Recent Posts
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
Marby ponders emergency powers to avoid fragmented Whois
ICANN could invoke emergency powers in its contracts to prevent Whois becoming “fragmented” after EU privacy laws kick in next month.
That’s a possibility that emerged during a DI interview with ICANN CEO Goran Marby yesterday.
Marby told us that he’s “cautiously optimistic” that European data protection authorities will soon provide clear guidance that will help the domain industry become compliant with the General Data Protection Regulation, which becomes fully effective May 25.
But he said that a lack of such guidance will lead to a situation where different companies provide different levels of public Whois.
“It’s a a high probability that Whois goes fragmented or that Whois will be in a sort of ‘thin’ model in which very little information is collected and very little information is displayed,” he said. “That’s a sort of worst-case scenario.”
I should note that the interview was conducted yesterday before news broke that Afilias has become the first major gTLD registry to announce its Whois output will be essentially thin — eschewing all registrant contact data — from May 25.
Marby has asked European DPAs for two things.
First, guidance on whether its “Cookbook” proposal for a dramatically scaled-back, GDPR-compliant Whois is in fact GDPR-compliant.
Second, an enforcement moratorium while registries and registrars actually go about implementing the Cookbook.
“If we don’t get guidance that’s clear enough, we will see a fragmented Whois. If we get guidance that is clear enough we can work it out,” Marby said.
A moratorium could enable Whois to carry on in its current state, or something close to it, while ICANN goes about creating a new policy that fits with the DPA’s guidance.
If the DPAs refuse a moratorium, we’re looking at a black hole of indeterminate duration during which nobody — not even law enforcement or self-appointed trademark cops — can easily access full Whois records.
“It’s not something I can do anything about, it’s really in the hands of the DPAs,” Marby said. “Remember that it’s the law.”
While ICANN has expended most of its effort to date on creating a model for the public Whois, there’s a parallel effort to create an accreditation program that would enable organizations with “legitimate purposes” to access full, or at least more complete, Whois records.
It’s the IP lawyers that are driving this effort, primarily, terrified that their ability to hunt down cybersquatters and bootleggers will be diminished come May 25.
ICANN has so far resisted calls to endorse the so-called “Cannoli” draft accreditation model, with Marby publicly saying that it needs cross-community support.
But the organization has committed staff support resources to discussion of Cannoli. There’s a new mailing list and there will be a community conference call this coming Friday at 1400 UTC.
Marby said that he shares the worries of the IP community, adding: “If we get the proper guidance from the DPAs, we will know how to sort out the accreditation model.”
He met with the Article 29 Working Party, comprised of DPAs, last week; the group agreed to put Whois on its agenda for its meeting next week, April 10-11.
The fact that it’s up for discussion is what gives Marby his cautious optimism that he will get the guidance he needs.
Assuming the DPAs deliver, ICANN is then in the predicament of having to figure out a way to enforce, via its contracts, a Whois system that is compliant with the DPAs’ interpretation of GDPR.
Usually, this would require a GNSO Policy Development Process leading to a binding Consensus Policy.
But Marby said ICANN’s board of directors has other options, such as what he called an “emergency policy”.
This is a reference, I believe, to the “Temporary Policies” clauses, which can be found in the Registrar Accreditation Agreement and Registry Agreement.
Such policies can be mandated by a super-majority vote of the board, would have to be narrowly tailored to solve the specific problem at hand, and could be in effect no longer than one year.
A temporary policy could be replaced by a compatible, community-created Consensus Policy.
It’s possible that a temporary policy could, for example, force Afilias and others to reverse their plans to switch to thin Whois.
But that’s perhaps getting ahead of ourselves.
Fact is, the advice the DPAs provide following their Article 29 meeting next week is what’s going to define Whois for the foreseeable future.
If the guidance is clear, the ICANN organization and community will have their direction of travel mapped out for them.
If it’s vague, wishy-washy, and non-committal, then it’s likely that only the European Court of Justice will be able to provide clarity. And that would take many years.
And whatever the DPAs say, Marby says it is “highly improbable” that Whois will continue to exist in its current form.
“The GDPR will have an effect on the Whois system. Not everybody will get access to the Whois system. Not everybody will have as easy access as before,” he said.
“That’s not a bug, that’s a feature of the legislation,” he said. “That’s not ICANN’s fault, it’s what the legislator thought when it made this legislation. It is the legislators’ intention to make sure people’s data is handled in a different way going forward, so it will have an effect.”
The community awaits the DPAs’ guidance with baited breath.
