Whois privacy talks in Bizarro World as governments and trademark owners urge coronavirus delay

Coronavirus may have claimed another victim at ICANN — closure on talks designed to reopen private Whois data to the likes of law enforcement and trademark owners.

In a remarkable U-turn, the Governmental Advisory Committee, which has lit a series a fires under ICANN’s feet on this issue for over a year, late last week urged that the so-called Expedited Policy Development Process on Whois should not wrap up its work in June as currently planned.

This would mean that access to Whois data, rendered largely redacted worldwide since May 2018 due to the GDPR regulation in Europe, won’t be restored to those who want it as quickly as they’ve consistently said that they want it.

Surprisingly (or perhaps not), pro-access groups including the Intellectual Property Constituency and Business Constituency sided with the GAC’s request.

In an email to the EPDP working group’s mailing list on Thursday, GAC chair Manal Ismail indicated that governments simply don’t have the capacity to deal with the issue due to the coronavirus pandemic:

In light of the COVID-19 pandemic, and its drastic consequences on governments, organizations, private sector and individuals worldwide, I would like to express our serious concerns, as GAC leaders, that maintaining the current pace of work towards completion of Phase 2 by mid-June could jeopardize the delivery, efficacy and legitimacy of the EPDP’s policy recommendations.

While recognizing that the GAC has continually advised for swiftly completing policy development and implementing agreed policy on this critical public policy matter, we believe that given the current global health emergency, which puts many in the EPDP and the community under unprecedented stress (for example governments has been called to heightened duties for the continuity of essential public services), pressing important deliberations and decisions in such a short time frame on already strained participants would mean unacceptably sacrificing the product for the timeline.

We understand there are budget and human resources considerations involved in the completion of Phase 2 of the EPDP. However, we are all living through a global health pandemic, so we call on the EPDP Team to seriously reassess its course and expectations (be it on the duration of its calls, the turn-around time of reviews, its ultimate timeline and budget) emulating what numerous governments, global organizations, and households are doing to adapt during these challenging times across the world.

In April last year, before the EPDP group had even formally started its current phase of talks, Ismail wrote to ICANN to say the GAC expected the discussions to be more or less wrapped up by last November and that the new policy be implemented by this April.

Proponents of the access model such as Facebook have taken to suing registrars for not handing over Whois data in recent months, impressing the need for the issue to be urgently resolved.

So to now request a delay beyond June is a pretty big U-turn.

While Ismail later retracted her request for delay last Thursday, it was nevertheless discussed by the working group that same day, where the IPC, the BC and the ALAC all expressed support for the GAC’s position.

The registrars and registries, the non-commercial users and the ISPs were not supportive.

Delay might be tricky. For starters, hard-sought neutral working group chair Janis Karklins, has said he can’t continue working on the project beyond June 30, and the group has not secured ICANN funding for any further extensions to its work.

It will be up to the GNSO Council to decide whether to grant the extension, and the ICANN board to decide on funding.

The working group decided on Thursday to ask the Council for guidance on how to proceed.

What’s worrying about the request, or at least the IPC and BC’s support of it, is that coronavirus may just be being deployed as an excuse to extend talks because the IP owners don’t like the proposal currently on the table.

“The reality is we’re looking at a result that is… just not going to be sufficient from our perspective,” MPAA lawyer Frank Journoud, an IPC rep on the working group, said on its Thursday call. “We don’t want the perfect to be the enemy of the good, but right now we’re not even going to get to good.”

The current state of play with the working group is that it published its initial report (pdf) for public comment in February.

The group is recommending something called SSAD, for Standardized System for Access and Disclosure, in which a central gateway provider, possibly ICANN itself, would be responsible for granting Whois access credentials and fielding requests to the relevant registries and registries.

The almost 70 comments submitted before the March 23 deadline have been published in an unreadable, eye-fucking Google spreadsheet upon which transparency-loving ICANN may as well have hung a “Beware of the Leopard” sign. The staff summary of the comments is currently nine days late.

Facebook WILL sue more registrars for cybersquatting

Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.
Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.
In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.
In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.
Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.
The complaint is very similar to one filed against OnlineNIC (pdf) in October.
And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.
Speaking at the second public forum at ICANN 67 yesterday, she said:

This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.

Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.
Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.
The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:

We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.

UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.
Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.
Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.
The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.

Crunch time, again, for Whois access policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.
The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.
Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).
Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.
The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.
The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.
The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).
Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.
Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.
The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.
The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.
So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.
If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.
How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.
There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.
This will be a hot topic at ICANN 66 in Montreal next month.
Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

Airline hit with $230 million GDPR fine

British Airways is to be fined £183.39 million ($230 million) over a customer data breach last year, by far the biggest penalty to be handed out under the General Data Protection Regulation to date.
This story is not directly related to the domain name industry, but it does demonstrate that European data protection authorities are not messing about when it comes to GDPR enforcement.
About 500,000 BA customers had their personal data — including full payment card details — stolen by attackers between June and September last year, the UK Information Commissioner’s Office said today..
It is believed that they obtained the data not by hacking BA’s database, but rather by inserting a script hosted by third-party domain that executed whenever a customer transacted with the site, allowing credentials to be captured in real time.
The ICO said its decision to fine $183.39 million — which amounts to more than 1.5% of BA’s annual revenue — is preliminary and can be appealed by BA.
Under GDPR, which came into effect in May 2018, companies can be fined up to 4% of revenue.
The biggest pre-GDPR fine is reportedly the £500,000 penalty that Facebook was given due to the Cambridge Analytica scandal.
GDPR is of course of concern to the domain industry due to the ongoing attempts to make sure Whois databases are compliant with the laws.

Governments demand Whois reopened within a year

ICANN’s government advisers wants cops, trademark owners and others to get access to private Whois data in under a year from now.
The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.
The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.
She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.
It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.
It strikes me as a ludicrously ambitious deadline.
Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.
The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.
IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).
Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.
Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.
The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.
Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and bunch of its volunteer members have been swapped out.
Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.
The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.
For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.
With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.

Karklins beats LaHatte to chair ICANN’s Whois privacy team

Latvian diplomat and former senior WIPO member Janis Karklins has been appointed chair of the ICANN working group that will decide whether to start making private Whois records available to trademark owners.
Karklins’ appointment was approved by the GNSO Council last week. He beat a single rival applicant, New Zealand’s Chris LaHatte, the former ICANN Ombudsman.
He replaces Kurt Pritz, the former ICANN Org number two, who quit the chair after it finished its “phase one” work earlier this year.
Karklins has a varied resume, including a four-year stint as chair of ICANN’s Governmental Advisory Committee.
He’s currently Latvia’s ambassador to the United Nations in Geneva, as well as president of the Arms Trade Treaty.
Apparently fighting for Latvia’s interests at the UN and overseeing the international conventional weapons trade still gives him enough free time to now also chair the notoriously intense and tiring Expedited Policy Development Process on Whois, which has suffered significant burnout-related volunteer churn.
But it was Karklins’ one-year term as chair of the general assembly of WIPO, the World Intellectual Property Organization, that gave some GNSO Council members pause.
The EPDP is basically a big bloodless ruck between intellectual property lawyers and privacy advocates, so having a former WIPO bigwig in the neutral hot seat could be seen as a conflict.
This issue was raised by the pro-privacy Non-Commercial Stakeholders Group during GNSO Council discussions last week, who asked whether LaHatte could not also be brought on as a co-chair.
But it was pointed out that it would be difficult to find a qualified chair without some connection to some interested party, and that Karklins is replacing Pritz, who at the time worked for a new gTLD registry and could have had similar perception-of-conflict issues.
In the end, the vote to confirm Karklins was unanimous, NCSG and all.
The EPDP, having decided how to bring ICANN’s Whois policy into compliance with the General Data Protection Regulation, is now turning its attention to the far trickier issue of a “unified access model” for private Whois data.
It will basically decide who should be able to request access to this data and how such a system should be administered.
It will not be smooth sailing. If Karklins thinks international arms dealers are tricky customers, he ain’t seen nothing yet.

