Julie Bisland's Personal Meeting Room
Sarah Wyld (RrSG)
32:03
One moment please, checking with our team
Margie Milam (BC)
32:24
could you repeat the question
Brian King (IPC)
32:25
I'm not sure I understand the question, Janis
Milton Mueller (NCSG)
33:29
next week?
Farzaneh Badii (NCSG)
34:24
Oh we are not even ready to discuss the early input then. what is the GNSO process for considering early input?
Marika Konings
35:45
@Farzaneh - staff developed an early input review tool to facilitate that process by the EPDP Team.
Marika Konings
36:07
See https://community.icann.org/x/zIWGBg
Farzaneh Badii (NCSG)
38:21
thanks
Milton Mueller (NCSG)
38:43
Yes, Janis et al NCSG plans to be ready to discuss next week
Marika Konings
38:47
For the record, the RrSG has provided some responses in the google doc
Marika Konings
38:57
And note that the input has already been included in the SSAD worksheet
Marika Konings
39:18
see https://community.icann.org/download/attachments/109479654/EPDP%20Team%20Worksheet%20Template%20-%20SSAD%20-%20updated%2031%20July%202019.docx?version=1&modificationDate=1564605758000&api=v2
Sarah Wyld (RrSG)
39:47
This link should show the doc with our comments: https://drive.google.com/file/d/1yc2xYE79jbiDDn9PtGb0wXQWyhyMDTF7/edit
James Bladel (RrSG)
40:16
Thanks for confirming! We’ll call off the search now.
Alan Greenberg (ALAC)
43:10
Then let's just do the 2nd part.
Alex Deacon (IPC)
43:38
So should any input be added as a comment to the google doc at the link Sarah posted above?
Marika Konings
44:20
@Alex - correct, any clarifying questions or reactions can be added to the google doc. It may also be helpful if groups flag which issues / suggestions require further consideration by the full EPDP?
Alex Deacon (IPC)
45:22
OK - I’ll note I don’t see that google doc link on the wiki page - https://community.icann.org/pages/viewpage.action?pageId=109479372.
Farzaneh Badii (NCSG)
47:02
Why do IPC and BC get to vote twice? Aren’t they a part of CSG?
Farzaneh Badii (NCSG)
48:16
if that is the case then NCSG should get to respond twice too. The concept of equal footing in this context is very very simple! NCSG is equal to CSG!
Milton Mueller (NCSG)
49:18
That is correct, SGs and ACs are the basic unit of this EPDP. I have to ask the chair and staff to abide by this basic procedural requirement
Margie Milam (BC)
51:06
Sorry Milton - that's not the way the charter describes our participation - it's not limited to SGs
Milton Mueller (NCSG)
52:30
you can participate as IPC and BC and ISPC but in formal voting/survey process you count as one SG. That is what the charter says
Milton Mueller (NCSG)
52:48
That's why we both have 6 representatives
Marika Konings
53:07
@Alex - here is the google link: https://drive.google.com/file/d/1yc2xYE79jbiDDn9PtGb0wXQWyhyMDTF7/edit - we will also post it on the wiki page after this call.
Farzaneh Badii (NCSG)
53:10
Yes the charter is very clear that your participation as Constituencies should not create an imbalance. I will dig out the wording
Alex Deacon (IPC)
54:28
Thanks Marika.
Stephanie Perrin (NCSG)
56:06
We had quite a skirmish on this particular GNSO voting balance issue when the Charter was drafted. It is very important to us.
Sarah Wyld (RrSG)
56:19
Thanks Janis. I was thinking more the part where you said concerns are submitted in writing - we could add it into a google doc instead of submitting it to the email list
James Bladel (RrSG)
56:42
+1 Sarah. That method would potentially speed things up.
Stephanie Perrin (NCSG)
56:55
And it was resolved when Milton had a conversation with Keith Drake, during the Charter drafting process.
Stephanie Perrin (NCSG)
57:23
Drazek…..hard to get spell check to behave on that name.
Sarah Wyld (RrSG)
57:28
I found it difficult to make clear what we were responding to specifically, so doing that in a google doc would be better
Alex Deacon (IPC)
59:04
+1 Sarah - using the google doc to collect all comments is a great idea.
Ben Butler (SSAC)
01:00:39
As I said, I am perfectly capable and happy to walk through SSAC 3. I was trying to point out that Greg is more familiar with nuances of such a request from a 3rd party, and that knowledge may be helpful (or may not) to the group deliberations.
