[Gnso-epdp-team] IPC Proposal for Day 1 Automation

Mueller, Milton L milton at gatech.edu
Mon Feb 3 16:51:31 UTC 2020


Brian
If you are being realistic, you are going to have to get yourself and your constituency mentally ready for the fact that TM challenges are never going to be automated. A TM-based disclosure request for domain registration data will in all cases involve a balancing test of two fundamental rights: the IP owner's property right and the registrant's privacy right. It is impossible for automated disclosure to encompass a balancing test.

The logical basis of your argument is, "humans have failed us because they didn't approve all of our requests." With this argument, you could not be doing a better job of making my case for me. Your request for automation is in essence a demand for all of your requests to be granted. It is founded on the notion that any disclosure request an IP owner makes is legitimate and cannot be wrong. We have already been told that this is not legal, because that is the old Whois.

Can you answer a simple question for me? What is the point of having ANY redacted data if any TM or IP owner can get it automatically whenever they think they need it?

--MM

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of King, Brian via Gnso-epdp-team
Sent: Sunday, February 2, 2020 9:39 PM
To: gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] IPC Proposal for Day 1 Automation

Hi Milton,

We have drafted what we think are legally sufficient safeguards, and despite our request,  we note that you did not suggest any further safeguards. I take this to mean that you have legal comfort with the safeguards we have suggested, and that you have policy (as opposed to legal) concerns with automating this use case. We're happy to engage in constructive policy conversations around any additional safeguards you think are needed to minimize the potential for abuse - to be clear though, are your concerns legal concerns, or policy concerns?

In case I'm mischaracterizing your concerns as policy-only, I tried to be clearly "legal" in my comments in line with your message below.

"Policy" comments follow here:


  1.  Your assertion that prima facie reasonable requests will be granted is wholly inconsistent with IP owners' experience under GDPR. MarkMonitor's industry-best brand protection analysts manually sent requests to over 50 registrars for over 1000 domain names infringing more than 15 of the most well-known brands in the world, and were ignored or denied over 85% of the time. With very few exceptions, humans have largely failed IP interests.



  1.  All parties (except some folks in NCSG, maybe?) prefer automation to maximize predictability and standardization, and minimize cost, so long as automation is legally sound. We think in this case, it is.



  1.  In a broader sort of "balancing test," we offer the following perspective: the DNS allows bad actors to infringe IP fundamental rights without manual preliminary review. The only ex ante safeguard the DNS offers IP fundamental rights is that registrants must merely agree that they're not infringing, and in some limited cases (for new gTLDs) they may be notified that their registration could be infringing. There is no benefit of manual preliminary review to protect the fundamental rights of IP owners.



In seeking legal, automated access in limited cases, we are merely proposing closer-to-equal treatment for the fundamental rights our group represents. In fact, the IPC has actually proposed far greater safeguards for infringing registrants than IP owners receive. Registrants are not subject to limits on how many domain names they can register; however, we are proposing reasonable limits requestors' access. Registrants are not required to prove their identity or become "accredited" before they can register a domain name; however, we are proposing that all SSAD users are accredited. Registrants are not subject to being "de-accredited" from the DNS for infringement; however, we are proposing de-accreditation from SSAD for abusive users.



The fundamental rights we represent do not receive the benefit of manual ex ante review, and to be clear, we're not asking for that here. We do, however, need to decide as a policy matter to come closer to restoring balance to the force. We must do that by ensuring access that is not unnecessarily delayed or made unreliable by unnecessary manual review.



Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> On Behalf Of Mueller, Milton L
Sent: Friday, January 31, 2020 4:59 PM
To: gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] FW: IPC Proposal for Day 1 Automation

Brian:

>Since the free speech example would not be trademark infringement, the
>requestor could not cite that basis to request data for a domain like this.

LOL. That's the problem with automation, Brian. They could cite any basis they pleased and they would get the data. There would be no opportunity to challenge it. No one would even see it.

-They really couldn't. In this use case, we're talking about limited cases where someone has a fundamental right to their intellectual property. That fundamental right further needs to be registered in a government registry (although many IP rights do not require such registration), and their ownership of the trademark needs to be verified by the ICANN-run Accreditation Authority. Then, we're proposing to limit their requests to domain names which contain exactly the string of characters to which the requestor has a fundamental right to some exclusivity, and which they allege is infringing. So, the "they" is extremely limited to entities with established fundamental rights, and the "basis" is limited solely to pursuing the alleged TM infringement.

> Remember that in this use case we're requiring that the requestor allege
> infringement, and fraud or misrepresentation can result in deaccreditation.
>The additional noteworthy safeguards we mention below are tied to this
>representation: that the requestor has a good-faith belief that the domain name is infringing.
>Do you think additional safeguards are required? If so, why? Which ones would you suggest?

Trademark owners often sincerely believe that any use of their mark in any circumstance is an infringement. I invite you to read 1,000 UDRP cases or so if you doubt this. This is no safeguard at all.