Trademark posse fails to block Whois privacy policy

The ICANN community’s move to enshrine Whois privacy into formal consensus policy is moving forward, despite votes to block it by intellectual property interests.
During a special meeting yesterday, the GNSO Council voted to approve a set of recommendations that would (probably) bring ICANN’s Whois policy into compliance with the General Data Protection Regulation.
But four councilors — Paul McGrady and Flip Petillion of the Intellectual Property Constituency and Marie Pattullo and Scott McCormick of the Business Constituency — voted against the compromise deal.
Their downvotes were not enough to block it from passing, however. It has now been opened for a month of public comments before being handed to the ICANN board of directors for final approval, whereupon it will become ICANN’s newest consensus policy and binding on all contracted parties.
McGrady, an lawyer with Winston Strawn, claimed that the Expedited Policy Development Process working group that came up with the recommendations failed to reach the level of consensus that it had claimed.
“The consensus call was broken,” he said, adding that the EPDP’s final report “reflects consensus where there really wasn’t any.”
The GNSO was due to vote 10 days ago, but deferred the vote at the request of the IPC and BC. McGrady said that both groups had tried to muster up support in their communities for a “yes” vote in the meantime, but “just couldn’t get there”.
Speaking for the BC from a prepared statement, Pattullo (who works for European brand protection group AIM) told the Council:

The report is a step backwards for BC members’ interests compared to the Temp Spec, especially as the legitimate purposes for collecting and processing data are insufficiently precise, and do not include consumer protection, cybercrime, DNS abuse and IP protection.

The Temp Spec is the Temporary Specification currently governing how registries and registrars collect and publish Whois data. It was created as an emergency measure by the ICANN board and is due to expire in May, where it will very probably be replaced by something based on the EPDP recommendations.
In response to the IPC/BC votes, Michele Neylon of the Registrars Constituency and Ayden Férdeline of the Non-Commercial Stakeholders Group read statements claiming that trademark interests had been given substantial concessions during the EPDP talks.
Neylon in particular had some harsh words for the holdout constituencies, accusing them of “bad faith” and pointing out that the EPDP spent thousands of hours discussing its recommendations.
“Our members would want any number of obligations this report contains to be removed, but despite the objections we voiced our support for the final product as a sign of compromise and support for the entire multistakeholder model,” he said.
“Given the objections of certain parts of the community it’s unclear how we can ask this group to carry on with the next phase of its work at the same pace,” he said. “Given the unwillingness of others to participate and negotiate in good faith, how can we ask our reps to spend hours compromising on this work when it’s clear others will simply wait until the last minute and withdraw their consent for hard-fought compromise.”
The EPDP had a hard deadline due to the imminent expiration of the Temp Spec, but that’s not true of its “phase two” work, which will explore possible ways trademark enforcers could get access to redacted private Whois data.
Unfortunately for the IP lobby, there’s a very good chance that this work is going to proceed at a much slower pace than phase one, which wrapped up in basically six months.
During yesterday’s Council call, both Neylon and NCSG rep Tatiana Tropina said that the dedication required of volunteers in phase one — four to five hours of teleconferences a week and intensive mailing list discussions — will not be sustainable over phase two.
They simply won’t be able to round up enough people with enough time to spare, they said.
Coincidentally, neither the registrars nor the non-coms have any strong desire to see a unified access solution developed any time soon, so a more leisurely pace suits them politically too.
It will be up to the EPDP working group, and whoever turns out to be its new chair, to figure out the timetable for the phase two work.

Registrars given six months to deploy Whois killer

ICANN has started the clock ticking on the mandatory industry-wide deployment of RDAP.
gTLD registries and registrars have until August 26 this year to roll out RDAP services, which will one day replace the age-old Whois spec, ICANN said this week.
Registration Data Access Protocol fulfills the same function as Whois, but it’s got better support for internationalization and, importantly given imminent work on Whois privacy, tiered access to data.
ICANN’s RDAP profile was created in conjunction with contracted parties and public comments. The registries and registrars knew it was coming and told ICANN this week that they’re happy for the 180-day implementation deadline to come into effect.
The profile basically specs out what registrars and registries have to show in their responses to Whois (or RDAP, if you’re being pedantic) queries.
It’s based on the current Temporary Specification for Whois, and will presumably have to be updated around May this year, when it is expected that the Temp Spec will be replaced by the spec created by the Whois EPDP.