Alan Greenberg (ALAC)
01:00:47
I just gave an opinion that it was not a good use of our communal time.
Marika Konings
01:01:06
Staff will go ahead and post the use cases that are discussed during today’s meeting as a google doc to facilitate your input with the understanding that the author of the use case will take ownership of producing a next version based on the input provided.
Milton Mueller (NCSG)
01:01:42
Ben: it's good I think we can continue to walk through SSAC 3
Milton Mueller (NCSG)
01:02:21
If nuances get lost then staff will be posting a google doc that others in SSAC can respond to
Sarah Wyld (RrSG)
01:02:47
Thanks Marika
Stephanie Perrin (NCSG)
01:05:13
lost sound
Andrea Glandon
01:05:45
Sound is okay on our end, Stephanie
Stephanie Perrin (NCSG)
01:06:51
Since they are not usually prosecuting anybody, they cannot make the argument that contact info is necessary
Stephanie Perrin (NCSG)
01:08:42
If I were in a DPA office, first question would be how often do you prosecute (i.e. hand off to LEAs). If the answer is never (or perhaps it is always shared but it is not up to the third party to get the personal data) then the personal data should not be disclosed to the third party
Farzaneh Badii (NCSG)
01:09:05
That’s the pattern of registration you are talking about, which can be done through other means other than disclosure.
Milton Mueller (NCSG)
01:09:24
Didn't say it was never necessary to get contact data, just that it is not required for many forms of phishing mitigation
Stephanie Perrin (NCSG)
01:09:38
If a case is made for prosecution, then the personal data would be released
Sarah Wyld (RrSG)
01:10:23
+1 James.
Amr Elsadr (NCSG)
01:10:48
@James: +1. I recently updated my registration data, as some of it was out-of-date. I promise that there was no bad faith intended while my registration data wasn’t all accurate.
Milton Mueller (NCSG)
01:11:02
Right, Steph. I am arguing for separating out many aspects of this use case into those that require disclosure and those that don't
Farzaneh Badii (NCSG)
01:11:34
Well as I argued before use cases should have been more specific. They are not and we are facing problems
James Bladel (RrSG)
01:13:05
Mark - audio is very faint.
Farzaneh Badii (NCSG)
01:14:18
no we are not using use case methods unfortunately. Use case method is simply: a written description of how users perform tasks. Protecting online buyers or broadly fighting with phishing are not use cases
Alex Deacon (IPC)
01:14:36
@farzaneh - when 20+ specific use cases were submitted the argument was that that was ay to many and that we needed to consolidate them and make them more generic.
Alex Deacon (IPC)
01:15:18
ay=way
Farzaneh Badii (NCSG)
01:15:19
With more details! Not 20+ use cases. But how do you perform a task. You are fighting with phishing how do you do it.
Farzaneh Badii (NCSG)
01:16:01
our method is simply not a use case method.
Farzaneh Badii (NCSG)
01:18:00
No it doesn’t Brian.
Farzaneh Badii (NCSG)
01:18:14
Because it needs to happen quickly doesn’t make it necessary
Milton Mueller (NCSG)
01:19:03
Brian that's exactly why disclosure is usually irrelevant - phishing mitigation requires quick suspension action that does not require a disclosure process and often can't wait for it
James Bladel (RrSG)
01:19:23
I’m interested in how we tell the difference (at scale) between “inaccurate” and “falsified.” The latter requires intent.
Beth Bacon (RySG)
01:20:05
Important distinction James
Mark Svancarek (BC) (MSFT)
01:21:09
@James, I don't know how often we can distinguish inaccuracy and fraud. But we did once discover an infrastructure using Yahoo data (names, addresses, email addrs) which is an example of falsification
Milton Mueller (NCSG)
01:22:42
an accuracy complaint would take a week or two, though, wouldn't it Margie?
Milton Mueller (NCSG)
01:23:38
agree with your last point, Margie
Margie Milam (BC)
01:24:24
unfortunately - yes - but two weeks is better than months or years;
Milton Mueller (NCSG)
01:24:30
although we don't want to rewrite use cases, we DO want to make sure that the proposed use actually requires disclosure! If it doesn't, it's not a use case
Amr Elsadr (NCSG)
01:27:57
@Stephanie: +1
Sarah Wyld (RrSG)
01:29:10
Would those data elements be minimized based on the request at hand?
Sarah Wyld (RrSG)
01:29:11
for section C
Sarah Wyld (RrSG)
01:29:43
Tech contact will not have an address, but it could have a name, phone & email. Those fields are optional
Farzaneh Badii (NCSG)
01:29:54
how does 6(1)(b) apply ????
