an emergency? The whole point of the emergency disclosure request process here is to provide law enforcement with a means to contact the provider directly. You cannot take that process away while saying that law enforcement needs to contact the provider directly. And, three days is way too long to respond to an emergency request. Imminent means ‘now.’ Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov

From: Lindsay Hamilton-Reid [mailto:Lindsay.Hamilton-Reid@fasthosts.com] Sent: Friday, February 9, 2018 11:37 AM To: Roman, Peter (CRM) <Peter.Roman@CRM.USDOJ.GOV>; gdd-gnso-ppsai-impl@icann.org Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests From my view, after the two business days to review the request. If a request pertains to loss of life or emergency, which I agree is extremely rare, contacting the privacy company directly would be the way forward. It’s how it works for most registrars so why should this be any different? I agree with Volker that a privacy company is not a registrar and you could always contact the registrar as back up. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk
From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov] Sent: 09 February 2018 16:31 To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?
Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Friday, February 9, 2018 11:03 AM To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Agree with Lindsay. Theo On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote: +1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: 09 February 2018 15:38 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it. That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday.
I will be the first to say this language needs work and input from others:

Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Regards,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, February 8, 2018 at 8:36 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Steve

That might help, though I’ll defer to Sara and Co

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday 8 February 2018 at 15:12
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)

So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?

Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).

Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?

Steve Metalitz

Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:

You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.

Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).

Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA.

(1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4).

(2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).

The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).

Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

As the proposal states, in High Priority instances (meaning a loss of life emergency), the onus should be on LEA to make every effort to contact and speak with the Provider (or its affiliated Registrar), so in my view this may or may not be after the 2 days depending on how proactive the LEA is. If you submit an email or send a FedEx instead of getting on the phone, yes, you will likely still be subject to some processing delay even if they move you to the front of the queue.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Friday, February 9, 2018 at 9:32 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?
Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Friday, February 9, 2018 11:03 AM To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Agree with Lindsay. Theo On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote: +1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> [fh-1and1] © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. 
If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. [linkedin]<http://www.linkedin.com/company/fasthosts-internet-ltd>[twitter]<https://twitter.com/Fasthosts>[facebook]<https://www.facebook.com/fasthostsinternet>[gplus]<https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts>[blog]<http://blogs.fasthosts.co.uk/>[youtube]<http://www.youtube.com/user/Fasthostsinternet> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: 09 February 2018 15:38 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it. That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. 
I will be the first to say this language needs work and input from others: Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Regards, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Michele Neylon <michele@blacknight.com<mailto:michele@blacknight.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, February 8, 2018 at 8:36 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Steve That might help, though I’ll defer to Sara and Co Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. 
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Steven Metalitz <met@msk.com<mailto:met@msk.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday 8 February 2018 at 15:12 To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. ( I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.) So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”? 
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4). Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure? Steve Metalitz [image001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 08, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language? 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Amy, I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic: You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).” At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused. Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." 
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.” Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable. Thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, February 5, 2018 at 11:58 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Hi, All, Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th. 
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list. This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting. Best, Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts Sent: Monday, February 5, 2018 12:32 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Agreed Sara, It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo On 5-2-2018 18:05, Sara Bockey wrote: A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs. That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control. Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org><mailto:amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Monday, February 5, 2018 at 7:51 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Dear Colleagues, As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments). Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February. To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft). Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.” The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. 
Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review. Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
I don’t understand this argument. Isn’t the high priority request process the direct way to contact the provider in an emergency? Isn’t that the whole point? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Friday, February 9, 2018 11:52 AM To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests As the proposal states, in High Priority instances (meaning a loss of life emergency), the onus should be on LEA to make every effort to contact and speak with the Provider (or its affiliated Registrar), so in my view this may or may not be after the 2 days depending on how proactive the LEA is. If you submit an email or send a FedEX instead of getting on the phone, yes, you will likely still be subject to some processing delay even if they move you to the front of the queue. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov<mailto:Peter.Roman@usdoj.gov>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Friday, February 9, 2018 at 9:32 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com<mailto:Lindsay.Hamilton-Reid@fasthosts.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Friday, February 9, 2018 11:03 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com<mailto:Lindsay.Hamilton-Reid@fasthosts.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Agree with Lindsay. Theo On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote: +1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. 
Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: 09 February 2018 15:38 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it. That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others: Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Regards, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Michele Neylon <michele@blacknight.com<mailto:michele@blacknight.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, February 8, 2018 at 8:36 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Steve That might help, though I’ll defer to Sara and Co Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl.
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Steven Metalitz <met@msk.com<mailto:met@msk.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday 8 February 2018 at 15:12 To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. ( I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.) So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”? 
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4). Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure? Steve Metalitz Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 08, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests Thank you, Sara, for this very specific proposed change. What do others think of this language?
The point that appears to be missing is the burden on privacy providers. The 24 hour timeline is not acceptable. As a registrar, if law enforcement need to take immediate action, then they contact us directly, not through an abuse email contact. If it is out of hours, most registrars have an emergency number.

