Gemma,

Thanks for circulating these answers. I have added my answers, prefaced with my initials, SDC.

Thanks,

Steve

1.The ICANN Board and GNSO Council agreed that responses to Urgent requests should be provided in minutes or hours and not in days. Do IRT members agree that if 24 hours equates to 1 calendar day, then a response to an urgent request cannot take longer than 24 hours and cannot be in business days?

Yes. As has been discussed in recent trilateral meetings of the GAC, GNSO and ICANN Board and has been reflected earlier in the GAC ICANN77 communiqué, and then again in the ICANN82 communiqué, and given the exceptional circumstances underpinning urgent requests and the vital public safety interests related to them, responding to such requests within 24 hours is considered an appropriate response time in order to fulfil their purpose.

SDC: The trilateral meeting of the GAC, GNSO and ICANN Board -- or was it really ICANN staff? -- apparently reached an agreement that two hours to acknowledge and 24 hours to respond were sufficient. This is broken in at least two ways.

1. It is up to the PSWG to specify what the required response time needs to be. The registrars can say whatever they want about how long they would like to take, but that's a separate issue. Further, the specification of the required response needs to be tied to some sort of documentation. So far, the GAC has not provided any documentation or references that provide a basis for specifying the required response time. To an ordinary person, the common sense reading of the *importance* of an Urgent Request, viz immediate harm to a person, child endangerment, or immediate threat to critical infrastructure suggests the *urgency* is likely seconds or minutes, not hours or days.

Without some sort of study, documentation or other basis for specification of the urgency, there is no basis for development of a policy and imposing requirements on the registrars.

2. The response from the registrars that even if the requesting law enforcement agent or agency is authenticated they still need to have an attorney review and approve the request is questionable. As noted, the registrar will not be given details of the investigation. What do they need to know in addition to the authentication of the law enforcement agent/agency? If they also need to know the jurisdiction of the requestor or other factors, these can easily be included in the authentication process. There is no reason responses to Urgent Requests cannot be automated for a significant fraction of the likely cases.

2. Do IRT members agree that a timeline to respond to an urgent request measured in another unit than business days can be implemented consistent with Recommendation 18 ?

SDC: Absolutely not. Using days, whether it's calendar or business days, makes a mockery of the whole notion of "Urgent Requests."

Yes. Recommendation 18 refers to urgent requests as those for which “evidence is supplied to show an immediate need for disclosure”. It furthermore defers to the IRT to define the timeline, while the tentative ceiling of “less than X business days” is only a departing point for discussion.

3. Taking into consideration that specifics about the investigation will not be provided, what additional overarching requirements do contracted parties need to quickly review an urgent request and minimize the amount of time needed to provide a response?

[n/a – question for CPs]

SDC: I asked this question during the last meeting. The registrars remained silent. This is unacceptable.

4. If an authenticated entity submits a request that specifies its jurisdiction and asserts that the urgent request falls under categories such as imminent threat to life, serious bodily injury, critical infrastructure, or child exploitation, is that sufficient to provide a response to the requester within 24 hours

This should be sufficient but we are open for further considerations from the contracted parties, with the caveat that LEAs cannot be asked to disclose sensitive details concerning their investigations.

SDC: If the LEAs have a legitimate need for immediate responses, then 24 hours is not acceptable. If the LEAs do not need a response in less than 24 hours, then the word "Urgent" is inappropriate.

From: Isabelle Colas-Adeshina via IRT.RegDataPolicy <irt.regdatapolicy@icann.org>
Sent: Friday, May 9, 2025 1:19 AM
To: irt.regdatapolicy@icann.org
Subject: [IRT.RegDataPolicy] Update on 14 May IRT Session and Request for Feedback

Dear IRT Members,

We want to express our gratitude for your participation and the insightful discussions in our recent IRT session on 23 April regarding the urgent request response timeline. We plan to use your feedback to facilitate the next discussion on 21 May and to identify the next steps for determining an appropriate response time.

Unfortunately, we must cancel our upcoming session scheduled for Wednesday, 14 May due to scheduling conflicts. We are keeping the two additional sessions planned: on Wednesday, 21 May, and during ICANN83 on Tuesday, 10 June.

During the last discussion on the 23rd, the IRT members raised several interesting points and perspectives, and based on those, we prepared a few slides containing questions to consider with your stakeholder groups. Please review the attached slides and the follow-up questions and provide your responses on the list.

For those of you who attended the CPH Summit, I hope you enjoyed your time in Hanoi.

Thank you for your continued engagement.

Kind Regards,

--

Isabelle Colas-Adeshina

Sr. Manager, Policy Research & Stakeholder Programs

Internet Corporation for Assigned Names and Numbers (ICANN)

Los Angeles, CA

www.icann.org

Mobile: +1 310 266 7469

_______________________________________________
IRT.RegDataPolicy mailing list -- irt.regdatapolicy@icann.org
To unsubscribe send an email to irt.regdatapolicy-leave@icann.org

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.