Re: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6
Thanks Roger and IRT for the productive discussion yesterday. We ended up spending most of the session on this topic but I thought it was well worth it. We reached a few important agreements. 1. Agreement: Acknowledgement (Ack) timeline requirement = 2 business days * Because the recommendation language does not differentiate between regular and urgent requests and specifies “not more than two (2) business days from receipt” the implementation language must reflect this as a requirement. * Some of the IRT had thought that the EPDP Team had asked the implementation team to come up with the acknowledgment timeline requirement for urgent requests, but after much discussion, we agreed that the recommendation requirement for 2 business days ACK applied to both regular and urgent requests. * Therefore, we consider the acknowledgement timeline discussion to be concluded at the 202010505 IRT meeting. 2. Agreement: Response timeline: Linear * One point of differing interpretation was centered around the concept of linear or parallel timeline. IRT was split on this but after discussion, it had reached an agreement that it is Linear. Liner and Parallel? i. Linear: total timeline = ack time + response time (additive) ii. Parallel: total timeline = response time (non-additive) * Ack timeline starts at the same time as the response time. * Since IRT agreed that Linear is the requirement, what’s left is the duration for the responses. 1. Agreement: Response timeline for Regular = 30 days * The policy recommendation has already specified “within maximum of 30 day.” So no further discussion was needed. 2. Outstanding work: Urgent request response time = ? * Recommendation did not specify the requirement but rather left it for the implementation team to figure decide. * The recommendation did, however, use the business days as the unit of time. “ [less than X business days]. * This means the job for the implementation is to come up with a number for X. To be clear, I am using some terms I’ve come up with to convey the requirements logic above to make it easier to understand for me and I hope for you as well. We will be crafting the policy language that reflects the understanding above and will ask the IRT to review. IRT ‘s input including drafts for policy languages are always welcomed. Thank you so much for your continued support to this complex policy implementation. Dennis Chang From: "IRT.RegDataPolicy" <irt.regdatapolicy-bounces@icann.org> on behalf of "Roger D Carney via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org> Reply-To: Roger D Carney <rcarney@godaddy.com> Date: Tuesday, April 20, 2021 at 11:13 To: "irt.regdatapolicy@icann.org" <irt.regdatapolicy@icann.org> Subject: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Good Afternoon, I thought it was probably easier to consume this information in an email versus trying to shoehorn it into comments on the OneDoc. After spending some more time reviewing Recommendation 18 (and resulting OneDoc section 11), I think I have been able to extract some useful bits of information that may help resolve any misunderstandings of the requirements from this recommendation. This is a bit lengthy, so you may want to grab a favorite drink and some snacks before you start reading:). I believe that the IRT generally agrees (please correct me if this is not the case) that sections 11.1-11.4, 11.7 and 11.8 make sense and seem to implement the relevant pieces of Recommendation 18 appropriately (though it does appear that there are some new changes occurring/occurred today, that will need to be reviewed). The concern and focus of discussions have been on sections 11.5 and 11.6. With that in mind. Paragraph 5 of Recommendation 18 makes the distinction between acknowledgement and response: "The EPDP Team recommends that criteria for a Reasonable Request for Lawful Disclosure and the requirements for acknowledging receipt of a request and response to such request will be defined as part of the implementation of these policy recommendations but will include at a minimum:" The "timeline section" of Recommendation 18 also makes this distinction between acknowledgement and response. Bullet 1 discusses specifically acknowledging of requests: "Response time for acknowledging receipt of a Reasonable Request for Lawful Disclosure. Without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible." Bullets two (response data) and three (logging) are not about timing but bullets four and five are and they specifically address the "response" to the request. Bullet four is about the response requirements for requests in general: "Response time for a response to the requestor will occur without undue delay, but within maximum of 30 days unless there are exceptional circumstances. Such circumstances may include the overall number of requests received. The contracted parties will report the number of requests received to ICANN on a regular basis so that the reasonableness can be assessed."; and bullet five is about response requirements for urgent requests: "A separate timeline of [less than X business days] will considered for the response to ‘Urgent’ Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation].". It appears the One Doc section 11.5 (general requests) does a pretty good job of separating these two concepts and addressing bullets one and four: "Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within 2 business days but no more than 3 calendar days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances." Three notes on these One Doc wording: 1) 3 calendar days is not part of the recommendation and I do not support the addition as it changes the requirements from the recommendation; 2) the One Doc wording does not contain the "unless shown circumstances does not make this possible." wording from the recommendation but does state "absent exceptional circumstances", not sure why the change; 3) Recommendation 18 states 30 days not 30 calendar days. But the One Doc section 11.6 (urgent requests) does not correctly separate the two concepts (acknowledge and response), nor does it accurately portray the wording in the recommendation. Section 11.6 actually conflates these two concepts (acknowledge and response) and in doing so no longer states the requirements correctly (creates new policy): "For an Urgent Reasonable Request for Lawful Disclosure which meets the format required by the Registrar or Registry Operator, Registrars and Registry Operators MUST acknowledge and respond without undue delay, but within 24 hours from receipt. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) calendar days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time." I don't know if it makes more sense to have two sections, one for acknowledgment and one for response (with two sub points: general and urgent) or if it is better like it is in the One Doc, one for general and one for urgent just repeating the acknowledgement wording. Here are a couple proposals; the first, similar to what the One Doc has now: * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances. * For an Urgent Reasonable Request, those Requests for which evidence is supplied to show an immediate need, for Lawful Disclosure, Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. As a second option, I think it may be easier/clearer to read/understand like this (which aligns much closer to Recommendation 18 wording): * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt. * Registrars and Registry Operators MUST respond to a Reasonable Request for Lawful Disclosure: * For an Urgent Request, those Requests for which evidence is supplied to show an immediate need: without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. * For all other requests: without undue delay, but within thirty (30) days from receipt absent exceptional circumstances. I hope after reading this novel that I have been able to clarify what the requirements are from Recommendation 18. Thanks Roger
I must disagree with the conclusion reached that the Acknowledgement timeframe of Rec. 18 applies to urgent requests. I regret that I could not join yesterday’s meeting. I appreciate your summary and Chris and I were also able to confer about this key issue for the law enforcement community. Both Chris and I participated in the Phase 1 deliberations and the timeline for urgent requests was always intended to be a separate topic from general requests. This conclusion is supported by the plain language of Rec. 18 which states that: • A separate timeline of [less than X business days] will considered for the response to ‘Urgent’ Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation][emphasis added]. I understand that this language does not explicitly speak to “acknowledgement.” However, the foundational logic of dealing with “urgent” requests separately was to streamline the entire process because these requests deal with time-sensitive matters that involve threats to life, safety, or vital infrastructure. Hence, it would be neither reasonable nor logical to view the 2-day acknowledgement provision as overriding or extending the separate timeline for responding to urgent requests. More specifically, the Acknowledgement time for general requests should not delay the contemplated expedited timeline for urgent requests. Therefore, I am registering our disagreement with the initial conclusions reflected below and requesting further consideration of this important topic. Kind regards, Laureen Kapin Counsel for International Consumer Protection Federal Trade Commission (202) 326-3237 From: IRT.RegDataPolicy <irt.regdatapolicy-bounces@icann.org> On Behalf Of Dennis Chang via IRT.RegDataPolicy Sent: Thursday, May 6, 2021 2:01 PM To: Roger D Carney <rcarney@godaddy.com>; Subject: Re: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Thanks Roger and IRT for the productive discussion yesterday. We ended up spending most of the session on this topic but I thought it was well worth it. We reached a few important agreements. 1. Agreement: Acknowledgement (Ack) timeline requirement = 2 business days * Because the recommendation language does not differentiate between regular and urgent requests and specifies “not more than two (2) business days from receipt” the implementation language must reflect this as a requirement. * Some of the IRT had thought that the EPDP Team had asked the implementation team to come up with the acknowledgment timeline requirement for urgent requests, but after much discussion, we agreed that the recommendation requirement for 2 business days ACK applied to both regular and urgent requests. * Therefore, we consider the acknowledgement timeline discussion to be concluded at the 202010505 IRT meeting. 2. Agreement: Response timeline: Linear * One point of differing interpretation was centered around the concept of linear or parallel timeline. IRT was split on this but after discussion, it had reached an agreement that it is Linear. Liner and Parallel? i. Linear: total timeline = ack time + response time (additive) ii. Parallel: total timeline = response time (non-additive) 1. Ack timeline starts at the same time as the response time. * Since IRT agreed that Linear is the requirement, what’s left is the duration for the responses. 1. Agreement: Response timeline for Regular = 30 days * The policy recommendation has already specified “within maximum of 30 day.” So no further discussion was needed. 