Privacy and Proxy Service Provider Accreditation. ICANN58 Working Meeting 11 March 2017

Similar documents
Final Report on the Privacy & Proxy Services Accreditation Issues Policy Development Process

RDAP Implementation. Francisco Arias & Gustavo Lozano 21 October 2015

Registrar Session ICANN Contractual Compliance

RDAP Implementation. 7 March 2016 Francisco Arias & Gustavo Lozano ICANN 55 7 March 2016

IGO/INGO Identifiers Protection Policy Implementation. Meeting with the IRT 9 March 2016

Intellectual Property Constituency (IPC)

Whois Study Table Updated 18 February 2009

Progress Report Negotiations on the Registrar Accreditation Agreement Status as of 1 March 2012

Topic LE /GAC position Registrar Position Agreement in Principle 1. Privacy and Proxy services

Introduction. Prepared by: ICANN Org Published on: 12 January 2018

Rights Protection Mechanisms: User Feedback Session

Next Steps for WHOIS Accuracy Global Domains Division. ICANN June 2015

Draft Thick RDDS (Whois) Consensus Policy and Implementation Notes

Law Enforcement Recommended RAA Amendments and ICANN Due Diligence Detailed Version

Proposed Final Report on the Post-Expiration Domain Name Recovery Policy Development Process Executive Summary

Internet Corporation for Assigned Names & Numbers Contractual Compliance Update

ISSUE CHART FOR THE GNSO RAA REMAINING ISSUES PDP ON PRIVACY/PROXY SERVICES

ICANN Contractual Compliance. ALAC Mee(ng. Sunday, 23 March 2014 #ICANN49

GNSO Council Report to the ICANN Board Locking of a Domain Name subject to UDRP Proceedings PDP

ICANN GDPR Proposed Models Redaction Proposal EXECUTIVE SUMMARY:

Registrar Stakeholder Mee2ng Tuesday, 25 March 2014

Update on ICANN Domain Name Registrant Work

Post-Expiration Domain Name Recovery PDP. Presentation of Final Report

Contractual Compliance. Text. IPC Meeting. Tuesday, 24 June 2014 #ICANN50

Contractual Compliance Update ICANN 52 February 2015

Improving WHOIS- An Update. 20 November, 2013

ICANN Contractual Compliance. IPC Mee(ng. Tuesday, 25 March 2014 #ICANN49

Internet Corporation for Assigned Names & Numbers Contractual Compliance Update

Contractual Compliance

en.pdf

Attachment 3..Brand TLD Designation Application

General Update Contractual Compliance Initiatives and Improvements Audit Program Update Complaints Handling and Enforcement Summary

Reviewing New gtld Program Safeguards Against DNS Abuse. ICANN Operations and Policy Research 28 January 2016

Attachment 3..Brand TLD Designation Application

The registration of Domain Names will be centralized and managed through all DOT accredited Registrars selected by the Registry.

Advisory Statement: Temporary Specification for gtld Registration Data

Proposed Interim Model for GDPR Compliance-- Summary Description

Part 1: Items that Contracted Parties Need from ICANN before May 25 - Prior to Implementation

Registry Internet Safety Group (RISG)

Update on Whois Studies

General Data Protection Regulation (GDPR)

WHOIS Accuracy Reporting System (ARS): Phase 2 Cycle 1 Results Webinar 12 January ICANN GDD Operations NORC at the University of Chicago

TRANSMITTED VIA ELECTRONIC MAIL, FACSIMILE, AND COURIER RE: NOTICE OF BREACH OF REGISTRAR ACCREDITATION AGREEMENT

PURPOSE STATEMENT FOR THE COLLECTION AND PROCESSING OF WHOIS DATA

SME License Order Working Group Update - Webinar #3 Call in number:

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

General Update Contractual Compliance Initiatives and Improvements Audit Program Update Complaints Handling and Enforcement Summary

All Things WHOIS: Now and in the Future

Contractual Compliance Update. Contractual Compliance ICANN 57 5 November 2016

.LATROBE TLD REGISTRATION POLICY

Domain Hosting Terms and Conditions

Grid Security Policy

REGISTRY POLICY STATEMENT ACCEPTABLE USE POLICY AND TERMS OF SERVICE

1. Anti-Piracy Services. 2. Brand Protection (SAAS) 3. Brand Protection Services. Data Protection and Permitted Purpose. Services

Post-Expiration Domain Name Recovery PDP Initial Report Update to the GNSO Council. Saturday, 19 June 2010

Schedule Identity Services

Report on Registrar Whois Data Reminder Policy Survey

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Ferrous Metal Transfer Privacy Policy

