[Gdd-gnso-ppsai-impl] Accreditation and de-accreditation of NA-TPPPs
theo geurts
gtheo at xs4all.nl
Sun Apr 30 17:40:47 UTC 2017
Hi all,
I think we are jumping the gun when it comes to the de-accreditation
approach as proposed by the poll from last week.
While trying to come up with a process, it became rather messy, and
eventually, I gave up, as every solution was rather poor.
So I reversed the process and started with the accreditation process to
see if that would yield better results.
The process for registrars offering privacy services or its affiliates
is not problematic as we roughly have an idea and we have the WG
recommendations.
Now the non-affiliated third party privacy providers (NA-TPPP), that is
a rather different beast.
A classic example for those who spend time in the data metrics policy
making WG where you can't qualify or quantify a problem, and you can't
turn to the CPH to ask them for information or input due to the fact
these TPPP are not regulated at all.
*NA-TPPP who or what are they?*
Some of them seem to be on the surface semi-professional while others
seem to be a hobby project that grown out of portion and the rest is
somewhere in between.
*The business model they use:*
You give them your registrant data, and they give you a set of privacy
information that you can use at your registrar for free.
One has to wonder how sustainable this business model is.
*How to onboard an NA-TPPP?*
For Registrars it is easy to get ICANN accredited in a sense, there is a
good reason. A Registrar wants to register .com domain names? Then the
requirement is to become ICANN accredited and only then you can start
the accreditation process with Verisign.
Onboarding an NA-TPPPs sounds like selling ice cream on the north pole.
We barely have an idea who they are, and for sure they have no idea who
or what ICANN is (sorry if I am bursting some bubbles here).
Outreach will be problematic.
*Fees. *
NA-TPPPs do not sell domain names, they "offer" a service. For every
registration and renewal a Registrar pays 18 cents to ICANN, wich goes
into the ICANN budget.
*RDE*
Though the NA-TTTP might (it better be) have the registrant data, the
Registrar is not included in this escrow deposit as they do not know
where the privacy service info is used by the registrant.
*WDRP*
Audit requirement, who is going to pay for this?
*ERRP*
See WDRP
*ICANN involvement when NA-TPPP goes out of business. *
Worst case scenario the NA-TPPP gets breached and loses all data and
backups. This has happened before in the past. ICANN would have to reach
out to all registrants and somehow get Registrars in the mix. I am not
sure how this scenario would unfold. Most likely it will be a costly
business.
*Operational concerns*
IRTP C. This discussion still needs to take place somewhere. But if an
NA-TPPP goes down we need to make sure that there is no loss of domain
names or exposure of personal data.
I think I am going to stop here for now. But I think we still need to
get the accreditation process done first and then move on to the
de-accreditation part.
Best regards,
Theo Geurts
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20170430/22493f61/attachment.html>
More information about the Gdd-gnso-ppsai-impl
mailing list