2. Outstanding work: Urgent request response time = ? * Recommendation did not specify the requirement but rather left it for the implementation team to figure decide. * The recommendation did, however, use the business days as the unit of time. “ [less than X business days]. * This means the job for the implementation is to come up with a number for X. To be clear, I am using some terms I’ve come up with to convey the requirements logic above to make it easier to understand for me and I hope for you as well. We will be crafting the policy language that reflects the understanding above and will ask the IRT to review. IRT ‘s input including drafts for policy languages are always welcomed. Thank you so much for your continued support to this complex policy implementation. Dennis Chang From: "IRT.RegDataPolicy" <irt.regdatapolicy-bounces@icann.org> on behalf of "Roger D Carney via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org> Reply-To: Roger D Carney <rcarney@godaddy.com> Date: Tuesday, April 20, 2021 at 11:13 To: "irt.regdatapolicy@icann.org" <irt.regdatapolicy@icann.org> Subject: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Good Afternoon, I thought it was probably easier to consume this information in an email versus trying to shoehorn it into comments on the OneDoc. After spending some more time reviewing Recommendation 18 (and resulting OneDoc section 11), I think I have been able to extract some useful bits of information that may help resolve any misunderstandings of the requirements from this recommendation. This is a bit lengthy, so you may want to grab a favorite drink and some snacks before you start reading:). I believe that the IRT generally agrees (please correct me if this is not the case) that sections 11.1-11.4, 11.7 and 11.8 make sense and seem to implement the relevant pieces of Recommendation 18 appropriately (though it does appear that there are some new changes occurring/occurred today, that will need to be reviewed). The concern and focus of discussions have been on sections 11.5 and 11.6. With that in mind. Paragraph 5 of Recommendation 18 makes the distinction between acknowledgement and response: "The EPDP Team recommends that criteria for a Reasonable Request for Lawful Disclosure and the requirements for acknowledging receipt of a request and response to such request will be defined as part of the implementation of these policy recommendations but will include at a minimum:" The "timeline section" of Recommendation 18 also makes this distinction between acknowledgement and response. Bullet 1 discusses specifically acknowledging of requests: "Response time for acknowledging receipt of a Reasonable Request for Lawful Disclosure. Without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible." Bullets two (response data) and three (logging) are not about timing but bullets four and five are and they specifically address the "response" to the request. Bullet four is about the response requirements for requests in general: "Response time for a response to the requestor will occur without undue delay, but within maximum of 30 days unless there are exceptional circumstances. Such circumstances may include the overall number of requests received. The contracted parties will report the number of requests received to ICANN on a regular basis so that the reasonableness can be assessed."; and bullet five is about response requirements for urgent requests: "A separate timeline of [less than X business days] will considered for the response to ‘Urgent’ Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation].". It appears the One Doc section 11.5 (general requests) does a pretty good job of separating these two concepts and addressing bullets one and four: "Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within 2 business days but no more than 3 calendar days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances." Three notes on these One Doc wording: 1) 3 calendar days is not part of the recommendation and I do not support the addition as it changes the requirements from the recommendation; 2) the One Doc wording does not contain the "unless shown circumstances does not make this possible." wording from the recommendation but does state "absent exceptional circumstances", not sure why the change; 3) Recommendation 18 states 30 days not 30 calendar days. But the One Doc section 11.6 (urgent requests) does not correctly separate the two concepts (acknowledge and response), nor does it accurately portray the wording in the recommendation. Section 11.6 actually conflates these two concepts (acknowledge and response) and in doing so no longer states the requirements correctly (creates new policy): "For an Urgent Reasonable Request for Lawful Disclosure which meets the format required by the Registrar or Registry Operator, Registrars and Registry Operators MUST acknowledge and respond without undue delay, but within 24 hours from receipt. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) calendar days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time." I don't know if it makes more sense to have two sections, one for acknowledgment and one for response (with two sub points: general and urgent) or if it is better like it is in the One Doc, one for general and one for urgent just repeating the acknowledgement wording. Here are a couple proposals; the first, similar to what the One Doc has now: * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances. * For an Urgent Reasonable Request, those Requests for which evidence is supplied to show an immediate need, for Lawful Disclosure, Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. As a second option, I think it may be easier/clearer to read/understand like this (which aligns much closer to Recommendation 18 wording): * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt. * Registrars and Registry Operators MUST respond to a Reasonable Request for Lawful Disclosure: * For an Urgent Request, those Requests for which evidence is supplied to show an immediate need: without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. * For all other requests: without undue delay, but within thirty (30) days from receipt absent exceptional circumstances. I hope after reading this novel that I have been able to clarify what the requirements are from Recommendation 18. Thanks Roger
