More non-rules proposed for Whois privacy
An ICANN working group has come up with some extra policy proposals for how registries and registrars handle Whois records, but they’re going to be entirely optional.
The ongoing Expedited Policy Development Process team has come up with a document answering two questions: whether registrars should differentiate between people and companies, and whether there should be a system of uniform, anonymized email addresses published in Whois records.
The answer to both questions is a firm “Maybe”.
The EPDP working group seems to have been split along the usual party lines when it comes to both, and has recommended that contracted parties should get to choose whether they adopt either practice.
Under privacy laws, chiefly GDPR, protections only extend to data on natural persons — people — and not to legal persons such as companies, non-profits and other amorphous entities.
Legally, registries and registrars are not obliged to fully redact the Whois records of domains belonging to companies, but many do anyway because it’s easier than putting systems in place to differentiate the two types of registrant.
There’s also the issue that, even if the owner of the domain is a company, the contact information may belong to a named, identifiable person who is protected by GDPR. So ICANN’s contracted parties may reduce their potential liability by redacting everything, no matter what type of entity the domain belongs to.
The EPDP has decided to stick to the status quo it agreed to in an earlier round of policy talks: “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.
Contracted parties will get the option to ask their registrants if they’re a natural person (yes/no/not saying) and capture that data, but they’ll have to redact the answer from public Whois output.
They’d have to “clearly communicate” to their customers the fact that their data will be treated differently depending on the choice they make.
On the second question, whether a system of standardized, published, anonymized email addresses is feasible or desirable, the EPDP is also avoiding any radical changes:
The EPDP Team recognizes that it may be technically feasible to have a registrant-based email contact or a registration-based email contact. Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time.
Again, the working group is giving registries and registrars the option to implement such systems or not.
The benefit (or drawback, depending on your perspective) of giving each registrant a single anonymous email address that is published in all their Whois records is that it makes it rather easy to reverse-engineer that registrant’s entire portfolio.
If you’re a political insider running a whistle-blower blog, a bar owner who also moderates a forum for closeted gays in a repressive regime, or a domain name news blogger running a furry porn site on the side, you might not want your whole collection of domains to be easily doxxed.
But if you’re a trademark lawyer chasing cybersquatters or a security researcher tracking spammers, being able to take action against a ne’er-do-well’s entire portfolio at once could be hugely useful.
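The linkability difference between a registrant-based and a registration-based address, as an added example (not code from the EPDP report or any registrar). The HMAC alias derivation, the key, the relay domain and the contact IDs are all assumptions constructed for illustration; the check at the end is one a registrar could run on its own published output.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-key"    # hypothetical registrar-held secret
RELAY = "relay.registrar.example"   # hypothetical mail-relay domain

# Constructed sample data: (registrar contact ID, domain name)
REGISTRATIONS = [
    ("C-1001", "blog.example"),
    ("C-1001", "forum.example"),
    ("C-1001", "shop.example"),
    ("C-2002", "other.example"),
]

def _alias(*parts):
    """Derive an opaque relay address from the given inputs with a keyed hash."""
    msg = "\x00".join(parts).encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{RELAY}"

def registrant_based(contact_id, domain):
    # One address per registrant: identical across all of their domains.
    return _alias("registrant", contact_id)

def registration_based(contact_id, domain):
    # One address per registration: the domain is part of the keyed input.
    return _alias("registration", contact_id, domain)

def publish(scheme):
    """Build the public records a scheme would expose (domain + alias only)."""
    return [{"domain": d, "email": scheme(c, d)} for c, d in REGISTRATIONS]

def linkable_groups(records):
    """Group published domains by shared email, as any outside reader could."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec["email"]].add(rec["domain"])
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for scheme in (registrant_based, registration_based):
        print(scheme.__name__, linkable_groups(publish(scheme)))
```

Both schemes hide the real mailbox, but only the registration-based one keeps the published addresses from tying a registrant's domains together.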
So the EPDP working group proposes to leave it up to individual registries and registrars to decide whether to implement such a system, basically telling these companies to talk to their lawyers.
The EPDP Team recommends that Contracted Parties who choose to publish a registrant- or registration-based email address in the publicly accessible RDDS should ensure appropriate safeguards for the data subject in line with relevant guidance on anonymization techniques provided by their data protection authorities and the appended legal guidance in this recommendation
An appendix to the recommendations, compiled by the law firm Bird & Bird, says there’s “a high likelihood that the publication or automated disclosure of such email addresses would be considered to be the processing of personal data”.
The EPDP recommendations are now open for public comment until July 19, and could become binding if they make it through the rest of the ICANN policy development system.
EURid, the .eu registry, has handled the issue as follows:
1) The registrant name field has to be filled in.
2) The registrant organisation field may be filled in or left empty.
If the registrant organisation field is filled in (presumably with the name of a company, association…), the entity mentioned in that field is considered as the registrant and as an organisation. If it is left empty, then the person that is mentioned in the registrant name field is considered as the registrant, who is then an individual.
If the organisation field is filled in, the information appears in the whois records. The content of the registrant name field does not appear in any case.
That only works if you start afresh. The way that the org field has been handled in the past and will be handled in the future by existing customers using their existing contact sets is that registrants put _anything_ in there.
Their own names (again), a club name (not a legal entity), something funny, etc. The fact that this field is filled currently means nothing and changing that would be an enormous task for contracted parties that many doubt is worth the effort.
There is unfortunately an ambiguity that was never resolved at the beginning and hence with different behaviors expectations are not the same. The “name” field is mandatory in EPP, and “org” is optional. Now the question is: what happens if you fill both, with an individual in “name” and an organization in “org”? Does that mean individual X working at organization Y? Or is X basically just void information and the registrant is really Y? And what do you do for a company registering? You put the company name in “name” and nothing in “org”? But then how do you know it is a company? And what about cases where you are an individual and a company like doing business on your own name? So the technical specifications are clear (name mandatory, organization optional) but their use is not, and hence with all variations now in the wild, just looking across TLD at name and org you CAN NOT find out which case is an individual which case is a company.
There’s no reason why the registry/registrar can’t simply provide a unique email address for each domain name.
There’s no reason they’d have to reuse them and completely avoid indirectly associating registrations.
That is the registration-based anonymised email address that was one of the features of the Temp Spec that was continued in the previous phases.
It currently is either this or a webform.