System for Standardized Access/Disclosure: Difference between revisions
Line 123: | Line 123: | ||
* collect request statuses (e.g., approved, denied) from [[CPH|contracted parties]], and | * collect request statuses (e.g., approved, denied) from [[CPH|contracted parties]], and | ||
* gather data on response times from contracted parties for requests of different priorities.<ref>[https://gnso.icann.org/sites/default/files/policy/2022/correspondence/fouquart-to-botterman-27apr22-en.pdf Status Update EPDP Phase 2 & Review of ODA, GNSO Council Letter to ICANN Board, April 27, 2022]</ref><br/> | * gather data on response times from contracted parties for requests of different priorities.<ref>[https://gnso.icann.org/sites/default/files/policy/2022/correspondence/fouquart-to-botterman-27apr22-en.pdf Status Update EPDP Phase 2 & Review of ODA, GNSO Council Letter to ICANN Board, April 27, 2022]</ref><br/> | ||
At ICANN 74, the GNSO held a session on EPDP Phase 2 concerning the latest developments on the creation of what used to be called SSAD. During this session, [[Ash Rangan]] explained how the Whois disclosure system will work. It will: | At [[ICANN 74]], the GNSO held a session on EPDP Phase 2 concerning the latest developments on the creation of what used to be called SSAD. During this session, [[Ash Rangan]] explained how the Whois disclosure system will work. It will: | ||
* use ICANN systems that already exist | * use ICANN systems that already exist | ||
* leverage existing and proven ICANN design patterns already available for use by the [[ICANN Community]] (such as the naming services portal, operating on salesforce), existing technology stacks (ICANN Account operating on okta identity platform), and | * leverage existing and proven ICANN design patterns already available for use by the [[ICANN Community]] (such as the naming services portal, operating on salesforce), existing technology stacks (ICANN Account operating on okta identity platform), and |
Revision as of 16:07, 11 July 2022
The System for Standardized Access/Disclosure (SSAD) is a system proposed to centrally handle requests for non-public registration data, envisioned in Recommendations 1-18 of the Final Report of the GNSO Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data Phase 2.
History[edit | edit source]
- Era of Whois
- GDPR goes into effect (2018)
- The GNSO engages in an EPDP on the Temporary Specification for gTLD Registration Data
- Recommendations 1-18 from TempSpec Phase 2 EPDP Final Report about what to include in a proposed centralized registration data system (SSAD) is sent to ICANN Board
- the ICANN Board requests an ODP to inform its SSAD deliberations, including whether the recommendations are in the best interests of the ICANN Community and ICANN Organization
- research and deliberations take place and ICANN hosts updated/feedback gathering webinars (2021)
- ODP results in an Operational Design Assessment (ODA)
EPDP Phase 2 Final Report & Recommendations[edit | edit source]
Phase 2 of the EPDP Temp Spec was largely focused on recommendation for creations of a system of access and disclosure of anonymized or proxied registration data. Their final report was issued in July 2020.[1] The report's recommendations were intended to be an integrated set of proposals for a system where accredited parties could request nonpublic registration data from a centralized clearinghouse for such request, and the determinations regarding such requests would be delegated to the relevant contracted parties.[2] The recommendations covered a variety of topics:
- Accreditation of SSAD requestors, including governmental entities;
- Required criteria and content of SSAD requests;
- Response requirements;
- Required Service Level Agreements (SLAs);
- Automation of SSAD processing;
- Terms and conditions of SSAD;
- Logging, auditing, and reporting requirements; and
- Implementation of a GNSO Standing Committee charged with evaluating SSAD operational issues and proposing recommendations for improvement to the GNSO Council.
