[NCUC-EC] FW: EPDP On the Temporary Specification for gTLD Registration Data - Phase 2 - Public Comment Proceeding Input Form

Mueller, Milton L milton at gatech.edu
Tue Mar 10 21:20:33 CET 2020



From: Google Forms <forms-receipts-noreply at google.com>
Sent: Tuesday, February 18, 2020 3:42 PM
To: Mueller, Milton L <milton at gatech.edu>
Subject: EPDP On the Temporary Specification for gTLD Registration Data - Phase 2 - Public Comment Proceeding Input Form

[Google Forms]

Thanks for filling out EPDP On the Temporary Specification for gTLD Registration Data - Phase 2 - Public Comment Proceeding Input Form<https://docs.google.com/forms/d/e/1FAIpQLSfl07TB3pwE0KRLmg_6qBYrzA0_-sWjI9oIPz7fyP9ujGw1Tg/viewform?usp=mail_form_link>
Here's what we got from you:
Edit response<https://docs.google.com/forms/d/e/1FAIpQLSfl07TB3pwE0KRLmg_6qBYrzA0_-sWjI9oIPz7fyP9ujGw1Tg/viewform?edit2=2_ABaOnuf3xfw5F1ZduqDQiXXXXcqdUfyPScbz1W5uctu-sRxvpPSa4P5cW_OXvQQXlIItATE>
EPDP On the Temporary Specification for gTLD Registration Data - Phase 2 - Public Comment Proceeding Input Form



Email address *
milton at gatech.edu<mailto:milton at gatech.edu>
Important Instructions - PLEASE READ BEFORE PROCEEDING
This Public Comment forum seeks community feedback on the Initial Report published by the Expedited Policy Development Process (EPDP) Team on the Temporary Specification for gTLD Registration Data. This is a new format for collecting public comment. It seeks to: -- Clearly link comments to specific sections of the initial report -- Encourage commenters to provide reasoning or rationale for their opinions -- Enable the sorting of comment so that the EPDP team can more easily read all the comments on any one topic There is no obligation to complete all sections within this form – respond to as many or as few questions as desired. Additionally, there is the opportunity to provide comments on the general content of the Initial Report or on new issues not raised by the Initial Report. To preview all questions in the Google Form, please refer to a Word version of this form here here's the link to the Word doc: <INSERT NEW LINK> As you review the "Questions for Community Input" in the Initial Report, you will note that there is not a 1:1 correspondence with the questions asked in the Public Comment format. This is because, in some instances, the "Questions for Community Input" have been divided into multi-part questions so that feedback on these questions would be clear. The Initial Report and Comment Forum have been reviewed to ensure that all the "Questions for Community Input" have been addressed in this Comment Forum. It is important that your comments include rationale (i.e., by answering the “rationale” question in each section). This is not a vote. The EPDP team is interested in your reasoning so that the conclusions reached and the issues discussed by the team can be tested against the reasoning of others. (This is much more helpful than comments that simply “agree” or “disagree”). You can easily navigate from page to page in the form. There is a table of contents below so that you can “fast forward” to the desired section by hitting “next” at the bottom of each page. To preview this entire form in Word format, see the link to the Word doc: <INSERT NEW LINK> To stop and save your work for later, you MUST (to avoid losing your work): 1. Provide your email address above in order to receive a copy of your submitted responses; 2. Click "Submit" at the end of the Google Form (the last question on every page allows you to quickly jump to the end of the Google Form to submit); 3. After you click "Submit," you will receive an email to the above-provided email address; within the email, click the "Edit Response" button at top of the email; 4. After you click the "Edit Response" button, you will be directed to the Google Form to return and complete; 5. Repeat the above steps 2-4 every time you wish to quit the form and save your progress. NOTES: -- Please refer to the specific recommendation and relevant section or page number of the Initial Report for additional details and context about each recommendation. Where applicable, you are encouraged to reference sections in the report for ease of the future review by the EPDP Team. --Your comments should take into account scope of the EPDP as described by the Charter and General Data Protection Regulation (GDPR) compliance. --For transparency purposes, all comments submitted to the Public Comment forum will be displayed publicly via an automatically-­generated Google Spreadsheet when the commenter hits the “Submit” button. Email addresses provided by commenters will not be displayed. --To maximize the visibility of your comments to the EPDP Team, please submit your comments via this form only. If you are unable to use this form, alternative arrangements can be made. --Please note there is a character limit of 2000 characters when submitting a response. In the event you encounter a character limit, you may send an email to policy-staff at icann.org<mailto:policy-staff at icann.org>, and the EPDP Support Staff will assist you with your response. --The final date of the public comment proceeding is 23:59 UTC on 23 March 2020. Any comments received after that date will not be reviewed / discussed by the EPDP Team.

