Latest news of the domain name industry

Recent Posts

ICANN board not happy with $100 million Whois reform proposals

Kevin Murphy, January 25, 2022, Domain Policy

ICANN’s board of directors has given its clearest indication yet that it’s likely to shoot down community proposals for a new system for handling requests for private Whois data.

Referring to the proposed System for Standardized Access and Disclosure, ICANN chair Maarten Botterman said “the Board has indicated it may not be able to support the SSAD recommendations as a whole”.

In a letter (pdf) to the GNSO Council last night, Botterman wrote:

the complexity and resources required to implement all or some of the recommendations may outweigh the benefits of an SSAD, and thus may not be in the best interests of ICANN nor the ICANN community.

The SSAD would be a centralized way for accredited users such as trademark lawyers, security researchers and law enforcement officers to request access to Whois data that is currently redacted due to privacy laws such as GDRP.

The system was the key recommendation of a GNSO Expedited Policy Development Process working group, but an ICANN staff analysis last year, the Operational Design Phase, concluded that it could be incredibly expensive to build and operate while not providing the functionality the trademark lawyers et al require of it.

ICANN was unable to predict with any accuracy how many people would likely use SSAD. It will this week present its final ODP findings, estimating running costs of between $14 million and $107 million per year and a user base of 25,000 to three million.

At the same time, ICANN has pointed out that its own policies cannot overrule GDPR. Registries and registrars still would bear the legal responsibility to decide whether to supply private data to requestors, and requestors could go to them directly to bypass the cost of SSAD altogether. Botterman wrote:

This significant investment in time and resources would not fundamentally change what many in the community see as the underlying problem with the current process for requesting non-public gTLD registration data: There is no guarantee that SSAD users would receive the registration data they request via this system.

ICANN management and board seem to be teasing the GNSO towards revising and scaling back its recommendations to make SSAD simpler and less costly, perhaps by eliminating some of its more expensive elements.

This moves ICANN into the perennially tricky territory of opening itself up to allegations of top-down policy-making.

Botterman wrote:

Previously, the Board highlighted its perspective on the importance of a single, unified model to ensure a common framework for requesting non-public gTLD registration data. However, in light of what we’ve learned to date from the ODP, the Board has indicated it may not be able to support the SSAD recommendations as a whole as envisioned by the EPDP. The Board is eager to discuss next steps with the Council, as well as possible alternatives to design a system that meets the benefits envisioned by the EPDP

The board wants to know whether the GNSO Council shares its concerns. The two parties will meet via teleconference on Thursday to discuss the matter. The ODP’s final report may be published before then.

ICANN trying to strangle SSAD in the crib?

Kevin Murphy, January 14, 2022, Domain Policy

ICANN is trying to kill off or severely cripple Whois reform because it thinks the project stands to be too expensive, too time-consuming, and not fit for purpose.

That’s what many long-time community members are inferring from recent discussions with ICANN management about the Standardized System for Access and Disclosure (SSAD), a proposed method of normalizing how people request access to private, redacted Whois data.

The community has been left trying to read the tea leaves following a December 20 briefing in which ICANN staff admitted they have failed to even approximately estimate how well-used SSAD, which has been criticized by potential users as pointless, might be.

During the briefing, staff gave a broad range of implementation times and cost estimates, saying SSAD could take up to four years and $27 million to build and over $100 million a year to operate, depending on adoption.

The SSAD idea was thrown together in, by ICANN standards, super-fast time with a super-tenuous degree of eventual consensus by a cross-community Expedited Policy Development Process working group.

One of the EPDP’s three former chairs, Kurt Pritz, a former senior ICANN staffer who’s been heavily involved in community work since his departure from the Org in 2012, provided his read of the December webinar on a GNSO Council discussion this week.

“I’ve sat through a number of cost justification or cost benefit analyses in my life and got a lot of reports, and I’ve never sat through one that more clearly said ‘Don’t do this’,” Pritz said.

GNSO liaison to the Governmental Advisory Committee Jeff Neuman concurred moments later: “It seemed that we could imply from the presentation that that staff was saying ‘Don’t do it’… we should require them to put that in writing.”

