GNSO Policy Recommendations on Privacy & Proxy Services Accreditation

Why is the Board addressing the issue now?

In initiating negotiations with the Registrar Stakeholder Group for new form of Registrar Accreditation Agreement (RAA) in October 2011, the ICANN Board also requested an Issue Report from the GNSO that, upon the conclusion of the RAA negotiations, would start a GNSO PDP to address remaining issues not dealt with in the RAA negotiations. In June 2013, the ICANN Board approved a new 2013 RAA, and the topic of accrediting privacy and proxy services was identified as the sole issue to be resolved through a GNSO PDP. This topic had also been noted by the Whois Review Team in its Final Report, published in May 2012, in which the Review Team had highlighted the current lack of clear and consistent rules regarding these services, resulting in unpredictable outcomes for stakeholders. The Review Team thought that appropriate regulation and oversight over such services would address stakeholder needs and concerns, and recommended that ICANN consider an accreditation system. Until the development of an accreditation program, only certain aspects of such services are covered by an interim specification to the 2013 RAA, which is due to expire on 1 January 2017 or the implementation by ICANN of an accreditation program, whichever first occurs.

The GNSO Council approved all the final recommendations from the PDP Working Group's Final Report dated 8 December 2015 at its meeting on 21 January 2016, as well as a Recommendations Report to the Board in February 2016. In accordance with the ICANN Bylaws, a public comment period was opened to facilitate public input on the adoption of the recommendations following which the PDP recommendations were forwarded to the Board for its review. On 15 May 2016, the Board resolved to consider action on the recommendations at the first Board meeting following ICANN56 in Helsinki, Finland, to enable the GAC to provide timely advice on public policy concerns raised by the PDP recommendations, if any. The GAC's advice in its Helsinki Communiqué was for the Board to direct that the GAC's concerns be effectively addressed to the greatest extent possible during the implementation phase of the PDP recommendations.

What is the proposal being considered?

The GNSO's policy recommendations include minimum mandatory requirements for the operation of privacy and proxy services; the maintenance of designated contact points for abuse reporting and the publication of a list of accredited providers; requirements related to the handling of requests for disclosure and/or publication of a customer's contact details by certain third party requesters; conditions regarding the disclosure and publication of such details as well as the refusal to disclose or publish; and principles governing the de-accreditation of service providers. The full list and scope of the final recommendations can be found in Annex A of the GNSO Council's Recommendations Report to the Board (see http://gnso.icann.org/en/drafts/council-board-ppsai-recommendations-09fe... [PDF, 491 KB].

Which stakeholders or others were consulted?

As required by the GNSO's PDP Manual, the Working Group reached out to all GNSO Stakeholder Groups and Constituencies as well as other ICANN Supporting Organizations and Advisory Committees for input during the early phase of the PDP. The Working Group also held open community sessions at all the ICANN Public Meetings that occurred during the life cycle of this PDP. It also sought input on potential implementation issues from ICANN's Registrar Services and Compliance teams. Public comment periods were opened for the Preliminary Issue Report that preceded the PDP, the Working Group's Initial Report, and the GNSO Council's adoption of the Working Group's Final Report. The final recommendations as detailed in the Final Report were completed based on the Working Group's review and analysis of all the public comments and input received in response to its Initial Report.

Following the GAC's advice in its Marrakech Communiqué of 9 March 2016 and the Board's resolution of 15 May 2016, discussions also took place amongst the Board and community on the topic at ICANN56 in Helsinki, Finland.

What concerns or issues were raised by the community?

A significant number of public comments were received by the Working Group concerning the possibility that a distinction might be made between domain name registrants with domains serving non-commercial purposes and registrants who conduct online financial transactions. This had been an open question in the Working Group's Initial Report, as at the time a number of Working Group members had supported that distinction. As a result of further Working Group deliberations following review of the public comments received, the Working Group reached consensus on a recommendation that no such distinction be made for purposes of accrediting services.

Concerns had also been expressed over the need to ensure that there are adequate safeguards in place for maintaining the privacy of customer data, and that a reasonable balance is struck as between a legitimate need for access to information (e.g. by law enforcement and intellectual property rights-holders) and that of protecting privacy. Many public comments received in response to the Working Group's Initial Report also highlighted the potential dangers of disclosing private information without cause, including the threat to the physical safety of certain groups of domain name registrants and privacy/proxy customers. The Working Group's final recommendations include a number of suggested principles and policies that aim to provide more concrete guidance than exists at present for privacy and proxy services, third party requesters of customer information, and domain name registrants in relation to topics such as the handling of customer notifications, information requests and domain name transfers.