Table of Contents
Page 1: Email Address, Important Instructions, Table of Contents Page 2: Consent & Authorization Page 3: EPDP Team Phase 2 Recommendations #1-7 Page 4: EPDP Team Phase 2 Recommendations #8-9 Page 5: EPDP Team Phase 2 Recommendations #10-16 Page 6: EPDP Team Phase 2 Recommendation #17 Page 7: EPDP Team Phase 2 Recommendations #18-19; Implementation Guidance i-ii Page 8: Other Comments & Submission

Consent & Authorization
By submitting my personal data, I agree that my personal data will be processed in accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy<https://www.google.com/url?q=https://www.icann.org/privacy/policy&sa=D&ust=1582062123846000&usg=AFQjCNF-kegHtr-d1fF-B-Lc5MLrj8U4sw>), and agree to abide by the website Terms of Service (https://www.icann.org/privacy/tos<https://www.google.com/url?q=https://www.icann.org/privacy/tos&sa=D&ust=1582062123846000&usg=AFQjCNGR4kJ4yApXgye5FppoR1gsviqvTA>).

Please provide your name: *
Dr. Milton Mueller

Please provide your affiliation *
Professor, Georgia Institute of Technology

Are you providing input on behalf of another group (e.g., organization, company, government)? *
·         (X) Yes
·         ( ) No

If yes, please explain:
Internet Governance Project, Georgia Institute of Technology

Save Your Progress

Do you want to save your progress and quit for now? You will be able to return to the form to complete at a later time.
·         ( ) Yes
·         (X) No, I would like to continue to the next section

Section 3, EPDP Preliminary Recommendations for Comment #1-7
This public comment proceeding seeks to obtain input on the Initial Report of the Phase 2 EPDP on the Temporary Specification for gTLD Registration Data Team. The Phase 2 EPDP Team is tasked with evaluating a System for Standardized Access/Disclosure to non-public gTLD registration data (“SSAD”).

Recommendation #1: Accreditation
Please find a link to the text of Recommendation 1 here: https://docs.google.com/document/d/1Mq8T1EBcQhbKnCBcVwYtb3qKDIgJcOClu5G0NaNaO50/edit<https://www.google.com/url?q=https://docs.google.com/document/d/1Mq8T1EBcQhbKnCBcVwYtb3qKDIgJcOClu5G0NaNaO50/edit&sa=D&ust=1582062123848000&usg=AFQjCNENFlJiXpc30QLCBB7qMhRhtwpdsw>.

Please choose your level of support for Recommendation #1:
·         (X) Support Purpose as written
·         ( ) Support Purpose intent with wording change
·         ( ) Significant change required: changing intent and wording
·         ( ) Purpose should be deleted
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #1, please indicate the revised wording and rationale here.

Recommendation #2: Accreditation of governmental entities
Please find a link to the text of Recommendation #2 here: https://docs.google.com/document/d/1NOTbh3PeQSaDr3O4GKjGjJPHgpB3bVIMTyJvz7pzpsU/edit<https://www.google.com/url?q=https://docs.google.com/document/d/1NOTbh3PeQSaDr3O4GKjGjJPHgpB3bVIMTyJvz7pzpsU/edit&sa=D&ust=1582062123849000&usg=AFQjCNGFR7KdaFDeM8b40egkElA7Ga1B4A>.

