Here’s what ICANN’s boss is saying about Whois access now

Kevin Murphy, October 4, 2018, 00:20:39 (UTC), Domain Policy

Should ICANN become the sole source for looking up private domain registrant data? That’s one of the options for the post-GDPR world of Whois currently being mulled over on Waterfront Drive.
ICANN CEO Goran Marby laid out some of ICANN’s current thinking on the future of Whois last week at an occasionally combative meeting in Los Angeles.
One idea would see ICANN act as a centralized gatekeeper for all Whois data. Another could risk ICANN becoming much more tightly controlled by governments.
I’ve listened to the recordings, read the transcripts, chatted to participants, and I’m going to attempt to summarize what I believe is the current state of play.
As regular DI readers know, post-GDPR Whois policy is currently being debated to a tight deadline by an Expedited Policy Development Process working group.
The work has been a tough slog, and there seems to be little hope of the EPDP closing all of its outstanding issues before its first conclusions are due, less than three weeks from now.
One of the outstanding issues not yet addressed in any depth by the group is the potential creation of a “unified access model” — a standardized way cops, trademark owners, cybersecurity professionals and others could look at the same Whois data they could look at just a few months ago.
While the EPDP has carried on deferring discussion of such a model, ICANN Org has in parallel been beavering away trying to figure out whether it’s even going to be legally possible under the new European privacy law to open up Whois data to the people who want to see it, and it’s come up with some potentially game-changing ideas.
After weeks of conference calls, the EPDP working group — made up of 30-odd volunteers from all sections of the ICANN community — met in LA for three days last week to get down to some intensive face-to-face arguments.
I gather the meeting was somewhat productive, but it was jolted by the publication of an ICANN blog post in which Marby attempted to update the community on ICANN’s latest efforts to get clarity on how GDPR legally interacts with Whois.
Marby wrote that ICANN “wants to understand whether there are opportunities for ICANN, beyond its role as one of the ‘controllers’ with respect to WHOIS or its contractual enforcement role, to be acknowledged under the law as the coordinating authority of the WHOIS system.”
What did ICANN mean by this? While “controller” is a term of art defined in mind-numbing detail by the GDPR, “coordinating authority” is not. So ICANN’s blog post was open to interpretation.
It turns out I was not the only person confused by the post, and on Tuesday afternoon last week somebody from the EPDP team collared Marby in the corridor at ICANN HQ and dragged him into the meeting room to explain himself.
He talked with them for about an hour, but some attendees were still nonplussed — some sounded downright angry — after he left the room.
This is what I gleaned from his words.
No End-Runs
First off, Marby was at pains to point out, repeatedly, that ICANN is not trying to bypass the community’s Whois work.
It’s up to the community — currently the EPDP working group, and in a few weeks the rest of you — to decide whether there should be a unified access model for Whois, he explained.
What ICANN Org is doing is trying to figure out whether a unified access model would even be legal under GDPR and how it could be implemented if it is legal, he said.
“If the community decides we should have a policy about a unified access model, that’s your decision,” he told the group. “We are trying to figure out the legal avenues if it’s actually possible.”
He talked about this to persons unknown at the European Commission in Brussels last month.
Whatever ICANN comes up with would merely be one input to the community’s work, he said. If it discovers that a unified access model would be totally illegal, it will tell the community as much.
Marby said ICANN is looking for “a legal framework for how can we diminish the contracted parties’ legal responsibility” when it comes to GDPR.
So far, it’s come up with three broad ideas about how this could happen.
The Certification Body Idea
GDPR sections 40 to 43 talk about the concepts of “codes of conduct” and “certification bodies”.
It’s possible that ICANN was referring to the possibility of itself becoming a certification body when it blogged about being a “coordinating authority”. Marby, during the EPDP meeting, unhelpfully used the term “accreditation house”.
These hypothetical entities (as far as I know none yet exist) would be approved by either national data protection authorities or the pan-EU European Data Protection Board to administer certification schemes for companies that broadly fall into the same category of data processing businesses.
It seems to be tailor-made for ICANN (though it wasn’t), which already has accreditation of registries and registrars as one of its primary activities.
But this legal avenue does not appear to be a slam-dunk. ICANN would presumably have to persuade a DPA or two, or the EDPB, that giving third parties managed access to citizens’ private data is a good thing.
