Latest news of the domain name industry

Recent Posts

How ICANN thinks YOU could get full Whois access

Kevin Murphy, June 20, 2018, 14:14:31 (UTC), Domain Policy

With blanket public Whois access now firmly a thing of the past due to GDPR, ICANN has set the ball rolling on an accreditation system that would reopen the data doors to certain select parties.

The org yesterday published a high-level framework document for a “Unified Access Model” that could give Whois access to approved users such as police, lawyers, and even common registrants.

It contains many elements that are sure to be controversial, such as paying fees for Whois access, the right of governments to decide who gets approved, and ICANN’s right to see every single Whois query carried out under the program.

It’s basically ICANN’s attempt to frame the conversation about Whois access, outlining what it expects from community members such as registries and registrars, governments and others.

It outlines a future in which multiple “Authenticating Bodies” would hand out credentials (either directly or via referral to a central authority) to parties they deem eligible for full Whois access.

These Authenticating Bodies could include entities such as WIPO or the Trademark Clearinghouse for trademark lawyers and Interpol or Europol for law enforcement agencies.

Once suitably credentialed, Whois users would either get unexpurgated Whois access or access to only fields appropriate to their stated purpose. That’s one of many questions still open for discussion.

There could be fees levied at various stages of the process, but ICANN says there should be a study of the financial implications of the model before a decision is made.

Whois users would have to agree to a code of conduct specific to their role (cop, lawyer, registrant, etc) that would limit how they could use the data they acquire.

Additionally, registrars and registries would have to log every single Whois query and hand those logs over to ICANN for compliance and audit purposes. ICANN said:

based on initial discussions with members of the Article 29 Working Party, ICANN proposes that registry operators and registrars would be required to maintain audit logs of domain name queries for non-public WHOIS data, unless logging a particular entry is contrary to a relevant court order. The logs would be available to ICANN org for audit/compliance purposes, relevant data protection authorities, the registrant, or pursuant to a court order.

On the higher-level question of who should be given the keys to the new gates Whois — it’s calling them “Eligible User Groups” — ICANN wants to outsource the difficult decisions to either governments or, as a backstop, the ICANN community.

The proposal says: “Eligible User Groups might include intellectual property rights holders, law enforcement authorities, operational security researchers, and individual registrants.”

It wants the European Economic Area members of its Governmental Advisory Committee, and then the GAC as a whole, to “identify or facilitate identification of broad categories” of eligible groups.

ICANN’s next public meeting, ICANN 62, kicks off in Panama at the weekend, so the GAC’s next formal communique, which could address this issue, is about a week away.

ICANN also wants the GAC to help it identify potential Authenticating Bodies that would hand out credentials.

But the GAC, in its most recent communique, has already declined such a role, saying in March that it “does not envision an operational role in designing and implementing the proposed accreditation programs”.

If it sticks with that position, ICANN says it will turn to the community to have this difficult conversation.

It notes specifically the informal working group that is currently developing a “community” Accreditation & Access Model For Non-Public WHOIS Data.

This group is fairly controversial as it is perceived by some, fairly I think, as being dominated by intellectual property interests.

The group’s draft model is already in version 1.6 (pdf), and at 47 pages is much more detailed than ICANN’s proposal, but its low-traffic mailing list has almost no contracted parties on board and the IP guys are very decidedly holding the pen.

There’s also a separate draft, the Palage Differentiated Registrant Data Access Model (or “Philly Special”) (Word doc), written by consultant Michael Palage, which has received even less public discussion.

ICANN’s proposal alludes to these drafts, but it does not formally endorse either as some had feared. It does, however, provide a table (pdf) comparing its own model to the other two.

What do not get a mention are the access models already being implemented by individual registrars.

Notably, Tucows is ready to launch TieredAccess.com, a portal for would-be Whois users to obtain credentials to view Tucows-managed Whois records.

This system grants varying levels of access to “law enforcement, commercial litigation interests, and security researchers”, with law enforcement given the highest level of access, Tucows explained in a blog post yesterday.

That policy is based on the GDPR principle of “data minimization”, which is the key reason it’s currently embroiled in an ICANN lawsuit (unrelated to accreditation) in Germany.

Anyway, now that ICANN has published its own starting point proposal, it is now expected that the community will start to discuss the draft in a more formal ICANN setting. There are several sessions devoted to GDPR and Whois in Panama.

ICANN also expects to take the proposal to the European Data Protection Board, the EU committee of data protection authorities that replaced the Article 29 Working Party when GDPR kicked in last month.

However, in order for any of this to become binding on registries and registrars it will have to be baked into their contracts, which will mean it going through the regular ICANN policy development process, and it’s still not clear how much enthusiasm there is for that step happening soon.

Tagged: , , , ,

Add Your Comment