Dennis,

Thanks for your note.

This working group is the restart of the IRT process for the Privacy and Proxy Services Accreditation policy. Quite a bit of time has passed since that policy was passed. There were some serious issues with the policy when it was adopted, and the situation has become worse. Accordingly, I am raising some questions about where we're going. This is a first draft of what I expect will become a more complete memo intended for wider distribution. It feels appropriate to share these thoughts first within this working group.

Privacy and proxy services are intended to protect the identity of and restrict access to registrants. The fact that they have become widely used is a strong indication that registrants feel the need for such protection. (And, I think it needs to be said, their widespread use is also due in part to active sales efforts. People are spending a noticeable amount of money on these services, so this is an important source of revenue.)

*Privacy Services*

Let me address Privacy services first. When a registrant uses a Privacy service, the name of the registrant is provided to the registrar, but the registrant's address, email and phone number are not. Instead, the address, email and phone number of the Privacy service is provided to the registrar. If the registrant makes those data elements available to a requestor, the requestor will be able to contact the Privacy service. The requestor will also know the name of the registrant and may be able to find other ways to contact the registrant.

The troubling aspect of a Privacy service is the requestor has no explicit way of knowing whether the address, email and phone number are associated with the registrant or with a Privacy service. The intent of the Privacy and Proxy Service Accreditation policy is to make it clear to requestors that the data they are receiving is for a Privacy service.
From my point of view, overloading the registrant's address, email and phone number fields with the Privacy service's data elements is unnecessarily confusing. *A simpler and more straightforward approach is to add a correspondence address, email and/or phone number to the registration data.* Of course, in order for this to accomplish the intended purpose, the registrant's address, email and phone number would NOT be easily available. And that involves the rules for disclosure of non-public data. More on this below.

*Proxy service vs NIS2 and GDPR*

A Proxy service differs from a Privacy service by hiding all data about the registrant. The registrant has no data about the actual registrant. Or, to be more precise, the registrant sees the Proxy service as the actual registrant, and the term that's often used to refer to the Proxy service's client is the "beneficial registrant."

Today, Proxy service providers operate outside the ICANN contractual structure. With the exception of formal judicial processes, e.g. a government agent serving a warrant or subpoena, there is no way to compel a Proxy service to disclose the identity and other data about the beneficial registrant.

The intent of the Privacy and Proxy Accreditation policy is to require Privacy and Proxy services to:

- register with ICANN,
- agree to an accreditation process,
- conform with whatever rules are adopted later regarding collecting accurate data, and
- conform to whatever rules are adopted later regarding disclosing that data.

Meanwhile, ICANN is very, very, very slowly developing rules regarding the accuracy of the registration data and the disclosure of that data to appropriate requestors. ICANN has spent an inordinate amount of time wrestling with the GDPR. The sequence from SSAD to RDRS has been wasteful and ineffective. NIS2 is going to require accurate data, and we have not yet begun to take that requirement into account.
The question that seems obvious to me is how these two sets of rules will interact. For example:

- If registrants achieve greater protection using a Proxy service than without, does that mean the protection provided by registrars is insufficient?
- The other side of that same question relates to disclosure. If a requestor has a legitimate need for registration data, but the data in its database is only the name of the Proxy service, doesn't that undermine the concept of providing registration to appropriate requestors for legitimate purposes?

There are other questions related to the creation of a new bureaucracy that deserve attention, but I think those questions should come after we have a sensible understanding of how the overall system is supposed to work.

*Whither the PPSAI working group?*

The PPSAI working group is focused on implementing an accreditation process for Privacy and Proxy services. What's missing in my view is clarity as to the purpose of this accreditation and clarity as to whether accrediting P/P Services will accomplish the purpose. In brief, we don't have a policy that is fit for purpose.

=============================================

As I said at the top, this is a first draft. I invite responses, and I am particularly interested in others who wish to join the effort to make sense of this effort.

Thanks,

Steve