You’d think that DPAs would be dead against such an idea, but the EU members of ICANN’s Governmental Advisory Committee have put their names to advice stating that Whois should remain accessible under certain circumstances, so it’s not impossible they could see it ICANN’s way.
The C.R.A.P. Idea
Marby’s second idea for taking some of the GDPR burden off the shoulders of contracted parties is to basically make ICANN a proxy, or man-in-the-middle, for Whois queries.
“What would happen if ICANN Org legally is the only place you can ask a question through?” he said. “And the only ones that the contracted parties actually can answer a question to would be ICANN Org? Would that move the legal responsibility away from the contracted parties to ICANN Org?”
In many ways, this is typical domain industry tactics — if there’s a rule you don’t want to follow, pass it off to a proxy.
This model was referred to during the session by EPDP members as the “hub and spoke” or “starfish”. I think the starfish reference might have been a joke.
Marby, in a jocular callback to the “Calzone” and “Cannoli” Whois proposals briefly debated in the community earlier this year, said that this model had a secret ICANN-internal code-name that is “something to do with food”.
Because whenever I’ve tried to coin a phrase in the past it has never stuck, I figure this time I may as well go balls-out and call it the “Cuisine-Related Access Plan” for now, if for no other reason than the acronym will briefly annoy some readers.
Despite the name I’ve given it, I don’t necessarily dislike the idea.
It seems to be inspired by, or at least informed by, side-channel communications between Marby and the Intellectual Property Constituency and Business Constituency, which are both no doubt mightily pissed off that the EPDP has so far proven surprisingly resilient to their attempts to get Whois access into the policy discussions as early as possible.
Two months ago, a few influential IP lawyers proposed to Marby (pdf) a centralized Whois model in which registrars collect data from registrants then pass it off to ICANN, which would be responsible for deciding who gets to see it.
Forget “thin” versus “thick” Whois — this one would be positively, arguably dangerously, obese. Contracted parties would be relegated to “processors” of private data under GDPR, with ICANN the sole “controller”.
Benefits of this would include, these lawyers said, reducing contracted parties’ exposure to GDPR.
It’s pretty obvious why the IP lobby would prefer this — ICANN is generally much more amenable to its demands than your typical registry or registrar, and it would very probably be easier to squeeze data out of ICANN.
While Marby specifically acknowledged that ICANN has taken this suggestion as one of its inputs — and has run it by the DPAs — he stopped well short of fully endorsing it during last week’s meeting in LA.
He seemed to instead describe a system whereby ICANN acts as the gatekeeper to the data, but the data is still stored and controlled at the registry or registrar, saying: “We open a window for access to the data so the data is still at the contracted parties because they use that data for other reasons as well”.
The Insane Idea
The third option, which Marby seemed to characterize as the least “sane” of the three, would be to have Whois access recognized by law as a public interest, enabling the Whois ecosystem to basically ignore GDPR.
Remember, back on GDPR Day, I told you about how the .dk ccTLD registry is carrying on publishing Whois as normal because a Danish law specifically forces it to?
Marby’s third option seems to be a little along those lines. He specifically referred to Denmark and Finland (which appears to have a similar rule in place) during the LA session.
If I understand correctly, it seems there’d have to be some kind of “legal action” in the EU — either legislation in a member state, or perhaps something a little less weighty — that specifically permitted or mandated the publication of otherwise private Whois data in gTLD domains.
Marby offered trademark databases and telephone directories as examples of data sets that appear to be exempt from GDPR protection due to preexisting legislation.
One problem with this third idea, some say, is that it could bring ICANN policy under the direct jurisdiction of a single nation state, something that it had with the US government for the best part of two decades and fought hard to shake off.
If ICANN was given carte blanche to evade GDPR by a piece of legislation in, say, Lithuania, would not ICANN and its global stakeholders forever be slaves to the whims of the Lithuanian legislature?
And what if that US bill granting IP interests their Whois wet dream passes onto the statute books and ICANN finds itself trapped in a jurisdictional clusterfuck?
Oh, my.
Fatuous Conclusion For The Lovely People Who Generously Bothered To Read To The End
I’m not a lawyer, so I don’t pretend to have a comprehensive understanding of any of this, but to be honest I’m not convinced the lawyers do either.
If you think you do, call me. I want to hear from you. I’m “domainincite” on Skype. Cheers.


Comments (1)

  1. Tripoli says:

    What a complete f&@$:ng mess ICANN staff and Board have put themselves in.
    Zero planning, zero foresight and zero creativity on how to resolve an issue
    Of course not one person at ICANN will be held accountable and the semi-annual bonus payments at 100% of target will be paid to all
