AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »

Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

23 March 2020

Initial Report of the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data Team – PHASE 2

VOTE

Drafting team volunteer(s):

Hadia Elminiawi

Laurin Weissinger

Bastiaan Goslings

Matthias M. Hudobnik

Alan Greenberg

18 March 2020

20 March 2020

23 March 2020

26 March 2020

23 March 2020

Caitlin Tubergen
caitlin.tubergen@icann.org

Hide the information below, please click here 

Brief Overview

Purpose: This Public Comment proceeding seeks to obtain input on the Initial Report of the Phase 2 EPDP on the Temporary Specification for gTLD Registration Data Team. The Phase 2 EPDP Team is tasked with evaluating a System for Standardized Access/Disclosure to non-public gTLD registration data ("SSAD").

Current Status: This Initial Report is being posted for Public Comment as foreseen in the EPDP Team's charter and EPDP Manual.

Next Steps: Following review of Public Comments submitted, the EPDP Team will integrate Public Comment submissions received as it works towards recommendations for inclusion in its Final Report.

Section I: Description and Explanation

The Initial Report outlines the core issues discussed in relation to the proposed System for Standardized Access/Disclosure to non-public gTLD registration data ("SSAD") and accompanying preliminary recommendations.

On 17 May 2018, the ICANN Board of Directors (ICANN Board) adopted the Temporary Specification for generic top-level domain (gTLD) Registration Data ("Temporary Specification"). The Temporary Specification provides modifications to existing requirements in the Registrar Accreditation and Registry Agreements in order to comply with the European Union's General Data Protection Regulation ("GDPR").1 In accordance with the ICANN Bylaws, the Temporary Specification will expire on 25 May 2019.

On 19 July 2018, the GNSO Council initiated an Expedited Policy Development Process (EPDP) and chartered the EPDP on the Temporary Specification for gTLD Registration Data team. In accordance with the Charter, EPDP team membership was expressly limited. However, all ICANN Stakeholder Groups, Constituencies and Supporting Organizations interested in participating are represented on the EPDP Team (see https://community.icann.org/x/kBdIBg).

This Initial Report concerns phase 2 of the EPDP Team's charter which covers: (i) discussion of a system for standardized access/disclosure to nonpublic registration data, (ii) issues noted in the Annex to the Temporary Specification for gTLD Registration Data ("Important Issues for Further Community Action"), and (iii) outstanding issues deferred from Phase 1, e.g., legal vs. natural persons, redaction of city field, et. al. For further details, please see here.

In order to organize its work, the EPDP Team agreed to divide its work into priority 1 and priority 2 topics. Priority 1 consists of the SSAD and all directly related questions. Priority 2 includes the topics listed on page 7 of the Initial Report. As a result of external dependencies and time constraints, this Initial Report does not include priority 2 items. Once addressed, these are expected to be published in a separate Initial Report.

The EPDP Team will not finalize its responses to the charter questions and recommendations to the GNSO Council until it has conducted a thorough review of the comments received during the Public Comment period on this Initial Report. At this time, no formal consensus call has been taken on these responses and preliminary recommendations, but this Initial Report did receive the support of the EPDP Team for publication for Public Comment.2 Where applicable, the Initial Report indicates where positions within the Team differ.

Notwithstanding the above, the EPDP Team is putting forward preliminary recommendations on the following topics for community consideration (see chapter 3 of the Initial Report for full text of recommendations):

Preliminary Recommendation #1. Accreditation
Preliminary Recommendation #2. Accreditation of governmental entities
Preliminary Recommendation #3. Criteria and Content of Requests
Preliminary Recommendation #4. Third Party Purposes/Justifications
Preliminary Recommendation #5. Acknowledgement of receipt
Preliminary Recommendation #6. Contracted Party Authorization
Preliminary Recommendation #7. Authorization for automated disclosure requests
Preliminary Recommendation #8. Response Requirements
Preliminary Recommendation #9. Determining Variable SLAs for response times for SSAD
Preliminary Recommendation #10. Acceptable Use Policy
Preliminary Recommendation #11. Disclosure Requirement
Preliminary Recommendation #12. Query Policy
Preliminary Recommendation #13. Terms of use
Preliminary Recommendation #14. Retention and Destruction of Data
Preliminary Recommendation #15. Financial Sustainability
Preliminary Recommendation #16. Automation
Preliminary Recommendation #17. Logging
Preliminary Recommendation #18. Audits
Preliminary Recommendation #19. Mechanism for the evolution of SSAD

Following the publication of this Report, the EPDP Team will: (i) continue to seek guidance on legal issues from the European Data Protection Board and others, (ii) carefully review Public Comments received in response to this publication, (iii) continue to review the work-in-progress with the community groups the Team members represent, and (iv) carry on deliberations for the production of a Final Report that will be reviewed by the GNSO Council and, if approved, forwarded to the ICANN Board of Directors for approval as an ICANN Consensus Policy.

