Governments demand Whois reopened within a year

ICANN’s government advisers wants cops, trademark owners and others to get access to private Whois data in under a year from now.
The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.
The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.
She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.
It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.
It strikes me as a ludicrously ambitious deadline.
Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.
The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.
IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).
Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.
Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.
The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.
Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and bunch of its volunteer members have been swapped out.
Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.
The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.
For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.
With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.

Karklins beats LaHatte to chair ICANN’s Whois privacy team

Latvian diplomat and former senior WIPO member Janis Karklins has been appointed chair of the ICANN working group that will decide whether to start making private Whois records available to trademark owners.
Karklins’ appointment was approved by the GNSO Council last week. He beat a single rival applicant, New Zealand’s Chris LaHatte, the former ICANN Ombudsman.
He replaces Kurt Pritz, the former ICANN Org number two, who quit the chair after it finished its “phase one” work earlier this year.
Karklins has a varied resume, including a four-year stint as chair of ICANN’s Governmental Advisory Committee.
He’s currently Latvia’s ambassador to the United Nations in Geneva, as well as president of the Arms Trade Treaty.
Apparently fighting for Latvia’s interests at the UN and overseeing the international conventional weapons trade still gives him enough free time to now also chair the notoriously intense and tiring Expedited Policy Development Process on Whois, which has suffered significant burnout-related volunteer churn.
But it was Karklins’ one-year term as chair of the general assembly of WIPO, the World Intellectual Property Organization, that gave some GNSO Council members pause.
The EPDP is basically a big bloodless ruck between intellectual property lawyers and privacy advocates, so having a former WIPO bigwig in the neutral hot seat could be seen as a conflict.
This issue was raised by the pro-privacy Non-Commercial Stakeholders Group during GNSO Council discussions last week, who asked whether LaHatte could not also be brought on as a co-chair.
But it was pointed out that it would be difficult to find a qualified chair without some connection to some interested party, and that Karklins is replacing Pritz, who at the time worked for a new gTLD registry and could have had similar perception-of-conflict issues.
In the end, the vote to confirm Karklins was unanimous, NCSG and all.
The EPDP, having decided how to bring ICANN’s Whois policy into compliance with the General Data Protection Regulation, is now turning its attention to the far trickier issue of a “unified access model” for private Whois data.
It will basically decide who should be able to request access to this data and how such a system should be administered.
It will not be smooth sailing. If Karklins thinks international arms dealers are tricky customers, he ain’t seen nothing yet.

Trademark posse fails to block Whois privacy policy

The ICANN community’s move to enshrine Whois privacy into formal consensus policy is moving forward, despite votes to block it by intellectual property interests.
During a special meeting yesterday, the GNSO Council voted to approve a set of recommendations that would (probably) bring ICANN’s Whois policy into compliance with the General Data Protection Regulation.
But four councilors — Paul McGrady and Flip Petillion of the Intellectual Property Constituency and Marie Pattullo and Scott McCormick of the Business Constituency — voted against the compromise deal.
Their downvotes were not enough to block it from passing, however. It has now been opened for a month of public comments before being handed to the ICANN board of directors for final approval, whereupon it will become ICANN’s newest consensus policy and binding on all contracted parties.
McGrady, an lawyer with Winston Strawn, claimed that the Expedited Policy Development Process working group that came up with the recommendations failed to reach the level of consensus that it had claimed.
“The consensus call was broken,” he said, adding that the EPDP’s final report “reflects consensus where there really wasn’t any.”
The GNSO was due to vote 10 days ago, but deferred the vote at the request of the IPC and BC. McGrady said that both groups had tried to muster up support in their communities for a “yes” vote in the meantime, but “just couldn’t get there”.
Speaking for the BC from a prepared statement, Pattullo (who works for European brand protection group AIM) told the Council:

The report is a step backwards for BC members’ interests compared to the Temp Spec, especially as the legitimate purposes for collecting and processing data are insufficiently precise, and do not include consumer protection, cybercrime, DNS abuse and IP protection.

The Temp Spec is the Temporary Specification currently governing how registries and registrars collect and publish Whois data. It was created as an emergency measure by the ICANN board and is due to expire in May, where it will very probably be replaced by something based on the EPDP recommendations.
In response to the IPC/BC votes, Michele Neylon of the Registrars Constituency and Ayden Férdeline of the Non-Commercial Stakeholders Group read statements claiming that trademark interests had been given substantial concessions during the EPDP talks.
Neylon in particular had some harsh words for the holdout constituencies, accusing them of “bad faith” and pointing out that the EPDP spent thousands of hours discussing its recommendations.
“Our members would want any number of obligations this report contains to be removed, but despite the objections we voiced our support for the final product as a sign of compromise and support for the entire multistakeholder model,” he said.
“Given the objections of certain parts of the community it’s unclear how we can ask this group to carry on with the next phase of its work at the same pace,” he said. “Given the unwillingness of others to participate and negotiate in good faith, how can we ask our reps to spend hours compromising on this work when it’s clear others will simply wait until the last minute and withdraw their consent for hard-fought compromise.”
The EPDP had a hard deadline due to the imminent expiration of the Temp Spec, but that’s not true of its “phase two” work, which will explore possible ways trademark enforcers could get access to redacted private Whois data.
Unfortunately for the IP lobby, there’s a very good chance that this work is going to proceed at a much slower pace than phase one, which wrapped up in basically six months.
During yesterday’s Council call, both Neylon and NCSG rep Tatiana Tropina said that the dedication required of volunteers in phase one — four to five hours of teleconferences a week and intensive mailing list discussions — will not be sustainable over phase two.
They simply won’t be able to round up enough people with enough time to spare, they said.
Coincidentally, neither the registrars nor the non-coms have any strong desire to see a unified access solution developed any time soon, so a more leisurely pace suits them politically too.
It will be up to the EPDP working group, and whoever turns out to be its new chair, to figure out the timetable for the phase two work.

Expect more Whois accuracy emails under new ICANN policy

Registrars will be obliged to send out even more Whois accuracy emails, under a set of recommendations being considered in ICANN.
Assuming recent recommendations out of the Whois policy working group are accepted, every registrant of a gTLD domain with something listed in the “Organization” field will receive a one-off mail from their registrar asking them to confirm its accuracy.
It’s Recommendation 12 of the EPDP Team Final Report, which was published last week (pdf) by ICANN’s first Expedited Policy Development Process working group.
In general, the Organization field would be redacted in the public Whois under the proposed policy, but registrants will be proactively asked if they want to opt in to having it published.
While registrars can pick their own methods to conduct this outreach, email seem like the most likely medium in the vast majority of cases.
These mails would be sent out the registrants of the over 192 million gTLD domains (if they have something in their Org field) at some point between May 2019, when ICANN is likely to formally adopt the policy, and February 29, 2020, which is EPDP group’s recommended implementation deadline.
In theory, the Org field is perhaps the main indicator of whether a domain is registered to a natural person (and therefore subject to the General Data Protection Regulation) or a legal person (and therefore not).
But it’s not uncommon for registrants or registrars to simply populate the field with the name of the natural-person registrant, even when there’s no actual organization involved.
That’s a GDPR problem, as it means personally identifiable information could leak into the public Whois.
Under the EPDP’s recommendation, registrars would be obliged to reach out to their customers to confirm whether the contents of their Org field are correct, and to ask whether they want that information to be made public.
Opting in would mean the registrar would begin to publish Org data in the public Whois. Ignoring the email or actively refusing publication would mean your registrar would redact or delete this field.
After this mass outreach has finished, registrars would stop redacting the Org field, unless the registrant has not consented to its publication.
For new registrations, registrars would have to show you a prominent warning that the Org data will be published and get your consent for it to do so.
The recommendation is among 29 that were arrived at following over six months of intensive discussions in the EPDP group.
Others we’ve previously reported on include the total elimination of the Admin Contact, making the Technical Contact both smaller and completely optional, and the mandatory introduction of an anonymous means for Whois users to contact registrants.
The recommendations have been submitted to the GNSO Council, which will vote on them March 4.
The EPDP report will then be opened for 30 days of public comment, before being sent to the ICANN board of directors for a full, final vote.
The policy will replace the current Temporary Specification governing Whois, which the board rushed through on an emergency basis last May in order to make the DNS ecosystem as GDPR-compliant as possible when the EU law came into effect.
The EPDP group is expected to shortly enter “phase two” of its work, which will look at whether there should be a unified access mechanism for security and intellectual property interests to snoop on otherwise private Whois data.

