Latest news of the domain name industry

Recent Posts

Euro-Whois advice still as clear as mud

Kevin Murphy, July 6, 2018, Domain Policy

European privacy chiefs have again weighed in to the ongoing debate about GDPR and Whois, offering another thin batch of vague advice to ICANN.

The European Data Protection Board, in its latest missive (pdf), fails to provide much of the granular “clarity” ICANN has been looking for, in my view.

It does offer a few pieces of specific guidance, but it seems to me that the general gist of the letter from EDPB chair Andrea Jelinek to ICANN CEO Goran Marby is basically: “You’re on your own buddy.”

If the question ICANN asked was “How can we comply with GDPR?” the answer, again, appears to be generally: “By complying with GDPR.”

To make matters worse, Jelinek signs off with a note implying that the EDPB now thinks that it has given ICANN all the advice it needs to run off and create a GDPR-compliant accreditation system for legitimate access to private Whois data.

The EDPB is the body that replaced the Article 29 Working Party after GDPR came into effect in May. It’s made up of the data protection authorities of all the EU member states.

On the accreditation discussion — which aims to give the likes of trademark owners and security researchers access to Whois data — the clearest piece of advice in the letter is arguably:

the personal data processed in the context of WHOIS can be made available to third parties who have a legitimate interest in having access to the data, provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary and the other requirements of GDPR are met, including the provision of clear information to data subjects.

That’s a fairly straightforward statement that ICANN is fine to go ahead with the creation of an accreditation model for third parties, just as long as it’s quite tightly regulated.

But like so much of its advice, it contains an unhelpful nested reference to GDPR compliance.

The letter goes on to say that logging Whois queries should be part of these controls, but that care should be taken not to tip off registrants being investigated by law enforcement.

But it makes no effort to answer Marby’s questions (pdf) about who these legit third-parties might be and how ICANN might go about identifying them, which is probably the most important outstanding issue right now.

Jelinek also addresses ICANN’s lawsuit against Tucows’ German subsidiary EPAG, and I have to disagree with interpretations of its position published elsewhere.

The Register’s Kieren McCarthy, my Chuckle Brother from another Chuckle Mother, reckons the EDPB has torpedoed the lawsuit by “stating clearly that it cannot force people to provide additional ‘admin’ and ‘technical’ contacts for a given domain name”.

Under my reading, what it actually states is that registrants should be able to either use their own contact data, or anonymized contact information identifying a third party, in these records.

The EDPB clearly anticipates that admin and technical contacts can continue to exist, as long as they contain non-personal contact information such as “admin@example.com”, rather than “kevin@example.com”.

That’s considerably more in line with ICANN’s position than that of Tucows, which wants to stop collecting that data altogether.

One area where EDPB does in fact shoot down ICANN’s new Whois policy is when it comes to data retention.

The current ICANN contracts make registrars retain data for two years, but the EDPB notes that ICANN does not explain why or where that number comes from (I hear it was “pulled out of somebody’s ass”).

The EDPB says that ICANN needs to “re-evaluate the proposed data retention period of two years and to explicitly justify and document why it is necessary”.

Finally, the EDPB weighs in on the issue of Whois records for “legal persons” (as opposed to “natural persons”). It turns out their Whois records are not immune to GDPR either.

If a company lists John Smith and john.smith@example.com in its Whois records, that’s personal data on Mr Smith and therefore falls under GDPR, the letter says.

That should provide a strong incentive for registries and registrars to stop publishing potentially personal fields, if they’re still doing so.

ICANN approves messy, unfinished Whois policy

Kevin Murphy, May 18, 2018, Domain Policy

With a week left on the GDPR compliance clock, ICANN has formally approved a new Whois policy that will hit all gTLD registries and registrars next Friday.

The Temporary Specification for gTLD Registration Data represents the first time in its history ICANN has invoked contractual clauses that allow it to create binding policy in a top-down fashion, eschewing the usual community processes.

The policy, ICANN acknowledges, is not finished and needs some work. I would argue that it’s also still sufficiently vague that implementation in the wild is likely to be patchy.

What’s in public Whois?

The policy is clearest, and mostly unchanged compared to previous drafts, when it comes to describing which data may be published in public Whois and which data must be redacted.

If you do a Whois query on a gTLD domain from next week, you will no longer see the name, address, phone/fax number or email address of the registrant, admin or tech contacts.

You will continue to see the registrant’s organization, if there is one, and the country in which they are based, as well as some information about the registrar and name servers.

In future, public RDAP-based Whois databases will have to output “REDACTED FOR PRIVACY” in these fields, but for now they can just be blank.

