Recent Posts
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
Pritz quits Whois privacy group as work enters impossible second phase
Kurt Pritz has quit as chair of the ICANN group working on Whois policy for the GDPR era.
He informed the Whois Expedited Policy Development Process working group in a notice to its mailing list today, saying he was leaving for “a set of personal and professional reasons”.
He said he will stick around until his replacement is selected.
I understand three people had put themselves forward for the role when Pritz was originally selected last July, so there may be a couple of alternates already waiting in the wings.
The announcement comes at a pivotal time for the EPDP, and whoever takes over is going to have to have some seriously masochistic tendencies.
The 30-odd member group just this week put the finishing touches to its “phase one” initial report, which primarily sets out the formal legal purposes for which Whois data is collected and processed across the domain name ecosystem.
That’s going to be voted on by the GNSO Council in a vote delayed from this week to March 4 at the request of the Intellectual Property Constituency and Business Constituency, which want more time to review and comment on it.
For the EPDP WG, it’s soon time to move on to phase two, which will cover the creation (or not) of a unified access mechanism that trademark owners and the like could use to snoop on redacted Whois data.
Even the relatively easy tasks in phase one have been absolute murder on the volunteers and ICANN staff, who have been putting in four or more hours of teleconferences per week since August.
I’ve just been dipping in and out of the mailing list and listening to the odd teleconference, and the level of nitpicking over language has been agonizing to listen to.
Essentially, virtually every debate comes down to a face-off between the IP interests who want to insert as much language concerning access as possible, and those, such as non-commercial users, who oppose them. It sometimes comes across like a proxy war between Facebook and the Internet Governance Project.
More than once, naturally mild-mannered Pritz has had to delegate control to firm-handed mediators drafted in from a specialist outside agency.
Whoever takes over as chair has got his or her work cut out.
Surprise! Most private Whois look-ups come from Facebook
Facebook is behind almost two-thirds of requests for private Whois data, according to stats published by Tucows this week.
Tucows said that it has received 2,100 requests for Whois data since it started redacting records in the public database when the General Data Protection Regulation came into effect last May.
But 65% of these requests came from Facebook and its proxy, AppDetex, that has been hammering many registrars with Whois requests for months.
AppDetex is an ICANN-accredited brand-protection registrar, which counts Facebook as its primary client. It’s developed a workflow tool that allows it, or its clients, to semi-automatically send out Whois requests to registrars.
It sent at least 9,000 such requests between June and October, and has twice sent data to ICANN complaining about registrars not responding adequately to its requests.
Tucows has arguably been the registrar most vocally opposed to AppDetex’s campaign, accusing it of artificially inflating the number of Whois requests sent to registrars for political reasons.
An ICANN policy working group will soon begin to discuss whether companies such as Facebook, as well as security and law enforcement interests, should be able to get credentials enabling them to access private Whois data.
Tucows notes that it sees spikes in Whois requests coinciding with ICANN meetings.
Tucows said its data shows that 92% of the disclosure requests it has received so far come from “commercial interests”, mostly either trademark or copyright owners.
Of this 92%, 85% were identified as trademark interests, and 76% of those were Facebook.
Law enforcement accounted for 2% of requests, and security researchers 1%, Tucows said.
ICANN director Burr leaving Neustar
Neustar is losing its chief privacy officer, Becky Burr, who also sits on ICANN’s board of directors.
Burr, a lawyer, said last week that she’s decided to return to private practice after almost seven years at the registry.
Her last day will be March 1, but she’ll continue to advise the company as outside counsel on issues such as privacy and .us policy.
Lips are sealed on her exact destination, but it’s apparently small, Washington, DC-based, and focused on data protection.
Prior to Neustar, Burr worked for the law firm Wilmer Hale. Prior to that, she was in the US National Telecommunications and Information Administration, where she helped create ICANN 20 years ago.
Despite no longer being directly employed by a registry or registrar, Burr said she’s hoping to be reelected to the ICANN board, where she represents the Contracted Parties House, when her current term expires at the end of the year.
In addition to .us, Neustar runs .co, .biz and acts as back-end for dozens of other TLDs.
Crunch Whois privacy talks kick off
ICANN volunteers are meeting this week to attempt to finalize their recommendations on the future of Whois privacy.
Most members of the Expedited Policy Development Process working group have gathered in Toronto for three days of talks on what will likely become, in May this year, new contractually binding ICANN policy.
Discussions are kicking off pretty much at the same time this article is published and will last until Friday afternoon local time.
The EPDP group is due to publish its final report by February 1, leaving enough time for GNSO consideration, public comments, and an ICANN board of directors vote.
Its initial report, which recommended some big changes to Whois output, was published in November. Public comments on this report will lead to largely modest changes to the policy this week.
The timing is tight because Whois policy is currently governed by a one-year Temporary Specification, created by the ICANN board, which expires May 25.
The bulk of the work today will focus on formalizing the “purposes” of Whois data, something that is needed if ICANN policy is to be compliant with the EU General Data Protection Regulation.
The more controversial stuff, where consensus will be extraordinarily difficult to find, comes tomorrow, when the group discusses policies relating to privileged access to private Whois data.
This is the area where intellectual property and security interests, which want a program that enables them to get access to private data, have been clashing with non-commercial stakeholders, which accuse their opponents of advocating “surveillance”.
It’s not expected that a system of standardized, unified access will be created this week or by February 1. Rather, talks will focus on language committing ICANN to work on (or not) such a system in the near future.
Currently, there’s not even a consensus on what the definition of “consensus” is. It could be slow going.
Gluttons for punishment Observers can tune in to the view/listen-only Adobe Connect room for the meetings here.
Now even parked domains will have GDPR notices
Sedo will soon start showing privacy notices and cookie warnings on parked domains using its service.
The company told users today that it has updated its terms of service to comply with the EU’s General Data Protection Regulation. It said:
As a domain owner parking your domains on Sedo’s platform, within the scope of tracking website visitors to monetize your domain(s), Sedo collects and processes personal data on your behalf. The GDPR requires, among other things, that the person responsible, in this case you, the domain owner, display a data protection declaration and a cookie on your parked page.
Sedo said this is a “complimentary feature”, but that it makes no assurances that the notices it displays on its users’ behalf are actually compliant with the regulation.
The terms have been changed such that the user agrees to be “solely responsible” for their own GDPR compliance.
Users have two weeks to object to the changes, but if they do it seems Sedo will terminate their service.
The changes come into effect January 1.
First chance to have your say on the future of Whois
RIP: the Whois Admin.
Standard Whois output is set to get slimmed down further under newly published policy proposals.
The community working group looking at post-GDPR Whois has decided that the Admin Contact is no longer necessary, so it’s likely to get scrapped next year.
This is among several recommendations of the Expedited Policy Development Process working group on Whois, which published its initial report for public comment late Wednesday.
As expected, the report stops short of addressing the key question of how third-parties such as intellectual property interests, domain investors, security researchers and the media could get streamlined access to private Whois data.
Indeed, despite over 5,000 person-hours of teleconferences and face-to-face meetings and about 1,000 mailing list messages since work began in early August, the EPDP’s 50 members have yet to reach consensus on many areas of debate.
What they have reached is “tentative agreement” on 22 recommendations on how to bring current ICANN Whois policy into line with EU privacy law, the General Data Protection Regulation.
The work is designed to replace the current Temporary Specification, a Band-Aid imposed by the ICANN board of directors, which is due to expire next May.
The EPDP initial report proposes a few significant changes to what data is collected and publicly displayed by the Whois system.
The most notable change is the complete elimination of the Admin Contact fields.
Currently, Whois contains contact information for the registrant, admin contact and technical contact. It’s often the same data replicated across all three records, and under the Temp Spec the large majority of the data is redacted.
Under the EPDP’s proposal, the Admin Contact is superfluous and should be abandoned altogether. Not only would it not be displayed, but registrars would not even collect the data.
The Tech Contact is also getting a haircut. Registrars would now only be able to collect name, phone and email address, and it would be optional for the registrant whether to provide this data at all. In any event, all three fields would be redacted from public Whois output.
For the registrant, all contact information except state/province and country would be redacted.
There’s no agreement yet on whether the optional “organization” field would be redacted, but the group has agreed that registrars should provide better guidance to registrants about whether they need to provide that data.
While data on legal persons such as companies is not protected by GDPR, some fear that natural person registrants may just naively type their own name into that box when registering a name, inadvertently revealing their identities to the public.
Those providing Whois output would be obliged, as they are under the Temp Spec, to publish an anonymized email address or web-based contact form to allow users to contact registrants without personal information being disclosed.
That German lawsuit
The recommendation to slash what data is collected could have an impact on ICANN’s lawsuit against Tucows’ German subsidiary, EPAG.
