A Belated +1 to Todd's thoughtful analysis below. Although #1 (publication) does seem to be the default for some re: UDRP filings, it does seem to be intrinsically unfair to publish a Registrants personal/organizational data to the world without at least a *finding* of actual wrongdoing (not the filing of the complaint in and of itself -- what happens if it is a Reverse Domain Name Hijacking decision, or a previous business partner sharing rights to the same name...??) Here, I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution. I think Todd lays it out far more eloquently below... Best, Kathy :

Thanks Mary. One thought for the group to consider (happy to discuss in more detail on the call):

Reviewing the attached, it seems as if there are basically two alternatives for us to debate when it comes to disclosure in the context of cybersquatting and UDRPs (setting aside for now that there are many abuses other than cybersquatting where disclosure may be relevant):

1)One alternative is for the p/p provider to simply funnel those kinds of complaints into a UDRP. This approach basically skips "disclosure" and goes straight to "publication" -- the attached points out that most providers will publish all contact information to the world once a UDRP is filed.

2)The other alternative would require disclosure to the complainant under certain enumerated circumstances where the complainant provides enough information to meet certain prima facie elements (and makes certain averments under penalty of perjury).

Based on the attached, it seems that Option (1) is currently the more common approach. But going forward, isn't Option (2) much better for the consumers/beneficial users who purchase p/p services? As Kathy and others have rightly mentioned, publication (to the world) is a more extreme deviation from the beneficial user's privacy expectations than is disclosure (to a single complainant). So why would we adopt an accreditation regime that skews the process toward the more drastic result?

f

One other thought on this: in many cases disclosure may obviate the need to file a UDRP at all. Maybe the complainant can contact the beneficial user to negotiate a resolution. Or maybe learning the beneficial user's identity will cause the complainant to question its original analysis that the domain name was being used in bad faith. Whatever the reason, I would assume that avoiding a UDRP is almost always going to be the better option for ALL parties involved:

·The complainant gets to save the money that it would otherwise spend on a UDRP.

·The beneficial user gets to avoid the more drastic result of publication to the world.

·The p/p provider gets to avoid being named as a respondent in a UDRP proceeding (which James noted on our call can be problematic), and may get to keep a paying customer that it would otherwise lose once the UDRP is filed and the contact information is published to the world.

So if everybody is better off under Option (2) than Option (1), what I am missing? What is the argument for Option (1)? And why is it the more common approach used today (at least, according to the responses compiled in the attached)?

Thanks.

Todd.

*From:*gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of *Mary Wong *Sent:* Thursday, September 25, 2014 7:36 PM *To:* PPSAI WG *Subject:* [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses

Dear WG members,

Please find attached a document that staff has compiled of P/P provider responses to the 5 questions posed by the WG chairs to the group after the call last week, as follows:

1. What are provider practices regarding customer notification when a disclosure request is received, and is the customer given the opportunity to respond?

2. Does any provider offer its customer an option other than disclosure or publication, e.g. an opportunity to cancel the registration instead (i.e. what some WG members have mentioned as a "takedown")?

3. What are provider "standards" for determining disclosure to third parties?

4. Can providers give the WG some general information about the percentage of requests for disclosure that are successful?

5. For Q4, do providers also have information about the type of claims those relate to e.g. If they are from LEA, 3P IP claim etc.?

Please let me know if I have mischaracterized or omitted any response that you may have sent (for which I offer my apologies!). If you have not yet provided a response and are in a position to do so, or if you'd like to add to a response you'd provided previously, please send it along and I'll make sure it gets added to this document.

Finally, please note that certain actual provider terms of service obtained from a sample of providers had previously been compiled as part of the draft template for this Category F, so that may also be helpful -- these are available on the WG wiki here: https://community.icann.org/x/QwbxAg <https://community.icann.org/x/QwbxAg>.

Thanks and cheers

Mary

Mary Wong

Senior Policy Director

Internet Corporation for Assigned Names & Numbers (ICANN)

