ICANN sets its sights on privacy and proxy providers


The Privacy & Proxy Services Accreditation Issues Working Group (PPSAI), a working group formed by ICANN advisory body the Generic Names Supporting Organisation (GNSO), has released a 98-page report entitled “Initial Report on Privacy & Proxy Services Accreditation Issues Policy Development Process”. The working group aims to create a framework for regulating these privacy and proxy services, including spelling out how, and under which circumstances, underlying registrant details should be released. The report is underpinned by the notion that privacy and proxy services should be accredited by ICANN in the same way as domain name registrars currently are.   

Both WHOIS privacy and proxy services are used to shield the contact details of registrants and they are in widespread use both by the so-called 'bad actors' of the domain name world as well as legitimate registrants. Privacy services generally show only the name of the domain name registrant but mask other contact details behind the privacy provider's own contact details. Proxy services go one step further by acting as the actual registrant of the domain name; however, the report notes that the two services are to be treated the same way. 

The various privacy and proxy providers currently have their own rules regarding when and how they will release the details of underlying registrants (eg, pursuant to IP or law enforcement agency requests), but most will either provide the registrant details or reveal them publicly in the WHOIS when a UDRP is filed against the domain name. 

The PPSAI group's report hinges on the notion that privacy and proxy providers should be subject to ICANN accreditation in the same way that domain name registrars currently are. This is seen by the working group as the logical extension of ICANN's ongoing efforts to improve the entire WHOIS system. 

Such accreditation would bring with it a host of obligations for service providers, such as the need to periodically verify the validity of underlying WHOIS data, as well as having a designated point of contact to handle abuse reports and information requests. The report calls for the privacy and proxy providers to provide “a link to either a standardised request form or an equivalent list of specific criteria that the provider requires in order to determine whether or not to comply with third party requests”. Under the planned scenario, service providers would also be obliged to clearly set out their terms of service on their website, covering such points as the specific grounds upon which a customer’s details may be disclosed or published and whether the registrant will be informed of such disclosure.

The working group reached preliminary agreement with regard to a proposed disclosure framework for handling requests from IP interests. Under the proposed rules, privacy and proxy service providers would need to provide a point of contact for complaints which would gather proof of trademark infringement according to a kind of checklist for same. Additionally, the new rules would prevent service providers from rejecting requests on the basis that the alleged infringement results from the content of a website rather than the domain name itself.

The working group failed, however, to reach a consensus with regard to a disclosure framework for groups such as law enforcement agencies, and anti-abuse and consumer protection groups. Left up in the air were points such as whether service providers should comply with requests from law enforcement agencies in the provider’s jurisdiction not to notify a customer of the disclosure of information and whether publication for certain types of activity such as malware and viruses should be mandatory. In respect of these grey areas, the working group made a point of stating that it would "particularly welcome specific public comments on those of its deliberations, proposals and options for which there is currently no [working group] consensus" and it is encouraging to see that the public comment period is being promoted as an important part of the policy development process.

Another contentious issue examined by the working group was whether access to privacy and proxy services should be limited to only those domain names that are not actively used for online financial transactions, as certain members of the group wished. However, the working group was divided on this thorny and logistically fraught point and asserted that:

"Attempting to distinguish the end purposes of a domain registration is not practicable for the purposes of determining eligibility for privacy/proxy services, and will unfairly discriminate against vulnerable groups, entrepreneurs, small businesses and organisations who wish to exercise their rights of freedom of expression rights on the Internet."

The growth of the Internet is by nature amorphous and largely unregulated, and this has allowed service providers of all kinds to emerge and write their own rules. It will be interesting to see how the privacy and proxy service providers, particularly some of the outliers, react to an obligation to be accredited by ICANN. Although one would expect these service providers would be keen to have their say on the matter, it is worth noting that, at the time of writing of this article, only one comment has been registered on the public comments forum, although it has been open for around three weeks.

The PPSAI report will be open for public comment until July 21 2015. 

David Taylor and Cindy Mikul, Hogan Lovells LLP, Paris

Get unlimited access to all WTR content