Registrars will miss GDPR deadline by a mile
Registries and registrars won’t be able to implement ICANN’s proposed overhaul of the Whois system in time for the EU’s General Data Protection Regulation coming into effect.
That’s according to an estimated timetable (pdf) sent by ICANN’s contracted parties to the organization this week.
While they feel confident that some elements of ICANN’s GDPR compliance plan could be in place before May 25 this year, when the law kicks in, they feel that other elements could take many months to design and roll out.
Depending on the detail of the finalized plan, we could be looking at the back end of 2019 before all the pieces have been put in place.
Crucially, the contracted parties warn that designing and rolling out a temporary method for granting Whois access to entities with legitimate interests in the data, such as police and trademark owners, could take a year.
And that’s just the stop-gap, Band-Aid hack that individual registries and registrars would put in place while waiting — “quarters (or possibly years), rather than months” — for a fully centralized ICANN accreditation solution to be put in place.
The outlook looks bleak for those hoping for uninterrupted Whois access, in other words.
But the timetable lists many other sources of potential delay too.
Even just replacing the registrant’s email address with a web form or anonymized forwarding address could take up to four months to put online, the contracted parties say.
Generally speaking, the more the post-GDPR Whois differs from the current model the longer the contracted parties believe it will take to roll out.
Likewise, the more granular the controls on the data, the longer the implementation window.
For example, if ICANN forces registrars to differentiate between legal and natural persons, or between European and non-European registrants, that’s going to add six months to the implementation time and cost a bomb, the letter says.
Anything that messes with EPP, the protocol underpinning all registry-registrar interactions, will add some serious time to the roll-out too, due to the implementation time and the contractual requirement for a 90-day notice period.
The heaviest workload highlighted in the letter is the proposed opt-in system for registrants (such as domain investors) who wish to waive their privacy rights in favor of making themselves more contactable.
The contracted parties reckon this would take nine months if it’s implemented only at the registrar, or up to 15 months if coordination between registries and registrars is required (and that timeline assumes no new EPP extensions are going to be needed).
It’s possible that the estimates in the letter could be exaggerated as part of the contracted parties’ efforts to pressure ICANN to adopt the kind of post-GDPR Whois they want to see.
But even if we assume that is the case, and even if ICANN were to finalize its compliance model tomorrow, there appears to be little chance that it will be fully implemented at all registrars and registries in time for May 25.
The letter notes that the timetable is an estimate and does not apply to all contracted parties.
As I blogged earlier today, ICANN CEO Goran Marby has this week reached out to data protection authorities across the EU for guidance, in a letter that also asks the DPAs for an enforcement moratorium while the industry and community gets its act together.
Late last year, ICANN also committed not to enforce the Whois elements of its contracts when technical breaches are actually related to GDPR compliance.
ICANN chief begs privacy watchdogs for Whois advice
ICANN CEO Goran Marby has written to the data protection authorities of all 28 European Union states, along with the European Data Protection Supervisor, to ask for guidance on how to implement new privacy laws.
Marby also asked the DPAs about the possibility of an enforcement moratorium, to give the domain industry and ICANN more time to formulate their collective response to the General Data Protection Regulation.
GDPR, which aims to give EU citizens more control over their personal data, comes into full effect May 25. Companies that break the rules face fines that could amount to millions of euros.
But ICANN does not yet have a firm plan for bringing the distributed Whois system into compliance with GDPR, and has repeatedly indicated that it needs guidance from European DPAs.
“ICANN and more than a thousand of the domain names registries and registrars are at a critical juncture,” Marby wrote (pdf).
“We need specific guidance from European data protection authorities in order to meet the needs of the global internet stakeholder community, including governments, privacy authorities, law enforcement agencies, intellectual property holders, cybersecurity experts, domain name registries, registrars, registrants and ordinary internet users,” he wrote.
ICANN has already written a proposal — known as the “Cookbook” and sent to DPAs three weeks ago — for how gTLD registrars and registries could comply with GDPR by removing most fields from public Whois records.
But Marby’s letter points out that many ICANN community members think the Cookbook either goes too far or not far enough.
As we reported a week ago, the Governmental Advisory Committee and Intellectual Property Constituency are not convinced ICANN needs to chop quite as much info from the public Whois as it’s currently planning.
But on the flipside, there are privacy advocates who think far less data should be collected on registrants and fundamentally question ICANN’s power to mandate public Whois access in its registry and registrar contracts.
Both sides of the debate are referenced in the letter.