Good Afternoon, Thanks Laureen, yes it was a good call yesterday, sorry you had to miss it. There were a lot of great points in this discussion, and it might be good to have a listen to the call recording, specifically regarding the dissecting of requirements in Recommendation 18. Two items discussed yesterday that I don't think get enough attention in this discussion: maximum duration and LE. * Something that we talked quite a bit about yesterday that did not make it into Dennis' writeup was looking at the timelines not from the end (no later than) but from the beginning, I think we may have come close to agreeing on "without undue delay" yesterday (Thanks Marc for continuing to highlight this important idea). For example, Registrars and Registry Operators will acknowledge receipt, which meets the format required by the Registrar or Registry Operator, without undue delay but no later than two (2) business days. Responding text would also use this "without undue delay" terminology. * Law Enforcement was mentioned only a couple times yesterday, but I know that this topic has come up often. I know this has been said in several venues including this one I believe, but I think it is important to reiterate that Law Enforcement already have much quicker resolution paths to a majority of registered domains, then Recommendation 18 or the SSAD could provide. Additionally, there was a lot of discussion about how a lot of the Registrars and Registries will probably be auto-acknowledging many requests, so once again supporting the looking at the timeline from the beginning not the maximum (e.g. many acknowledgements will be minutes not days). As you have indicated, Recommendation 18 is clear and plainly makes a distinction between acknowledging and responding. This was universally agreed upon on the call yesterday as well. Additionally, as you pointed out, bullet 5 of the Timeline and Criteria section of Recommendation 18 provides details for Urgent Requests. Interestingly, "urgent" is only used twice in the entire final report and both times it is in this specific bullet 5 regarding responding to requests. You state that bullet 5, "...does not explicitly speak to acknowledgment...", and there is a reason for this, as acknowledgment is detailed in bullet 1. That is the reason bullet 4 also does not talk to acknowledgment either. Bullet 1 provides the time requirements for acknowledging and mentions nothing about the response. Bullet 4 specifically talks to the time requirements for responses in general, and mentions nothing about acknowledging. And bullet 5 specifically talks to the time requirements for the subset of responses that are deemed urgent, and nothing about acknowledging. As I break this down and think about it in more detail, it seems that you are not in disagreement with the outlined implementation conclusions per se, but that you are really disagreeing with Recommendation 18? Thanks Roger ________________________________ From: Kapin, Laureen <LKAPIN@ftc.gov> Sent: Thursday, May 6, 2021 1:22 PM To: Dennis Chang <dennis.chang@icann.org>; Roger D Carney <rcarney@godaddy.com>; LEWIS-EVANS, Christopher <Christopher.Lewis-Evans@nca.gov.uk> Cc: irt.regdatapolicy@icann.org <irt.regdatapolicy@icann.org> Subject: RE: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 I must disagree with the conclusion reached that the Acknowledgement timeframe of Rec. 18 applies to urgent requests. I regret that I could not join yesterday’s meeting. I appreciate your summary and Chris and I were also able to confer about this key issue for the law enforcement community. Both Chris and I participated in the Phase 1 deliberations and the timeline for urgent requests was always intended to be a separate topic from general requests. This conclusion is supported by the plain language of Rec. 18 which states that: • A separate timeline of [less than X business days] will considered for the response to ‘Urgent’ Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation][emphasis added]. I understand that this language does not explicitly speak to “acknowledgement.” However, the foundational logic of dealing with “urgent” requests separately was to streamline the entire process because these requests deal with time-sensitive matters that involve threats to life, safety, or vital infrastructure. Hence, it would be neither reasonable nor logical to view the 2-day acknowledgement provision as overriding or extending the separate timeline for responding to urgent requests. More specifically, the Acknowledgement time for general requests should not delay the contemplated expedited timeline for urgent requests. Therefore, I am registering our disagreement with the initial conclusions reflected below and requesting further consideration of this important topic. Kind regards, Laureen Kapin Counsel for International Consumer Protection Federal Trade Commission (202) 326-3237 From: IRT.RegDataPolicy <irt.regdatapolicy-bounces@icann.org> On Behalf Of Dennis Chang via IRT.RegDataPolicy Sent: Thursday, May 6, 2021 2:01 PM To: Roger D Carney <rcarney@godaddy.com>; Subject: Re: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Thanks Roger and IRT for the productive discussion yesterday. We ended up spending most of the session on this topic but I thought it was well worth it. We reached a few important agreements. 