“It was pretty clear from the meeting that ICANN Org does not want to build the SSAD. Many people in the community think its estimates are absurdly inflated in order to justify that conclusion,” Milton Mueller of the Internet Governance Project recently wrote of the same webinar.

These assessments seem fair, to the extent that ICANN appears seriously averse to implementing SSAD as the recommendations are currently written.

ICANN repeated the December 20 cost-benefit analysis in a meeting with the GAC this week, during which CEO Göran Marby described the limitations of SSAD, and how it cannot override privacy laws such as the GDPR:

It’s not a bug, it’s a feature of GDPR to limit access to data…

The SSAD is a recommended system to streamline the process of requesting data access. It cannot itself increase access to the data, as this is actually determined by the law. And so, in practice, the SSAD is expected to have little to no impact on the contracted parties’ ultimate disclosure or nondisclosure response to requests… it’s a ticketing system with added functionality.

While Marby stressed he was not criticizing the EPDP working group, that’s still a pretty damning assessment of its output.

Marby went on to reiterate that even if SSAD came into existence, people wanting private Whois data could still request it directly from registries and registrars, entirely bypassing SSAD and its potentially expensive (estimated at up to $45) per-query fees.

It seems pretty clear that ICANN staff is not enthused about SSAD in its current form and there’s a strong possibility the board of directors will concur.

So what does the policy-making community do?

There seems to be an emerging general acceptance among members of the GNSO Council that the SSAD proposals are going to have to be modified in some way in order for them to be approved by the board.

The question is whether these modifications are made preemptively, or whether the GNSO waits for more concrete feedback from Org and board before breaking out the blue pen.

Today, all the GNSO has seen is a few PowerPoint pages outlining the top-line findings of ICANN’s Operational Design Assessment, which is not due to be published in full until the board sees it next month.

Some Council members believe they should at least wait until the full report is out, and for the board to put something on the record detailing its reservations about SSAD, before any changes are made.

The next update on SSAD is an open community session, likely to cover much of the same ground as the GAC and GNSO meetings, scheduled for 1500 UTC on January 18. Details here.

The GNSO Council is then scheduled to meet January 20 for its regular monthly meeting, during which next steps will be discussed. It will also meet with the ICANN board later in the month to discuss its concerns.

Whois reform to take four years, cost up to $107 million A YEAR, and may still be pointless

Kevin Murphy, January 4, 2022, Domain Policy

ICANN’s proposed post-GDPR Whois system could cost over $100 million a year to run and take up to four years to build, but the Org still has no idea whether anyone will use it.

That appears to be the emerging conclusion of ICANN’s very first Operational Design Phase, which sought to translate community recommendations for a Standardized System for Access and Disclosure (SSAD) into a practical implementation plan.

SSAD is supposed to make it easier for people like trademark owners and law enforcement to request personal information from Whois records that is currently redacted due to privacy laws such as GDPR.

The ODP, which was originally meant to conclude in September but will now formally wrap up in February, has decided so far that SSAD will take “three to four years” to design and build, costing between $20 million and $27 million.

It’s calculated the annual running costs at between $14 million and $107 million, an eye-wateringly imprecise estimate arrived at because ICANN has pretty much no idea how many people will want to use SSAD, how much they’d be prepared to pay, and how many Whois requests they will likely make.

ICANN had previously guesstimated startup costs of $9 million and ongoing annual costs around the same level.

The new cost estimates are based on the number of users being anywhere between 25,000 and three million, with the number of annual queries coming in at between 100,000 and 12 million.

And ICANN admits that the actual demand “may be lower” than even the low-end estimate.

“We haven’t been able to figure out how big the demand is,” ICANN CEO Göran Marby told the GNSO Council during a conference call last month.

“Actual demand is unknowable until well after the launch of the SSAD,” an ICANN presentation (pdf) states. The Org contacted 11 research firms to try to get a better handle on likely demand, but most turned down the work for this reason.

On pricing, the ODP decided that it would cost a few hundred bucks for requestors to get accredited into the system, and then anywhere between $0.45 and $40 for every Whois request they make.

