Latest news of the domain name industry

Recent Posts

Here’s what ICANN’s boss is saying about Whois access now

Kevin Murphy, October 4, 2018, Domain Policy

Should ICANN become the sole source for looking up private domain registrant data? That’s one of the options for the post-GDPR world of Whois currently being mulled over on Waterfront Drive.

ICANN CEO Goran Marby laid out some of ICANN’s current thinking on the future of Whois last week at an occasionally combative meeting in Los Angeles.

One idea would see ICANN act as a centralized gatekeeper for all Whois data. Another could risk ICANN becoming much more tightly controlled by governments.

I’ve listened to the recordings, read the transcripts, chatted to participants, and I’m going to attempt to summarize what I believe is the current state of play.

As regular DI readers know, post-GDPR Whois policy is currently being debated to a tight deadline by an Expedited Policy Development Process working group.

The work has been a tough slog, and there seems to be little hope of the EPDP closing all of its outstanding issues before its first conclusions are due under three weeks from now.

One of the outstanding issues not yet addressed in any depth by the group is the potential creation of a “unified access model” — a standardized way cops, trademark owners, cybersecurity professionals and others could look at the same Whois data they could look at just a few months ago.

While the EPDP has carried on deferring discussion of such a model, ICANN Org has in parallel been beavering away trying to figure out whether it’s even going to be legally possible under the new European privacy law to open up Whois data to the people who want to see it, and it’s come up with some potentially game-changing ideas.

After weeks of conference calls, the EPDP working group — made up of 30-odd volunteers from all sections of the ICANN community — met in LA for three days last week to get down to some intensive face-to-face arguments.

I gather the meeting was somewhat productive, but it was jolted by the publication of an ICANN blog post in which Marby attempted to update the community on ICANN’s latest efforts to get clarity on how GDPR legally interacts with Whois.

Marby wrote that ICANN “wants to understand whether there are opportunities for ICANN, beyond its role as one of the ‘controllers’ with respect to WHOIS or its contractual enforcement role, to be acknowledged under the law as the coordinating authority of the WHOIS system.”

What did ICANN mean by this? While “controller” is a term of art defined in mind-numbing detail by the GDPR, “coordinating authority” is not. So ICANN’s blog post was open to interpretation.

It turns out I was not the only person confused by the post, and on Tuesday afternoon last week somebody from the EPDP team collared Marby in the corridor at ICANN HQ and dragged him into the meeting room to explain himself.

He talked with them for about an hour, but some attendees were still nonplussed — some sounded downright angry — after he left the room.

This is what I gleaned from his words.

No End-Runs

First off, Marby was at pains to point out, repeatedly, that ICANN is not trying to bypass the community’s Whois work.

It’s up to the community — currently the EPDP working group, and in a few weeks the rest of you — to decide whether there should be a unified access model for Whois, he explained.

What ICANN Org is doing is trying to figure out is whether a unified access model would even be legal under GDPR and how it could be implemented if it is legal, he said.

“If the community decides we should have a policy about a unified access model, that’s your decision,” he told the group. “We are trying to figure out the legal avenues if it’s actually possible.”

He talked about this to persons unknown at the European Commission in Brussels last month.

Whatever ICANN comes up with would merely be one input to the community’s work, he said. If it discovers that a unified access model would be totally illegal, it will tell the community as much.

Marby said ICANN is looking for “a legal framework for how can we diminish the contracted parties’ legal responsibility” when it comes to GDPR.

So far, it’s come up with three broad ideas about how this could happen.

The Certification Body Idea

GDPR sections 40 to 43 talk about the concepts of “codes of conduct” and “certification bodies”.

It’s possible that ICANN was referring to the possibility of itself becoming a certification body when it blogged about being a “coordinating authority”. Marby, during the EPDP meeting, unhelpfully used the term “accreditation house”.

These hypothetical entities (as far as I know none yet exist) would be approved by either national data protection authorities or the pan-EU European Data Protection Board to administer certification schemes for companies that broadly fall into the same category of data processing businesses.