Pritz quits Whois privacy group as work enters impossible second phase

Kurt Pritz has quit as chair of the ICANN group working on Whois policy for the GDPR era.
He informed the Whois Expedited Policy Development Process working group in a notice to its mailing list today, saying he was leaving for “a set of personal and professional reasons”.
He said he will stick around until his replacement is selected.
I understand three people had put themselves forward for the role when Pritz was originally selected last July, so there may be a couple of alternates already waiting in the wings.
The announcement comes at a pivotal time for the EPDP, and whoever takes over is going to have to have some seriously masochistic tendencies.
The 30-odd member group just this week put the finishing touches to its “phase one” initial report, which primarily sets out the formal legal purposes for which Whois data is collected and processed across the domain name ecosystem.
That’s going to be voted on by the GNSO Council in a vote delayed from this week to March 4 at the request of the Intellectual Property Constituency and Business Constituency, which want more time to review and comment on it.
For the EPDP WG, it’s soon time to move on to phase two, which will cover the creation (or not) of a unified access mechanism that trademark owners and the like could use to snoop on redacted Whois data.
Even the relatively easy tasks in phase one have been absolute murder on the volunteers and ICANN staff, who have been putting in four or more hours of teleconferences per week since August.
I’ve just been dipping in and out of the mailing list and listening to the odd teleconference, and the level of nitpicking over language has been agonizing to listen to.
Essentially, virtually every debate comes down to a face-off between the IP interests who want to insert as much language concerning access as possible, and those, such as non-commercial users, who oppose them. It sometimes comes across like a proxy war between Facebook and the Internet Governance Project.
More than once, naturally mild-mannered Pritz has had to delegate control to firm-handed mediators drafted in from a specialist outside agency.
Whoever takes over as chair has got his or her work cut out.

Surprise! Most private Whois look-ups come from Facebook

Facebook is behind almost two-thirds of requests for private Whois data, according to stats published by Tucows this week.
Tucows said that it has received 2,100 requests for Whois data since it started redacting records in the public database when the General Data Protection Regulation came into effect last May.
But 65% of these requests came from Facebook and its proxy, AppDetex, that has been hammering many registrars with Whois requests for months.
AppDetex is an ICANN-accredited brand-protection registrar, which counts Facebook as its primary client. It’s developed a workflow tool that allows it, or its clients, to semi-automatically send out Whois requests to registrars.
It sent at least 9,000 such requests between June and October, and has twice sent data to ICANN complaining about registrars not responding adequately to its requests.
Tucows has arguably been the registrar most vocally opposed to AppDetex’s campaign, accusing it of artificially inflating the number of Whois requests sent to registrars for political reasons.
An ICANN policy working group will soon begin to discuss whether companies such as Facebook, as well as security and law enforcement interests, should be able to get credentials enabling them to access private Whois data.
Tucows notes that it sees spikes in Whois requests coinciding with ICANN meetings.
Tucows said its data shows that 92% of the disclosure requests it has received so far come from “commercial interests”, mostly either trademark or copyright owners.
Of this 92%, 85% were identified as trademark interests, and 76% of those were Facebook.
Law enforcement accounted for 2% of requests, and security researchers 1%, Tucows said.