Many thanks
Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk www.1and1.co.uk

From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov]
Sent: 09 February 2018 17:05
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>

I don’t understand this argument. Isn’t the high priority request process the direct way to contact the provider in an emergency? Isn’t that the whole point?

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division, Department of Justice
1301 New York Ave., NW Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Friday, February 9, 2018 11:52 AM
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>

As the proposal states, in High Priority instances (meaning a loss of life emergency), the onus should be on LEA to make every effort to contact and speak with the Provider (or its affiliated Registrar), so in my view this may or may not be after the 2 days depending on how proactive the LEA is. If you submit an email or send a FedEx instead of getting on the phone, yes, you will likely still be subject to some processing delay even if they move you to the front of the queue.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616 skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
Date: Friday, February 9, 2018 at 9:32 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>

Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division, Department of Justice
1301 New York Ave., NW Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts
Sent: Friday, February 9, 2018 11:03 AM
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>

Agree with Lindsay.

Theo

On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote:

+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.

Many thanks
Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk www.1and1.co.uk

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: 09 February 2018 15:38
To: gdd-gnso-ppsai-impl@icann.org

Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure.

To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.

That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others:

Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Regards,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616 skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com>
Date: Thursday, February 8, 2018 at 8:36 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>

Steve

That might help, though I’ll defer to Sara and Co

Regards
Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com>
Date: Thursday 8 February 2018 at 15:12
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>

I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)

So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).

Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?

Steve Metalitz

Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org

Thank you, Sara, for this very specific proposed change. What do others think of this language?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:

You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616 skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo
So are you suggesting that privacy providers should provide law enforcement with an emergency number for emergencies?

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Lindsay Hamilton-Reid [mailto:Lindsay.Hamilton-Reid@fasthosts.com]
Sent: Friday, February 9, 2018 12:08 PM
To: Roman, Peter (CRM) <Peter.Roman@CRM.USDOJ.GOV>; gdd-gnso-ppsai-impl@icann.org
Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

The point that appears to be missing is the burden on privacy providers. The 24 hour timeline is not acceptable. As a registrar, if law enforcement need to take immediate action, then they contact us directly, not through an abuse email contact. If it is out of hours, most registrars have an emergency number.

Many thanks
Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk
www.1and1.co.uk

© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.

From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov]
Sent: 09 February 2018 17:05
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

I don’t understand this argument. Isn’t the high priority request process the direct way to contact the provider in an emergency? Isn’t that the whole point?

Peter Roman

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Friday, February 9, 2018 11:52 AM
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

As the proposal states, in High Priority instances (meaning a loss of life emergency), the onus should be on LEA to make every effort to contact and speak with the Provider (or its affiliated Registrar), so in my view this may or may not be after the 2 days depending on how proactive the LEA is. If you submit an email or send a FedEx instead of getting on the phone, yes, you will likely still be subject to some processing delay even if they move you to the front of the queue.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Friday, February 9, 2018 at 9:32 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?

