It seems to me a much simpler and more effective solution is the following:
- Every registrar must have a designated point of contact for high priority situations. This information does NOT need to be publicly available. Instead, the information should be available to trusted parties.
There is little risk involved in disclosing information to trusted parties. They are identified and accountable, and the disclosure is made in good faith.
- Requests and disclosure made via this solution should be documented and reported appropriately.
- There is no need for contractual language that sets forth a specific timeline. The requirement for a point of contact is all that's needed in the contract.
Steve, while such a policy could be an option, it’s not the one we are implementing. So this would require more cycles of the policy process, something we should start only if the deadlock is found to be unsolvable.
As a separate but related matter, I believe there is similar treatment for reports of DNS Abuse. If a similar structure has already been agreed to for DNS Abuse, it's puzzling why the same solution is not being used for both purposes.
There is something very different between handling DNS Abuse and disclosing personal data: fines established by privacy regulations. In take-downs, if the wrong decision is made, that might lead to a civil suit by the registrant, but that’s all that can happen. This liability might be limited either to the registration fee or to some measure of monetary damages, depending on jurisdiction and specifics of the case. On the other hand, privacy regulation fines are up to x% of the annual revenue of a contracted party.
Take-downs are usually the realm of information security or compliance staffers, while registration data disclosures require lawyers. If contracted parties require around-the-clock lawyers, that will be a significant change from current business practices of the industry.
Rubens