Latest news of the domain name industry

Recent Posts

The pricey, complex, clusterfuck plan to reopen Whois

Kevin Murphy, August 3, 2020, Domain Policy

After a little more than two years, an ICANN working group has finalized the policy that could allow people to start accessing unredacted Whois records again.

Despite the turnaround time being relatively fast by ICANN standards, the Expedited Policy Development Process group has delivered what could be the most lengthy and complex set of policy recommendations I’ve seen since the policy work on new gTLDs over a decade ago.

Don’t get too excited if you’re itching to get your hands on Whois data once more. It’s a 171-page document containing over a hundred recommendations that’s bound to take ages to implement in full, if it even gets approved in the coming weeks.

I’d be surprised if it’s up and running fully before 2022 at the earliest. If and when the system does eventually come online, don’t expect to get it for free.

It’s already being slammed in multiple quarters, with one constituency saying it could result in a “multi-year-implementation resulting in a system which would effectively be a glorified, overly complex and very expensive ticketing system”.

Trademark owners are livid, saying the proposed policy completely fails to address their needs, and merely entrenches the current system of registrar discretion into formal ICANN policy.

The recommendations describe a proposed system called SSAD, for System for Standardized Access/Disclosure, which would be overseen by ICANN and enforced through its contracts with registries and registrars.

It’s a multi-tiered system involving a few primary functions, wrapped in about a thousand miles of red tape.

First and foremost, you’ve got the Central Gateway Manager. This would either be ICANN, or a company to which ICANN outsources. Either way, ICANN would be responsible for overseeing the function.

The gateway manager’s job is to act as a middleman, accepting Whois data requests from accredited users and forwarding them to registries and registrars for processing.

In order to access the gateway, you’d need to be accredited by an Accreditation Authority. Again, this might be ICANN itself or (more likely) a contractor.

The policy recommendations only envisage one such authority, but it could rely on a multitude of Identity Providers, entities that would be responsible for storing the credentials of users.

It’s possible all of these roles and functions could be bundled up in-house at ICANN, but it appears the far more likely scenario is that there will be a bunch of RFPs coming down the pike for hungry contractors later this year.

But who gets to get accredited?

Anyone with a “legitimate interest or other lawful basis”, it seems. The document is far from prescriptive or proscriptive when it comes to describing possible users.

But the recommendations do give special privileges to governments and government-affiliated entities such as law enforcement, consumer protection bodies and data privacy watchdogs.

For law enforcement agencies, the proposed policy would mandate fully automated processing at the gateway and at the registry/registrar. It sounds like cops would get pretty much instant access to all the Whois data they need.

Requests just the for city field of the record would also be fully automated, for any accredited requestor.

There would be at least three priorities of Whois request under the proposed system.

The first, “Urgent”, would be limited to situations that “pose an imminent threat to life, serious bodily injury, critical infrastructure (online and offline) or child exploitation”. Non-cops could use this method too. Contracted parties would have one business day or three calendar days to respond.

The second would be limited to ICANN-related procedures like UDRP and URS, and registrars would have a maximum of two business days to respond.

The third would encapsulate all other requests, with some priority given to fraud or malware-related requests. Response times here could be a long as 10 days.

I’m trying to keep it simple here, but a lot of the recommendations describe the aforementioned red tape surrounding each stage of the process.

Registrars and registries would be bound to service level agreements, there’d be appeals processes for rejected requests, there’d be logging, audits, reporting, methods to de-accredit users and methods for them to appeal their de-accreditation… basically a shedload of checks and balances.

And who’s going to pay for it all?

ICANN’s latest guesstimate is that SSAD will cost $9 million to build and another $8.9 million annually to operate.

It seems the main burden will be placed on the shoulders of the end-user requestors, which will certainly have to pay for accreditation (which would have to be renewed periodically) and may have to pay per-query too.

Trademark lawyers within the ICANN community are furious about this — not because they have to pay, but because SSAD functionality does “not come close to justifying the costs”.

They’d envisaged a system that would be increasingly automated as time went by, eventually enabling something pretty much like the old way of doing Whois lookups, but say the current proposals preclude that.

It’s also not impossible that the system could lead to higher fees for registrants.

The EPDP group is adamant that domain registrants should not have to pay directly when somebody queries their Whois data, and says the SSAD should be cheaper to run for registrars than the current largely manual system, but acknowledges there’s nothing ICANN can do to stop registrars raising their prices as a result of the proposed policy.