Crunch Whois privacy talks kick off

ICANN volunteers are meeting this week to attempt to finalize their recommendations on the future of Whois privacy.
Most members of the Expedited Policy Development Process working group have gathered in Toronto for three days of talks on what will likely become, in May this year, new contractually binding ICANN policy.
Discussions are kicking off pretty much at the same time this article is published and will last until Friday afternoon local time.
The EPDP group is due to publish its final report by February 1, leaving enough time for GNSO consideration, public comments, and an ICANN board of directors vote.
Its initial report, which recommended some big changes to Whois output, was published in November. Public comments on this report will lead to largely modest changes to the policy this week.
The timing is tight because Whois policy is currently governed by a one-year Temporary Specification, created by the ICANN board, which expires May 25.
The bulk of the work today will focus on formalizing the “purposes” of Whois data, something that is needed if ICANN policy is to be compliant with the EU General Data Protection Regulation.
The more controversial stuff, where consensus will be extraordinarily difficult to find, comes tomorrow, when the group discusses policies relating to privileged access to private Whois data.
This is the area where intellectual property and security interests, which want a program that enables them to get access to private data, have been clashing with non-commercial stakeholders, which accuse their opponents of advocating “surveillance”.
It’s not expected that a system of standardized, unified access will be created this week or by February 1. Rather, talks will focus on language committing ICANN to work on (or not) such a system in the near future.
Currently, there’s not even a consensus on what the definition of “consensus” is. It could be slow going.
Gluttons for punishment Observers can tune in to the view/listen-only Adobe Connect room for the meetings here.

First chance to have your say on the future of Whois

RIP: the Whois Admin.
Standard Whois output is set to get slimmed down further under newly published policy proposals.
The community working group looking at post-GDPR Whois has decided that the Admin Contact is no longer necessary, so it’s likely to get scrapped next year.
This is among several recommendations of the Expedited Policy Development Process working group on Whois, which published its initial report for public comment late Wednesday.
As expected, the report stops short of addressing the key question of how third-parties such as intellectual property interests, domain investors, security researchers and the media could get streamlined access to private Whois data.
Indeed, despite over 5,000 person-hours of teleconferences and face-to-face meetings and about 1,000 mailing list messages since work began in early August, the EPDP’s 50 members have yet to reach consensus on many areas of debate.
What they have reached is “tentative agreement” on 22 recommendations on how to bring current ICANN Whois policy into line with EU privacy law, the General Data Protection Regulation.
The work is designed to replace the current Temporary Specification, a Band-Aid imposed by the ICANN board of directors, which is due to expire next May.
The EPDP initial report proposes a few significant changes to what data is collected and publicly displayed by the Whois system.
The most notable change is the complete elimination of the Admin Contact fields.
Currently, Whois contains contact information for the registrant, admin contact and technical contact. It’s often the same data replicated across all three records, and under the Temp Spec the large majority of the data is redacted.
Under the EPDP’s proposal, the Admin Contact is superfluous and should be abandoned altogether. Not only would it not be displayed, but registrars would not even collect the data.
The Tech Contact is also getting a haircut. Registrars would now only be able to collect name, phone and email address, and it would be optional for the registrant whether to provide this data at all. In any event, all three fields would be redacted from public Whois output.
For the registrant, all contact information except state/province and country would be redacted.
There’s no agreement yet on whether the optional “organization” field would be redacted, but the group has agreed that registrars should provide better guidance to registrants about whether they need to provide that data.
While data on legal persons such as companies is not protected by GDPR, some fear that natural person registrants may just naively type their own name into that box when registering a name, inadvertently revealing their identities to the public.
Those providing Whois output would be obliged, as they are under the Temp Spec, to publish an anonymized email address or web-based contact form to allow users to contact registrants without personal information being disclosed.
That German lawsuit
The recommendation to slash what data is collected could have an impact on ICANN’s lawsuit against Tucows’ German subsidiary, EPAG.
ICANN is suing EPAG after the registrar decided that collecting admin and tech contact info was not compliant with GPDR. It’s been looking, unsuccessfully, for a ruling forcing the company to carry on collecting this data.
Tucows is of the view that if the admin and tech contacts are third parties to the registration agreement, it has no right to collect data about them under the GDPR.
If ICANN’s own community policy development process is siding with Tucows, this could guide ICANN’s future legal strategy, but not, it appears, until it becomes firm consensus policy.
I asked ICANN general counsel John Jeffrey about whether the EPDP’s work could affect the lawsuit during an interview October 5, shortly after it became clear that the admin/tech contact days might be numbered.
“Maybe,” he said. “If it becomes part of the policy we’ll have to assess that. Until there’s a new policy though, what we’re working with is the Temp Spec. The Temp Spec we believe is enforceable, we believe have the legal support for that, and we’ll continue down that path.”
(It might be worth noting that Thomas Rickert, whose law firm represents EPAG in this case, is on the EPDP working group in his capacity of head of domains for German trade group eco. He is, of course, just one of the 31 EPDP members developing these recommendations at any given time.)
IP wheel-spinning
The main reason it’s taken the EPDP so long to reach the initial report stage — the report was originally due during the ICANN 63 Barcelona meeting a month ago — has been the incessant bickering between those advocating for, and opposing, the rights of intellectual property interests to access private Whois data.
EPDP members from the IP Constituency and Business Constituency have been attempting to future-proof the work by getting as many references to IP issues inserted into the recommendations as they can, before the group has turned its attention to addressing them specifically.
But they’ve been opposed every step of the way by the Non-Commercial Stakeholders Group, which is concerned the IP lobby is trying to policy its way around GDPR as it relates to Whois.
Many hours have been consumed by these often-heated debates.
My feeling is that the NCSG has been generally winning, but probably mainly because the working group’s charter forbade discussion about access until other issues had been addressed.
As it stands today, the initial report contains this language in Recommendation #2:

Per the EPDP Team Charter, the EPDP Team is committed to considering a system for Standardized Access to non-public Registration Data once the gating questions in the charter have been answered. This will include addressing questions such as:
• What are the legitimate purposes for third parties to access registration data?
• What are the eligibility criteria for access to non-public Registration data?
• Do those parties/groups consist of different types of third-party requestors?
• What data elements should each user/party have access to?
In this context, amongst others, disclosure in the course of intellectual property infringement and DNS abuse cases will be considered

This is basically a placeholder to assure the IP crowd that their wishes are still on the table for future debate — which I don’t think was ever in any doubt — but even this basic recommendation took hours to agree to.
The EPDP’s final report is due February 1, so it has just 70 days to discuss this hypothetical “Standardized Access” model. That’s assuming it started talks today, which it hasn’t.
It’s just nine weeks if we assume not a lot is going to happen over the Christmas/New Year week (most of the working group come from countries that celebrate these holidays).
For context, it’s taken the working group about 115 days just to get to the position it is in today.
Even if Standardized Access was the only issue being discussed — and it’s not, the group is also simultaneously going to be considering the public comment on its initial report, for starters — this is an absurdly aggressive deadline.
I feel fairly confident in predicting that, come February 1, there will be no agreement on a Standardized Access framework, at least not one that would be close to implementable.
Have your say
All 22 recommendations, along with a long list of questions, have now been put out for public comment.
The working group is keen to point out that all comments should provide rationales, and consider whether what they’re asking for would be GDPR-compliant, so comments along the lines of “Waaah! Whois should be open!” will likely be rapidly filed to the recycle bin.
It’s a big ask, considering that most people have just a slim grasp of what GDPR compliance actually means.
Complicating matters, ICANN is testing out a new way to process public comments this time around.
Instead of sending comments in by email, which has been the norm for two decades, a nine-page Google form has been created. This is intended to make it easier to link comments to specific recommendations. There’s also a Word version of the form that can be emailed.
Given the time constraints, it seems like an odd moment to be testing out new processes, but perhaps it will streamline things as hoped. We’ll see.

This is how AppDetex works

A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.
AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.
Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.
In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.
First off, Whois Requester appears to be only partially automated.
Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.
“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.
“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.
But, according to AppDetex, these assumptions are not correct.
Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.
AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.
It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.
Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.
The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.
Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.
At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.
If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.
The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.
Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.
Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.
As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.
Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.
Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.
This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.
The fact that human review is required before requests are sent out “just makes it worse”, they also said.

ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off

Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.
Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.
Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.
They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.
Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.
Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.
The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.
The main sticking point was the extent to which these third parties get a mention in the language.
Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.
The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.
Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.
GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.
It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.
The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.
The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.
While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.
All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.
One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.
Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).
But, yeah, they may have a point.
It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.
They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.
They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.
AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.
The IP crowd and registrars are not the only ones fighting in the corridors, though.
The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.
Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.
I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.
UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.
Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.
AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.
UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.