Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Amy,

It’s seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.

Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”.

It’s incredibly frustrating that staff does not appear to hear what we are saying.

Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, March 8, 2018 at 8:04 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Lindsay!

I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid
Sent: Thursday, March 8, 2018 10:00 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Hi Amy

Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law.

I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.

Many thanks

Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk
www.1and1.co.uk

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: 08 March 2018 12:07
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.

Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):

4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”

Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?

Peter, what would you and your PSWG colleagues think about this?

Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.

I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM)
Sent: Wednesday, March 7, 2018 1:08 PM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Tuesday, March 6, 2018 11:42 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Dear Colleagues,

Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018

If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ

Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.

Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date.
We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.

We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is:

4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as:

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law.
Concerns have also been raised about the “best efforts” language.

IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week.

In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

Sara and all,

This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement.

There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.

Amy

There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.

Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email.

https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html

Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it?

Yes, we need to consider additional language to 4.2.2 as it is too narrow.

Many thanks,

Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. 
Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> [fh-1and1] © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. 
Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: 08 March 2018 12:07
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.

Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):

4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?

Peter, what would you and your PSWG colleagues think about this?

Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.

I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM)
Sent: Wednesday, March 7, 2018 1:08 PM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Tuesday, March 6, 2018 11:42 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Dear Colleagues,

Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018

If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ

Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.

Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date.
We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.

We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is:

4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as:

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law.
Concerns have also been raised about the “best efforts” language.

IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week.

In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here?

Sent from my iPhone

On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote:

There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that.

It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.

Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email.

https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html

Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it?

Yes, we need to consider additional language to 4.2.2 as it is too narrow.

Many thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, March 8, 2018 at 10:05 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Sara and all,

This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement.

There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that.
It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.

Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, March 8, 2018 11:04 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Amy,

It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.

Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying.

Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com
480-366-3616
skype: sbockey
A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here? Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. 
Pease see the thread to my March 2 email. https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. 
Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! 
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid
Sent: Thursday, March 8, 2018 10:00 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Hi Amy

Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.

Many thanks

Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk www.1and1.co.uk

© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no.
752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: 08 March 2018 12:07
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.

Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework?
If we did that, it would look something like this (edit to Sara’s proposal in redline):

4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?
Peter, what would you and your PSWG colleagues think about this?

Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.

I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM)
Sent: Wednesday, March 7, 2018 1:08 PM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Tuesday, March 6, 2018 11:42 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Dear Colleagues,

Thank you for your participation on today’s privacy/proxy IRT call.
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018

If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ

Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.

Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.

We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is:

4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as:

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.

IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week.

In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Hi Perter,

You actually just answered this yourself:

Quote: I imagine that to be true in most jurisdictions.

Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEAs, anything outside of that would mean the LEA requesting the information will need to go through the registrar's country LEA to get any information.

Kind regards,
Chris

From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
To: gdd-gnso-ppsai-impl@icann.org
Sent: Friday, 9 March, 2018 16:34:32
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law

B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions.

Which makes the language both redundant and unnecessary.

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Friday, March 9, 2018 9:05 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here?
Sent from my iPhone

On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote:

There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2.

Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email.

https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html

Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it?

Yes, we need to consider additional language to 4.2.2 as it is too narrow.

