Latest news of the domain name industry

Recent Posts

More non-rules proposed for Whois privacy

Kevin Murphy, June 4, 2021, Domain Policy

An ICANN working group has come up with some extra policy proposals for how registries and registrars handle Whois records, but they’re going to be entirely optional.

The ongoing Expedited Policy Development Process team has come up with a document answering two questions: whether registrars should differentiate between people and companies, and whether there should be a system of uniform, anonymized email addresses published in Whois records.

The answer to both questions is a firm “Maybe”.

The EPDP working group seems to have been split along the usual party lines when it comes to both, and has recommended that contracted parties should get to choose whether they adopt either practice.

Under privacy laws, chiefly GDPR, protections only extend to data on natural persons — people — and not to legal persons such as companies, non-profits and other amorphous entities.

Legally, registries and registrars are not obliged to fully redact the Whois records of domains belonging to companies, but many do anyway because it’s easier than putting systems in place to differentiate the two types of registrant.

There’s also the issue that, even if the owner of the domain is a company, the contact information may belong to a named, identifiable person who is protected by GDPR. So ICANN’s contracted parties may reduce their potential liability by redacting everything, no matter what type of entity the domain belongs to.

The EPDP’s has decided to stick to the status quo it agreed to in an earlier round of policy talks: “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.

Contracted parties will get the option to ask their registrants if they’re a natural person (yes/no/not saying) and capture that data, but they’ll have to redact the answer from public Whois output.

They’d have to “clearly communicate” to their customers the fact that their data will be treated differently depending on the choice they make.

On the second question, related to whether a system standardized, published, anonymized email addresses is feasible or desirable, the EPDP is also avoiding any radical changes:

The EPDP Team recognizes that it may be technically feasible to have a registrant-based email contact or a registration-based email contact. Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time.

Again, the working group is giving registries and registrars the option to implement such systems or not.

The benefit (or drawback, depending on your perspective) of giving each registrant a single anonymous email address that is published in all their Whois records is that it makes it rather easy to reverse-engineer that registrant’s entire portfolio.

If you’re a political insider running a whistle-blower blog, a bar owner who also moderates a forum for closeted gays in a repressive regime, or a domain name news blogger running a furry porn site on the side, you might not want your whole collection of domains to be easily doxxed.

But if you’re a trademark lawyer chasing cybersquatters or a security researcher tracking spammers, being able to take action against a ne’er-do-well’s entire portfolio at once could be hugely useful.

So the EPDP working group proposes to leave it up to individual registries and registrars to decide whether to implement such a system, basically telling these companies to talk to their lawyers.

The EPDP Team recommends that Contracted Parties who choose to publish a registrant- or registration-based email address in the publicly accessible RDDS should ensure appropriate safeguards for the data subject in line with relevant guidance on anonymization techniques provided by their data protection authorities and the appended legal guidance in this recommendation

An appendix to the recommendations, compiled by the law firm Bird & Bird, says there’s “a high likelihood that the publication or automated disclosure of such email addresses would be considered to be the processing of personal data”.

The EPDP recommendations are now open for public comment until July 19, and could become binding if they make it through the rest of the ICANN policy development system.

IP lobby demands halt to Whois reform

Kevin Murphy, March 17, 2021, Domain Policy

Trademark interests in the ICANN community have called on the Org to freeze implementation of the latest Whois access policy proposals, saying it’s “not yet fit for purpose”.

The Intellectual Property Constituency’s president, Heather Forrest, has written (pdf) to ICANN chair Maarten Botterman to ask that the so-called SSAD system (for Standardized System for Access and Disclosure) be put on hold.

SSAD gives interested parties such as brands a standardized pathway to get access to private Whois data, which has been redacted by registries and registrars since the EU’s Generic Data Protection Regulation came into force in 2018.

But the proposed policy, approved by the GNSO Council last September, still leaves a great deal of discretion to contracted parties when it comes to disclosure requests, falling short of the IPC’s demands for a Whois that looks a lot more like the automated pre-GDPR system.

Registries and registrars argue that they have to manually verify disclosure requests, or risk liability — and huge fines — under GDPR.

The IPC has a few reasons why it reckons ICANN should slam the brakes on SSAD before implementation begins.

First, it says the recommendations sent to the GNSO Council lacked the consensus of the working group that created them.