ICANN is suing EPAG after the registrar decided that collecting admin and tech contact info was not compliant with GPDR. It’s been looking, unsuccessfully, for a ruling forcing the company to carry on collecting this data.
Tucows is of the view that if the admin and tech contacts are third parties to the registration agreement, it has no right to collect data about them under the GDPR.
If ICANN’s own community policy development process is siding with Tucows, this could guide ICANN’s future legal strategy, but not, it appears, until it becomes firm consensus policy.
I asked ICANN general counsel John Jeffrey about whether the EPDP’s work could affect the lawsuit during an interview October 5, shortly after it became clear that the admin/tech contact days might be numbered.
“Maybe,” he said. “If it becomes part of the policy we’ll have to assess that. Until there’s a new policy though, what we’re working with is the Temp Spec. The Temp Spec we believe is enforceable, we believe have the legal support for that, and we’ll continue down that path.”
(It might be worth noting that Thomas Rickert, whose law firm represents EPAG in this case, is on the EPDP working group in his capacity of head of domains for German trade group eco. He is, of course, just one of the 31 EPDP members developing these recommendations at any given time.)
IP wheel-spinning
The main reason it’s taken the EPDP so long to reach the initial report stage — the report was originally due during the ICANN 63 Barcelona meeting a month ago — has been the incessant bickering between those advocating for, and opposing, the rights of intellectual property interests to access private Whois data.
EPDP members from the IP Constituency and Business Constituency have been attempting to future-proof the work by getting as many references to IP issues inserted into the recommendations as they can, before the group has turned its attention to addressing them specifically.
But they’ve been opposed every step of the way by the Non-Commercial Stakeholders Group, which is concerned the IP lobby is trying to policy its way around GDPR as it relates to Whois.
Many hours have been consumed by these often-heated debates.
My feeling is that the NCSG has been generally winning, but probably mainly because the working group’s charter forbade discussion about access until other issues had been addressed.
As it stands today, the initial report contains this language in Recommendation #2:
Per the EPDP Team Charter, the EPDP Team is committed to considering a system for Standardized Access to non-public Registration Data once the gating questions in the charter have been answered. This will include addressing questions such as:
• What are the legitimate purposes for third parties to access registration data?
• What are the eligibility criteria for access to non-public Registration data?
• Do those parties/groups consist of different types of third-party requestors?
• What data elements should each user/party have access to?
In this context, amongst others, disclosure in the course of intellectual property infringement and DNS abuse cases will be considered
This is basically a placeholder to assure the IP crowd that their wishes are still on the table for future debate — which I don’t think was ever in any doubt — but even this basic recommendation took hours to agree to.
The EPDP’s final report is due February 1, so it has just 70 days to discuss this hypothetical “Standardized Access” model. That’s assuming it started talks today, which it hasn’t.
It’s just nine weeks if we assume not a lot is going to happen over the Christmas/New Year week (most of the working group come from countries that celebrate these holidays).
For context, it’s taken the working group about 115 days just to get to the position it is in today.
Even if Standardized Access was the only issue being discussed — and it’s not, the group is also simultaneously going to be considering the public comment on its initial report, for starters — this is an absurdly aggressive deadline.
I feel fairly confident in predicting that, come February 1, there will be no agreement on a Standardized Access framework, at least not one that would be close to implementable.
Have your say
All 22 recommendations, along with a long list of questions, have now been put out for public comment.
The working group is keen to point out that all comments should provide rationales, and consider whether what they’re asking for would be GDPR-compliant, so comments along the lines of “Waaah! Whois should be open!” will likely be rapidly filed to the recycle bin.
It’s a big ask, considering that most people have just a slim grasp of what GDPR compliance actually means.
Complicating matters, ICANN is testing out a new way to process public comments this time around.
Instead of sending comments in by email, which has been the norm for two decades, a nine-page Google form has been created. This is intended to make it easier to link comments to specific recommendations. There’s also a Word version of the form that can be emailed.
Given the time constraints, it seems like an odd moment to be testing out new processes, but perhaps it will streamline things as hoped. We’ll see.
This is how AppDetex works
A small brand-protection registrar with a big friend caused quite a stir at ICANN 63 here in Barcelona this week, after accusing registrars for the second time of shirking their duties to disclose private Whois data to trademark owners.
AppDetex, which has close ties to Facebook, has sent something like 9,000 Whois requests to registrars over the last several months, then complained to ICANN last week that it only got a 3% response rate.
Registrars cried foul, saying that the company’s requests are too vague to action and sometimes seem farcical, suggesting an indiscriminate, automated system almost designed to be overly burdensome to them.
