Three ways ICANN could gut Whois

Kevin Murphy, January 15, 2018, 13:02:19 (UTC), Domain Policy

ICANN has published three possible models of how Whois could be altered beyond recognition after European privacy law kicks in this May.

Under each model, casual Whois users would no longer have access to the wealth of contact information they do under the current system.

There may also be a new certification program that would grant access to full Whois records to law enforcement, consumer protection agencies and intellectual property interests.

The three models are each intended to address the General Data Protection Regulation, EU law that could see companies fined millions if they fail to protect the personal data of European citizens.

While GDPR affects all data collection on private citizens, for the domain name industry it’s particularly relevant to Whois, where privacy has always been an afterthought.

The three ICANN models, which are now subject to a short public comment period, differ from each other in three key areas: who has their privacy protected, which fields appear in public Whois by default, and how third parties such as law enforcement access the full records.

Model 1 is the most similar to the current system, allowing for the publication of the most data.

Under this model the name and postal address of the registrant would continue to be displayed in the public Whois databases.

Their email address and phone number would be protected, but the email and phone of the administrative and technical contacts — often the same person as the registrant — would be published.

If the registrant were a legal entity, rather than a person, all data fields would continue to be displayed as normal.

The other two models call for more restricted, or at least different, public output.

Under Model 2, the email addresses of the administrative and technical contacts would be published, but all other contact information, including the name of the registrant, would be redacted.

Model 3 proposes a crazy-sounding system whereby everything would be published unless the registrar/registry decided, on a domain-by-domain basis, that the field contained personal information.

This would require manual vetting of each Whois record and is likely to gather no support from the industry.

The three models also differ in how third parties with legitimate interests would access full Whois records.

Model 1 proposes a system similar to how zone files are published via ICANN’s Centralized Zone Data Service.

Under this model, users would self-certify that they have a legit right to the data (if they’re a cop or an IP lawyer, for example) and it would be up to the registry or registrar to approve or decline their request.

Model 2 envisages a more structured, formal, centralized system of certification for Whois users, developed with the Governmental Advisory Committee and presumably administered by ICANN.

Model 3 would require Whois users to supply a subpoena or court order in order to access records, which is sure to make it unpopular among the IP lobby and governments.

Each of the three models also differs in terms of the circumstances under which privacy is provided.

The models range from protecting records only when the registrant, registry, registrar or any other entity involved in the data processing has a presence in the European Economic Area to protecting records of all registrants everywhere regardless of whether they’re a person or a company.

Each model has different data retention policies, ranging from six months to two years after a registration expires.

None of the three models screw with registrars’ ability to pass data to thick-Whois registries, nor to their data escrow providers.

ICANN said it’s created these models based on the legal analyses it commissioned from the Hamilton law firm, as well as submissions from community members.

One such submission, penned by the German trade association Eco, has received broad industry support.

It would provide blanket protection to all registrants regardless of legal status or location, and would see all personally identifiable information stripped from public Whois output.

Upon carrying out a Whois query, users would see only information about the domain, not the registrant.

There would be an option to request more information, but this would be limited to an anonymized email address or web form for most users.

Special users, such as validated law enforcement or IP interests, would be able to access the full records via a new, centralized Trusted Data Clearinghouse, which ICANN would presumably be responsible for setting up.

It’s most similar to ICANN’s Model 2.

It has been signed off by registries and registrars together responsible for the majority of the internet’s domain registrations: Afilias, dotBERLIN, CentralNic, Donuts, Neustar, Nominet, Public Interest Registry (PIR), Verisign, 1&1, Arsys, Blacknight, GoDaddy, Strato/Cronon, Tucows and United Domains.

ICANN said in a blog post that its three models are now open for public comment until January 29.

If you have strong opinions on any of the proposals, it might be a good idea to get them in as soon as possible, because ICANN plans to identify one of the models as the basis for the official model within 48 hours of the comment period closing.

Comments (2)

  1. JZ says:

    model 1 sounds ok. the rest..not so much.
