NCSG-DISCUSS Archives

NCSG-DISCUSS@LISTSERV.SYR.EDU

From: Ron Wickersham <[log in to unmask]>
Reply To: Ron Wickersham <[log in to unmask]>
Date: Mon, 29 Jan 2018 21:38:09 -0800

I have a question regarding responding to court orders.  Even if we don't
have that as the _only_ option for gaining access to the registration data
(however brief or extensive it gets decided in the end) won't the law
enforcement, and other parties, government and intellectual property 
lawyers still have the option to request and obtain court orders even
if that option is not included in the ICANN policy?

How can ICANN enforce contracts to ignore local or international court
orders, or even force contractors to resist in any manner when presented
with what appears to be a court order?  I can't see ICANN revoking Verisign's
contract to operate .com based solely on complying with a court order for
a person/organization in the EU even if a court in the EU would not issue
such an order for a European-based registrar, for instance.

My concern is that if we have the option that is proposed (and the position
is well stated and convincingly argued for) that sets up special rights for
law enforcement and other parties, then it appears to me that we also get
the option 3 as well.   Thus we have to attempt to monitor both mechanisms
which makes it more difficult to ensure that those individuals and
organizations that we are arguing should be protected are actually protected.

Also, no matter what the mechanism, I would like to see disclosure of data
breaches disclosed immediately by registries and registrars even if local
laws do not require public reporting of intrusions.   And if security of
the data from intrusion is part of the contract then auditing and enforcement
of data security practices directly by ICANN should be incorporated for
users' protection.

If the registry or registrar contracts out proxy services, then the
registry or registrar should be required to have that proxy service make
themselves subject to ICANN policies through direct agreement with ICANN
along with auditing and verification of security as well.  If the registrar
or registry goes belly-up then ICANN needs to step in immediately and see
that the data stays protected.   This should also be required of archiving/
backup/escrow services.

It may be just conspiracy theories, but if state actors and powerful criminal
elements can penetrate any conceivable defenses, then any ICANN policies are
really ultimately ineffective if the data is collected at all.   So I agree
that minimum data for current purposes must be part of the policy, not the
traditional WHOIS menu -- because shouldn't employees (technical and
administrative contacts) have the same protection as the owner of the domain?

Thanks for the great work of our representatives on the policy forming
areas of ICANN and for the informative comments on the mailing list.

-ron wickersham