To provide your input, please complete the following form which is intended to facilitate your input by focusing on those aspects that the EPDP Team is looking for particular input on, as well as subsequent review by the EPDP Team: https://forms.gle/p6QsdHR86cZXRDbt9. To facilitate off-line work, or for those who may not have access to the form, you can download an off-line version of the form here: https://gnso.icann.org/en/issues/epdp-phase-2-initial-public-comment-input-form-07feb20-en.pdf. Please note that similar to other Public Comment proceedings, all responses will be made public.

Community input will be carefully reviewed and used to support development of final responses to charter questions, as well as recommendations and implementation guidance in the form of a Final Report that is to be submitted to the GNSO for their consideration. Following approval of the proposal(s) by the GNSO, it will be submitted to the ICANN Board for its consideration.

Please note that due to the overall timeline by which the EPDP Team is constrained, it will not be possible to extend the closing date of the Public Comment forum.

1 The GDPR can be found at https://eur-lex.europa.eu/eli/reg/2016/679/oj; for information on the GDPR see, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/.

2 Following a review of Public Comments, the EPDP Team will take a formal consensus call before producing its Final Report.

Section II: Background

The Initial Report outlines the core issues discussed and accompanying preliminary recommendations.

On 17 May 2018, the ICANN Board of Directors (ICANN Board) adopted the Temporary Specification for generic top-level domain (gTLD) Registration Data ("Temporary Specification"). The Temporary Specification provides modifications to existing requirements in the Registrar Accreditation and Registry Agreements in order to comply with the European Union's General Data Protection Regulation ("GDPR").3 In accordance with the ICANN Bylaws, the Temporary Specification will expire on 25 May 2019.

On 19 July 2018, the GNSO Council initiated an Expedited Policy Development Process (EPDP) and chartered the EPDP on the Temporary Specification for gTLD Registration Data team. In accordance with the Charter, EPDP team membership was expressly limited. However, all ICANN Stakeholder Groups, Constituencies and Supporting Organizations interested in participating are represented on the EPDP Team.

During Phase 1 of its work, the EPDP Team was tasked to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy as is, or with modifications. This Initial Report concerns phase 2 of the EPDP Team's charter which covers: (i) discussion of a system for standardized access/disclosure to nonpublic registration data, (ii) issues noted in the Annex to the Temporary Specification for gTLD Registration Data ("Important Issues for Further Community Action"), and (iii) outstanding issues deferred from Phase 1, e.g., legal vs. natural persons, redaction of city field, et. al. For further details, please see here.

As a result of external dependencies and time constraints, this Initial Report does not include priority 2 items. Priority 2 items are detailed on pp. 7 of this Initial Report. Once addressed, these are expected to be published in a separate Initial Report.

3 The GDPR can be found at https://eur-lex.europa.eu/eli/reg/2016/679/oj; for information on the GDPR see, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/.

Section III: Relevant Resources



Section IV: Additional Information


Section V: Reports

FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 


FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.


DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins. The Draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(S) should be left in place and the new version along with a header line identifying the drafter and date/time should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).

Updated version by Hadia Elminiawi, Bastiaan Goslings, Laurin Weissinger and Matthias Hudobnik on 21 March 2020:

The ALAC appreciates ICANN putting forward the EPDP on the temporary specification for gTLD registration data, phase 2 report for public comment and takes this opportunity to provide its comment herewith.

For all Recommendations not listed here, we are recommending that the ALAC “Support as written”.

Recommendation #1: Accreditation

Response: Support with wording change.

Accreditation is an important element of the SSAD as it saves the time and effort required by decision-making entities to verify the requestor, provides external assurance that the requestors have been verified and reduces the load on the SSAD. However, the ALAC is concerned that given the fact that requests to SSAD can only be submitted by accredited users, the accreditation process could end up being a bottle neck, limiting access to the system. We therefore see that the accreditation entity in addition to having a uniform baseline application procedure and accompanying requirements should also have a clear timeline for its process and response.   