Again, the range is so laughably broad because the likely level of demand is unknown. A smaller number of requests would lead to a higher price and vice versa.

Even if there’s an initial flurry of SSAD activity, that could decline over time, the ODP concluded. In part that’s because registries and registrars would be under no obligation to turn over records, even if requestors are paying $40 a pop for their queries.

It’s also because SSAD would not be mandatory — requestors could still approach contracted parties directly for the info they want, for low or no cost, if they think the price of SSAD is too high or accreditation requirements too onerous.

“There’ll always be a free version of this for everybody,” Marby said on the conference call.

In short, it’s a hell of a lot of money for not much functionality. There’s a better than even chance it could be a huge waste of time and money.

An added complication is that the laws that SSAD is supposed to address, mainly GDPR, are likely to change while it’s being implemented. The European Union’s NIS2 Directive stands to move the goalposts on Whois privacy substantially, and not uniformly, in the not-too-distant future, for example.

This is profoundly embarrassing for ICANN as an organization. Created in the 1990s to operate at “internet speed”, it’s now so bloated, so twisted up it its own knickers, that it’s getting lapped by the lumbering EU legislative process.

The ODP is set to submit its final report to ICANN’s board of directors in February. The board could theoretically decide that it’s not in the interest of ICANN or the public to go ahead with it.

Marby, for his part, seems to be thinking that there could be some benefit from a centralized hub for submitting Whois requests, but that it should be simpler than the current “too complex” proposal, and funded by ICANN.

My take is that ICANN is reluctant to move ahead with SSAD as it’s currently proposed, but because top-down policy-making is frowned upon its hands are tied to make the changes it would like to see.

ICANN teases prices for private Whois lookups

Kevin Murphy, November 4, 2021, Domain Policy

ICANN has started to put some flesh on the bones of the forthcoming (?) SSAD system for accessing private Whois records, including teasing some baseline pricing.

During a session at ICANN 72 last week, staffers said responses to recent requests for information put the cost of having an identity verified as an SSAD user at about $10 to $20.

Those are vendor wholesale prices, however, covering the cost of looking at a government-issue ID and making sure it’s legit, and do not include the extra administration and cost-recovery charges that ICANN plans to place on top.

The verification fee would have to be renewed every two years under ICANN’s proposal, though the verification vendors are apparently pushing for annual renewals.

The fee also would not include the likely per-query charge that users will have to pay to request the true personal data behind a redacted Whois record.

It’s not currently anticipated that any money would flow to registrars, CEO Göran Marby said.

SSAD, the Standardized System for Access and Disclosure, is currently undergoing Operational Design Phase work in ICANN, with monthly webinar updates for the community.

ICANN expects to reveal more pricing details on the December webinar, staffers said.

ICANN adds another six months to Whois reform roadmap

Kevin Murphy, November 4, 2021, Domain Policy

ICANN says that its preparatory work for possible Whois reforms will take another six months.

The Operational Design Phase for the System for Standardized Access and Disclosure will now conclude “by the end of February 2022”, ICANN said this week.

That’s after the Org missed its original September deadline after six months of work.

ICANN program manager Diana Middleton said at ICANN 72 last week that ODP had been delayed by various factors including surveys taking longer than expected and throwing up more questions than they answered.

A survey of Governmental Advisory Committee members due September 17 was extended until the end of October.

But she added that ICANN intends to throw its first draft of the output — an Operational Design Assessment — at its technical writers by the end of the month, with a document going before the board of directors in early February.

SSAD is the proposed system that would funnel requests for private Whois data through ICANN, with a new veneer of red tape for those wishing to access such data.

The ODP is ICANN’s brand-new process for deciding how it could be implemented, how much it would cost, and indeed whether it’s worthwhile implementing it at all.

It’s also being used to prepare for the next round of new gTLDs, with a 13-month initial deadline.

The longer the current ODP runs, the greater the cost to the eventual SSAD user.

Whois rule changes that nobody likes get approved anyway

Kevin Murphy, November 3, 2021, Domain Services

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

The appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.