Choose your level of support of Recommendation #2:
·         ( ) Support Recommendation as written
·         ( ) Support Recommendation intent with wording change
·         (X) Significant change required: changing intent and wording
·         ( ) Recommendation should be deleted
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #2, please indicate the revised wording and rationale here.
The words "public policy task" should be replaced with "law enforcement tasks." Public policy is a far too broad basis for giving governmental authorities access to registration data. Governmental actions in this area acquire their legitimacy from law. Although not all laws are proper and legitimate, there is at least a level of transparency and due process that is normally followed in their passage, and they are subject to judicial review. A government can claim that virtually anything it wants to do is a "public policy task." The claims of governments for special accreditation status cannot be based on "public policy" claims. The term "Consumer rights organizations" should be replaced by "Governmental consumer protection agencies." Many nongovernmental organizations claim to support "consumer rights." The current wording opens the door to too many entities. Replace the wording "Cybersecurity authorities, including national Computer Emergency Response Teams (CERTs)," with "Legally constituted cybersecurity authorities, such as national Computer Emergency Response Teams (CERTS)". Once again, we think it is essential to limit this form of accreditation to governmental agencies.

Recommendation #3: Criteria and Content of Requests
Please find a link to Recommendation #3 here: https://docs.google.com/document/d/1_w7EJHo4RzPtRis-zKgyJ4GzmY3KvGjk_-o03n7Yuzk/edit<https://www.google.com/url?q=https://docs.google.com/document/d/1_w7EJHo4RzPtRis-zKgyJ4GzmY3KvGjk_-o03n7Yuzk/edit&sa=D&ust=1582062123850000&usg=AFQjCNEUWTfq02wrbARX5kJdVZfQcvVAIQ>.

Choose your level of support of Recommendation #3:
·         (X) Support Recommendation as written
·         ( ) Support Recommendation intent with wording change
·         ( ) Significant change required: changing intent and wording
·         ( ) Recommendation should be deleted
·         ( ) No Opinion

If your response requires an edit or deletion of Recommendation #3, please indicate the revised wording here.

Recommendation #4: Third Party Purposes/Justifications
Please find a link to Recommendation #4 here: https://docs.google.com/document/d/1Xrx96CiQMhMff-dmCQWtomZ_ATISzgqRBSm72z0bzTA/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1Xrx96CiQMhMff-dmCQWtomZ_ATISzgqRBSm72z0bzTA/edit?usp%3Dsharing&sa=D&ust=1582062123851000&usg=AFQjCNEEGttDb5oOoAC17tjwwJpEH8MkgQ>.

Choose your level of support of Recommendation #4:
·         ( ) Support Recommendation as written
·         (X) Support Recommendation intent with wording change
·         ( ) Significant change required: changing intent and wording
·         ( ) Recommendation should be deleted
·         ( ) No Opinion

If your response requires an edit or deletion of Recommendation #4, please indicate the revised wording and rationale here.
The title of this Recommendation should be "Third Party Justifications." The sentence "Third parties MAY submit data disclosure requests for specific purposes such as..." should be changed to "Third parties MAY submit data disclosure requests with justifications such as..." The wording change makes it more accurate and avoids confusion with the vexed debate over Whois purposes that held up consensus in earlier reports.

Recommendation #5: Acknowledgement of receipt
Please find a link to Recommendation #5 here: https://docs.google.com/document/d/140U4AsH3so8tSojhdCEUa8I2QkD8OwBXxK9NcIjiCx4/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/140U4AsH3so8tSojhdCEUa8I2QkD8OwBXxK9NcIjiCx4/edit?usp%3Dsharing&sa=D&ust=1582062123852000&usg=AFQjCNGHIiHfMkcmMchkCae73e4cEruGnw>

Choose your level of support of Recommendation #5:
·         (X) Support Recommendation as written
·         ( ) Support Recommendation intent with wording change
·         ( ) Significant change required: changing intent and wording
·         ( ) Recommendation should be deleted
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #5, please indicate the revised wording and rationale here.

Recommendation #6: Contracted Party Authorization
Please find a link to Recommendation #6 here: https://docs.google.com/document/d/1-iiPCpZMdpYmhPLzqbHHbG7NvfKt80-AbjPPj-isHnM/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1-iiPCpZMdpYmhPLzqbHHbG7NvfKt80-AbjPPj-isHnM/edit?usp%3Dsharing&sa=D&ust=1582062123853000&usg=AFQjCNEwrE1YvQ5JdZ1xlQtYFI6Ger2NNw>.

