[Accred-Model] Fwd: RiskIQ Code of Conduct

jonmat jdm at riskiq.net
Sun Jun 24 05:31:57 UTC 2018


I sent the email below from an email with a personal identifier by
accident. So sending from this one to make sure it gets through. Sorry if
both come through for any inconvenience.

---------- Forwarded message ---------
From: jonathan m <jonathan.matkowsky at riskiq.net>
Date: Sat, Jun 23, 2018 at 9:44 PM
Subject: RiskIQ Code of Conduct
To: accred-model at icann.org <accred-model at icann.org>


Under the RiskIQ code of conduct for legitimate access requests, which we
will deposit with ICANN after it's approved by the Commission (we will work
through the ICO), we have competency to make a privacy impact assessment
which doesn't necessarily take more than a few minutes but could take
longer. This doesn't mean that the registrant cannot object and freeze the
processing temporarily. If that happens, the ICO could be notified and help
resolve the matter assuming a complaint is lodged but first they have to
try and resolve the difference with us. If the legitimate interest is
compelling, it can override the objection as long as the processing is
strictly necessary and the legitimate interest at stake is compelling
enough to override those inherent freedoms and rights of the individual.
However, there are also circumstances where the safety of RiskIQ or its
customers would be threatened by providing a right to object. If ICANN
could be trusted to step up to the plate, we possibly could use them to
protect our identity but still provide the right to object because our code
provides a reference id that is provided for the person to know how to
complain to ICO (that's who we happen to be using for our code of conduct
approval but it could be any competent authority) or the EDPB, and ICO and
EDPB will know how to reach RiskIQ's DPO. The registrar has an absolute
right under our Code to challenge our assessment that the rights and
freedoms of the individual are outweighed by the legitimate interest under
which the processing is based. We expect RDAP to accommodate our code of
conduct once it's deposited with ICANN after being approved by ICO and sent to
the Commission.

Our code covers any digital threat related to cybersecurity, privacy,
network and information security, anti-fraud and intellectual property. If
the registrar objects, then depending on the situation, we'll involve WIPO,
the courts, law enforcement, public officials and/or computer emergency
response teams.

So even if our conformance with the code were accredited, RDAP would not
give access automatically. The benefit of RDAP is that the registrars
aren't equipped to handle the volume of our requests where we all agree as
a processor of the registrar controller that the controller should disclose
the data fields. RDAP will help the registrars not have to worry about
using rate limiting to control abuse because RDAP will verify us as
supervised by ICO. We also need it for the reasons explained by the APWG
when it comes to the hashing proposal we originally recommended. We don't
see ICANN compliance as relevant to mitigating threats because their
process developed through a failed multistakeholder model is embarrassingly
slow. We still plan to hold it accountable as maybe ICANN will wake up and
do its job before it's too late for their own good.

Jonathan Matkowsky
RiskIQ, Inc.
VP - Cybersecurity, Privacy & Intellectual Property
JD, CIPT, CIPP/EU