Intellectual property, law enforcement and security interests — the likely end users of SSAD — did not agree with big, important chucks of the working group’s report. The IPC reckons eight of the 18 recommendations lacked a sufficient degree of consensus.

Second, the IPC claims that SSAD is not in the public interest. If the entities responsible for “policing the DNS” don’t think they will use SSAD due to its limitations, then why spend millions of ICANN’s money to implement it?

Third, Forrest writes that emerging legislation out of the EU — the so-called NIS2, a draft of a revised information security directive —- puts a greater emphasis on Whois accuracy

Forrest concludes:

We respectfully request and advise that the Board and ICANN Org pause any further work relating to the SSAD recommendations in light of NIS2 and given their lack of community consensus and furtherance of the global public interest. In light of these issues, the Board should remand the SSAD recommendations to the GNSO Council for the development of modified SSAD recommendations that meet the needs of users, with the aim of integrating further EU guidance.

It seems the SSAD proposals will be getting more formal scrutiny than previous GNSO outputs.

When the GNSO Council approved the recommendations in September, it did so with a footnote asking ICANN to figure out whether it would be cost-effective to implement an expensive — $9 million to build, $9 million a year to run — system that may wind up being lightly used.

ICANN has now confirmed that SSAD and the other Whois policy recommendations will be one of the first recipients of the Operational Design Phase (pdf) treatment.

The ODP is a new, additional layer of red tape in the ICANN policy-making sausage machine that slots in between GNSO Council approval and ICANN board consideration, in which the Org, in collaboration with the community, tries to figure out how complex GNSO recommendations could be implemented and what it would cost.

ICANN said this week that the SSAD/Whois recommendations will be subject to a formal ODP in “the coming months”.

Any question about the feasibility of SSAD would be referred back to the GNSO, because ICANN Org is technically not supposed to make policy.

Public comments open on new Whois policies

Kevin Murphy, February 11, 2021, Domain Policy

It’s your last chance to comment on ICANN’s proposed revisions to Whois policy.

ICANN has opened up public comments on what it opaquely calls EPDP Phase 2 Policy Recommendations for Board Consideration.

Why it just can’t use the term “Whois access”, or announce its public comment periods in layman’s terms is beyond me. Doesn’t it want public comments? Still, translating this nonsense into English keeps me in work, so I guess I won’t complain too hard.

The main feature of the proposed policy is a multi-tiered, somewhat centralized system for requesting access to Whois data about private registrants that has been redacted since the EU’s General Data Protection Regulation came into effect in May 2018.

It’s called SSAD, for System for Standardized Access and Disclosure, which was pieced together by a working group of community volunteers over a year.

Domain companies are generally okay with the compromise it represents, but intellectual property interests and others who would actually use the system think it’s a useless waste of money.

It’s expected to cost $9 million to build and $9 million a year to run.

There’s so much uncertainty about the system that in parallel with the public comments ICANN is also consulting with the GNSO Council, which approved the proposals in September, to figure out whether it’s even workable, and with the European Commission to figure out if it’s even legal.

After the public comment period closes on March 30, the comments will be compiled by ICANN staff and burned on a big fire sent to the ICANN board for final approval.

Whois privacy group finds its new chair

Kevin Murphy, December 8, 2020, Domain Policy

Verisign’s top policy veep is set to become the third chair of the ICANN working group looking at Whois policy in the post-GDPR world.

Keith Drazek has been recommended to head the long-running group, known as the EPDP, and the GNSO Council is due to vote on his appointment next week. He’s likely to be a shoo-in.

He’s VP of policy and government relations at the .com registry, and a long-standing member of the ICANN policy-making community.

I recently opined that ICANN was looking for a “masochistic mug” to chair the group. Drazek was until October the chair of the GNSO Council, and is therefore perfectly qualified for the role.

The third phase of the EPDP process, which in typical ICANNese is denominated “phase 2a”, is likely to be slightly less controversial than the first two.

The EPDP has already decided that ICANN should probably create a Standardized System for Access and Disclosure — SSAD — that may enable law enforcement and intellectual property owners to get their hands on unredacted Whois records.

But governments, IP interests and others have already dismissed the plan as useless, and there’s still a big question mark over whether SSAD is too complex and expensive to be worth implementing.

In the third phase, EPDP members will be discussing rules on distinguishing between legal and natural persons when record-holders decide what info to make public, and whether there should be a standardized system of unique, anonymized email forwarders to contact domain registrants.