It seems to be tailor-made for ICANN (though it wasn’t), which already has accreditation of registries and registrars as one of its primary activities.

But this legal avenue does not appear to be a slam-dunk. ICANN would presumably have to persuade a DPA or two, or the EDPB, that giving third parties managed access to citizens’ private data is a good thing.

You’d think that DPAs would be dead against such an idea, but the EU members of ICANN’s Governmental Advisory Committee have put their names to advice stating that Whois should remain accessible under certain circumstances, so it’s not impossible they could see it ICANN’s way.

The C.R.A.P. Idea

Marby’s second idea for taking some of the GDPR burden off the shoulders of contracted parties is to basically make ICANN a proxy, or man-in-the-middle, for Whois queries.

“What would happen if ICANN Org legally is the only place you can ask a question through?” he said. “And the only ones that the contracted parties actually can answer a question to would be ICANN Org? Would that move the legal responsibility away from the contracted parties to ICANN Org?”

In many ways, this is typical domain industry tactics — if there’s a rule you don’t want to follow, pass it off to a proxy.

This model was referred to during the session by EPDP members as the “hub and spoke” or “starfish”. I think the starfish reference might have been a joke.

Marby, in a jocular callback to the “Calzone” and “Cannoli” Whois proposals briefly debated in the community earlier this year, said that this model had a secret ICANN-internal code-name that is “something to do with food”.

Because whenever I’ve tried to coin a phrase in the past it has never stuck, I figure this time I may as well go balls-out and call it the “Cuisine-Related Access Plan” for now, if for no other reason than the acronym will briefly annoy some readers.

Despite the name I’ve given it, I don’t necessarily dislike the idea.

It seems to be inspired by, or at least informed by, side-channel communications between Marby and the Intellectual Property Constituency and Business Constituency, which are both no doubt mightily pissed off that the EPDP has so far proven surprisingly resilient to their attempts to get Whois access into the policy discussions as early as possible.

Two months ago, a few influential IP lawyers proposed to Marby (pdf) a centralized Whois model in which registrars collect data from registrants then pass it off to ICANN, which would be responsible for deciding who gets to see it.

Forget “thin” versus “thick” Whois — this one would be positively, arguably dangerously, obese. Contracted parties would be relegated to “processors” of private data under GDPR, with ICANN the sole “controller”.

Benefits of this would include, these lawyers said, reducing contracted parties’ exposure to GDPR.

It’s pretty obvious why the IP lobby would prefer this — ICANN is generally much more amenable to its demands than your typical registry or registrar, and it would very probably be easier to squeeze data out of ICANN.

While Marby specifically acknowledged that ICANN has taken this suggestion as one of its inputs — and has run it by the DPAs — he stopped well short of fully endorsing it during last week’s meeting in LA.

He seemed to instead describe a system whereby ICANN acts as the gatekeeper to the data, but the data is still stored and controlled at the registry or registrar, saying: “We open a window for access to the data so the data is still at the contracted parties because they use that data for other reasons as well”.

The Insane Idea

The third option, which Marby seemed to characterize as the least “sane” of the three, would be to have Whois access recognized by law as a public interest, enabling the Whois ecosystem to basically ignore GDPR.

Remember, back on on GDPR Day, I told you about how the .dk ccTLD registry is carrying on publishing Whois as normal because a Danish law specifically forces it to?

Marby’s third option seems to be a little along those lines. He specifically referred to Denmark and Finland (which appears to have a similar rule in place) during the LA session.

If I understand correctly, it seems there’d have to be some kind of “legal action” in the EU — either legislation in a member state, or perhaps something a little less weighty — that specifically permitted or mandated the publication of otherwise private Whois data in gTLD domains.

Marby offered trademark databases and telephone directories as examples of data sets that appear to be exempt from GDPR protection due to preexisting legislation.

One problem with this third idea, some say, is that it could bring ICANN policy under the direct jurisdiction of a single nation state, something that it had with the US government for the best part of two decades and fought hard to shake off.

