I have a brief comment to follow up on Volker’s comments, the spirit of which I completely support. I recognize that my comments may be unpopular. I have kept a low profile in these discussions and I fear that despite heroic work and dedication on the part of all, there is a serious risk of this turning into a train wreck in practice.

Registries and registrars operate under the existing laws of the countries in which they reside. Increasingly they cannot conduct business in countries unless they have a business presence in that country. This gives countries power over registries and registrars, including the power to override elements of contracts with ICANN. How can this reality be reconciled with extending the most extensive privacy protection level to customers in ways that are workable for all providers and their customers?

ICANN can identify the absolute minimum data set required by ICANN. ICANN does not have the country by country experience or exposure of registrars and registries. It could participate in DNS industry led efforts to deal with registries and registrar data requirements, but those efforts are probably best held outside ICANN and (horror of horrors) will likely involve multilateral efforts to reconcile inter-country differences where ICANN could/should engage both as a stakeholder and as an advocate for the common good in Internet governance.

In short, ICANN should (but probably won’t) focus on ICANN’s minimum needs, and then work elsewhere in partnership, as a stakeholder and offer wise counsel, within the larger multilateral and country by country struggle for customer privacy and security in ways workable for all providers and their customers. Does this sound like a new ICANN? Yes. Is there a choice? I think not. Might I be wrong? Maybe. A train wreck? Hope not.

Sam L.


On 6/22/2016 7:06 AM, Volker Greimann wrote:

Frankly, as a provider that is handing over private details of my customer I do not care about anything less than the maximum required protection in any jurisdiction that may be applicable. So what if the states have lower privacy protection requirements than Europe and India has none? The only acceptable result in my eyes is an accomodation of the most extensive privacy protection level that may be required.

If we start looking at the countries which do not care about the privacy of their citizens, then we will get nowhere. Only be adhering to a maximum standard can we ensure that the result is workable for all providers and their customers.

Volker