I listened to the discussion today regarding the proper language to put into the contract regarding Urgent requests. The components of the discussion seem to be:
- There's been a lot of discussion and some degree of process decisions in the past that addresses the response time requirements for Urgent requests. These discussions are focused on time frames that vary between 24 hours and three business days, with various formulations in between
- "Urgent" requests are defined very precisely and involve immediate risk to life or limb.
- There is no data on how often such requests have occurred in the past. The best guess is this happens extremely rarely.
- In the few cases where an Urgent situation, i.e. one that meets the definition, or a similarly high priority situation occurs, law enforcement personnel use every means available to reach the relevant people.
- Registrars work cooperatively and briskly with the relevant authorities when they are notified of a high priority situation.
- Requests from unknown sources
- In appropriate disclosure of sensitive information
- Complaints to ICANN that they haven't responded within the mandated time frame.
- ICANN staff seems to be focused on adhering to prior consensus and finishing the work in a timely fashion.
These elements do not fit together in any coherent or meaningful way. Attempting to plow forward is a mistake. (Law of holes:
if you find yourself in a hole, stop digging. -- https://en.wikipedia.org/wiki/Law_of_holes)
It seems to me a much simpler and more effective solution is the following:
- Every registrar must have a designated point of contact for high priority situations. This information does NOT need to be publicly available. Instead, the information should be available to trusted parties.
There is little risk involved in disclosing information to trusted parties. They are identified and accountable, and the disclosure is made in good faith.
- Requests and disclosure made via this solution should be documented and reported appropriately.
- There is no need for contractual language that sets forth a specific timeline. The requirement for a point of contact is all that's needed in the contract.
As a separate but related matter, I believe there is similar treatment for reports of DNS Abuse. If a similar structure has already been agreed to for DNS Abuse, it's puzzling why the same solution is not being used for both purposes.
Steve