They’re both less divisive topics than have been previously addressed, but not without the potential for fireworks.

The email issue, for example, could theoretically enable people to harvest a registrant’s entire portfolio of domains, something very useful for law enforcement and IP lawyers but abhorrent to privacy advocates.

The previous two phases were chaired by Kurt Pritz and Janis Karklins, with Rafik Dammak acting as vice-chair.

Masochistic mug urgently wanted for thankless, pay-free ICANN leadership role

Kevin Murphy, November 17, 2020, Domain Policy

ICANN still hasn’t found itself a volunteer to head up the next round of no-doubt contentious discussions about Whois policy.

Today it put out its second call for a chair of the Expedited Policy Development Process working group, which is continuing to square the circle of keeping Whois data compliant with data protection law whilst also allowing cops and IP lawyers access to the data.

The EPDP was supposed to have concluded a few months ago with the end of the second phase of talks, but a couple of issues were left unresolved, leading to the creation of a third phase, being spun as “Phase 2a”.

The first issue still to be discussed is if and how registries and registrars should be obliged to make a distinction between the data of private individuals, which is protected by law, and legal entities, which isn’t.

The second is whether it would be possible to have a uniform system of anonymized email addresses across Whois records.

They’re not exactly the most controversial of topics under the Whois umbrella, but they’re not easy asks either.

And the role of chair is time-consuming, uncompensated, with few perks.

ICANN wants somebody who is neutral and, unstated but perhaps more importantly, perceived to be neutral. The chairs of the previous two phases have been policy heavy-hitters Kurt Pritz and Janis Karklins.

It also wants somebody with “considerable experience in chairing working groups”, which immediately drains the pool of potential applicants.

If previous phases of the EPDP are any guide, the successful applicant will have to herd the cats through dozens of hours of teleconferences — the more-complex phase two had 74 meetings, most of which were two hours long.

For their efforts, the chair gets no money, and because of coronavirus travel restrictions they won’t even get paid junkets to international face-to-face meetings.

And if the output of the next phase is anywhere as near as divisive as phase two, they probably won’t win much praise either.

That’s perhaps why ICANN has extended the deadline for expressions of interest from last Friday to November 23.

Applicants go here.

ICANN denies Whois policy “failure” as Marby issues EU warning

Kevin Murphy, October 19, 2020, Domain Policy

ICANN directors have denied that recently delivered Whois policy recommendations represent a “failure” of the multistakeholder model.

You’ll recall that the GNSO Council last month approved a set of controversial recommendations, put forward by the community’s EPDP working group, to create a semi-centralized system for requesting access to private Whois data called SSAD.

The proposed policy still has to be ratified by the ICANN board of directors, but it’s not on the agenda for this week’s work-from-home ICANN 69 conference.

That has not stopped there being some robust discussion, of course, with the board talking for hours about the recommendations with its various stakeholder groups.

The EPDP’s policy has been criticized not only for failing to address the needs of law enforcement and intellectual property owners, but also as a failure of the multistakeholder model itself.

One of the sharpest public criticisms came in a CircleID article by Fabricio Vayra, IP lawyer are Perkins Coie, who tore into ICANN last month for defending a system that he says will be worse than the status quo.

But ICANN director Becky Burr told registries and registrars at a joint ICANN 69 session last week: “We don’t think that the EPDP represents a failure of the multistakeholder model, we actually think it’s a success.”

“The limits on what could be done in terms of policy development were established by law, by GDPR and other data protection laws in particular,” she added.

In other words, it’s not possible for an ICANN working group to create policy that supersedes the law, and the EPDP did what it could with what it was given.

ICANN CEO Göran Marby doubled down, not only agreeing with Burr but passing blame to EU bureaucrats who so far have failed to give a straight answer on important liability issues related to the GDPR privacy regulation.

“I think the EPDP came as far as it could,” he said during the same session. “Some of the people now criticizing it are rightly disappointed, but their disappointment is channeled in the wrong direction.”

He then referred to his recent outreach to three European Commission heads, in which he pleaded for clarity on whether a more centralized Whois model, with more liability shifted away from registrars to ICANN, would be legal.

A failure to provide such clarity would be to acknowledge that the EPDP’s policy proposals are all just fine and dandy, despite what law enforcement and some governments believe, he suggested.