Milton Mueller (NCSG)
01:30:13
OK it's optional
Milton Mueller (NCSG)
01:30:18
so it may not be there
Mark Svancarek (BC) (MSFT)
01:30:19
optional
Mark Svancarek (BC) (MSFT)
01:30:30
if it is there, it's of interest
Milton Mueller (NCSG)
01:30:46
ok, eliminate address
Sarah Wyld (RrSG)
01:31:07
Thank you Ben.
Milton Mueller (NCSG)
01:31:49
On item d) I am going to have to ask the proposers to narrow down their legal basis and not just through them all in there indiscriminately
Milton Mueller (NCSG)
01:31:59
throw not through
Milton Mueller (NCSG)
01:33:03
+1 Chris
Margie Milam (BC)
01:33:34
My recollection is that this section is to be updated after legal advice is received
Margie Milam (BC)
01:33:41
on the legal bases
Amr Elsadr (NCSG)
01:35:08
Apologies, but I need to drop off the call early. Will catch up via the recording.
Farzaneh Badii (NCSG)
01:36:18
Investigator is different from the controller
Milton Mueller (NCSG)
01:36:35
then it's part of a different use case, Marc
Milton Mueller (NCSG)
01:36:40
Mark
Farzaneh Badii (NCSG)
01:36:55
6(1) (b) is about the contract between data subject and the Controller - nothing else.
Sarah Wyld (RrSG)
01:37:13
+1 Farzaneh re contract parties
Farzaneh Badii (NCSG)
01:38:07
Only 6(1)(f) might apply but you need to carry out the balancing test and justify it.
Mark Svancarek (BC) (MSFT)
01:39:44
No
Mark Svancarek (BC) (MSFT)
01:39:57
(delete all the bases)
Volker Greimann (RrSG)
01:40:26
all the base are belong to us?
Farzaneh Badii (NCSG)
01:40:39
yes definitely we need legal advice. most of these clauses don’t apply. But unfortunately when some groups receive a legal response they don’t like they don’t even invoke it or accept it.
Ben Butler (SSAC)
01:40:39
Well played Volker
Milton Mueller (NCSG)
01:41:44
:-) yes indeed
Margie Milam (BC)
01:42:56
going offline but will remain on call
Sarah Wyld (RrSG)
01:44:39
I completely disagree with that statement Ben
Sarah Wyld (RrSG)
01:44:43
Whois Inaccuracy Program is alive and well
Farzaneh Badii (NCSG)
01:45:43
+1 Sarah
James Bladel (RrSG)
01:46:08
Greg may have been referring to ICANN’s automated system, which I believe has been suspended. But that was relatively new. Anyway, this is part of the problem of trying to guess what Greg was trying to say in this use case.
Ben Butler (SSAC)
01:46:28
Apologies for lack of clarity Sarah. James is correct
Sarah Wyld (RrSG)
01:46:28
+1 James
Sarah Wyld (RrSG)
01:46:32
Thanks Ben
Farzaneh Badii (NCSG)
01:47:01
Reverse look ups is a safeguard????
Stephanie Perrin (NCSG)
01:47:15
Data accuracy requirements, in my opinion, need to be reduced. The repercussions of inaccurate data are far too extreme, and assume criminal intent (or assumption of fraud that would be pursued through civil litigation)
Farzaneh Badii (NCSG)
01:47:16
safeguard for data mining companies
Milton Mueller (NCSG)
01:47:19
Agree with James
Sarah Wyld (RrSG)
01:47:19
Point 1 from section i should be removed entirely
Milton Mueller (NCSG)
01:47:25
Yes
Farzaneh Badii (NCSG)
01:48:07
How is reverse look up a safeguard requirement for disclosure system! I am puzzled...
James Bladel (RrSG)
01:48:21
I don’t disagree that these are useful, but they are new features, vulnerable to misuse, and probably unethical and/or illegal.
Farzaneh Badii (NCSG)
01:48:42
Yes useful doesn’t mean legal!
Milton Mueller (NCSG)
01:48:44
wildcards are NOT a "Safeguard" they are a way of eliminating safeguards
Milton Mueller (NCSG)
01:49:09
or fattening
Farzaneh Badii (NCSG)
01:49:32
Those safeguards in section (i) are not safeguards for disclosure system. They actually harm the system…
Alex Deacon (IPC)
01:49:38
@marksv - agree.
