For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B - question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation - Category B - question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings
Sent: Thursday, March 13, 2014 7:04 AM
To: gnso-ppsai-pdp-wg@icann.org
Subject: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B - question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation - Category B - question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
I agree with Todd's characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or "manual verification," which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Williams, Todd
Sent: Friday, March 14, 2014 4:53 PM
To: Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman
Silverberg, Goldman & Bikoff, L.L.P.
1101 30th Street, N.W.
Suite 120
Washington, D.C. 20007
Tel 202.944.2330
Cell 303.589.7477
vsherman@sgbdc.com
________________________________
From: gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com]
Sent: Monday, March 17, 2014 6:13 AM
To: 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd’s characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or “manual verification,” which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
As Val mentioned, I agree with Todd's and Steve's points, and those noted in Val's email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Valeriya Sherman
Sent: Monday, March 17, 2014 4:09 PM
To: Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman
Silverberg, Goldman & Bikoff, L.L.P.
1101 30th Street, N.W.
Suite 120
Washington, D.C. 20007
Tel 202.944.2330
Cell 303.589.7477
vsherman@sgbdc.com
We also concur with those points.
John Horton
President, LegitScript
On Mon, Mar 17, 2014 at 1:17 PM, GBarnett@sgbdc.com <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd's and Steve's points, and those noted in Val's email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto: gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of *Valeriya Sherman *Sent:* Monday, March 17, 2014 4:09 PM *To:* Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
*Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com <vsherman@law.gwu.edu> ------------------------------
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [ gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [ met@msk.com] *Sent:* Monday, March 17, 2014 6:13 AM *To:* 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd's characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or "manual verification," which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [ mailto:gnso-ppsai-pdp-wg-bounces@icann.org<gnso-ppsai-pdp-wg-bounces@icann.org>] *On Behalf Of *Williams, Todd *Sent:* Friday, March 14, 2014 4:53 PM *To:* Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (*e.g.*, email *and* phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Marika Konings *Sent:* Thursday, March 13, 2014 7:04 AM *To:* gnso-ppsai-pdp-wg@icann.org *Subject:* [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B - question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
*Draft Preliminary Recommendation - Category B - question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)*
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy ( http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
+1 more Libby Baney President FWD Strategies International, LLC www.FWDstrategies.com P: 202-499-2296
On Mar 17, 2014, at 5:19 PM, John Horton <john.horton@legitscript.com> wrote:
We also concur with those points.
John Horton President, LegitScript
On Mon, Mar 17, 2014 at 1:17 PM, GBarnett@sgbdc.com <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd’s and Steve’s points, and those noted in Val’s email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Valeriya Sherman Sent: Monday, March 17, 2014 4:09 PM To: Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com] Sent: Monday, March 17, 2014 6:13 AM To: 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd’s characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or “manual verification,” which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Williams, Todd Sent: Friday, March 14, 2014 4:53 PM To: Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don’t see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. “more”), it appears that more of the responses in the attached argue for “more” than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the “more” side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the “more” should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a “reveal” procedure that is essentially instantaneous in certain cases (once we get to discussing “reveal” procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the “more” (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I’m curious to hear what everybody else thinks.
Thanks all.
Todd.
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings Sent: Thursday, March 13, 2014 7:04 AM To: gnso-ppsai-pdp-wg@icann.org Subject: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B – question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation – Category B – question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN’s Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
As you know, accurate whois for abusive domain names equals stolen whois data. Just look at the whois of some of the domains you have reported in the past, I am sure that you will notice that in most cases, the registrant details are 100% accurate, just not those of the actual registrant.
If you want to promote identity theft further, this is the ticket...
Volker
On 17.03.2014 at 22:19, John Horton wrote:
We also concur with those points.
