Latest news of the domain name industry

Recent Posts

Whois policy published without life-saving disclosure rule

Kevin Murphy, February 23, 2024, Domain Policy

ICANN has updated its Registration Data Policy, the rules that govern what data registries and registrars need to collect from registrants and when to publish or supply it through Whois lookups or disclosure requests.

When it becomes enforceable in August next year, the new RDP will make full-fat ICANN Whois policy compliant with EU privacy law for the first time since the General Data Protection Regulation came into effect in May 2018.

But the new policy, which replaces a functionally very similar temporary policy, is notable not only for the extraordinary amount of time it took to produce, but also for not containing a disputed requirement for registrars and registries to quickly turn over private Whois data when human life is at risk.

The policy dictates what contact information registrars must collect from their customers, what they must share with their registries, escrow agents and others, and what they must redact in the public Whois (or Registration Data Directory Services, as it will become known when Whois is retired next January).

It also says that registries and registrars must acknowledge private data disclosure requests no more than two business days after receipt and respond to the requests in full less than 30 calendar days after that, barring delays caused by “exceptional circumstances”.

But, due purely to ICANN community politicking, the policy for now omits previously considered language on “urgent” disclosure requests for use in “circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation”.

I’d like to think such circumstances are incredibly rare, but if there’s a situation where a Whois disclosure could help prevent a bomb going off at a major internet exchange, a trans rights activist being hounded into suicide, or a little kid getting raped on a livestream, the new ICANN policy does not account for that.

The version of the policy published in July last year (pdf) did include an urgent requests provision, requiring contracted parties to either turn over the data or tell the requester to get lost within 24 hours of receipt.

But it also contained a bunch of exceptions that could allow registrars to extend that deadline by up to three business days. When weekends and public holidays are taken into account, this could mean as much as a full calendar week to process an “urgent”, potentially life-saving request.

For that reason, the Governmental Advisory Committee wrote to ICANN (pdf) last August to ask it to revisit the policy language, chuck out the reference to “business” days, and stick to a 24-hour response window

The original Expedited Policy Development Process Working Group that came up with the policy recommendations had not specified how long registrars and registries should have to respond to urgent disclosure requests, punting that decision to the Implementation Review Team that drafted the final language.

An August 2022 draft (pdf) put out for public comment made the response window two business days, with a possible one-day extension, but this was reduced to 24 hours last year in what registrars describe as a “significant compromise” given the operational reality of responding to disclosure requests.

In August last year, the Registrars Stakeholder Group told ICANN (pdf) that its members “are committed to responding to Urgent requests in the most swift and expeditious manner possible” but said it objected to the GAC’s last-minute demands for the urgent disclosures policy to be rewritten.

From the registrars’ perspective, handling disclosure requests for personal data is not a simple ask. It’s a legal decision, balancing the privacy rights of the registrant with the rights of others to access that information.

Get it wrong, and you’re open to litigation and fines substantial enough to be expressed as a percentage of your revenue. And, money aside, who wants to be the guy who, for example, accidentally helps the Iranian morality police murder a bunch of schoolgirls for wearing the wrong type of hat?

But the argument between the registrars and the governments comes down to issues of ICANN process. Both the GAC and the RrSG claimed the urgent disclosures bunfight highlights deficiencies in ICANN multistakeholderism, but for different reasons.

ICANN’s response to this disagreement was to remove the urgent requests clauses from the policy altogether, in the hope that further talks can find a solution. Chair Tripti Sinha wrote to the RrSG and GAC a couple weeks ago to tell them:

the Board concluded that it is necessary to revisit Policy Recommendation 18 concerning urgent requests in the context of situations that pose an imminent threat to life, serious bodily harm, infrastructure, or child exploitation, and the manner in which such emergencies are currently handled. For this, we believe that consultation with the GNSO Council is required.

ICANN has essentially kicked the can, which was what the GAC had asked for. The RrSG wanted the July 2023 language (one-plus-three days) or August 2022 language (two-plus-one days) published in the final policy.

It’s stuff like this that makes one scratch one’s head, stroke one’s chin, and wonder whether ICANN really is fit for purpose.

There were 2,312 days between the day the European Commission first proposed the GDPR to the day it became effective in all EU member states.

But 2,590 days will have passed between the day the GNSO Council initiated the EPDP and the day the new Registration Data Policy will become effective on all contracted parties, next August.

The lumbering, then-28-state European Union was faster at passing policy than ICANN, even when ICANN was using an “expedited” process.