Sarah Wyld (RrSG)
01:49:53
better thanks mark
Farzaneh Badii (NCSG)
01:50:01
reverse look up and wild card disclosure are not targeted things.
Ben Butler (SSAC)
01:50:36
We will be removing references to wildcard, etc.
Milton Mueller (NCSG)
01:51:13
stay close to the mic, Mark
Mark Svancarek (BC) (MSFT)
01:51:20
sorry, i am holding the mic right up to my face
Milton Mueller (NCSG)
01:51:27
odd
Mark Svancarek (BC) (MSFT)
01:51:38
annoying!
Mark Svancarek (BC) (MSFT)
01:51:45
sorry
Farzaneh Badii (NCSG)
01:52:02
I am still confused I think section (i) should be thoroughly revised. It’s not about what is useful. It is about safeguards for the disclosure system!
Sarah Wyld (RrSG)
01:52:02
Re Steph's point - yes, especially in section o here. This is an unwarranted assumption.
Alex Deacon (IPC)
01:53:14
but clearly a properly accredited, authenticated, authorized and well formed request would influence the balance.
Sarah Wyld (RrSG)
01:53:39
Janis - certainly we agreed, but it's here in section o so I'm glad it's flagged for adjustment here as well. Thanks!
Sarah Wyld (RrSG)
01:53:49
Alex - yes.
Milton Mueller (NCSG)
01:53:51
a well-formed request would, I don't think the others would, Alex
Mark Svancarek (BC) (MSFT)
01:54:03
Thanks James
Alex Deacon (IPC)
01:54:26
@milton - they all need to be taken as input to the balancing test.
Stephanie Perrin (NCSG)
01:54:41
If we have already agreed that authentication and accreditation does not mean the request is to be trusted, then we need to remove the language, it seems to me.
Sarah Wyld (RrSG)
01:54:47
+1 James - that would be a huge change with significant implications down the road
Stephanie Perrin (NCSG)
01:55:20
Edge cases must be treated as just that…..edge cases
Sarah Wyld (RrSG)
01:59:00
Already commented on o in this chat thanks
Milton Mueller (NCSG)
01:59:07
what does automation mean?
Brian King (IPC)
01:59:13
I'm not interested in discussing accreditation until we get to SSAD and identify a problem that accreditation can help to solve. It's a distraction until then.
Sarah Wyld (RrSG)
01:59:13
And I'm not sure that automation is necessary
Milton Mueller (NCSG)
01:59:17
to the people who wrote this use case?
Marika Konings
01:59:50
staff will post this as a google doc after this meeting - please use the comment functionality to provide your input and suggestions.
Milton Mueller (NCSG)
01:59:54
@Brian - if so, then please stop arguing that accreditation will factor in to a 6.1.f balancing test
Brian King (IPC)
02:00:52
I'll make my own arguments, Milton.
Milton Mueller (NCSG)
02:01:28
try to be logically consistent
Stephanie Perrin (NCSG)
02:01:44
He is only asking you not to so that I won’t go on a full rant, Brian…..
Milton Mueller (NCSG)
02:01:55
fear the rant...
Farzaneh Badii (NCSG)
02:02:59
no Hadia. Let’s not go there. please. Let’s not re-open that issue. You are wrong
Farzaneh Badii (NCSG)
02:03:13
Let’s just go through the use case!
Farzaneh Badii (NCSG)
02:03:30
you can do that without having to argue for consumer protection being in ICANN mandate or not …
Milton Mueller (NCSG)
02:03:54
It's not
James Bladel (RrSG)
02:04:54
Question - why wouldn’t this use case flow thru GAC or LEA?
Farzaneh Badii (NCSG)
02:05:29
Maybe ALAC wants to prosecute fraudsters on its own?
Sarah Wyld (RrSG)
02:05:46
+1 James. This sounds like something that should be reported to LEA
Farzaneh Badii (NCSG)
02:07:11
Ok so the argument is that the online buyer should be disclosed commercial org whois data
Stephanie Perrin (NCSG)
02:11:52
ICANN has no mandate to review website content. Full stop. Consumers should not be encouraged to judge the legitimacy of a vendor by checking through WHOIS, particularly given the intricacy of the ecosystem and the prevalence of managed services, for big and small actors alike
Farzaneh Badii (NCSG)
02:11:53
L says you need requestor contact information. Hmm
Sarah Wyld (RrSG)
02:12:57
+1 Stephanie
Farzaneh Badii (NCSG)
02:12:58
WHOIS sounds like a super multivitamin. It’s good for everything public benefit etc
James Bladel (RrSG)
02:13:05
This sounds like a competition issue and is wayhay out of scope.
