[Gnso-epdp-team] SSAD Use Cases which are automatable

Mon Feb 3 10:11:23 UTC 2020

Hi Mark,

I think we can agree on use case 1.

Use case 2 has the issues I outlined in my mail to Brian. I doubt that 
any TM claim can be as clear cut as you assume.

Use case 3 should be ok in most cases, but it might break down in 
smaller towns or villages in the countryside where there are only 5-10 
houses and two familiy names. Naming the city field there could already 
considered as providing personal information. But I give you that one as 
an extreme edge case, in most cases it should be fine.

Use case 4 is generally possible, I assume, but it may be helpful to add 
additional safeguards here to prevent abuse of this process to 
circumvent the existing redactions.

Use case 5 requires ICANN accepting its controllership (as you outlined) 
and a need for the specific data. If the investigation is possible with 
redacted data, the need for this processing activity goes away. Data 
accuracy investigations are not an ICANN remit for example, but the 
investigation of a registrars obligation to the same is.

Use case 6 only applies if the DPA is competent for the disclosing 
party. I think this could be merged with use case 1.

Use case 7 could be made workable, however there should be a 
verification element included in the reegistry policies to avoid 
registrants who circumvented an unchecked policy requiry.

Use case 8 will need to be further investigated for validity of the 
consent provided at registration.

Use case 9: You mean domain name, not TLD? The problem is that this can 
change at any time, and ownerchanges are not necessarily listed as a 
"domain updated" event. And the SSAD system would not know whether an 
update to the registration data has occurred.

Use case 10: Same issue as UC 9. Also please detail how an automated 
process would detect "patently false information".

Use case 11: There is no use case 11?

UC 12: "Involved in" also includes victims of website hacking? Then no.

UC 13: How would the SSAD system detect phishing activity? Also see my 
comments in my mail to Brian.

Bonus: UC 14: Domain flagged by disclosing party as disclosable. Not 
sure how this would be implemented, but I would assume we would want an 
ability for a data subject to consent to automated disclosure, or for a 
contracted party to determine whether automated disclossure is possible 
for any given domain name.

These thoughts are my own, we have not yet internally discussed on the team.

Best,

Volker

Am 27.01.2020 um 22:16 schrieb Mark Svancarek (CELA) via Gnso-epdp-team:
>
> Feedback requested.
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200203/a8d6f95d/attachment-0001.html>