While the GDPR is only designed to protect the privacy of humans, rather than companies, and only those connected to the European Union, the ICANN policy generally assumes that all registrants will be treated the same.

It will be possible for any registrant to opt out of having their data redacted, if being contactable is more important to them than their privacy.

What about privacy services?

Since the May 14 draft policy, ICANN has added a carve-out for domains that are already registered using commercial privacy/proxy services.

Whois records for those domains are NOT going to change under the new policy, which now has the text:

in the case of a domain name registration where a privacy/proxy service used (e.g. where data associated with a natural person is masked), Registrar MUST return in response to any query full WHOIS data, including the existing proxy/proxy pseudonymized email.

In the near term, this will presumably require registries/registrars to keep track of known privacy services. ICANN is working on a privacy/proxy accreditation program, but it’s not yet live.

So how do you contact registrants?

The policy begins to get more complicated when it addresses the ability to actually contact registrants.

In place of the registrant’s email address in public Whois, registries/registrars will now have to publish an anonymized email address or link to a web-based contact form.

Neither one of these options should be especially complex to implement — mail forwarding is a staple service at most registrars — but they will take time and effort to put in place.

ICANN indicated earlier this week that it may give contracted parties some breathing room to get this part of the policy done.

Who gets to see the private data?

The policy begins to fall apart when it describes granting access to full, unexpurgated, thick Whois records to third parties.

It seems to do a fairly good job of specifying that known quantities such as URS/UDRP providers, escrow providers, law enforcement, and ICANN itself continue to get access.

But it’s fuzzier when it comes to entities that really would like to continue to access Whois data, such as trademark lawyers, security service providers and consumer protection concerns.

While ICANN is adamant that third parties with “legitimate interests” should get access, the new policy does not enumerate with any specificity who these third parties are and the mechanism(s) contracted parties must use to grant such access.

This is what the policy says:

Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject

This appears to give contracted parties the responsibility to make legal judgment calls — balancing the GDPR-based privacy rights of the registrant against the “legitimate interests” of the requester — every time they get a thick Whois request.

The policy goes on to say that when European privacy regulators, the courts, or other legislation or regulation has specifically approved a certain class of requester, ICANN will relay this news to the industry and it will have 90 days to make sure that class gets full Whois access.

But the policy does not specify any formal mechanism by which anyone goes about requesting a thick record.

Do they just phone up the registrar and ask? Does the registrar have to publish a contact address for this purpose? How does the registrar go about confirming the requester is who they say they are? Should they keep white-lists of approved requesters, or approve each request on a domain-by-domain basis? When does the right of a trademark owner outweigh the privacy right of an individual?

None of these questions are answered by the policy, but in a non-binding annex ICANN points to ongoing community work to create an “accreditation and access model”.

That work appears to be progressing at a fair rapid clip, but I suspect that’s largely because the trademarks lawyers are holding the pens and discussions are not following ICANN’s usual consensus-building policy development rules.

When the work is absorbed into the ICANN process, we could be looking at a year or more before something gets finalized.

How will transfers work?

Because Whois is used during the inter-registrar transfer process, ICANN has also had to tweak its Inter-Registrar Transfer Policy to take account of instances where registrars can’t access each other’s databases.

Basically, it’s scrapping the requirement for gaining registrars to obtain a Form of Authorization from the Whois-listed registrant before they start an inbound transfer.

This will remove one hoop registrants have to jump through when they switch registrars (though losing registrars still have to obtain an FOA from them) at the cost of making it marginally easier for domain theft to occur.

What happens next?

ICANN acknowledges, in seven bullet points appended to the policy, that the community has more work to do, mainly on the access/accreditation program.

Its board resolution “acknowledges that there are other implementation items that require further community conversation and that the Board encourages the community to resolve as quickly as possible”.

The board has also asked ICANN staff to produce more explanatory materials covering the policy.

It also temporarily called off its Governmental Advisory Committee consultation, which I wrote about here, after receiving a letter from the GAC.

But the big next step is turning this Temporary Policy into an actual Consensus Policy.

The Temporary Policy mechanism, which has never been used before, is set up such that it has to be renewed by the board every 90 days, up to a maximum of one year.

This gives the GNSO until May 25 next year to complete a formal Policy Development Process. In fact, it will be a so-called “Expedited” PDP or EPDP, that cuts out some of the usual community outreach in order to provide a speedier result.

This, too, will be an unprecedented test of an ICANN policy-making mechanism.

The GNSO will have the Temporary Policy baseline to work from, but the Temporary Policy is also subject to board-level changes so the goalposts may move while the game is being played.

It’s going to be a big old challenge, and no mistake.