“Guidance from DPAs on ICANN’s plan of action as presented in the Cookbook, and in particular, the areas where there are competing views, is critical as soon as possible, but particularly during the next few weeks,” Marby wrote.
Whether ICANN will get the answers it needs on the timetable it needs them is open to debate.
Many community members expressed skepticism about whether the DPAs’ commitment to the urgency of the issue matches ICANN’s own, during ICANN 61 earlier this month.
There seemed to be little confidence that the DPAs’ responses, should ICANN receive any, will provide the clarity the industry needs.
It may also be bad timing given the unrelated Cambridge Analytica/Facebook scandal, which appears to be consuming the attention of some European DPAs.
Privacy could be a million-dollar business for ICANN
ICANN has set out the fees it plans to charge to officially accredit Whois proxy and privacy services, in the face of resistance from some registrars.
VP of finance Becky Nash told registrars during a session at ICANN 61 last week that they can expect to pay $3,500 for their initial accreditation and $4,000 per year thereafter.
Those are exactly the same fees as ICANN charges under its regular registrar accreditation program.
Registrars that also offer privacy should expect to see their annual ICANN flat fees double, in other words. Per-domain transaction fees would be unaffected.
The up-front application fee would be reduced $2,000 when the privacy service is to be offered by an accredited registrar, but it would stay at $3,500 if the company offering service is merely “affiliated” with the registrar.
Nash said all the fees have been calculated on a per-accreditation basis, independent of the volume of applications ICANN receives.
Director of registrar services Jennifer Gore said that while ICANN has not baked an estimate of the number of accredited providers into its calculations, registrars have previously estimated the number at between 200 and 250 companies.
That would put the upper end of annual accreditation fees at $1 million, with $875,000 up-front for initial applications.
Volker Greimann, general counsel of the registrar Key-Systems, pointed out during the session that many registrars give away privacy services for free or at cost.
“This just adds cost to an already expensive service that does not really make money for a lot of providers,” he said.
He suggested that the prices could lead to unexpected negative consequences.
“Pricing this in this region will just lead to a lot of unaccredited providers that will switch names every couple months, an underground that we don’t really want,” he said. “We want to have as many people on board as possible and the way to do that is to keep costs low.”
“Pricing them out of the market is not the way to attract providers to join this scheme,” he said.
Nash responded that registrars are forbidden under the incoming privacy/proxy policy from accepting registrations from unaccredited services.
She added that the fees have been calculated on a “cost-recovery” basis. Costs include the initial background checks, outreach, contract admin, compliance, billing and so on.
But some registrars expressed skepticism that the proposed fees could be justified, given that ICANN does not plan to staff up to administer the program.
Another big question is whether proxy/privacy services are going to continue to have value after May this year, when the European Union’s General Data Protection Regulation kicks in.
The current ICANN plan for GDPR compliance would see individual registrants have all of their private information removed from the public Whois.
It’s not currently clear how many people and what kinds of people will continue to have access to unmasked Whois, so there are likely still plenty of cases where individuals might feel they need an extra layer of protection — if they live in a dictatorship and are engaged in rebellious political speech, for example.
There could also be cases where companies wish to mask their details ahead of, say, a product launch.
And, let’s face it, bad actors will continue to want to use privacy services on domains they intend to misuse.
The proxy/privacy policy came up through the formal GNSO Policy Development Process and was approved two years ago. It’s currently in the implementation phase.
According to a presentation from the ICANN 61 session, ICANN hopes to put the final implementation plan out for public comment by the end of the month.
Now Latvia guts Whois to comply with GDPR
Latvia has become the latest country to announce plans to cut back on Whois provision to comply with incoming European Union privacy law.
Its .lv ccTLD is the first I’m aware of to announce that it plans to cut back on the amount of data it actually collects in addition to how much it publishes.
NIC.lv said it will not longer require registrants to submit one postal address, instead of two. It will not longer require a something called a “fax” number, whatever that is, either.
The registry currently does not publish the names or physical addresses of its natural person registrants, but following the introduction of the General Data Protection Regulation in May it will stop publishing telephone numbers and email addresses too.
It will instead present a form that can be used to contact the registrant, a little like ICANN is proposing for gTLDs.
The company also plans to rate-limit Whois queries to mitigate harvesting.
The proposed changes are open for comments until April 12.
.lv has about 120,000 domains under management, according to its web site.
Austria to stop publishing most Whois data
Austrian ccTLD operator nic.at will no longer publish any Whois information for individual registrants, in order to comply with incoming EU privacy law.