Many thanks,
Sara

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information.
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
My apologies - that should have been "Peter" Kind regards, Chris From: "Chris Pelling" <chris@netearth.net> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 18:26:35 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Perter, You actually just answered this yourself : Quote: I imagine that to be true in most jurisdictions. Therefore if it is not ALL jurisdictions - the wording has be to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEA's, anything outside of that would mean the LEA requesting the information will need to go through the registrars country LEA to get any information. Kind regards, Chris From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. 
Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here? Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey < sbockey@godaddy.com > wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Pease see the thread to my March 2 email. 
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | Go Daddy ™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl < gdd-gnso-ppsai-impl-bounces@icann.org > on behalf of Amy Bivins < amy.bivins@icann.org > Reply-To: " gdd-gnso-ppsai-impl@icann.org " < gdd-gnso-ppsai-impl@icann.org > Date: Thursday, March 8, 2018 at 10:05 AM To: " gdd-gnso-ppsai-impl@icann.org " < gdd-gnso-ppsai-impl@icann.org > Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. 
This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy From: Gdd-gnso-ppsai-impl [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org ] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | Go Daddy ™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl < gdd-gnso-ppsai-impl-bounces@icann.org > on behalf of Amy Bivins < amy.bivins@icann.org > Reply-To: " gdd-gnso-ppsai-impl@icann.org " < gdd-gnso-ppsai-impl@icann.org > Date: Thursday, March 8, 2018 at 8:04 AM To: " gdd-gnso-ppsai-impl@icann.org " < gdd-gnso-ppsai-impl@icann.org > Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org ] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. 
Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org ] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day. 
, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form ) or other means for LEA to obtain designated LEA contact information ) . If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ . As of now, there are 18 responses. 
Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org ] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org ] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. 
We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form ) or other means for LEA to obtain designated LEA contact information ) . I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. 
Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Amy, Can you circulate the most recent full draft of the proposed agreement? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 9, 2018, at 2:32 PM, Chris Pelling <chris@netearth.net> wrote: My apologies - that should have been "Peter" Kind regards, Chris ________________________________ From: "Chris Pelling" <chris@netearth.net> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 18:26:35 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Perter, You actually just answered this yourself: Quote: I imagine that to be true in most jurisdictions. Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEAs, anything outside of that would mean the LEA requesting the information will need to go through the registrar's country LEA to get any information. Kind regards, Chris ________________________________ From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. 
In both emergency requests and in general requests for subscriber information, registrars now commonly ask that law enforcement make the requests directly to the registrar and not go through local law enforcement. Are you suggesting that this practice be different for privacy proxy providers? Also, if that is the intent of the language, which is not clear from the language, I don’t believe that there is any comparable language in either the registrar or registry agreements. If not, why should it be here? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 9, 2018, at 2:28 PM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, You actually just answered this yourself: Quote: I imagine that to be true in most jurisdictions. Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEAs, anything outside of that would mean the LEA requesting the information will need to go through the registrar's country LEA to get any information. Kind regards, Chris From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts.
I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here? Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email.
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. 
Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay!
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no.
752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework?
If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? 
Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. 
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
Hi Peter, I don't know the registrars that ask LEA to go direct, and cannot speak for them. But we do not, and I know a fair few that would request a court order issued in the jurisdiction of the registrar, or it would need to come via LEA in the registrar's jurisdiction. Sent from Chris on the move On Sun, Mar 11, 2018 at 10:51 AM +0000, "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> wrote: In both emergency requests and in general requests for subscriber information, registrars now commonly ask that law enforcement make the requests directly to the registrar and not go through local law enforcement. Are you suggesting that this practice be different for privacy proxy providers? Also, if that is the intent of the language, which is not clear from the language, I don’t believe that there is any comparable language in either the registrar or registry agreements. If not, why should it be here? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 9, 2018, at 2:28 PM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, You actually just answered this yourself: Quote: I imagine that to be true in most jurisdictions. Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEAs, anything outside of that would mean the LEA requesting the information will need to go through the registrar's country LEA to get any information. Kind regards, Chris From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B.
In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here? Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email.
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. 
This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales.
Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework?
If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? 
Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. 
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl In both emergency requests and in general requests for subscriber information, registrars now commonly ask that law enforcement make the requests directly to the registrar and not go through local law enforcement. Are you suggesting that this practice be different for privacy proxy providers? Also, if that is the intent of the language, which is not clear from the language, I don’t believe that there is any comparable language in either the registrar or registry agreements. If not, why should it be here? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 9, 2018, at 2:28 PM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, You actually just answered this yourself : Quote: I imagine that to be true in most jurisdictions. 
Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEA's, anything outside of that would mean the LEA requesting the information will need to go through the registrars country LEA to get any information. Kind regards, Chris ________________________________ From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here? 
Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email. https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. 
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. 
Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! 
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 
752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? 
If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? 
Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. 
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Would that be your expectation for emergency requests too? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 11, 2018, at 6:59 AM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, I don't know the registrars that ask LEA to go direct, and cannot speak for them. But, we do not and I know a fair few that would request court order issued in jurisdiction of registrar or it would need to come via LEA in registrars jurisdiction. Sent from Chris on the move On Sun, Mar 11, 2018 at 10:51 AM +0000, "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> wrote: In both emergency requests and in general requests for subscriber information, registrars now commonly ask that law enforcement make the requests directly to the registrar and not go through local law enforcement. Are you suggesting that this practice be different for privacy proxy providers? Also, if that is the intent of the language, which is not clear from the language, I don’t believe that there is any comparable language in either the registrar or registry agreements. If not, why should it be here? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 9, 2018, at 2:28 PM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, You actually just answered this yourself : Quote: I imagine that to be true in most jurisdictions. 
Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEA's, anything outside of that would mean the LEA requesting the information will need to go through the registrars country LEA to get any information. Kind regards, Chris ________________________________ From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here? 
Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email. https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. 
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. 
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Thursday, March 8, 2018 11:04 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Amy,

It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying.

Sara

sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, March 8, 2018 at 8:04 AM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Lindsay!

I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid
Sent: Thursday, March 8, 2018 10:00 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Hi Amy

Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.

Many thanks

Lindsay

Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk

© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027.

This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: 08 March 2018 12:07
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.

Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework?
If we did that, it would look something like this (edit to Sara’s proposal in redline):

4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”

Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?

Peter, what would you and your PSWG colleagues think about this?

Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM)
Sent: Wednesday, March 7, 2018 1:08 PM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.

Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Tuesday, March 6, 2018 11:42 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Dear Colleagues,

Thank you for your participation on today’s privacy/proxy IRT call.
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018

If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ

Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.

Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.

We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is:

4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as:

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.

IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.

Best,
Amy

Amy E.
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

In both emergency requests and in general requests for subscriber information, registrars now commonly ask that law enforcement make the requests directly to the registrar and not go through local law enforcement. Are you suggesting that this practice be different for privacy proxy providers? Also, if that is the intent of the language, which is not clear from the language, I don’t believe that there is any comparable language in either the registrar or registry agreements. If not, why should it be here?

Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov

On Mar 9, 2018, at 2:28 PM, Chris Pelling <chris@netearth.net> wrote:

Hi Peter,

You actually just answered this yourself:

Quote: I imagine that to be true in most jurisdictions.

Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEAs, anything outside of that would mean the LEA requesting the information will need to go through the registrar's country LEA to get any information.

Kind regards,
Chris

________________________________
From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov>
To: gdd-gnso-ppsai-impl@icann.org
Sent: Friday, 9 March, 2018 16:34:32
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law
B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions.

Which makes the language both redundant and unnecessary.

Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Friday, March 9, 2018 9:05 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here?
Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Pease see the thread to my March 2 email. https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. 
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. 
Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! 
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> <image001.jpg> © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 
752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. <image002.jpg><http://www.linkedin.com/company/fasthosts-internet-ltd><image003.jpg><https://twitter.com/Fasthosts><image004.jpg><https://www.facebook.com/fasthostsinternet><image005.jpg><https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts><image006.jpg><http://blogs.fasthosts.co.uk/><image007.jpg><http://www.youtube.com/user/Fasthostsinternet> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? 
If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? 
Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. 
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
A quick point of clarification, when the proposed language says “one business day” to action an emergency request, does that mean that, for example, if LEA makes a request on Friday evening, the provider does not have to action it until the end of the workday on Monday? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 11, 2018, at 6:59 AM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, I don't know the registrars that ask LEA to go direct, and cannot speak for them. But, we do not and I know a fair few that would request a court order issued in the jurisdiction of the registrar, or it would need to come via LEA in the registrar's jurisdiction. Sent from Chris on the move On Sun, Mar 11, 2018 at 10:51 AM +0000, "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> wrote: In both emergency requests and in general requests for subscriber information, registrars now commonly ask that law enforcement make the requests directly to the registrar and not go through local law enforcement. Are you suggesting that this practice be different for privacy proxy providers? Also, if that is the intent of the language, which is not clear from the language, I don’t believe that there is any comparable language in either the registrar or registry agreements. If not, why should it be here? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S.
Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 9, 2018, at 2:28 PM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, You actually just answered this yourself: Quote: I imagine that to be true in most jurisdictions. Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEAs, anything outside of that would mean the LEA requesting the information will need to go through the registrar's country LEA to get any information. Kind regards, Chris ________________________________ From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary.
Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here? Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email.
https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. 
Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay!
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no.
752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework?
If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? 
Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. 
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl In both emergency requests and in general requests for subscriber information, registrars now commonly ask that law enforcement make the requests directly to the registrar and not go through local law enforcement. Are you suggesting that this practice be different for privacy proxy providers? Also, if that is the intent of the language, which is not clear from the language, I don’t believe that there is any comparable language in either the registrar or registry agreements. If not, why should it be here? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov On Mar 9, 2018, at 2:28 PM, Chris Pelling <chris@netearth.net> wrote: Hi Peter, You actually just answered this yourself: Quote: I imagine that to be true in most jurisdictions.
Therefore if it is not ALL jurisdictions - the wording has to be included - likewise, if my company was for example in say Spain, I would expect any request to come from my Spanish LEAs, anything outside of that would mean the LEA requesting the information will need to go through the registrar's country LEA to get any information. Kind regards, Chris ________________________________ From: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> To: gdd-gnso-ppsai-impl@icann.org Sent: Friday, 9 March, 2018 16:34:32 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call A. It’s unnecessary - The entire contract is only valid where it is not in contravention of applicable law B. In the US, there is a specific exemption to provider’s legal responsibilities that allows them to action emergency requests from law enforcement without additional process and based upon the LEA’s representation of the facts. I imagine that to be true in most jurisdictions. Which makes the language both redundant and unnecessary. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Friday, March 9, 2018 9:05 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Peter and any others who see a potential issue with the inclusion of the “contravention of applicable law” language or references to court order/subpoena here in this section, do you want to elaborate on why you think the language should go elsewhere instead of here?
Sent from my iPhone On Mar 8, 2018, at 12:27 PM, Sara Bockey <sbockey@godaddy.com> wrote: There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. Amy, you will recall that there were not many registrars on the last call. Additionally, the support was expressed on the mailing list. Please see the thread to my March 2 email. https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000635.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000636.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000638.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000649.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000639.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000637.html https://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/2018-March/000641.html Personally, I would like to see the language about “contravention of applicable law” in both sections. It’s important and we would like it reiterated. My question for you is what harm is there in reiterating it? Yes, we need to consider additional language to 4.2.2 as it is too narrow. Many thanks, Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information.
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 10:05 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara and all, This language was proposed as a compromise, as the relevant language already appears (and can potentially be enhanced) elsewhere in a potentially more relevant section of the specification. Registrar recommendations are being heard, but this is a compromise situation. We are trying to find a solution that the IRT can reach consensus on. This proposal also proposed to keep the 1 business day requirement proposed by the registrars, though PSWG members of the IRT would prefer a 24 hour requirement. There did not appear to be consensus support on our call on Tuesday that the language about “contravention of applicable law” had to appear here in this section. If you believe that staff is wrong about that, and that there is consensus support for the language to appear in this specific section, we can certainly poll the group to see if there is consensus support for that. It would be helpful if you could explain why the language needs to appear here, as opposed to in 4.2. And we could certainly consider additional language to 4.2.2. 
Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Thursday, March 8, 2018 11:04 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay!
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no.
752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? 
If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? 
Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. 
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. 
Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to? Steve Metalitz Sent with BlackBerry Work (www.blackberry.com)
Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Metalitz, Steven" <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to? Steve Metalitz Sent with BlackBerry Work (www.blackberry.com) From: Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. 
It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> [fh-1and1] © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. 
Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. [linkedin]<http://www.linkedin.com/company/fasthosts-internet-ltd>[twitter]<https://twitter.com/Fasthosts>[facebook]<https://www.facebook.com/fasthostsinternet>[gplus]<https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts>[blog]<http://blogs.fasthosts.co.uk/>[youtube]<http://www.youtube.com/user/Fasthostsinternet> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). 
Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. 
We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. 
Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours. -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ https://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Sara Bockey <sbockey@godaddy.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Metalitz, Steven" <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to? Steve Metalitz Sent with BlackBerry Work (www.blackberry.com) From: Sara Bockey <sbockey@godaddy.com> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 
03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? 
If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? 
Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. 
If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
We also had to close our offices last week due to lack of actual employees being able to get in. So I find Sarah's argument totally acceptable. Kind regards, Chris From: "Michele Neylon" <michele@blacknight.com> To: gdd-gnso-ppsai-impl@icann.org Sent: Thursday, 8 March, 2018 19:01:01 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours. -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ https://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Sara Bockey <sbockey@godaddy.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable. sara bockey sr. 
policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
Thanks, all, for providing these examples! I’m wondering if Section 4.2.4 could accommodate these situations (“In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay, and agree with the LEA Requestor on a new date by which it will provide its response under this Section 4.2.”) Perhaps we could update the draft language a bit in 4.1.2 to make clear that 4.2.4 also applies? Also, if offices are closed locally due to a disaster I’m wondering whether this would then not be a “business day” as we are now talking about a 1 business day requirement. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Chris Pelling Sent: Thursday, March 8, 2018 2:05 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We also had to close our offices last week due to lack of actual employees being able to get in. So I find Sarah's argument totally acceptable. Kind regards, Chris ________________________________ From: "Michele Neylon" <michele@blacknight.com> To: gdd-gnso-ppsai-impl@icann.org Sent: Thursday, 8 March, 2018 19:01:01 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours. -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ https://ceo.hosting/ Intl. 
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Sara Bockey <sbockey@godaddy.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Metalitz, Steven" <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to? Steve Metalitz Sent with BlackBerry Work (www.blackberry.com) From: Sara Bockey <sbockey@godaddy.com> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. 