And what ICANN eventually came up with couldn’t even agree on ways to help tackle murder, economic catastrophes, and the rape of kids.

Most registrars are shunning ICANN’s new Whois system

Kevin Murphy, November 30, 2023, Domain Policy

Most of the largest domain registrars are not currently participating in ICANN’s new Registration Data Request Service, according to my research.

I used the RDRS tool to check domains managed by every accredited registrar that has over a million domains under management and discovered that at least 25 out of these 40 registrars do not currently support the service.

The number may be 26, but RDRS did not recognize any domains managed by Chinese registrar Ali Baba as valid, giving instead a “domain does not exist” error message, even for alibaba.com itself.

In total, the 25 registrars coming up blank look after over 63 million gTLD domains, about 28% of the total.

Some very recognizable brands are not in the system.

Squarespace Domains II, the new name for the old Google Domains, the fourth-largest registrar, is the largest company not participating. Together with its original accreditation, Squarespace Domains, they have over 10 million domains under management.

TurnCommerce, GMO, IONOS, NameSilo, PDR, Gname, Dynadot, Wix, OVH, Register.com, FastDomain, Name.com, Domain.com, Hostinger, Sav.com, Xin Net, West.cn, Cronon, Domain Robot, Automattic, DNSPod, and Cloudflare are also not in the system.

Oh, and neither is Markmonitor.

While I only checked 40 registrars, not the full 2,702 that were active in the July registry transaction reports, I would expect the level of support to decline the lower down the list you get, particularly as hundreds of accreditations have a trivial number of domains or are merely aliases for companies already known to not support RDRS.

It’s quite possible some of the registrars I’ve named here are planning to sign up and have just been slow to do so, but they’ve had plenty of time — ICANN has been onboarding registrars since September 20.

The level of support from the registrar industry will be critical to judging whether the RDRS project is deemed a success.

In a recent letter to the GNSO Council discussing “success criteria” for the program, ICANN chair Tripti Sinha wrote (pdf):

The Board agrees that the participation of a sufficient number of registrars with a sufficient number of domain name registrations under management will be important with respect to gathering data.

On the bright side, GoDaddy, Tucows and Namecheap are on board, and that represents about 90 million domains. GoDaddy alone accounts for 65 million, slightly more than the combined total of the 25 large registrars that are not participating.

RDRS is a system designed to simplify the process of requesting non-public Whois data by passing all such requests to the relevant registrars through a central hub.

Of course, it’s only useful if the registrars are actually in the system.

Whois disclosure system coming this year?

Kevin Murphy, March 2, 2023, Domain Tech

ICANN has approved the creation of a Whois Disclosure System, almost six years after Europe’s GDPR rules tore up the rule book on Whois access.

The system is likely to face a name change before going live, due to the fact that it does not guarantee, nor process, the disclosure of private Whois data.

The board of directors passed a resolution February 27, a month later than expected, “to develop and launch the WHOIS Disclosure System (System) as requested by the GNSO Council within 11 months from the date of this resolution.”

That’s two months longer than earlier anticipated, but we’re still looking potentially at a live system that people can sign up for and use a year from now.

The system is expected to be based on the Centralized Zone Data Service that many of us have been using to request and download gTLD zone files for the last decade. While not perfect, CZDS gets the job done and has improved over the years.

The technology will be adapted to create what essentially amounts to a ticketing system, allowing the likes of IP lawyers to request unredacted Whois records. The requests would then be forwarded to the relevant registrar.

It’s an incredibly trimmed-down version of what Whois users had been asking for. Participation is voluntary on both sides of the transaction, and registrars are under no new obligations to approve requests.

If nobody uses the system, it could be turned off. ICANN Org has only been directed to run it for “for up to two years”. ICANN will collect and publish usage data to figure out whether it’s worth the quite substantial number of hours and dollars that have already gone into its development.

The actual cost of development and operation had been pegged at $3.3 million, but the board’s resolution states that most of the cost will be existing staff and excess costs will come from the Supplemental Fund for Implementation of Community Recommendations (SFICR).

ICANN expects to approve Whois Disclosure System next month

Kevin Murphy, December 20, 2022, Domain Policy

ICANN could be offering a centralized system for requesting private domain registration data as early as a year from now, a mere five and a half years after GDPR ruined the global Whois system for many.

The Org recently alluded to its “board’s anticipated January 2023 vote to move forward in implementing the new system to streamline the intake and routing of requests for access to nonpublic gTLD registration data” in a blog post.