1. Agreement: Acknowledgement (Ack) timeline requirement = 2 business days * Because the recommendation language does not differentiate between regular and urgent requests and specifies “not more than two (2) business days from receipt” the implementation language must reflect this as a requirement. * Some of the IRT had thought that the EPDP Team had asked the implementation team to come up with the acknowledgment timeline requirement for urgent requests, but after much discussion, we agreed that the recommendation requirement for 2 business days ACK applied to both regular and urgent requests. * Therefore, we consider the acknowledgement timeline discussion to be concluded at the 202010505 IRT meeting. 2. Agreement: Response timeline: Linear * One point of differing interpretation was centered around the concept of linear or parallel timeline. IRT was split on this but after discussion, it had reached an agreement that it is Linear. Liner and Parallel? i. Linear: total timeline = ack time + response time (additive) ii. Parallel: total timeline = response time (non-additive) 1. Ack timeline starts at the same time as the response time. * Since IRT agreed that Linear is the requirement, what’s left is the duration for the responses. 1. Agreement: Response timeline for Regular = 30 days * The policy recommendation has already specified “within maximum of 30 day.” So no further discussion was needed. 2. Outstanding work: Urgent request response time = ? * Recommendation did not specify the requirement but rather left it for the implementation team to figure decide. * The recommendation did, however, use the business days as the unit of time. “ [less than X business days]. * This means the job for the implementation is to come up with a number for X. To be clear, I am using some terms I’ve come up with to convey the requirements logic above to make it easier to understand for me and I hope for you as well. We will be crafting the policy language that reflects the understanding above and will ask the IRT to review. IRT ‘s input including drafts for policy languages are always welcomed. Thank you so much for your continued support to this complex policy implementation. Dennis Chang From: "IRT.RegDataPolicy" <irt.regdatapolicy-bounces@icann.org> on behalf of "Roger D Carney via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org> Reply-To: Roger D Carney <rcarney@godaddy.com> Date: Tuesday, April 20, 2021 at 11:13 To: "irt.regdatapolicy@icann.org" <irt.regdatapolicy@icann.org> Subject: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Good Afternoon, I thought it was probably easier to consume this information in an email versus trying to shoehorn it into comments on the OneDoc. After spending some more time reviewing Recommendation 18 (and resulting OneDoc section 11), I think I have been able to extract some useful bits of information that may help resolve any misunderstandings of the requirements from this recommendation. This is a bit lengthy, so you may want to grab a favorite drink and some snacks before you start reading:). I believe that the IRT generally agrees (please correct me if this is not the case) that sections 11.1-11.4, 11.7 and 11.8 make sense and seem to implement the relevant pieces of Recommendation 18 appropriately (though it does appear that there are some new changes occurring/occurred today, that will need to be reviewed). The concern and focus of discussions have been on sections 11.5 and 11.6. With that in mind. Paragraph 5 of Recommendation 18 makes the distinction between acknowledgement and response: "The EPDP Team recommends that criteria for a Reasonable Request for Lawful Disclosure and the requirements for acknowledging receipt of a request and response to such request will be defined as part of the implementation of these policy recommendations but will include at a minimum:" The "timeline section" of Recommendation 18 also makes this distinction between acknowledgement and response. Bullet 1 discusses specifically acknowledging of requests: "Response time for acknowledging receipt of a Reasonable Request for Lawful Disclosure. Without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible." Bullets two (response data) and three (logging) are not about timing but bullets four and five are and they specifically address the "response" to the request. Bullet four is about the response requirements for requests in general: "Response time for a response to the requestor will occur without undue delay, but within maximum of 30 days unless there are exceptional circumstances. Such circumstances may include the overall number of requests received. The contracted parties will report the number of requests received to ICANN on a regular basis so that the reasonableness can be assessed."; and bullet five is about response requirements for urgent requests: "A separate timeline of [less than X business days] will considered for the response to ‘Urgent’ Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation].". It appears the One Doc section 11.5 (general requests) does a pretty good job of separating these two concepts and addressing bullets one and four: "Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within 2 business days but no more than 3 calendar days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances." Three notes on these One Doc wording: 1) 3 calendar days is not part of the recommendation and I do not support the addition as it changes the requirements from the recommendation; 2) the One Doc wording does not contain the "unless shown circumstances does not make this possible." wording from the recommendation but does state "absent exceptional circumstances", not sure why the change; 3) Recommendation 18 states 30 days not 30 calendar days. But the One Doc section 11.6 (urgent requests) does not correctly separate the two concepts (acknowledge and response), nor does it accurately portray the wording in the recommendation. Section 11.6 actually conflates these two concepts (acknowledge and response) and in doing so no longer states the requirements correctly (creates new policy): "For an Urgent Reasonable Request for Lawful Disclosure which meets the format required by the Registrar or Registry Operator, Registrars and Registry Operators MUST acknowledge and respond without undue delay, but within 24 hours from receipt. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) calendar days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time." I don't know if it makes more sense to have two sections, one for acknowledgment and one for response (with two sub points: general and urgent) or if it is better like it is in the One Doc, one for general and one for urgent just repeating the acknowledgement wording. Here are a couple proposals; the first, similar to what the One Doc has now: * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances. * For an Urgent Reasonable Request, those Requests for which evidence is supplied to show an immediate need, for Lawful Disclosure, Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. As a second option, I think it may be easier/clearer to read/understand like this (which aligns much closer to Recommendation 18 wording): * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt. * Registrars and Registry Operators MUST respond to a Reasonable Request for Lawful Disclosure: * For an Urgent Request, those Requests for which evidence is supplied to show an immediate need: without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. * For all other requests: without undue delay, but within thirty (30) days from receipt absent exceptional circumstances. I hope after reading this novel that I have been able to clarify what the requirements are from Recommendation 18. Thanks Roger
Thanks for this context Roger. For clarification, I'm disagreeing with the interpretation of Rec. 18 as described in Dennis's email. It's my hope that most acknowledgments will be executed immediately via an automated response. It's also my hope that law enforcement can rely on a variety of paths in addition to the SSAD to quickly obtain the domain name registration information they need for urgent situations. Nevertheless, for those situations where law enforcement must rely on the SSAD for urgent requests, I want to make sure there are clear measures in place and that the Phase 1 team's intent to create a separate streamlined timeline for urgent requests is honored during implementation. I look forward to continued discussion of this topic. Kind regards, Laureen Kapin Counsel for International Consumer Protection Federal Trade Commission (202) 326-3237 From: IRT.RegDataPolicy <irt.regdatapolicy-bounces@icann.org> On Behalf Of Roger D Carney via IRT.RegDataPolicy Sent: Thursday, May 6, 2021 5:37 PM To: irt.regdatapolicy@icann.org Subject: Re: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Good Afternoon, Thanks Laureen, yes it was a good call yesterday, sorry you had to miss it. There were a lot of great points in this discussion, and it might be good to have a listen to the call recording, specifically regarding the dissecting of requirements in Recommendation 18. Two items discussed yesterday that I don't think get enough attention in this discussion: maximum duration and LE. * Something that we talked quite a bit about yesterday that did not make it into Dennis' writeup was looking at the timelines not from the end (no later than) but from the beginning, I think we may have come close to agreeing on "without undue delay" yesterday (Thanks Marc for continuing to highlight this important idea). For example, Registrars and Registry Operators will acknowledge receipt, which meets the format required by the Registrar or Registry Operator, without undue delay but no later than two (2) business days. Responding text would also use this "without undue delay" terminology. * Law Enforcement was mentioned only a couple times yesterday, but I know that this topic has come up often. I know this has been said in several venues including this one I believe, but I think it is important to reiterate that Law Enforcement already have much quicker resolution paths to a majority of registered domains, then Recommendation 18 or the SSAD could provide. Additionally, there was a lot of discussion about how a lot of the Registrars and Registries will probably be auto-acknowledging many requests, so once again supporting the looking at the timeline from the beginning not the maximum (e.g. many acknowledgements will be minutes not days). As you have indicated, Recommendation 18 is clear and plainly makes a distinction between acknowledging and responding. This was universally agreed upon on the call yesterday as well. Additionally, as you pointed out, bullet 5 of the Timeline and Criteria section of Recommendation 18 provides details for Urgent Requests. Interestingly, "urgent" is only used twice in the entire final report and both times it is in this specific bullet 5 regarding responding to requests. You state that bullet 5, "...does not explicitly speak to acknowledgment...", and there is a reason for this, as acknowledgment is detailed in bullet 1. That is the reason bullet 4 also does not talk to acknowledgment either. Bullet 1 provides the time requirements for acknowledging and mentions nothing about the response. Bullet 4 specifically talks to the