Peter Roman

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts
Sent: Friday, February 9, 2018 11:03 AM
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agree with Lindsay.

Theo

On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote:

+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.

Many thanks
Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: 09 February 2018 15:38
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.

That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others:

Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Regards,
Sara

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, February 8, 2018 at 8:36 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Steve

That might help, though I’ll defer to Sara and Co

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday 8 February 2018 at 15:12
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)

So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?

Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).

Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?

Steve Metalitz

Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:

You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."

Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.

As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.

Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items.

Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments). Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).

The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).

Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”

The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

No, I was not suggesting that but if the registrar is listed on the WHOIS, then that is another avenue for LEAs to contact them. As I said, I am sure most registrars have regular dealings with LEAs and have their own methods of contact. I know we do.

Lindsay Hamilton-Reid
Senior Legal Counsel

From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov]
Sent: 09 February 2018 18:00
To: Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>; gdd-gnso-ppsai-impl@icann.org
Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

So are you suggesting that privacy providers should provide law enforcement with an emergency number for emergencies?

Peter Roman

From: Lindsay Hamilton-Reid [mailto:Lindsay.Hamilton-Reid@fasthosts.com]
Sent: Friday, February 9, 2018 12:08 PM
To: Roman, Peter (CRM) <Peter.Roman@CRM.USDOJ.GOV>; gdd-gnso-ppsai-impl@icann.org
Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

The point that appears to be missing is the burden on privacy providers. The 24 hour timeline is not acceptable. As a registrar, if law enforcement need to take immediate action, then they contact us directly, not through an abuse email contact. If it is out of hours, most registrars have an emergency number.
Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> [fh-1and1] © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. 
[linkedin]<http://www.linkedin.com/company/fasthosts-internet-ltd>[twitter]<https://twitter.com/Fasthosts>[facebook]<https://www.facebook.com/fasthostsinternet>[gplus]<https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts>[blog]<http://blogs.fasthosts.co.uk/>[youtube]<http://www.youtube.com/user/Fasthostsinternet> From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov] Sent: 09 February 2018 17:05 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com<mailto:Lindsay.Hamilton-Reid@fasthosts.com>> Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests I don’t understand this argument. Isn’t the high priority request process the direct way to contact the provider in an emergency? Isn’t that the whole point? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Friday, February 9, 2018 11:52 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com<mailto:Lindsay.Hamilton-Reid@fasthosts.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests As the proposal states, in High Priority instances (meaning a loss of life emergency), the onus should be on LEA to make every effort to contact and speak with the Provider (or its affiliated Registrar), so in my view this may or may not be after the 2 days depending on how proactive the LEA is. 
If you submit an email or send a FedEx instead of getting on the phone, yes, you will likely still be subject to some processing delay even if they move you to the front of the queue.

sara bockey
sr. policy manager | GoDaddy™

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Friday, February 9, 2018 at 9:32 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?
Peter Roman
Senior Counsel, Computer Crime & Intellectual Property Section, Criminal Division, Department of Justice

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts
Sent: Friday, February 9, 2018 11:03 AM
To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agree with Lindsay.

Theo

On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote:

+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.

Many thanks
Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: 09 February 2018 15:38
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.

That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday.
I will be the first to say this language needs work and input from others:

Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Regards,
Sara

sara bockey
sr. policy manager | GoDaddy™

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, February 8, 2018 at 8:36 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Steve

That might help, though I’ll defer to Sara and Co

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday 8 February 2018 at 15:12
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)

So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).

Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?

Steve Metalitz

Steven J. Metalitz | Partner, through his professional corporation
Mitchell Silberberg & Knupp LLP

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Thursday, February 08, 2018 9:25 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Thank you, Sara, for this very specific proposed change. What do others think of this language?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, February 8, 2018 9:22 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Amy,

I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework.

Therefore, the following is problematic:

You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”

At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.

Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”

Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.

Thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 11:58 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Hi, All,

Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”

* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW

Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.

