Latest news of the domain name industry

Recent Posts

Price of Whois lookups could rise as ICANN delays reform work

Kevin Murphy, September 28, 2021, Domain Policy

ICANN has delayed the conclusion of work on Whois reform, potentially increasing the cost of requesting domain registration data in future.

Back in March, its board of directors gave the Org six months to complete the Operational Design Phase of the so-called SSAD, or System for Standardized Access and Disclosure, but that deadline passed this week.

It appears that ICANN is not even close to concluding its ODP work. No new deadline has been announced, but ICANN intends to talk to the community at ICANN 72 next month.

SSAD is a proposal created by the community and approved — not without controversy — by the GNSO Council. It would essentially create a centralized clearinghouse for law enforcement and intellectual property interests to request private registrant data from registries and registrars.

The ODP is a new process, never before used, whereby ICANN clarifies the community’s intentions and attempts to translate policy recommendations into a roadmap that is feasible and cost-effective to implement.

It seems this process suffered some teething troubles, which are partially responsible for the delays.

But it also appears that ICANN is having a hard time finding potential service provider partners capable of building and operating SSAD all by themselves, raising the prospect of a more complex and expensive piecemeal solution.

It had 17 responses to a recent RFI, but no respondent said it could cover all the bases.

The key sticking point, described by some as a “chicken and egg” problem, is figuring out how many people are likely to use SSAD and how often. If the system is too expensive or fails to deliver results, it will be used less. If it works like a charm and is cost-effective, query volumes would go up.

So ICANN is challenged to gaze into its crystal ball and find a sweet spot, balancing cost, functionality and usage, if SSAD is to be a success. So far, its estimates for usage range from 25,000 users making 100,000 requests a year to 3 million users making 12 million requests.

That’s how far away from concluding its work ICANN is.

Confounding matters, the longer ICANN drags its feet on the ODP phase, the more expensive SSAD is likely to be for the end users who will ultimately wind up paying for it.

In a webinar last week, CEO Göran Marby said that the SSAD project is meant to recover its own costs. Whatever ICANN is spending on the ODP right now is expected to be recouped from access fees when SSAD goes live.

“This should not cost ICANN Org anything,” he said. “The costs should be carried by the user.”

ICANN is working on the assumption that SSAD will eventually happen, but if the ODP decides not to implement SSAD, ICANN will have to eat the costs, he indicated.

When the ICANN board approved this ODP, it did not specify how much money was being allocated to the project.

A second and separate ODP, looking at the next round of new gTLDs, was earlier this month given $9 million to conduct an anticipated 10-month project.

Will you use SSAD for Whois queries?

Kevin Murphy, July 9, 2021, Domain Policy

ICANN is pinging the community for feedback on proposed Whois reforms that would change how people request access to private registrant data.

The fundamental question is: given everything you know about the proposed System for Standardized Access and Disclosure (SSAD), how likely are you to actually use it?

The SSAD idea was dreamed up by a community working group as the key component of ICANN’s response to privacy laws such as GDPR, and was then approved by the Generic Names Supporting Organization.

But it’s been criticized for not going far enough to grant Whois access to the likes of trademark lawyers, law enforcement and security researchers. Some have called it a glorified ticketing system that will cost far more than the value it provides.

Before the policy is approved by ICANN’s board, it’s going through a new procedure called the ODP, for Operational Design Phase, in which ICANN staff, in coordination with the community, attempt to figure out whether SSAD would be cost-effective, or even implementable.

The questionnaire released today will be an input to the ODP. ICANN says it “will play a critical role in assessing the feasibility and associated risks, costs, and resources required in the potential deployment of SSAD.”

There’s only eight questions, and they mostly relate to the volume of private data requests submitted currently, how often SSAD is expected to be used, and what the barriers to use would be.

ICANN said it’s asking similar questions of registries and registrars directly.

There’s a clear incentive here for the IP and security factions within ICANN to low-ball the amount of usage they reckon SSAD will get, whether that’s their true belief or not, if they want ICANN to strangle the system in its crib.

