PPSAI Working Group Initial Report (id:jdw2)

[Jeff Wheelhouse <jdw@xxxxxxxxxxxxxx>]

The working group's report frequently interchanges the roles of the domain 
registrar and the domain privacy provider.  For example, there are several 
places that propose to make a domain privacy provider responsible for the 
publication of certain fields or details in the whois database.  But domain 
privacy providers have no access to the whois database entries for domains they 
serve; that is a function of the domain registrar.  Sometimes they are same 
company, and that appears to be the only scenario considered by the working 
group, but many privacy services are fully independent.

Unless it is the working group's goal to outright ban the existence of 
independent privacy providers (which would clearly benefit the dues-paying 
ICANN-accredited domain registrars that offer privacy service of their own), 
any plan that proposes to place requirements on privacy providers that can only 
be met by registrars is fundamentally unworkable.

Closely related to this, the working group appears to be trying to double-up 
rules that already exist.  For example, the subject of what to do if a privacy 
provider is unable to reach a domain registrant is discussed at great length 
and often without consensus.  However, it need not be discussed at all.  If a 
domain shows the use of a given privacy service and that privacy service cannot 
reach the registrant, then the contact information for that domain is invalid.  
That situation is the registrar's to resolve — the privacy provider cannot 
suspend the name or change the contact information,  and providing 
known-invalid information to a requestor servers no purpose.  Furthermore, the 
registrar’s role and response in such situations is already more than 
adequately covered by WAPS and other requirements of the existing RAA.  

As the general manager of an independent domain privacy service which has been 
in business for seven years and which has provided conscientious, high-quality 
privacy services for tens of thousands of domain names, when dealing with our 
own customers we have very few cases of inability to reach a customer, and none 
that were not resolved through interaction with the relevant domain registrar.  
On a total of two occasions in our history we have discovered domains that were 
falsely set up with whois details to make it look like they were using our 
service.  (In both cases after a transfer to a new registrant who did not 
bother to update the information.)  In both cases, we reported the situation to 
the relevant registrar and it was resolved.

Registrars are already responsible to ensure that the whois database is 
accurate and, unlike privacy providers, have the tools necessary to do so, like 
the ability to edit the whois database and the ability to suspend domain names 
if a registrant proves willfully noncompliant.  A listing that shows a privacy 
provider that cannot reach a registrant is no different than a listing that 
shows "Mickey Mouse" as the registrant.  The problem of what to do if a privacy 
provider cannot reach a registrant is already solved and does not need to be 
solved again.