Some thoughts on this policy after reading more about it:
1. The policy was made because ICANN is concerned about registrant information accuracy, along with domain name hijacking. But how is making it harder to update your WHOIS information going to make WHOIS more accurate? It seems more likely to be a deterrent for domain owners, and prevent them from updating WHOIS, particularly if the WHOIS on file is invalid, which makes it difficult to update it:
The policy will create a catch-22 after it goes into effect, because it operates based on the assumption that all WHOIS records will be accurate and valid at that time (which they will not). After Dec 1, if somebody discovers that their WHOIS email is invalid, and they want to update it to a valid one, they can’t, because a valid email (and the approval from the owner of this email) is needed to do so. But you can’t supply a valid email, because to supply a valid email requires email verification through a valid email address. It’s a catch-22 situation.
2. It also creates another complication in terms of ownership for domain buyers. When you buy a domain, you pay for it, and it is transferred/pushed to you, and that’s the end of the transaction. With many registrars, WHOIS information is not automatically updated when you receive a new name, so technically the name is not yet yours at the moment it arrives in your account (seller is still listed in WHOIS as the registrant). However, under the current system, WHOIS and new registrant can easily be updated and saved, either automatically by the registrar when you receive the domain, or manually by yourself as soon as you get the domain into your account. In the future, WHOIS change and verification by both former and new registrant probably needs to be implemented as a compulsory step of every domain transfer, because a transfer that practically gave you ownership before will not automatically do so in the future, since compliance by the former registrant will not always be a given. This ICANN policy seems to assume that all former owners will readily approve any legitimate change to WHOIS later on, but that’s not always going to be the case.
3. Where this policy gets really strange is when it comes to how it offers registrars to deal with scenarios where WHOIS is invalid. ICANN is going to let registrants make changes by using an email or phone number NOT listed in the WHOIS (ICANN calls this “‘out of band’ authentication based on information that cannot be learned from within the registrar account or publicly available resources such as Whois”). This does not seem to be a required part of the policy, so I guess only some registrars will offer it. A registrar can use your phone number, which is not listed in WHOIS, and authorize a change by “calling or sending an SMS to the Registered Name Holder's telephone number providing a unique code that must be returned in a manner designated by the Registrar”. OpenSRS says that, if WHOIS email is invalid or you don’t have access to it, “your domain provider can explicitly send a link via SMS to the phone number that they have on file. This will allow you to approve the change of registrant request.” If it’s going to be that easy to bypass the procedures introduced by this policy, what’s the point of having such a cumbersome system implemented in the first place?
4. It seems that ICANN has not specified how to deal with disputes that arise from former registrants explicitly rejecting registrant changes. For example, I have sold a number of domains where my name and email are still listed in WHOIS. After December 1, if the new owners try to update WHOIS, and I reject this, will it be impossible for them to ever update WHOIS? Can I hold the names hostage forever after December 1? The problem here is not about invalid WHOIS email, because here the person listed in WHOIS explicitly rejects these updates (it would be a case where “Change of Registrant was not properly authorized by the Prior Registrant”). However, letting the new owner bypass this would, it seems, invalidate the whole system, but not letting such changes happen would be a serious obstacle to rightful ownership change and correct WHOIS. ICANN seems to operate on the assumption that all former registrants will be compliant and accommodating to rightful WHOIS changes later on, but not all former registrants are going to behave in this way, and this policy does not outline how such disputes should be handled. What if the person listed in WHOIS is a disgruntled employee who was fired, and who refuses to approve the WHOIS update when the company tries to update WHOIS to list themselves as the owner?
5. Registrars who integrate the "Designated Agent" option into their transfer/push process will probably be able to implement this policy in a way that causes minimum inconvenience to users. But if both the former and new registrant can opt into this permanently with a click, it seems like it could undermine the purpose of the policy.
6. Popular registrars like NameSilo, DynaDot, GD, NameCheap, NameBright, etc. are going to be able to implement this policy, but there are hundreds of tiny, obscure, outdated, and hardly functioning registrars, with virtually no support out there too (like some of the horrendous registrars you occasionally get when you buy domains through SnapNames). Just getting a name transferred away from these registrars under the current system can be incredibly difficult, and I don’t see how these registrars are going to be able to implement and enforce all these changes, and deal with invalid WHOIS info disputes and other issues that will accompany this policy.
7. This policy should not have an impact on expired domain marketplaces, because registrars can change WHOIS without the consent of the registrant, after “the domain name registration agreement has expired, and the Registered Name Holder no longer has the right to renew or transfer the domain name to another registrar”.
The policy uses quite ambiguous language at times, and the policy as outlined by ICANN and how it is explained by OpenSRS contain several discrepancies. I have likely misunderstood certain parts of it (so please correct me if I draw any wrong conclusions above).
This seems like a policy that has been designed by someone who has not considered the process of domain transfers and registrant changes in the context of the domain industry, but solely with a focus on certain aims (accurate WHOIS, prevention of domain name hijacking), and without fully considering how it will work with and negatively complicate currently established processes.