Recent Posts
- Could ICANN’s chair be ousted by NomCom?
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
ICANN adds another six months to Whois reform roadmap
ICANN says that its preparatory work for possible Whois reforms will take another six months.
The Operational Design Phase for the System for Standardized Access and Disclosure will now conclude “by the end of February 2022”, ICANN said this week.
That’s after the Org missed its original September deadline after six months of work.
ICANN program manager Diana Middleton said at ICANN 72 last week that ODP had been delayed by various factors including surveys taking longer than expected and throwing up more questions than they answered.
A survey of Governmental Advisory Committee members due September 17 was extended until the end of October.
But she added that ICANN intends to throw its first draft of the output — an Operational Design Assessment — at its technical writers by the end of the month, with a document going before the board of directors in early February.
SSAD is the proposed system that would funnel requests for private Whois data through ICANN, with a new veneer of red tape for those wishing to access such data.
The ODP is ICANN’s brand-new process for deciding how it could be implemented, how much it would cost, and indeed whether it’s worthwhile implementing it at all.
It’s also being used to prepare for the next round of new gTLDs, with a 13-month initial deadline.
The longer the current ODP runs, the greater the cost to the eventual SSAD user.
Whois rule changes that nobody likes get approved anyway
ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.
The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.
But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.
The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.
In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.
But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.
The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.
First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?
Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?
The answer on both counts was that it’s up to the registry or registrar to decide.
On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.
On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.
While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.
While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.
Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.
EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.
This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.
The appears to be an understatement.
The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.
The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.
Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.
The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.
IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:
Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.
But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.
The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.
While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:
The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…
With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.
While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:
it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.
The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.
They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.
The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.
The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:
The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.
Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.
The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”
So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.
And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.
Business as usual at the GNSO, in other words.
Almost no security researchers asking for Whois records – Tucows
Security researchers are not asking for private Whois records in anywhere near the numbers you might have been led to believe, according to data released this week by Tucows.
The registrar revealed that it received just one request from the security community between September 2020 and the end of August 2021. That’s not even 1% of the total.
Over the same period, the “commercial litigators” category, presumably including intellectual property interests going after suspected cybersquatters, were behind 87% of requests.
About 9% of requests came from law enforcement agencies, Tucows said.
The company said that it disclosed private registrant data in 74% of cases. It denied the requests in 9% of cases. Other requests were incomplete or abandoned.
Tucows has been offering a Tiered Access service for its Whois records since the General Data Protection Regulation came into effect in May 2018. It has received 4,478 requests since then.
Price of Whois lookups could rise as ICANN delays reform work
ICANN has delayed the conclusion of work on Whois reform, potentially increasing the cost of requesting domain registration data in future.
Back in March, its board of directors gave the Org six months to complete the Operational Design Phase of the so-called SSAD, or System for Standardized Access and Disclosure, but that deadline passed this week.
It appears that ICANN is not even close to concluding its ODP work. No new deadline has been announced, but ICANN intends to talk to the community at ICANN 72 next month.
SSAD is a proposal created by the community and approved — not without controversy — by the GNSO Council. It would essentially create a centralized clearinghouse for law enforcement and intellectual property interests to request private registrant data from registries and registrars.
The ODP is a new process, never before used, whereby ICANN clarifies the community’s intentions and attempts to translate policy recommendations into a roadmap that is feasible and cost-effective to implement.
It seems this process suffered some teething troubles, which are partially responsible for the delays.
But it also appears that ICANN is having a hard time finding potential service provider partners capable of building and operating SSAD all by themselves, raising the prospect of a more complex and expensive piecemeal solution.
It had 17 responses to a recent RFI, but no respondent said it could cover all the bases.
The key sticking point, described by some as a “chicken and egg” problem, is figuring out how many people are likely to use SSAD and how often. If the system is too expensive or fails to deliver results, it will be used less. If it works like a charm and is cost-effective, query volumes would go up.
So ICANN is challenged to gaze into its crystal ball and find a sweet spot, balancing cost, functionality and usage, if SSAD is to be a success. So far, its estimates for usage range from 25,000 users making 100,000 requests a year to 3 million users making 12 million requests.
That’s how far away from concluding its work ICANN is.
Confounding matters, the longer ICANN drags its feet on the ODP phase, the more expensive SSAD is likely to be for the end users who will ultimately wind up paying for it.
