Mediators hired as Whois reformers butt heads
ICANN has hired professional mediators to help resolve strong disagreements in the working group tasked with reforming Whois for the post-GDPR world.
Kurt Pritz, chair of the Expedited Policy Development Process for Whois, last week told the group that ICANN has drafted in the Consensus Building Institute, with which it has worked before, to help “narrow issues and reach consensus”.
Three CBI mediators will brief the EPDP group today, and join them when the WG meets face-to-face for the first time at a three-day session in Los Angeles later this month.
Their goal is not to secure any particular outcome, but to help the disparate viewpoints find common ground, Pritz told the group.
It’s been Pritz’s intention to get the mediators in since day one — he knew in advance how divisive Whois policy is — but it’s taken until now to get the contracts signed.
The EPDP WG’s job is to create a new, privacy-conscious, consensus Whois policy that will apply to all gTLD registries and registrars. Its output will replace ICANN’s post-GDPR Temporary Specification for Registration Data, which in turn replaced the longstanding Whois policy attached to all ICANN registry and registrar contracts.
Since the working group first convened in early August — about 500 emails and 24 hours of painful teleconferences ago — common ground has been hard to find, and in fact the EPDP group did not even attempt to find consensus for the first several weeks of discussions.
Instead, they worked on its first deliverable, which was finalized last week, a “triage report” that sought to compile each faction‘s opinion of each section of ICANN’s Temp Spec.
The idea seemed sensible at the time, but with hindsight it’s arguable whether this was the best use of the group’s time.
The expectation, I believe, was that opposing factions would at least agree on some sections of text, which could then be safely removed from future debate.
But what emerged instead was this, a matrix of disagreement in which no part of the Temp Spec did not have have at least one group in opposition:
The table is potentially misleading, however. Because groups were presented with a binary yes/no option for each part of the spec, “no” votes were sometimes recorded over minor language quibbles where in fact there was agreement in principle.
By restricting the first few weeks of conversation to the language of the Temp Spec, the debate was arguably prematurely hamstrung, causing precious minutes to trickle away.
And time is important — the EPDP is supposed to deliver its consensus-based Initial Report to the ICANN 63 meeting in Barcelona about five weeks from now.
That’s going to be tough.
What’s becoming increasingly clear to me from the post-triage talks is that the WG’s task could be seen as not much less than a wholesale, ground-up, reinvention of the Whois wheel, recreated with GDPR as the legal framework.
Who is Whois for?
Discussions so far have been quite mind-expanding, forcing some fundamental rethinking of long-held, easy assumptions, at least for this lurker. Here’s an example.
One of the fundamental pillars of GDPR is the notion of “purposes”. Companies that collect private data on individuals have to do so only with specific, enumerated purposes in mind.
The WG has started by discussing registrars. What purpose does a registrar have when it collects Whois data from its registrants?
None whatsoever, it was claimed.
“To execute the contract between the registrant and the registrar, it’s really not necessary for registrars to collect any of this information,” GoDaddy head of policy James Bladel, representing registrars, told the group on its latest call Thursday.
Registrars collect data on their customers (not just contact data, but also stuff like credit card details) for billing and support purposes, but this is not the same as Whois data. It’s stored separately and never published anywhere. While covered by GDPR, it’s not covered by Whois policy.
Whois data is only collected by registrars for third parties’ purposes, whether that third party be a registry, ICANN, a data escrow agent, a cop, or an intellectual property enforcer.
“Other than a few elements such as domain name servers, there is nothing that is collected in Whois that is needed for the registrar to do their business,” At-Large Advisory Committee chair Alan Greenberg told the WG. “All of them are being collected for their availability to third parties, should they need it.”
While this may seem like a trivial distinction, drawing a hard line between the purposes of registries, registrars and ICANN itself on the one hand and law enforcement, cybersecurity and IP lawyers on the other is one of the few pieces of concrete advice ICANN has received from European data protection regulators.
There’s by no means unanimous agreement that the registrars’ position is correct, but it’s this kind of back-to-basics discussion that makes me feel it’s very unlikely that the EPDP is going to be able to produce an Initial Report with anything more than middling consensus by the October deadline.
I may be overly pessimistic, but (mediators or no mediators) I expect its output will be weighted more towards outlining and soliciting public comment on areas of disagreement than consent.
And the WG has not yet even looked in depth at the far thornier issue of “access” — the policy governing when third parties such as IP lawyers will be able to see redacted Whois data.
Parties on the pro-access side of the WG have been champing at the bit to bring access into the debate at every opportunity, but have been
Hey, look, a squirrel!
The WG has also been beset by its fair share of distractions, petty squabbles and internal power struggles.
The issues of “alternates” — people appointed by the various constituencies to sit in on the WG sessions when the principles are unavailable — caused some gnashing of teeth, first over their mailing list and teleconference privileges and then over how much access they should get to the upcoming LA meeting.
Debates about GDPR training — which some say should have been a prerequisite to WG participation — have also emerged, after claims that not every participant appeared clued-in as to what the law actually requires. After ICANN offered a brief third-party course, there were complaints that it was inadequate.
Most recently, prickly Iranian GAC rep Kavouss Arasteh last week filed a formal Ombudsman complaint over a throwaway god-themed pun made by Non-Com Milton Mueller, and subsequently defended by fellow non-resident Iranian Farzaneh Badii, in the Adobe Connect chat room at the September 6 meeting.
Mueller has been asked to apologize.
If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.
An ombudsman complaint over something that does not even exist? What is next? Someone complaining because someone else disturbed a fairy circle or stole money from the tooth fairy?
It seems so simple to me. The registrars dont keep the data, because they dont need it. But the registry. And the registry needs to assign resources to manage the access.
Next to a transfer key you could also generate a whois access key for a specific domain. That registrars and the registry can give out for domains they control.
Who need access?
1. The domain owner
2. The former domain owner (for 60 days until after the transfer)
3. The former registrar (for 60 days)
4. The receiving registrar
5. Laywers on a per domain basis
6. law enforcement on a per domain basis
Anti-spam and security researchers can do research with hashes of user data, for the purpose of maintaining the stability of the internet.
Does a registry really need registrant data?
.COM seems to do rather well without for over 2 decades.
Agreed. Some registries might need data, like the ones from Validated TLDs, but most registries have no real use for registrant data.
This is perhaps true, but only for domains registered under gTLDs.
Many ccTLDs have contracts with their registrants (“the triangular model”) and accordingly absolutely need registrant data in order to know who they are in a legal agreement with.
As a general rule, ICANN Whois policy only applies to gTLDs.
Kevin:
Of course, but since many people outside the ccTLD world assume otherwise, it’s important to make the point that the word ‘registry’ is not co-terminous with ‘gTLD registry’.
The contractual situation is particularly noteworthy. Some ccTLDs do follow the gTLD ‘horizontal’ model. Many others have the triangular model.
And the relevant GDPR considerations are affected according.