It’s perhaps noteworthy that the potential user groups the questionnaire identifies do not include domain investors nor the media, both of which have perfectly non-nefarious reasons for wanting greater access to Whois data. This is likely because these communities were not represented on the SSAD working group.

You can find the questionnaire over here. You have until July 22.

Public comments open on new Whois policies

Kevin Murphy, February 11, 2021, Domain Policy

It’s your last chance to comment on ICANN’s proposed revisions to Whois policy.

ICANN has opened up public comments on what it opaquely calls EPDP Phase 2 Policy Recommendations for Board Consideration.

Why it just can’t use the term “Whois access”, or announce its public comment periods in layman’s terms is beyond me. Doesn’t it want public comments? Still, translating this nonsense into English keeps me in work, so I guess I won’t complain too hard.

The main feature of the proposed policy is a multi-tiered, somewhat centralized system for requesting access to Whois data about private registrants that has been redacted since the EU’s General Data Protection Regulation came into effect in May 2018.

It’s called SSAD, for System for Standardized Access and Disclosure, which was pieced together by a working group of community volunteers over a year.

Domain companies are generally okay with the compromise it represents, but intellectual property interests and others who would actually use the system think it’s a useless waste of money.

It’s expected to cost $9 million to build and $9 million a year to run.

There’s so much uncertainty about the system that in parallel with the public comments ICANN is also consulting with the GNSO Council, which approved the proposals in September, to figure out whether it’s even workable, and with the European Commission to figure out if it’s even legal.

After the public comment period closes on March 30, the comments will be compiled by ICANN staff and burned on a big fire sent to the ICANN board for final approval.

Whois privacy group finds its new chair

Kevin Murphy, December 8, 2020, Domain Policy

Verisign’s top policy veep is set to become the third chair of the ICANN working group looking at Whois policy in the post-GDPR world.

Keith Drazek has been recommended to head the long-running group, known as the EPDP, and the GNSO Council is due to vote on his appointment next week. He’s likely to be a shoo-in.

He’s VP of policy and government relations at the .com registry, and a long-standing member of the ICANN policy-making community.

I recently opined that ICANN was looking for a “masochistic mug” to chair the group. Drazek was until October the chair of the GNSO Council, and is therefore perfectly qualified for the role.

The third phase of the EPDP process, which in typical ICANNese is denominated “phase 2a”, is likely to be slightly less controversial than the first two.

The EPDP has already decided that ICANN should probably create a Standardized System for Access and Disclosure — SSAD — that may enable law enforcement and intellectual property owners to get their hands on unredacted Whois records.

But governments, IP interests and others have already dismissed the plan as useless, and there’s still a big question mark over whether SSAD is too complex and expensive to be worth implementing.

In the third phase, EPDP members will be discussing rules on distinguishing between legal and natural persons when record-holders decide what info to make public, and whether there should be a standardized system of unique, anonymized email forwarders to contact domain registrants.

They’re both less divisive topics than have been previously addressed, but not without the potential for fireworks.

The email issue, for example, could theoretically enable people to harvest a registrant’s entire portfolio of domains, something very useful for law enforcement and IP lawyers but abhorrent to privacy advocates.

The previous two phases were chaired by Kurt Pritz and Janis Karklins, with Rafik Dammak acting as vice-chair.

ICANN denies Whois policy “failure” as Marby issues EU warning

Kevin Murphy, October 19, 2020, Domain Policy

ICANN directors have denied that recently delivered Whois policy recommendations represent a “failure” of the multistakeholder model.

You’ll recall that the GNSO Council last month approved a set of controversial recommendations, put forward by the community’s EPDP working group, to create a semi-centralized system for requesting access to private Whois data called SSAD.

The proposed policy still has to be ratified by the ICANN board of directors, but it’s not on the agenda for this week’s work-from-home ICANN 69 conference.

That has not stopped there being some robust discussion, of course, with the board talking for hours about the recommendations with its various stakeholder groups.

The EPDP’s policy has been criticized not only for failing to address the needs of law enforcement and intellectual property owners, but also as a failure of the multistakeholder model itself.

