Now GNSO mulls emergency response to GDPR deadline

Kevin Murphy, April 16, 2018, Domain Policy

ICANN’s GNSO Council is thinking about deploying a never-before-used emergency mechanism to develop a Whois privacy policy in response to GDPR.

With the May 25 deadline for compliance with the EU’s General Data Protection Regulation fast approaching, the community is scrambling to figure out how it can bring ICANN’s policies and therefore its contracts into line with the Draconian privacy provisions of the new law.

Currently, ICANN contracts with registries and registrars demand the publication of full Whois records, something GDPR will not permit, so each company in the industry is busily figuring out how its own Whois database will comply.

Fearful of a “fragmented” Whois, ICANN’s board of directors is considering deploying its own top-down emergency measure — called a Temporary Policy in its contracts — to ensure uniformity across its contracts.

CEO Goran Marby revealed to DI earlier this month that a Temporary Policy was being considered, and he and other members of the board confirmed as much to GNSO leadership during a telephone briefing last week.

(It should be noted that the call took place prior to the receipt last week of guidance from the EU Article 29 Working Party, which prompted ICANN to start mulling legal options as one way to buy the industry some time to comply post-May.)

The call (recorded here with password Eur3wiEK and summarized in this letter (pdf)), focused almost exclusively on how the Council could respond to a board-mandated Temporary Policy, with the board suggesting a GNSO Expedited Policy Development Process might be the best way to proceed.

A Temporary Policy would expire within a year, so the GNSO would have to come up with a formal Consensus Policy within that time-frame if ICANN were to have any hope of having a uniform view of Whois across its contracts.

The Temporary Policy is a “strong option” for the board, and a “highly likely or likely” outcome, but nothing has been formally decided, the GNSO leaders heard from ICANN vice-chair Chris Disspain. He was briefly challenged by Marby, who appeared somewhat more committed to the move.

While the GNSO Council has not yet formally decided to deploy the EPDP, it appears to be the most-feasible option to meet the deadline a Temporary Policy would impose.

It is estimated that an EPDP could take as little as 360 days, compared to the estimated 849 days of a regular PDP.

The EPDP cuts out several of the initial steps of a regular PDP — mainly the need for an Initial Report and associated public comment period — which by my reading would shorten the process by at least 100 days.

It also seems to give the GNSO some wriggle room in how the actual policy creation takes place. It appears that the regular “working group” structure could be replaced, for example, with a “drafting team”.

If the EPDP has the Temporary Policy and WP29 guidance as its baseline for discussions, that could also help cut out some of the circular argument that usually characterizes Whois discussions.

Aware that the EPDP is a strong possibility, the Council is currently planning to give itself a crash course in the process, which has never been used before by any iteration of the Council.

It’s uncharted territory for both the GNSO and the ICANN board, and the only people who seem to have a firm grasp on how the two emergency mechanisms slot together are the ICANN staffers who are paid to know such things.

UPDATE: A couple of hours after this article was published, ICANN posted this three-page flow-chart (pdf) comparing EPDP to PDP. Lots of luck.

Panic stations as Europe plays hardball on Whois privacy

Kevin Murphy, April 14, 2018, Domain Policy

Hopes that Whois records will continue to be available to broad sections of the internet community appeared dashed this week as European data protection heads ripped holes in ICANN’s plan for the industry to comply with the General Data Protection Regulation.

ICANN CEO Goran Marby warned that Whois faces imminent fragmentation and expressed disappointment that authorities have basically ignored his repeated requests for a moratorium on GDPR enforcement.

The Article 29 Working Party, made up of the heads of data protection authorities of EU member states, told ICANN this week that its so-called “Cookbook” compliance plan is nowhere near detailed enough.

In a letter (pdf), it also strongly hinted that intellectual property interests have little hope of retaining access to Whois contact information after GDPR comes into effect next month.

Any notion that WP29 might tell ICANN that the Cookbook was an over-reaction to GDPR, eschewing too many data elements from public records, was firmly put to bed.

Instead, the group explicitly supported ICANN’s plan to replace email addresses in the public Whois with anonymized addresses or a web-based registrant contact form.

It said it “welcomes the proposal to significantly reduce the types of personal data that shall be made publically [sic] available, as well as its proposal [to] introduce alternative methods to contact registrants”.

It also approved of the plan for “layered” access, under which some entities — law enforcement in particular — would be able to access private contact information under an accreditation program.

But WP29 pooh-poohed the idea, put forward by some in the trademark community, that access to Whois could be restricted merely with the use of an IP address white-list.

It warned that the purposes for such access should be explicitly defined and said that what can be accessed should be tightly controlled.

WP29 does not appear to be a fan of anyone, even accredited users, getting bulk access to private Whois data.