In a webinar last week, CEO Göran Marby said that the SSAD project is meant to recover its own costs. Whatever ICANN is spending on the ODP right now is expected to be recouped from access fees when SSAD goes live.
“This should not cost ICANN Org anything,” he said. “The costs should be carried by the user.”
ICANN is working on the assumption that SSAD will eventually happen, but if the ODP decides not to implement SSAD, ICANN will have to eat the costs, he indicated.
When the ICANN board approved this ODP, it did not specify how much money was being allocated to the project.
A second and separate ODP, looking at the next round of new gTLDs, was earlier this month given $9 million to conduct an anticipated 10-month project.
Will you use SSAD for Whois queries?
ICANN is pinging the community for feedback on proposed Whois reforms that would change how people request access to private registrant data.
The fundamental question is: given everything you know about the proposed System for Standardized Access and Disclosure (SSAD), how likely are you to actually use it?
The SSAD idea was dreamed up by a community working group as the key component of ICANN’s response to privacy laws such as GDPR, and was then approved by the Generic Names Supporting Organization.
But it’s been criticized for not going far enough to grant Whois access to the likes of trademark lawyers, law enforcement and security researchers. Some have called it a glorified ticketing system that will cost far more than the value it provides.
Before the policy is approved by ICANN’s board, it’s going through a new procedure called the ODP, for Operational Design Phase, in which ICANN staff, in coordination with the community, attempt to figure out whether SSAD would be cost-effective, or even implementable.
The questionnaire released today will be an input to the ODP. ICANN says it “will play a critical role in assessing the feasibility and associated risks, costs, and resources required in the potential deployment of SSAD.”
There’s only eight questions, and they mostly relate to the volume of private data requests submitted currently, how often SSAD is expected to be used, and what the barriers to use would be.
ICANN said it’s asking similar questions of registries and registrars directly.
There’s a clear incentive here for the IP and security factions within ICANN to low-ball the amount of usage they reckon SSAD will get, whether that’s their true belief or not, if they want ICANN to strangle the system in its crib.
It’s perhaps noteworthy that the potential user groups the questionnaire identifies do not include domain investors nor the media, both of which have perfectly non-nefarious reasons for wanting greater access to Whois data. This is likely because these communities were not represented on the SSAD working group.
You can find the questionnaire over here. You have until July 22.
More non-rules proposed for Whois privacy
An ICANN working group has come up with some extra policy proposals for how registries and registrars handle Whois records, but they’re going to be entirely optional.
The ongoing Expedited Policy Development Process team has come up with a document answering two questions: whether registrars should differentiate between people and companies, and whether there should be a system of uniform, anonymized email addresses published in Whois records.
The answer to both questions is a firm “Maybe”.
The EPDP working group seems to have been split along the usual party lines when it comes to both, and has recommended that contracted parties should get to choose whether they adopt either practice.
Under privacy laws, chiefly GDPR, protections only extend to data on natural persons — people — and not to legal persons such as companies, non-profits and other amorphous entities.
Legally, registries and registrars are not obliged to fully redact the Whois records of domains belonging to companies, but many do anyway because it’s easier than putting systems in place to differentiate the two types of registrant.
There’s also the issue that, even if the owner of the domain is a company, the contact information may belong to a named, identifiable person who is protected by GDPR. So ICANN’s contracted parties may reduce their potential liability by redacting everything, no matter what type of entity the domain belongs to.
The EPDP’s has decided to stick to the status quo it agreed to in an earlier round of policy talks: “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.
Contracted parties will get the option to ask their registrants if they’re a natural person (yes/no/not saying) and capture that data, but they’ll have to redact the answer from public Whois output.
They’d have to “clearly communicate” to their customers the fact that their data will be treated differently depending on the choice they make.
On the second question, related to whether a system standardized, published, anonymized email addresses is feasible or desirable, the EPDP is also avoiding any radical changes:
The EPDP Team recognizes that it may be technically feasible to have a registrant-based email contact or a registration-based email contact. Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time.
Again, the working group is giving registries and registrars the option to implement such systems or not.
The benefit (or drawback, depending on your perspective) of giving each registrant a single anonymous email address that is published in all their Whois records is that it makes it rather easy to reverse-engineer that registrant’s entire portfolio.
If you’re a political insider running a whistle-blower blog, a bar owner who also moderates a forum for closeted gays in a repressive regime, or a domain name news blogger running a furry porn site on the side, you might not want your whole collection of domains to be easily doxxed.