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. 
We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. 
There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. 
Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. 
The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. 
In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
Morning all, After reading a lot of emails last night, I think we may be very close to a compromise. It appears (to me) all that is needed is the following: High Priority language: 4.1.2 Where a disclosure request has been categorized as High Priority, and it has been determined that Provider has useful information, Provider shall use reasonable efforts to action the request within one business day. Registrar will not be required to take any action in contravention of applicable law. And then add “without limitations” back to 4.2.2., so: 4.2.2. Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including without limitations any of the following: 4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification; 4.2.2.2. If disclosure would lead to a contravention of applicable law; or 4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer. Thoughts? sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 3:29 PM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, all, for providing these examples! 
I’m wondering if Section 4.2.4 could accommodate these situations (“In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay, and agree with the LEA Requestor on a new date by which it will provide its response under this Section 4.2.”) Perhaps we could update the draft language a bit in 4.1.2 to make clear that 4.2.4 also applies? Also, if offices are closed locally due to a disaster I’m wondering whether this would then not be a “business day” as we are now talking about a 1 business day requirement. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Chris Pelling Sent: Thursday, March 8, 2018 2:05 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We also had to close our offices last week due to lack of actual employees being able to get in. So I find Sarah's argument totally acceptable. Kind regards, Chris From: "Michele Neylon" <michele@blacknight.com<mailto:michele@blacknight.com>> To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Sent: Thursday, 8 March, 2018 19:01:01 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours. -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ https://ceo.hosting/ Intl. 
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to? Steve Metalitz Sent with BlackBerry Work (www.blackberry.com<http://www.blackberry.com>) From: Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to my pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. 
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. 
We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> [fh-1and1] © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. 
[linkedin]<http://www.linkedin.com/company/fasthosts-internet-ltd>[twitter]<https://twitter.com/Fasthosts>[facebook]<https://www.facebook.com/fasthostsinternet>[gplus]<https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts>[blog]<http://blogs.fasthosts.co.uk/>[youtube]<http://www.youtube.com/user/Fasthostsinternet> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. 
There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. 
Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. 
The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. 
In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Excellent. What do others think about this? Do you think we need any additional language here to clarify that this is one business day from receipt of the request, to make clear that the 2 business day receipt process doesn’t apply first (for example, adding “of receipt of the request” after “one business day”)? Also, per Peter’s request, the current PPAA draft, as distributed for IRT feedback a couple of weeks ago, is attached. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Sunday, March 11, 2018 7:52 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Morning all, After reading a lot of emails last night, I think we may be very close to a compromise. It appears (to me) all that is needed is the following: High Priority language: 4.1.2 Where a disclosure request has been categorized as High Priority, and it has been determined that Provider has useful information, Provider shall use reasonable efforts to action the request within one business day. Registrar will not be required to take any action in contravention of applicable law. And then add “without limitations” back to 4.2.2., so: 4.2.2. Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including without limitations any of the following: 4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification; 4.2.2.2. If disclosure would lead to a contravention of applicable law; or 4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer. Thoughts? sara bockey sr. 
policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 3:29 PM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, all, for providing these examples! I’m wondering if Section 4.2.4 could accommodate these situations (“In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay, and agree with the LEA Requestor on a new date by which it will provide its response under this Section 4.2.”) Perhaps we could update the draft language a bit in 4.1.2 to make clear that 4.2.4 also applies? Also, if offices are closed locally due to a disaster I’m wondering whether this would then not be a “business day” as we are now talking about a 1 business day requirement. 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Chris Pelling Sent: Thursday, March 8, 2018 2:05 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We also had to close our offices last week due to lack of actual employees being able to get in. So I find Sarah's argument totally acceptable. Kind regards, Chris From: "Michele Neylon" <michele@blacknight.com<mailto:michele@blacknight.com>> To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Sent: Thursday, 8 March, 2018 19:01:01 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours. -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ https://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. 
A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to? Steve Metalitz Sent with BlackBerry Work (www.blackberry.com<http://www.blackberry.com>) From: Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. 
It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? 
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations. Many thanks Lindsay Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> [fh-1and1] © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. 
Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise. Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline): 4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. 
As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website. 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.” Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? Peter, what would you and your PSWG colleagues think about this? Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico. I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars). 
Best, Amy From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process. Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Dear Colleagues, Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018 If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage. Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. 
We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft. We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification. The proposed language is: 4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law. Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information). I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. 
Concerns have also been raised about the “best efforts” language. IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know. Best, Amy Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org<mailto:amy.bivins@icann.org> www.icann.org<http://www.icann.org>
A quick point of clarification, when the proposed language says “one business day” to action an emergency request, does that mean that, for example, if LEA makes a request on Friday evening, the provider does not have to action it until the end of the workday on Monday? Peter Roman Senior Counsel Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov> On Mar 11, 2018, at 8:30 AM, Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> wrote: Excellent. What do others think about this? Do you think we need any additional language here to clarify that this is one business day from receipt of the request, to make clear that the 2 business day receipt process doesn’t apply first (for example, adding “of receipt of the request” after “one business day”)? Also, per Peter’s request, the current PPAA draft, as distributed for IRT feedback a couple of weeks ago, is attached. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: Sunday, March 11, 2018 7:52 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Morning all, After reading a lot of emails last night, I think we may be very close to a compromise. It appears (to me) all that is needed is the following: High Priority language: 4.1.2 Where a disclosure request has been categorized as High Priority, and it has been determined that Provider has useful information, Provider shall use reasonable efforts to action the request within one business day. Registrar will not be required to take any action in contravention of applicable law. And then add “without limitations” back to 4.2.2., so: 4.2.2. 
Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including without limitations any of the following: 4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification; 4.2.2.2. If disclosure would lead to a contravention of applicable law; or 4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer. Thoughts? sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 3:29 PM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, all, for providing these examples! 
I’m wondering if Section 4.2.4 could accommodate these situations (“In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay, and agree with the LEA Requestor on a new date by which it will provide its response under this Section 4.2.”) Perhaps we could update the draft language a bit in 4.1.2 to make clear that 4.2.4 also applies? Also, if offices are closed locally due to a disaster I’m wondering whether this would then not be a “business day” as we are now talking about a 1 business day requirement. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Chris Pelling Sent: Thursday, March 8, 2018 2:05 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We also had to close our offices last week due to lack of actual employees being able to get in. So I find Sarah's argument totally acceptable. Kind regards, Chris From: "Michele Neylon" <michele@blacknight.com<mailto:michele@blacknight.com>> To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Sent: Thursday, 8 March, 2018 19:01:01 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours. -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ https://ceo.hosting/ Intl. 
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. 
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to? Steve Metalitz Sent with BlackBerry Work (www.blackberry.com<http://www.blackberry.com>) From: Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Amy, It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it. Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”. It’s incredibly frustrating that staff does not appear to hear what we are saying. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. 
If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org<mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Thanks, Lindsay! I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law. What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information? From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call Hi Amy Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. 
We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.