This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts
Sent: Monday, February 5, 2018 12:32 PM
To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Agreed Sara,

It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.

If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law.

But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo

On 5-2-2018 18:05, Sara Bockey wrote:

A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.

That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.

Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.

sara bockey
sr. policy manager | GoDaddy™
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Monday, February 5, 2018 at 7:51 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

Dear Colleagues,

As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments). Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.

To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft). Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.” The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. 
Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.

Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
We’re in direct contact with ours as well as the department and the national cybercrime team

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Tuesday 13 February 2018 at 10:01
To: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>, "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

No, I was not suggesting that but if the registrar is listed on the WHOIS, then that is another avenue for LEAs to contact them. As I said, I am sure most registrars have regular dealings with LEAs and have their own methods of contact. I know we do.

Lindsay Hamilton-Reid
Senior Legal Counsel
From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov]
Sent: 09 February 2018 18:00
To: Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>; gdd-gnso-ppsai-impl@icann.org
Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

So are you suggesting that privacy providers should provide law enforcement with an emergency number for emergencies?
Peter Roman
Senior Counsel, Computer Crime & Intellectual Property Section, Criminal Division, Department of Justice

From: Lindsay Hamilton-Reid [mailto:Lindsay.Hamilton-Reid@fasthosts.com]
Sent: Friday, February 9, 2018 12:08 PM
To: Roman, Peter (CRM) <Peter.Roman@CRM.USDOJ.GOV>; gdd-gnso-ppsai-impl@icann.org
Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests

The point that appears to be missing is the burden on privacy providers. The 24 hour timeline is not acceptable. As a registrar, if law enforcement need to take immediate action, then they contact us directly, not through an abuse email contact. If it is out of hours, most registrars have an emergency number.