Expect more Whois accuracy emails under new ICANN policy

Registrars will be obliged to send out even more Whois accuracy emails, under a set of recommendations being considered in ICANN.
Assuming recent recommendations out of the Whois policy working group are accepted, every registrant of a gTLD domain with something listed in the “Organization” field will receive a one-off mail from their registrar asking them to confirm its accuracy.
It’s Recommendation 12 of the EPDP Team Final Report, which was published last week (pdf) by ICANN’s first Expedited Policy Development Process working group.
In general, the Organization field would be redacted in the public Whois under the proposed policy, but registrants will be proactively asked if they want to opt in to having it published.
While registrars can pick their own methods to conduct this outreach, email seem like the most likely medium in the vast majority of cases.
These mails would be sent out the registrants of the over 192 million gTLD domains (if they have something in their Org field) at some point between May 2019, when ICANN is likely to formally adopt the policy, and February 29, 2020, which is EPDP group’s recommended implementation deadline.
In theory, the Org field is perhaps the main indicator of whether a domain is registered to a natural person (and therefore subject to the General Data Protection Regulation) or a legal person (and therefore not).
But it’s not uncommon for registrants or registrars to simply populate the field with the name of the natural-person registrant, even when there’s no actual organization involved.
That’s a GDPR problem, as it means personally identifiable information could leak into the public Whois.
Under the EPDP’s recommendation, registrars would be obliged to reach out to their customers to confirm whether the contents of their Org field are correct, and to ask whether they want that information to be made public.
Opting in would mean the registrar would begin to publish Org data in the public Whois. Ignoring the email or actively refusing publication would mean your registrar would redact or delete this field.
After this mass outreach has finished, registrars would stop redacting the Org field, unless the registrant has not consented to its publication.
For new registrations, registrars would have to show you a prominent warning that the Org data will be published and get your consent for it to do so.
The recommendation is among 29 that were arrived at following over six months of intensive discussions in the EPDP group.
Others we’ve previously reported on include the total elimination of the Admin Contact, making the Technical Contact both smaller and completely optional, and the mandatory introduction of an anonymous means for Whois users to contact registrants.
The recommendations have been submitted to the GNSO Council, which will vote on them March 4.
The EPDP report will then be opened for 30 days of public comment, before being sent to the ICANN board of directors for a full, final vote.
The policy will replace the current Temporary Specification governing Whois, which the board rushed through on an emergency basis last May in order to make the DNS ecosystem as GDPR-compliant as possible when the EU law came into effect.
The EPDP group is expected to shortly enter “phase two” of its work, which will look at whether there should be a unified access mechanism for security and intellectual property interests to snoop on otherwise private Whois data.

Pritz quits Whois privacy group as work enters impossible second phase

Kurt Pritz has quit as chair of the ICANN group working on Whois policy for the GDPR era.
He informed the Whois Expedited Policy Development Process working group in a notice to its mailing list today, saying he was leaving for “a set of personal and professional reasons”.
He said he will stick around until his replacement is selected.
I understand three people had put themselves forward for the role when Pritz was originally selected last July, so there may be a couple of alternates already waiting in the wings.
The announcement comes at a pivotal time for the EPDP, and whoever takes over is going to have to have some seriously masochistic tendencies.
The 30-odd member group just this week put the finishing touches to its “phase one” initial report, which primarily sets out the formal legal purposes for which Whois data is collected and processed across the domain name ecosystem.
That’s going to be voted on by the GNSO Council in a vote delayed from this week to March 4 at the request of the Intellectual Property Constituency and Business Constituency, which want more time to review and comment on it.
For the EPDP WG, it’s soon time to move on to phase two, which will cover the creation (or not) of a unified access mechanism that trademark owners and the like could use to snoop on redacted Whois data.
Even the relatively easy tasks in phase one have been absolute murder on the volunteers and ICANN staff, who have been putting in four or more hours of teleconferences per week since August.
I’ve just been dipping in and out of the mailing list and listening to the odd teleconference, and the level of nitpicking over language has been agonizing to listen to.
Essentially, virtually every debate comes down to a face-off between the IP interests who want to insert as much language concerning access as possible, and those, such as non-commercial users, who oppose them. It sometimes comes across like a proxy war between Facebook and the Internet Governance Project.
More than once, naturally mild-mannered Pritz has had to delegate control to firm-handed mediators drafted in from a specialist outside agency.
Whoever takes over as chair has got his or her work cut out.