Consideration of GNSO Policy Recommendations concerning the Accreditation of Privacy and Proxy Services

Why is the Board addressing the issue now?

In its October 2011 initiation of negotiations with the Registrar Stakeholder Group for a new form of Registrar Accreditation Agreement (RAA), the ICANN Board also requested an Issue Report from the GNSO to start a GNSO PDP addressing remaining issues not dealt with in the RAA. In June 2013, the ICANN Board approved a new 2013 RAA, and the topic of accrediting privacy and proxy services was identified as the sole issue to be resolved through a GNSO PDP. This topic had also been noted by the Whois Review Team in its Final Report, published in May 2012, in which the Review Team had highlighted the current lack of clear and consistent rules regarding these services, resulting in unpredictable outcomes for stakeholders. The Review Team thought that appropriate oversight over such services would address stakeholder needs and concerns, and recommended that ICANN consider an accreditation system. Until the development of an accreditation program, only certain aspects of such services are covered by an interim specification to the 2013 RAA, which is due to expire on 1 January 2017 or the implementation by ICANN of an accreditation program, whichever first occurs.

The GNSO Council approved all the final recommendations from the PDP Working Group's Final Report dated 8 December 2015 at its meeting on 21 January 2016, and a Recommendations Report from the Council to the Board on the topic in February 2016. In accordance with the ICANN Bylaws, a public comment period was opened to facilitate public input on the adoption of the recommendations. The public comment period closed on 16 March 2016. As outlined in Annex A of the ICANN Bylaws, the PDP recommendations are now being forwarded to the Board for its review and action.

What is the proposal being considered?

The GNSO's policy recommendations include minimum mandatory requirements for the operation of privacy and proxy services; the maintenance of designated contact points for abuse reporting and the publication of a list of accredited providers; requirements related to the handling of requests for disclosure and/or publication of a customer's contact details by certain third party requesters; conditions regarding the disclosure and publication of such details as well as the refusal to disclose or publish; and principles governing the de-accreditation of service providers. The full list and scope of the final recommendations can be found in Annex A of the GNSO Council's Recommendations Report to the Board (see http://gnso.icann.org/en/drafts/council-board-ppsai-recommendations-09fe...) [PDF, 491 KB].

Which stakeholders or others were consulted?

As required by the GNSO's PDP Manual, the Working Group reached out to all GNSO Stakeholder Groups and Constituencies as well as other ICANN Supporting Organizations and Advisory Committees for input during the early phase of the PDP. The Working Group also held open community sessions at all the ICANN Public Meetings that occurred during the lifetime of this PDP. It also sought input on potential implementation issues from ICANN's Registrar Services and Compliance teams. Public comment periods were opened for the Preliminary Issue Report that preceded the PDP, the Working Group's Initial Report, and the GNSO Council's adoption of the Working Group's Final Report. The final recommendations as detailed in the Final Report were completed based on the Working Group's review and analysis of all the public comments and input received in response to its Initial Report.

What concerns or issues were raised by the community?

A significant number of public comments were received by the Working Group concerning the possibility that a distinction might be made between domain name registrants with domains serving non-commercial purposes and registrants who conduct online financial transactions. This had been an open question in the Working Group's Initial Report, as at the time a number of Working Group members had supported that distinction. As a result of further Working Group deliberations following review of the public comments received, the Working Group reached consensus on a recommendation that no such distinction be made for purposes of accrediting services.

Concerns had also been expressed over the need to ensure that there are adequate safeguards in place for maintaining the privacy of customer data, and that a reasonable balance is struck as between a legitimate need for access to information (e.g. by law enforcement and intellectual property rights-holders) and that of protecting privacy. Many public comments received in response to the Working Group's Initial Report also highlighted the potential dangers of disclosing private information without cause, including the threat to the physical safety of certain groups of domain name registrants and privacy/proxy customers. The Working Group's final recommendations include a number of suggested principles and policies that aim to provide more concrete guidance than exists at present for privacy and proxy services, third party requesters of customer information, and domain name registrants in relation to topics such as the handling of customer notifications, information requests and domain name transfers.

