<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoBodyText, li.MsoBodyText, div.MsoBodyText
{mso-style-priority:4;
mso-style-link:"Body Text Char";
margin-top:0in;
margin-right:0in;
margin-bottom:12.0pt;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
span.BodyTextChar
{mso-style-name:"Body Text Char";
mso-style-priority:4;
mso-style-link:"Body Text";
font-family:"Times New Roman",serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:193226485;
mso-list-type:hybrid;
mso-list-template-ids:1039179958 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt">Below and attached is input from the ICANN Business Constituency (BC), in response to ICANN’s Request for Information on Identity Verification Methods for SSAD.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Dear ICANN:<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">On behalf of ICANN’s Business Constituency (BC), the following is submitted in reply to ICANN’s Request for Information: Systems and Processes for Standardized System
for Access and Disclosure (SSAD). While the BC does not intend to place a formal bid, our constituency is grateful to ICANN for the opportunity to lodge its constructive thoughts and recommendations.
<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Our input is provided in specific reply to Question 31 in RFI Sec. 6.5:<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-left:.5in"><i><span style="font-family:"Calibri",sans-serif">If you have any additional information, ideas, knowledge, assumptions, or comments related to this initiative that you think would be beneficial to share, please
provide a file attachment of the same here (in the ICANN Sourcing tool).<o:p></o:p></span></i></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">The BC welcomes the opportunity to contribute and invites ICANN to follow up with the BC for further discussion as warranted.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">_____________________________________________________________________________________________<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">The BC thanks the ICANN community volunteers and staff who have devoted hundreds of hours of work to Phases 1, 2, and 2a of the expedited policy development process
(EPDP), which of course is meant, in part, to describe to the community a utilitarian SSAD. This has been a significant investment of time and resources, and the BC is grateful to volunteers and staff for their ongoing work.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Unfortunately, however, the SSAD, as currently proposed, falls short of the ongoing needs of the business, security, law enforcement, rights holders and other communities
with legitimate interests in access to and disclosure of domain name registration data (know historically as Whois). The BC -- as well as the Governmental Advisory Committee, the Security and Stability Advisory Committee, the Intellectual Property Constituency,
and the At Large Advisory Committee -- all have registered their concerns with the system as currently proposed, and have encouraged EPDP participants to reconsider their output with an eye toward making the system more robust and functional. The BC’s contributions
herein are designed to contribute to a more holistic solution to the problem.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Further, interceding factors have impacted, or should impact, community considerations. The most significant of these, of course, arises from the European Union
(EU) via the European Commission’s (EC) proposed directive on the security of network and information systems (the
<a href="https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12475-Cybersecurity-review-of-EU-rules-on-the-security-of-network-and-information-systems_en">
NIS2 proposal</a>). This proposed directive clarifies European regulators’ intentions about the availability and accessibility of Whois data which, naturally, should be strongly factored into EPDP deliberations regarding the SSAD. Regrettably, such regulatory
developments mostly have been dismissed by the EPDP working group, which leads to the danger of creating a disclosure system that, from the outset, would be non-compliant with European regulation.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText"><span style="font-family:"Calibri",sans-serif">The need for a highly functioning SSAD is well documented inside and outside the ICANN community. The most recent data set is a
<a href="https://www.m3aawg.org/sites/default/files/m3aawg_apwg_whois_user_survey_report_2021.pdf">
survey</a> conducted in 2021 by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) and the Anti-Phishing Working Group (APWG) on the impact of Europe’s General Data Protection Regulation (GDPR) on Whois. The survey’s findings come as no surprise
to those with a stake in domain name data registration policy: Lack of registrar responsiveness is up, as are delays in providing non-public data for legitimate purposes, both of which have led to, as documented in the survey report, “cyber-investigators…significantly
impaired in their ability to investigate relationships between malicious domains and actors.”<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Data from the study clearly indicates the need for an SSAD that is:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoBodyText" style="margin-bottom:0in;mso-list:l0 level1 lfo1"><span style="font-family:"Calibri",sans-serif">Much more responsive to the time-sensitive nature of online crime and abuse investigations;<o:p></o:p></span></li><li class="MsoBodyText" style="margin-bottom:0in;mso-list:l0 level1 lfo1"><span style="font-family:"Calibri",sans-serif">Capable of handling registration data requests in bulk, without the need to enter data item-by-item; and<o:p></o:p></span></li><li class="MsoBodyText" style="margin-bottom:0in;mso-list:l0 level1 lfo1"><span style="font-family:"Calibri",sans-serif">Not a cost burden to investigators, law enforcement, rights holders, and others entitled to non-public registration data for legitimate
purposes.<o:p></o:p></span></li></ul>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">It is the hope of the BC that these needs will be reflected in the eventual construct of the SSAD.
<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Here is specific input the BC requests ICANN to consider in its selection of vendors, and in the design of the SSAD:<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><b><span style="font-family:"Calibri",sans-serif">The primary objective of any operational SSAD should be to provide qualified requesters with timely and consistent access to beneficial registrant data in a responsive
manner.<o:p></o:p></span></b></p>
<p class="MsoBodyText" style="margin-bottom:0in"><b><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></b></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Unfortunately, ICANN’s bifurcation of its privacy/proxy implementation work and the EPDP policy work has resulted in a proposed SSAD which is not fit for purpose.
Specifically, it has resulted in an accreditation and ticketing system that will most likely result in the referral of qualified requesters to privacy/proxy or similar data instead of timely access to the beneficial registrant information they seek.
<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">The accuracy of and lack of access to relevant non-public registrant data has been a systemic problem, even pre-dating the creation of ICANN. However, instead of
engaging in a <i>holistic</i> approach to finally solve the root problem, the ICANN community has engaged in a nearly two decades-long patchwork approach to address the resulting various harms. Instead of a comprehensive solution, the community, in reality,
has had no solution at all. The arrival of the General Data Protection Regulation offers the ICANN community a generational opportunity to finally get it right. Regrettably, however, it is on the precipice of wasting that chance.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">During ICANN’s SSAD webinar on 13 July 2021, ICANN org stated that the purpose of the now underway Operational Design Phase (ODP) was to “provide the ICANN Board
with relevant information to help decide if a recommendation is in the best interest of the ICANN community or ICANN.” The BC submits that proceeding -- at an estimated cost of US$9 million -- with the design and implementation of an SSAD model that is static,
does not enjoy a mechanism for evolution, and ultimately does not provide qualified requesters with timely access to the beneficial registrant information
<u>is not in the best interest of ICANN community or ICANN</u>. <o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><b><span style="font-family:"Calibri",sans-serif">The RFI uniquely positions ICANN not only to complete its Operational Design Assessment but to address registrant</span></b><span style="font-family:"Calibri",sans-serif">
<b>verification and know-your-business-customer (KYBC) requirements.<o:p></o:p></b></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">While there was consensus within the EPDP on the requirement to properly identify potential requesters, emerging requirements (via the European Union’s Digital Services
act and NIS2 directive) impose similar requirements on domain name registration providers. Like the GDPR, these initiatives will require verification of registrant data to ensure accuracy, and have an extraterritorial scope that would have a direct and material
impact on the broader domain name industry. The confluence of these facts gives ICANN org an opportunity to
<i>proactively</i> address necessary changes rather than play catch-up as it did with the implementation of the GDPR. This should include addressing requirements for privacy/proxy services and providers.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText"><b><span style="font-family:"Calibri",sans-serif">Any operational SSAD solution must be built using standardized and open technologies to promote innovation and competition across a geographically diverse marketplace of providers.<o:p></o:p></span></b></p>
<p class="MsoBodyText"><span style="font-family:"Calibri",sans-serif">It is the hope of the BC that ICANN does not repeat the mistakes of the Trademark Clearinghouse (TMCH) by designing and implementing a technologically cumbersome SSAD solution with limited
value and vendor exclusivity. There already is a vibrant marketplace of companies providing identity verification and credential issuance services. This marketplace includes established companies such as Certificate Authorities (CAs) that have been doing
identity proofing for decades, as well as newer providers using newer technologies.
<o:p></o:p></span></p>
<p class="MsoBodyText"><span style="font-family:"Calibri",sans-serif">ICANN should employ a solution that permits the interoperability of these different technologies, and in the interest of economic efficiency, permit some requesters to use existing forms
of verified identity, provided that the identity provider issuing SSAD credentials meets the requirements established by ICANN.
<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><b><span style="font-family:"Calibri",sans-serif">Conclusion<o:p></o:p></span></b></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">While the BC has significant concerns regarding not only the outcomes of SSAD-related policy work but also regarding processes that no longer facilitate compromise,
we remain committed to seeking improved outcomes within ICANN’s multistakeholder model that take into account the legitimate needs of those within and outside the ICANN community.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">ICANN Org now has the opportunity to build on newfound clarity about how GDPR applies to registration data -- clarity it has long sought from European authorities.
Now, with better and more reliable information available to it, ICANN should take the responsible path and save time, frustration and resources by making a course correction today: Return to the GNSO Council the task of revising SSAD policy recommendations
with an eye toward holistically addressing the matter (incorporating privacy/proxy services). ICANN org should actively promote innovative options that can be evaluated for viability before presenting another incomplete solution.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">The BC stands ready to participate in such responsible policy development and looks forward to engaging further with ICANN community colleagues to achieve an equitable
and usable SSAD.<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">--<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">This input is based on these previously-approved BC positions:<o:p></o:p></span></p>
<p class="MsoBodyText" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in">
<span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Comments and proposed amendments of the ICANN Business Constituency on provisions of the draft NIS2 Directive related to domain name registration data. May-2021,
at <a href="https://cbu.memberclicks.net/assets/docs/positions-statements/2021/2021_05May_31%20BC%20position%20paper%20on%20EP%20NIS2%20amendments%20May%202021%5B19%5D.pdf">
https://cbu.memberclicks.net/assets/docs/positions-statements/2021/2021_05May_31%20BC%20position%20paper%20on%20EP%20NIS2%20amendments%20May%202021%5B19%5D.pdf</a>
<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Comment for Board consideration of EPDP Phase 2 Policy Recommendations. Mar-2021, at
<a href="https://cbu.memberclicks.net/assets/docs/positions-statements/2021/2021_03March_30%20BC%20comment%20for%20Board%20consideration%20of%20EPDP%20Phase%202%20Policy%20Recommendations.pdf">
https://cbu.memberclicks.net/assets/docs/positions-statements/2021/2021_03March_30%20BC%20comment%20for%20Board%20consideration%20of%20EPDP%20Phase%202%20Policy%20Recommendations.pdf</a>
<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif">Minority Statement of the Business Constituency (BC) and Intellectual Property Constituency (IPC) on the EPDP Phase 2 Final Report. Jul-2020, at
<o:p></o:p></span></p>
<p class="MsoBodyText" style="margin-bottom:0in"><span style="font-family:"Calibri",sans-serif"><a href="https://www.icannbc.org/assets/docs/positions-statements/2020/2020_07July_29%20Minority%20Statement%20of%20the%20BC%20and%20IPC%20on%20the%20EPDP%20Phase%202%20Final%20Report.pdf">https://www.icannbc.org/assets/docs/positions-statements/2020/2020_07July_29%20Minority%20Statement%20of%20the%20BC%20and%20IPC%20on%20the%20EPDP%20Phase%202%20Final%20Report.pdf</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"> <o:p></o:p></span></p>
</div>
</body>
</html>