But if you’re a trademark lawyer chasing cybersquatters or a security researcher tracking spammers, being able to take action against a ne’er-do-well’s entire portfolio at once could be hugely useful.
So the EPDP working group proposes to leave it up to individual registries and registrars to decide whether to implement such a system, basically telling these companies to talk to their lawyers.
The EPDP Team recommends that Contracted Parties who choose to publish a registrant- or registration-based email address in the publicly accessible RDDS should ensure appropriate safeguards for the data subject in line with relevant guidance on anonymization techniques provided by their data protection authorities and the appended legal guidance in this recommendation
An appendix to the recommendations, compiled by the law firm Bird & Bird, says there’s “a high likelihood that the publication or automated disclosure of such email addresses would be considered to be the processing of personal data”.
The EPDP recommendations are now open for public comment until July 19, and could become binding if they make it through the rest of the ICANN policy development system.
IP lobby demands halt to Whois reform
Trademark interests in the ICANN community have called on the Org to freeze implementation of the latest Whois access policy proposals, saying it’s “not yet fit for purpose”.
The Intellectual Property Constituency’s president, Heather Forrest, has written (pdf) to ICANN chair Maarten Botterman to ask that the so-called SSAD system (for Standardized System for Access and Disclosure) be put on hold.
SSAD gives interested parties such as brands a standardized pathway to get access to private Whois data, which has been redacted by registries and registrars since the EU’s Generic Data Protection Regulation came into force in 2018.
But the proposed policy, approved by the GNSO Council last September, still leaves a great deal of discretion to contracted parties when it comes to disclosure requests, falling short of the IPC’s demands for a Whois that looks a lot more like the automated pre-GDPR system.
Registries and registrars argue that they have to manually verify disclosure requests, or risk liability — and huge fines — under GDPR.
The IPC has a few reasons why it reckons ICANN should slam the brakes on SSAD before implementation begins.
First, it says the recommendations sent to the GNSO Council lacked the consensus of the working group that created them.
Intellectual property, law enforcement and security interests — the likely end users of SSAD — did not agree with big, important chucks of the working group’s report. The IPC reckons eight of the 18 recommendations lacked a sufficient degree of consensus.
Second, the IPC claims that SSAD is not in the public interest. If the entities responsible for “policing the DNS” don’t think they will use SSAD due to its limitations, then why spend millions of ICANN’s money to implement it?
Third, Forrest writes that emerging legislation out of the EU — the so-called NIS2, a draft of a revised information security directive —- puts a greater emphasis on Whois accuracy
Forrest concludes:
We respectfully request and advise that the Board and ICANN Org pause any further work relating to the SSAD recommendations in light of NIS2 and given their lack of community consensus and furtherance of the global public interest. In light of these issues, the Board should remand the SSAD recommendations to the GNSO Council for the development of modified SSAD recommendations that meet the needs of users, with the aim of integrating further EU guidance.
It seems the SSAD proposals will be getting more formal scrutiny than previous GNSO outputs.
When the GNSO Council approved the recommendations in September, it did so with a footnote asking ICANN to figure out whether it would be cost-effective to implement an expensive — $9 million to build, $9 million a year to run — system that may wind up being lightly used.
ICANN has now confirmed that SSAD and the other Whois policy recommendations will be one of the first recipients of the Operational Design Phase (pdf) treatment.
The ODP is a new, additional layer of red tape in the ICANN policy-making sausage machine that slots in between GNSO Council approval and ICANN board consideration, in which the Org, in collaboration with the community, tries to figure out how complex GNSO recommendations could be implemented and what it would cost.
ICANN said this week that the SSAD/Whois recommendations will be subject to a formal ODP in “the coming months”.
Any question about the feasibility of SSAD would be referred back to the GNSO, because ICANN Org is technically not supposed to make policy.
Public comments open on new Whois policies
It’s your last chance to comment on ICANN’s proposed revisions to Whois policy.
ICANN has opened up public comments on what it opaquely calls EPDP Phase 2 Policy Recommendations for Board Consideration.
Why it just can’t use the term “Whois access”, or announce its public comment periods in layman’s terms is beyond me. Doesn’t it want public comments? Still, translating this nonsense into English keeps me in work, so I guess I won’t complain too hard.
The main feature of the proposed policy is a multi-tiered, somewhat centralized system for requesting access to Whois data about private registrants that has been redacted since the EU’s General Data Protection Regulation came into effect in May 2018.