The Working Group also received several comments concerning the lack of a detailed framework for the submission and confidential handling of disclosure requests from law enforcement authorities, including from the GAC's Public Safety Working Group. In its Initial Report, the Working Group sought community input on the question as to whether and how such a framework might be developed as well as on more specific questions such as whether it should be mandatory for accredited providers to comply with express requests from law enforcement authorities in the provider's jurisdiction not to notify a customer. Based on input received, the Working Group agreed that accredited privacy and proxy service providers should comply with express law enforcement requests not to notify a customer where this is required by applicable law. Providers would be free to voluntarily adopt more stringent standards or otherwise cooperate with law enforcement authorities. The Working Group's Final Report also contains a suggestion for certain minimum requirements that could be included if such a framework is to be developed during the implementation phase of the adopted PDP recommendations.

What significant materials did the Board review?

The Board reviewed the PDP Working Group's Final Report, the GNSO Council's Recommendations Report on the topic to the Board, the summary of public comments received in response to the public comment period that was opened following the GNSO Council's adoption of the recommendations contained in the Final Report, and GAC advice received on the topic, as provided in the Marrakech and Helsinki Communiqués.

What factors did the Board find to be significant?

The recommendations were developed following the GNSO Policy Development Process as set out in Annex A of the ICANN Bylaws and have received the unanimous support of the GNSO Council. As outlined in the ICANN Bylaws, the Council's supermajority support obligates the Board to adopt the recommendations unless, by a vote of more than two-thirds, the Board determines that the recommended policy is not in the best interests of the ICANN community or ICANN.

The Bylaws also allow for input from the GAC in relation to public policy concerns that might be raised if a proposed policy is adopted by the Board. The GAC had raised this possibility with respect to this PDP and the Board will continue to consider the advice that the GAC provided.

Are there positive or negative community impacts?

Developing a full accreditation program for privacy and proxy service providers will require significant resources and take a substantial period of time. It is likely that the interim specification contained in the 2013 RAA will need to be extended beyond its current expiration date of 1 January 2017, to allow for development of such a program.

Implementing the GNSO's recommendations will result in a more uniform set of standards for many aspects of privacy and proxy services, including more consistent procedures for the handling, processing and determination of third party requests by accredited providers, into which reasonable safeguards to protect consumer privacy can be incorporated and public policy concerns highlighted by the GAC addressed as far as possible. At present, there is no accreditation scheme in place for privacy and proxy services and no agreed community-developed set of best practices for the provision of such services. This PDP represents an attempt to develop a sound basis for the development and implementation of an accreditation framework by ICANN and is part of ICANN's on-going efforts to improve the Whois system, including implementing recommendations made previously by the Whois Review Team.

Nevertheless, as highlighted above, the implementation of all the recommendations from the PDP will be time and resource-intensive due to the scale of the project and the fact that this will be the first time ICANN has implemented such a program for this industry sector. While the RAA may serve as a useful reference point for this program, the Working Group's Final Report acknowledged that this may not be the most appropriate model for a number of reasons. Ensuring that the implementation planning addresses as fully as possible the public policy concerns that have been identified by the GAC, including possibly developing a disclosure framework for law enforcement authorities, is likely to form a substantial part of the implementation work.

The Working Group's Final Report also notes areas where additional work may be required, which could increase the community's workload in the near term. For example, the issue of privacy and proxy services in the context of domain name transfers will need to be addressed in the next review of the Inter-Registrar Transfer Policy.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

There may be fiscal impacts on ICANN associated with the creation of a new accreditation program specifically covering providers of privacy and proxy services. The implementation plan should take into account costs and timelines for implementation. As the current interim specification in the RAA applicable to such services is due to expire on 1 January 2017, consideration will also need to be given to extending its duration upon adoption of the PDP recommendations.

Are there any security, stability or resiliency issues relating to the DNS?

There are no security, stability or resiliency issues relating to the DNS that can be directly attributable to the implementation of the PDP recommendations. While the accreditation of privacy and proxy service providers is part of the overall effort at ICANN to improve the Whois system, it does not affect or change either the Whois protocol (including the rollout of the new RDAP) or the current features of the Whois system. The Working Group made its final recommendations with the understanding that implementation of its recommendations would be done in the context of any other policy or technical changes to the Whois system, which are outside the scope of this PDP.