The recommendations say that ICANN should not take a profit from SSAD, but do not discount its contractors from making a fair return from their work.

Prices are, like much else described in this Final Report, still very much TBD. The EPDP working group was given a lot to accomplish in very little time, and there’s a lot of buck-passing going on.

And there’s no guarantee that the policy will even be approved in the short term, given the level of dissent from working group participants.

Before the recommendations become formal Consensus Policy — and therefore binding on all registries and registrars — they first have to be approved by the GNSO Council and then the ICANN board of directors.

The first opportunity for the GNSO Council to vote is at its meeting September 24, but it could be a very tight vote.

For an EPDP to pass, it needs a supermajority vote of the Council, which means a two-thirds majority of both “houses” — the Contracted Parties House (ie, registries and registrars) and the Non-Contracted Parties house — or a 75% approval in one house and a simple majority in the other.

The way things stand, it looks to me like the CPH will very likely vote 100% in favor of the proposal, which means that only seven out of the 13 NCPH members will have to vote in favor of the report in order for it to pass.

The NCPH is made up of six people from the Non-Commercial Stakeholders Group, which generally hold pro-privacy views and have already criticized the report as not going far enough to protect registrants’ data.

Six more NCPH members comprise two members each from the Intellectual Property Constituency, Business Constituency and Internet Service Providers Constituency.

The IPC and BC put their names to a joint minority statement in the Final Report saying that its recommendations:

amount to little more than affirmation of the [pre-EPDP] status quo: the elements of WHOIS data necessary to identify the owners and users of domain names are largely inaccessible to individuals and entities that serve legitimate public and private interests.

I’m chalking those four Council members down as reliable “no” votes, but they’ll need the support of the two ISP guys and the wildcard Nominating Committee appointee in order to bury this policy proposal.

If it does pass the Council, the next and final stage of approval for SSAD would be the ICANN board, probably at ICANN 69 in October.

But then ICANN would actually have to build the damn thing.

This would take many months of implementation and review, then there’d have to be multiple RFP processes to select the companies to write the software and build the infrastructure to run it, who’d then actually have to build and test it.

In the same guesstimate that put a $9 million price tag on the system, ICANN reckoned that it would take a full year for a third party to build and test SSAD. That’s not even taking registrar integration into account.

So, if you’re looking for streamlined Whois access again, you’d best think 2022 at the very earliest, if ever.

If you wish to read the EPDP working group’s Final Report, you can do so here (pdf).

UPDATE: This article originally misstated the date of the next GNSO Council meeting at which this proposal could be considered. It’s not August 20. It’s September 24, which means initial ICANN board consideration is out in October. Add another month to whatever timeline you were hoping for.

GoDaddy starts protecting American customers’ privacy

GoDaddy has today started redacting the Whois records of its US-based customers, bringing them into line with the European counterparts.

The company was one of the few registrars to differentiate its European customers from those elsewhere when it implemented the EU’s General Data Protection Regulation two years ago, primarily because it was also one of the dwindling number of registrars charging for Whois privacy services.

American privacy customers are reportedly to be offered a partial refund or the chance to upgrade to a service that also includes two-factor authentication and malware scans.

From today, Whois records for American registrants only show a registrant organization, state and country. Email addresses and phone numbers are gone.

While this is no doubt a boon to most GoDaddy customers in terms of privacy protection, it’s likely to cause frowns in those parts of the community that rely upon Whois to make the job of tracking down ne’er-do-wells easier.

As the largest registrar by a considerable margin, the likes of law enforcement, intellectual property owners and security researchers have just lost access to millions of records.

There is a contact form at the bottom of each record that can be used to get in touch with the registrant, via GoDaddy, so it should still be possible to communicate with those who want to be communicated with.

Is ICANN chickening out of Whois access role?

Kevin Murphy, May 26, 2020, Domain Policy

As talks over a centralized system for Whois access enter their eleventh hour, confusion has been sown over whether ICANN still wants to play ball.

The ICANN working group tasked with creating a “unified access model” for Whois data, currently rendered private by the GDPR privacy law, was forced last week to ask ICANN’s board of directors three blunt questions about how it sees its future role.

The group has been working for two years on a system of Whois access based around a central gateway for requests, which could be made only by those given credentials by an accreditation authority, which would also be able to revoke access rights if abused.

