Dear colleagues, For the record, as indicated in the GAC Public comment (and other public comments), the GAC favors retaining the currently proposed 24 hour timing to respond to "Urgent Requests" as commensurate with the emergency nature of these requests. Our remarks from our public comment are set forth here: GAC Comments on the Draft Registration Data Consensus Policy for gTLDs - 21 November 2022 Pages 6-7 Section 10. Disclosure Requests Paragraph 10.6 regarding Urgent Requests for Disclosure misapplies the approved Phase 1 policy recommendations by failing to implement expedited timeframes consistent with the nature of responding to emergency requests for disclosure. For context, EPDP Recommendation 18 stated that: A separate timeline of [less than X business days] will [be] considered for the response to 'Urgent' Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation]. [Emphasis added]. Notably, the Phase 1 Recommendations highlighted that these urgent requests relate to "an immediate need for disclosure." The implementation team defined urgent requests (Definition 3.8) in a manner consistent with such an immediate need: "Urgent Requests for Lawful Disclosure" are limited to circumstances that pose an imminent threat to life, serious bodily injury, critical infrastructure, or child exploitation in cases where disclosure of the data is necessary in combatting or addressing this threat. Critical infrastructure means the physical and cybersystems that are vital in that their incapacity or destruction would have a debilitating impact on economic security or public safety. As stressed in the section pertaining to definition, the GAC recommends to include in the scope of urgent requests other circumstances generating an immediate need for disclosure and which would otherwise be included in the regular requests (maximum response time of 30 days), in particular significant cybersecurity threats or incidents (such as those deriving from large scale ransomware, malware or botnet campaigns) regardless of whether the target is critical infrastructure. Furthermore, in relation to the timeline, the GAC notes that despite the immediate need for such information, the implementation team construed the Phase 1 recommendations to permit a two business-day response period followed by one business-day extension under certain circumstances. Put simply, three business days (which could stretch to seven calendar days depending on weekends and intervening holidays) is not a reasonable time period for responding to urgent requests. This is especially true because "urgent" requests apply only to emergency situations involving imminent threats to life and critical infrastructure among other things. The implementation team misinterpreted the Phase 1 recommendations by applying the same two business-day acknowledgment period for general requests to urgent requests. This flawed interpretation had the effect of prolonging the timeframe to respond to an urgent request. However, the foundational logic of dealing with "urgent" requests separately was to streamline the entire process because these requests deal with time-sensitive matters that involve threats to life, safety, or vital infrastructure. Hence, it would be neither reasonable nor logical to view the 2-day acknowledgement provision as overriding or extending the separate timeline for responding to urgent requests. More specifically, the acknowledgement time for general requests should not delay the contemplated expedited timeline for urgent requests. The GAC believes that this interpretation conflicts with the clear Phase 1 directive to develop "a separate timeline" for the response to urgent requests. The GAC recommends that the implementation team must revisit this issue to ensure that responses to urgent requests are in fact expedited in a manner consistent with an emergency response. We support the outcome of ICANN.Org's assessment and response to the public comments on this important public safety issue. Kind regards, Laureen Kapin Assistant Director for International Consumer Protection Office of International Affairs Federal Trade Commission lkapin@ftc.gov