“If the European Union, the European Commission, member states in Europe, or the data protection authorities don’t want to do anything, they’re happy with the situation,” he told registrars and registries.

“If they don’t take actions now, or answer our questions, they’re happy with the way people or organizations get access to the Whois data… it seems that if they don’t change or do anything, they’re happy, and then were are where we are,” he said.

He reiterated similar thoughts at sessions with other stakeholders last week.

But he faced some pushback from members of the pro-privacy Non-Commercial Stakeholders Group, particularly during an entertaing exchange with EPDP member Milton Mueller, who’s unhappy with how Marby has been characterizing the group’s output to the EU.

He specifically unhappy with Marby telling the commissioners: “Should the ICANN Board approve the SSAD recommendations and direct ICANN org to implement it, the community has recommended that the SSAD should become more centralized in response to increased legal clarity.”

Mueller reckons this has no basis in what the EPDP recommended and the GNSO Council approved. It is what the IP interests and governments want, however.

In response, Marby talked around the issue and seemed to characterize it as a matter of interpretation, adding that he’s only trying to provide the ICANN community with the legal clarity it needs to make decisions.

Should YOU have to pay when lawyers access your private Whois info?

Kevin Murphy, September 23, 2020, Domain Policy

The question of who should shoulder the costs of ICANN’s proposed Whois overhaul is being raised, with governments and others suggesting that the burden should fall on registrants themselves.

In separate statements to ICANN recently, the Governmental Advisory Committee and Security and Stability Advisory Committee both put forward the view that registrants, rather than the trademark lawyers behind most requests for private Whois data, should fund the system.

ICANN currently expects the so-called System for Standardized Access/Disclosure (SSAD), proposed after two years of talks in an ICANN community working group, to cost $9 million to build and another $9 million a year to operate.

The working group, known as the EPDP, has recommended in its final report that registrants “MUST NOT bear the costs for having data disclosed to third parties”.

Instead, it recommended that requestors themselves should pay for the system, probably via an annual accreditation fee.

But now the GAC and SSAC have issued minority statements calling that conclusion into question.

The GAC told ICANN (pdf):

While the GAC recognizes the appeal of not charging registrants when others wish to access their data, the GAC also notes that registrants assume the costs of domain registration services as a whole when they register a domain name.

While the SSAC said (pdf):

Data requestors should not primarily bear the costs of maintaining the system. Requestors should certainly pay the cost of getting accredited and maintaining their access to the system. But the current language of [EPDP Recommendation] 14.2 makes victims and defenders cover the costs of the system’s operation, which is unfair and is potentially dangerous for Internet security…

No previous PDP has protected registrants from having the costs associated with “core” registration services or the implementation of consensus policies being passed on to them. No previous PDP has tried to manipulate the functioning of market forces as is proposed in Recommendation 14.

SSAC suggested instead that registrars should be allowed to pass on the costs of SSAD to their customers, and/or that ICANN should subsidize the system.

Over 210 million gTLD domain names, $9 million a year would work out to less than five cents per domain, but one could argue there’s a principle at stake here.

Should registrants have to pay for the likes of Facebook (probably the biggest requestor of private Whois data) to access their private contact information?

The current proposed system would see the estimated $9 million spread out over a far smaller number of requestors, making the fee something like $450 per year.

EPDP member Milton Mueller did the math and concluded that any company willing to pay its lawyers hundreds of thousands of dollars to fight for greater Whois access in ICANN could certainly swallow a measly few hundred bucks a year.

But the minority objections from the GAC, SSAC and Intellectual Property Constituency do not focus wholly on the costs. They’re also bothered that SSAD doesn’t go nearly far enough to actually provide access to Whois data.

Under the current, temporary, post-GDPR system, registries and registrars basically use their own employees’ discretion when deciding whether to approve a Whois data request.

That wouldn’t change significantly under SSAD, but there would be a huge, multi-tiered system of accreditation and request-forwarding that’s been described as “glorified, overly complex and very expensive ticketing system”.

The GAC wants something much more automated, or for the policy to naturally allow increased automation over time. It also wants increased centralization, taking away much of the human decision-making at registrars out of the equation.

The response from the industry has basically been that if GDPR makes them legally liable for their customers’ data, then it’s the registries and registrars that should make the disclosure decisions.

The GAC has a great deal of power over ICANN, so there’s likely to be a bit of a fight about the EPDP’s outcomes and the future of SSAD.