John Horton President, LegitScript
On Mon, Mar 17, 2014 at 1:17 PM, GBarnett@sgbdc.com <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd's and Steve's points, and those noted in Val's email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Valeriya Sherman *Sent:* Monday, March 17, 2014 4:09 PM *To:* Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
*Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com
------------------------------------------------------------------------
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com] *Sent:* Monday, March 17, 2014 6:13 AM *To:* 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd's characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or "manual verification," which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Williams, Todd *Sent:* Friday, March 14, 2014 4:53 PM *To:* Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (*e.g.*, email *and* phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Marika Konings *Sent:* Thursday, March 13, 2014 7:04 AM *To:* gnso-ppsai-pdp-wg@icann.org *Subject:* [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B -- question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
*Draft Preliminary Recommendation -- Category B -- question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)*
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
+1 Volker. I thought we had already made these points, and I wonder how long we as a working group can just go back and forth on this. I cannot of course accuse anyone else of being unduly stubborn, since nothing but a serious long range study of the impact on ID theft whose findings contradict my previous experience, will convince me that increasing accuracy in the WHOIS is not going to drive ID theft.
cheers
Stephanie Perrin
On Mar 18, 2014, at 6:01 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
As you know, accurate whois for abusive domain names equals stolen whois data. Just look at the whois of some of the domains you have reported in the past, I am sure that you will notice that in most cases, the registrant details are 100% accurate, just not those of the actual registrant.
If you want to promote identity theft further, this is the ticket...
Volker
On 17.03.2014 at 22:19, John Horton wrote:
We also concur with those points.
John Horton President, LegitScript
On Mon, Mar 17, 2014 at 1:17 PM, GBarnett@sgbdc.com <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd’s and Steve’s points, and those noted in Val’s email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Valeriya Sherman Sent: Monday, March 17, 2014 4:09 PM To: Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com] Sent: Monday, March 17, 2014 6:13 AM To: 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd’s characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or “manual verification,” which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Williams, Todd Sent: Friday, March 14, 2014 4:53 PM To: Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don’t see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. “more”), it appears that more of the responses in the attached argue for “more” than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the “more” side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the “more” should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a “reveal” procedure that is essentially instantaneous in certain cases (once we get to discussing “reveal” procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the “more” (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I’m curious to hear what everybody else thinks.
Thanks all.
Todd.
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings Sent: Thursday, March 13, 2014 7:04 AM To: gnso-ppsai-pdp-wg@icann.org Subject: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B – question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation – Category B – question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN’s Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
Just look at the whois of some of the domains you have reported in the past, I am sure that you will notice that in most cases, the registrant details are 100% accurate, just not those of the actual registrant.
Actually, I wouldn't agree with that based on the data in our database. That might be true (I don't know) for domain names we've reported to a particular registrar, and it certainly may happen, but I wouldn't agree with that across all registrars. It's certainly the case with some registrations, but definitely not all, and I actually don't think most, in fact. Offhand, I'd say that we see way more completely falsified Whois registrations (the Whois data isn't stolen; it's just falsified -- no such address, etc.) than stolen Whois information.
John Horton President, LegitScript
On Tue, Mar 18, 2014 at 3:01 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
As you know, accurate whois for abusive domain names equals stolen whois data. Just look at the whois of some of the domains you have reported in the past, I am sure that you will notice that in most cases, the registrant details are 100% accurate, just not those of the actual registrant.
If you want to promote identity theft further, this is the ticket...
Volker
On 17.03.2014 at 22:19, John Horton wrote:
We also concur with those points.
John Horton President, LegitScript
On Mon, Mar 17, 2014 at 1:17 PM, GBarnett@sgbdc.com <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd's and Steve's points, and those noted in Val's email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Valeriya Sherman *Sent:* Monday, March 17, 2014 4:09 PM *To:* Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
*Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman
Silverberg, Goldman & Bikoff, L.L.P.
1101 30th Street, N.W.
Suite 120
Washington, D.C. 20007
Tel 202.944.2330
Cell 303.589.7477
vsherman@sgbdc.com <vsherman@law.gwu.edu>
------------------------------
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [ gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [ met@msk.com] *Sent:* Monday, March 17, 2014 6:13 AM *To:* 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd's characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or "manual verification," which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Williams, Todd *Sent:* Friday, March 14, 2014 4:53 PM *To:* Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (*e.g.*, email *and* phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Marika Konings *Sent:* Thursday, March 13, 2014 7:04 AM *To:* gnso-ppsai-pdp-wg@icann.org *Subject:* [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B - question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
*Draft Preliminary Recommendation - Category B - question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)*
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
I agree with the draft recommendation as written by Marika. Going beyond what the 2013 RAA requires makes no sense since even that has no track record as of yet to know if it can be correctly done and actually accomplishes its goal. As the RAA requirements change/increase it would make sense for that to flow through to the p/p services as well.
So, given the split on this issue, we may need to take a head count so we can note both views and the amount of agreement each one carries, and by which stakeholders.