“Natural persons’ data will no longer be published from mid-May 2018,” the company said today.
Data concerning legal entities such as companies will continue to be published, it added.
The move is of course an effort to become compliant with the General Data Protection Regulation, which currently has the industry scrambling around in the dark looking for ways avoid avoid millions of euros of potential fines.
nic.at will continue to collect the private data of individual registrants, but it will only publish technical information such as the name of the registrar and name servers in response to public Whois queries.
Companies will have their names and addresses published, but will have the option to have their email address and phone number hidden.
nic.at said it will disclose records to “law enforcement agencies, lawyers or people who contact nic.at following domain disputes and can prove that their rights have been infringed”.
People will be able to opt-in to having their information published
It’s arguably a more Draconian implementation of GDPR than the one proposed by ICANN for gTLDs, but it appears to be in line with plans already announced by Nominet for .uk and DENIC for .de.
Whois privacy will soon be free for most domains
Enormous changes are coming to Whois that could mark the end of Whois privacy services this year.
ICANN has proposed a new Whois model that would anonymize the majority of domain name registrants’ personal data by default, only giving access to the data to certain certified entities such as the police.
The model, published on Friday and now open for comment, could change in some of the finer details but is likely being implemented already at many registries and registrars.
Gone will be the days when a Whois lookup reveals the name, email address, physical address and phone number of the domain’s owner.
After the model is implemented, Whois users will instead merely see the registrant’s state/province and country, organization (if they have one) and an anonymized, forwarding email address or web form for contact purposes.
Essentially, most Whois records will look very much like those currently hiding behind paid-for proxy/privacy services.
Technical data such as the registrar (and their abuse contact), registration and expiry dates, status code, name servers and DNSSEC information would still be displayed.
Registrants would have the right to opt in to having their full record displayed in the public Whois.
Anyone wanting to view the full record would have to be certified in advance and have their credentials stored in a centralized clearinghouse operated by or for ICANN.
The Governmental Advisory Committee would have a big hand in deciding who gets to be certified, but it would at first include law enforcement and other governmental agencies.
This would likely be expanded in future to include the likes of security professionals and intellectual property lawyers (still no word from ICANN how the legitimate interests of the media or domain investors will be addressed) but there could be a window in which these groups are hamstrung by a lack of access to thick records.
The proposed model is ICANN’s attempt to bring Whois policy, which is enforced in its contracts with registries and registrars, into line with GDPR, the European Union’s General Data Protection Regulation, which kicks in fully in May.
The model would apply to all gTLD domains where there is some connection to the European Economic Area.
If the registrar, registry, registrant or a third party processor such as an escrow agent is based in the EEA, they will have to comply with the new Whois model.
Depending on how registrars implement the model in practice (they have the option to apply it to all domains everywhere) this means that the majority of the world’s 188 million gTLD domains will probably be affected.
While GDPR applies to only personal data about actual people (as opposed to legal persons such as companies), the ICANN model makes no such distinction. Even domains owned by legal entities would have their records anonymized.
The rationale for this lack of nuance is that even domains owned by companies may contain personal information — about employees, presumably — in their Whois records.
Domains in ccTLDs with EEA connections will not be bound to the ICANN model, but will rather have to adopt it voluntarily or come up with their own ways to become GDPR compliant.
The two largest European ccTLDs — .uk and Germany’s .de, which between them account for something like 28 million domains — last week separately outlined their plans.
Nominet said that from May 25 it will no longer publish the name or contact information of .uk registrants in public Whois without their explicit consent. DENIC said something similar too.
Here’s a table of what would be shown in public Whois, should the proposed ICANN model be implemented.
[table id=50 /]
The proposal is open for comment, with ICANN CEO Goran Marby requesting emailed input before the ICANN 61 public meeting kicks off in Puerto Rico this weekend.
With just a couple of months left before the law, with its huge fines, kicks in, expect GDPR to be THE hot topic at this meeting.
ICANN would reject call for “diversity” office
ICANN’s board of directors would reject a call for an “Office of Diversity”, due to its current budget crunch.
The board said as much in remarks filed to a public comment period that got its final report this week.
The report of the CCWG-Accountability Work Stream 2 working group had recommended several potential things ICANN could do to improve diversity in the community, largely focused on collecting and publishing data on diversity.
“Diversity” for the purposes of the recommendations does not have the usual racial connotations of the word. Instead it means: geography, language, gender, age, physical disability, skills and stakeholder group.