Choose your level of support of Recommendation #6:
·         ( ) Support Recommendation as written
·         (X) Support Recommendation intent with wording change
·         ( ) Significant change required: changing intent and wording
·         ( ) Recommendation should be deleted
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #6, please indicate the revised wording and rationale here.
On the whole this recommendation is good. We propose a minor wording change at the end of the 4th paragraph. Delete the words, "nor can refusal to disclose be solely based on the fact that the request is founded on alleged intellectual property infringement in content on a website associated with the domain name." This is too specific for a policy recommendation and seems to be nothing more than special pleading by a particular interest group intended to bias consideration of certain kinds of claims. We know of no cases where disclosure requests to law enforcement or private actors have been denied based solely on a foundation of "alleged IP infringement in content on a website." Including this language may just encourage IP interests to contest justified disclosure denials. No legitimate rights are undermined or threatened by deleting this language.

Recommendation #7: Authorization for automated disclosure requests
Please find a link for Recommendation #7 here: https://docs.google.com/document/d/11BSAUqIUOWJmZOSTaQIW0QZncnywljKJPWUtCTtnCHY/edit<https://www.google.com/url?q=https://docs.google.com/document/d/11BSAUqIUOWJmZOSTaQIW0QZncnywljKJPWUtCTtnCHY/edit&sa=D&ust=1582062123854000&usg=AFQjCNHWmIv4IjsoRTkKP9iuIXrPc7842w>.

Choose your level of support of Recommendation #7:
·         ( ) Support Recommendation as written
·         ( ) Support Recommendation intent with wording change
·         ( ) Significant change required: changing intent and wording
·         (X) Recommendation should be deleted
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #7, please indicate the revised wording and rationale here.
Most of this Recommendation (Parts 1, 2 and 3) merely repeats what other parts of the initial report say, notably Recommendation 6. The parts that are not repetitive are poorly thought out or objectionable. The part of the recommendation that says "a Contracted Party MAY request the Central Gateway to fully automate all, or certain types of, disclosure requests" is not consistent with the requirement that automated disclosure must be legally permissible. A contracted party could request automation when it is not legally permissible, and this recommendation does not provide any checks on that. It encourages contracted parties to save time and money by sacrificing the data protection rights of their customers. The part that suggests that law enforcement agencies should be able to automate ALL requests is neither justified nor legally permissible. It is routinely true that LEAs must get warrants or subpoenas to disclose private information; the mere fact that they are LEAs does not relieve them of basic privacy protections. Automated disclosures raise important legal questions, which this Recommendation does not resolve. Automation of disclosure poses a real danger that all of the legal rights for data subjects could be bypassed by a system that essentially recreates the open-access Whois for any accredited user.

Save Your Progress

Do you want to save your progress and quit for now? You will be able to return to the form to complete at a later time.
·         ( ) Yes
·         (X) No, I wish to continue to the next section

Section 3, EPDP Phase 2 Recommendations #8-9

Recommendation #8: Response Requirements
Please find a link to Recommendation #8 here: https://docs.google.com/document/d/1U6iEnJzxls_824MsBzgW1tk7Qa2W6eY72B3QkdMu2Uk/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1U6iEnJzxls_824MsBzgW1tk7Qa2W6eY72B3QkdMu2Uk/edit?usp%3Dsharing&sa=D&ust=1582062123856000&usg=AFQjCNE1zn6Mbs-Wxs1RTOtxVvObR-b79g>.

Choose your level of support of Recommendation #8:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

Do you recommend a change to the wording of Recommendation 8? If so, please indicate proposed edits and rationale here.

Recommendation #9: Determining Variable SLAs for response times for SSAD
Please find a link to Recommendation #9 here: https://docs.google.com/document/d/1QwHyvI1SnFgVi8WGGIheCu0-fG76I_SIUFBe-sph-Ew/edit<https://www.google.com/url?q=https://docs.google.com/document/d/1QwHyvI1SnFgVi8WGGIheCu0-fG76I_SIUFBe-sph-Ew/edit&sa=D&ust=1582062123857000&usg=AFQjCNH9U2h_mM9td6b7nOLpdep2ErKjFA>.

Choose your level of support of Recommendation #9:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

Do you recommend a change to Recommendation 9? If so, please indicate proposed edits and rationale here.

If you do not agree with the proposed SLA matrix and/or accompanying description, please provide your rationale and proposed alternative language.