Tim
On Mar 17, 2014, at 4:18 PM, "GBarnett@sgbdc.com" <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd’s and Steve’s points, and those noted in Val’s email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
*Draft Preliminary Recommendation -- Category B -- question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)*
Answer: ICANN-accredited privacy/proxy service providers should be required to conduct checks and provide data reminder notices that correspond exactly to those periodic checks and notices required of ICANN accredited registrars under the RRA governing the registration. This obligation does not apply for registrations where the privacy/proxy service is set up in such a manner that the periodic checks performed by and data reminder notices provided by the ICANN accredited registrar reach the beneficial owner and contain the underlying data.
This would be in my view the most balanced and sensible approach.
VG
On 17.03.2014 at 22:23, Tim Ruiz wrote:
I agree with the draft recommendation as written by Marika. Going beyond what the 2013 RAA requires makes no sense since even that has no track record as of yet to know if it can be correctly done and actually accomplishes its goal. As the RAA requirements change/increase it would make sense for that to flow through to the p/p services as well.
So, given the split on this issue, we may need to take a head count so we can note both views and the amount of agreement each one carries, and by which stakeholders.
Tim
This is a sound solution which I and all members of EuroDNS legal department agree with.
Luc
On Mar 18, 2014, at 11:33, Volker Greimann <vgreimann@key-systems.net> wrote:
Draft Preliminary Recommendation – Category B – question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
Answer: ICANN-accredited privacy/proxy service providers should be required to conduct checks and provide data reminder notices that correspond exactly to those periodic checks and notices required of ICANN accredited registrars under the RRA governing the registration. This obligation does not apply for registrations where the privacy/proxy service is set up in such a manner that the periodic checks performed by and data reminder notices provided by the ICANN accredited registrar reach the beneficial owner and contain the underlying data.
This would be in my view the most balanced and sensible approach.
VG
+1 Osvaldo
On 18/03/2014, at 07:54, "Theo Geurts" <theo.geurts@firstfind.nl> wrote:
Agreed, good solution/answer.
Theo Geurts
Realtime Register B.V.
Ceintuurbaan 32A 8024 AA - ZWOLLE - The Netherlands
T: +31.384530759 F: +31.384524734 U: www.realtimeregister.com E: support@realtimeregister.com
----- Original message -----
From: "Luc SEUFER" <lseufer@dclgroup.eu>
To: "Volker Greimann" <vgreimann@key-systems.net>
Cc: gnso-ppsai-pdp-wg@icann.org
Sent: Tuesday, 18 March 2014 12:25:13
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B- question 2
This is a sound solution which I and all members of EuroDNS legal department agree with.
Luc
On Mar 18, 2014, at 11:33, Volker Greimann <vgreimann@key-systems.net> wrote:
Draft Preliminary Recommendation – Category B – question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
Answer: ICANN-accredited privacy/proxy service providers should be required to conduct checks and provide data reminder notices that correspond exactly to those periodic checks and notices required of ICANN accredited registrars under the RRA governing the registration. This obligation does not apply for registrations where the privacy/proxy service is set up in such a manner that the periodic checks performed by and data reminder notices provided by the ICANN accredited registrar reach the beneficial owner and contain the underlying data.
This would be in my view the most balanced and sensible approach.
VG
On 17.03.2014 at 22:23, Tim Ruiz wrote:
I agree with the draft recommendation as written by Marika. Going beyond what the 2013 RAA requires makes no sense since even that has no track record as of yet to know if it can be correctly done and actually accomplishes its goal. As the RAA requirements change/increase it would make sense for that to flow through to the p/p services as well.
So, given the split on this issue, we may need to take a head count so we can note both views and the amount of agreement each one carries, and by which stakeholders.
Tim
On Mar 17, 2014, at 4:18 PM, "GBarnett@sgbdc.com" <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd’s and Steve’s points, and those noted in Val’s email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Valeriya Sherman
Sent: Monday, March 17, 2014 4:09 PM
To: Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman
Silverberg, Goldman & Bikoff, L.L.P.
1101 30th Street, N.W.
Suite 120
Washington, D.C. 20007
Tel 202.944.2330
Cell 303.589.7477
vsherman@sgbdc.com
________________________________
From: gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com]
Sent: Monday, March 17, 2014 6:13 AM
To: 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd’s characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or “manual verification,” which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Williams, Todd
Sent: Friday, March 14, 2014 4:53 PM
To: Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don’t see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. “more”), it appears that more of the responses in the attached argue for “more” than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the “more” side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the “more” should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a “reveal” procedure that is essentially instantaneous in certain cases (once we get to discussing “reveal” procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the “more” (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I’m curious to hear what everybody else thinks.
