Dear colleagues,
For the record, as indicated in the GAC Public comment (and other public comments), the GAC favors retaining the currently proposed 24 hour timing to respond to “Urgent Requests” as commensurate with the emergency
nature of these requests. Our remarks from our public comment are set forth here:
GAC Comments on the Draft Registration Data Consensus Policy for gTLDs - 21 November 2022 Pages 6-7
Section 10. Disclosure Requests
Paragraph 10.6 regarding Urgent Requests for Disclosure misapplies the approved Phase 1 policy recommendations
by failing to implement expedited timeframes consistent with the nature of responding to emergency requests for
disclosure. For context, EPDP Recommendation 18 stated that:
A separate timeline of [less than X business days] will [be] considered for the response to ‘Urgent’ Reasonable
Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure
[time frame to be finalized and criteria set for Urgent requests during implementation]. [Emphasis added].
Notably, the Phase 1 Recommendations highlighted that these urgent requests relate to “an immediate need for
disclosure.” The implementation team defined urgent requests (Definition 3.8) in a manner consistent with such
an
immediate need:
“Urgent Requests for Lawful Disclosure” are limited to circumstances that pose an imminent threat to life,
serious bodily injury, critical infrastructure, or child exploitation in cases where disclosure of the data is
necessary in combatting or addressing this threat. Critical infrastructure means the physical and
cybersystems that are vital in that their incapacity or destruction would have a debilitating impact on
economic security or public safety.
As stressed in the section pertaining to definition, the GAC recommends to include in the scope of urgent requests
other circumstances generating an immediate need for disclosure and which would otherwise be included in the
regular requests (maximum response time of 30 days), in particular significant cybersecurity threats or incidents
(such as those deriving from large scale ransomware, malware or botnet campaigns) regardless of whether the target
is critical infrastructure.
Furthermore, in relation to the timeline, the GAC notes that despite the immediate need for such information,
the
implementation team construed the Phase 1 recommendations to permit a two business-day response period
followed by one business-day extension under certain circumstances. Put simply, three business days (which could
stretch to seven calendar days depending on weekends and intervening holidays) is not a reasonable time period
for
responding to urgent requests. This is especially true because “urgent” requests apply only to emergency situations
involving imminent threats to life and critical infrastructure among other things.
The implementation team misinterpreted the Phase 1 recommendations by applying the same two business-day
acknowledgment period for general requests to urgent requests. This flawed interpretation had the effect of
prolonging the timeframe to respond to an urgent request. However, the foundational logic of dealing with “urgent”
requests separately was to streamline the entire process because these requests deal with time-sensitive matters
that involve threats to life, safety, or vital infrastructure. Hence, it would be neither reasonable nor logical
to view
the 2-day acknowledgement provision as overriding or extending the separate timeline for responding to urgent
requests. More specifically, the acknowledgement time for general requests should not delay the contemplated
expedited timeline for urgent requests. The GAC believes that this interpretation conflicts with the clear Phase
1
directive to develop “a separate timeline” for the response to urgent requests. The GAC recommends that the
implementation team must revisit this issue to ensure that responses to urgent requests are in fact expedited
in a
manner consistent with an emergency response.
We support the outcome of ICANN.Org’s assessment and response to the public comments on this important public safety issue.
Kind regards,
Laureen Kapin
Assistant Director for International Consumer Protection
Office of International Affairs
Federal Trade Commission
lkapin@ftc.gov