Current Status of WG Activities

Domain Names & Hosting

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

OnlineNIC PRIVACY Policy

2. COLLECTIO OF PERSO AL I FORMATIO

North American Portability Management, LLC Transition Oversight Manager. TOEP Webcast December 12, 2017

ICANN Contractual Compliance Proforma DNS Infrastructure Abuse November 2018 Registry Audit Request For Information (RFI)*

TRANSMITTED VIA ELECTRONIC MAIL, FACSIMILE, AND COURIER RE: NOTICE OF BREACH OF REGISTRAR ACCREDITATION AGREEMENT

Trademark Clearinghouse. Rights Protection Mechanism Requirements (Revised 6 Aug 2013)

Exploring Replacements for WHOIS A Next Generation Registration Directory Service (RDS)

Privacy Policy. I. How your information is used. Registration and account information. March 3,

Asian Domain Name Dispute Resolution Centre (Beijing Office)

COPENHAGEN ICANN GDD: Privacy and Proxy Service Provider Accreditation Program

Proposal for a model to address the General Data Protection Regulation (GDPR)

TRANSMITTED VIA ELECTRONIC MAIL, FACSIMILE, AND COURIER

Inter-Registrar Transfer Policy (IRTP) Audit Report

HPE DATA PRIVACY AND SECURITY

Registration Abuse Policies Final Report. Greg Aaron, RAPWG Chair Sunday, 20 June 2010

TRANSMITTED VIA ELECTRONIC MAIL, FACSIMILE, AND COURIER

Summary of Expert Working Group on gtld Directory Services June 2014 Final Report

VERISIGN' June 20, 2017 VIA

Privacy and WHOIS Data Policy

The IDN Variant TLD Program: Updated Program Plan 23 August 2012

DRAFT: gtld Registration Dataflow Matrix and Information

Update on GNSOrequested. Studies. Liz Gasster Senior Policy Counselor ICANN. 14 March 2012

Summary of Public Suggestions on Further Studies of WHOIS including the GAC recommendations of 16 April Updated 10 May 2008

Post- Expira,on Domain Name Recovery PDP WG. ICANN San Francisco March 2011

IATF Transition Strategy Presenter: Cherie Reiche, IAOB

INTELLECTUAL PROPERTY CONSTITUENCY COMMENTS ON PROPOSED INTERIM MODELS FOR ICANN COMPLIANCE WITH EU GENERAL DATA PROTECTION REGULATION

Contractual ICANN. An Overview for Newcomers 11 March 2012

ACCEPTABLE USE POLICY

PRIVACY POLICY Let us summarize this for you...

Name Collision Mitigation Update

WHOIS ACCURACY PROGRAM SPECIFICATION

DNS Abuse Handling. FIRST TC Noumea New Caledonia. Champika Wijayatunga Regional Security, Stability and Resiliency Engagement Manager Asia Pacific

Data Processing Agreement

Learning Management System - Privacy Policy

TRANSMITTED VIA ELECTRONIC MAIL, FACSIMILE, AND COURIER RE: NOTICE OF BREACH OF REGISTRAR ACCREDITATION AGREEMENT

Matters Related to WHOIS

NebraskaLink Acceptable Use Policy

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Transcription:

Privacy and Proxy Service Provider Accreditation ICANN58 Working Meeting 11 March 2017

Agenda 13:45-15:00 15:00-15:15 15:15-16:45 Timeline Check; Policy Document Update; Third- Party Requests Break PSWG Discussion 16:45-17:00 17:00-18:00 18:00 Break Registrar Subteam Discussion Wrap-up, Next Steps 3

Timeline Check

Project Timeline Originally projected Policy Effective Date: 1 January 2019 Increased pace to better align with expiration of interim Registrar Accreditation Agreement specification (1 January 2018) Estimated posting of draft Policy and Contract for public comment: September 2017 Final announcement date will depend on extent of changes needed based on public comments ICANN org will assess timeline status quarterly with IRT 5

Steps to Public Comment: Projected March 2017 April 2017 May 2017 June 2017 July 2017 August 2017 Review of Policy Document Policy Review; Contract Questions LEA Framework; De- Accreditation/ Transfers Contract Review Contract Review Finalize Materials for Public Comment Public Comment 6

Privacy/Proxy IRT Timeline (updated February 2017) Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ICANN Drafting: PPAA Public Comment Period LEA Proposal Drafting IRT Policy Review Final Program Announced; Operational and Compliance Readiness (will extend into 2018)* IRT Review: PPAA * Timing could be impacted significantly by scope of work required after public comment period. 7

Status Check: Updated Policy Document

Overview: Updated Policy Document Draft proposed outline distributed to IRT in November Discussed high-level questions about draft Policy sections in January/February Structure modified based on IRT discussions Draft v2 significantly shorter than v1 Many detailed requirements will be saved for contract IRT will review text in coming weeks 9

Third-Party Requests

Third-Party Requests Final Report included recommendations related to thirdparty: o Abuse Reports o Relay Requests o Intellectual Property-Related Requests o Reveal Requests (ToS recommendations only) Final Report recommended, A uniform set of minimum mandatory criteria that must be followed for the purpose of reporting abuse and submitting requests (including requests for the Disclosure of customer information) should be developed. 11

Third-Party Requests Step 1: Compile all known requirements for each type of request from Final Report Step 2: IRT to identify gaps, considering: o Who can submit a request? o What does request need to include? o Required Provider actions in response to request? Step 3: Jointly develop solutions based on other known requirements (registrar) and industry best practices and known provider practices 12

Known Requirements for All Third-Party Requests/Reports Receiving Reports o Providers should have ability to categorize reports o Reporting forms should include space for free-form text o Providers shall publish link to request form containing minimum mandatory criteria Escalation of Requests o Providers must publish and maintain mechanism for requesters to follow up on or escalate request 13

Known Requirements for All Third-Party Requests/Reports Terms of Service o ToS shall indicate clearly the grounds upon which Customer details may be Disclosed or Published or service suspended or terminated o ToS shall indicate clearly that requester will be notified in a timely manner of the Provider s decision to (a) notify Customer of the request and (b) whether or not the Provider agrees to comply with the request 14

Abuse Reports (Non-LEA) Who can report? o No eligibility restrictions How to report? o Question to IRT: Can abuse reporting option be a form, or is email address required (mirroring RAA requirement)? o Final Report: The WG noted with approval a recommendation that we consider alternative abuse report options other than publishing an email address on a website and in WHOIS output (to address increasing volumes of spam). 15

Abuse Reports (Non-LEA): How to Define Abuse? Abuse Report Criteria: o Report must allege abuse o o Question to IRT: How to define abuse? Final Report (p. 12) suggested starting with new gtld Registry Agreement PIC Specification and Beijing GAC Communique 16

Abuse Reports (Non-LEA): How to Define Abuse? Lists of abusive activity referenced in Final Report are nearly identical (difference noted in red): o Beijing Communique: distribution of malware, operation of botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law o PICs Specification: distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law 17

Abuse Reports (Non-LEA): Proposed Abuse Definition Proposed Definition of Abuse: distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law Question to IRT: Is this definition of abuse consistent with the intent of the PDP Working Group? Question to IRT: Do you see other gaps where minimum criteria are needed for abuse reports? 18

Abuse Reports (Non-LEA): Required Response Provider Actions Required in Response to Abuse Reports o Requirement From Final Report: Maintain designated point of contact that is capable and authorized to investigate and handle requests (p. 12-13) o Question for IRT: Where Final Report is silent on required Provider actions after receiving an abuse report, did WG intend for requirements to mirror RAA? 19

Abuse Reports (Non-LEA): Required Response Provider Actions Required in Response to Abuse Reports o Proposed Requirement 1 Based on RAA Section 3.18.1: Provider SHALL take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse o Question to IRT: Is this consistent with PDP WG intent? o Question to IRT: Did WG intend any greater specificity here beyond RAA requirement? 20

Abuse Reports (Non-LEA): Required Response Provider Actions Required in Response to Abuse Reports o Proposed Requirement 2 Based on RAA Section 3.18.3: Provider SHALL publish on its website a description of its procedures for the receipt, handling and tracking of abuse reports. The Provider SHALL document its receipt of and response to all such reports. The Provider shall maintain the records related to such reports for the shorter of two (2) years or the longest period permitted by applicable law, and during such period, SHALL provide such records to ICANN upon reasonable notice. o Question to IRT: Is this consistent with PDP WG intent? 21

Relay Requests Who can request relay? o No restrictions How to request relay? o Final Report: Relay electronic requests received including via email and web forms (p. 14) 22

Relay Requests Required Provider actions in response to Relay requests: 1. Relay all communications required by the Registrar Accreditation Agreement and ICANN Consensus Policies; and either: 2. Relay all electronic requests received (may implement safeguards to filter spam and abusive communications); or 3. Relay all electronic requests received from LEA and third parties containing allegations of domain name abuse. 23

Relay Requests Question to IRT: For option 2, should abuse be defined consistently with the definition used for abuse reporting? Question to IRT: Do you see any gaps in required Provider actions on Relay where additional criteria may be needed? Possible gap 1: Ensuring Relayed communications reach Customers o Question to IRT: Should Providers be required to test email forwarding to Customers to ensure forwarding is working properly? 24