Thanks all.
Todd.
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings
Sent: Thursday, March 13, 2014 7:04 AM
To: gnso-ppsai-pdp-wg@icann.org
Subject: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B – question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation – Category B – question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN’s Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
_______________________________________________
Gnso-ppsai-pdp-wg mailing list
Gnso-ppsai-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
I agree with Tim's statement. I don't see a reason to go beyond 2013 RAA; if there is a reason, we should request a change in the RAA.
Best regards,
Osvaldo
On 17/03/2014, at 17:23, "Tim Ruiz" <tim@godaddy.com> wrote:
I agree with the draft recommendation as written by Marika. Going beyond what the 2013 RAA requires makes no sense since even that has no track record as of yet to know if it can be correctly done and actually accomplishes its goal. As the RAA requirements change/increase it would make sense for that to flow through to the p/p services as well.
So, given the split on this issue, we may need to take a head count so we can note both views and the amount of agreement each one carries, and by which stakeholders.
Tim
On Mar 17, 2014, at 4:18 PM, "GBarnett@sgbdc.com" <GBarnett@sgbdc.com> wrote:
As Val mentioned, I agree with Todd’s and Steve’s points, and those noted in Val’s email.
Griffin
Griffin M. Barnett
Silverberg, Goldman & Bikoff, LLP
1101 30th Street NW
Suite 120
Washington, DC 20007
(202) 944-3307
gbarnett@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Valeriya Sherman
Sent: Monday, March 17, 2014 4:09 PM
To: Metalitz, Steven; 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org
Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment:
Contact information that is ultimately revealed is valuable only if it is accurate.
The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information.
Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information. Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information. Regards, Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com<mailto:vsherman@law.gwu.edu> ________________________________ From: gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org> [gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org>] on behalf of Metalitz, Steven [met@msk.com<mailto:met@msk.com>] Sent: Monday, March 17, 2014 6:13 AM To: 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2 I agree with Todd’s characterization of the status of this discussion, and that the questions he highlights are still open. Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or “manual verification,” which is not defined. How should this apply in the p/p service scenario? 
Steve Metalitz From: gnso-ppsai-pdp-wg-bounces@icann.org<mailto:gnso-ppsai-pdp-wg-bounces@icann.org> [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Williams, Todd Sent: Friday, March 14, 2014 4:53 PM To: Marika Konings; gnso-ppsai-pdp-wg@icann.org<mailto:gnso-ppsai-pdp-wg@icann.org> Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2 Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don’t see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how. On the first question (2013 RAA vs. “more”), it appears that more of the responses in the attached argue for “more” than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the “more” side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the “more” should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a “reveal” procedure that is essentially instantaneous in certain cases (once we get to discussing “reveal” procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it. 
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the “more” (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I’m curious to hear what everybody else thinks.
Thanks all.
Todd.
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings Sent: Thursday, March 13, 2014 7:04 AM To: gnso-ppsai-pdp-wg@icann.org Subject: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B – question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation – Category B – question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA.
The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN’s Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Val, please note that the draft preliminary recommendation proposes that 'Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually'.
Does that address your last point? If not, do you or any of the others that have indicated that they agree with Todd's assessment have any suggestions for additions / changes to the draft preliminary recommendation that the WG could review and consider during its meeting tomorrow?
Best regards,
Marika
From: Valeriya Sherman <VSherman@sgbdc.com> Date: Monday 17 March 2014 21:08 To: "Metalitz, Steven" <met@msk.com>, "'Williams, Todd'" <Todd.Williams@turner.com>, Marika Konings <marika.konings@icann.org>, "gnso-ppsai-pdp-wg@icann.org" <gnso-ppsai-pdp-wg@icann.org> Subject: RE: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment: Contact information that is ultimately revealed is valuable only if it is accurate. The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information. Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information. Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com
From: gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com] Sent: Monday, March 17, 2014 6:13 AM To: 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd's characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or "manual verification," which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Williams, Todd Sent: Friday, March 14, 2014 4:53 PM To: Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings Sent: Thursday, March 13, 2014 7:04 AM To: gnso-ppsai-pdp-wg@icann.org Subject: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B - question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation - Category B - question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
I do not agree with this draft proposal for various reasons:
a) The obligations of the p/p provider should match those of the registrar the registration is performed under. In other words, the p/p provider should not be required to perform checks that would not be applicable to the registration as the sponsoring registrar is under a different RAA.