The recommendations are due to be voted on by the GNSO Council at its meeting tomorrow, and as I’ve noted before, it could be tight.

Council chair Keith Drazek seems to be anticipating some lively debate, and he’s already warned fellow members that’s he’s not minded to approve any request for a delay on the vote, noting that the final report has been available for review for several weeks.

By convention, the Council will defer a vote on the request of any of its constituency groups, but this is sometimes exploited.

Should the Council approve the resolution approving the final report — which contains a request for further financial review of SSAD — then it will be forwarded to the ICANN board of directors for final discussion and approval.

But with the GAC on its case, with its special advisory powers, getting SSAD past the board could prove tricky.

The pricey, complex, clusterfuck plan to reopen Whois

Kevin Murphy, August 3, 2020, Domain Policy

After a little more than two years, an ICANN working group has finalized the policy that could allow people to start accessing unredacted Whois records again.

Despite the turnaround time being relatively fast by ICANN standards, the Expedited Policy Development Process group has delivered what could be the most lengthy and complex set of policy recommendations I’ve seen since the policy work on new gTLDs over a decade ago.

Don’t get too excited if you’re itching to get your hands on Whois data once more. It’s a 171-page document containing over a hundred recommendations that’s bound to take ages to implement in full, if it even gets approved in the coming weeks.

I’d be surprised if it’s up and running fully before 2022 at the earliest. If and when the system does eventually come online, don’t expect to get it for free.

It’s already being slammed in multiple quarters, with one constituency saying it could result in a “multi-year-implementation resulting in a system which would effectively be a glorified, overly complex and very expensive ticketing system”.

Trademark owners are livid, saying the proposed policy completely fails to address their needs, and merely entrenches the current system of registrar discretion into formal ICANN policy.

The recommendations describe a proposed system called SSAD, for System for Standardized Access/Disclosure, which would be overseen by ICANN and enforced through its contracts with registries and registrars.

It’s a multi-tiered system involving a few primary functions, wrapped in about a thousand miles of red tape.

First and foremost, you’ve got the Central Gateway Manager. This would either be ICANN, or a company to which ICANN outsources. Either way, ICANN would be responsible for overseeing the function.

The gateway manager’s job is to act as a middleman, accepting Whois data requests from accredited users and forwarding them to registries and registrars for processing.

In order to access the gateway, you’d need to be accredited by an Accreditation Authority. Again, this might be ICANN itself or (more likely) a contractor.

The policy recommendations only envisage one such authority, but it could rely on a multitude of Identity Providers, entities that would be responsible for storing the credentials of users.

It’s possible all of these roles and functions could be bundled up in-house at ICANN, but it appears the far more likely scenario is that there will be a bunch of RFPs coming down the pike for hungry contractors later this year.

But who gets to get accredited?

Anyone with a “legitimate interest or other lawful basis”, it seems. The document is far from prescriptive or proscriptive when it comes to describing possible users.

But the recommendations do give special privileges to governments and government-affiliated entities such as law enforcement, consumer protection bodies and data privacy watchdogs.

For law enforcement agencies, the proposed policy would mandate fully automated processing at the gateway and at the registry/registrar. It sounds like cops would get pretty much instant access to all the Whois data they need.

Requests just the for city field of the record would also be fully automated, for any accredited requestor.

There would be at least three priorities of Whois request under the proposed system.

The first, “Urgent”, would be limited to situations that “pose an imminent threat to life, serious bodily injury, critical infrastructure (online and offline) or child exploitation”. Non-cops could use this method too. Contracted parties would have one business day or three calendar days to respond.

The second would be limited to ICANN-related procedures like UDRP and URS, and registrars would have a maximum of two business days to respond.

The third would encapsulate all other requests, with some priority given to fraud or malware-related requests. Response times here could be a long as 10 days.

I’m trying to keep it simple here, but a lot of the recommendations describe the aforementioned red tape surrounding each stage of the process.

Registrars and registries would be bound to service level agreements, there’d be appeals processes for rejected requests, there’d be logging, audits, reporting, methods to de-accredit users and methods for them to appeal their de-accreditation… basically a shedload of checks and balances.

And who’s going to pay for it all?

ICANN’s latest guesstimate is that SSAD will cost $9 million to build and another $8.9 million annually to operate.