While the group endorsed the idea that law enforcement agencies should be able to access Whois, it failed to provide similar comfort to IP interests, security researchers and other groups with self-declared “legitimate interests” in the data.

In what I’m reading as a veiled attack on the IP lobby, the WP29 letter says:

ICANN should take care in defining purposes in a manner which corresponds to its own organisational mission and mandate, which is to coordinate the stable operation of the Internet’s unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.

While it would be fairly easy to argue that giving access to security researchers contributes to “stable operation of the Internet’s unique identifier systems”, I think it would be considerably harder to argue that giving trademark owners an easy way to pursue suspected cybersquatters does the same.

In short, the letter clarifies that, rather than complying too much, ICANN has not gone far enough.

WP29 also roundly ignored ICANN’s request for an enforcement moratorium to give the community enough time to come up with a compliance policy and the industry enough time to implement it, irking ICANN into threatening legal action.

Marby said in a blog post yesterday:

Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.

He said that the WP29 statement puts ICANN at odds with the consensus advice of its Governmental Advisory Committee — which, it should be noted, includes the European Commission and most of the EU member states.

The GAC has told ICANN to “Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible” and to reconsider its plan to remove registrant email addresses from public records.

That’s how stupid the situation has become — the same governments telling ICANN to retain email addresses are also telling it to remove them.

Outside of Europe, the United States government has been explicit that it wants Whois access to remain available.

Marby said that an ICANN delegation will attend a meeting of the WP29 Technology Subgroup in Brussels on April 23 to further discuss the outstanding issues.

In a quick response (pdf) to the WP29 letter, he warned that a fragmented Whois and the absence of a moratorium could spell doom for the smooth functioning of the internet.

We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.

Reaction from elsewhere in the community has so far comprised variations of “told you so” and hand-wringing about the impact after May 25.

Michele Neylon, head of the registrar Blacknight, blogged that the letter signaled “game over” for the public Whois.

“Come the end of May, public whois as we know it will be dead,” he wrote.

Academic Farzaneh Badii, executive director of the Internet Governance Project and a leading figure in ICANN’s non-commercial users community, blamed several factors for the current 11th-hour predicament, but mainly the fact that her constituency’s lobbying was ignored for so long.

“The Noncommercial Stakeholders Group was the broken record that everyone perceived as not worth paying attention to. But GDPR got real and ICANN has to deal with it,” she wrote.

Matt Serlin, of the IP-centric registrar Brandsight, wrote that the letter was “predictable” and said:

The WHOIS system, as it has been known for two decades, will cease to exist. Unfettered access to registration information for gTLDs is simply not going to be possible going forward after May 25th. Yes, there are still questions as to what the final model ICANN puts forth will be, but it will certainly drastically change how WHOIS will function.

Serlin held out some hope that the unspecified legal action Marby has floated may go some way to extend the May 25 GDPR enforcement date.

The community awaits Marby’s next update with bated breath.

Open Whois must die, Europe privacy chiefs tell ICANN

Kevin Murphy, December 7, 2017, Domain Policy

Unfettered public access to full Whois records is illegal and has got to go, an influential European Union advisory body has told ICANN.

The Article 29 Working Party on Data Protection, WP29, wrote to ICANN yesterday to say “that the original purposes of the WHOIS directories can be achieved via layered access” and that the current system “does not appear to meet the criteria” of EU law.

WP29 is made up of representatives of the data protection agencies in each EU member state. It’s named after Article 29 of the EU’s 1995 Data Protection Directive.

This directive is parent legislation of the incoming General Data Protection Regulation, which from May 2018 will see companies fined potentially millions of euros if they fail to protect the privacy of EU citizens’ data.

But WP29 said that there are questions about the legality of full public Whois under even the 1995 directive, claiming to have been warning ICANN about this since 2003:

WP29 wishes to stress that the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.

Under the directive and GDPR, companies are not allowed to make consent to the publication of private data a precondition of a service, which is currently the case with domain registration, according to WP29.

Registrars cannot even claim the publication is contractually mandated, because registrants are not party to the Registrar Accreditation Agreement, the letter (pdf) says.

WP29 adds that law enforcement should still be able to get access to Whois data, but that a “layered” access control approach should be used to prevent full disclosure to anyone with a web browser.

ICANN recently put a freeze on its contract compliance activities surrounding Whois, asking registries and registrars to supply the organization with the framework and legal advice they’re using to become compliant with GDPR.

Registries and registrars are naturally impatient — after a GDPR-compatible workaround is agreed upon, they’ll still need to invest time and resources into actually implementing it.

But ICANN recently told contracted parties that it hopes to lay out a path forward before school breaks up for Christmas on December 22.