b) I disagree with the requirement for manual verification. The provider should have the option to bow out of the agreement as well.
c) The draft only uses verify, whereas the RAA differentiates between verification and validation. Any obligation to other service providers should match those of the sponsoring registrar.
d) Why should there be (re-)verification of the email address when a different data point is claimed to be incorrect? What purpose does that serve?
e) The recommendation should contain a carve-out that the obligation only applies if the reminder to the beneficial owner is not already sent by the registrar. No need to confuse registrants with duplicate reminders.
Volker
On 17.03.2014 22:44, Marika Konings wrote:
Val, please note that the draft preliminary recommendation proposes that 'Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually'.
Does that address your last point? If not, do you or any of the others that have indicated that they agree with Todd's assessment have any suggestions for additions / changes to the draft preliminary recommendation that the WG could review and consider during its meeting tomorrow?
Best regards,
Marika
From: Valeriya Sherman <VSherman@sgbdc.com> Date: Monday 17 March 2014 21:08 To: "Metalitz, Steven" <met@msk.com>, "'Williams, Todd'" <Todd.Williams@turner.com>, Marika Konings <marika.konings@icann.org>, "gnso-ppsai-pdp-wg@icann.org" <gnso-ppsai-pdp-wg@icann.org> Subject: RE: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment: Contact information that is ultimately revealed is valuable only if it is accurate. The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information. Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information. Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com
------------------------------------------------------------------------
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com] *Sent:* Monday, March 17, 2014 6:13 AM *To:* 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd's characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or "manual verification," which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Williams, Todd *Sent:* Friday, March 14, 2014 4:53 PM *To:* Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (/e.g./, email _and_ phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
*From:* gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of* Marika Konings *Sent:* Thursday, March 13, 2014 7:04 AM *To:* gnso-ppsai-pdp-wg@icann.org *Subject:* [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B -- question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
*Draft Preliminary Recommendation -- Category B -- question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)*
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
I don't know how this discussion will turn out. However, to address a possible drafting issue in advance, the first statement is not true for a law enforcement or anti-abuse investigator. Even inaccurate data registration information can be useful. Don Sent from my tablet -------- Original message --------
From Valeriya Sherman <VSherman@sgbdc.com> Date: 03/17/2014 4:10 PM (GMT-05:00) To "Metalitz, Steven" <met@msk.com>,"'Williams, Todd'" <Todd.Williams@turner.com>,Marika Konings <marika.konings@icann.org>,gnso-ppsai-pdp-wg@icann.org Subject Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment: Contact information that is ultimately revealed is valuable only if it is accurate. The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information. Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information. Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com
________________________________
From: gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com] Sent: Monday, March 17, 2014 6:13 AM To: 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd’s characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified.
In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or “manual verification,” which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Williams, Todd Sent: Friday, March 14, 2014 4:53 PM To: Marika Konings; gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don’t see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. “more”), it appears that more of the responses in the attached argue for “more” than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the “more” side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the “more” should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a “reveal” procedure that is essentially instantaneous in certain cases (once we get to discussing “reveal” procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the “more” (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I’m curious to hear what everybody else thinks.
Thanks all.
Todd.
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings Sent: Thursday, March 13, 2014 7:04 AM To: gnso-ppsai-pdp-wg@icann.org Subject: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B – question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
Draft Preliminary Recommendation – Category B – question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA.
The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required. Similar to ICANN’s Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
I am sad to say it, but the 2013 RAA does _nothing_ to guarantee accurate whois. As long as the data makes sense and the email address does not bounce after the first feedback loop, the data is verified/validated with no guarantee that the address actually belongs to the registrant. For example, on the pharmacy domains registered through our platform from time to time, what we see mostly is that most of them use individual data sets that are used for each individual registration, each set perfectly verifiable, 100% accurate, from individuals all around the globe who most likely do not have an inkling of the use of their data in these registrations.
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment: Contact information that is ultimately revealed is valuable only if it is accurate. The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information. Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information. Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Incorrect, the 2013 RAA demands no such thing and neither should we. While whois reminder messages are sent, none of these messages require an affirmative response. Such a model would be customer-unfriendly and dangerous to any established business.