time requirements for responses in general, and mentions nothing about acknowledging. And bullet 5 specifically talks to the time requirements for the subset of responses that are deemed urgent, and nothing about acknowledging. As I break this down and think about it in more detail, it seems that you are not in disagreement with the outlined implementation conclusions per se, but that you are really disagreeing with Recommendation 18? Thanks Roger ________________________________ From: Kapin, Laureen <LKAPIN@ftc.gov> Sent: Thursday, May 6, 2021 1:22 PM To: Dennis Chang <dennis.chang@icann.org>; Roger D Carney <rcarney@godaddy.com>; LEWIS-EVANS, Christopher <Christopher.Lewis-Evans@nca.gov.uk> Cc: irt.regdatapolicy@icann.org <irt.regdatapolicy@icann.org> Subject: RE: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 I must disagree with the conclusion reached that the Acknowledgement timeframe of Rec. 18 applies to urgent requests. I regret that I could not join yesterday's meeting. I appreciate your summary and Chris and I were also able to confer about this key issue for the law enforcement community. Both Chris and I participated in the Phase 1 deliberations and the timeline for urgent requests was always intended to be a separate topic from general requests. This conclusion is supported by the plain language of Rec. 18 which states that: * A separate timeline of [less than X business days] will considered for the response to 'Urgent' Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation][emphasis added]. I understand that this language does not explicitly speak to "acknowledgement." However, the foundational logic of dealing with "urgent" requests separately was to streamline the entire process because these requests deal with time-sensitive matters that involve threats to life, safety, or vital infrastructure. Hence, it would be neither reasonable nor logical to view the 2-day acknowledgement provision as overriding or extending the separate timeline for responding to urgent requests. More specifically, the Acknowledgement time for general requests should not delay the contemplated expedited timeline for urgent requests. Therefore, I am registering our disagreement with the initial conclusions reflected below and requesting further consideration of this important topic. Kind regards, Laureen Kapin Counsel for International Consumer Protection Federal Trade Commission (202) 326-3237 From: IRT.RegDataPolicy <irt.regdatapolicy-bounces@icann.org> On Behalf Of Dennis Chang via IRT.RegDataPolicy Sent: Thursday, May 6, 2021 2:01 PM To: Roger D Carney <rcarney@godaddy.com>; Subject: Re: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Thanks Roger and IRT for the productive discussion yesterday. We ended up spending most of the session on this topic but I thought it was well worth it. We reached a few important agreements. 1. Agreement: Acknowledgement (Ack) timeline requirement = 2 business days * Because the recommendation language does not differentiate between regular and urgent requests and specifies "not more than two (2) business days from receipt" the implementation language must reflect this as a requirement. * Some of the IRT had thought that the EPDP Team had asked the implementation team to come up with the acknowledgment timeline requirement for urgent requests, but after much discussion, we agreed that the recommendation requirement for 2 business days ACK applied to both regular and urgent requests. * Therefore, we consider the acknowledgement timeline discussion to be concluded at the 202010505 IRT meeting. 1. Agreement: Response timeline: Linear * One point of differing interpretation was centered around the concept of linear or parallel timeline. IRT was split on this but after discussion, it had reached an agreement that it is Linear. Liner and Parallel? i. Linear: total timeline = ack time + response time (additive) ii. Parallel: total timeline = response time (non-additive) 1. Ack timeline starts at the same time as the response time. * Since IRT agreed that Linear is the requirement, what's left is the duration for the responses. 1. Agreement: Response timeline for Regular = 30 days * The policy recommendation has already specified "within maximum of 30 day." So no further discussion was needed. 1. Outstanding work: Urgent request response time = ? * Recommendation did not specify the requirement but rather left it for the implementation team to figure decide. * The recommendation did, however, use the business days as the unit of time. " [less than X business days]. * This means the job for the implementation is to come up with a number for X. To be clear, I am using some terms I've come up with to convey the requirements logic above to make it easier to understand for me and I hope for you as well. We will be crafting the policy language that reflects the understanding above and will ask the IRT to review. IRT 's input including drafts for policy languages are always welcomed. Thank you so much for your continued support to this complex policy implementation. Dennis Chang From: "IRT.RegDataPolicy" <irt.regdatapolicy-bounces@icann.org> on behalf of "Roger D Carney via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org> Reply-To: Roger D Carney <rcarney@godaddy.com> Date: Tuesday, April 20, 2021 at 11:13 To: "irt.regdatapolicy@icann.org" <irt.regdatapolicy@icann.org> Subject: [IRT.RegDataPolicy] Homework Item #149 - Section 11.6 Good Afternoon, I thought it was probably easier to consume this information in an email versus trying to shoehorn it into comments on the OneDoc. After spending some more time reviewing Recommendation 18 (and resulting OneDoc section 11), I think I have been able to extract some useful bits of information that may help