Telephone: +1 603 574 4892

Email: mary.wong@icann.org <mailto:mary.wong@icann.org>

_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg

Hi Val, Kathy's words were : "I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution." which essentially means (if we are talking about the National Arbitration Forum) this is filing a UDRP case. So disclosure is ONLY once UDRP has been filed, because we are required to provide that information for the UDRP process as the registrar under the RAA. Otherwise in all fairness we will have "willy nilly" requests for information from every tom, dick and harry. I totally agree with Kathy in that the PP service /should not/ be lifted until the UDRP decision/finding has been completed - as at that point if the request has been found "/wanting/" then the customer still has his privacy intact because the UDRP panel has rejected the claim. The UDRP process cost is around $1500, I don't know what lawyers charge on top mind you, but, if I had to protect my IP, $1500 is something simple to find to protect it. You have given certainly the view from the "person trying to get the information" yet totally left out the "I want my privacy protected". Let me give you a "way off" example and yes I know this is way off. A "person" is being stalked, they move to get away from said stalker, BUT, their domain is essential to their keeping, the stalker only has to ask / request the PP service provider for the information - and in your last paragraph you suggest the information should be simply given over. I am sorry, but, thats wrong. It is not an attack on you Val, and we have to think of the best routes for this. UDRP means somebody adjudicates the request - THIS IS FAIR and IMPARTIAL to both parties. If the PP customer is in the wrong - fine, not only do they lose the case and the domain - they lose the PP service as the domain is no longer theirs. We can all go round and round in circles and be here all year, the IP guys want the ability to simply ask for information and be given it, let me put another thought out there : A lawyer provides his customer a PP service, do you really think that the lawyer will simply "give up" the customer information if requested? They may well do, but, I would lean on the side of "No, you cant have it as it is attorney–client privilege" (I am not a lawyer, so that may be the wrong term - but you get the idea) If the lawyer has a court order or subpoena then sure - he/she will provide that info. I am suggesting the same, no more, no less. In the UK, you are innocent until proven guilty, like most places, so, why should someone's data be revealed unless it has been requested/ruled by an authority/judge whatever. At least with being requested LEGALLY like that, the data protection act in the UK (where we are) allows us to provide that information as we have a court order requesting it. Kind regards, Chris On 30/09/2014 11:12 PM, Valeriya Sherman wrote:

We also agree with the points raised by Todd and Kathy below. Disclosure to a Requestor would avoid the more drastic result of Publication associated with the filing of a legal action, which could have negative consequences for all parties.

To echo Todd's point below, Disclosure would help to avoid unnecessary(and expensive) arbitration or litigation. In the context of IP rights enforcement, where many rights are territorial in nature, disclosure of registrant contact information may be essential for a Requestor to properly analyze whether a cause of action exists or further proceedings are merited. In other words, filing a UDRP or a court action without this information is putting the cart before the horse -- it entangles all three parties (Customer, P/P Provider, and Requestor) in potentially premature legal action, that could very well have been avoided through disclosure of Customer information (e.g., jurisdiction) and/or direct communication between Customer and Requestor.

Moreover, we should keep in mind that many Requestors will be smaller businesses and organizations, for which bringing an expensive action without essential facts that could be obtained through Disclosure would be extremely burdensome, potentially to the point where they would be unable to protect their rights against some infringers -- a result fraught with anti-competitive and anti-consumer implications. An effective and fair accreditation regime should aim to prevent such a result.

Thanks, Val

Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.3300 Cell 303.589.7477 vsherman@sgbdc.com <mailto:vsherman@law.gwu.edu>

------------------------------------------------------------------------ *From:* gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Kathy Kleiman [kathy@kathykleiman.com] *Sent:* Tuesday, September 30, 2014 9:33 AM *To:* gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses

A Belated +1 to Todd's thoughtful analysis below.

Although #1 (publication) does seem to be the default for some re: UDRP filings, it does seem to be intrinsically unfair to publish a Registrants personal/organizational data to the world without at least a *finding* of actual wrongdoing (not the filing of the complaint in and of itself -- what happens if it is a Reverse Domain Name Hijacking decision, or a previous business partner sharing rights to the same name...??)

Here, I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution.

I think Todd lays it out far more eloquently below... Best, Kathy

:

...

Thanks Mary. One thought for the group to consider (happy to discuss in more detail on the call):

Reviewing the attached, it seems as if there are basically two alternatives for us to debate when it comes to disclosure in the context of cybersquatting and UDRPs (setting aside for now that there are many abuses other than cybersquatting where disclosure may be relevant):

1)One alternative is for the p/p provider to simply funnel those kinds of complaints into a UDRP. This approach basically skips “disclosure” and goes straight to “publication” – the attached points out that most providers will publish all contact information to the world once a UDRP is filed.

2)The other alternative would require disclosure to the complainant under certain enumerated circumstances where the complainant provides enough information to meet certain prima facie elements (and makes certain averments under penalty of perjury).