The proposed model as a whole has come to be known as SSAD, for System for Standardized Access/Disclosure.

The assumption has been that ICANN would act in these roles, either hands-on or by subcontracting the functions out to third parties, largely because ICANN has given every indication that it would and is arguably inventor of the concept.

But that assumption was thrown into doubt last Thursday, during a working group teleconference, when ICANN board liaison Chris Disspain worried aloud that the group may be pushing ICANN into areas beyond its remit.

Disspain said he was “increasingly uncomfortable with the stretching of ICANN’s mandate”, and that there was no guarantee that the board would approve a policy that appeared to push it outside the boundaries of its mission statement and bylaws.

“While it may be convenient and it might seem to solve the problem to say ‘Well, let ICANN do it’, I don’t think anyone should assume that ICANN will,” he said.

He stressed that he was speaking in his personal capacity rather on behalf of the board, but added that he was speaking based on his over eight years of experience on the board.

He spoke within the context of a discussion about how Whois access accreditation could be revoked in the event that the user abused their privileges, and whether an ICANN department such as Compliance should be responsible.

Several working group members expressed surprise at his remarks, with Milton Mueller of the Non-Commercial Stakeholders Group later calling it “a sudden and rather suspicious departure from nearly two years of ICANN Org statements and activities”.

The confusion comes at a critical juncture for the working group, which has to wrap up its work before chair Janis Karklins quits on June 30.

Karklins wrote to the board late last week to ask:

If SSAD becomes an adopted consensus policy, would ICANN Org will perform the Accreditation Authority function?

If SSAD becomes an adopted consensus policy, would ICANN Org will perform the central Gateway function?

If SSAD becomes an adopted consensus policy, would ICANN Org enforces compliance of SSAD users and involved parties with its consensus policy?

It’s a kinda important set of questions, but there’s no guarantee ICANN will provide straight answers.

When the working group, known as the EPDP, wraps up, the policy will go to the GNSO Council for approval before it goes to the board.

Irony alert! Data protection agency complains it can’t get access to private Whois data

Kevin Murphy, May 26, 2020, Domain Policy

A European data protection authority has complained to ICANN after a registrar refused to hand over one of its customers’ private Whois records, citing the GDPR data protection regulation, according to ICANN.

Compounding the irony, the DPA wanted the data as part of its probe into an alleged GDPR violation at the domain in question.

This is the frankly hilarious scenario outlined in a letter (pdf) from ICANN boss Göran Marby to Andrea Jelinek, chair of the European Data Protection Board, last week.

Since May 2018, registrars and registries have been obliged under ICANN rules to redact all personally identifiable information from public Whois records, because of the EU’s General Data Protection regulation.

This has irked the likes of law enforcement and intellectual property owners, who have found it increasingly difficult to discover the identities of suspected bad actors such as fraudsters and cybersquatters.

Registrars are still obliged to hand over data upon request in certain circumstances, but the rules are vague, requiring a judgement call:

Registry and Registrar MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

While an ICANN working group has been attempting to come up with a clearer-cut set of guidelines, administered by a central body, this so-called SSAD (System for Standardized Access/Disclosure) has yet to come to fruition.

So when an unidentified European DPA recently asked a similarly unidentified non-EU registrar for the Whois data of somebody they suspected of GDPR violations, the registrar told it to get stuffed.

It told the DPA it would “not act against a domain name without any clear and unambiguous evidence for the fraudulent behavior” and said it would respond to legal requests in its own jurisdiction, according to ICANN.

The DPA complained to ICANN, and now ICANN is using that complaint to shame the EDPB into getting off the fence and providing some much-needed clarity about when registrars can declassify Whois data without breaking the law.

Marby wrote that registrars are having to apply their “subjective judgment and discretion” and will most often come down on the side of registrants in order to reduce their GDPR risk. He wrote:

ICANN org would respectfully suggest to the EDPB that a more explicit recognition of the importance of certain legitimate interests, including the relevance of public interests, combined with clearer guidelines on balancing, could address these problems.

ICANN org would respectfully suggest to the EDPB to consider issuing additional specific guidance on this topic to ensure that entities with a legitimate interest in obtaining access to non-public gTLD registration data are able to do so. Guidance would in particular be appreciated on how to balance legitimate interests in access to data with the interests of the data subject concerned

ICANN and the EDPB have been communicating about this issue for a couple of years now, with ICANN looking for some clarity on this largely untested area of law, but the EDPB’s responses to data have been pretty vague and unhelpful, almost as if it doesn’t know what the hell it’s doing either.