The Working Group also received several comments concerning the lack of a detailed framework for the submission and confidential handling of disclosure requests from law enforcement authorities, including from the GAC's Public Safety Working Group. In its Initial Report, the Working Group sought community input on the question as to whether and how such a framework might be developed as well as on more specific questions such as whether it should be mandatory for accredited providers to comply with express requests from law enforcement authorities in the provider's jurisdiction not to notify a customer. Based on input received, the Working Group agreed that accredited privacy and proxy service providers should comply with express law enforcement requests not to notify a customer where this is required by applicable law. Providers would be free to voluntarily adopt more stringent standards or otherwise cooperate with law enforcement authorities. As the Working Group did not receive concrete proposals on how a specific framework applicable to law enforcement requests could be developed, its Final Report contains a suggestion for certain minimum requirements that could be included if such a framework is developed in the future.

What significant materials did the Board review?

The Board reviewed the PDP Working Group's Final Report, the GNSO Council's Recommendations Report on the topic to the Board, the summary of public comments received in response to the public comment period that was opened following the GNSO Council's adoption of the recommendations contained in the Final Report, and GAC advice received on the topic.

What factors did the Board find to be significant?

The recommendations were developed following the GNSO Policy Development Process as set out in Annex A of the ICANN Bylaws and have received the unanimous support of the GNSO Council. As outlined in the ICANN Bylaws, the Council's supermajority support obligates the Board to adopt the recommendations unless, by a vote of more than two-thirds, the Board determines that the recommended policy is not in the best interests of the ICANN community or ICANN.

The Bylaws also allow for input from the GAC in relation to public policy concerns that might be raised if a proposed policy is adopted by the Board. The GAC has noted that public policy concerns might be raised in the adoption of these policy recommendations, and as such the Board is obliged to take into account any advice that the GAC may provide in a timely manner on the topic. Therefore, it is prudent for the Board to allow time for the GAC to provide that advice as indicated in its March 2016 Communiqué.

Are there positive or negative community impacts?

Developing a full accreditation program for privacy and proxy service providers will require significant resources and take a substantial period of time. Deferring adoption of the PDP recommendations will also mean that the need to extend the interim specification in the 2013 RAA beyond its current expiration date will become more urgent.

At present, there is no accreditation scheme in place for privacy and proxy services and no agreed community-developed set of best practices for the provision of such services. This PDP represents an attempt to develop a sound basis for the development and implementation of a proxy/privacy accreditation framework by ICANN. This is part of ICANN's ongoing efforts to improve the Whois system, including implementing recommendations made previously by the Whois Review Team. Implementing many of the GNSO recommendations would create a more uniform set of standards for many aspects of privacy and proxy services, including more consistent procedures for the handling, processing and determination of third party requests by accredited providers, into which reasonable safeguards to protect consumer privacy can be incorporated.

Nevertheless, as highlighted above, the implementation of all the recommendations from the PDP will be time- and resource-intensive due to the scale of the project and the fact that this will be the first time ICANN has implemented such a program for this industry sector. While the RAA may serve as a useful reference point for this program, the Working Group's Final Report acknowledged that this may not be the most appropriate model for a number of reasons.

The Working Group's Final Report also notes a few areas where additional work may be required, which could increase the community's workload in the near term. For example, the issue of privacy and proxy services in the context of domain name transfers will need to be addressed in the next review of the Inter-Registrar Transfer Policy. To the extent that the GAC provides the Board with timely advice of relevant public policy concerns and the Board accepts such advice, the development of a disclosure framework for law enforcement authorities and other third parties may also need to be considered, possibly in parallel with implementation of the overall accreditation program.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

There may be fiscal impacts on ICANN associated with the creation of a new accreditation program specifically covering providers of privacy and proxy services if the PDP recommendations are adopted, regardless of whether this occurs immediately or in the future. However, as the current interim specification in the RAA applicable to such services is due to expire on 1 January 2017, consideration will need to be given to either extending its duration (e.g. to allow for implementation should the PDP recommendations be adopted) or amending and updating it in the event that the PDP recommendations are not adopted.

Are there any security, stability or resiliency issues relating to the DNS?

There are no security, stability or resiliency issues relating to the DNS that can be directly attributable to the implementation of the PDP recommendations. While the accreditation of privacy and proxy service providers is part of the overall effort at ICANN to improve the Whois system, it does not affect or change either the Whois protocol (including the rollout of the new RDAP, or Registration Data Access Protocol) or the current features of the Whois system. The Working Group made its final recommendations with the understanding that implementation of its recommendations would be done in the context of any other policy or technical changes to the Whois system, which are outside the scope of this PDP.

Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?

The recommendations at issue are a result of the defined GNSO Policy Development Process. No public comment is required for this deferral action.