Recommendation #6: Contracted Party Authorization

Response: Support with wording change.

The recommendation requires the contracted party to determine if the requestor provided legitimate interest or other lawful basis in processing the data and if the data requested is necessary to the requestors stated purpose. If the answer is affirmative the contracted party examines if the requested data contains personal data, if not then the data is disclosed without further consideration. We note that there is no need to examine the lawful basis and legitimate interest of the requestor if no personal data is required. Non-personal information is not protected under GDPR and all requestors are accredited users thus their identity is verified, this is an unnecessary step that:

  1. a) may allow the rejection of a request where the requested data is not protected under GDPR or  b) may delay the response to a request that includes non-personal information.

Recommendation #7: Authorization for automated disclosure requests

Response: Support with wording change.

The EPDP team has indicated only two types of disclosure requests that can be automated from the start. We note that automation provides consistency, sustainability and quicker response time. We recommend trying to put forward more types of disclosure requests for automation by seeking the advice of the DPA’s. Such requests should site explicit classes of requests and the rationale for allowing automated disclosure. 

This work can be done during the implementation phase but must explicitly be described in the final report.

 

Recommendation #9: Determining variable SLAs for response times for SSAD

Response: Support with wording change.

Urgent requests that are defined as circumstances that pose an imminent threat to life, serious bodily injury, critical infrastructure (Online and offline) or child exploitation, are critical situations that require immediate responses. According to the recommendation, the urgent response is one business day that is if the request is submitted on a Friday afternoon the response could be provided on Monday that is after three days, we regard this as a very long response period for an urgent request and recommend that the response time is one day instead of one business day.

The RAA already calls for 24 hour staffing for certain types of urgent requests and this class of disclosure request should be treated similarly.

In addition, the EPDP team should clarify the priority and thus the expected response times for cases of typical DNS abuse, including phishing, malware, and fraud. Furthermore, if the processing of any request is taking longer than the to-be-agreed duration, the responder should be required to inform the requester and record the reasons for the delay.

Recommendation #15: Financial Sustainability

Response: Support with wording change.

The phrase “Data subjects MUST NOT bear the costs for having their data disclosed to third parties” is too vague and subject to mis-interpretation. Registrants, directly or indirectly are the prime source of revenue to ICANN and a major source of revenue to contracted parties. So the costs borne by ICANN and contracted parties implicitly (which this recommendation allows) DOES ultimately come from registrants.

The wording should be changed to say, “A Registrant should not be subjected to explicit additional charges associated with the operation of the SSAD”.

In addition, the ALAC strongly believes that the fee structure must provide preferential treatment to CSIRTS, CERTS, academic research, and similar non-profit endeavors in the public interest.

Recommendation #19 Mechanism for the evolution of the SSAD

Response: Support with wording change.

The ALAC notes the importance of introducing a methodology through which the system can improve and more cases out of experience and learning can be automated. We do not see any existing procedures that can be used to meet this responsibility and suggest forming an SSAD implementation council consisting from all stakeholders. The responsibility of the SSAD implementation council would be looking into the types of disclosures that out of experience are deemed automatable and recommend moving its decision making to the central gateway manager who would provide an automated response to such requests.

To be clear, the “mechanism” that is established by the recommendation must have the authority (with the support of contracted party representatives) to have new classes of automation introduced into the SSAD without referring the matter to the GNSO Council which only has jurisdiction over policy matters (and this present policy recommendation will already allow the creation of new classes of automated responses).


Reporting Requirements

  1. Are there any recommendations the EPDP Team has not considered? If yes, please provide details below.

It would be useful to engage with parties that have been dealing with this for a long time:

ALAC asks the EPDP team to consider reaching out to key actors in the anti-abuse space, including but not limited to M3AAWG, FIRST and APWG. These groups have deep insights into dealing with investigations in the DNS space and have long used the WHOIS. Their practical insights into processes, issues, and key concerns could prove invaluable for developing an efficient and effective system.


General Comment

Finally, the ALAC would like to note the importance of some priority 2 issues like the differentiation between legal vs natural persons and the accuracy of the data. Ending up with a disclosure system that returns inaccurate data and thus useless responses would be a waste to the effort put by all elements of the system and of no use to the requestor. Differentiation between natural and legal persons would offload the system from unnecessary queries that are permissible under GDPR.  