Many thanks
Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. [linkedin]<http://www.linkedin.com/company/fasthosts-internet-ltd>[twitter]<https://twitter.com/Fasthosts>[facebook]<https://www.facebook.com/fasthostsinternet>[gplus]<https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts>[blog]<http://blogs.fasthosts.co.uk/>[youtube]<http://www.youtube.com/user/Fasthostsinternet> From: Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov] Sent: 09 February 2018 17:05 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com<mailto:Lindsay.Hamilton-Reid@fasthosts.com>> Subject: RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests I don’t understand this argument. Isn’t the high priority request process the direct way to contact the provider in an emergency? Isn’t that the whole point? 
Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Friday, February 9, 2018 11:52 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com<mailto:Lindsay.Hamilton-Reid@fasthosts.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests As the proposal states, in High Priority instances (meaning a loss of life emergency), the onus should be on LEA to make every effort to contact and speak with the Provider (or its affiliated Registrar), so in my view this may or may not be after the 2 days depending on how proactive the LEA is. If you submit an email or send a FedEX instead of getting on the phone, yes, you will likely still be subject to some processing delay even if they move you to the front of the queue. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Friday, February 9, 2018 at 9:32 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Theo Geurts Sent: Friday, February 9, 2018 11:03 AM To: gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agree with Lindsay.
Theo
On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote:
+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to Provider shall use its best efforts to action the request within 24 hours. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.
Many thanks
Lindsay
Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk www.1and1.co.uk
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: 09 February 2018 15:38 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure. To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.
That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others:
Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Regards,
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, February 8, 2018 at 8:36 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Steve
That might help, though I’ll defer to Sara and Co
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 February 2018 at 15:12 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)
So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”? Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).
Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?
Steve Metalitz
Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met@msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036
THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Thursday, February 08, 2018 9:25 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Thank you, Sara, for this very specific proposed change. What do others think of this language?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, February 8, 2018 9:22 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Amy,
I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:
You wrote: “the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).”
At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.
Regarding high priority requests, Volker has proposed: "Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this." Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”
Your proposed language, namely, “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.
Thanks,
Sara
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Monday, February 5, 2018 at 11:58 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Hi, All,
Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), “In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”
* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW
Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.
This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date. Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.
Best,
Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of theo geurts Sent: Monday, February 5, 2018 12:32 PM To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agreed Sara,
It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always. If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo
On 5-2-2018 18:05, Sara Bockey wrote:
A few items. Again, I’m concerned that we are creating policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is not the place to be creating policy for LEAs.
That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period despite a Provider’s best efforts. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” are overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.
Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Monday, February 5, 2018 at 7:51 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Colleagues,
As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).
Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.
To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3).
The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message). The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2.” The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”
The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.
Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.
Best,
Amy
Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Fully agreed and this should be the preferred route as the registrar has more options to assist. However, this breaks down where there are unaffiliated privacy/proxy services, e.g. where the registrar only has the data of the service.
Volker
On 13.02.2018 at 11:00, Lindsay Hamilton-Reid wrote:
No, I was not suggesting that but if the registrar is listed on the WHOIS, then that is another avenue for LEAs to contact them. As I said, I am sure most registrars have regular dealings with LEAs and have their own methods of contact. I know we do.
*Lindsay Hamilton-Reid*
Senior Legal Counsel
*Direct: *+44 (0)1452 509145 | *Mobile:* 07720 091147| *Email:*Lindsay.Hamilton-Reid@1and1.co.uk <mailto:Lindsay.Hamilton-Reid@1and1.co.uk>
*www.fasthosts.co.uk <http://www.fasthosts.co.uk/> **www.1and1.co.uk <http://www.1and1.co.uk/>*
*From:*Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov] *Sent:* 09 February 2018 18:00 *To:* Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com>; gdd-gnso-ppsai-impl@icann.org *Subject:* RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
So are you suggesting that privacy providers should provide law enforcement with an emergency number for emergencies?
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov <mailto:peter.roman@usdoj.gov>
*From:*Lindsay Hamilton-Reid [mailto:Lindsay.Hamilton-Reid@fasthosts.com] *Sent:* Friday, February 9, 2018 12:08 PM *To:* Roman, Peter (CRM) <Peter.Roman@CRM.USDOJ.GOV <mailto:Peter.Roman@CRM.USDOJ.GOV>>; gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
The point that appears to be missing is the burden on privacy providers. The 24 hour timeline is not acceptable. As a registrar, if law enforcement need to take immediate action, then they contact us directly, not through an abuse email contact. If it is out of hours, most registrars have an emergency number.
Many thanks
Lindsay
*Lindsay Hamilton-Reid*
Senior Legal Counsel
*Direct: *+44 (0)1452 509145 | *Mobile:* 07720 091147| *Email:*Lindsay.Hamilton-Reid@1and1.co.uk <mailto:Lindsay.Hamilton-Reid@1and1.co.uk>
*www.fasthosts.co.uk <http://www.fasthosts.co.uk/> **www.1and1.co.uk <http://www.1and1.co.uk/>*
*From:*Roman, Peter (CRM) [mailto:Peter.Roman@usdoj.gov] *Sent:* 09 February 2018 17:05 *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com <mailto:Lindsay.Hamilton-Reid@fasthosts.com>> *Subject:* RE: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
I don’t understand this argument. Isn’t the high priority request process the direct way to contact the provider in an emergency? Isn’t that the whole point?
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov <mailto:peter.roman@usdoj.gov>
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Sara Bockey *Sent:* Friday, February 9, 2018 11:52 AM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com <mailto:Lindsay.Hamilton-Reid@fasthosts.com>> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
As the proposal states, in High Priority instances (meaning a loss of life emergency), the onus should be on LEA to make every effort to contact and speak with the Provider (or its affiliated Registrar), so in my view this may or may not be after the 2 days depending on how proactive the LEA is. If you submit an email or send a FedEX instead of getting on the phone, yes, you will likely still be subject to some processing delay even if they move you to the front of the queue.
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616*
*skype: sbockey*
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov <mailto:Peter.Roman@usdoj.gov>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Friday, February 9, 2018 at 9:32 AM *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com <mailto:Lindsay.Hamilton-Reid@fasthosts.com>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Are we still talking about ‘within 24 hours’ or ‘as soon as possible’ after the 2 business days that providers have to review the request?
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of* Theo Geurts *Sent:* Friday, February 9, 2018 11:03 AM *To:* gdd-gnso-ppsai-impl@icann.org; Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agree with Lindsay.
Theo
On 9-2-2018 16:42, Lindsay Hamilton-Reid wrote:
+1 Sara with one caveat. I would prefer that it stated ‘Provider shall use reasonable efforts to respond to the request as soon as possible’ as opposed to ‘Provider shall use its best efforts to action the request within 24 hours’. Action suggests that the Provider should have physically done something, which may or may not be possible and puts an onerous burden on the Provider.
Many thanks
Lindsay
*Lindsay Hamilton-Reid*
Senior Legal Counsel
*Direct:* +44 (0)1452 509145 | *Mobile:* 07720 091147 | *Email:* Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk | www.1and1.co.uk
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of* Sara Bockey *Sent:* 09 February 2018 15:38 *To:* gdd-gnso-ppsai-impl@icann.org *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Personally, clarifying the word “action” is only marginally helpful. I’m more concerned with the content and the fact that the LEA framework as currently written creates a presumption of disclosure.
To answer Peter’s question, I’m not saying “Providers get to choose whether to respond to law enforcement requests at all”, but the Provider DOES get to follow due process and doesn’t have to volunteer information just because LEA asks for it.
That said, perhaps we can use the following as a starting point for our conversation regarding High Priority on Tuesday. I will be the first to say this language needs work and input from others:
Where a disclosure request is categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within 24 hours, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Regards,
Sara
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com 480-366-3616*
*skype: sbockey*
*From:* Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Michele Neylon <michele@blacknight.com> *Reply-To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Date:* Thursday, February 8, 2018 at 8:36 AM *To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Steve
That might help, though I’ll defer to Sara and Co
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
*From:* Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Steven Metalitz <met@msk.com> *Reply-To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Date:* Thursday 8 February 2018 at 15:12 *To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
I wonder whether part of the problem here is the use of “action” as a verb. I certainly don’t read that as establishing a “presumption of disclosure.” I read it as saying that the provider will take action on the request within 24 hours (or whatever the time frame is, for non-priority requests). That action could be (1) disclosure; (2) refusal to disclose, based on one of the grounds listed in the specification; or (3) refusal to disclose for the time being, based on the LEA not having provided all the needed information, as spelled out in the specification. (I guess (3) is really a subset of (2), since 4.2.2.1 provides this ground for non-disclosure.)
So would it clarify to define the word “action” where it appears in 4.1.1 as follows (or something similar): “As used in this subsection, “action” means (i) to disclose to the LEA requestor, or (ii) to refuse to disclose to the LEA requestor, citing one or more of the reasons listed in 4.2.2”?
Another way to draft this is to append to “action” the parenthetical “in accordance with subsection 4.2,” which includes both the options listed (as well as the option of extending the deadline, “in exceptional circumstances,” see 4.2.4).
Could Sara or others give some examples of reasons beyond those listed in 4.2.2 on which a Provider might validly rely for non-disclosure?
Steve Metalitz
*Steven J. Metalitz* | *Partner, through his professional corporation*
T: 202.355.7902 | met@msk.com
*Mitchell Silberberg & Knupp LLP* | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of* Amy Bivins *Sent:* Thursday, February 08, 2018 9:25 AM *To:* gdd-gnso-ppsai-impl@icann.org *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Thank you, Sara, for this very specific proposed change. What do others think of this language?
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of* Sara Bockey *Sent:* Thursday, February 8, 2018 9:22 AM *To:* gdd-gnso-ppsai-impl@icann.org *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Amy,
I will reiterate my concern that the LEA framework, as currently written, creates a presumption of disclosure if LEAs check all the right boxes. Because this decision ultimately resides with the provider, based on due process, this must be reflected in the framework. Therefore, the following is problematic:
You wrote:
“the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3)).”
At the very minimum, I believe we need to add “without limitations” back to section 4.2.2. (Forgive me, I can’t recall where we landed on this and fear if I wait to see the revised document it will be deemed “too late” to discuss.) What’s listed under 4.2.2 should be non-limiting examples for when disclosure can be reasonably refused.
Regarding high priority requests, Volker has proposed:
"Where a disclosure request has been categorized as High Priority, Provider shall use its best efforts towards actioning the request within 24 hours on business days or as close as possible to this."
Another option could be something like “actioning the request within 24 hours for up to 90% (or some other level determined acceptable by Providers) of incidences.”
Your proposed language, namely, *“Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority”*, remains overly strict, uses language that creates a presumption of disclosure, and is not acceptable.
Thanks,
Sara
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com 480-366-3616*
*skype: sbockey*
*From:* Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> *Reply-To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Date:* Monday, February 5, 2018 at 11:58 AM *To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Hi, All,
*Thanks so much for your contribution to this discussion thus far, and I encourage the IRT to continue this discussion between now and our next meeting on the 13th.*
As a reminder of how we arrived at this point, the Final Report contained a few guidelines for any future LEA disclosure framework (see p. 16), /“In the event that a Disclosure Framework is eventually developed for LEA requests, the WG recommends that the Framework expressly include requirements under which at a minimum: (a) the Requester agrees to comply with all applicable data protection laws and to use any information disclosed to it solely for the purpose to determine whether further action on the issue is warranted, to contact the customer, or in a legal proceeding concerning the issue for which the request was made; and (b) exempts Disclosure where the customer has provided, or the P/P service provider has found, specific information, facts, and/or circumstances showing that Disclosure will endanger the safety of the customer.”/
* Jan 2016 Final Report: Guidelines re: any future LEA framework
* June 2016 GAC Helsinki Communique: advising ICANN Board to ensure that GAC concerns are effectively addressed in the implementation phase of the Privacy/Proxy Service Provider Accreditation Program to the greatest extent possible. The GAC advised that its input and feedback should be sought out as necessary in developing a proposed implementation plan, including through participation of the GAC Public Safety Working Group (PSWG) on the Implementation Review Team (IRT).
* December 2016: ICANN Board directs ICANN Org to continue to encourage dialogue between the IRT and the PSWG to address GAC concerns during implementation, to the extent that so doing is consistent with Policy Recommendations.
* Jan 2017: IRT invites PSWG to share strawman proposal, http://mm.icann.org/pipermail/gdd_pp_irt_lea/2017-January/000003.html.
* June 2017: PSWG shares strawman proposal with IRT
* Jun-Sept 2017: IRT discussions re: LEA framework (among other topics)
* Jan/Feb 2018: Continued IRT discussions re: lingering open items in LEA FW
Following over six months of discussions on this draft framework, the only remaining item appears to be how to handle “high priority” requests in terms of timing. In the last request to the IRT on this topic, sent to the IRT on 23 Jan, http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-January/000525.html, we requested any final feedback on this topic with a deadline of 28 Jan. No responses were sent to the list.