It has previously stated that it will take nine months to develop and roll out the system, along with a three-month “ramp-up period”, but that preparatory work may have already started.

The system will be based on CZDS, the service that currently allows people to request zone file data from registries, and cost $3.3 million to develop and run for its anticipated two-year trial period.

Don’t expect it to be called the Whois Disclosure System though. Community feedback has been pretty clear that “disclosure” is an inappropriate word because the system merely manages requests and does not actually disclose anything.

It’s also going to be voluntary for both requesters and registrars/registries for now.

The system was previously known as SSAD Lite, a cut-down version of the community-recommended System for Standardized Access and Disclosure, which ICANN estimated would have cost infinity dollars and take a century to implement.

Registrars CAN charge for Whois, ICANN grudgingly admits

Kevin Murphy, December 1, 2022, Domain Registrars

ICANN is powerless to prevent registrars from charging for access to non-public Whois data, the Org has reluctantly admitted.

In a recent advisory, ICANN said it is “concerned” that registrars including Tucows have been charging fees to process requests for data that would otherwise be redacted in the free public Whois.

But it said there’s nothing in the Registrar Accreditation Agreement, specifically the Temporary Specification governing Whois in the post-GDPR world, that bans such services:

While the RAA explicitly requires access to public registration data directory services to be provided free of charge, the Temporary Specification does not specifically address the issue of whether or not a registrar may charge a fee for considering requests for access to redacted registration data.

So basic Whois results, with all the juicy info redacted, has to be free, but registrars can bill organizations who ask for the veil to be lifted. ICANN wrote:

ICANN org is concerned that registrars’ imposition of fees for consideration of requests for access to nonpublic gTLD registration data may pose an access barrier. Access to registration data serves the public interest and contributes to the security and stability of the Internet

The advisory calls out Tucows’ Tiered Access Compliance and Operations system, TACO, as the primary example of a registrar charging for data, but notes that others are too.

Not long after the advisory was published, Tucows posted an article in which it explained that the fees are necessary to cover the cost of the “thousands” of automated requests it has received in the last four years.

Charging fees for compliance with other forms of legal process is not uncommon in the industry, and the vast majority of requests for registration data (approximately 90%) continue to come from commercial litigation interests and relate to suspected intellectual property infringement.

Facebook, now Meta, was at first, and may still well be, a frequent bulk filer.

Tucows said that it “frequently” waives its fees upon request for “single-use requestors and private parties”.

Whois Disclosure System to cost up to $3.3 million, run for one year

Kevin Murphy, September 13, 2022, Domain Policy

ICANN has published its game plan for rolling out a Whois Disclosure System ahead of next week’s ICANN 75 public meeting in Kuala Lumpur.

The Org reckons the system will take nine months to build and will cost up to $3.3 million to develop and run for two years, although it might wind up getting shut down after just one year.

The Whois Disclosure System, previously known as SSAD Light, is a mechanism whereby anyone with an ICANN account — probably mainly IP lawyers in practice — can request unredacted private Whois data from registrars.

The system is to be built using retooled software from the current Centralized Zone Data Service, which acts as a hub for researchers who want to request zone files from gTLD registry operators.

ICANN’s design paper (pdf), which contains many mock-ups of the likely user interface, describes the new system like this:

Just as in CZDS, a requestor navigates to the WHOIS Disclosure System web page, logs into their ICANN Account, and is presented with a user experience much like the current CZDS. In this experience, requestors can see pending and past requests as well as metadata (timestamps, status, etc.) associated with those requests. For a requestor’s pending requests, they can see all the information related to that request.

Requests filed with the system will be routed to the relevant registrar via the Naming Services Portal, whereupon the registrar can choose how to deal with it. The system doesn’t change the fact that registrars have this discretion.

But the system will be voluntary for not only the requesters — who can still contact the registrar directly if they wish — but also the registrars. One can imagine smaller and frequently abused registrars won’t want the hassle.

The cost of this system will be $2.7 million in staffing costs, with $90,000 in external licensing costs and another $500,000 in contingency costs. Because ICANN has not budgeted for this, it will come from the Supplemental Fund for Implementation of Community Recommendations, which I believe currently has about $20 million in it.

This is far and away cheaper than the full-fat SSAD originally proposed by the GNSO, which ICANN in January estimated could cost up to $27 million to build over five years.

While cheaper, there are still substantial questions remaining about whether it will be popularly used, and whether it will be useful in getting private Whois data into the hands of the people who say they need it.