Original draft posted by Alan Greenberg on 19 March 2020 at 02:00 UTC:

The ALAC appreciates ICANN putting forward the EPDP on the temporary specification for gTLD registration data, phase 2 report for public comment and takes this opportunity to provide its comment herewith.

For all Recommendations not listed here, we are recommending that the ALAC “Support as written”.

Recommendation #1: Accreditation

Response: Support with wording change.

Accreditation is an important element of the SSAD as it saves the time and effort required by decision-making entities to verify the requestor, provides external assurance that the requestors have been verified and reduces the load on the SSAD. However, the ALAC is concerned that given the fact that requests to SSAD can only be submitted by accredited users, the accreditation process could end up being a bottle neck, limiting access to the system. We therefore see that the accreditation entity in addition to having a uniform baseline application procedure and accompanying requirements should also have a clear timeline for its process and response.   

Recommendation #6: Contracted Party Authorization

Response: Support with wording change.

The recommendation requires the contracted party to determine if the requestor provided legitimate interest or other lawful basis in processing the data and if the data requested is necessary to the requestors stated purpose. If the answer is affirmative the contracted party examines if the requested data contains personal data, if not then the data is disclosed without further consideration. We note that there is no need to examine the lawful basis and interest of the requestor if no personal data is required. Non-personal information is not protected under GDPR and all requestors are accredited users thus their identity is verified, this is an unnecessary step that: a) may allow the rejection of a request where the requested data is not protected under GDPR or  b) may delay the response to a request that includes non-personal information.

Recommendation #7: Authorization for automated disclosure requests

Response: Support with wording change.The EPDP team has indicated only two types of disclosure requests that can be automated from the start. We note that automation provides consistency, sustainability and quicker response time. We recommend trying to put forward more types of disclosure requests for automation by seeking the advice of the DPA’s. Such requests should site explicit classes of requests and the rationale for allowing automated disclosure. 

This work can be done during the implementation phase but must explicitly be described in the final report.

Recommendation #9: Determining variable SLAs for response times for SSAD

Response: Support with wording change.

Urgent requests that are defined as circumstances that pose an imminent threat to life, serious bodily injury, critical infrastructure (Online and offline) or child exploitation, are critical situations that require immediate responses. According to the recommendation, the urgent response is one business day that is if the request is submitted on a Friday afternoon the response could be provided on Monday that is after three days, we regard this as a very long response period for an urgent request and recommend that the response is one day instead of one business day.

The RAA already calls for 24 hour staffing for certain types of urgent requests and this class of disclosure request should be treated similarly.

Recommendation #15: Financial Sustainability

Response: Support with wording change.

The phrase “Data subjects MUST NOT bear the costs for having their data disclosed to third parties” is too vague and subject to mis-interpretation. Registrants, directly or indirectly are the prime soruce of revenue to ICANN and a major source of revenue to contracted parties. So the costs borne by ICANN and contracted parties implicitly (which this recommendation allows)  DOES ultimately come from registrants.

The wording should be changed to say “a Registrant should not be subjected to explicit additional charges associated with the operation of the SSAD”.

In addition, the ALAC strongly believes that the fee structure must provide preferential treatment to CERTS, academic research and similar endeavours.

Recommendation #19 Mechanism for the evolution of the SSAD

Response: Support with wording change.The ALAC notes the importance of introducing a methodology through which the system can improve and more cases out of experience and learning can be automated. We do not see any existing procedures that can be used to meet this responsibility and suggest forming an SSAD implementation council consisting from all stakeholders. The responsibility of the SSAD implementation council would be looking into the types of disclosures that out of experience are deemed to automatable and recommend moving its decision making to the central gateway manager who would provide an automated response to such requests. To be clear, the “mechanism” that is established by the recommendation must have the authority (with the support of contracted party representatives) to have new classes of automation introduced into the SSAD without referring the matter to the GNSO Council which only has jurisdiction over policy matters (and this present policy recommendation will already allow the creation of new classes of automated responses).

General Comment

Finally, the ALAC would like to note the importance of some priority 2 issues like the differentiation between legal vs natural persons and the accuracy of the data. Ending up with a disclosure system that returns inaccurate data and thus useless responses would be a waste to the effort put by all elements of the system and of no use to the requestor. Differentiation between natural and legal persons would offload the system from unnecessary queries that are permissible under GDPR.  

  • No labels