Based on the attached, it seems that Option (1) is currently the more common approach. But going forward, isn’t Option (2) much better for the consumers/beneficial users who purchase p/p services? As Kathy and others have rightly mentioned, publication (to the world) is a more extreme deviation from the beneficial user’s privacy expectations than is disclosure (to a single complainant). So why would we adopt an accreditation regime that skews the process toward the more drastic result?

f

One other thought on this: in many cases disclosure may obviate the need to file a UDRP at all. Maybe the complainant can contact the beneficial user to negotiate a resolution. Or maybe learning the beneficial user’s identity will cause the complainant to question its original analysis that the domain name was being used in bad faith. Whatever the reason, I would assume that avoiding a UDRP is almost always going to be the better option for ALL parties involved:

·The complainant gets to save the money that it would otherwise spend on a UDRP.

·The beneficial user gets to avoid the more drastic result of publication to the world.

·The p/p provider gets to avoid being named as a respondent in a UDRP proceeding (which James noted on our call can be problematic), and may get to keep a paying customer that it would otherwise lose once the UDRP is filed and the contact information is published to the world.

So if everybody is better off under Option (2) than Option (1), what I am missing? What is the argument for Option (1)? And why is it the more common approach used today (at least, according to the responses compiled in the attached)?

Thanks.

Todd.

*From:*gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of *Mary Wong *Sent:* Thursday, September 25, 2014 7:36 PM *To:* PPSAI WG *Subject:* [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses

Dear WG members,

Please find attached a document that staff has compiled of P/P provider responses to the 5 questions posed by the WG chairs to the group after the call last week, as follows:

1. What are provider practices regarding customer notification when a disclosure request is received, and is the customer given the opportunity to respond?

2. Does any provider offer its customer an option other than disclosure or publication, e.g. an opportunity to cancel the registration instead (i.e. what some WG members have mentioned as a “takedown”)?

3. What are provider “standards" for determining disclosure to third parties?

4. Can providers give the WG some general information about the percentage of requests for disclosure that are successful?

5. For Q4, do providers also have information about the type of claims those relate to e.g. If they are from LEA, 3P IP claim etc.?

Please let me know if I have mischaracterized or omitted any response that you may have sent (for which I offer my apologies!). If you have not yet provided a response and are in a position to do so, or if you’d like to add to a response you’d provided previously, please send it along and I’ll make sure it gets added to this document.

Finally, please note that certain actual provider terms of service obtained from a sample of providers had previously been compiled as part of the draft template for this Category F, so that may also be helpful – these are available on the WG wiki here: https://community.icann.org/x/QwbxAg <https://community.icann.org/x/QwbxAg>.

Thanks and cheers

Mary

Mary Wong

Senior Policy Director

Internet Corporation for Assigned Names & Numbers (ICANN)

Telephone: +1 603 574 4892

Email: mary.wong@icann.org <mailto:mary.wong@icann.org>

_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg

_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg

Hi Kristina, In my experience with dealing with WIPO for example, thats not true, we receive from them a request for information to confirm registrant, we reply with the "registrant" information (and all the other questions that are asked) and they then send to the complainee the updated registrant information requesting an amendment to the requested complaint/process docs. I am almost "100"% sure on that - let me check. Kind regards, Chris On 01/10/2014 2:59 PM, Rosette, Kristina wrote:

Under the scenario Chris is suggesting, the UDRP finding would be against the proxy service provider; not its customer. Just something to consider . . . .

*From:*gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of *Chris Pelling *Sent:* Wednesday, October 01, 2014 5:29 AM *To:* Valeriya Sherman; Kathy Kleiman; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses

Hi Val,

Kathy's words were : "I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution." which essentially means (if we are talking about the National Arbitration Forum) this is filing a UDRP case.

So disclosure is ONLY once UDRP has been filed, because we are required to provide that information for the UDRP process as the registrar under the RAA. Otherwise in all fairness we will have "willy nilly" requests for information from every tom, dick and harry.

I totally agree with Kathy in that the PP service /should not/ be lifted until the UDRP decision/finding has been completed - as at that point if the request has been found "/wanting/" then the customer still has his privacy intact because the UDRP panel has rejected the claim.

The UDRP process cost is around $1500, I don't know what lawyers charge on top mind you, but, if I had to protect my IP, $1500 is something simple to find to protect it. You have given certainly the view from the "person trying to get the information" yet totally left out the "I want my privacy protected". Let me give you a "way off" example and yes I know this is way off.

A "person" is being stalked, they move to get away from said stalker, BUT, their domain is essential to their keeping, the stalker only has to ask / request the PP service provider for the information - and in your last paragraph you suggest the information should be simply given over.