Iceland breaks ranks on Whois, will publish emails

Kevin Murphy, April 30, 2018, Domain Policy

Iceland’s ccTLD has become what I believe is the first registry to state that it will continue to publish email addresses in public Whois records after the General Data Protection Regulation comes into effect.

The move seems to put the registry, ISNIC, in direct conflict with the opinions of European data protection authorities.

The company said in a statement last week that after GDPR comes into effect May 25 it will stop publishing almost all personal information about .is registrants in the public Whois.

However, it broke ranks with other European ccTLDs and the likely ruleset for ICANN-regulated gTLDs, by saying it would not expunge email addresses:

ISNIC will however, at least for the time being, continue to publish email addresses, country and techincal information of all NIC-handles associated with .is domains. Those customers (individuals) who have recorded a personally identifiable email address, and do not want it published, will need to change their .is WHOIS email address to something impersonal.

Registrants will be able to opt in to having their full details published.

ISNIC appears to be taking a principled stand against the Draconian regulation. It said in a statement:

Assuming that GDPR directive applies fully to the “WHOIS” service provided for decades by most ccTLD registries, these new restrictions will lead to less transparency in domain registrations and less trust in the domain registration system in general. ISNIC, as many others, strongly disagrees with the view of the European parlament [sic] in this matter and warns that GDPR, as it is being implemented, will neither lead to better privacy nor a safer network environment.

It’s a surprising decision, given that privacy regulators have indicated that they agree that email addresses are personal data that should not be published.

The Article 29 Working Party told ICANN earlier this month that it “welcomed” a proposal to replace email addresses with anonymized emails or web-based contact forms.

Now GNSO mulls emergency response to GDPR deadline

Kevin Murphy, April 16, 2018, Domain Policy

ICANN’s GNSO Council is thinking about deploying a never-before-used emergency mechanism to develop a Whois privacy policy in response to GDPR.

With the May 25 deadline for compliance with the EU’s General Data Protection Regulation fast approaching, the community is scrambling to figure out how it can bring ICANN’s policies and therefore its contracts into line with the Draconian privacy provisions of the new law.

Currently, ICANN contracts with registries and registrars demand the publication of full Whois records, something GDPR will not permit, so each company in the industry is busily figuring out how its own Whois database will comply.

Fearful of a “fragmented” Whois, ICANN’s board of directors is considering deploying its own top-down emergency measure — called a Temporary Policy in its contracts — to ensure uniformity across its contracts.

CEO Goran Marby revealed to DI earlier this month that a Temporary Policy was being considered, and he and other members of the board confirmed as much to GNSO leadership during a telephone briefing last week.

(It should be noted that the call took place prior to the receipt last week of guidance from the EU Article 29 Working Party, which prompted ICANN to start mulling legal options as one way to buy the industry some time to comply post-May.)

The call (recorded here with password Eur3wiEK and summarized in this letter (pdf)), focused almost exclusively on how the Council could respond to a board-mandated Temporary Policy, with the board suggesting a GNSO Expedited Policy Development Process might be the best way to proceed.

A Temporary Policy would expire within a year, so the GNSO would have to come up with a formal Consensus Policy within that time-frame if ICANN were to have any hope of having a uniform view of Whois across its contracts.

The Temporary Policy is a “strong option” for the board, and a “highly likely or likely” outcome, but nothing has been formally decided, the GNSO leaders heard from ICANN vice-chair Chris Disspain. He was briefly challenged by Marby, who appeared somewhat more committed to the move.

While the GNSO Council has not yet formally decided to deploy the EPDP, it appears to be the most-feasible option to meet the deadline a Temporary Policy would impose.

It is estimated that an EPDP could take as little as 360 days, compared to the estimated 849 days of a regular PDP.

The EPDP cuts out several of the initial steps of a regular PDP — mainly the need for an Initial Report and associated public comment period — which by my reading would shorten the process by at least 100 days.

It also seems to give the GNSO some wriggle room in how the actual policy creation takes place. It appears that the regular “working group” structure could be replaced, for example, with a “drafting team”.

If the EPDP has the Temporary Policy and WP29 guidance as its baseline for discussions, that could also help cut out some of the circular argument that usually characterizes Whois discussions.

Aware that the EPDP is a strong possibility, the Council is currently planning to give itself a crash course in the process, which has never been used before by any iteration of the Council.

It’s uncharted territory for both the GNSO and the ICANN board, and the only people who seem to have a firm grasp on how the two emergency mechanisms slot together are the ICANN staffers who are paid to know such things.

UPDATE: A couple of hours after this article was published, ICANN posted this three-page flow-chart (pdf) comparing EPDP to PDP. Lots of luck.

