[Gdd-gnso-ppsai-impl] Accreditation and de-accreditation of NA-TPPPs

Sun Apr 30 17:50:22 UTC 2017

All very good points Theo, food for thought certainly. 

Sent from Chris on the move!

On Sun, Apr 30, 2017 at 6:41 PM +0100, "theo geurts" <gtheo at xs4all.nl> wrote:

Hi all,

        I think we are jumping the gun when it comes to the
        de-accreditation approach as proposed by the poll from last
        week. 

        While trying to come up with a process, it became rather messy,
        and eventually, I gave up, as every solution was rather poor. 

        So I reversed the process and started with the accreditation
        process to see if that would yield better results. 

        The process for registrars offering privacy services or its
        affiliates is not problematic as we roughly have an idea and we
        have the WG recommendations. 

        Now the non-affiliated third party privacy providers (NA-TPPP),
        that is a rather different beast.

         A classic example for those who spend time in the data metrics
        policy making WG where you can't qualify or quantify a problem,
        and you can't turn to the CPH to ask them for information or
        input due to the fact these TPPP are not regulated at all. 

        NA-TPPP who or what are they?

        Some of them seem to be on the surface semi-professional while
        others seem to be a hobby project that grown out of portion and
        the rest is somewhere in between. 

        The business model they use:

        You give them your registrant data, and they give you a set of
        privacy information that you can use at your registrar for free.

        One has to wonder how sustainable this business model is. 

        How to onboard an NA-TPPP?

        For Registrars it is easy to get ICANN accredited in a sense,
        there is a good reason. A Registrar wants to register .com
        domain names? Then the requirement is to become ICANN accredited
        and only then you can start the accreditation process with
        Verisign. 

        Onboarding an NA-TPPPs sounds like selling ice cream on the
        north pole. We barely have an idea who they are, and for sure
        they have no idea who or what ICANN is (sorry if I am bursting
        some bubbles here).

        Outreach will be problematic. 

        Fees. 

        NA-TPPPs do not sell domain names, they "offer" a service. For
        every registration and renewal a Registrar pays 18 cents to
        ICANN, wich goes into the ICANN budget. 

        RDE

Though the NA-TTTP might (it better be) have the registrant
        data, the Registrar is not included in this escrow deposit as
        they do not know where the privacy service info is used by the
        registrant. 

        WDRP

        Audit requirement, who is going to pay for this?

        ERRP

        See WDRP 

        ICANN involvement when NA-TPPP goes out of business. 

        Worst case scenario the NA-TPPP gets breached and loses all data
        and backups. This has happened before in the past. ICANN would
        have to reach out to all registrants and somehow get Registrars
        in the mix. I am not sure how this scenario would unfold. Most
        likely it will be a costly business.

        Operational concerns

        IRTP C. This discussion still needs to take place somewhere. But
        if an NA-TPPP goes down we need to make sure that there is no
        loss of domain names or exposure of personal data. 

        I think I am going to stop here for now. But I think we still
        need to get the accreditation process done first and then move
        on to the de-accreditation part. 

Best regards, 

Theo Geurts

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20170430/1edeab80/attachment.html>