Many thanks

Lindsay

Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk www.1and1.co.uk

© 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027.

This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: 08 March 2018 12:07
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.

Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):

4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA.
There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”

Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)? Peter, what would you and your PSWG colleagues think about this?

Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.

I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).

Best,
Amy

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM)
Sent: Wednesday, March 7, 2018 1:08 PM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request.
Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins
Sent: Tuesday, March 6, 2018 11:42 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Dear Colleagues,

Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018

If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ

Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.

Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.

We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification.
The proposed language is:

4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.

Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as:

3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).

I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.

IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment.

This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week.
In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org

_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

<PPAA_28Feb_CleanIRTNotes.pdf>
What’s our timing for reaching an agreement?

Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
U.S. Department of Justice
1301 New York Ave., NW
Washington, DC 20530
(202) 305-1323
peter.roman@usdoj.gov

On Mar 11, 2018, at 8:30 AM, Amy Bivins <amy.bivins@icann.org> wrote:

Excellent. What do others think about this? Do you think we need any additional language here to clarify that this is one business day from receipt of the request, to make clear that the 2 business day receipt process doesn’t apply first (for example, adding “of receipt of the request” after “one business day”?

Also, per Peter’s request, the current PPAA draft, as distributed for IRT feedback a couple of weeks ago, is attached.

From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey
Sent: Sunday, March 11, 2018 7:52 AM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Morning all,

After reading a lot of emails last night, I think we may be very close to a compromise. It appears (to me) all that is needed is the following:

High Priority language:

4.1.2 Where a disclosure request has been categorized as High Priority, and it has been determined that Provider has useful information, Provider shall use reasonable efforts to action the request within one business day. Registrar will not be required to take any action in contravention of applicable law.

And then add “without limitations” back to 4.2.2., so:

4.2.2. Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including without limitations any of the following:

4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification;

4.2.2.2. If disclosure would lead to a contravention of applicable law; or

4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer.

Thoughts?

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday, March 8, 2018 at 3:29 PM
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Thanks, all, for providing these examples! I’m wondering if Section 4.2.4 could accommodate these situations (“In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay, and agree with the LEA Requestor on a new date by which it will provide its response under this Section 4.2.”)

Perhaps we could update the draft language a bit in 4.1.2 to make clear that 4.2.4 also applies? Also, if offices are closed locally due to a disaster I’m wondering whether this would then not be a “business day” as we are now talking about a 1 business day requirement.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Chris Pelling
Sent: Thursday, March 8, 2018 2:05 PM
To: gdd-gnso-ppsai-impl@icann.org
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

We also had to close our offices last week due to lack of actual employees being able to get in.

So I find Sarah's argument totally acceptable.

Kind regards,
Chris

From: "Michele Neylon" <michele@blacknight.com>
To: gdd-gnso-ppsai-impl@icann.org
Sent: Thursday, 8 March, 2018 19:01:01
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours.

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
https://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Sara Bockey <sbockey@godaddy.com>
Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Date: Thursday 8 March 2018 at 14:58
To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>
Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call

Sure, Steve. There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack.
A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable.

sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
Looks good Sara.