Save Your Progress

Do you want to save your progress and quit for now? You will be able to return to the form to complete at a later time.
·         ( ) Yes
·         (X) No, I wish to continue to the next section

Section 3, EPDP Phase 2 Recommendations #10-16

Recommendation #10: Acceptable Use Policy
Please find a link to Recommendation #10 here: https://docs.google.com/document/d/1JHgbtfvnHezDhEJLkj6KxvGC1bvGu1v7XZA73Z47IMA/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1JHgbtfvnHezDhEJLkj6KxvGC1bvGu1v7XZA73Z47IMA/edit?usp%3Dsharing&sa=D&ust=1582062123859000&usg=AFQjCNH4Ai_eTDwcJ4V3GotfeuwvXTc8wQ>.

Choose your level of support of Recommendation #10:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #10, please indicate the revised wording and rationale here.

Recommendation #11: Disclosure Requirement
Please find a link to Recommendation #11 here: https://docs.google.com/document/d/1r6qgmnI-0ha0mmYqP0Z3drZr3FJsxG-uW9bRC2bJ4Uo/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1r6qgmnI-0ha0mmYqP0Z3drZr3FJsxG-uW9bRC2bJ4Uo/edit?usp%3Dsharing&sa=D&ust=1582062123860000&usg=AFQjCNF4w3tsvHII6NqEO-r04diO6qM-4Q>.

Choose your level of support of Recommendation #11:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #11, please indicate the revised wording and rationale here.

Recommendation #12: Query Policy
Please find a link to Recommendation #12 here: https://docs.google.com/document/d/1_ng86GC09Ye5ruCBk4vBrXZN7nCyagAanJT9aSDBrGQ/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1_ng86GC09Ye5ruCBk4vBrXZN7nCyagAanJT9aSDBrGQ/edit?usp%3Dsharing&sa=D&ust=1582062123861000&usg=AFQjCNHrcKDHGMCWq9E8l_ivaA9YYLlxVA>.

Choose your level of support of Recommendation #12:
·         ( ) Support recommendation as written
·         (X) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If your response requires an edit or deletion of Recommendation #12, please indicate the revised wording and rationale here.
Clarification is needed regarding this statement: "Support the ability of a requestor to submit multiple domain names in a single request." We think this bullet point should be deleted. Recommendation #3 specifies all the elements that go into a request. In a request with multiple domain names will all these things be the same? We fail to see how a request that combines multiple domains can conform to Rec 3, unless it is the same registrant and the same justification. We fail to see how the authorization process described in Recommendation #6 can be conducted if dozens of different domains with different registrants and justifications are combined in the same request.

Recommendation #13: Terms of Use
Please find a link to Recommendation #13 here: https://docs.google.com/document/d/1ou3hY3peDnxgo45FmUBs_cIv4f3qUntYecIg10wB__4/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1ou3hY3peDnxgo45FmUBs_cIv4f3qUntYecIg10wB__4/edit?usp%3Dsharing&sa=D&ust=1582062123862000&usg=AFQjCNGLioOZ8jVa4DPTW3j9-c1FyoegAA>.

Choose your level of support of Recommendation #13:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If you believe edits are needed for Recommendation #13, please propose edits and rationale here.

Recommendation #14: Retention and Destruction of Data
Please find a link to Recommendation #14 here: https://docs.google.com/document/d/1tBf2jEWlXydskYXxYAjOObebuFgL4iYIHqhBwdo86pU/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1tBf2jEWlXydskYXxYAjOObebuFgL4iYIHqhBwdo86pU/edit?usp%3Dsharing&sa=D&ust=1582062123864000&usg=AFQjCNH57pNZewKeDKPXjwhHvpiIcSogkA>.

Choose your level of support of Recommendation #14:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If you do not support Recommendation #14, please provide proposed edits and rationale here.

Recommendation #15: Financial Sustainability
Please find a link to Recommendation #15 here: https://docs.google.com/document/d/1EN7mDz44BkxoW_RVlDsgjxhSLkUgrW5XwxIX-O-0TEk/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1EN7mDz44BkxoW_RVlDsgjxhSLkUgrW5XwxIX-O-0TEk/edit?usp%3Dsharing&sa=D&ust=1582062123865000&usg=AFQjCNFDlUVyKzE8KLnsxJy3M4TngFvhVQ>.