Volker
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com <mailto:vsherman@law.gwu.edu>
------------------------------------------------------------------------ *From:* gnso-ppsai-pdp-wg-bounces@icann.org [gnso-ppsai-pdp-wg-bounces@icann.org] on behalf of Metalitz, Steven [met@msk.com] *Sent:* Monday, March 17, 2014 6:13 AM *To:* 'Williams, Todd'; Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
I agree with Todd's characterization of the status of this discussion, and that the questions he highlights are still open.
Another aspect of the second question below is how the p/p service provider should handle situations in which the contact information supplied by the customer cannot be verified. In the parallel situation involving non-proxy registrations, the RAA specification calls either for suspension of the registration, or "manual verification," which is not defined. How should this apply in the p/p service scenario?
Steve Metalitz
*From:*gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of *Williams, Todd *Sent:* Friday, March 14, 2014 4:53 PM *To:* Marika Konings; gnso-ppsai-pdp-wg@icann.org *Subject:* Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don't see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. "more"), it appears that more of the responses in the attached argue for "more" than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the "more" side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the "more" should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a "reveal" procedure that is essentially instantaneous in certain cases (once we get to discussing "reveal" procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the "more" (/e.g./, email _and_ phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I'm curious to hear what everybody else thinks.
Thanks all.
Todd.
*From:*gnso-ppsai-pdp-wg-bounces@icann.org <mailto:gnso-ppsai-pdp-wg-bounces@icann.org> [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] *On Behalf Of *Marika Konings *Sent:* Thursday, March 13, 2014 7:04 AM *To:* gnso-ppsai-pdp-wg@icann.org <mailto:gnso-ppsai-pdp-wg@icann.org> *Subject:* [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Dear All,
Following our call earlier this week, please find attached the updated template for Category B -- question 2. To facilitate your review, I've posted below the draft preliminary recommendation in which we've aimed to capture the conversation to date taking into account the language of the Whois Accuracy Specification Program of the 2013 RAA. If you are of the view that this does not accurately capture the WG's view to date and/or have specific suggestions for changes / edits, please share those with the mailing list. Also, if there are any other issues that need to be addressed in relation to this question and/or the preliminary recommendation, please share those as well.
Best regards,
Marika
*Draft Preliminary Recommendation -- Category B -- question 2 (Should ICANN-accredited privacy/proxy service providers be required to conduct periodic checks to ensure accuracy of customer contact information; and if so, how?)*
The WG recommends that proxy and privacy customer data be validated and verified in a manner consistent with the requirements outlined in Whois Accuracy Specification Program of the 2013 RAA. The WG furthermore agrees that in the cases where validation and verification of the P/P customer data was carried out by the registrar, reverification by the P/P service of the same, identical, information should not be required.
Similar to ICANN's Whois Data Reminder Policy (http://www.icann.org/en/resources/registrars/consensus-policies/wdrp), the P/P provider should be required to inform the P/P customer annually of his/her requirement to provide accurate and up to date contact information to the P/P provider. If the P/P provider has any information suggesting that the P/P customer information is incorrect (such as P/P service receiving a bounced email notification or non-delivery notification message in connection with compliance with data reminder notices or otherwise) for any P/P customer, the P/P provider must verify or re-verify, as applicable, the email address(es). If, within fifteen (15) calendar days after receiving any such information, P/P service does not receive an affirmative response from the P/P customer providing the required verification, the P/P service shall verify the applicable contact information manually.
_______________________________________________ Gnso-ppsai-pdp-wg mailing list Gnso-ppsai-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-ppsai-pdp-wg
Am I seeing this correctly? There are four members of the same law firm on this WG, supporting each other's positions?
Volker
On 17.03.2014 at 21:08, Valeriya Sherman wrote:
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment: Contact information that is ultimately revealed is valuable only if it is accurate. The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information. Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information. Similarly, the privacy/proxy customer's contact information should be verified upon initial registration of the domain name (either by the registrar or the Privacy/Proxy Service Provider) and periodically thereafter by automated annual email re-verification notifications that require an affirmative response by the P/P customer. Absence of a response would trigger a follow-up, reminding the privacy/proxy customer to provide accurate and up-to-date information.