I am sorry, but, thats wrong. It is not an attack on you Val, and we have to think of the best routes for this. UDRP means somebody adjudicates the request - THIS IS FAIR and IMPARTIAL to both parties. If the PP customer is in the wrong - fine, not only do they lose the case and the domain - they lose the PP service as the domain is no longer theirs.

We can all go round and round in circles and be here all year, the IP guys want the ability to simply ask for information and be given it, let me put another thought out there :

A lawyer provides his customer a PP service, do you really think that the lawyer will simply "give up" the customer information if requested? They may well do, but, I would lean on the side of "No, you cant have it as it is attorney–client privilege" (I am not a lawyer, so that may be the wrong term - but you get the idea)

If the lawyer has a court order or subpoena then sure - he/she will provide that info. I am suggesting the same, no more, no less.

In the UK, you are innocent until proven guilty, like most places, so, why should someone's data be revealed unless it has been requested/ruled by an authority/judge whatever. At least with being requested LEGALLY like that, the data protection act in the UK (where we are) allows us to provide that information as we have a court order requesting it.

Kind regards,

Chris

On 30/09/2014 11:12 PM, Valeriya Sherman wrote:

We also agree with the points raised by Todd and Kathy below. Disclosure to a Requestor would avoid the more drastic result of Publication associated with the filing of a legal action, which could have negative consequences for all parties.

To echo Todd's point below, Disclosure would help to avoid unnecessary(and expensive) arbitration or litigation. In the context of IP rights enforcement, where many rights are territorial in nature, disclosure of registrant contact information may be essential for a Requestor to properly analyze whether a cause of action exists or further proceedings are merited. In other words, filing a UDRP or a court action without this information is putting the cart before the horse -- it entangles all three parties (Customer, P/P Provider, and Requestor) in potentially premature legal action, that could very well have been avoided through disclosure of Customer information (e.g., jurisdiction) and/or direct communication between Customer and Requestor.

Moreover, we should keep in mind that many Requestors will be smaller businesses and organizations, for which bringing an expensive action without essential facts that could be obtained through Disclosure would be extremely burdensome, potentially to the point where they would be unable to protect their rights against some infringers -- a result fraught with anti-competitive and anti-consumer implications. An effective and fair accreditation regime should aim to prevent such a result.

Thanks,

Val

Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.3300 Cell 303.589.7477 vsherman@sgbdc.com <mailto:vsherman@law.gwu.edu>

------------------------------------------------------------------------

*From:*gnso-ppsai-pdp-wg-bounces@icann.org <mailto:gnso-ppsai-pdp-wg-bounces@icann.org> [gnso-ppsai-pdp-wg-bounces@icann.org <mailto:gnso-ppsai-pdp-wg-bounces@icann.org>] on behalf of Kathy Kleiman [kathy@kathykleiman.com <mailto:kathy@kathykleiman.com>] *Sent:* Tuesday, September 30, 2014 9:33 AM *To:* gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org> *Subject:* Re: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses

A Belated +1 to Todd's thoughtful analysis below.

Although #1 (publication) does seem to be the default for some re: UDRP filings, it does seem to be intrinsically unfair to publish a Registrants personal/organizational data to the world without at least a *finding* of actual wrongdoing (not the filing of the complaint in and of itself -- what happens if it is a Reverse Domain Name Hijacking decision, or a previous business partner sharing rights to the same name...??)

Here, I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution.

I think Todd lays it out far more eloquently below... Best, Kathy

:

Thanks Mary. One thought for the group to consider (happy to discuss in more detail on the call):

Reviewing the attached, it seems as if there are basically two alternatives for us to debate when it comes to disclosure in the context of cybersquatting and UDRPs (setting aside for now that there are many abuses other than cybersquatting where disclosure may be relevant):

1)One alternative is for the p/p provider to simply funnel those kinds of complaints into a UDRP. This approach basically skips “disclosure” and goes straight to “publication” – the attached points out that most providers will publish all contact information to the world once a UDRP is filed.

2)The other alternative would require disclosure to the complainant under certain enumerated circumstances where the complainant provides enough information to meet certain prima facie elements (and makes certain averments under penalty of perjury).