Panic stations as Europe plays hardball on Whois privacy

Kevin Murphy, April 14, 2018, Domain Policy

Hopes that Whois records will continue to be available to broad sections of the internet community appeared dashed this week as European data protection heads ripped holes in ICANN’s plan for the industry to comply with the General Data Protection Regulation.

ICANN CEO Goran Marby warned that Whois faces imminent fragmentation and expressed disappointment that authorities have basically ignored his repeated requests for a moratorium on GDPR enforcement.

The Article 29 Working Party, made up of the heads of data protection authorities of EU member states, told ICANN this week that its so-called “Cookbook” compliance plan is nowhere near detailed enough.

In a letter (pdf), it also strongly hinted that intellectual property interests have little hope of retaining access to Whois contact information after GDPR comes into effect next month.

Any notion that WP29 might tell ICANN that the Cookbook was an over-reaction to GDPR, eschewing too many data elements from public records, was firmly put to bed.

Instead, the group explicitly supported ICANN’s plan to replace email addresses in the public Whois with anonymized addresses or a web-based registrant contact form.

It said it “welcomes the proposal to significantly reduce the types of personal data that shall be made publically [sic] available, as well as its proposal [to] introduce alternative methods to contact registrants”.

It also approved of the plan for a “layered” access plan, under which some entities — law enforcement in particular — would be able to access private contact information under an accreditation program.

But WP29 pooh-poohed the idea, put forward by some in the trademark community, that access to Whois could be restricted merely with the use of an IP address white-list.

It warned that the purposes for such access should be explicitly defined and said that what can be accessed should be tightly controlled.

WP29 does not appear to be a fan of anyone, even accredited users, getting bulk access to private Whois data.

While the group endorsed the idea that law enforcement agencies should be able to access Whois, it failed to provide similar comfort to IP interests, security researchers and other groups with self-declared “legitimate interests” in the data.

In what I’m reading as a veiled attack on the IP lobby, the WP29 letter says:

ICANN should take care in defining purposes in a manner which corresponds to its own organisational mission and mandate, which is to coordinate the stable operation of the Internet’s unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.

While it would be fairly easy to argue that giving access to security researchers contributes to “stable operation of the Internet’s unique identifier systems”, I think it would be considerably harder to argue that giving trademark owners an easy way to pursue suspected cybersquatters does the same.

In short, the letter clarifies that, rather than complying too much, ICANN has not gone far enough.

WP29 also roundly ignored ICANN’s request for an enforcement moratorium to give the community enough time to come up with a compliance policy and the industry enough time to implement it, irking ICANN into threatening legal action.

Marby said in a blog post yesterday:

Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.

He said that the WP29 statement puts ICANN at odds with the consensus advice of its Governmental Advisory Committee — which, it should be noted, includes the European Commission and most of the EU member states.

The GAC has told ICANN to “Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible” and to reconsider its plan to remove registrant email addresses from public records.

That’s how stupid the situation has become — the same governments telling ICANN to retain email addresses is also telling it to remove them.

Outside of Europe, the United States government has been explicit that it wants Whois access to remain available.

Marby said that an ICANN delegation will attend a meeting of the WP29 Technology Subgroup in Brussels on April 23 to further discuss the outstanding issues.

In a quick response (pdf) to the WP29 letter, he warned that a fragmented Whois and the absence of a moratorium could spell doom for the smooth functioning of the internet.

We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.

Reaction from elsewhere in the community has so far comprised variations of “told you so” and hand-wringing about the impact after May 25.

Michele Neylon, head of the registrar Blacknight, blogged that the letter signaled “game over” for the public Whois.

“Come the end of May, public whois as we know it will be dead,” he wrote.

Academic Farzaneh Badii, executive director of the Internet Governance Project and a leading figure in ICANN’s non-commercial users community, blamed several factors for the current 11th-hour predicament, but mainly the fact that her constituency’s lobbying was ignored for so long.

“The Noncommercial Stakeholders Group was the broken record that everyone perceived as not worth paying attention to. But GDPR got real and ICANN has to deal with it,” she wrote.

Matt Serlin of the IP-centric registrar Brandsight, wrote that the letter was “predictable” and said:

The WHOIS system, as it has been known for two decades, will cease to exist. Unfettered access to registration information for gTLDs is simply not going to be possible going forward after May 25th. Yes, there are still questions as to what the final model ICANN puts forth will be, but it will certainly drastically change how WHOIS will function.

Serlin held out some hope that the unspecified legal action Marby has floated may go some way to extend the May 25 GDPR enforcement date.

The community awaits Marby’s next update with bated breath.

  • Page 1 of 2
  • 1
  • 2
  • >