This proposed language was distributed today for discussion as a proposed solution to resolve potential ambiguity in the Final Draft prior to going to public comment. This proposal is an attempt to reflect all IRT member input received on the topic to date.
Please share any comments on the list with the goal of reaching a resolution to this issue prior to our next meeting.
Best,
Amy
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of* theo geurts *Sent:* Monday, February 5, 2018 12:32 PM *To:* gdd-gnso-ppsai-impl@icann.org; Sara Bockey <sbockey@godaddy.com> *Subject:* Re: [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Agreed Sara,
It seems, or at least, we create a suggestion that if process X is followed, disclosure will happen, that is not the case, and never has been the case, providers must follow due process, always.
If we create a set of LEA procedures, they need to be realistic and clear and never put a provider in a position where contractual agreements put pressure on a provider to comply with applicable law. But the first step in this process is to figure out if we are not out of scope as an IRT to create such procedures.
Theo
On 5-2-2018 18:05, Sara Bockey wrote:
A few items.
Again, I’m concerned that we are /_creating_/ policy, not implementing it. Granted, the framework outlined in the Final Report is not as robust as what is detailed for IPC, but then again LEA did not participate in the PDP process. The IRT is _not_ the place to be creating policy for LEAs.
That said, the problem with a strict 24-hour period is that it doesn’t acknowledge certain situations/matters may require additional time, falling outside a 24-hour period *_despite a Provider’s best efforts_*. Language such as “Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours” is overly strict and sets the Provider up for failure/being out of compliance due to circumstances beyond its control.
Finally, I fear the LEA framework as currently written creates unrealistic expectations/SLAs. There seems to be a presumption of disclosure – if LEAs check all the right boxes, the information will be disclosed. However, this decision should reside with the provider, who does not have to bypass due process just to please LEAs.
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com 480-366-3616*
*skype: sbockey*
*From:* Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> *Reply-To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Date:* Monday, February 5, 2018 at 7:51 AM *To:* "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Subject:* [Gdd-gnso-ppsai-impl] Request for IRT Feedback: LEA Framework Specification, Receipt Process's Application to High Priority Requests
Dear Colleagues,
As mentioned on the list a couple of weeks ago, the current draft PPAA is still a bit ambiguous regarding how the review process outlined in Section 3.2.1 applies to high priority requests. We need to ensure that the draft is clear about this requirement when we go out for public comment (and if there is opposition to the proposed requirement by any members of the IRT, this will be flagged in the call for comments).
*Upon reviewing the IRT’s input to date, I am proposing an edit that I believe reflects the IRT discussion on this point. Please review and provide your comments on this proposed language no later than this Friday, 9 February.*
To summarize, the current draft contains a two-step process for Providers upon receipt of a request from LEA. (1) Within two business days, the Provider must review the request and confirm to the LEA requester that it has been received and contains the relevant information required to meet the minimum standard for acceptance (See 3.2.1 of Specification 4). (2) The Provider must then action the request in accordance with the priority level (within 24 hours for “high priority” requests (4.1.2); or within the timeline requested by LEA, if possible, for other requests (See 4.1.3)).
*The current language may be a bit ambiguous as to whether the two business day “review period” applies before the 24-hour period for responding to high priority requests (as explained in more detail in the attached message).* The view of registrar IRT members appears to be that requiring action within 24 hours of receipt of an LEA request, even if it is a high priority request, is unacceptable. PSWG members of the IRT disagree. Other IRT members appear to have mixed views on this (some referenced the RAA requirement that “Well-founded reports of Illegal Activity submitted to these [dedicated LEA] contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report.” Registrar members of the IRT said that the RAA-required review is less intensive than the PPAA review due to the specific requirements in the PPAA draft).
Based on the views expressed within the IRT, it appears that one potential solution to this ambiguity would be to update Section 4.1.2 to state that (proposed edit in red), *“Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours of completion of the receipt process outlined in Section 3.2. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority.”*
The practical impact of this proposed change would be that the provider must action a high priority request within 24 hours of determining that the request meets the minimum standard for acceptance. If the provider completes the receipt process sooner than 2 business days after receipt of the request, this would start the 24-hour clock for actioning the request. Thus, this could shorten the response window a bit, partially addressing the PSWG concerns of a “two business days plus 24 hours” requirement, while also addressing registrar concerns by not starting the clock until the provider has time to review the request, if the full time of the receipt process is required to conduct that review.
*Please provide your feedback on this proposed change no later than this Friday, 9 Feb. And if you have further comments on this, please share those as well.*
Best,
Amy
*Amy E. Bivins*
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
participants (9)
- Amy Bivins
- Chris Pelling
- Lindsay Hamilton-Reid
- Metalitz, Steven
- Michele Neylon - Blacknight
- Roman, Peter (CRM)
- Sara Bockey
- theo geurts
- Volker Greimann