Will this latest example of the unintended consequences of GDPR give the Board the kick up the bum it needs to start talking in specifics? We’ll have to wait and see.

Whois privacy talks in Bizarro World as governments and trademark owners urge coronavirus delay

Kevin Murphy, April 15, 2020, Domain Policy

Coronavirus may have claimed another victim at ICANN — closure on talks designed to reopen private Whois data to the likes of law enforcement and trademark owners.

In a remarkable U-turn, the Governmental Advisory Committee, which has lit a series a fires under ICANN’s feet on this issue for over a year, late last week urged that the so-called Expedited Policy Development Process on Whois should not wrap up its work in June as currently planned.

This would mean that access to Whois data, rendered largely redacted worldwide since May 2018 due to the GDPR regulation in Europe, won’t be restored to those who want it as quickly as they’ve consistently said that they want it.

Surprisingly (or perhaps not), pro-access groups including the Intellectual Property Constituency and Business Constituency sided with the GAC’s request.

In an email to the EPDP working group’s mailing list on Thursday, GAC chair Manal Ismail indicated that governments simply don’t have the capacity to deal with the issue due to the coronavirus pandemic:

In light of the COVID-19 pandemic, and its drastic consequences on governments, organizations, private sector and individuals worldwide, I would like to express our serious concerns, as GAC leaders, that maintaining the current pace of work towards completion of Phase 2 by mid-June could jeopardize the delivery, efficacy and legitimacy of the EPDP’s policy recommendations.

While recognizing that the GAC has continually advised for swiftly completing policy development and implementing agreed policy on this critical public policy matter, we believe that given the current global health emergency, which puts many in the EPDP and the community under unprecedented stress (for example governments has been called to heightened duties for the continuity of essential public services), pressing important deliberations and decisions in such a short time frame on already strained participants would mean unacceptably sacrificing the product for the timeline.

We understand there are budget and human resources considerations involved in the completion of Phase 2 of the EPDP. However, we are all living through a global health pandemic, so we call on the EPDP Team to seriously reassess its course and expectations (be it on the duration of its calls, the turn-around time of reviews, its ultimate timeline and budget) emulating what numerous governments, global organizations, and households are doing to adapt during these challenging times across the world.

In April last year, before the EPDP group had even formally started its current phase of talks, Ismail wrote to ICANN to say the GAC expected the discussions to be more or less wrapped up by last November and that the new policy be implemented by this April.

Proponents of the access model such as Facebook have taken to suing registrars for not handing over Whois data in recent months, impressing the need for the issue to be urgently resolved.

So to now request a delay beyond June is a pretty big U-turn.

While Ismail later retracted her request for delay last Thursday, it was nevertheless discussed by the working group that same day, where the IPC, the BC and the ALAC all expressed support for the GAC’s position.

The registrars and registries, the non-commercial users and the ISPs were not supportive.

Delay might be tricky. For starters, hard-sought neutral working group chair Janis Karklins, has said he can’t continue working on the project beyond June 30, and the group has not secured ICANN funding for any further extensions to its work.

It will be up to the GNSO Council to decide whether to grant the extension, and the ICANN board to decide on funding.

The working group decided on Thursday to ask the Council for guidance on how to proceed.

What’s worrying about the request, or at least the IPC and BC’s support of it, is that coronavirus may just be being deployed as an excuse to extend talks because the IP owners don’t like the proposal currently on the table.

“The reality is we’re looking at a result that is… just not going to be sufficient from our perspective,” MPAA lawyer Frank Journoud, an IPC rep on the working group, said on its Thursday call. “We don’t want the perfect to be the enemy of the good, but right now we’re not even going to get to good.”

The current state of play with the working group is that it published its initial report (pdf) for public comment in February.

The group is recommending something called SSAD, for Standardized System for Access and Disclosure, in which a central gateway provider, possibly ICANN itself, would be responsible for granting Whois access credentials and fielding requests to the relevant registries and registries.

The almost 70 comments submitted before the March 23 deadline have been published in an unreadable, eye-fucking Google spreadsheet upon which transparency-loving ICANN may as well have hung a “Beware of the Leopard” sign. The staff summary of the comments is currently nine days late.

Facebook WILL sue more registrars for cybersquatting

Kevin Murphy, March 13, 2020, Domain Registrars

Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.

Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.

In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.

In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.

Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.

The complaint is very similar to one filed against OnlineNIC (pdf) in October.

And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.

Speaking at the second public forum at ICANN 67 yesterday, she said:

This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.

Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.

Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.

The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:

We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.

UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.

Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.

Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.

The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.

Crunch time, again, for Whois access policy

Kevin Murphy, October 14, 2019, Domain Policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.

The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.

Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).

Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.

The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.

The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.

The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).

Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.

Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.

The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.

The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.

So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.

If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.

How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.

There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.

This will be a hot topic at ICANN 66 in Montreal next month.

Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

Airline hit with $230 million GDPR fine

Kevin Murphy, July 8, 2019, Domain Policy

British Airways is to be fined £183.39 million ($230 million) over a customer data breach last year, by far the biggest penalty to be handed out under the General Data Protection Regulation to date.

This story is not directly related to the domain name industry, but it does demonstrate that European data protection authorities are not messing about when it comes to GDPR enforcement.

About 500,000 BA customers had their personal data — including full payment card details — stolen by attackers between June and September last year, the UK Information Commissioner’s Office said today..

It is believed that they obtained the data not by hacking BA’s database, but rather by inserting a script hosted by third-party domain that executed whenever a customer transacted with the site, allowing credentials to be captured in real time.

The ICO said its decision to fine $183.39 million — which amounts to more than 1.5% of BA’s annual revenue — is preliminary and can be appealed by BA.

Under GDPR, which came into effect in May 2018, companies can be fined up to 4% of revenue.

The biggest pre-GDPR fine is reportedly the £500,000 penalty that Facebook was given due to the Cambridge Analytica scandal.

GDPR is of course of concern to the domain industry due to the ongoing attempts to make sure Whois databases are compliant with the laws.

Governments demand Whois reopened within a year

Kevin Murphy, April 29, 2019, Domain Policy

ICANN’s government advisers wants cops, trademark owners and others to get access to private Whois data in under a year from now.

The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.

The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.

She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.

It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.

It strikes me as a ludicrously ambitious deadline.

Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.

The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.

IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).

Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.

Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.

The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.

Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and bunch of its volunteer members have been swapped out.

Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.

The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.

For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.

With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.

Karklins beats LaHatte to chair ICANN’s Whois privacy team

Kevin Murphy, April 25, 2019, Domain Policy

Latvian diplomat and former senior WIPO member Janis Karklins has been appointed chair of the ICANN working group that will decide whether to start making private Whois records available to trademark owners.

Karklins’ appointment was approved by the GNSO Council last week. He beat a single rival applicant, New Zealand’s Chris LaHatte, the former ICANN Ombudsman.

He replaces Kurt Pritz, the former ICANN Org number two, who quit the chair after it finished its “phase one” work earlier this year.

Karklins has a varied resume, including a four-year stint as chair of ICANN’s Governmental Advisory Committee.

He’s currently Latvia’s ambassador to the United Nations in Geneva, as well as president of the Arms Trade Treaty.

Apparently fighting for Latvia’s interests at the UN and overseeing the international conventional weapons trade still gives him enough free time to now also chair the notoriously intense and tiring Expedited Policy Development Process on Whois, which has suffered significant burnout-related volunteer churn.

But it was Karklins’ one-year term as chair of the general assembly of WIPO, the World Intellectual Property Organization, that gave some GNSO Council members pause.

The EPDP is basically a big bloodless ruck between intellectual property lawyers and privacy advocates, so having a former WIPO bigwig in the neutral hot seat could be seen as a conflict.

This issue was raised by the pro-privacy Non-Commercial Stakeholders Group during GNSO Council discussions last week, who asked whether LaHatte could not also be brought on as a co-chair.

But it was pointed out that it would be difficult to find a qualified chair without some connection to some interested party, and that Karklins is replacing Pritz, who at the time worked for a new gTLD registry and could have had similar perception-of-conflict issues.

In the end, the vote to confirm Karklins was unanimous, NCSG and all.

The EPDP, having decided how to bring ICANN’s Whois policy into compliance with the General Data Protection Regulation, is now turning its attention to the far trickier issue of a “unified access model” for private Whois data.

It will basically decide who should be able to request access to this data and how such a system should be administered.

It will not be smooth sailing. If Karklins thinks international arms dealers are tricky customers, he ain’t seen nothing yet.