It seems the main burden will be placed on the shoulders of the end-user requestors, which will certainly have to pay for accreditation (which would have to be renewed periodically) and may have to pay per-query too.

Trademark lawyers within the ICANN community are furious about this — not because they have to pay, but because SSAD functionality does “not come close to justifying the costs”.

They’d envisaged a system that would be increasingly automated as time went by, eventually enabling something pretty much like the old way of doing Whois lookups, but say the current proposals preclude that.

It’s also not impossible that the system could lead to higher fees for registrants.

The EPDP group is adamant that domain registrants should not have to pay directly when somebody queries their Whois data, and says the SSAD should be cheaper to run for registrars than the current largely manual system, but acknowledges there’s nothing ICANN can do to stop registrars raising their prices as a result of the proposed policy.

The recommendations say that ICANN should not take a profit from SSAD, but do not discount its contractors from making a fair return from their work.

Prices are, like much else described in this Final Report, still very much TBD. The EPDP working group was given a lot to accomplish in very little time, and there’s a lot of buck-passing going on.

And there’s no guarantee that the policy will even be approved in the short term, given the level of dissent from working group participants.

Before the recommendations become formal Consensus Policy — and therefore binding on all registries and registrars — they first have to be approved by the GNSO Council and then the ICANN board of directors.

The first opportunity for the GNSO Council to vote is at its meeting September 24, but it could be a very tight vote.

For an EPDP to pass, it needs a supermajority vote of the Council, which means a two-thirds majority of both “houses” — the Contracted Parties House (ie, registries and registrars) and the Non-Contracted Parties house — or a 75% approval in one house and a simple majority in the other.

The way things stand, it looks to me like the CPH will very likely vote 100% in favor of the proposal, which means that only seven out of the 13 NCPH members will have to vote in favor of the report in order for it to pass.

The NCPH is made up of six people from the Non-Commercial Stakeholders Group, which generally hold pro-privacy views and have already criticized the report as not going far enough to protect registrants’ data.

Six more NCPH members comprise two members each from the Intellectual Property Constituency, Business Constituency and Internet Service Providers Constituency.

The IPC and BC put their names to a joint minority statement in the Final Report saying that its recommendations:

amount to little more than affirmation of the [pre-EPDP] status quo: the elements of WHOIS data necessary to identify the owners and users of domain names are largely inaccessible to individuals and entities that serve legitimate public and private interests.

I’m chalking those four Council members down as reliable “no” votes, but they’ll need the support of the two ISP guys and the wildcard Nominating Committee appointee in order to bury this policy proposal.

If it does pass the Council, the next and final stage of approval for SSAD would be the ICANN board, probably at ICANN 69 in October.

But then ICANN would actually have to build the damn thing.

This would take many months of implementation and review, then there’d have to be multiple RFP processes to select the companies to write the software and build the infrastructure to run it, who’d then actually have to build and test it.

In the same guesstimate that put a $9 million price tag on the system, ICANN reckoned that it would take a full year for a third party to build and test SSAD. That’s not even taking registrar integration into account.

So, if you’re looking for streamlined Whois access again, you’d best think 2022 at the very earliest, if ever.

If you wish to read the EPDP working group’s Final Report, you can do so here (pdf).

UPDATE: This article originally misstated the date of the next GNSO Council meeting at which this proposal could be considered. It’s not August 20. It’s September 24, which means initial ICANN board consideration is out in October. Add another month to whatever timeline you were hoping for.

Is ICANN chickening out of Whois access role?

Kevin Murphy, May 26, 2020, Domain Policy

As talks over a centralized system for Whois access enter their eleventh hour, confusion has been sown over whether ICANN still wants to play ball.

The ICANN working group tasked with creating a “unified access model” for Whois data, currently rendered private by the GDPR privacy law, was forced last week to ask ICANN’s board of directors three blunt questions about how it sees its future role.

The group has been working for two years on a system of Whois access based around a central gateway for requests, which could be made only by those given credentials by an accreditation authority, which would also be able to revoke access rights if abused.

The proposed model as a whole has come to be known as SSAD, for System for Standardized Access/Disclosure.

The assumption has been that ICANN would act in these roles, either hands-on or by subcontracting the functions out to third parties, largely because ICANN has given every indication that it would and is arguably inventor of the concept.

But that assumption was thrown into doubt last Thursday, during a working group teleconference, when ICANN board liaison Chris Disspain worried aloud that the group may be pushing ICANN into areas beyond its remit.

Disspain said he was “increasingly uncomfortable with the stretching of ICANN’s mandate”, and that there was no guarantee that the board would approve a policy that appeared to push it outside the boundaries of its mission statement and bylaws.

“While it may be convenient and it might seem to solve the problem to say ‘Well, let ICANN do it’, I don’t think anyone should assume that ICANN will,” he said.

He stressed that he was speaking in his personal capacity rather on behalf of the board, but added that he was speaking based on his over eight years of experience on the board.

He spoke within the context of a discussion about how Whois access accreditation could be revoked in the event that the user abused their privileges, and whether an ICANN department such as Compliance should be responsible.

Several working group members expressed surprise at his remarks, with Milton Mueller of the Non-Commercial Stakeholders Group later calling it “a sudden and rather suspicious departure from nearly two years of ICANN Org statements and activities”.

The confusion comes at a critical juncture for the working group, which has to wrap up its work before chair Janis Karklins quits on June 30.

Karklins wrote to the board late last week to ask:

If SSAD becomes an adopted consensus policy, would ICANN Org will perform the Accreditation Authority function?

If SSAD becomes an adopted consensus policy, would ICANN Org will perform the central Gateway function?

If SSAD becomes an adopted consensus policy, would ICANN Org enforces compliance of SSAD users and involved parties with its consensus policy?

It’s a kinda important set of questions, but there’s no guarantee ICANN will provide straight answers.

When the working group, known as the EPDP, wraps up, the policy will go to the GNSO Council for approval before it goes to the board.

Irony alert! Data protection agency complains it can’t get access to private Whois data

Kevin Murphy, May 26, 2020, Domain Policy

A European data protection authority has complained to ICANN after a registrar refused to hand over one of its customers’ private Whois records, citing the GDPR data protection regulation, according to ICANN.

Compounding the irony, the DPA wanted the data as part of its probe into an alleged GDPR violation at the domain in question.

This is the frankly hilarious scenario outlined in a letter (pdf) from ICANN boss Göran Marby to Andrea Jelinek, chair of the European Data Protection Board, last week.

Since May 2018, registrars and registries have been obliged under ICANN rules to redact all personally identifiable information from public Whois records, because of the EU’s General Data Protection regulation.

This has irked the likes of law enforcement and intellectual property owners, who have found it increasingly difficult to discover the identities of suspected bad actors such as fraudsters and cybersquatters.

Registrars are still obliged to hand over data upon request in certain circumstances, but the rules are vague, requiring a judgement call:

Registry and Registrar MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

While an ICANN working group has been attempting to come up with a clearer-cut set of guidelines, administered by a central body, this so-called SSAD (System for Standardized Access/Disclosure) has yet to come to fruition.

So when an unidentified European DPA recently asked a similarly unidentified non-EU registrar for the Whois data of somebody they suspected of GDPR violations, the registrar told it to get stuffed.

It told the DPA it would “not act against a domain name without any clear and unambiguous evidence for the fraudulent behavior” and said it would respond to legal requests in its own jurisdiction, according to ICANN.

The DPA complained to ICANN, and now ICANN is using that complaint to shame the EDPB into getting off the fence and providing some much-needed clarity about when registrars can declassify Whois data without breaking the law.

Marby wrote that registrars are having to apply their “subjective judgment and discretion” and will most often come down on the side of registrants in order to reduce their GDPR risk. He wrote:

ICANN org would respectfully suggest to the EDPB that a more explicit recognition of the importance of certain legitimate interests, including the relevance of public interests, combined with clearer guidelines on balancing, could address these problems.

ICANN org would respectfully suggest to the EDPB to consider issuing additional specific guidance on this topic to ensure that entities with a legitimate interest in obtaining access to non-public gTLD registration data are able to do so. Guidance would in particular be appreciated on how to balance legitimate interests in access to data with the interests of the data subject concerned

ICANN and the EDPB have been communicating about this issue for a couple of years now, with ICANN looking for some clarity on this largely untested area of law, but the EDPB’s responses to data have been pretty vague and unhelpful, almost as if it doesn’t know what the hell it’s doing either.

Will this latest example of the unintended consequences of GDPR give the Board the kick up the bum it needs to start talking in specifics? We’ll have to wait and see.