One of the sharpest public criticisms came in a CircleID article by Fabricio Vayra, IP lawyer are Perkins Coie, who tore into ICANN last month for defending a system that he says will be worse than the status quo.

But ICANN director Becky Burr told registries and registrars at a joint ICANN 69 session last week: “We don’t think that the EPDP represents a failure of the multistakeholder model, we actually think it’s a success.”

“The limits on what could be done in terms of policy development were established by law, by GDPR and other data protection laws in particular,” she added.

In other words, it’s not possible for an ICANN working group to create policy that supersedes the law, and the EPDP did what it could with what it was given.

ICANN CEO Göran Marby doubled down, not only agreeing with Burr but passing blame to EU bureaucrats who so far have failed to give a straight answer on important liability issues related to the GDPR privacy regulation.

“I think the EPDP came as far as it could,” he said during the same session. “Some of the people now criticizing it are rightly disappointed, but their disappointment is channeled in the wrong direction.”

He then referred to his recent outreach to three European Commission heads, in which he pleaded for clarity on whether a more centralized Whois model, with more liability shifted away from registrars to ICANN, would be legal.

A failure to provide such clarity would be to acknowledge that the EPDP’s policy proposals are all just fine and dandy, despite what law enforcement and some governments believe, he suggested.

“If the European Union, the European Commission, member states in Europe, or the data protection authorities don’t want to do anything, they’re happy with the situation,” he told registrars and registries.

“If they don’t take actions now, or answer our questions, they’re happy with the way people or organizations get access to the Whois data… it seems that if they don’t change or do anything, they’re happy, and then were are where we are,” he said.

He reiterated similar thoughts at sessions with other stakeholders last week.

But he faced some pushback from members of the pro-privacy Non-Commercial Stakeholders Group, particularly during an entertaing exchange with EPDP member Milton Mueller, who’s unhappy with how Marby has been characterizing the group’s output to the EU.

He specifically unhappy with Marby telling the commissioners: “Should the ICANN Board approve the SSAD recommendations and direct ICANN org to implement it, the community has recommended that the SSAD should become more centralized in response to increased legal clarity.”

Mueller reckons this has no basis in what the EPDP recommended and the GNSO Council approved. It is what the IP interests and governments want, however.

In response, Marby talked around the issue and seemed to characterize it as a matter of interpretation, adding that he’s only trying to provide the ICANN community with the legal clarity it needs to make decisions.

Whois plan approved, but it may be a waste of money

Kevin Murphy, September 24, 2020, Domain Policy

ICANN’s GNSO Council has approved a plan to overhaul Whois and sent it to the ICANN board for the royal assent, alongside a warning that it may be a huge waste of money.

All seven members of the Contracted Parties House voted in favor of the plan, created by the so-called EPDP working group, which would create a centralized System for Standardized Access/Disclosure for Whois records.

In the Non-Contracted Parties House, only the two members of the Intellectual Property Constituency and the two members of the Business Constituency voted against the headline resolution, with the remaining nine voting in favor.

This was sufficient to count as a supermajority, which was the threshold required.

But the board will be receiving the SSAD recommendations alongside a request for a consultation on “whether a further cost-benefit analysis should be conducted”:

Noting some of the questions surrounding the financial sustainability of SSAD and some of the concerns expressed within the different minority statements, the GNSO Council requests a consultation with the ICANN Board as part of the delivery of the GNSO Council Recommendations Report to the ICANN Board to discuss these issues, including whether a further cost-benefit analysis should be conducted before the ICANN Board considers all SSAD-related recommendations for adoption.

The cost of SSAD is currently estimated by ICANN loosely at $9 million to build and $8.9 million a year to run. Under the approved recommendations, it would be paid for by accreditation fees paid by end-user data requestors.

And the benefits?

Well, to listen to the IPC, BC, governments and security experts — collectively the expected customers of SSAD — the system will be a bit rubbish and maybe not even worth using.

They complain that SSAD still leaves ultimate responsibility for deciding whether to grant access to Whois records to trained humans at individual registries and registrars. They’d prefer a centralized structure, with much more automation, more closely resembling the pre-GDPR universe.

Contracted parties counter that if GDPR is going to hold them legally responsible for disclosures, they can’t risk offloading decision-making to a third party.

But this could prove a deterrent to adoption, and if fewer companies want to use SSAD that could mean less revenue to fund it which in turn could lead to even higher prices or the need for subsidies out of ICANN’s budget.

The IPC called the recommendations “an outcome that will not meet the needs of, and therefore will not be used by, stakeholders”.

It’s a tricky balancing act for ICANN, and it could further extend the runway to implementation.

The most likely first chance the ICANN board will get to vote on the recommendations would be the AGM, October 22, but if the GNSO consultation concludes another cost/benefit analysis is due, that would likely push the vote out into 2021.

There’s the additional wrinkle that three of ICANN’s four advisory committees, including the governments, have expressed their displeasure with the EPDP outcome, which is likely to add complexity and delay to the roadmap.

And the GNSO’s work on Whois is not even over yet.

Also during today’s meeting, the Council started early talks on whether to reopen the EPDP to address the issues of data accuracy, whether registrars should be obliged to distinguish between legal and natural persons, and whether it’s feasible to have a uniform system of anonymized email addresses in Whois records.

Should YOU have to pay when lawyers access your private Whois info?

Kevin Murphy, September 23, 2020, Domain Policy

The question of who should shoulder the costs of ICANN’s proposed Whois overhaul is being raised, with governments and others suggesting that the burden should fall on registrants themselves.

In separate statements to ICANN recently, the Governmental Advisory Committee and Security and Stability Advisory Committee both put forward the view that registrants, rather than the trademark lawyers behind most requests for private Whois data, should fund the system.

ICANN currently expects the so-called System for Standardized Access/Disclosure (SSAD), proposed after two years of talks in an ICANN community working group, to cost $9 million to build and another $9 million a year to operate.

The working group, known as the EPDP, has recommended in its final report that registrants “MUST NOT bear the costs for having data disclosed to third parties”.

Instead, it recommended that requestors themselves should pay for the system, probably via an annual accreditation fee.

But now the GAC and SSAC have issued minority statements calling that conclusion into question.

The GAC told ICANN (pdf):

While the GAC recognizes the appeal of not charging registrants when others wish to access their data, the GAC also notes that registrants assume the costs of domain registration services as a whole when they register a domain name.

While the SSAC said (pdf):

Data requestors should not primarily bear the costs of maintaining the system. Requestors should certainly pay the cost of getting accredited and maintaining their access to the system. But the current language of [EPDP Recommendation] 14.2 makes victims and defenders cover the costs of the system’s operation, which is unfair and is potentially dangerous for Internet security…

No previous PDP has protected registrants from having the costs associated with “core” registration services or the implementation of consensus policies being passed on to them. No previous PDP has tried to manipulate the functioning of market forces as is proposed in Recommendation 14.

SSAC suggested instead that registrars should be allowed to pass on the costs of SSAD to their customers, and/or that ICANN should subsidize the system.

Over 210 million gTLD domain names, $9 million a year would work out to less than five cents per domain, but one could argue there’s a principle at stake here.

Should registrants have to pay for the likes of Facebook (probably the biggest requestor of private Whois data) to access their private contact information?

The current proposed system would see the estimated $9 million spread out over a far smaller number of requestors, making the fee something like $450 per year.

EPDP member Milton Mueller did the math and concluded that any company willing to pay its lawyers hundreds of thousands of dollars to fight for greater Whois access in ICANN could certainly swallow a measly few hundred bucks a year.

But the minority objections from the GAC, SSAC and Intellectual Property Constituency do not focus wholly on the costs. They’re also bothered that SSAD doesn’t go nearly far enough to actually provide access to Whois data.

Under the current, temporary, post-GDPR system, registries and registrars basically use their own employees’ discretion when deciding whether to approve a Whois data request.

That wouldn’t change significantly under SSAD, but there would be a huge, multi-tiered system of accreditation and request-forwarding that’s been described as “glorified, overly complex and very expensive ticketing system”.