Almost no security researchers asking for Whois records – Tucows

Kevin Murphy, September 29, 2021, Domain Registrars

Security researchers are not asking for private Whois records in anywhere near the numbers you might have been led to believe, according to data released this week by Tucows.

The registrar revealed that it received just one request from the security community between September 2020 and the end of August 2021. That’s not even 1% of the total.

Over the same period, the “commercial litigators” category, presumably including intellectual property interests going after suspected cybersquatters, were behind 87% of requests.

About 9% of requests came from law enforcement agencies, Tucows said.

The company said that it disclosed private registrant data in 74% of cases. It denied the requests in 9% of cases. Other requests were incomplete or abandoned.

Tucows has been offering a Tiered Access service for its Whois records since the General Data Protection Regulation came into effect in May 2018. It has received 4,478 requests since then.

Price of Whois lookups could rise as ICANN delays reform work

Kevin Murphy, September 28, 2021, Domain Policy

ICANN has delayed the conclusion of work on Whois reform, potentially increasing the cost of requesting domain registration data in future.

Back in March, its board of directors gave the Org six months to complete the Operational Design Phase of the so-called SSAD, or System for Standardized Access and Disclosure, but that deadline passed this week.

It appears that ICANN is not even close to concluding its ODP work. No new deadline has been announced, but ICANN intends to talk to the community at ICANN 72 next month.

SSAD is a proposal created by the community and approved — not without controversy — by the GNSO Council. It would essentially create a centralized clearinghouse for law enforcement and intellectual property interests to request private registrant data from registries and registrars.

The ODP is a new process, never before used, whereby ICANN clarifies the community’s intentions and attempts to translate policy recommendations into a roadmap that is feasible and cost-effective to implement.

It seems this process suffered some teething troubles, which are partially responsible for the delays.

But it also appears that ICANN is having a hard time finding potential service provider partners capable of building and operating SSAD all by themselves, raising the prospect of a more complex and expensive piecemeal solution.

It had 17 responses to a recent RFI, but no respondent said it could cover all the bases.

The key sticking point, described by some as a “chicken and egg” problem, is figuring out how many people are likely to use SSAD and how often. If the system is too expensive or fails to deliver results, it will be used less. If it works like a charm and is cost-effective, query volumes would go up.

So ICANN is challenged to gaze into its crystal ball and find a sweet spot, balancing cost, functionality and usage, if SSAD is to be a success. So far, its estimates for usage range from 25,000 users making 100,000 requests a year to 3 million users making 12 million requests.

That’s how far away from concluding its work ICANN is.

Confounding matters, the longer ICANN drags its feet on the ODP phase, the more expensive SSAD is likely to be for the end users who will ultimately wind up paying for it.

In a webinar last week, CEO Göran Marby said that the SSAD project is meant to recover its own costs. Whatever ICANN is spending on the ODP right now is expected to be recouped from access fees when SSAD goes live.

“This should not cost ICANN Org anything,” he said. “The costs should be carried by the user.”

ICANN is working on the assumption that SSAD will eventually happen, but if the ODP decides not to implement SSAD, ICANN will have to eat the costs, he indicated.

When the ICANN board approved this ODP, it did not specify how much money was being allocated to the project.

A second and separate ODP, looking at the next round of new gTLDs, was earlier this month given $9 million to conduct an anticipated 10-month project.

Will you use SSAD for Whois queries?

Kevin Murphy, July 9, 2021, Domain Policy

ICANN is pinging the community for feedback on proposed Whois reforms that would change how people request access to private registrant data.

The fundamental question is: given everything you know about the proposed System for Standardized Access and Disclosure (SSAD), how likely are you to actually use it?

The SSAD idea was dreamed up by a community working group as the key component of ICANN’s response to privacy laws such as GDPR, and was then approved by the Generic Names Supporting Organization.

But it’s been criticized for not going far enough to grant Whois access to the likes of trademark lawyers, law enforcement and security researchers. Some have called it a glorified ticketing system that will cost far more than the value it provides.