Choose your level of support of Recommendation #15:
·         ( ) Support recommendation as written
·         (X) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If you believe edits are needed for Recommendation #15, please propose edits and rationale here.
On the whole, this Recommendation is acceptable, although a lot depends on the implementation details. We recommend one minor change: It currently says, "Accreditation applicants MAY be charged a to-be-determined non-refundable fee proportional to the cost of validating an application." We believe that "MAY" should be changed to MUST here. We are concerned that entities that offer accreditation for free will not be trustworthy.

Recommendation #16: Automation
Please find a link to Recommendation #16 here: https://docs.google.com/document/d/1_gqq1JKHcDqVKKfdwOdfAghPYm-ErV2t9qxJVDsDjWc/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1_gqq1JKHcDqVKKfdwOdfAghPYm-ErV2t9qxJVDsDjWc/edit?usp%3Dsharing&sa=D&ust=1582062123866000&usg=AFQjCNHQnY7AFklq2ttkSvan-lh2sDdoCg>.

Choose your level of support of Recommendation #16:
·         ( ) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         (X) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If you believe changes are needed for Recommendation #16, please provide proposed edits and rationale here.
We agree with all the language regarding automation of requests. We do not approve of the language regarding automation of disclosure. Specifically we disagree with this paragraph: "The SSAD MUST allow for automation of the processing of well-formed, valid, complete, properly-identified requests from accredited users with some limited and specific set of legal basis and data processing purposes which are currently described in Preliminary Recommendation #7 but still under discussion. These requests MAY be automatically processed and result in the disclosure of non-public RDS data without human intervention." We note that this recommendation does not mention "legally permissible" as is required by other parts of the report. This oversight must be fixed. We note that where there is no human intervention, it is impossible to know whether the legal bases or data processing purposes are valid for a specific request. We note the clear risk that parties requesting data could lie and assert rationales that would lead to automated disclosure even if they were not applicable.

Save Your Progress

Do you want to save your progress and quit for now? You will be able to return to the form to complete at a later time.
·         ( ) Yes
·         (X) No, I wish to continue to the next section

Section 3, EPDP Phase 2 Recommendation #17

Recommendation #17: Logging
Please find a link to Recommendation #17 here: https://docs.google.com/document/d/1zG2myy1br-xbXBHBvd34gm_J-vXPEr6GoBOoWFqi9RQ/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1zG2myy1br-xbXBHBvd34gm_J-vXPEr6GoBOoWFqi9RQ/edit?usp%3Dsharing&sa=D&ust=1582062123867000&usg=AFQjCNEpZDe8YUGWByzZ3DKBSjB1U6am6A>.

Choose your level of support of Recommendation #17:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

Section 3, EPDP Phase 2 Recommendations #18-19, Implementation Guidance

Recommendation #18: Audits
Please find a link to Recommendation #18 here: https://docs.google.com/document/d/1GnR5m5kdHrNCn3TxHhwtUJF0j-Zl1gdVAauQ47WqGBQ/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1GnR5m5kdHrNCn3TxHhwtUJF0j-Zl1gdVAauQ47WqGBQ/edit?usp%3Dsharing&sa=D&ust=1582062123868000&usg=AFQjCNGnTkRs3T-Ed6Dxz4d76qsfUfs2KQ>.

Choose your level of support of Recommendation #18:
·         (X) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         ( ) Delete recommendation
·         ( ) No opinion

If you do not support Recommendation #18, please provide proposed edits/changes and rationale here.

Recommendation #19: Mechanism for the Evolution of the SSAD
Please find a link to Recommendation #19 here: https://docs.google.com/document/d/12KdBUNUXy8m_exDvFL3D2rBUYUTMmJpM9RqoWlZL_0o/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/12KdBUNUXy8m_exDvFL3D2rBUYUTMmJpM9RqoWlZL_0o/edit?usp%3Dsharing&sa=D&ust=1582062123869000&usg=AFQjCNFqH303zqBXKWIsN0HFahcZGBykUA>.

Choose your level of support of Recommendation #19:
·         ( ) Support recommendation as written
·         ( ) Support intent of recommendation with edits
·         ( ) Intent and wording of this recommendation requires amendment
·         (X) Delete recommendation
·         ( ) No opinion

If you do not support Recommendation #19, please provide proposed edits or changes and rationale here.
We view a threat that the mechanism for "evolution" of SSAD could become a Trojan Horse whereby hard-fought consensus policy decisions can be undermined or negated by small groups acting outside of public view. We do see a need for updating administration of the SSAD but believe that any such changes must stay within the bounds of policy set by the EPDP.