Stephanie Perrin (NCSG)
02:13:11
If it is an individual looking for WHOIS info to prosecute a consumer complaint, you do need to verify who you are giving the personal information to, if indeed it is personal information.
Farzaneh Badii (NCSG)
02:13:51
+1 Steph
Farzaneh Badii (NCSG)
02:17:34
This case doesn’t pass the necessity test.
Beth Bacon (RySG)
02:18:23
Could this be considered under LEA?
Beth Bacon (RySG)
02:18:34
Fraud in general, I mean
Sarah Wyld (RrSG)
02:18:51
+1 Beth - this sounds like a situation where LEA should be involved
Stephanie Perrin (NCSG)
02:19:14
James has raised one of the points I wanted to make when I raised my hand.
Sarah Wyld (RrSG)
02:19:31
+1 James - very important distinction
Beth Bacon (RySG)
02:19:45
Agreed James
Sarah Wyld (RrSG)
02:20:01
Good point re SSL Cert James
Stephanie Perrin (NCSG)
02:20:05
Exactly, reliability of the domain name provider means nothing in terms of consumer complaints
Chris Lewis-Evans (GAC)
02:20:14
+1 James
Stephanie Perrin (NCSG)
02:20:29
Second point I wanted to raise: the browser should be your go-to, not the WHOIS
Chris Lewis-Evans (GAC)
02:21:41
Think this use case was probably good pre SSL but now this use case the better way to check the data would be via SSL Cert details and could be good to reflect this as a case where there is a better way of accomplishing the same task
James Bladel (RrSG)
02:21:54
I’d call it a “weak association” and getting weaker. SSL is the more robust indicator of trust
James Bladel (RrSG)
02:22:06
+1 Chris.
Beth Bacon (RySG)
02:23:00
I have a meeting that starts promptly at noon so must leave. apologies.
Terri Agnew
02:23:18
**for those traveling to LA for the F2F meeting, reminder to complete your travel plans via email received from ICANN Travel.
James Bladel (RrSG)
02:23:28
Same. Hard stop at the top of the hour. Thanks and goodbyes in advance if I drop abruptly!
Brian King (IPC)
02:24:09
SSL certificates no longer mean trust
Brian King (IPC)
02:24:37
SSL certificates are free, and domain validated SSLs do nothing to confirm domain or site ownership
James Bladel (RrSG)
02:24:47
@Brian - I think I specified EV SSL
Brian King (IPC)
02:24:48
the vast majority of phishing attacks now use an SSL certificate
Julf Helsingius (NCSG)
02:24:53
Brian: depends on what certificate authority you choose to trust
Farzaneh Badii (NCSG)
02:25:04
FTC? Or the consumer?
James Bladel (RrSG)
02:25:29
And someone who is willing to falsify an SSL cert will also falsify WHOIS/RDs. It’s about voluntarily submitting to verification for the purposes of trust.
Leon Sanchez (ICANN Board Liaison)
02:25:45
I have another meeting starting now so I apologize for leaving and not staying till the end
Leon Sanchez (ICANN Board Liaison)
02:25:50
Thanks everyone
Julf Helsingius (NCSG)
02:25:51
@Brian: just tell your browser not to accept self-certified certs
James Bladel (RrSG)
02:25:52
Gotta run. See y’all next week.
Milton Mueller (NCSG)
02:26:10
Alan you need to address the ex ante vs ex post issue.
Brian King (IPC)
02:26:33
@Julf, I'm not sure that's reasonable for the average internet user who has been trained that "the lock" means "trust"
Farzaneh Badii (NCSG)
02:26:38
Bye all.
Mark Svancarek (BC) (MSFT)
02:26:51
bye
Milton Mueller (NCSG)
02:26:51
the premise was that you need to know who the registrant is BEFORE you buy, which is really a matter of curiosity rather than necessity
Hadia Elminiawi (ALAC)
02:27:16
Thank you all
Alan Greenberg (ALAC)
02:27:26
@Milton, I agree.
Ben Butler (SSAC)
02:27:33
Thank you everyone.
Chris Lewis-Evans (GAC)
02:27:36
thanks bye
Rafik Dammak (GNSO Council Liaison)
02:27:36
Thanks all
Hadia Elminiawi (ALAC)
02:27:37
Milton it is not about curious users