If ICANN was given carte blanche to evade GDPR by a piece of legislation in, say, Lithuania, would not ICANN and its global stakeholders forever be slaves to the whims of the Lithuanian legislature?

And what if that US bill granting IP interests their Whois wet dream passes onto the statute books and ICANN finds itself trapped in a jurisdictional clusterfuck?

Oh, my.

Fatuous Conclusion For The Lovely People Who Generously Bothered To Read To The End

I’m not a lawyer, so I don’t pretend to have a comprehensive understanding of any of this, but to be honest I’m not convinced the lawyers do either.

If you think you do, call me. I want to hear from you. I’m “domainincite” on Skype. Cheers.

Euro-Whois advice still as clear as mud

Kevin Murphy, July 6, 2018, Domain Policy

European privacy chiefs have again weighed in to the ongoing debate about GDPR and Whois, offering another thin batch of vague advice to ICANN.

The European Data Protection Board, in its latest missive (pdf), fails to provide much of the granular “clarity” ICANN has been looking for, in my view.

It does offer a few pieces of specific guidance, but it seems to me that the general gist of the letter from EDPB chair Andrea Jelinek to ICANN CEO Goran Marby is basically: “You’re on your own buddy.”

If the question ICANN asked was “How can we comply with GDPR?” the answer, again, appears to be generally: “By complying with GDPR.”

To make matters worse, Jelinek signs off with a note implying that the EDPB now thinks that it has given ICANN all the advice it needs to run off and create a GDPR-compliant accreditation system for legitimate access to private Whois data.

The EDPB is the body that replaced the Article 29 Working Party after GDPR came into effect in May. It’s made up of the data protection authorities of all the EU member states.

On the accreditation discussion — which aims to give the likes of trademark owners and security researchers access to Whois data — the clearest piece of advice in the letter is arguably:

the personal data processed in the context of WHOIS can be made available to third parties who have a legitimate interest in having access to the data, provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary and the other requirements of GDPR are met, including the provision of clear information to data subjects.

That’s a fairly straightforward statement that ICANN is fine to go ahead with the creation of an accreditation model for third parties, just as long as it’s quite tightly regulated.

But like so much of its advice, it contains an unhelpful nested reference to GDPR compliance.

The letter goes on to say that logging Whois queries should be part of these controls, but that care should be taken not to tip off registrants being investigated by law enforcement.

But it makes no effort to answer Marby’s questions (pdf) about who these legit third-parties might be and how ICANN might go about identifying them, which is probably the most important outstanding issue right now.

Jelinek also addresses ICANN’s lawsuit against Tucows’ German subsidiary EPAG, and I have to disagree with interpretations of its position published elsewhere.

The Register’s Kieren McCarthy, my Chuckle Brother from another Chuckle Mother, reckons the EDPB has torpedoed the lawsuit by “stating clearly that it cannot force people to provide additional ‘admin’ and ‘technical’ contacts for a given domain name”.

Under my reading, what it actually states is that registrants should be able to either use their own contact data, or anonymized contact information identifying a third party, in these records.

The EDPB clearly anticipates that admin and technical contacts can continue to exist, as long as they contain non-personal contact information such as “admin@example.com”, rather than “kevin@example.com”.

That’s considerably more in line with ICANN’s position than that of Tucows, which wants to stop collecting that data altogether.

One area where EDPB does in fact shoot down ICANN’s new Whois policy is when it comes to data retention.

The current ICANN contracts make registrars retain data for two years, but the EDPB notes that ICANN does not explain why or where that number comes from (I hear it was “pulled out of somebody’s ass”).

The EDPB says that ICANN needs to “re-evaluate the proposed data retention period of two years and to explicitly justify and document why it is necessary”.

Finally, the EDPB weighs in on the issue of Whois records for “legal persons” (as opposed to “natural persons”). It turns out their Whois records are not immune to GDPR either.

If a company lists John Smith and john.smith@example.com in its Whois records, that’s personal data on Mr Smith and therefore falls under GDPR, the letter says.

That should provide a strong incentive for registries and registrars to stop publishing potentially personal fields, if they’re still doing so.