Relay Requests Possible gap 2: Timing of Relay Final Report: All third party electronic requests alleging abuse by a P/P service customer will be promptly Relayed to the customer. A Requester will be promptly notified of a persistent failure of delivery that a P/P service provider becomes aware of. Question to IRT: Should there be a required timeframe for the mandatory Relay? 25

Reveal Requests Very few requirements for Reveal in Final Report Who can request? No restrictions How to request? o No restrictions; Final Report seemed to imply that a form-based option could be used o o Question to IRT: Do you see any gaps where minimum mandatory criteria should be developed? Question to IRT: Should there be target service level commitments for request responses? 26

Reveal Requests Terms of Service Requirements o ToS shall indicate clearly the grounds upon which Customer details may be Disclosed or Published or service suspended or terminated o ToS shall indicate clearly that requester will be notified in a timely manner of the Provider s decision to (a) notify Customer of the request and (b) whether or not the Provider agrees to comply with the request 27

Break: We Will Resume at 15:15

Public Safety Working Group Discussion

PSWG Discussion: Background Final Report did not include a Law Enforcement Authority disclosure framework, but said that: o Accredited Providers must, upon LEA request, relay all communications that contain allegations of abuse; o o Accredited Providers should comply with express requests from LEA to keep a request confidential where this is required by applicable law; and Any future LEA framework should require certain minimum requirements. 30

PSWG Discussion: Background Minimum requirements for any future LEA framework: o Requester must agree to comply with all applicable data protection laws and to use any information disclosed to it solely to determine whether further action is warranted, to contact the customer, or in a legal proceeding; o Framework should exempt disclosure where the customer has provided or Provider has found, specific information, facts or circumstances showing Disclosure would endanger Customer s safety. 31

PSWG Discussion: Background In December, Board directed ICANN org to encourage dialogue between IRT and PSWG to address GAC concerns during implementation IRT LEA issues subteam convened (16 members) Request sent to PSWG (in January) to develop strawman proposal for LEA framework to be developed with the subteam before presentation to the full IRT 32

Drafting of LEA Disclosure Framework Current Status o ICANN GDD requested that PSWG draft a proposal in consultation with IRT o Nick Shorey (UK) issued a call for volunteers to GAC and PSWG in Dec. 2016 o A PSWG Task Force of 7 members was formed in Jan. 2017 and has started meeting and deliberating issues 33

Drafting of LEA Disclosure Framework Key Questions o Definition of a Law Enforcement Authority and issue of jurisdiction o o o Definition of requirements for acceptable disclosure request Processing and prioritization of requests Notification of registrant Next Steps o Further drafting, PSWG and GAC briefings during ICANN 58 and securing GAC endorsement of Draft Framework when appropriate 34

Break: We Will Resume At 17:00

Registrar Subteam Discussion

Registrar Subteam Question 1 Final Report: Registrars are not to knowingly accept registrations from privacy or proxy service providers who are not accredited through the process developed by ICANN. (p. 7) Question to IRT/Subteam: How do you envision registration lifecycle when Provider is not Affiliated with Registrar? o This could impact labeling and other requirements Question to IRT/Subteam: Should there be a mechanism to authenticate unaffiliated providers? 37

Registrar Subteam Question 2 Final Report: Registrars are not to knowingly accept registrations from privacy or proxy service providers who are not accredited through the process developed by ICANN. For non-accredited entities registering names on behalf of third parties, the WG notes that the obligations for Registered Name Holders as outlined in Section 3.7.7 of the 2013 RAA would apply. Discussion Question (first raised 10 Jan): What should a registrar be required to do when it becomes aware of a registration involving an unaccredited provider? 38

Registrar Subteam Question Alternatives Previously Raised for Discussion Registrar could treat situation as a WHOIS accuracy issue and verify/re-verify the email address (this may not reach root issue because email may be working). Registrar could be required to notify unaccredited Provider of the requirement that Providers maintain ICANN accreditation, and provide Provider/Customer a period of time to remedy the situation before suspending the registration. In all cases, should allow significant period for onboarding before enforcing this requirement. 39

Wrap-Up, Action Items and Next Steps

Engage with ICANN Thank You and Questions Email: amy.bivins@icann.org IRT wiki: https://community.icann.org/display/irt/privacy+an d+proxy+services+accreditation+implementation twitter.com/icann soundcloud.com/icann facebook.com/icannorg weibo.com/icannorg youtube.com/user/icannnews flickr.com/photos/icann linkedin.com/company/icann slideshare.net/icannpresentations 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback