[Gdd-gnso-ppsai-impl] Accreditation and de-accreditation of NA-TPPPs

Sun Apr 30 17:40:47 UTC 2017

Hi all,

I think we are jumping the gun when it comes to the de-accreditation 
approach as proposed by the poll from last week.

While trying to come up with a process, it became rather messy, and 
eventually, I gave up, as every solution was rather poor.
So I reversed the process and started with the accreditation process to 
see if that would yield better results.

The process for registrars offering privacy services or its affiliates 
is not problematic as we roughly have an idea and we have the WG 
recommendations.

Now the non-affiliated third party privacy providers (NA-TPPP), that is 
a rather different beast.
  A classic example for those who spend time in the data metrics policy 
making WG where you can't qualify or quantify a problem, and you can't 
turn to the CPH to ask them for information or input due to the fact 
these TPPP are not regulated at all.

*NA-TPPP who or what are they?*
Some of them seem to be on the surface semi-professional while others 
seem to be a hobby project that grown out of portion and the rest is 
somewhere in between.

*The business model they use:*
You give them your registrant data, and they give you a set of privacy 
information that you can use at your registrar for free.
One has to wonder how sustainable this business model is.

*How to onboard an NA-TPPP?*
For Registrars it is easy to get ICANN accredited in a sense, there is a 
good reason. A Registrar wants to register .com domain names? Then the 
requirement is to become ICANN accredited and only then you can start 
the accreditation process with Verisign.

Onboarding an NA-TPPPs sounds like selling ice cream on the north pole. 
We barely have an idea who they are, and for sure they have no idea who 
or what ICANN is (sorry if I am bursting some bubbles here).
Outreach will be problematic.

*Fees. *
NA-TPPPs do not sell domain names, they "offer" a service. For every 
registration and renewal a Registrar pays 18 cents to ICANN, wich goes 
into the ICANN budget.

*RDE*

Though the NA-TTTP might (it better be) have the registrant data, the 
Registrar is not included in this escrow deposit as they do not know 
where the privacy service info is used by the registrant.

*WDRP*
Audit requirement, who is going to pay for this?

*ERRP*
See WDRP

*ICANN involvement when NA-TPPP goes out of business. *
Worst case scenario the NA-TPPP gets breached and loses all data and 
backups. This has happened before in the past. ICANN would have to reach 
out to all registrants and somehow get Registrars in the mix. I am not 
sure how this scenario would unfold. Most likely it will be a costly 
business.

*Operational concerns*
IRTP C. This discussion still needs to take place somewhere. But if an 
NA-TPPP goes down we need to make sure that there is no loss of domain 
names or exposure of personal data.

I think I am going to stop here for now. But I think we still need to 
get the accreditation process done first and then move on to the 
de-accreditation part.

Best regards,

Theo Geurts

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20170430/22493f61/attachment.html>