Best,
Theo

On 11-3-2018 12:51, Sara Bockey wrote:
Morning all,
After reading a lot of emails last night, I think we may be very close to a compromise. It appears (to me) all that is needed is the following:
High Priority language:
4.1.2 Where a disclosure request has been categorized as High Priority, and it has been determined that Provider has useful information, Provider shall use reasonable efforts to action the request within one business day. Registrar will not be required to take any action in contravention of applicable law.
And then add “without limitations” back to 4.2.2., so:
4.2.2. Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including *without limitations* any of the following:
4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification;
4.2.2.2. If disclosure would lead to a contravention of applicable law; or
4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer.
Thoughts?
sara bockey
sr. policy manager | GoDaddy™
sbockey@godaddy.com 480-366-3616
skype: sbockey
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Date: *Thursday, March 8, 2018 at 3:29 PM *To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Subject: *Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, all, for providing these examples! I’m wondering if Section 4.2.4 could accommodate these situations (“In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay, and agree with the LEA Requestor on a new date by which it will provide its response under this Section 4.2.”)
Perhaps we could update the draft language a bit in 4.1.2 to make clear that 4.2.4 also applies? Also, if offices are closed locally due to a disaster I’m wondering whether this would then not be a “business day” as we are now talking about a 1 business day requirement.
*From:* Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Chris Pelling *Sent:* Thursday, March 8, 2018 2:05 PM *To:* gdd-gnso-ppsai-impl@icann.org *Subject:* Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
We also had to close our offices last week due to lack of actual employees being able to get in.
So I find Sara's argument totally acceptable.
Kind regards,
Chris
*From: *"Michele Neylon" <michele@blacknight.com <mailto:michele@blacknight.com>> *To: *gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> *Sent: *Thursday, 8 March, 2018 19:01:01 *Subject: *Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours.
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,
Ireland Company No.: 370845
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Thursday 8 March 2018 at 14:58 *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Sure, Steve.
There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here), taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable.
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616*
*skype: sbockey*
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Thursday, March 8, 2018 at 11:48 AM *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to?
Steve Metalitz
*From: *Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>>
*Date: *Thursday, Mar 08, 2018, 11:04 AM
*To: *gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>
*Subject: *Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Amy,
It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.
Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”.
It’s incredibly frustrating that staff does not appear to hear what we are saying.
Sara
*sara bockey*
*sr. policy manager | GoDaddy™*
*sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616*
*skype: sbockey*
*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org <mailto:amy.bivins@icann.org>> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Thursday, March 8, 2018 at 8:04 AM *To: *"gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Lindsay!
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law.
What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Lindsay Hamilton-Reid *Sent:* Thursday, March 8, 2018 10:00 AM *To:* gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Hi Amy
Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.
Many thanks
Lindsay
*Lindsay Hamilton-Reid*
Senior Legal Counsel
*Direct:* +44 (0)1452 509145 | *Mobile:* 07720 091147 | *Email:* Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk | www.1and1.co.uk
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Amy Bivins *Sent:* 08 March 2018 12:07 *To:* gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.
Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):
4.1.2 Where a disclosure request has been categorized as High Priority,LEA will make every effort to contact the Provider directly to discuss the matter,and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.
3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”
Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?
Peter, what would you and your PSWG colleagues think about this?
Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.
I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).
Best,
Amy
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Roman, Peter (CRM) *Sent:* Wednesday, March 7, 2018 1:08 PM *To:* gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.
Peter Roman
Senior Counsel
Computer Crime & Intellectual Property Section
Criminal Division
Department of Justice
1301 New York Ave., NW Washington, DC 20530 (202) 305-1323
peter.roman@usdoj.gov<mailto:peter.roman@usdoj.gov>
*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Amy Bivins *Sent:* Tuesday, March 6, 2018 11:42 AM *To:* gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org> *Subject:* [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Dear Colleagues,
Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018
If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ. Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.
Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.
We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification.
The proposed language is:
4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.
IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.
Best,
Amy
*Amy E. Bivins*
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
Agree with Sara’s proposed language. Amy, I like the idea of adding clarity using “of receipt of the request” after “one business day”.
Kind Regards,
Vlad Dinculescu
————————
DNS Africa Ltd
On 11 Mar 2018, at 8:29 AM, Theo Geurts <gtheo@xs4all.nl> wrote:
Looks good Sara.
Best,
Theo
On 11-3-2018 12:51, Sara Bockey wrote:
Morning all,
After reading a lot of emails last night, I think we may be very close to a compromise. It appears (to me) all that is needed is the following:
High Priority language:
4.1.2 Where a disclosure request has been categorized as High Priority, and it has been determined that Provider has useful information, Provider shall use reasonable efforts to action the request within one business day. Registrar will not be required to take any action in contravention of applicable law.
And then add “without limitations” back to 4.2.2., so:
4.2.2. Disclosure can be reasonably refused by Provider for reasons consistent with the general policy stated herein, including without limitations any of the following:
4.2.2.1. The LEA Requestor failed to provide to Provider information to meet the minimum standard for acceptance as outlined in Section 2 of this Specification; 4.2.2.2. If disclosure would lead to a contravention of applicable law; or 4.2.2.3. Where the Customer has provided, or Provider has found, specific information, facts, or circumstances showing that disclosure will endanger the safety of the Customer.
Thoughts?
sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> <mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> <mailto:amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 3:29 PM To: "gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, all, for providing these examples! I’m wondering if Section 4.2.4 could accommodate these situations (“In exceptional circumstances, if Provider requires additional time to respond to the LEA Requestor, Provider shall inform the LEA Requestor of the cause of the delay, and agree with the LEA Requestor on a new date by which it will provide its response under this Section 4.2.”)
Perhaps we could update the draft language a bit in 4.1.2 to make clear that 4.2.4 also applies? Also, if offices are closed locally due to a disaster I’m wondering whether this would then not be a “business day” as we are now talking about a 1 business day requirement.
