'Relays' isn't a big deal. In fact, it was already a requirement for registrars to deal with registrants in the first place. After all, registrars were required to send out WDRP notices and potentially schedule a domain for deletion if those emails bounced. Moreover, registrars required valid email addresses so that domain transfers could take place and, also, so that people could be billed.
'Relays' requires that email forwarding works on the provider's side when WHOIS privacy is in place. There are other complicating factors that can cause issues here, such as SPF records for the domain that don't mention the forwarding mailserver, but that's really it.
'Reveal' is a consequence of the situation with third-party WHOIS privacy services being normalised. Up until now, you were effectively in breach of your contract with ICANN as a registrant if you used a third-party WHOIS privacy/proxy service because the registrar had invalid contact details for the registrant.
'Reveal' does not mean that just anybody will be able to ask or demand that the provider disclose the contact details behind a private registration. Most registrars have LEA liaisons who they use to validate that a request from a law-enforcement agency is genuine. If we get a legal demand to disclose details, that goes straight to our solicitors, and we would only reveal them if there's a genuine legal reason for doing so. Any other requests are invalid and, at least here in the EU, giving out the contact details of a proxy registration would be against data protection law. So no, the argument that this would be a conduit for doxxing isn't a valid one. The exact baseline requirements for the reveal process haven't been locked down yet, but they will likely be similar to what I've outlined.
You see, both of these processes are already mandatory based on other parts of the registrar-registrant relationship and existing legal requirements. The difference is that it wasn't explicitly formalised and non-registrar WHOIS privacy was a massive grey area.
I'm generally supportive of privacy providers being required to forward important communication to the registrant. I hope the finalized requirements will be sensible, and I hope there will be no attempts to equate contacting the privacy provider with having given registrants sufficient legal notice.
I, like most people, live outside the EU and lack experience with EU privacy protection laws. So it is difficult to evaluate your optimism.
Here in the USA, for example, we'd be concerned about not only LEA requests but also requests by individuals and corporations. We just don't have privacy laws that are sufficient to protect against inappropriate disclosures to such parties.
Here, and in many other places I suspect, the best case would be privacy providers voluntarily adhering to a standard where they refuse to disclose registrant information to any party unless compelled to do so by law. If language like "Disclosure cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena;" remains in the final cut, privacy providers won't be able to do this and remain accredited.
If you think this is bad, just be happy that you don't live in Germany, Switzerland, or Austria: https://en.wikipedia.org/wiki/Impressum