It’s called SSAD, for System for Standardized Access and Disclosure, which was pieced together by a working group of community volunteers over a year.
Domain companies are generally okay with the compromise it represents, but intellectual property interests and others who would actually use the system think it’s a useless waste of money.
It’s expected to cost $9 million to build and $9 million a year to run.
There’s so much uncertainty about the system that in parallel with the public comments ICANN is also consulting with the GNSO Council, which approved the proposals in September, to figure out whether it’s even workable, and with the European Commission to figure out if it’s even legal.
After the public comment period closes on March 30, the comments will be compiled by ICANN staff and burned on a big fire sent to the ICANN board for final approval.
US sneaks public Whois demands into pandemic relief bill
Outgoing US president Donald Trump has signed into law a coronavirus relief bill and spending package that contains a surprise instruction for the government to pursue open access to Whois records.
The Consolidated Appropriations Act of 2021 is focused on federal spending for fiscal 2021, with billions set aside for pandemic-related economic stimulus. It’s the bill you may recall Trump refused to sign for several days on the purported basis that it only provided Americans with a piddling $600 check.
An accompanying document contains encouragement for the National Telecommunications and Information Administration to “to require registrars and registries based in the United States to collect and make public accurate domain name registration information”.
It also asks the NTIA to continue to work within ICANN’s Governmental Advisory Committee to help create “a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information”.
The text can be found in a joint explanatory statement (pdf) accompanying the act. It’s not on the statute books as such, but it does tell NTIA how to spend the money it’s been allocated.
The full text relevant to the domain name industry reads:
NTIA is directed, through its position within the Governmental Advisory Committee o work with I CANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes. NTIA is encouraged, as appropriate, to require registrars and registries based in the United States to collect and make public accurate domain name registration information.
As ICANN notes in its analysis, the first sentence is not telling NTIA to do anything it hasn’t been doing since the European Union’s General Data Protection Regulation came into effect two and a half years ago.
The NTIA and GAC have been involved in efforts to create a privacy workaround for rights holders and law enforcement, which in September came up with the widely panned SSAD proposals. ICANN is currently pleading with the EU for clarity on whether it would even be legal.
The second sentence is perhaps a bit more worrying, dangling as it does the possibility of American registries and registrars having to either break EU law or implement a much more complex Whois infrastructure.
But, as ICANN notes, the words “encouraged, as appropriate” are doing a lot of heavy lifting in that sentence, saying “encouragement is aspirational; it is not a mandate”.
However, ICANN appears to be treating it as a warning shot, with head of compliance Jamie Hedlund writing:
It appears to hint that if NTIA and the ICANN community can’t develop a robust access model, Congress could entertain more forceful measures that would impose requirements on U.S.-based registries and registrars to collect and publish domain name registration information.
It seems the NTIA has the wink to cause mischief, should ICANN not deliver what intellectual property lobbyists want.
Whois privacy group finds its new chair
Verisign’s top policy veep is set to become the third chair of the ICANN working group looking at Whois policy in the post-GDPR world.
Keith Drazek has been recommended to head the long-running group, known as the EPDP, and the GNSO Council is due to vote on his appointment next week. He’s likely to be a shoo-in.
He’s VP of policy and government relations at the .com registry, and a long-standing member of the ICANN policy-making community.
I recently opined that ICANN was looking for a “masochistic mug” to chair the group. Drazek was until October the chair of the GNSO Council, and is therefore perfectly qualified for the role.
The third phase of the EPDP process, which in typical ICANNese is denominated “phase 2a”, is likely to be slightly less controversial than the first two.
The EPDP has already decided that ICANN should probably create a Standardized System for Access and Disclosure — SSAD — that may enable law enforcement and intellectual property owners to get their hands on unredacted Whois records.
But governments, IP interests and others have already dismissed the plan as useless, and there’s still a big question mark over whether SSAD is too complex and expensive to be worth implementing.
In the third phase, EPDP members will be discussing rules on distinguishing between legal and natural persons when record-holders decide what info to make public, and whether there should be a standardized system of unique, anonymized email forwarders to contact domain registrants.
They’re both less divisive topics than have been previously addressed, but not without the potential for fireworks.
The email issue, for example, could theoretically enable people to harvest a registrant’s entire portfolio of domains, something very useful for law enforcement and IP lawyers but abhorrent to privacy advocates.
The previous two phases were chaired by Kurt Pritz and Janis Karklins, with Rafik Dammak acting as vice-chair.
Recent Comments