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>] On Behalf Of Chris Pelling Sent: Thursday, March 8, 2018 2:05 PM To: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
We also had to close our offices last week due to lack of actual employees being able to get in.
So I find Sara's argument totally acceptable.
Kind regards,
Chris
From: "Michele Neylon" <michele@blacknight.com <mailto:michele@blacknight.com>> To: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> Sent: Thursday, 8 March, 2018 19:01:01 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours.
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
https://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Sure, Steve.
There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here), taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable.
sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to?
Steve Metalitz
From: Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Amy,
It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.
Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”.
It’s incredibly frustrating that staff does not appear to hear what we are saying.
Sara
sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Amy Bivins <amy.bivins@icann.org <mailto:amy.bivins@icann.org>> Reply-To: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Lindsay!
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law.
What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Hi Amy
Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.
Many thanks
Lindsay
Lindsay Hamilton-Reid
Senior Legal Counsel
Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk
www.fasthosts.co.uk | www.1and1.co.uk
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.
Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):
4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter,and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.
3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”
Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?
Peter, what would you and your PSWG colleagues think about this?
Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.
I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).
Best, Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.
Peter Roman
Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Dear Colleagues,
Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018
If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.
Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.
We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification.
The proposed language is:
4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2, that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.
IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.
Best, Amy
Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Agree with Sara, we had the same issues with our offices as Michele and Chris.
Many thanks
Lindsay
Sent from my iPhone
Hi everyone
Very interested to read the various potential challenges which could impact ability to respond to legal requests. I note that many registrars (including those on this list) advertise 24/7 support services. Assuming you have mitigation strategies in place for such challenges / events - how do you maintain these advertised services, which no doubt form part of the appeal of choosing a particular registrar for domain registrants?
That aside, the main element of my intervention here is to note that back when I was a LEA officer, I used to be part of the 24/7 response team (shared around the team on a rota, we each typically did one week on each month). I had a laptop and phone which enabled me to make / receive calls, and connect into the corporate system. I would receive a small payment on top of my base salary for the time that I was on call, with an additional overtime payment if the phone actually rang. In return I would handle enquiries including data preservation requests / threat to life enquiries that came in outside office hours.
Now naturally we couldn’t always solve everything within the 24hr window over a weekend, get all the evidence, find the bad people, put them in jail, but as required we were able to be called upon to do - at the minimum - an initial triage and provide information, analysis or guidance which would enable those in charge of running the threat to life operation or urgent case to make an assessment of risk, and determine the most effective course of action to mitigate the risk.
Maybe providing this service is something that could be handled by pre-existing 24/7 services? Maybe it might incur an additional cost? I’m fully aware that different providers have different budgets and margins, and I won’t attempt to dictate to the experts how to do this, but I don’t think that this is an impossible task.
In my personal view, there is an overriding public interest for at least the minimal response within a 24hr timeframe to High Priority requests as outlined in the draft, and we have a social obligation as a community to figure it out from this starting point.
Kind regards,
Nick
Nick Shorey Phone: +44 (0) 7552 455 988 Email: lists@nickshorey.com Skype: nick.shorey Twitter: @nickshorey LinkedIn: www.linkedin.com/in/nicklinkedin Web: www.nickshorey.com
On 8 Mar 2018, at 22:48, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> wrote:
Agree with Sara, we had the same issues with our offices as Michele and Chris.
Many thanks
Lindsay
Sent from my iPhone
On 8 Mar 2018, at 19:05, Chris Pelling <chris@netearth.net> wrote:
We also had to close our offices last week due to lack of actual employees being able to get in.
So I find Sara's argument totally acceptable.
Kind regards,
Chris
From: "Michele Neylon" <michele@blacknight.com> To: gdd-gnso-ppsai-impl@icann.org Sent: Thursday, 8 March, 2018 19:01:01 Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
We had to close our offices for two days last week due to the snow storm. Several of our staff had no electricity or internet connection for 24+ hours.
--
Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ https://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Sara Bockey <sbockey@godaddy.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday 8 March 2018 at 14:58 To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Sure, Steve.
There could be a hurricane, flooding, snow storm, earthquake (name a natural disaster) that could cause a power outage or worse. There could be a DDoS attack. A provider’s staff could be hit particularly hard by a flu (or insert potential pandemic here) and taking out half or all their staff. I’m not being melodramatic, just pointing out that the provision doesn’t take into account life going sideways. Things do happen outside of our control and to be in breach of contract in such circumstances is not acceptable.
sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey
This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Metalitz, Steven" <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 11:48 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Sara, sorry if I missed this, but could you give an example of the “extraordinary circumstances” you are referring to?
Steve Metalitz
Sent with BlackBerry Work (www.blackberry.com)
From: Sara Bockey <sbockey@godaddy.com> Date: Thursday, Mar 08, 2018, 11:04 AM To: gdd-gnso-ppsai-impl@icann.org <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Amy,
It seems clear that the additional language is necessary regardless of 4.2. It’s been raised repeatedly and agreed to by pretty much all of the registrars, so it’s unclear to me why you keep trying to remove it.
Additionally, it has been raised repeatedly and agreed to by pretty much all of the registrars that the 3 instances under 4.2.2 are not sufficient. There are extraordinary circumstances that could arise, as outlined previously. At the very least, we need to amend the language to say “including but not limited to”.
It’s incredibly frustrating that staff does not appear to hear what we are saying.
Sara
sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey
From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Amy Bivins <amy.bivins@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, March 8, 2018 at 8:04 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Lindsay!