ICANN is saying that the Whois Disclosure System will run for one year “at which point the data sets collected will be analyzed and presented for further discussion between the GNSO Council and Board”.

The design paper will be discussed at multiple ICANN 75 sessions, starting this weekend.

Belgium slashes its ICANN funding in “mission creep” protest

Kevin Murphy, August 12, 2022, Domain Policy

DNS Belgium has cut its contribution to ICANN’s budget by two thirds, in protest at ICANN’s “mission creep” and its handling of GDPR.

The Belgian ccTLD registry informed ICANN CFO Xavier Calvez that it will only pay $25,000 this fiscal year, compared to the $75,000 it usually pays.

Registry general manager Philip Du Bois wrote (pdf) that “during recent years there has been a shift in focus which is not in the benefit of ccTLD’s”.

ICANN has become a large corporate structure with a tendency to suffer from “mission creep”… At the same time ICANN seems to fail in dealing in an appropriate way with important issues such as GDPR/privacy. It goes beyond our comprehension that ICANN and its officers don’t feel any reluctancy to “advise” European institutions and national governmental bodies to embrace “standards developed by the multi-stakeholder structures on international level” while at the same time it is obvious that ICANN itself has not yet mastered the implementation of important European legislation.

Based in the heart of the EU, DNS Belgium was a strong proponent of Whois privacy many years before the GDPR came into effect in 2018.

Calvez, in his reply (pdf), acknowledges that ccTLD contributions are voluntary, but seems to insinuate (call me a cynic) that the criticisms are hollow and that the registry might simply be trying to reduce its costs during an economic downturn:

We do appreciate any amount of contribution, and also that the ability for any ccTLD to contribute varies over time, including based on economic circumstances. We do understand that the reduction of DNS Belgium’s contribution from US$75,000 to US$25,000 represents a significant and meaningful reduction of costs for DNS Belgium.

DNS Belgium seems to be doing okay, based on its latest annual financial report. It’s not a huge company, but registrations and revenue have been growing at a slow and steady rate for the last several years.

All ccTLD contributions to ICANN are voluntary, but there are suggested donations based on how many domains a registry has under management, ranging from the $225,000 paid by the likes of the UK registry to the $500 paid by the likes of Pitcairn.

DNS Belgium, which manages about 1.7 million names, falls into the third-highest band, with a $75,000 suggested contribution.

ICANN is budgeting for funding of $152 million in its current FY23.

Feds warn of Covid risk from “dark” Whois

Kevin Murphy, July 19, 2022, Domain Policy

The US Food and Drug Administration has escalated its beef with ICANN, warning that inaccessible Whois data is making it harder to tackle bogus Covid-19 “cures” and the country’s opioid crisis.

Catherine Hermsen from the FDA’s Office of Criminal Investigations wrote to ICANN CEO Göran Marby last week to complain that some registrars do not adequately respond to abuse complaints and that ICANN ignores follow-up complaints from government agencies.

She doubled down on the FDA’s previous complaint that ICANN’s inaction may be because it is funded by the industry, but back-pedaled on previous insinuations that ICANN’s leadership were putting their own big salaries ahead of public safety.

The beef started in early June, when an organization called Coalition for a Secure & Transparent Internet — basically a front for the likes of DomainTools and other companies whose business models are threatened by privacy legislation — held a one-sided webinar entitled “The Threat of a Dark WHOIS”.

On that webinar, Daniel Burke, chief of the FDA’s Investigative Services Division, lamented the lack of cooperation his agency gets when requesting private Whois data from “certain” registrars, and pointed to cases where the FDA’s inability to quickly get fake pharma sites, including those related to Covid-19, shut down have led to deaths.

He also said that complaints to ICANN about non-compliant registrars fall on deaf ears, to the point that it no longer bothers complaining, and suggested that ICANN and domain companies are financially incentivized to be uncooperative.

Burke quoted the writer Upton Sinclair: “It is difficult to get a man to understand something when his salary depends on his not understanding it.”

“I have found that’s the case with my interactions with ICANN and certain registries and registrars,” Burke said. “They just don’t want to listen… it’s a money-maker for them right now, it’s not profitable for them to deal with it.”

Marby also “spoke” on the CSTI webinar, but his brief intervention was actually just an out-of-context snippet — the “GDPR is not my fault!” T-shirt speech — taken from a recording of an ICANN webinar back in January and presented — dishonestly in my opinion — as if it had been filmed as a contribution to the CSTI discussion.

His inability to directly respond to Burke live led him to write to the FDA (pdf) a couple of weeks later to dispute some of his claims.