Some members of the working group had proposed an independent diversity office, to ensure ICANN sticks to diversity commitments, but this did not gain consensus support and was not a formal recommendation.
Some commenters, including (in a personal capacity) a current vice chair of the Governmental Advisory Committee and a former ICANN director, had echoed the call for an office of diversity.
But ICANN’s board said it would not be able to support such a recommendation:
Given the lack of clarity around this office, lack of consensus support within the subgroup (and presumably within the CCWG-Accountability and the broader community), and noting the previously-mentioned budget and funding constraints and considerations, the Board is not in a position to accept this item if it were to be presented as a formal consensus-based recommendation
In general terms, it encouraged the working group to consider ICANN’s “limited funding” when it makes its final recommendations.
It added that it may be difficult for ICANN to collect personal data on community members, in light of the General Data Protection Regulation, the EU privacy law that kicks in this May.
All the comments on the report can be found here.
Why are you doing that Whois search? DENIC wants to know
In a taste of what might be coming under EU privacy legislation, DENIC wants you to jump through some new hoops before it lets you see Whois data.
When doing a Whois query on its web site today, the German ccTLD registry first asks you to answer the question: “How do you justify your legitimate interest in accessing the whois data?”
It’s a multiple-choice question, with an extra field for typing in your reasons for doing the query.
Possible answers include “because you think that the use of the domain raises a legal problem”, which appears to be for trademark lawyers, and “because you want to collect information about the domain holder for business purposes”, which appears to be for domainers.
There’s no wrong answer that will deny you access to the Whois record you want to see, but users are warned that their use of Whois data is only to be for “legitimate purposes”, under pain of legal action.
A DENIC spokesperson told DI that the new system was introduced today “for statistical reasons”
“Its aim is just to get a better idea of the DENIC whois usage pattern and of the extent to which different user groups are utilising the extended service,” she said.
The move should be viewed in the context of the incoming General Data Protection Regulation, an EU privacy law that becomes fully implemented in May this year.
While there’s been a lot of focus on how this will effect ICANN and its harem of contracted gTLDs, it’s easy to forget that it affects ccTLDs just as much.
By conducting this mandatory survey of real Whois users, DENIC will presumably be able to gather some useful data that will inform how it stays GDPR-compliant after May.
US and EU call for Whois to stay alive
Government officials from both sides of the Atlantic have this week called on ICANN to preserve Whois as it currently is, in the face of incoming EU privacy law, at least for a select few users.
The European Commission wrote to ICANN to ask for a “pragmatic and workable solution” to the apparent conflict between the General Data Protection Regulation and the desire of some folks to continue to access Whois as usual.
Three commissioners said in a letter (pdf) that special consideration should be given to “public interests” including “ensuring cybersecurity and the stability of the internet, preventing and fighting crime, protecting intellectual property and copyright, or enforcing consumer protection measures”.
David Redl, the new head of the US National Telecommunications and Information Administration, echoed these concerns in a speech at the State of the Net conference in Washington DC on Monday.
Redl said that the “preservation of the Whois service” is one of NTIA’s top two priorities at the moment. The other priority is pressing for US interests in the International Telecommunications Union, he said.
Calling Whois “a cornerstone of trust and accountability for the Internet”, Redl said the service “can, and should, retain its essential character while complying with national privacy laws, including the GDPR.”
“It is in the interests of all Internet stakeholders that it does,” he said. “And for anyone here in the US who may be persuaded by arguments calling for drastic change, please know that the US government expects this information to continue to be made easily available through the Whois service.”
He directly referred to the ability of regular internet users to access Whois for consumer protection purposes in his speech.
The European Commission appears to be looking at a more restrictive approach, but it did offer some concrete suggestions as to how GDPR compliance might be achieved.
For example, the commissioners’ letter appears to give tacit approval to the idea of “gated” access to Whois, but called for access by law enforcement to be streamlined and centralized.
It also suggests throttling as a mechanism to reduce abuse of Whois data, and makes it clear that registrants should always be clearly informed how their personal data will be used.
The deadline for GDPR compliance is May this year. That’s when the ability of EU countries to start to levy fines against non-compliant companies, which could run into millions of euros, kicks in.
While ICANN has been criticized by registries and registrars for moving too slowly to give them clarity on how to be GDPR-compliant while also sticking to the Whois provisions of their contracts, its pace has been picking up recently.
Two weeks ago it called for comments on three possible Whois models that could be used from May.
That comment period ended on Monday, and ICANN is expected to publish the model upon which further discussions will be based today.
Recent Comments