Based on the attached, it seems that Option (1) is currently the more common approach. But going forward, isn’t Option (2) much better for the consumers/beneficial users who purchase p/p services? As Kathy and others have rightly mentioned, publication (to the world) is a more extreme deviation from the beneficial user’s privacy expectations than is disclosure (to a single complainant). So why would we adopt an accreditation regime that skews the process toward the more drastic result?

f

One other thought on this: in many cases disclosure may obviate the need to file a UDRP at all. Maybe the complainant can contact the beneficial user to negotiate a resolution. Or maybe learning the beneficial user’s identity will cause the complainant to question its original analysis that the domain name was being used in bad faith. Whatever the reason, I would assume that avoiding a UDRP is almost always going to be the better option for ALL parties involved:

·The complainant gets to save the money that it would otherwise spend on a UDRP.

·The beneficial user gets to avoid the more drastic result of publication to the world.

·The p/p provider gets to avoid being named as a respondent in a UDRP proceeding (which James noted on our call can be problematic), and may get to keep a paying customer that it would otherwise lose once the UDRP is filed and the contact information is published to the world.

So if everybody is better off under Option (2) than Option (1), what I am missing? What is the argument for Option (1)? And why is it the more common approach used today (at least, according to the responses compiled in the attached)?

Thanks.

Todd.

*From:*gnso-ppsai-pdp-wg-bounces@icann.org <mailto:gnso-ppsai-pdp-wg-bounces@icann.org> [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of *Mary Wong *Sent:* Thursday, September 25, 2014 7:36 PM *To:* PPSAI WG *Subject:* [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses

Dear WG members,

Please find attached a document that staff has compiled of P/P provider responses to the 5 questions posed by the WG chairs to the group after the call last week, as follows:

1. What are provider practices regarding customer notification when a disclosure request is received, and is the customer given the opportunity to respond?

2. Does any provider offer its customer an option other than disclosure or publication, e.g. an opportunity to cancel the registration instead (i.e. what some WG members have mentioned as a “takedown”)?

3. What are provider “standards" for determining disclosure to third parties?

4. Can providers give the WG some general information about the percentage of requests for disclosure that are successful?

5. For Q4, do providers also have information about the type of claims those relate to e.g. If they are from LEA, 3P IP claim etc.?

Please let me know if I have mischaracterized or omitted any response that you may have sent (for which I offer my apologies!). If you have not yet provided a response and are in a position to do so, or if you’d like to add to a response you’d provided previously, please send it along and I’ll make sure it gets added to this document.

Finally, please note that certain actual provider terms of service obtained from a sample of providers had previously been compiled as part of the draft template for this Category F, so that may also be helpful – these are available on the WG wiki here: https://community.icann.org/x/QwbxAg.

Thanks and cheers

Mary

Mary Wong

Senior Policy Director

Internet Corporation for Assigned Names & Numbers (ICANN)

Telephone: +1 603 574 4892

Email: mary.wong@icann.org <mailto:mary.wong@icann.org>

_______________________________________________

Gnso-ppsai-pdp-wg mailing list

Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg

_______________________________________________

Gnso-ppsai-pdp-wg mailing list

Gnso-ppsai-pdp-wg@icann.org <mailto:Gnso-ppsai-pdp-wg@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg

Hi Alex, In that regard "we" = registrar as the UDRP claim is sent to the registrar from the UDRP provider. My understanding of that is the UDRP process has to go to the registrar first so that the registrar can answer a bunch of questions and then apply the locks etc. Chris ----- Original Message ----- From: "Alex Deacon" <Alex_Deacon@mpaa.org> To: chris@netearth.net Cc: krosette@cov.com, VSherman@sgbdc.com, kathy@kathykleiman.com, gnso-ppsai-pdp-wg@icann.org Sent: Wednesday, 1 October, 2014 7:28:57 PM Subject: Re: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses Hi Chris, Can you clarify who the “we” is in your reply to Kristina below? (“we receive…”, “we reply…”) Is it the P/P service? Or the Registrar? Or both? Thanks. Alex On Oct 1, 2014, at 11:10 AM, Chris Pelling < chris@netearth.net > wrote: Hi Kristina, In my experience with dealing with WIPO for example, thats not true, we receive from them a request for information to confirm registrant, we reply with the "registrant" information (and all the other questions that are asked) and they then send to the complainee the updated registrant information requesting an amendment to the requested complaint/process docs. I am almost "100"% sure on that - let me check. Kind regards, Chris On 01/10/2014 2:59 PM, Rosette, Kristina wrote: Under the scenario Chris is suggesting, the UDRP finding would be against the proxy service provider; not its customer. Just something to consider . . . . From: gnso-ppsai-pdp-wg-bounces@icann.org [ mailto:gnso-ppsai-pdp-wg-bounces@icann.org ] On Behalf Of Chris Pelling Sent: Wednesday, October 01, 2014 5:29 AM To: Valeriya Sherman; Kathy Kleiman; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses Hi Val, Kathy's words were : "I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution." which essentially means (if we are talking about the National Arbitration Forum) this is filing a UDRP case. So disclosure is ONLY once UDRP has been filed, because we are required to provide that information for the UDRP process as the registrar under the RAA. Otherwise in all fairness we will have "willy nilly" requests for information from every tom, dick and harry. I totally agree with Kathy in that the PP service should not be lifted until the UDRP decision/finding has been completed - as at that point if the request has been found " wanting " then the customer still has his privacy intact because the UDRP panel has rejected the claim. The UDRP process cost is around $1500, I don't know what lawyers charge on top mind you, but, if I had to protect my IP, $1500 is something simple to find to protect it. You have given certainly the view from the "person trying to get the information" yet totally left out the "I want my privacy protected". Let me give you a "way off" example and yes I know this is way off. A "person" is being stalked, they move to get away from said stalker, BUT, their domain is essential to their keeping, the stalker only has to ask / request the PP service provider for the information - and in your last paragraph you suggest the information should be simply given over. I am sorry, but, thats wrong. It is not an attack on you Val, and we have to think of the best routes for this. UDRP means somebody adjudicates the request - THIS IS FAIR and IMPARTIAL to both parties. If the PP customer is in the wrong - fine, not only do they lose the case and the domain - they lose the PP service as the domain is no longer theirs. We can all go round and round in circles and be here all year, the IP guys want the ability to simply ask for information and be given it, let me put another thought out there : A lawyer provides his customer a PP service, do you really think that the lawyer will simply "give up" the customer information if requested? They may well do, but, I would lean on the side of "No, you cant have it as it is attorney–client privilege" (I am not a lawyer, so that may be the wrong term - but you get the idea) If the lawyer has a court order or subpoena then sure - he/she will provide that info. I am suggesting the same, no more, no less. In the UK, you are innocent until proven guilty, like most places, so, why should someone's data be revealed unless it has been requested/ruled by an authority/judge whatever. At least with being requested LEGALLY like that, the data protection act in the UK (where we are) allows us to provide that information as we have a court order requesting it. Kind regards, Chris On 30/09/2014 11:12 PM, Valeriya Sherman wrote: We also agree with the points raised by Todd and Kathy below. Disclosure to a Requestor would avoid the more drastic result of Publication associated with the filing of a legal action, which could have negative consequences for all parties. To echo Todd's point below, Disclosure would help to avoid unnecessary(and expensive) arbitration or litigation. In the context of IP rights enforcement, where many rights are territorial in nature, disclosure of registrant contact information may be essential for a Requestor to properly analyze whether a cause of action exists or further proceedings are merited. In other words, filing a UDRP or a court action without this information is putting the cart before the horse -- it entangles all three parties (Customer, P/P Provider, and Requestor) in potentially premature legal action, that could very well have been avoided through disclosure of Customer information (e.g., jurisdiction) and/or direct communication between Customer and Requestor. Moreover, we should keep in mind that many Requestors will be smaller businesses and organizations, for which bringing an expensive action without essential facts that could be obtained through Disclosure would be extremely burdensome, potentially