Comments about Report on Privacy & Proxy Services Accreditation Issues

["roguewolftamer ." <dakre18@xxxxxxxxx>]

I would like to voice my opinion about potential issues that may come up
about domains and the information that comes up when someone checks the
WhoIs information for a domain.  To cut back on how much information I
give, I will copy the question first, then answer it.



·         *What should be the minimum mandatory requirements for escalation
of relay requests in the event of a persistent delivery failure of an
electronic communication?*



The minimum mandatory requirements should be after a specific number of
failed attempts within a certain period of time (like 5 failed attempts in
48 hours, with no more than 1 email every 8 hours for example) would be
considered a persistent delivery failure.  If there is a persistent
delivery failure, then the Requester should be notified of the escalation
steps within 8-16 hours.  The escalation steps need to include an ETA or
information on how long it may take to fix the delivery failure, and if the
delivery failure cannot be fixed within the following 24-48 hours, the
escalation steps they will take to provide an alternative delivery method
will be provided.  The cost of the alternate delivery method needs to be
recovered from the Requester if they decide to go forward with the
escalation steps, or can be recovered from the customer if the request
comes from a court order or any other legal action that requires the
customer’s information to process.  This should only apply in cases where
legal action is being taken against the domain owner directly, and not
against a third party.



·         *Should it be mandatory for accredited P/P service providers to
comply with express requests from LEA in the provider’s jurisdiction not to
notify a customer?*



I would suggest P/P service providers need to maintain customer’s privacy,
and this would include against LEA.  The customer needs to be informed of
the request for their information, because they have a right to know who
requested the customer’s personal information.  The only exception to this
would be a gag order specifically stating the P/P service provider cannot
inform the customer, but they should still make an attempt to fight it.
The last part should be more of a suggestion than a rule, since it should
be up to the P/P service provider if they wish to fight a gag order.



·         *Should registrants of domain names associated with commercial
activities and which are used for online financial transactions be
prohibited from using, or continuing to use, P/P services? If so, why, and
if not, why not?*



As long as the registrants are not using the domain itself for commercial
activities or commercial purpose, they should be eligible for P/P
services.  What is considered as commercial purpose needs to be defined
better, because otherwise that would be any website owner that receives
money for the site.  Just because a journalist receives an award for doing
a great job, shouldn’t put the domain at risk because someone decided that
was considered for commercial purpose.



·         *If you agree with this position, do you think it would be useful
to adopt a definition of “commercial” or “transactional” to define those
domains for which P/P service registrations should be disallowed? If so,
what should the definition(s) be?*



As I already stated that labeling a site as being used for commercial
purpose needs to be defined, so it can’t be used so broadly.  I think it
would be useful to adopt a definition to define which domains should not be
allowed to use P/P services.  The main reason is so a broad definition
can’t be used to grab personal information so easily, but I would like to
state that domain owners should be given the option to provide limited
information publicly if the site can be labeled for commercial purposes
without being tied to a company name or generic structure to prevent
harassment (such as http://whois.icann.org/en/lookup?name=icann.org).  I
say this to protect individuals who may be starting up a company or site,
but can still provide a legitimate email for contact without being left
open to phone or mail harassment.



·         *Would it be necessary to make a distinction in the WHOIS data
fields to be displayed as a result of distinguishing between domain names
used for online financial transactions and domain names that are not?*



No, this should be clear to third parties who visit the site, but I’m not
completely against it if someone has a compelling argument why it should be
on the fields.



Mandatory provisions should be included in an accredited P/P service
provider’s terms of service, because the customer should be given some time
to look for another P/P service provider.  I would think giving them a week
after being notified by the P/P service provider is enough time to look and
apply for another.  I would not think there would be any delays in getting
another P/P service provider, so I would not be against going as low as a
48 hour grace period.  This would give the customer enough time to protect
their information.



This I think is enough information to go on for me, but I do want to point
out that as bigger organizations also bring up their points, there are many
times those opinions are to give their organization an advantage.  My
opinion comes as an individual who is for protecting everyone’s privacy,
and to prevent the abuse or harassment of others.


Sincerely,

William