resolve any misunderstandings of the requirements from this recommendation. This is a bit lengthy, so you may want to grab a favorite drink and some snacks before you start reading:). I believe that the IRT generally agrees (please correct me if this is not the case) that sections 11.1-11.4, 11.7 and 11.8 make sense and seem to implement the relevant pieces of Recommendation 18 appropriately (though it does appear that there are some new changes occurring/occurred today, that will need to be reviewed). The concern and focus of discussions have been on sections 11.5 and 11.6. With that in mind. Paragraph 5 of Recommendation 18 makes the distinction between acknowledgement and response: "The EPDP Team recommends that criteria for a Reasonable Request for Lawful Disclosure and the requirements for acknowledging receipt of a request and response to such request will be defined as part of the implementation of these policy recommendations but will include at a minimum:" The "timeline section" of Recommendation 18 also makes this distinction between acknowledgement and response. Bullet 1 discusses specifically acknowledging of requests: "Response time for acknowledging receipt of a Reasonable Request for Lawful Disclosure. Without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible." Bullets two (response data) and three (logging) are not about timing but bullets four and five are and they specifically address the "response" to the request. Bullet four is about the response requirements for requests in general: "Response time for a response to the requestor will occur without undue delay, but within maximum of 30 days unless there are exceptional circumstances. Such circumstances may include the overall number of requests received. The contracted parties will report the number of requests received to ICANN on a regular basis so that the reasonableness can be assessed."; and bullet five is about response requirements for urgent requests: "A separate timeline of [less than X business days] will considered for the response to 'Urgent' Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation].". It appears the One Doc section 11.5 (general requests) does a pretty good job of separating these two concepts and addressing bullets one and four: "Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within 2 business days but no more than 3 calendar days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances." Three notes on these One Doc wording: 1) 3 calendar days is not part of the recommendation and I do not support the addition as it changes the requirements from the recommendation; 2) the One Doc wording does not contain the "unless shown circumstances does not make this possible." wording from the recommendation but does state "absent exceptional circumstances", not sure why the change; 3) Recommendation 18 states 30 days not 30 calendar days. But the One Doc section 11.6 (urgent requests) does not correctly separate the two concepts (acknowledge and response), nor does it accurately portray the wording in the recommendation. Section 11.6 actually conflates these two concepts (acknowledge and response) and in doing so no longer states the requirements correctly (creates new policy): "For an Urgent Reasonable Request for Lawful Disclosure which meets the format required by the Registrar or Registry Operator, Registrars and Registry Operators MUST acknowledge and respond without undue delay, but within 24 hours from receipt. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) calendar days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time." I don't know if it makes more sense to have two sections, one for acknowledgment and one for response (with two sub points: general and urgent) or if it is better like it is in the One Doc, one for general and one for urgent just repeating the acknowledgement wording. Here are a couple proposals; the first, similar to what the One Doc has now: * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within thirty (30) calendar days from receipt absent exceptional circumstances. * For an Urgent Reasonable Request, those Requests for which evidence is supplied to show an immediate need, for Lawful Disclosure, Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt, and MUST respond without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. As a second option, I think it may be easier/clearer to read/understand like this (which aligns much closer to Recommendation 18 wording): * Registrars and Registry Operators MUST acknowledge receipt of a Reasonable Request for Lawful Disclosure within two (2) business days from receipt. * Registrars and Registry Operators MUST respond to a Reasonable Request for Lawful Disclosure: * For an Urgent Request, those Requests for which evidence is supplied to show an immediate need: without undue delay, but within one (1) business day from receipt absent exceptional circumstances. If responding to an Urgent Reasonable Request for Lawful Disclosure is complex, or a large number of requests are received by a Registrar or a Registry Operator within a 24 hour period, Registrars or Registry Operators MAY extend the time for response up to an additional two (2) business days from the date of receipt of the Urgent Reasonable Request for Lawful Disclosure, provided Registrars or Registry Operators provide notice to the requestor within the initial 24 hour period and explain the need for an extension of time. * For all other requests: without undue delay, but within thirty (30) days from receipt absent exceptional circumstances. I hope after reading this novel that I have been able to clarify what the requirements are from Recommendation 18. Thanks Roger
participants (3)
-
Dennis Chang -
Kapin, Laureen -
Roger D Carney