Hi Steve, I would imagine that this may occur, I've no idea if it's frequent. *Sarah Wyld, CIPP/E* Policy & Privacy Manager Pronouns: she/they swyld@tucows.com On 2024-02-15 2:47 p.m., Steve Crocker wrote:
Sarah,
You mentioned notifying the data subject. For clarification, are there circumstances where the data subject would be consulted before the registrar makes the decision whether to disclose the data? This is distinct from whether the data subject is notified of the request.
Thanks,
Steve
Sent from my iPhone
On Feb 15, 2024, at 2:41 PM, Sarah Wyld <swyld@tucows.com> wrote:
Hi,
Why do you say the requests aren't making it to the point of approval or denial? It sounds like because the request includes the confidentiality request and the registrar is not able to disclose the data without notifying the data subject that it is denied.
Regarding "/a non-RDRS external link is provided for reissuance of the request via non-RDRS means/", this is expected - the RDRS was not built to send information back and forth when the request is incomplete and needs to be supplemented, and I seem to recall feedback from LEA earlier in this RDRS process saying that adequate due process would generally be provided directly to the Registrar, not through RDRS, for confidentiality reasons. We've noted already that once a request is marked as 'denied' in RDRS it can't be updated even if the requestor then provides more information and it can be approved; perhaps altering that would help in this situation.
When you say "/the desire here is to collaborate on a solution to whatever issue(s) may be preventing participating registrars from being able to process requests when the box is ticked/", I think the issue at hand is a legal obligation to notify the data subject about the disclosure, in the absence of some legal obligation /not /to do so, such as a warrant, subpoena, or other due process in the relevant jurisdiction. I'm not sure that addressing this is within the purview of the RDRS Small Team; it may be better suited for RrSG/GAC discussions as it is not related to RDRS functionality or data gathering but is instead a question of how the registrar makes the disclosure decision.
Thanks,
*Sarah Wyld, CIPP/E*
Policy & Privacy Manager Pronouns: she/they
swyld@tucows.com
On 2024-02-15 12:24 p.m., Gabriel Andrews wrote:
Poor choice of words on my part, Sarah, and fair to correct me, as the requests aren’t even making it to the point of approval vs denial.
Instead, we’re being told that when the confidentiality box is checked, that the participating registrar(s) ~“isn’t able to process confidential requests through RDRS at this time”, and a non-RDRS external link is provided for reissuance of the request via non-RDRS means. So the desire here is to collaborate on a solution to whatever issue(s) may be preventing participating registrars from being able to process requests when the box is ticked. This can happen privately or via Standing Committee, as those registrars prefer, but it seemed quite worth noting in RDRS SC contexts, as it impacts both data collected as well as our understanding of what technical/policy features are needed for this or future request systems to be able to process confidential requests.
*From:* Sarah Wyld <swyld@tucows.com> *Sent:* Thursday, February 15, 2024 8:30 AM *To:* Andrews, Gabriel F. (STB) (FBI) <gfandrews@fbi.gov>; gnso-rdrs-sc@icann.org *Subject:* Re: [EXTERNAL EMAIL] - Re: [Gnso-rdrs-sc] First Report questions
Hi all,
Apologies if this is nitpicky, but I think it's important to understand that there are no automated denials in RDRS.
Each request is reviewed and updated by a human; although it may be the case that all requests with the confidentiality checkbox were denied, it is not automatic.
*Sarah Wyld, CIPP/E*
Policy & Privacy Manager Pronouns: she/they
swyld@tucows.com
On 2024-02-14 12:39 p.m., Gabriel Andrews wrote:
Concur I’d find that information useful. I’m not sure about review period 1, but I’m certain there were instances of the confidentiality checkbox being used since (as automatic denials associated with the box being checked is an item of feedback from LEA requestors).
*From:* Gnso-rdrs-sc <gnso-rdrs-sc-bounces@icann.org> <mailto:gnso-rdrs-sc-bounces@icann.org> *On Behalf Of *Sarah Wyld *Sent:* Wednesday, February 14, 2024 7:20 AM *To:* gnso-rdrs-sc@icann.org *Subject:* [EXTERNAL EMAIL] - Re: [Gnso-rdrs-sc] First Report questions
Hi all,
I understand that a request in the LEA category can have a confidentiality request along with it (the special checkbox). Will there be metric on the use of this checkbox in future reports? I didn't find it in the first one, maybe nobody had used it when that report was generated.
Thanks,
*Sarah Wyld, CIPP/E*
Policy & Privacy Manager Pronouns: she/they
swyld@tucows.com
On 2024-01-25 9:17 a.m., Sarah Wyld wrote:
Hello all,
I've watched the meeting recording and reviewed the report, and have a couple questions.
Metric 10 was discussed during the meeting; the understanding I came away with was that although it shows that 80% of lookups were for domains registered with non-participating registrars, the actual distribution of lookup between participating and non-participating was about 50/50. It seemed that a large portion of the lookups for domains with participating registrars do not proceed to the request stage, so only 19% of those lookups turn into requests, leaving us with the impression that most lookups are for non-participating when that is actually not the case. If that understanding is correct (and I think it is, but it sure is convoluted upon re-reading it) can this be made more clear somehow in the report? *At this point the Metric 10 is comparing the lookup rate for domains with non-participating registrars against the actual /request/ rate for domains /with /participating registrars, which is not an 'apples to apples' comparison. *
There was also some discussion about request type vs request*or* type. Metric 8 is titled "Disclosure Requests by Requestor Type" but the chart itself has a column "Request Category". This may seem like a distinction without difference but I do think we should be consistent; are we categorizing the request itself, or the requestor? I think it's the request, since in RDRS the user selects a "request category". *Maybe this metric should simply be renamed to "Disclosure Requests by Category"? *
Thanks very much*,*
--
*Sarah Wyld, CIPP/E*
Policy & Privacy Manager Pronouns: she/they
swyld@tucows.com
_______________________________________________
Gnso-rdrs-sc mailing list
Gnso-rdrs-sc@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rdrs-sc
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
_______________________________________________ Gnso-rdrs-sc mailing list Gnso-rdrs-sc@icann.org https://mm.icann.org/mailman/listinfo/gnso-rdrs-sc
_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.