Latest news of the domain name industry

Recent Posts

Marby ponders emergency powers to avoid fragmented Whois

Kevin Murphy, April 4, 2018, 07:36:04 (UTC), Domain Policy

ICANN could invoke emergency powers in its contracts to prevent Whois becoming “fragmented” after EU privacy laws kick in next month.
That’s a possibility that emerged during a DI interview with ICANN CEO Goran Marby yesterday.
Marby told us that he’s “cautiously optimistic” that European data protection authorities will soon provide clear guidance that will help the domain industry become compliant with the General Data Protection Regulation, which becomes fully effective May 25.
But he said that a lack of such guidance will lead to a situation where different companies provide different levels of public Whois.
“It’s a a high probability that Whois goes fragmented or that Whois will be in a sort of ‘thin’ model in which very little information is collected and very little information is displayed,” he said. “That’s a sort of worst-case scenario.”
I should note that the interview was conducted yesterday before news broke that Afilias has become the first major gTLD registry to announce its Whois output will be essentially thin — eschewing all registrant contact data — from May 25.
Marby has asked European DPAs for two things.
First, guidance on whether its “Cookbook” proposal for a dramatically scaled-back, GDPR-compliant Whois is in fact GDPR-compliant.
Second, an enforcement moratorium while registries and registrars actually go about implementing the Cookbook.
“If we don’t get guidance that’s clear enough, we will see a fragmented Whois. If we get guidance that is clear enough we can work it out,” Marby said.
A moratorium could enable Whois to carry on in its current state, or something close to it, while ICANN goes about creating a new policy that fits with the DPA’s guidance.
If the DPAs refuse a moratorium, we’re looking at a black hole of indeterminate duration during which nobody — not even law enforcement or self-appointed trademark cops — can easily access full Whois records.
“It’s not something I can do anything about, it’s really in the hands of the DPAs,” Marby said. “Remember that it’s the law.”
While ICANN has expended most of its effort to date on creating a model for the public Whois, there’s a parallel effort to create an accreditation program that would enable organizations with “legitimate purposes” to access full, or at least more complete, Whois records.
It’s the IP lawyers that are driving this effort, primarily, terrified that their ability to hunt down cybersquatters and bootleggers will be diminished come May 25.
ICANN has so far resisted calls to endorse the so-called “Cannoli” draft accreditation model, with Marby publicly saying that it needs cross-community support.
But the organization has committed staff support resources to discussion of Cannoli. There’s a new mailing list and there will be a community conference call this coming Friday at 1400 UTC.
Marby said that he shares the worries of the IP community, adding: “If we get the proper guidance from the DPAs, we will know how to sort out the accreditation model.”
He met with the Article 29 Working Party, comprised of DPAs, last week; the group agreed to put Whois on its agenda for its meeting next week, April 10-11.
The fact that it’s up for discussion is what gives Marby his cautious optimism that he will get the guidance he needs.
Assuming the DPAs deliver, ICANN is then in the predicament of having to figure out a way to enforce, via its contracts, a Whois system that is compliant with the DPAs’ interpretation of GDPR.
Usually, this would require a GNSO Policy Development Process leading to a binding Consensus Policy.
But Marby said ICANN’s board of directors has other options, such as what he called an “emergency policy”.
This is a reference, I believe, to the “Temporary Policies” clauses, which can be found in the Registrar Accreditation Agreement and Registry Agreement.
Such policies can be mandated by a super-majority vote of the board, would have to be narrowly tailored to solve the specific problem at hand, and could be in effect no longer than one year.
A temporary policy could be replaced by a compatible, community-created Consensus Policy.
It’s possible that a temporary policy could, for example, force Afilias and others to reverse their plans to switch to thin Whois.
But that’s perhaps getting ahead of ourselves.
Fact is, the advice the DPAs provide following their Article 29 meeting next week is what’s going to define Whois for the foreseeable future.
If the guidance is clear, the ICANN organization and community will have their direction of travel mapped out for them.
If it’s vague, wishy-washy, and non-committal, then it’s likely that only the European Court of Justice will be able to provide clarity. And that would take many years.
And whatever the DPAs say, Marby says it is “highly improbable” that Whois will continue to exist in its current form.
“The GDPR will have an effect on the Whois system. Not everybody will get access to the Whois system. Not everybody will have as easy access as before,” he said.
“That’s not a bug, that’s a feature of the legislation,” he said. “That’s not ICANN’s fault, it’s what the legislator thought when it made this legislation. It is the legislators’ intention to make sure people’s data is handled in a different way going forward, so it will have an effect.”
The community awaits the DPAs’ guidance with baited breath.

Tagged: , , , , , ,

Comments (17)

  1. Jean Guillon says:

    “a black hole of indeterminate duration”? No worry, we’re used to this 🙂

  2. Volker Greimann says:

    Göran is absolutely right when he describes this as a feature, not a bug. This result was intended by legislators as data privacy rights have been ignored for too long by too many players.

    • gpmgroup says:

      What are most of the domain registrations for?
      The idea that the majority are for individuals to put up their own personal web pages is a naïve world view, it’s about as bright as putting up a cookie notice page on every website.
      If ICANN is not very careful there will be a loss of confidence in the domain name system then registration numbers will collapse.

      • Volker Greimann says:

        Nonsense. Whois – and the personal information contained therein – has nothing to do with confidence in the DNS. Confidence in the DNS is lost by man-in-the-middle-attacks, DDOSes and redirection attacks.
        Most regular users of the DNS (I am not specifying any specific subgroup, eh Graeme?) have never once looked at the whois and instead rely on the data on the website or references on other websites to tell them how trustworthy a certain operator is.

        • Charles Christopher says:

          >to tell them how trustworthy a certain operator is.
          You have it backwards.
          Its not about my confidence in someone else’s website.
          Its about my confidence to invest my time and effort to building a website that I can’t easily prove I OWN. The the confidence is in my retaining control and ownership.
          That this escapes peoples understanding is staggering.
          As a thought experiment, lets say all your “important records” are burned and lost. Remind me, why was it you considered them “important records”? It is because having them in your hand proved something important?

  3. Rubens Kuhl says:

    Even temporary policies can’t go against the law, so invoking them doesn’t solve the problem. Only clear cut determinations of what is lawful and what is not can achieve that, and in light of such determination, contracted parties won’t need any further guidance of what to do, they will follow the contracts to the maximum extent the law allows.

    • Kevin Murphy says:

      Will they?

      • Rubens Kuhl says:

        Yes, Compliance will make sure of that. The grey area now is exactly in defining what is the law; GDPR is both a shield and a sword. If there is no threat (sword) to do something specified in the contract, then contracted parties lose the shield to do things the way they choose.

    • Charles Christopher says:

      >go against the law
      Someone explain to me how it is that world borders are now out the window and being in the US I am now required to follow “the law” of another country?
      How is it the EU has now been lifted to definer of “the law” around the world?
      Welcome to world government and loss of individual sovereignty, not to mention property rights.
      At this moment I can’t think of a better why to have destroyed domain value, and the domain secondary market.
      While the context is domains, this will apply to other industries as well. In any case that a public document/registration has served to establish ownership, that proof of ownership has now been lost. Lets see what happens with land recorders around the world …. Or did they somehow get a pass on implementing this in their systems? If someone in the EU buys a home I’m my county will my county be liable for making that record public? Can I obtain EU citizenship and then use that to force my country records to hide my land ownership details thus preventing liens from being placed against my house? How about using EU citizenship to force the credit agencies to make all my records disappear, as this would be the ultimate in identity theft protection as my identity would no longer exists.
      Yeah, this is a great idea ….

      • Rubens Kuhl says:

        EU is not the first jurisdiction to apply its laws everywhere. Courts all over the world have prosecuted foreign citizens and corporations for a long time, the only difference in GDPR is in scale, not in principle.
        Land registries are specifically required under EU law to be public, if I recall correctly… so while people keep comparing domains to real estate, that does not hold when it comes to law. It suggests though that there are situations where the benefit of public record outweighs privacy rights, and getting EU legislators to pass something in that direction would solve lots of problems for a lot of people.

        • Charles Christopher says:

          >It suggests though that there are situations
          >where the benefit of public record outweighs
          >privacy rights,
          Says who? When and where did domain registrants get to have a say in the matter?

          “In a scam that authorities say has proliferated in recent years, Cleland fell victim to swindlers who used bogus quitclaim deeds to secretly strip her of the property, then sold the home to a Pembroke Pines investment firm.”
          “It’s just too easy to steal somebody’s property by filing a fraudulent quitclaim deed,” Miami-Dade Inspector General Mary Cagle told the Miami Herald”

  4. Theo Geurts says:

    The GDPR can be summed up in one word: responsibility.
    Privacy is about having control of your data.
    The current WHOIS is zero control.
    And that clashes in a hard way. But with the new fines, who is going to take that risk?

    • gpmgroup says:

      It isn’t about responsibility it is just the opposite! It is about not having to take responsibility in an exchange for a transfer of power and then expecting a whole bunch of other people to do the heavy lifting to mitigate the damage.

    • Charles Christopher says:

      >The current WHOIS is zero control.
      I’ve not had problems with it in 20 years.
      Its shown exactly what I put in there. And when I have clicked “privacy” its also shows exactly what I wanted.
      Are we even talking about the same thing?

  5. Theo Geurts says:

    UN artilce 12
    It is in the ICANN bylaws.

    • Charles Christopher says:

      Not Civil Law, not Criminal, and not Legislative Law. Not any law that I have a say in or have the ability to vote on those creating these pretty pieces of paper with pretty writing on them.
      Where any bureaucrat gets to craft a pretty piece of paper with pretty writing and the world is required to follow it.
      Ok so lets try a thought experiment. I hope it has not escaped anyones noticed that China is particularly intrusive regarding its citizens. So we are ignoring the fact that we can’t serve two masters, and now the EU overrules my US laws/rights. What happens if China passes “a law” that has the same penalties for NOT providing full whois without and the ability to use privacy?
      Do I flip a coin, or can I say, I live in the US and that is not law here. The issue of the US gov not telling the EU to fly a kite has not escaped my notice.
      I hope people understand that in the case of domain names the GDPR is destroying rights not enhancing them in any way.
      Anybody that wanted to hide their whois can select privacy whois. Its been that way for about 16 years. Not if you want to use the Whois to protect yourself you can’t. No where in GDPR does it say I am not allowed to display me whois if I want to. But this is where everyone has decided to go.

  6. Barry Shein says:

    Put the WHOIS information into the DNS, possibly as a new RR (optional.)
    That puts the information entirely under the domain owner’s control.
    Then registries/registrars/ICANN can manage domain registration information according to generally accepted business practices independent of WHOIS.

Add Your Comment