Regards,
Valeriya Sherman Silverberg, Goldman & Bikoff, L.L.P. 1101 30th Street, N.W. Suite 120 Washington, D.C. 20007 Tel 202.944.2330 Cell 303.589.7477 vsherman@sgbdc.com <mailto:vsherman@law.gwu.edu>
Volker,
I believe there are three attorneys from the firm of Silverberg, Goldman & Bikoff: James L. Bikoff, David K. Heasley, and Griffin Barnett. It appears that Todd Williams is with Turner Broadcasting.
Firm's website - http://www.sgbdc.com/index-3.html (only Bikoff & Heasley listed, .sucks for Griffin Barnett the new associate not even listed on the firm's attorney bio page)
WG Statement of Interest webpage where there are statements from all four participants, see https://community.icann.org/pages/viewpage.action?pageId=43985052
In my 15 years of ICANN policy development work I do not recall a prohibition against limiting the participation of multiple employees from the same firm. However, it is a bit odd for three attorneys from a small boutique firm to be participating in a single working group.
Just my two cents and looking forward to seeing many of you in Singapore at week's end.
Best regards,
Michael
From: gnso-ppsai-pdp-wg-bounces@icann.org [mailto:gnso-ppsai-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Tuesday, March 18, 2014 11:12 AM To: gnso-ppsai-pdp-wg@icann.org Subject: Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Am I seeing this correctly? There are four members of the same law firm on this WG, supporting each other's positions?
Volker
On 17.03.2014 at 21:08, Valeriya Sherman wrote:
I, Jim Bikoff, David Heasley, and Griffin Barnett agree with Todd's assessment: Contact information that is ultimately revealed is valuable only if it is accurate. The validation/verification requirements should be consistent with the 2013 RAA requirements, but should go above and beyond those requirements to ensure the accuracy of contact information. Registrars already send an annual Whois Data Reminder Policy notification to registrants, reminding them to provide accurate and up-to-date information.
I'm checking email that built up during my break, while waiting for a delayed flight home. To Michigan from Nevada. Those who know US geography will understand it when I say I'm in no hurry.
I will add a sub point to Todd's second question. Is it within our scope to suggest the specifics if we decide to recommend "more," or does policy development end there?
Don
Sent from my tablet
-------- Original message --------
From "Williams, Todd" <Todd.Williams@turner.com> Date: 03/14/2014 4:55 PM (GMT-05:00) To Marika Konings <marika.konings@icann.org>,gnso-ppsai-pdp-wg@icann.org Subject Re: [Gnso-ppsai-pdp-wg] For your review - updated template Cat B - question 2
Thanks Marika. I missed part of the call on Tuesday where this may have been discussed, but I don’t see how the draft preliminary recommendation follows from the attached Word document, insofar as it concludes that p/p customer data should be validated and verified in a manner consistent with the requirements outlined in the 2013 RAA. I thought the current posture was that the WG has basically agreed to the 2013 RAA requirements as a floor, but that there was not yet agreement on: 1) whether validation/verification requirements should go beyond the 2013 RAA; and 2) if so, how.
On the first question (2013 RAA vs. “more”), it appears that more of the responses in the attached argue for “more” than not. That also seems to have been an open topic in our email threads (see attached). Just to reiterate from that thread, the basic argument on the “more” side (which I agree with) is that in order to partially offset the delay that will inevitably occur when accessing p/p data, the “more” should consist of whatever reasonable validation/verification steps can be taken to increase the likelihood that the information ultimately obtained will be accurate enough to facilitate contact. I suppose that if we ultimately settle on a “reveal” procedure that is essentially instantaneous in certain cases (once we get to discussing “reveal” procedures), that may mitigate this concern. But absent assurances on that point, I would think we need to address it.
On the second question: the attached appears to include multiple proposals as to what may or may not ultimately comprise the “more” (e.g., email and phone vs. or; periodic/annual re-verification vs. re-verification with information suggesting the contact information is incorrect; etc.). Have we debated the relative merits of those? Are some more likely to be effective than others? I have my thoughts, but I’m curious to hear what everybody else thinks.
Thanks all.
Todd.
participants (15)
- Don Blumenthal
- GBarnett@sgbdc.com
- John Horton
- Libby Baney
- Luc SEUFER
- Marika Konings
- Metalitz, Steven
- Michael Palage
- Novoa, Osvaldo
- Stephanie Perrin
- Theo Geurts
- Tim Ruiz
- Valeriya Sherman
- Volker Greimann
- Williams, Todd