Key Figures[edit | edit source]
From ICANN Org[edit | edit source]
EPDP Phase 2 Small Team[edit | edit source]
An EPDP Phase 2 Small Team was formed to review the SSAD ODA and started meeting in February 2022.[3]
- Alan Greenberg
- Steve DelBianco
- Chris Lewis-Evans
- Laureen Kapin
- John McElwaine
- Terri Agnew (Staff)
- Marika Koning (Staff)
- Berry Cobb (Staff)
- Caitlin Tubergen (Staff)
- Thomas Rickert
- Paul McGrady
- Olga Cavalli
- Stephanie Perrin
- Sarah Wyld
- Greg DiBiase (Alternate)
- Marc Anderson
- Sebastien Ducos
Operational Design Phase[edit | edit source]
ICANN staff launched the Operational Design Phase (ODP) for the SSAD recommendations in April 2021.[4] The ODP provided an opportunity to "assess the potential risks, anticipated costs, resource requirements, timelines, dependencies, interaction with the Global Public Interest Framework that is currently being piloted, and other matters related to implementation of the SSAD-related recommendations (1-18)."[4] Because of the complexity of the system being proposed, the ICANN Board determined that it would be valuable for the organization to engage in that assessment.[5] The Board drafted a scoping paper for the ODP, including questions for consideration.[6]
Key Components[edit | edit source]
ICANN Organization gave an update on the SSAD's key components in November 2021.[7]
Actors | Subcategories | Roles | Subsystems | Requests | |
---|---|---|---|---|---|
Data disclosure requestors | natural and legal persons | * submits the data disclosure request * To be accredited and periodically renewed by the accreditation authority in order to submit data disclosure requests and for verification of requestor identity * Manages authentication details, such as supported electronic IDs (eID) and SSAD-specific identity credentials |
RDAP clients | can be for: * Specific domain names * non-public fields (RFC 8982 - RDAP partial response) * Supporting documentation; * Verified requestor identity (name, organization, country/territory); * Verified requestor declarations; * Confidentiality classification need to include purpose and legal basis priority: * Urgent * ICANN administrative proceedings | |
Governments and IGOs | * submits the data disclosure request * submits the data disclosure request * To be accredited and periodically renewed by the accreditation authority in order to submit data disclosure requests and for verification of requestor identity * Manages authentication details, such as supported electronic IDs (eID) and SSAD-specific identity credentials |
||||
Accreditation Authorities | Central Accreditation Authority | * validates request and relays to the central gateway; * vendor contracted to develop and operate the system that acts as the sole interface with SSAD requestors for verifying requestor identity, managing disclosure requests, authenticating requestors on behalf of the central gateway and contracted parties; * notifies requestor; * Manage billing process for requestors; * Transfer request-processing fees to the central gateway; * delegate some functions to “identity providers” in English; * support verifying requestor declarations of trademark ownership; * billing for accreditation/Identity verification, requestor declaration verification, and disclosure request processing; * support federated authentication of requestors using OpenID Connect |
* Web portal *API |
||
Country/territory governmental accreditation authorities | * designated by country/territory government to Implement the same interfaces as the central accreditation; * notifies requestor; * integrate with the central gateway and contracted parties in their chosen languages; * support the verification of declarations for requests processed automatically (as described in Recommendations 9.4.1 and 9.4.2); * billing for accreditation/Identity verification, requestor declaration verification, and disclosure request processing; * support federated authentication of requestors using OpenID Connect |
||||
Central Gateway | * verifies criteria for automated processing (Rec. 9.4); * notifies contracted parties via email and poll message through the API; * relays determination to accreditation authority; * vendor contracted to develop and operate the system; * can implement a recommendation engine for contracted parties on whether to approve or deny disclosure requests |
* Web portal *API |
|||
Abuse Investigator | * vendor contracted to investigate abuse; * Monitors standard operation metrics, requestor compliance with SSAD terms of service * verifies abuse reports contracted parties and data subjects/public * Provides requestors’ redress mechanism (rec. 13.1.3) |
||||