The GAC wants something much more automated, or for the policy to naturally allow increased automation over time. It also wants increased centralization, taking away much of the human decision-making at registrars out of the equation.

The response from the industry has basically been that if GDPR makes them legally liable for their customers’ data, then it’s the registries and registrars that should make the disclosure decisions.

The GAC has a great deal of power over ICANN, so there’s likely to be a bit of a fight about the EPDP’s outcomes and the future of SSAD.

The recommendations are due to be voted on by the GNSO Council at its meeting tomorrow, and as I’ve noted before, it could be tight.

Council chair Keith Drazek seems to be anticipating some lively debate, and he’s already warned fellow members that’s he’s not minded to approve any request for a delay on the vote, noting that the final report has been available for review for several weeks.

By convention, the Council will defer a vote on the request of any of its constituency groups, but this is sometimes exploited.

Should the Council approve the resolution approving the final report — which contains a request for further financial review of SSAD — then it will be forwarded to the ICANN board of directors for final discussion and approval.

But with the GAC on its case, with its special advisory powers, getting SSAD past the board could prove tricky.

Irony alert! Data protection agency complains it can’t get access to private Whois data

Kevin Murphy, May 26, 2020, Domain Policy

A European data protection authority has complained to ICANN after a registrar refused to hand over one of its customers’ private Whois records, citing the GDPR data protection regulation, according to ICANN.

Compounding the irony, the DPA wanted the data as part of its probe into an alleged GDPR violation at the domain in question.

This is the frankly hilarious scenario outlined in a letter (pdf) from ICANN boss Göran Marby to Andrea Jelinek, chair of the European Data Protection Board, last week.

Since May 2018, registrars and registries have been obliged under ICANN rules to redact all personally identifiable information from public Whois records, because of the EU’s General Data Protection regulation.

This has irked the likes of law enforcement and intellectual property owners, who have found it increasingly difficult to discover the identities of suspected bad actors such as fraudsters and cybersquatters.

Registrars are still obliged to hand over data upon request in certain circumstances, but the rules are vague, requiring a judgement call:

Registry and Registrar MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

While an ICANN working group has been attempting to come up with a clearer-cut set of guidelines, administered by a central body, this so-called SSAD (System for Standardized Access/Disclosure) has yet to come to fruition.

So when an unidentified European DPA recently asked a similarly unidentified non-EU registrar for the Whois data of somebody they suspected of GDPR violations, the registrar told it to get stuffed.

It told the DPA it would “not act against a domain name without any clear and unambiguous evidence for the fraudulent behavior” and said it would respond to legal requests in its own jurisdiction, according to ICANN.

The DPA complained to ICANN, and now ICANN is using that complaint to shame the EDPB into getting off the fence and providing some much-needed clarity about when registrars can declassify Whois data without breaking the law.

Marby wrote that registrars are having to apply their “subjective judgment and discretion” and will most often come down on the side of registrants in order to reduce their GDPR risk. He wrote:

ICANN org would respectfully suggest to the EDPB that a more explicit recognition of the importance of certain legitimate interests, including the relevance of public interests, combined with clearer guidelines on balancing, could address these problems.

ICANN org would respectfully suggest to the EDPB to consider issuing additional specific guidance on this topic to ensure that entities with a legitimate interest in obtaining access to non-public gTLD registration data are able to do so. Guidance would in particular be appreciated on how to balance legitimate interests in access to data with the interests of the data subject concerned

ICANN and the EDPB have been communicating about this issue for a couple of years now, with ICANN looking for some clarity on this largely untested area of law, but the EDPB’s responses to data have been pretty vague and unhelpful, almost as if it doesn’t know what the hell it’s doing either.

Will this latest example of the unintended consequences of GDPR give the Board the kick up the bum it needs to start talking in specifics? We’ll have to wait and see.

Crunch time, again, for Whois access policy

Kevin Murphy, October 14, 2019, Domain Policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.

The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.

Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).

Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.

The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.

The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.

The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).

Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.

Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.

The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.

The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.

So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.

If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.

How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.

There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.

This will be a hot topic at ICANN 66 in Montreal next month.

Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.