[Gdd-gnso-ppsai-impl] Accreditation and de-accreditation of NA-TPPPs
Chris Pelling
chris at netearth.net
Sun Apr 30 17:50:22 UTC 2017
All very good points Theo, food for thought certainly.
Sent from Chris on the move!
On Sun, Apr 30, 2017 at 6:41 PM +0100, "theo geurts" <gtheo at xs4all.nl> wrote:
Hi all,
I think we are jumping the gun when it comes to the
de-accreditation approach as proposed by the poll from last
week.
While trying to come up with a process, it became rather messy,
and eventually, I gave up, as every solution was rather poor.
So I reversed the process and started with the accreditation
process to see if that would yield better results.
The process for registrars offering privacy services or its
affiliates is not problematic as we roughly have an idea and we
have the WG recommendations.
Now the non-affiliated third party privacy providers (NA-TPPP),
that is a rather different beast.
A classic example for those who spend time in the data metrics
policy making WG where you can't qualify or quantify a problem,
and you can't turn to the CPH to ask them for information or
input due to the fact these TPPP are not regulated at all.
NA-TPPP who or what are they?
Some of them seem to be on the surface semi-professional while
others seem to be a hobby project that grown out of portion and
the rest is somewhere in between.
The business model they use:
You give them your registrant data, and they give you a set of
privacy information that you can use at your registrar for free.
One has to wonder how sustainable this business model is.
How to onboard an NA-TPPP?
For Registrars it is easy to get ICANN accredited in a sense,
there is a good reason. A Registrar wants to register .com
domain names? Then the requirement is to become ICANN accredited
and only then you can start the accreditation process with
Verisign.
Onboarding an NA-TPPPs sounds like selling ice cream on the
north pole. We barely have an idea who they are, and for sure
they have no idea who or what ICANN is (sorry if I am bursting
some bubbles here).
Outreach will be problematic.
Fees.
NA-TPPPs do not sell domain names, they "offer" a service. For
every registration and renewal a Registrar pays 18 cents to
ICANN, wich goes into the ICANN budget.
RDE
Though the NA-TTTP might (it better be) have the registrant
data, the Registrar is not included in this escrow deposit as
they do not know where the privacy service info is used by the
registrant.
WDRP
Audit requirement, who is going to pay for this?
ERRP
See WDRP
ICANN involvement when NA-TPPP goes out of business.
Worst case scenario the NA-TPPP gets breached and loses all data
and backups. This has happened before in the past. ICANN would
have to reach out to all registrants and somehow get Registrars
in the mix. I am not sure how this scenario would unfold. Most
likely it will be a costly business.
Operational concerns
IRTP C. This discussion still needs to take place somewhere. But
if an NA-TPPP goes down we need to make sure that there is no
loss of domain names or exposure of personal data.
I think I am going to stop here for now. But I think we still
need to get the accreditation process done first and then move
on to the de-accreditation part.
Best regards,
Theo Geurts
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20170430/1edeab80/attachment.html>
More information about the Gdd-gnso-ppsai-impl
mailing list