Contracted parties | Registries | * (secondary) reviews the request and communicates determination back to the central gateway; * may opt out/request an exemption for automated processing of any specific category of disclosure requests from recommendation 9.4; * the sole authorizers of data disclosure requests directed at them |
RDAP service | ||
ICANN-accredited registrars | * (primary) reviews the request and communicates determination back to the central gateway; * may opt out/request an exemption for automated processing of any specific category of disclosure requests from recommendation 9.4; * the sole authorizers of data disclosure requests directed at them |
RDAP service | |||
Auditors | * vendor contracted to audit system | ||||
Data subjects | |||||
ICANN org | Publishes on a quarterly basis a summary of the: * Number of disclosure requests received, Approved/Denied, Automated/Manual * Third-Party purposes/justifications * Complaints per priority level with average response times * Information about the financial sustainability of SSAD * New EDPB guidance or new topical jurisprudence * Technical or system difficulties * Operational and system enhancements * Contractual Compliance is responsible for the investigation of complaints regarding: Contracted parties’ procedural deficiencies in SSAD responses; and Failure to respond to urgent priority requests within the timeframes established by the SLA |
* icann.org portal * NSp |
Projected Specifications and Reasons[edit | edit source]
On December 20, 2021, ICANN Organization and several ICANN Board members briefed the GNSO Council on the initial findings of the org's ODP analysis, including the following details.[8]
Development Timeframe | Development Costs | Operational Costs | Cost Recovery | |
---|---|---|---|---|
Amount | 3 - 4 Years (including parallel IRT for 2 years) | $20M - $27M | $14M - $107M/Year | * Accreditations/Identity Verifications: $86 - $21 (low - high usage) * Requestor Declaration Verification: $190 - $160 (low - high usage) * Disclosure Requests: $40 - $0.45 (low - high usage) |
Reasons | * Selection of vendors * Vendor ramp-up * System development * Legal instrument development * Communications plan and support * Development and confirmation of requirements * Policy document development |
* development outsourced | * Ongoing operations outsourced * User accreditation volume drives cost * ICANN org oversees ongoing operations, vendors, etc. * 7 functions to fill through RFPs |
ICANN Org assumes there will be between 25,000 and 3 million users and 100,000 and 12 million requests based on contracted parties and ICANN Community surveys, RDDS requests, and abuse rates and because requestors may still directly go to the contracted party, bypassing SSAD entirely. |
Operational Design Assessment[edit | edit source]
ICANN org published its Operational Design Assessment on January 25, 2022.[9] The Assessment identified a number of challenges with SSAD as proposed by the recommendations.[10] One of the largest issues was SSAD's interaction with proxy and privacy services offered by registrars. The assessment took note of a study by Interisle from January 2021 that approximated that 86.5% of registered gTLDs were covered by either a proxy service or a privacy shield.[11] As a result, the ODA noted, "the existence of proxy and privacy services poses several challenges to the system’s operations..."[10] The SSAD as designed "assumes the system will only handle base-case requests for data for non-proxy/privacy service registrations,"[10] and does not make any provision to compel production of registration data that is cloaked by a proxy or privacy service. Beyond the expectation that privacy or proxy services provide "full information" about the privacy or proxy service and the means of contacting such services, the Temporary Specification did not address such services. Because the EPDP charter addressed only the text of the Temporary Specification, the handling of proxied or private data was largely unaddressed.[10]
This finding gave rise to substantial concern among the ICANN Board. As Maarten Botterman noted in a letter to the GNSO Council, "[t]here is no guarantee that SSAD users would receive the registration data they request via this system" because such a high volume of registration data is contained within a proxy or privacy service.[12] Botterman's letter was intended to initiate conversation and thought prior to a scheduled meeting of the Board and GNSO Council on January 27, 2022.[12][4] That meeting was a constructive exchange of views on the viability of SSAD, although no conclusions were drawn. In particular, the discussants raised topics such as the merits and costs of accreditation, the legal risks involved in SSAD, the development of a requestor code of conduct, the need for a pilot version, shortening the timeline, and improving the estimate of potential users.
Whois Disclosure System (FKA Simple Ticketing System or SSAD Light)[edit | edit source]
One outcome of the ODA is the development of an idea for a simple ticketing system (STS) designed to centralize requests for registrant information disclosures.[13] If it runs as a pilot version of the SSAD, it will provide data that may help ICANN staff refine the SSAD proposal. Following its review of the ODA and a meeting and several rounds of correspondence with the board, the GNSO Council formed a small team to develop the concept of the simple ticketing system (STS) and ICANN Staff began researching the STS's development cost and timeframe. The STS will document requests' nature, receiving registrars, response speed (if at all), and appropriateness of disclosure. The STS will also yield estimates of how many users and requests to expect of the eventual SSAD.[14]
At the April 2022 GNSO Council meeting, Sebastien Ducos explained that the idea was for the Board to pause any decision on the SSAD and instead enter what was a pilot phase but became a proof of concept phase (as of April 4, 2022) to arrive at a simplified SSAD version to run for up to two years in six-month increments to review/test hypotheses about who, what, when, why in terms of traffic at each interval and estimate what would be required and how to deliver it.[15]
On April 27, 2022, the GNSO Council requested that while its STS small team worked on the proof of concept now called the "SSAD Light," the ICANN Board pause consideration of the SSAD recommendations.[16]
The SSAD Light Concept was developed by ICANN Org to reflect the small team's recommendations for a more affordable, simpler ticketing system, which will not include:
- all the EPDP Phase 2 policy recommendations,
- central or governmental accreditation authorities,
- identity verification of requestors,
- an abuse investigator,
- an obligation or expectation of automated processing of certain requests by contracted parties, or
- billing since ICANN will not pass operational costs to requestors.
Instead, the SSAD Light proof of concept will:
- be based on the design described in the SSAD ODA,
- incorporate changes in the design to allow for a more effective model,
- minimize development and operational costs of the system,
- collect request statuses (e.g., approved, denied) from contracted parties, and
- gather data on response times from contracted parties for requests of different priorities.[17]
At ICANN 74, the GNSO held a session on EPDP Phase 2 concerning the latest developments on the creation of what used to be called SSAD. During this session, Ash Rangan explained how the Whois disclosure system will work. It will:
- use ICANN systems that already exist
- leverage existing and proven ICANN design patterns already available for use by the ICANN Community (such as the naming services portal, operating on salesforce), existing technology stacks (ICANN Account operating on okta identity platform), and
- rely on in-house expertise and users.
The Whois disclosure system needs to be written but will be a traffic cop in the middle. The latest version of this proof of concept or minimal viable product proposal involves the removal of authentication. What's left are accreditation and access.<ref>GNSO:EPDP Phase 2 Session, ICANN 74
References[edit | edit source]
- ↑ EPDP Temp Spec Workspace - Phase 2 Final Report, July 31, 2020.
- ↑ ICANN.org Blog - EPDP Phase 2 Team Publishes Final Report, August 10, 2020
- ↑ EPDP Phase 2 Small Team, ICANN Community
- ↑ 4.0 4.1 4.2 ICANN.org - SSAD Operational Design Phase Dashboard, last updated January 25, 2022
- ↑ Resolution of the Board initiating the SSAD ODP, March 25, 2021
- ↑ ICANN.org - SSAD Non-Public Registration Data ODP Scoping, March 25, 2021
- ↑ SSAD ODP Update Presentation, Nov 2021, ICANN
- ↑ Estimated SSAD Costs and Fees Presented to GNSO Council, ICANN Blogs
- ↑ ICANN.org - ICANN Delivers ODA of SSAD Recommendations, January 25, 2022
- ↑ 10.0 10.1 10.2 10.3 ICANN.org - SSAD Operational Design Assessment, January 25, 2022
- ↑ Interisle.net: WHOIS Contact Data Availability and Registrant Classification Study, January 2021, page 3 (PDF)
- ↑ 12.0 12.1 GNSO Council Listserv Archive - Board to Council re: Upcoming SSAD Consultation, January 24, 2022
- ↑ ICANN SSAD Proposal Poised to Succeed, Paul McGrady, CircleID
- ↑ ICANN SSAD Proposal Poised to Succeed, Paul McGrady, CircleID
- ↑ GNSO Council Meeting April 4, 2022, Transcript pg. 16, GNSO, ICANN.org
- ↑ Status Update EPDP Phase 2 & Review of ODA, GNSO Council Letter to ICANN Board, April 27, 2022
- ↑ Status Update EPDP Phase 2 & Review of ODA, GNSO Council Letter to ICANN Board, April 27, 2022