-You're missing the value of this safeguard:
1. Requiring this representation allows ICANN to rely on it. This, coupled with the extensive upfront TM validation referenced above and the other safeguards, gives ICANN clear legal basis to disclose in the limited circumstances we're considering here.
2. Requiring this representation has three benefits vis-à-vis the requestor: a) it serves as grounds for de-accreditation of abusive requestors, b) it serves as a deterrent against the same (e.g. attorneys would be barred by ethics rules from making bad-faith requests), and c) TM owners are required by law to police the use of their marks at the risk of losing legal protection, and losing this ability is an incredibly strong deterrent against abuse.

And oh by the way, if the process is automated how is anyone supposed to know what was alleged and how well the allegations matched the actual case? By doing a laborious after the fact log check after millions of disclosures have been made?

-Yes, we have this covered in the logging and auditing portions of the initial report. Do you have any suggestions for improvements on those?

Do we both understand the meaning of the term "automated" here? It means, you enter a query and you get results, no human intervention.

-Yes, this feature is cost-saving and risk-mitigating. The human intervention is actually quite extensive, and it's done upfront in policy making, accreditation, etc.

>As a final point on your note below, it seems like you think the legal standard for disclosure
>is proof of infringement.

No of course I do not think that. You do not need to prove infringement to get disclosure. But we are not having an argument about the criteria for disclosure, we are having an argument about when we can _automate_ disclosure.  You seem to be assuming that if these requests are not automated there will be no disclosure. Clearly that is not the case. You will make a request, it will be reviewed by a human, and if it is prima facie reasonable, you will get disclosure. I will even say that in most cases disclosure will be routine, because the pattern of a domain suspect of trademark infringing is quite common. But routinization is not automation. You can have the former but not the latter.

Dr. Milton L Mueller
School of Public Policy
Georgia Institute of Technology
[IGP_logo_gold block_email sig]


Hi Milton,

The penultimate sentence in your note below is unhelpful, factually incorrect, and inconsistent with guidance we've been given repeatedly not to attribute motive to others' positions. That said, we welcome substantive discussion on our proposal and invite you to engage in that manner going forward.

Since the free speech example would not be trademark infringement, the requestor could not cite that basis to request data for a domain like this. Remember that in this use case we're requiring that the requestor allege infringement, and fraud or misrepresentation can result in deaccreditation. The additional noteworthy safeguards we mention below are tied to this representation: that the requestor has a good-faith belief that the domain name is infringing. Do you think additional safeguards are required? If so, why? Which ones would you suggest?

As a final point on your note below, it seems like you think the legal standard for disclosure is proof of infringement. That's not the case. GDPR allows processing for the "establishment, exercise or defence of legal claims" (emphasis here on establishment, as opposed to proof). Processing for the establishment of legal claims is explicitly allowed above the data subject's right to erasure, right to restriction of processing, and right to object.

Again, we welcome constructive suggestions as to what additional safeguards you think might be needed to ensure the data is requested for the establishment of a legal claim. Thank you.

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> On Behalf Of Mueller, Milton L
Sent: Thursday, January 30, 2020 1:14 PM
To: gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] FW: IPC Proposal for Day 1 Automation


Brian there are many holes in this call for automation.
The most obvious being that the presence of an exact string match of a trademark is not by itself an infringement of a trademark.
There are many cases of free expression use of a string, such as "don't-buy-nike.TLD"
There are accidental string matches or generic uses. There are uses in different industries that are not confusingly similar.
Your mention of the so-called "noteworthy safeguards" is laughably irrelevant, as it basically presumes that the requestor's interest in disclosure is proof of infringement.
While MarkMonitor's business interest in automatic searching, requesting and intimidation of domain name registrants via demand letters is clear, I do not think that our policies need to be built around those business interests. If you believe a domain is infringing, file a UDRP.

Dr. Milton L Mueller
School of Public Policy
Georgia Institute of Technology



From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> On Behalf Of King, Brian via Gnso-epdp-team
Sent: Monday, January 27, 2020 3:52 PM
To: gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] IPC Proposal for Day 1 Automation

Hello EPDP Team,

Please find below our first proposal for automated disclosure.

Trademark Infringement in Domain Name

Requestor Safeguards

  1.  Accreditation Authority determines that the trademark is valid.
  2.  Accreditation Authority determines that Requestor is the legal owner, agent, or service provider of the trademark.

Request Safeguards

  1.  Requestor alleges that the domain name infringes Requestor's trademark.
  2.  Requestor states its own legal basis and purpose for processing the data. Requestor makes a syntactically correct and complete request, including any/all required Authorization Assertions. Requestor makes all representations required by policy: use will be limited to stated purpose, data retention, etc.
  3.  Domain string contains exact match of trademark string (potentially including prefix or suffix, e.g. "nike-shoes.TLD" or "cheap-nike.TLD").

Additional Noteworthy Safeguards

  1.  Registrant committed not to infringe the rights of third parties in its registration agreement, as required by the RA and RAA.
  2.  Registrant was informed at the time that its data was collected that it could be processed for third-party purposes, including intellectual property protection.

In these cases, disclosure can be automated.


Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200203/535d28a9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2683 bytes
Desc: image001.jpg
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200203/535d28a9/image001-0001.jpg>


More information about the Gnso-epdp-team mailing list