Before the policy is approved by ICANN’s board, it’s going through a new procedure called the ODP, for Operational Design Phase, in which ICANN staff, in coordination with the community, attempt to figure out whether SSAD would be cost-effective, or even implementable.

The questionnaire released today will be an input to the ODP. ICANN says it “will play a critical role in assessing the feasibility and associated risks, costs, and resources required in the potential deployment of SSAD.”

There’s only eight questions, and they mostly relate to the volume of private data requests submitted currently, how often SSAD is expected to be used, and what the barriers to use would be.

ICANN said it’s asking similar questions of registries and registrars directly.

There’s a clear incentive here for the IP and security factions within ICANN to low-ball the amount of usage they reckon SSAD will get, whether that’s their true belief or not, if they want ICANN to strangle the system in its crib.

It’s perhaps noteworthy that the potential user groups the questionnaire identifies do not include domain investors nor the media, both of which have perfectly non-nefarious reasons for wanting greater access to Whois data. This is likely because these communities were not represented on the SSAD working group.

You can find the questionnaire over here. You have until July 22.

More non-rules proposed for Whois privacy

Kevin Murphy, June 4, 2021, Domain Policy

An ICANN working group has come up with some extra policy proposals for how registries and registrars handle Whois records, but they’re going to be entirely optional.

The ongoing Expedited Policy Development Process team has come up with a document answering two questions: whether registrars should differentiate between people and companies, and whether there should be a system of uniform, anonymized email addresses published in Whois records.

The answer to both questions is a firm “Maybe”.

The EPDP working group seems to have been split along the usual party lines when it comes to both, and has recommended that contracted parties should get to choose whether they adopt either practice.

Under privacy laws, chiefly GDPR, protections only extend to data on natural persons — people — and not to legal persons such as companies, non-profits and other amorphous entities.

Legally, registries and registrars are not obliged to fully redact the Whois records of domains belonging to companies, but many do anyway because it’s easier than putting systems in place to differentiate the two types of registrant.

There’s also the issue that, even if the owner of the domain is a company, the contact information may belong to a named, identifiable person who is protected by GDPR. So ICANN’s contracted parties may reduce their potential liability by redacting everything, no matter what type of entity the domain belongs to.

The EPDP’s has decided to stick to the status quo it agreed to in an earlier round of policy talks: “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.

Contracted parties will get the option to ask their registrants if they’re a natural person (yes/no/not saying) and capture that data, but they’ll have to redact the answer from public Whois output.

They’d have to “clearly communicate” to their customers the fact that their data will be treated differently depending on the choice they make.

On the second question, related to whether a system standardized, published, anonymized email addresses is feasible or desirable, the EPDP is also avoiding any radical changes:

The EPDP Team recognizes that it may be technically feasible to have a registrant-based email contact or a registration-based email contact. Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time.

Again, the working group is giving registries and registrars the option to implement such systems or not.

The benefit (or drawback, depending on your perspective) of giving each registrant a single anonymous email address that is published in all their Whois records is that it makes it rather easy to reverse-engineer that registrant’s entire portfolio.

If you’re a political insider running a whistle-blower blog, a bar owner who also moderates a forum for closeted gays in a repressive regime, or a domain name news blogger running a furry porn site on the side, you might not want your whole collection of domains to be easily doxxed.

But if you’re a trademark lawyer chasing cybersquatters or a security researcher tracking spammers, being able to take action against a ne’er-do-well’s entire portfolio at once could be hugely useful.

So the EPDP working group proposes to leave it up to individual registries and registrars to decide whether to implement such a system, basically telling these companies to talk to their lawyers.

The EPDP Team recommends that Contracted Parties who choose to publish a registrant- or registration-based email address in the publicly accessible RDDS should ensure appropriate safeguards for the data subject in line with relevant guidance on anonymization techniques provided by their data protection authorities and the appended legal guidance in this recommendation

An appendix to the recommendations, compiled by the law firm Bird & Bird, says there’s “a high likelihood that the publication or automated disclosure of such email addresses would be considered to be the processing of personal data”.

The EPDP recommendations are now open for public comment until July 19, and could become binding if they make it through the rest of the ICANN policy development system.