Whois rule changes that nobody likes get approved anyway
ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.
The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.
But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.
The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.
In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.
But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.
The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.
First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?
Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?
The answer on both counts was that it’s up to the registry or registrar to decide.
On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.
On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.
While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.
While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.
Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.
EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.
This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.
The appears to be an understatement.
The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.
The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.
Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.
The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.
IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:
Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.
But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.
The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.
While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:
The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…
With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.
While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:
it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.
The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.
They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.
The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.
The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:
The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.
Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.
The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”
So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.
And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.
Business as usual at the GNSO, in other words.
If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.
Recent Comments