What existing processes / procedures, if any, can be used to meet the above responsibilities?
A subcommittee of the GNSO Council can engage in long-term oversight of the SSAD's administration. We oppose strongly any attempt to make expanding automation part of the mandate of the SSAD. We see no need to expand the categories of disclosure requests that an be automated. We see evolution of categories of requests as an administrative detail that could be handled by the gateway operator (ICANN or ICANN-contractor) unilaterally as long as changes did not impact policy. We note that the operator of the TMCH We see the SLA Matrix as a matter of compliance to be negotiated by ICANN and the Contracted Parties.

If no suitable existing processes / procedures can be used, what type of mechanism should be created factoring in: Who should guidance be provided to? How is guidance developed / agreed to? How should it be structured?
An existing process (GNSO council subcommittee) can be used

What information is needed to ensure the continuous evolution of SSAD?
We object to the term "continuous evolution." We believe there should be a stable, firm and largely unchanging set of policies governing the SSAD which can be changed via PDPs. We recognize a need for updating and revising implementation details in ways that do not change policy or "evolve" it into something new.

How is guidance of the Mechanism expected to be implemented?
The administrator can propose operational improvements; the GNSO Council subcommittee can review them to see if they implicate policy or alter policy or might have bad effects. Council approval should be required to go forward. In some cases public comment might be useful and required.

Implementation Guidance #i.
Please find a link to Implementation Guidance #i. here: https://docs.google.com/document/d/1uh3VfWkOZyU7NpVupPU7VBuoW6Lo1N65HUUPnGbBgr4/edit?usp=sharing<https://www.google.com/url?q=https://docs.google.com/document/d/1uh3VfWkOZyU7NpVupPU7VBuoW6Lo1N65HUUPnGbBgr4/edit?usp%3Dsharing&sa=D&ust=1582062123871000&usg=AFQjCNHKvBdhLJ6FceM0b4WUdVCH6ksIaA>.

Choose your level of support of Implementation Guidance #i:
·         ( ) Support implementation guidance as written
·         ( ) Support implementation guidance with edits
·         ( ) Intent and wording of this implementation guidance requires amendment
·         (X) Delete implementation guidance
·         ( ) No opinion

If you do not support Implementation Guidance #i, please provide proposed edits or changes and rationale here.
As noted in an earlier comment, we think the bundling of multiple domain names into the same request undermines the policy requirement in Recommendation 8 regarding the weighing and evaluation of requests, unless the system can automatically dis aggregate the requests and send them on to the CPs in an individualized form. We think it amounts to a de facto form of automated disclosure and skirts legal review processes.

Reporting Requirements
Implementation Guidance #ii currently provides: Following the public comment period, the EPDP Team will further review what reporting requirements are necessary to support the SSAD.

What type of reporting should be required as part of SSAD?
1. Aggregate data about the volume of requests, request categories, and disclosure decision rate should be published quarterly by ICANN. 2. Data about requests should be broken down by domain name, by the requestors' corporate identity (e.g., Facebook, Inc., California Attorney General, etc.) and by category (e.g., trademark, copyright, cybersecurity, etc). Also on a quarterly basis 3. Data about disclosure rates should be broken down by the contracted party's corporate identity (e.g., Network Solutions, Gandi, etc.). Also on a quarterly basis 4. Data about registrant objections to disclosure and any complaints to Data Protection Authorities should be published on a quarterly basis

Other Comments & Submission

Are there any recommendations the EPDP Team has not considered? If yes, please provide details below.

Are there any other comments or issues you would like to raise pertaining to the Initial Report? If yes, please enter your comments here. If applicable, please specify the section or page number in the Initial Report to which your comments refer.
The comments were only permitted to address specific recommendations. Some of the text prior to the recommendations, e.g. pages 5 - 13. reflects assumptions that were challenged in our comments on the recommendations. We assume that if changes are made in response to our comments on the recommendations, that these changes will also be reflected in the preceding text of the report. We'd also like to commend the support staff for their hard work in bringing this together

Save Your Progress
Create your own Google Form<https://docs.google.com/forms?usp=mail_form_link>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-ec/attachments/20200310/7cb85669/attachment.html>


More information about the NCUC-EC mailing list