First, Marby said the the FDA does not need to obtain a subpoena to get access to Whois data. Registrars are obliged to respond to “legitimate interest” requests, when balanced against the privacy rights of the registrant, he said. He added:

In a few instances, government agencies have submitted complaints to ICANN Contractual Compliance regarding registrars’ refusal to provide non-public registration data. These agencies were ultimately successful in gaining access to the requested data without having to obtain a subpoena or lawful order.

Second, Marby disputed the financial motivation claims, writing: “ICANN’s leadership’s salaries are in no way tied to or dependent upon domain name registrations.”

Third, he offered a (pretty weak, in my view) defense against the claim that ICANN ignores complaints from government agencies, pointing out: “ICANN is not political and, therefore, takes actions to ensure that the workings of the Internet are not politicized.”

He also pointed out that ICANN operates a system called DNSTICR which monitors reports of DNS abuse related to the pandemic and alerts the relevant registries and registrars.

The problem here is that ICANN’s definition of abuse is pretty narrow and does not extend to web sites that sell industrial bleach as a Covid cure. That would count as “content” and ICANN is not the “content police”.

That’s pretty much what Hermsen says in the latest missive (pdf) in this row.

DNS security threats such as malware and phishing, however, were not what SA Burke was referring to in his presentation. Given the agency’s public health mission, FDA has been working during the pandemic to protect Americans from unproven or fraudulent medical products claiming to treat, cure, prevent, mitigate or diagnose COVID-19…

Given your stated concerns regarding COVID-19-related malware and phishing activity, we trust that you are equally concerned about registrars who may not be following the [Registrar Accreditation Agreement’s] requirements to “investigate” and “respond appropriately” following receipt of notifications about abuse, particularly complaints reporting activity involving COVID-19-related fraud or activity exacerbated the current opioid addiction crisis — especially in light of ICANN’s singular ability to enforce the terms of RAAs.

She also comes back, splitting hairs in my opinion, on the ICANN salaries claim, stating: “SA Burke was not referring to ICANN’s leadership salaries… SA Burke was referring more generally to the substantial source of funding ICANN receives from domain name registries and registrars.”

ICANN has just started work on a Whois Disclosure System that, while pretty weak, may make it slightly easier for government agencies to obtain the data they want.

New gTLDs or Whois access? What’s more important?

Kevin Murphy, May 23, 2022, Domain Policy

Should ICANN focus its resources on getting the next round of new gTLDs underway, or making some baby steps towards a post-GDPR system of Whois access?

That’s a question the community is going to have to address when ICANN 74 rolls around next month, after the ICANN board presented it with a divisive question on two of the industry’s most pressing issues that split the GNSO Council along predictable lines at its monthly meeting last week.

It turns out that ICANN doesn’t have the resources to both design a new “SSAD Light” system for handling Whois requests and also carry on its new gTLDs Operational Design Phase, “SubPro”, at the same time.

If the community wants ICANN staff to start work on SSAD Light, work will be paused on the ODP for at least six weeks, ICANN has said. If they want the system also built, the delay to new gTLDs could be much, much longer.

Intellectual property lawyers are of course keen to at least start undoing some of the damage caused by privacy legislation such as GDRP, while registries and consultants are champing at the bit for another expansion of the gTLD space.

This split was reflected on the Council’s monthly call last week, where registry employees Maxim Alzoba, Kurt Pritz and Jeff Neuman were opposed by IP lawyers Paul McGrady and John McElwaine.

“Six weeks is a sneeze in a hurricane,” McGrady said. “We are right on the cusp of taking first steps to solve a problem that has plagued the Community since GDPR came out. I don’t think a six-week delay on SubPro, which again we’re years into and it looks like will be years to go, is a material change to SubPro… a very minor delay seems well worth it.”

At this point, ICANN is still planning to have the SubPro ODP wrapped up in October, thought it has warned that there could be other unforeseen delays.

Neuman warned that even a six-week pause could provide more than six weeks delay to SubPro. Staff can’t just down tools on one project and pick up again six weeks later without losing momentum, he said.

Pritz seemed to echo this concern. The Registries Stakeholder Group hasn’t finished discussing the issue yet, he said, but would be concerned about anything that caused “inefficiencies” and “switching costs”.

The discussion was pretty brief, and no votes were taken. It seems the conversation will pick up again in The Hague when ICANN meets for its short mid-year public meeting on June 13.

ICANN hasn’t implemented a policy since 2016

Kevin Murphy, January 31, 2022, Domain Policy

It’s been over five years since ICANN last implemented a policy, and many of its ongoing projects are in limbo.