I’ll note that in Section 4.2 (I’ve attached a copy of the specification as it looks now, with no changes), disclosure may be reasonably refused if disclosure would contravene applicable law.
What if we added something in this section 4.2, such that disclosure may be reasonably refused if a subpoena or a court order is required to obtain the requested information?
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Lindsay Hamilton-Reid Sent: Thursday, March 8, 2018 10:00 AM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Hi Amy
Thank you for the suggestion and while we have reworded another clause to compensate for the first part of your deletion, the part about court orders must remain. We will not provide information without a court order and will certainly not contravene applicable law. I know we are trying to find the right balance here but it must be reasonable. We will of course do what we can to help law enforcement but we are not here for the benefit of LEAs and do have the rights of our customers to protect, particularly in view of the GDPR and the upcoming ePrivacy regulations.
Many thanks
Lindsay
Lindsay Hamilton-Reid Senior Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk www.fasthosts.co.uk www.1and1.co.uk
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: 08 March 2018 12:07 To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Thanks, Peter, for your input on this. I’m noticing that while you aren’t happy with the proposed one business day requirement, you didn’t say that it’s a definite non-starter, either. Perhaps there is some room for compromise.
Sara and other registrars who supported Sara’s proposed language, how would you feel about trimming the proposal to account for the discussion on Tuesday about points that are already covered elsewhere in the framework? If we did that, it would look something like this (edit to Sara’s proposal in redline):
4.1.2 Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day., noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
As proposed below, we could also update 3.1 to make abundantly clear that this is a direct LEA contact to the provider’s designated LEA contact, which may be an email address, form, phone number, or any other means the provider has shared with LEA. There must be a way for LEA to obtain the designated contact via the website (even instructions to call the provider’s main number would seem to satisfy this request) but the contact itself does not have to be posted on the website.
3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
If the language looked like this, for compliance purposes we could use some additional clarity about what it means for a provider to “use its best efforts to action the request within one business day.”
Sara and other registrars who support this proposal, if we kept the “one business day” standard, would you be able to compromise by editing this a bit to make clear that a human (non-automated) response would be required within one business day of receipt of the request (perhaps by simply reverting to the word “action” if we were to clearly define that as discussed previously)?
Peter, what would you and your PSWG colleagues think about this?
Thanks, all for your continued attention to this matter. Hopefully, we can reach a conclusion on this while many of you are at ICANN61 in Puerto Rico.
I’ll note that the poll is still open through EOD Friday, https://www.surveymonkey.com/r/CMGF8FZ. As of now, there are 18 responses. Four IRT members support raising this issue to the Council, and 14 oppose that (including some registrars).
Best, Amy
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Roman, Peter (CRM) Sent: Wednesday, March 7, 2018 1:08 PM To: gdd-gnso-ppsai-impl@icann.org Subject: Re: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
FWIW, I am not very happy with the one business day requirement to action the law enforcement High Priority request. Even a 24 hour window is too long. This is an emergency, that’s why we will be using this process. It really should be actioned more or less immediately. If it didn’t need immediate attention, we wouldn’t be using the High Priority process.
Peter Roman
Senior Counsel Computer Crime & Intellectual Property Section Criminal Division Department of Justice 1301 New York Ave., NW Washington, DC 20530 (202) 305-1323 peter.roman@usdoj.gov
From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Amy Bivins Sent: Tuesday, March 6, 2018 11:42 AM To: gdd-gnso-ppsai-impl@icann.org Subject: [Gdd-gnso-ppsai-impl] Action items from today's IRT call
Dear Colleagues,
Thank you for your participation on today’s privacy/proxy IRT call. If you couldn’t attend, I encourage you to listen to the recording, https://community.icann.org/display/IRT/06+March+2018
If you haven’t already, please complete the IRT poll regarding the potential policy implications surrounding the IRT discussions on the LEA framework specification no later than Friday, https://www.surveymonkey.com/r/CMGF8FZ. Currently, two IRT members have indicated that they believe the issue should be escalated to the Council. Fourteen responded that this should not be escalated to the Council at this stage.
Today, we solicited any additional feedback related to the draft reporting specification. I’ve attached a draft with some notes indicating the feedback received to date. We will begin updating the specification based on this feedback, and will consider any additional feedback received between now and the end of the IRT session at ICANN61 in updating the draft.
We also discussed a proposal from Sara Bockey on-list, which has been supported by several other registrar members of the IRT, for alternative language for the LEA Framework Specification.
The proposed language is:
4.1.2 Where a disclosure request has been categorized as High Priority, this must be actioned within 24 hours. The LEA Requestor will detail the threat type and justification for a request with a Priority Level of High Priority. Where a disclosure request has been categorized as High Priority, LEA will make every effort to contact the Provider directly to discuss the matter, and should it be determined that Provider has useful information, Provider shall use its best efforts to action the request within one business day, noting that a court order/subpoena may still be required prior to release of any information. Registrar will not be required to take any action in contravention of applicable law.
Based on the discussion today, it’s possible that an edit could potentially be made in Section 3.1, to eliminate the perceived need for the “contact the Provider directly” language, such as: 3.1 Pre‐Request: Provider will establish and maintain a designated LEA Requestor point of contact for submitting disclosure requests. Provider shall publish on its website the designated contact (e.g. email address, telephone number, form) or other means for LEA to obtain designated LEA contact information).
I’ll note that because LEA are not a party to this contract, I don’t think they could be required via this contract to “make every effort,” so that may be a point to consider. Also, the draft already states, at Section 4.2.2.2 that a Provider can refuse disclosure if the disclosure would lead to a contravention of applicable law. Concerns have also been raised about the “best efforts” language.
IRT feedback is requested on-list on the above proposed language. If IRT members who oppose the current PSWG-proposed text can reach agreement on proposed language, this can be published for public comment. This will be on the agenda for the session on Sunday at ICANN61. A full agenda will be distributed later this week. In addition, if the IRT would like to discuss any items from the updated PPAA draft in Puerto Rico, please let me know.
Best, Amy
Amy E. Bivins Registrar Services and Engagement Senior Manager Registrar Services and Industry Relations Internet Corporation for Assigned Names and Numbers (ICANN) Direct: +1 (202) 249-7551 Fax: +1 (202) 789-0104 Email: amy.bivins@icann.org www.icann.org
_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
participants (10)
- Amy Bivins
- Chris Pelling
- Lindsay Hamilton-Reid
- Metalitz, Steven
- Michele Neylon - Blacknight
- Nick Shorey
- Roman, Peter (CRM)
- Sara Bockey
- Theo Geurts
- Vlad Dinculescu