Recent Posts
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
- ICANN picks Istanbul for 2024 meeting
- ICANN’s private Whois data request service goes live
- .au regs slide on 2LD anniversary
- ICANN accused of power grab over $271 million auction fund
- A registrar is getting blamed for an Israeli war propaganda site
- Two more dot-brands bite the dust
- Google sells five-figure AI domain and six-figure .ing hack
- .blackfriday is still a bit rubbish
- Internet Naming Co acquires five more gTLDs
- Domain universe grows despite .com drag
More non-rules proposed for Whois privacy
An ICANN working group has come up with some extra policy proposals for how registries and registrars handle Whois records, but they’re going to be entirely optional.
The ongoing Expedited Policy Development Process team has come up with a document answering two questions: whether registrars should differentiate between people and companies, and whether there should be a system of uniform, anonymized email addresses published in Whois records.
The answer to both questions is a firm “Maybe”.
The EPDP working group seems to have been split along the usual party lines when it comes to both, and has recommended that contracted parties should get to choose whether they adopt either practice.
Under privacy laws, chiefly GDPR, protections only extend to data on natural persons — people — and not to legal persons such as companies, non-profits and other amorphous entities.
Legally, registries and registrars are not obliged to fully redact the Whois records of domains belonging to companies, but many do anyway because it’s easier than putting systems in place to differentiate the two types of registrant.
There’s also the issue that, even if the owner of the domain is a company, the contact information may belong to a named, identifiable person who is protected by GDPR. So ICANN’s contracted parties may reduce their potential liability by redacting everything, no matter what type of entity the domain belongs to.
The EPDP’s has decided to stick to the status quo it agreed to in an earlier round of policy talks: “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.
Contracted parties will get the option to ask their registrants if they’re a natural person (yes/no/not saying) and capture that data, but they’ll have to redact the answer from public Whois output.
They’d have to “clearly communicate” to their customers the fact that their data will be treated differently depending on the choice they make.
On the second question, related to whether a system standardized, published, anonymized email addresses is feasible or desirable, the EPDP is also avoiding any radical changes:
The EPDP Team recognizes that it may be technically feasible to have a registrant-based email contact or a registration-based email contact. Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time.
Again, the working group is giving registries and registrars the option to implement such systems or not.
The benefit (or drawback, depending on your perspective) of giving each registrant a single anonymous email address that is published in all their Whois records is that it makes it rather easy to reverse-engineer that registrant’s entire portfolio.
If you’re a political insider running a whistle-blower blog, a bar owner who also moderates a forum for closeted gays in a repressive regime, or a domain name news blogger running a furry porn site on the side, you might not want your whole collection of domains to be easily doxxed.
But if you’re a trademark lawyer chasing cybersquatters or a security researcher tracking spammers, being able to take action against a ne’er-do-well’s entire portfolio at once could be hugely useful.
So the EPDP working group proposes to leave it up to individual registries and registrars to decide whether to implement such a system, basically telling these companies to talk to their lawyers.
The EPDP Team recommends that Contracted Parties who choose to publish a registrant- or registration-based email address in the publicly accessible RDDS should ensure appropriate safeguards for the data subject in line with relevant guidance on anonymization techniques provided by their data protection authorities and the appended legal guidance in this recommendation
An appendix to the recommendations, compiled by the law firm Bird & Bird, says there’s “a high likelihood that the publication or automated disclosure of such email addresses would be considered to be the processing of personal data”.
The EPDP recommendations are now open for public comment until July 19, and could become binding if they make it through the rest of the ICANN policy development system.
IP lobby demands halt to Whois reform
Trademark interests in the ICANN community have called on the Org to freeze implementation of the latest Whois access policy proposals, saying it’s “not yet fit for purpose”.
The Intellectual Property Constituency’s president, Heather Forrest, has written (pdf) to ICANN chair Maarten Botterman to ask that the so-called SSAD system (for Standardized System for Access and Disclosure) be put on hold.
SSAD gives interested parties such as brands a standardized pathway to get access to private Whois data, which has been redacted by registries and registrars since the EU’s Generic Data Protection Regulation came into force in 2018.
But the proposed policy, approved by the GNSO Council last September, still leaves a great deal of discretion to contracted parties when it comes to disclosure requests, falling short of the IPC’s demands for a Whois that looks a lot more like the automated pre-GDPR system.
Registries and registrars argue that they have to manually verify disclosure requests, or risk liability — and huge fines — under GDPR.
The IPC has a few reasons why it reckons ICANN should slam the brakes on SSAD before implementation begins.
First, it says the recommendations sent to the GNSO Council lacked the consensus of the working group that created them.
Intellectual property, law enforcement and security interests — the likely end users of SSAD — did not agree with big, important chucks of the working group’s report. The IPC reckons eight of the 18 recommendations lacked a sufficient degree of consensus.
Second, the IPC claims that SSAD is not in the public interest. If the entities responsible for “policing the DNS” don’t think they will use SSAD due to its limitations, then why spend millions of ICANN’s money to implement it?
Third, Forrest writes that emerging legislation out of the EU — the so-called NIS2, a draft of a revised information security directive —- puts a greater emphasis on Whois accuracy
Forrest concludes:
We respectfully request and advise that the Board and ICANN Org pause any further work relating to the SSAD recommendations in light of NIS2 and given their lack of community consensus and furtherance of the global public interest. In light of these issues, the Board should remand the SSAD recommendations to the GNSO Council for the development of modified SSAD recommendations that meet the needs of users, with the aim of integrating further EU guidance.
It seems the SSAD proposals will be getting more formal scrutiny than previous GNSO outputs.
When the GNSO Council approved the recommendations in September, it did so with a footnote asking ICANN to figure out whether it would be cost-effective to implement an expensive — $9 million to build, $9 million a year to run — system that may wind up being lightly used.
ICANN has now confirmed that SSAD and the other Whois policy recommendations will be one of the first recipients of the Operational Design Phase (pdf) treatment.
The ODP is a new, additional layer of red tape in the ICANN policy-making sausage machine that slots in between GNSO Council approval and ICANN board consideration, in which the Org, in collaboration with the community, tries to figure out how complex GNSO recommendations could be implemented and what it would cost.
ICANN said this week that the SSAD/Whois recommendations will be subject to a formal ODP in “the coming months”.
Any question about the feasibility of SSAD would be referred back to the GNSO, because ICANN Org is technically not supposed to make policy.
Public comments open on new Whois policies
It’s your last chance to comment on ICANN’s proposed revisions to Whois policy.
ICANN has opened up public comments on what it opaquely calls EPDP Phase 2 Policy Recommendations for Board Consideration.
Why it just can’t use the term “Whois access”, or announce its public comment periods in layman’s terms is beyond me. Doesn’t it want public comments? Still, translating this nonsense into English keeps me in work, so I guess I won’t complain too hard.
The main feature of the proposed policy is a multi-tiered, somewhat centralized system for requesting access to Whois data about private registrants that has been redacted since the EU’s General Data Protection Regulation came into effect in May 2018.
It’s called SSAD, for System for Standardized Access and Disclosure, which was pieced together by a working group of community volunteers over a year.
Domain companies are generally okay with the compromise it represents, but intellectual property interests and others who would actually use the system think it’s a useless waste of money.
It’s expected to cost $9 million to build and $9 million a year to run.
There’s so much uncertainty about the system that in parallel with the public comments ICANN is also consulting with the GNSO Council, which approved the proposals in September, to figure out whether it’s even workable, and with the European Commission to figure out if it’s even legal.
After the public comment period closes on March 30, the comments will be compiled by ICANN staff and burned on a big fire sent to the ICANN board for final approval.
US sneaks public Whois demands into pandemic relief bill
Outgoing US president Donald Trump has signed into law a coronavirus relief bill and spending package that contains a surprise instruction for the government to pursue open access to Whois records.
The Consolidated Appropriations Act of 2021 is focused on federal spending for fiscal 2021, with billions set aside for pandemic-related economic stimulus. It’s the bill you may recall Trump refused to sign for several days on the purported basis that it only provided Americans with a piddling $600 check.
An accompanying document contains encouragement for the National Telecommunications and Information Administration to “to require registrars and registries based in the United States to collect and make public accurate domain name registration information”.
It also asks the NTIA to continue to work within ICANN’s Governmental Advisory Committee to help create “a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information”.
The text can be found in a joint explanatory statement (pdf) accompanying the act. It’s not on the statute books as such, but it does tell NTIA how to spend the money it’s been allocated.
The full text relevant to the domain name industry reads:
NTIA is directed, through its position within the Governmental Advisory Committee o work with I CANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes. NTIA is encouraged, as appropriate, to require registrars and registries based in the United States to collect and make public accurate domain name registration information.
As ICANN notes in its analysis, the first sentence is not telling NTIA to do anything it hasn’t been doing since the European Union’s General Data Protection Regulation came into effect two and a half years ago.
The NTIA and GAC have been involved in efforts to create a privacy workaround for rights holders and law enforcement, which in September came up with the widely panned SSAD proposals. ICANN is currently pleading with the EU for clarity on whether it would even be legal.
The second sentence is perhaps a bit more worrying, dangling as it does the possibility of American registries and registrars having to either break EU law or implement a much more complex Whois infrastructure.
But, as ICANN notes, the words “encouraged, as appropriate” are doing a lot of heavy lifting in that sentence, saying “encouragement is aspirational; it is not a mandate”.
However, ICANN appears to be treating it as a warning shot, with head of compliance Jamie Hedlund writing:
It appears to hint that if NTIA and the ICANN community can’t develop a robust access model, Congress could entertain more forceful measures that would impose requirements on U.S.-based registries and registrars to collect and publish domain name registration information.
It seems the NTIA has the wink to cause mischief, should ICANN not deliver what intellectual property lobbyists want.
Whois privacy group finds its new chair
Verisign’s top policy veep is set to become the third chair of the ICANN working group looking at Whois policy in the post-GDPR world.
Keith Drazek has been recommended to head the long-running group, known as the EPDP, and the GNSO Council is due to vote on his appointment next week. He’s likely to be a shoo-in.
He’s VP of policy and government relations at the .com registry, and a long-standing member of the ICANN policy-making community.
I recently opined that ICANN was looking for a “masochistic mug” to chair the group. Drazek was until October the chair of the GNSO Council, and is therefore perfectly qualified for the role.
The third phase of the EPDP process, which in typical ICANNese is denominated “phase 2a”, is likely to be slightly less controversial than the first two.
The EPDP has already decided that ICANN should probably create a Standardized System for Access and Disclosure — SSAD — that may enable law enforcement and intellectual property owners to get their hands on unredacted Whois records.
But governments, IP interests and others have already dismissed the plan as useless, and there’s still a big question mark over whether SSAD is too complex and expensive to be worth implementing.
In the third phase, EPDP members will be discussing rules on distinguishing between legal and natural persons when record-holders decide what info to make public, and whether there should be a standardized system of unique, anonymized email forwarders to contact domain registrants.
They’re both less divisive topics than have been previously addressed, but not without the potential for fireworks.
The email issue, for example, could theoretically enable people to harvest a registrant’s entire portfolio of domains, something very useful for law enforcement and IP lawyers but abhorrent to privacy advocates.
The previous two phases were chaired by Kurt Pritz and Janis Karklins, with Rafik Dammak acting as vice-chair.
After 20 years, DomainTools takes its first VC dough
DomainTools has taken a “significant” investment from a venture capital firm, the first outside funding its received in its 20-year history.
The amount of the investment is undisclosed, but DomainTools said its investor is Battery Ventures.
Battery already owns stakes in numerous software and technology companies, but this appears to be its first foray into the domain name space.
Its principal, Jordan Welu, and partner Dave Tabors will join DomainTools’ board of directors and Andy Rothery, a Battery “executive-in-residence”, will become its executive chairman.
DomainTools said in a press release:
This investment will drive more rapid innovation in DomainTools’ platform capabilities for machine learning-based threat analytics and predictive risk scoring, along with enhanced product development around automating threat intelligence and incident response workflows.
The company is all about the “threat intelligence” nowadays, no doubt partly due to the fact that its original mission of aggregating the world’s Whois data will become decreasingly useful in light of privacy laws such as GDPR.
As a private company its financial position is unknown, but I’ll note that it did take a big chunk of change out of the US taxpayers’ pocket earlier this year under a government coronavirus-related corporate-relief program.
Masochistic mug urgently wanted for thankless, pay-free ICANN leadership role
ICANN still hasn’t found itself a volunteer to head up the next round of no-doubt contentious discussions about Whois policy.
Today it put out its second call for a chair of the Expedited Policy Development Process working group, which is continuing to square the circle of keeping Whois data compliant with data protection law whilst also allowing cops and IP lawyers access to the data.
The EPDP was supposed to have concluded a few months ago with the end of the second phase of talks, but a couple of issues were left unresolved, leading to the creation of a third phase, being spun as “Phase 2a”.
The first issue still to be discussed is if and how registries and registrars should be obliged to make a distinction between the data of private individuals, which is protected by law, and legal entities, which isn’t.
The second is whether it would be possible to have a uniform system of anonymized email addresses across Whois records.
They’re not exactly the most controversial of topics under the Whois umbrella, but they’re not easy asks either.
And the role of chair is time-consuming, uncompensated, with few perks.
ICANN wants somebody who is neutral and, unstated but perhaps more importantly, perceived to be neutral. The chairs of the previous two phases have been policy heavy-hitters Kurt Pritz and Janis Karklins.
It also wants somebody with “considerable experience in chairing working groups”, which immediately drains the pool of potential applicants.
If previous phases of the EPDP are any guide, the successful applicant will have to herd the cats through dozens of hours of teleconferences — the more-complex phase two had 74 meetings, most of which were two hours long.
For their efforts, the chair gets no money, and because of coronavirus travel restrictions they won’t even get paid junkets to international face-to-face meetings.
And if the output of the next phase is anywhere as near as divisive as phase two, they probably won’t win much praise either.
That’s perhaps why ICANN has extended the deadline for expressions of interest from last Friday to November 23.
Applicants go here.
ICANN denies Whois policy “failure” as Marby issues EU warning
ICANN directors have denied that recently delivered Whois policy recommendations represent a “failure” of the multistakeholder model.
You’ll recall that the GNSO Council last month approved a set of controversial recommendations, put forward by the community’s EPDP working group, to create a semi-centralized system for requesting access to private Whois data called SSAD.
The proposed policy still has to be ratified by the ICANN board of directors, but it’s not on the agenda for this week’s work-from-home ICANN 69 conference.
That has not stopped there being some robust discussion, of course, with the board talking for hours about the recommendations with its various stakeholder groups.
The EPDP’s policy has been criticized not only for failing to address the needs of law enforcement and intellectual property owners, but also as a failure of the multistakeholder model itself.
One of the sharpest public criticisms came in a CircleID article by Fabricio Vayra, IP lawyer are Perkins Coie, who tore into ICANN last month for defending a system that he says will be worse than the status quo.
But ICANN director Becky Burr told registries and registrars at a joint ICANN 69 session last week: “We don’t think that the EPDP represents a failure of the multistakeholder model, we actually think it’s a success.”
“The limits on what could be done in terms of policy development were established by law, by GDPR and other data protection laws in particular,” she added.
In other words, it’s not possible for an ICANN working group to create policy that supersedes the law, and the EPDP did what it could with what it was given.
ICANN CEO Göran Marby doubled down, not only agreeing with Burr but passing blame to EU bureaucrats who so far have failed to give a straight answer on important liability issues related to the GDPR privacy regulation.
“I think the EPDP came as far as it could,” he said during the same session. “Some of the people now criticizing it are rightly disappointed, but their disappointment is channeled in the wrong direction.”
He then referred to his recent outreach to three European Commission heads, in which he pleaded for clarity on whether a more centralized Whois model, with more liability shifted away from registrars to ICANN, would be legal.
A failure to provide such clarity would be to acknowledge that the EPDP’s policy proposals are all just fine and dandy, despite what law enforcement and some governments believe, he suggested.
“If the European Union, the European Commission, member states in Europe, or the data protection authorities don’t want to do anything, they’re happy with the situation,” he told registrars and registries.
“If they don’t take actions now, or answer our questions, they’re happy with the way people or organizations get access to the Whois data… it seems that if they don’t change or do anything, they’re happy, and then were are where we are,” he said.
He reiterated similar thoughts at sessions with other stakeholders last week.
But he faced some pushback from members of the pro-privacy Non-Commercial Stakeholders Group, particularly during an entertaing exchange with EPDP member Milton Mueller, who’s unhappy with how Marby has been characterizing the group’s output to the EU.
He specifically unhappy with Marby telling the commissioners: “Should the ICANN Board approve the SSAD recommendations and direct ICANN org to implement it, the community has recommended that the SSAD should become more centralized in response to increased legal clarity.”
Mueller reckons this has no basis in what the EPDP recommended and the GNSO Council approved. It is what the IP interests and governments want, however.
In response, Marby talked around the issue and seemed to characterize it as a matter of interpretation, adding that he’s only trying to provide the ICANN community with the legal clarity it needs to make decisions.
Europe’s top dogs could decide the future of Whois
ICANN is pleading with the European Commission for legal clarity to help solve the two-year-old fight over the future of Whois in the age of GDPR.
CEO Göran Marby has written to three commissioners to ask for a definitive opinion on whether a centralized, mostly automated Whois system would free up registries and registrars from legal liability if their customers’ data is inappropriately disclosed.
It’s a question ICANN has been asking for years, but this time it comes after the ICANN community has come up with a set of policy recommendations that would create something called SSAD, for System for Standardized Access/Disclosure.
SSAD is supported by registries, registrars and non-commercial interests, but has been broadly criticized by governments, intellectual property interests, security experts and others as being not fit for purpose.
While it would create a centralized gateway for funneling Whois queries to contracted parties, and an accreditation system for those making the queries, the decision to accept or refuse the query would still lie with registries and registrars and be largely human-powered.
It’s been described as a glorified, $9 million-a-year ticketing system that will fail to provide better access to Whois to those who say they need it (largely the IP interests).
But registries and registrars say they cannot accept a solution that offloads decision-making to a centralized third party such as ICANN, unless that third party shoulders all the legal liability for mistakes, and whether that’s possible is far from clear this early in the life of GDPR.
As Marby told the commissioners:
Legal clarity could mean the difference between ICANN having a fragmented system that routes most requests for access to non-public registration data from requestors to thousands of individual registries and registrars for a decision, on the one hand, versus ultimately being able to implement a centralized, predictable solution in which decisions about whether or not to disclose non-public registration data in most or all cases could be made consistently, predictably, in a manner that is transparent and accountable to requestors and data subjects alike.
In GDPR lingo, the question is who becomes the “controller” of the data in a centralized system. The controller is the one that could get slapped with huge fines in the event of a privacy breach.
There’s a concept of “successive controllers”, where data is passed through a chain of handlers. ICANN wants clarity on whether, should a registrar send data to an ICANN central gateway, its liability ends there, before the final disclosure decision is made.
It’s asking the European Commission to exercise its authority under the GDPR to force the European Data Protection Board to issue a blanket opinion clarifying these issues, with the expectation that SSAD as currently envisaged could evolve over time to be something more like what the IP folk want.
For ICANN, such a ruling could help quell criticism from its influential advisory bodies, notably the Governmental Advisory Committee, which have come out strongly against the SSAD proposals.
If ICANN chooses to wait for the European Commission and EDPB responses to its new request, it’s highly unlikely we’re going to see the ICANN board fully approve SSAD at its annual general meeting later this month.
Whois plan approved, but it may be a waste of money
ICANN’s GNSO Council has approved a plan to overhaul Whois and sent it to the ICANN board for the royal assent, alongside a warning that it may be a huge waste of money.
All seven members of the Contracted Parties House voted in favor of the plan, created by the so-called EPDP working group, which would create a centralized System for Standardized Access/Disclosure for Whois records.
In the Non-Contracted Parties House, only the two members of the Intellectual Property Constituency and the two members of the Business Constituency voted against the headline resolution, with the remaining nine voting in favor.
This was sufficient to count as a supermajority, which was the threshold required.
But the board will be receiving the SSAD recommendations alongside a request for a consultation on “whether a further cost-benefit analysis should be conducted”:
Noting some of the questions surrounding the financial sustainability of SSAD and some of the concerns expressed within the different minority statements, the GNSO Council requests a consultation with the ICANN Board as part of the delivery of the GNSO Council Recommendations Report to the ICANN Board to discuss these issues, including whether a further cost-benefit analysis should be conducted before the ICANN Board considers all SSAD-related recommendations for adoption.
The cost of SSAD is currently estimated by ICANN loosely at $9 million to build and $8.9 million a year to run. Under the approved recommendations, it would be paid for by accreditation fees paid by end-user data requestors.
And the benefits?
Well, to listen to the IPC, BC, governments and security experts — collectively the expected customers of SSAD — the system will be a bit rubbish and maybe not even worth using.
They complain that SSAD still leaves ultimate responsibility for deciding whether to grant access to Whois records to trained humans at individual registries and registrars. They’d prefer a centralized structure, with much more automation, more closely resembling the pre-GDPR universe.
Contracted parties counter that if GDPR is going to hold them legally responsible for disclosures, they can’t risk offloading decision-making to a third party.
But this could prove a deterrent to adoption, and if fewer companies want to use SSAD that could mean less revenue to fund it which in turn could lead to even higher prices or the need for subsidies out of ICANN’s budget.
The IPC called the recommendations “an outcome that will not meet the needs of, and therefore will not be used by, stakeholders”.
It’s a tricky balancing act for ICANN, and it could further extend the runway to implementation.
The most likely first chance the ICANN board will get to vote on the recommendations would be the AGM, October 22, but if the GNSO consultation concludes another cost/benefit analysis is due, that would likely push the vote out into 2021.
There’s the additional wrinkle that three of ICANN’s four advisory committees, including the governments, have expressed their displeasure with the EPDP outcome, which is likely to add complexity and delay to the roadmap.
And the GNSO’s work on Whois is not even over yet.
Also during today’s meeting, the Council started early talks on whether to reopen the EPDP to address the issues of data accuracy, whether registrars should be obliged to distinguish between legal and natural persons, and whether it’s feasible to have a uniform system of anonymized email addresses in Whois records.
Recent Comments