Beggars belief, doesn’t it?

The ongoing delays to new gTLD program policy and the push-back from ICANN on Whois policy recently got me thinking: when was the last time ICANN actually did anything in the policy arena apart from contemplate its own navel?

The Org’s raison d’être, or at least one of them, is to help the internet community build consensus policies about domain names and then implement them, but it turns out the last time it actually did that was in December 2016.

And the implementation projects that have come about since then are almost all frozen in states of uncertainty.

ICANN policies covering gTLD domains are usually initiated by the Generic Names Supporting Organizations. Sometimes, the ICANN board of directors asks the GNSO Council for a policy, but generally it’s a bottom-up, grass-roots process.

The GNSO Council kicks it off by starting a Policy Development Process, managed by working group stocked with volunteers from different and often divergent special interest groups.

After a few years of meetings and mailing list conversations, the working group produces a Final Report, which is submitted to the Council, and then the ICANN board, for approval. There may be one or more public comment periods along the way.

After the board gives the nod, the work is handed over to an Implementation Review Team, made up of ICANN staff and working group volunteers, which converts the policy into implementation, such as enforceable contract language.

The last time an IRT actually led to a GNSO policy coming into force, was on December 1, 2016. Two GNSO consensus policies became active that day, their IRTs having concluded earlier that year.

One was the Thick WHOIS Transition Policy, which was to force the .com, .net and .jobs registries to transition to a “thick” Whois model by February 2019.

This policy was never actually enforced, and may never be. The General Data Protection Regulation emerged, raising complex privacy questions, and the transition to thick Whois never happened. Verisign requested and obtain multiple deferrals and the board formally put the policy on hold in November 2019.

The other IRT to conclude that day was the Inter-Registrar Transfer Policy Part D, which tweaked the longstanding Transfer Dispute Resolution Policy and IRTP to streamline domain transfers.

That was the last time ICANN actually did anything in terms of enforceable, community-driven gTLD policy.

You may be thinking “So what? If the domain industry is ticking over nicely, who cares whether ICANN is making new policies or not?”, which would be a fair point.

But the ICANN community hasn’t stopped trying to make policy, its work just never seems to make the transition from recommendation to reality.

According to reports compiled by ICANN staff, there are 12 currently active PDP projects. Three are in the working group stage, five are awaiting board attention, one has just this month been approved by the board, and three are in the IRT phase.

Of the five PDPs awaiting board action, the average time these projects have been underway, counted since the start of the GNSO working group, is over 1,640 days (median: 2,191 days). That’s about four and a half years.

Counting since final policy approval by the GNSO Council, these five projects have been waiting an average of 825 days (median: 494 days) for final board action.

Of the five, two are considered “on hold”, meaning no board action is in sight. Two others are on a “revised schedule”. The one project considered “on schedule” was submitted to the board barely a month ago.

The three active projects that have made it past the board, as far as the IRT phase, have been there for an average of 1,770 days (median: 2,001 days), or almost five years, counted from the date of ICANN board approval.

So why the delays?

Five of the nine GNSO-completed PDPs, including all three at the IRT stage, relate to Whois policy, which was thrown into confusion by the introduction of the European Union’s introduction of the GDPR legislation in May 2018.

Two of them pre-date the introduction of GDPR in May 2018, and have been frozen by ICANN staff as a result of it, while three others came out of the Whois EPDP that was specifically designed to bring ICANN policy into line with GDPR.

All five appear to be intertwined and dependent on the outcome of the ICANN board’s consideration of the EPDP recommendations and the subsequent Operational Design Assessment.

As we’ve been reporting, these recommendations could take until 2028 to implement, by which time they’ll likely be obsolete, if indeed they get approved at all.

Unrelated to Whois, two PDPs relate to the protection of the names and acronyms of international governmental and non-governmental organizations (IGOs/INGOs).

Despite being almost 10 years old, these projects are on-hold because they ran into resistance from the Governmental Advisory Committee and ICANN board. A separate PDP has been created to try to untangle the problem that hopes to provide its final report to the board in June.

Finally, there’s the New gTLD Subsequent Procedures PDP, which is in its Operational Design Phase and is expected to come before the board early next year, some 2,500 days (almost seven years) after the PDP was initiated.

I’m not sure what conclusions to draw from all this, other than that ICANN has turned into a convoluted mess of bureaucracy and I thoroughly understand why some community volunteers believe their patience is being tested.