Latest news of the domain name industry

Recent Posts

Marby ponders emergency powers to avoid fragmented Whois

Kevin Murphy, April 4, 2018, Domain Policy

ICANN could invoke emergency powers in its contracts to prevent Whois becoming “fragmented” after EU privacy laws kick in next month.

That’s a possibility that emerged during a DI interview with ICANN CEO Goran Marby yesterday.

Marby told us that he’s “cautiously optimistic” that European data protection authorities will soon provide clear guidance that will help the domain industry become compliant with the General Data Protection Regulation, which becomes fully effective May 25.

But he said that a lack of such guidance will lead to a situation where different companies provide different levels of public Whois.

“It’s a a high probability that Whois goes fragmented or that Whois will be in a sort of ‘thin’ model in which very little information is collected and very little information is displayed,” he said. “That’s a sort of worst-case scenario.”

I should note that the interview was conducted yesterday before news broke that Afilias has become the first major gTLD registry to announce its Whois output will be essentially thin — eschewing all registrant contact data — from May 25.

Marby has asked European DPAs for two things.

First, guidance on whether its “Cookbook” proposal for a dramatically scaled-back, GDPR-compliant Whois is in fact GDPR-compliant.

Second, an enforcement moratorium while registries and registrars actually go about implementing the Cookbook.

“If we don’t get guidance that’s clear enough, we will see a fragmented Whois. If we get guidance that is clear enough we can work it out,” Marby said.

A moratorium could enable Whois to carry on in its current state, or something close to it, while ICANN goes about creating a new policy that fits with the DPA’s guidance.

If the DPAs refuse a moratorium, we’re looking at a black hole of indeterminate duration during which nobody — not even law enforcement or self-appointed trademark cops — can easily access full Whois records.

“It’s not something I can do anything about, it’s really in the hands of the DPAs,” Marby said. “Remember that it’s the law.”

While ICANN has expended most of its effort to date on creating a model for the public Whois, there’s a parallel effort to create an accreditation program that would enable organizations with “legitimate purposes” to access full, or at least more complete, Whois records.

It’s the IP lawyers that are driving this effort, primarily, terrified that their ability to hunt down cybersquatters and bootleggers will be diminished come May 25.

ICANN has so far resisted calls to endorse the so-called “Cannoli” draft accreditation model, with Marby publicly saying that it needs cross-community support.

But the organization has committed staff support resources to discussion of Cannoli. There’s a new mailing list and there will be a community conference call this coming Friday at 1400 UTC.

Marby said that he shares the worries of the IP community, adding: “If we get the proper guidance from the DPAs, we will know how to sort out the accreditation model.”

He met with the Article 29 Working Party, comprised of DPAs, last week; the group agreed to put Whois on its agenda for its meeting next week, April 10-11.

The fact that it’s up for discussion is what gives Marby his cautious optimism that he will get the guidance he needs.

Assuming the DPAs deliver, ICANN is then in the predicament of having to figure out a way to enforce, via its contracts, a Whois system that is compliant with the DPAs’ interpretation of GDPR.

Usually, this would require a GNSO Policy Development Process leading to a binding Consensus Policy.

But Marby said ICANN’s board of directors has other options, such as what he called an “emergency policy”.

This is a reference, I believe, to the “Temporary Policies” clauses, which can be found in the Registrar Accreditation Agreement and Registry Agreement.

Such policies can be mandated by a super-majority vote of the board, would have to be narrowly tailored to solve the specific problem at hand, and could be in effect no longer than one year.

A temporary policy could be replaced by a compatible, community-created Consensus Policy.

It’s possible that a temporary policy could, for example, force Afilias and others to reverse their plans to switch to thin Whois.

But that’s perhaps getting ahead of ourselves.

Fact is, the advice the DPAs provide following their Article 29 meeting next week is what’s going to define Whois for the foreseeable future.

If the guidance is clear, the ICANN organization and community will have their direction of travel mapped out for them.

If it’s vague, wishy-washy, and non-committal, then it’s likely that only the European Court of Justice will be able to provide clarity. And that would take many years.

And whatever the DPAs say, Marby says it is “highly improbable” that Whois will continue to exist in its current form.

“The GDPR will have an effect on the Whois system. Not everybody will get access to the Whois system. Not everybody will have as easy access as before,” he said.

“That’s not a bug, that’s a feature of the legislation,” he said. “That’s not ICANN’s fault, it’s what the legislator thought when it made this legislation. It is the legislators’ intention to make sure people’s data is handled in a different way going forward, so it will have an effect.”

The community awaits the DPAs’ guidance with baited breath.

ICANN chief begs privacy watchdogs for Whois advice

Kevin Murphy, March 28, 2018, Domain Policy

ICANN CEO Goran Marby has written to the data protection authorities of all 28 European Union states, along with the European Data Protection Supervisor, to ask for guidance on how to implement new privacy laws.

Marby also asked the DPAs about the possibility of an enforcement moratorium, to give the domain industry and ICANN more time to formulate their collective response to the General Data Protection Regulation.

GDPR, which aims to give EU citizens more control over their personal data, comes into full effect May 25. Companies that break the rules face fines that could amount to millions of euros.

But ICANN does not yet have a firm plan for bringing the distributed Whois system into compliance with GDPR, and has repeatedly indicated that it needs guidance from European DPAs.

“ICANN and more than a thousand of the domain names registries and registrars are at a critical juncture,” Marby wrote (pdf).

“We need specific guidance from European data protection authorities in order to meet the needs of the global internet stakeholder community, including governments, privacy authorities, law enforcement agencies, intellectual property holders, cybersecurity experts, domain name registries, registrars, registrants and ordinary internet users,” he wrote.

ICANN has already written a proposal — known as the “Cookbook” and sent to DPAs three weeks ago — for how gTLD registrars and registries could comply with GDPR by removing most fields from public Whois records.

But Marby’s letter points out that many ICANN community members think the Cookbook either goes too far or not far enough.

As we reported a week ago, the Governmental Advisory Committee and Intellectual Property Constituency are not convinced ICANN needs to chop quite as much info from the public Whois as it’s currently planning.

But on the flipside, there are privacy advocates who think far less data should be collected on registrants and fundamentally question ICANN’s power to mandate public Whois access in its registry and registrar contracts.

Both sides of the debate are referenced in the letter.

“Guidance from DPAs on ICANN’s plan of action as presented in the Cookbook, and in particular, the areas where there are competing views, is critical as soon as possible, but particularly during the next few weeks,” Marby wrote.

Whether ICANN will get the answers it needs on the timetable it needs them is open to debate.

Many community members expressed skepticism about whether the DPAs’ commitment to the urgency of the issue matches ICANN’s own, during ICANN 61 earlier this month.

There seemed to be little confidence that the DPAs’ responses, should ICANN receive any, will provide the clarity the industry needs.

It may also be bad timing given the unrelated Cambridge Analytica/Facebook scandal, which appears to be consuming the attention of some European DPAs.