to the point where they would be unable to protect their rights against some infringers -- a result fraught with anti-competitive and anti-consumer implications. An effective and fair accreditation regime should aim to prevent such a result. Thanks, Val Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.3300 Cell 303.589.7477 vsherman@sgbdc.com From: gnso-ppsai-pdp-wg-bounces@icann.org [ gnso-ppsai-pdp-wg-bounces@icann.org ] on behalf of Kathy Kleiman [ kathy@kathykleiman.com ] Sent: Tuesday, September 30, 2014 9:33 AM To: gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses A Belated +1 to Todd's thoughtful analysis below. Although #1 (publication) does seem to be the default for some re: UDRP filings, it does seem to be intrinsically unfair to publish a Registrants personal/organizational data to the world without at least a *finding* of actual wrongdoing (not the filing of the complaint in and of itself -- what happens if it is a Reverse Domain Name Hijacking decision, or a previous business partner sharing rights to the same name...??) Here, I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution. I think Todd lays it out far more eloquently below... Best, Kathy : Thanks Mary. One thought for the group to consider (happy to discuss in more detail on the call): Reviewing the attached, it seems as if there are basically two alternatives for us to debate when it comes to disclosure in the context of cybersquatting and UDRPs (setting aside for now that there are many abuses other than cybersquatting where disclosure may be relevant): 1) One alternative is for the p/p provider to simply funnel those kinds of complaints into a UDRP. This approach basically skips “disclosure” and goes straight to “publication” – the attached points out that most providers will publish all contact information to the world once a UDRP is filed. 2) The other alternative would require disclosure to the complainant under certain enumerated circumstances where the complainant provides enough information to meet certain prima facie elements (and makes certain averments under penalty of perjury). Based on the attached, it seems that Option (1) is currently the more common approach. But going forward, isn’t Option (2) much better for the consumers/beneficial users who purchase p/p services? As Kathy and others have rightly mentioned, publication (to the world) is a more extreme deviation from the beneficial user’s privacy expectations than is disclosure (to a single complainant). So why would we adopt an accreditation regime that skews the process toward the more drastic result? f One other thought on this: in many cases disclosure may obviate the need to file a UDRP at all. Maybe the complainant can contact the beneficial user to negotiate a resolution. Or maybe learning the beneficial user’s identity will cause the complainant to question its original analysis that the domain name was being used in bad faith. Whatever the reason, I would assume that avoiding a UDRP is almost always going to be the better option for ALL parties involved: · The complainant gets to save the money that it would otherwise spend on a UDRP. · The beneficial user gets to avoid the more drastic result of publication to the world. · The p/p provider gets to avoid being named as a respondent in a UDRP proceeding (which James noted on our call can be problematic), and may get to keep a paying customer that it would otherwise lose once the UDRP is filed and the contact information is published to the world. So if everybody is better off under Option (2) than Option (1), what I am missing? What is the argument for Option (1)? And why is it the more common approach used today (at least, according to the responses compiled in the attached)? Thanks. Todd. From: gnso-ppsai-pdp-wg-bounces@icann.org [ mailto:gnso-ppsai-pdp-wg-bounces@icann.org ] On Behalf Of Mary Wong Sent: Thursday, September 25, 2014 7:36 PM To: PPSAI WG Subject: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses Dear WG members, Please find attached a document that staff has compiled of P/P provider responses to the 5 questions posed by the WG chairs to the group after the call last week, as follows: 1. What are provider practices regarding customer notification when a disclosure request is received, and is the customer given the opportunity to respond? 2. Does any provider offer its customer an option other than disclosure or publication, e.g. an opportunity to cancel the registration instead (i.e. what some WG members have mentioned as a “takedown”)? 3. What are provider “standards" for determining disclosure to third parties? 4. Can providers give the WG some general information about the percentage of requests for disclosure that are successful? 5. For Q4, do providers also have information about the type of claims those relate to e.g. If they are from LEA, 3P IP claim etc.? Please let me know if I have mischaracterized or omitted any response that you may have sent (for which I offer my apologies!). If you have not yet provided a response and are in a position to do so, or if you’d like to add to a response you’d provided previously, please send it along and I’ll make sure it gets added to this document. Finally, please note that certain actual provider terms of service obtained from a sample of providers had previously been compiled as part of the draft template for this Category F, so that may also be helpful – these are available on the WG wiki here: https://community.icann.org/x/QwbxAg . Thanks and cheers Mary Mary Wong Senior Policy Director Internet Corporation for Assigned Names & Numbers (ICANN) Telephone: +1 603 574 4892 Email: mary.wong@icann.org _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg

Thank you Kathy. Just one quick point of clarification on an issue where I think that you and I may agree (but which I just wanted to make explicit): I'm not arguing that in the cybersquatting abuse case disclosure should only come after a UDRP has been filed. Perhaps that is a good time for it, but it shouldn't be the only time. In other words, filing a UDRP should not be a prerequisite for disclosure, for at least three reasons: 1) the complainant shouldn't have to pay for a UDRP just to get disclosure; 2) perhaps disclosure will lead to a negotiated resolution (which should be preferable to adjudication); and 3) such a rule would be putting the cart before the horse (in that, in some cases - but not all - it may be difficult for the complainant to fully assess the merits of its UDRP claim without knowing the identity of the beneficial user). This last point is one that has relevance beyond just the UDRP context. Many of the judgments/analyses that we've been discussing can be difficult for a complainant to make in the absence of any information on the identity of the beneficial user: * We've discussed jurisdiction - but it's easy to think of fact patterns where the identity or contact information of the beneficial user may be relevant to the jurisdictional analysis. * We've discussed fair use - but it's easy to think of fact patterns where the identity of the beneficial user may be relevant to the fair use analysis. * We've discussed cybersquatting - but it's easy to think of fact patterns where the identity of the beneficial user may be relevant to the bad faith analysis. And so on. Just something to keep in mind: p/p services by definition introduce information asymmetries that are not present otherwise (perhaps in some cases for good reasons - that's not really my point). In discussing something like how high a disclosure standard should be, we can't forget that: we can't set up a system where in order to get certain information you have to allege something or do something that assumes you already have that information. Todd. From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Tuesday, September 30, 2014 9:34 AM To: gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses A Belated +1 to Todd's thoughtful analysis below. Although #1 (publication) does seem to be the default for some re: UDRP filings, it does seem to be intrinsically unfair to publish a Registrants personal/organizational data to the world without at least a *finding* of actual wrongdoing (not the filing of the complaint in and of itself -- what happens if it is a Reverse Domain Name Hijacking decision, or a previous business partner sharing rights to the same name...??) Here, I think disclosure to the Complainant and the Forum would be sufficient to meet the needs of the Complainant, and provide information that can be used for both the formal dispute and perhaps an informal resolution. I think Todd lays it out far more eloquently below... Best, Kathy : Thanks Mary. One thought for the group to consider (happy to discuss in more detail on the call): Reviewing the attached, it seems as if there are basically two alternatives for us to debate when it comes to disclosure in the context of cybersquatting and UDRPs (setting aside for now that there are many abuses other than cybersquatting where disclosure may be relevant): 1) One alternative is for the p/p provider to simply funnel those kinds of complaints into a UDRP. This approach basically skips "disclosure" and goes straight to "publication" - the attached points out that most providers will publish all contact information to the world once a UDRP is filed. 2) The other alternative would require disclosure to the complainant under certain enumerated circumstances where the complainant provides enough information to meet certain prima facie elements (and makes certain averments under penalty of perjury). Based on the attached, it seems that Option (1) is currently the more common approach. But going forward, isn't Option (2) much better for the consumers/beneficial users who purchase p/p services? As Kathy and others have rightly mentioned, publication (to the world) is a more extreme deviation from the beneficial user's privacy expectations than is disclosure (to a single complainant). So why would we adopt an accreditation regime that skews the process toward the more drastic result? f One other thought on this: in many cases disclosure may obviate the need to file a UDRP at all. Maybe the complainant can contact the beneficial user to negotiate a resolution. Or maybe learning the beneficial user's identity will cause the complainant to question its original analysis that the domain name was being used in bad faith. Whatever the reason, I would assume that avoiding a UDRP is almost always going to be the better option for ALL parties involved: * The complainant gets to save the money that it would otherwise spend on a UDRP. * The beneficial user gets to avoid the more drastic result of publication to the world. * The p/p provider gets to avoid being named as a respondent in a UDRP proceeding (which James noted on our call can be problematic), and may get to keep a paying customer that it would otherwise lose once the UDRP is filed and the contact information is published to the world. So if everybody is better off under Option (2) than Option (1), what I am missing? What is the argument for Option (1)? And why is it the more common approach used today (at least, according to the responses compiled in the attached)? Thanks. Todd. From: gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org> [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Mary Wong Sent: Thursday, September 25, 2014 7:36 PM To: PPSAI WG Subject: [Gnso-ppsai-pdp-wg] Compilation of P/P provider responses Dear WG members, Please find attached a document that staff has compiled of P/P provider responses to the 5 questions posed by the WG chairs to the group after the call last week, as follows: 1. What are provider practices regarding customer notification when a disclosure request is received, and is the customer given the opportunity to respond? 2. Does any provider offer its customer an option other than disclosure or publication, e.g. an opportunity to cancel the registration instead (i.e. what some WG members have mentioned as a "takedown")? 3. What are provider "standards" for determining disclosure to third parties? 4. Can providers give the WG some general information about the percentage of requests for disclosure that are successful? 5. For Q4, do providers also have information about the type of claims those relate to e.g. If they are from LEA, 3P IP claim etc.? Please let me know if I have mischaracterized or omitted any response that you may have sent (for which I offer my apologies!). If you have not yet provided a response and are in a position to do so, or if you'd like to add to a response you'd provided previously, please send it along and I'll make sure it gets added to this document. Finally, please note that certain actual provider terms of service obtained from a sample of providers had previously been compiled as part of the draft template for this Category F, so that may also be helpful - these are available on the WG wiki here: https://community.icann.org/x/QwbxAg. Thanks and cheers Mary Mary Wong Senior Policy Director Internet Corporation for Assigned Names & Numbers (ICANN) Telephone: +1 603 574 4892 Email: mary.wong@icann.org<mailto:mary.wong@icann.org> _______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org<mailto:Gnso-ppsai-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg