Latest news of the domain name industry

Recent Posts

Is the new Whois policy group already doomed to fail?

Kevin Murphy, July 24, 2018, Domain Policy

ICANN’s Generic Names Supporting Organization has set itself extremely aggressive, some might say impossible, targets for its emergency Whois policy work.

The GNSO Council on Thursday approved the charter for a new working group that will attempt to come up with a consensus policy for how to amend the Whois system in light of the EU’s General Data Protection Regulation.

But the vote was not unanimous — three of the six Non-Commercial Stakeholder Group councilors abstained largely because they think intellectual property interests have managed to capture the discussion before it has begun.

The three abstentions were independent consultant Ayden Ferdeline, cybersecurity policy researcher Tatiana Tropina, and privacy consultant Stephanie Perrin.

Tropina said during the Thursday meeting: “I cannot vote ‘yes’ for a document that in my opinion has parts that are not properly worded and, instead of setting the scope of the EPDP [Expedited Policy Development Process] work, set up multiple possibilities to get the work sidetracked.”

She and Ferdeline pointed specifically to section J of the approved charter (pdf), which addresses “reasonable access” to non-public Whois data.

This is the part of the policy work that will decide whether, and to what extent, entities such as trademark owners and cybersecurity researchers will be able to peek behind the curtain of post-GDPR personal data redactions and see who actually owns domain names.

There are several “gating” questions that the working group must answer before it gets to J, however, such as: what data should be collected by registrars, how data transfer to registries should be handled, and are the reasons for this data to be collected all valid?

But when it comes to section J, the abstaining NCSG councilors reckon that the Intellectual Property Community has managed to sneak in the notion that its members should get access to private data as a fait accompli. Section J reads in part:

What framework(s) for disclosure could be used to address (i) issues involving abuse of domain name registrations, including but not limited to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection, (ii) addressing appropriate law enforcement needs, and (iii) provide access to registration data based on legitimate interests not outweighed by the fundamental rights of relevant data subjects?

Ferdeline said in his abstention:

I believe that Section J includes, first and foremost, questions that unnecessarily expand the scope of this EPDP and put perceived answers — rather than genuine, open ended questions — into this important document. Overall I think this section of the charter’s scope is unnecessary and will not allow the EPDP team to complete their work in a timely manner.

Tropina said J “poses the questions that, first of all, imply by default that issues related to intellectual property protection and consumer protection require the disclosure of personal data”, adding that she was bewildered that IP interests had been lumped in with security concerns:

This wording fails me: as I am criminal lawyer working in the field of frameworks for cybercrime investigation, I do not see why cybercrime investigations are separated from law enforcement needs and go to the same basket with intellectual property protection as they are on a completely different level of legitimate demands

In short, the newly approved EPDP charter has been framed in such a way as to make discussions extremely fractious from the outset, pitting privacy interests against those of the trademark lobby on some of the most divisive wedge issues.

This is problematic given that the working group has an extremely aggressive schedule — its members have not yet even been named and yet it expects to produce its Initial Report shortly after ICANN 63, which ends October 25 this year.

It’s an absurdly short space of time to resolve questions that have dogged ICANN for almost two decades.

Will this pressure to come to agreement against the clock work in favor of the trademark community, or will it doom the policy-making process to deadlock?

Attempting to steer the WG through this minefield will be Kurt Pritz, who was confirmed by the Council as its neutral chair on Thursday, as DI first reported a week ago.

The make-up of the group has also proved contentious.

While it is a GNSO process that would lead to a Consensus Policy binding on all gTLD registries and registrars, the decision has been made to bring in voices from other areas of the community, such as the Country Code Names Supporting Organization, which will not be directly affected by the resulting policy.

There will be 29 members in total, not counting the non-voting chair.

The GNSO gets 18 of these seats at the table, comprising: three registries, three registrars, two IPC members, two ISPs, two Business Constituency members, six NCSG members (which, I imagine would be split between the privacy-focused NCUC and more IP-friendly NPOC).

But also joining the group on an equal footing will be two members of the Root Server System Advisory Committee (I’ve no idea why), two from the Security and Stability Advisory Committee, two from the ccNSO, two from the At-Large Advisory Committee and three from the Governmental Advisory Committee.

The actual individuals filling these seats will be named by their respective constituencies in the next few days, ahead of the first WG meeting July 30.

It has been said that these people could expect to devote north of 30 hours a week (unpaid of course, though any necessary travel will be comp’d) to the discussions.

Pritz to be named chair of Whois group

Kevin Murphy, July 16, 2018, Domain Policy

Former ICANN senior vice president Kurt Pritz is expected to be named chair of the group tasked with reforming Whois in the post-GDPR world.

Sources familiar with the situation tell DI that Pritz was selected from three candidates who put themselves forward for the grueling policy-making task.

I’m told that choice was made by GNSO Council’s leadership and selection committee (minus Pritz’s wife, Donna Austin, who recused herself) and will have to be confirmed by the full Council when it meets this Thursday.

Pritz would chair the GNSO’s first-ever Expedited Policy Development Process working group, which is expected to provide an ICANN community response to ICANN org’s recent, top-down Temporary Specification for Whois.

The Temp Spec, written by ICANN in response to the GDPR privacy law, is the thing that is contractually forcing all gTLD registries and registrars to redact personal information from their public Whois records.

Because it’s temporary, it will expire May 24 next year, one year after it came into effect.

The EPDP will put the force of community consensus behind the policy that replaces it, but it’s unlikely to differ a great deal from the Temp Spec, so it would be unwise to get your hopes up that Whois will return to pre-GDPR levels of accessibility — ICANN policy cannot overrule the law.

The EPDP chair’s job is expected to be extremely taxing. During the recent ICANN meeting in Panama, it was said that regular, non-chair working group members could be expected to commit as much as 30 hours a week to the project.

ICANN expects that the EPDP’s core work should be complete before ICANN 63, which begins October 20, with its final report due next February.

Given that the ICANN community has failed to come to much consensus on anything Whois related for two decades, these are extremely aggressive targets.

To maintain focus, the EPDP group is going to be kept relatively small, but there’s still bickering about the make-up of the group, with non-commercial interests upset the commercial side of house is getting more representation.

The chair’s role was therefore potentially controversial — neutrality was seen as a key quality when ICANN advertised the gig a couple of weeks ago.

Pritz currently works for the .art new gTLD registry operator UK Creative Ideas, so technically he would be in the Registries Stakeholder Group.

But he’s also one of the key architects of the new gTLD program, ICANN’s point man on the application process before his resignation in late 2012, so he has extensive experience herding cats in a relatively neutral way.

Since then, he’s had stints as a consultant and as executive director of the Domain Name Association.

Whois working group imploding in GDPR’s wake

Kevin Murphy, May 14, 2018, Domain Policy

An ICANN working group devoted to Whois policy is looking increasingly dead after being trumped by incoming European Union privacy law.

Registration Data Services PDP working group chair Chuck Gomes threw in the towel late last week, resigning from the group shortly after cancelling proposed face-to-face meetings scheduled for the Panama ICANN meeting in June.

That followed his announcement last month that the WG’s teleconferences were to be put on hold while ICANN works out how to respond to the General Data Protection Regulation, which comes into effect May 25, 11 days from now.

The WG had been working on ICANN’s future Whois policy since November 2015 but faced the usual impasses that occur whenever the various sides of the ICANN community face off over privacy.

Gomes, a former Versign executive who retired almost a year ago but stuck around to chair the RDS group, said he’d originally expected its work to wrap up in 2017.

Now, with GDPR rendering much of the discussions moot, there’s a feeling among some WG volunteers that they’ve been wasting their time.

ICANN’s response to GDPR is expected to be an emergency, top-down policy, written by staff and approved by the board, that would stay in place for a year.

The GNSO would then have a year to rally the community, under its own emergency procedures, to make formal policy to replace it for the long term.

There’s an open question about whether the RDS WG could be re-purposed to take on this task, but it’s my sense it’s more likely that a new group would be formed.

It may prove more challenging to recruit volunteers to such a group given the experiences of the RDS crowd.

Gomes, a long-time ICANN veteran and former GNSO Council chair, plans to spend more time travelling around in his RV with his wife. We wish them well.

Van Gelder remembered in GNSO resolution

Kevin Murphy, April 30, 2018, Domain Policy

Former GNSO Council chair Stéphane Van Gelder, who died last month, has been remembered in a motion passed by the Council on Friday.

The motion noted that Van Gelder was “a well-respected and much liked” member of the ICANN community, “admired for his passion, his fairness, his ability to find the best in people and his true gift for uniting people.”

It recognizes the “significant contribution” he made to the GNSO, his “genuine passion, energy and commitment” to his role, and concludes by offering “heartfelt sympathies to his family and friends”.

I’m reproducing the whole motion, which was obviously passed unanimously, here:

Whereas:

  1. 1. Stéphane Van Gelder first entered the domain name business in the late 1990s when he founded Indom, a registrar in France, which later become part of the GroupNBT based in the United Kingdom. It was while Stéphane was General manager of INDOM that he was elected to the GNSO Council by the Registrar Stakeholder Group.
  2. 2. Stéphane served on the GNSO Council from 2008 through 2012, as an elected representative of the Registrars Constituency.
  3. 3. Stéphane served as Vice Chair of the GNSO Council in 2010 and was elected and served two consecutive terms as Chair of the GNSO Council in 2011 and 2012.
  4. 4. As Chair of the GNSO Council, Stéphane was an impartial and neutral facilitator on all issues. For Stéphane, remaining neutral was key to ensuring collective dialogue.
  5. 5. Stéphane made significant contributions to ICANN and was a strong and respected community leader. During his tenure as GNSO Chair, Stéphane oversaw and shepherded the:
    1. a. completion of an extensive update of the GNSO’s operating procedures;
    2. b. establishment of the DNS Security & Stability Analysis working group jointly with the ALAC, ccNSO and NRO;
    3. c. completion of the Fast Flux, Post-Expiration Domain Name Recovery and Inter-Registrar Transfer Policy (IRTP) Part B Policy Development Processes (PDPs) and the joint ccNSO-GNSO Internationalized Domain Name working group;
    4. d. launch of the IRTP Part C, Thick WHOIS and Locking of Domain Names subject to Uniform Dispute Resolution Policy Proceedings PDPs; and (e) continuing work on WHOIS studies, registration abuse policies, and multiple other GNSO projects.
    5. e. the completion of the Applicant Guidebook for the 2012 New gTLD Program and the launch of the Program.
    6. f. Stéphane was a well-respected and much liked member of not only the GNSO, but of the broader ICANN Community. He was admired for his passion, his fairness, his ability to find the best in people and his true gift for uniting people.
    7. g. Stéphane’s passing is a great loss to the many people in the ICANN community that had the pleasure to work and interact with him, and for his many friends at ICANN the loss is significant.

Resolved:

  1. 1. The GNSO Council wishes to recognize the significant contribution Stéphane made to the GNSO Council during his tenure and his notable achievements during this time.
  2. 2. Stéphane’s genuine passion, energy and commitment to the Internet and all that it brought to the world was second to none and we will miss him dearly.
  3. 3. On behalf of the current and previous GNSO Councils, we offer our deepest and heartfelt sympathies to his family and friends at this most difficult time.

Van Gelder died after an automobile accident, which also injured his wife, in Switzerland at the end of March.

Now GNSO mulls emergency response to GDPR deadline

Kevin Murphy, April 16, 2018, Domain Policy

ICANN’s GNSO Council is thinking about deploying a never-before-used emergency mechanism to develop a Whois privacy policy in response to GDPR.

With the May 25 deadline for compliance with the EU’s General Data Protection Regulation fast approaching, the community is scrambling to figure out how it can bring ICANN’s policies and therefore its contracts into line with the Draconian privacy provisions of the new law.

Currently, ICANN contracts with registries and registrars demand the publication of full Whois records, something GDPR will not permit, so each company in the industry is busily figuring out how its own Whois database will comply.

Fearful of a “fragmented” Whois, ICANN’s board of directors is considering deploying its own top-down emergency measure — called a Temporary Policy in its contracts — to ensure uniformity across its contracts.

CEO Goran Marby revealed to DI earlier this month that a Temporary Policy was being considered, and he and other members of the board confirmed as much to GNSO leadership during a telephone briefing last week.

(It should be noted that the call took place prior to the receipt last week of guidance from the EU Article 29 Working Party, which prompted ICANN to start mulling legal options as one way to buy the industry some time to comply post-May.)

The call (recorded here with password Eur3wiEK and summarized in this letter (pdf)), focused almost exclusively on how the Council could respond to a board-mandated Temporary Policy, with the board suggesting a GNSO Expedited Policy Development Process might be the best way to proceed.

A Temporary Policy would expire within a year, so the GNSO would have to come up with a formal Consensus Policy within that time-frame if ICANN were to have any hope of having a uniform view of Whois across its contracts.

The Temporary Policy is a “strong option” for the board, and a “highly likely or likely” outcome, but nothing has been formally decided, the GNSO leaders heard from ICANN vice-chair Chris Disspain. He was briefly challenged by Marby, who appeared somewhat more committed to the move.

While the GNSO Council has not yet formally decided to deploy the EPDP, it appears to be the most-feasible option to meet the deadline a Temporary Policy would impose.

It is estimated that an EPDP could take as little as 360 days, compared to the estimated 849 days of a regular PDP.

The EPDP cuts out several of the initial steps of a regular PDP — mainly the need for an Initial Report and associated public comment period — which by my reading would shorten the process by at least 100 days.

It also seems to give the GNSO some wriggle room in how the actual policy creation takes place. It appears that the regular “working group” structure could be replaced, for example, with a “drafting team”.

If the EPDP has the Temporary Policy and WP29 guidance as its baseline for discussions, that could also help cut out some of the circular argument that usually characterizes Whois discussions.

Aware that the EPDP is a strong possibility, the Council is currently planning to give itself a crash course in the process, which has never been used before by any iteration of the Council.

It’s uncharted territory for both the GNSO and the ICANN board, and the only people who seem to have a firm grasp on how the two emergency mechanisms slot together are the ICANN staffers who are paid to know such things.

UPDATE: A couple of hours after this article was published, ICANN posted this three-page flow-chart (pdf) comparing EPDP to PDP. Lots of luck.