In chats with DI this week, AppDetex CEO Faisal Shah, general counsel Ben Milam and consultant Susan Kawaguchi claimed that the system is nowhere near as spammy as registrars think, then showed me a demo of their Whois Requester product that certainly seemed to support that claim.
First off, Whois Requester appears to be only partially automated.
Tucows had noted in a letter to ICANN that it had received requests related to domains including lincolnstainedglass.com and grifflnstafford.com, which contain strings that look a bit like the “Insta” trademark but are clearly not cybersquatting.
“That no human reviewed these domains was obvious, as the above examples are not isolated,” Tucows CEO Elliot Noss wrote.
“It is abundantly clear to us that the requests we received were generated by an automated system,” Blacknight CEO Michele Neylon, who said he had received similarly odd requests, wrote in his own letter.
But, according to AppDetex, these assumptions are not correct.
Only part of its service is automated, they said. Humans — either customers or AppDetex in-house “brand analysts” — were involved in sending out all the Whois requests generated via its system.
AppDetex itself does not generate the lists of domains of concern for its clients, they said. That’s done separately, using unrelated tools, by the clients themselves.
It’s possible these could be generated from zone files, watch services, abuse reports or something else. The usage of the domain, not just its similarity to the trademark in question, would also play a role.
Facebook, for example, could generate its own list of domains that contain strings matching, partially matching, or homographically similar to its trademarks, then manually input those domains into the AppDetex tool.
The product features the ability to upload lists of domains in bulk in a CSV file, but Kawaguchi told me this feature has never been used.
Once a domain has been input to main Whois Requester web form, a port 43 Whois lookup is automatically carried out in the background and the form is populated with data such as registrar name, Whois server, IANA number and abuse email address.
At this point, human intervention appears to be required to visually confirm whether the Whois result has been redacted or not. This might require also going to the registrar’s web-based Whois, as some registrars return different results over port 43 compared to their web sites.
If a redacted record is returned, users can then select the trademark at issue from a drop-down (Whois Requestor stores its’ customers trademark information) and select a “purpose” from a different drop-down.
The “purposes” could include things like “trademark investigation” or “phishing investigation”. Each generates a different piece of pre-written text to be used in the template Whois request.
Users can then choose to generate, manually approve, and send off the Whois request to the relevant registrar abuse address. The request may have a “form of authorization” attached — a legal statement that AppDetex is authorized to ask for the data on behalf of its client.
Replies from registrars are sent to an AppDetex email address and fed into a workflow tool that looks a bit like an email inbox.
As the demo I saw was on the live Whois Requester site with a dummy account, I did not get a view into what happens after the initial request has been sent.
Registrars have complained that AppDetex does not reply to their responses to these initial requests, which is a key reason they believe them frivolous.
Shah and Milam told me that over the last several months, if a registrar reply has included a request for additional information, the Whois Requester system has been updated with a new template for that registrar, and the request resent.
This, they said, may account for duplicate requests registrars have been experiencing, though two registrars I put this to dispute whether it fits with what they’ve been seeing.
The fact that human review is required before requests are sent out “just makes it worse”, they also said.
ICANN denies it’s in bed with trademark lawyers
ICANN chair Cherine Chalaby has strongly denied claims from non-commercial stakeholders that its attitude to Whois reform is “biased” in favour of “special interests” such as trademark lawyers.
In a remarkably fast reply (pdf) to a scathing October 17 letter (pdf) from the current and incoming chairs of the Non-Commercial Stakeholders Group, Chalaby dismissed several of the NCSG’s claims of bias as “not true”.
The NCSG letter paints ICANN’s efforts to bring Whois policy into line with the General Data Protection Regulation as rather an effort to allow IP owners to avoid GDPR altogether.
It even suggests that ICANN may be veering into content regulation — something it has repeatedly and specifically disavowed — by referring to how Whois may be used to combat “fake news”.
The “demonstrated intention of ICANN org has been to ensure the unrestrained and unlawful access to personal data demanded by special interest groups”, the NCSG claimed.
It believes this primarily due to ICANN’s efforts to support the idea of a “unified access model” — a way for third parties with “legitimate interests” to get access to private Whois data.
ICANN has produced a couple of high-level framework documents for such a model, and CEO Goran Marby has posted articles playing up the negative effects of an inaccessible Whois.
But Marby has since insisted that a unified access model is still very much an “if”, entirely dependent on whether the community, in the form of the Whois EPDP working group, decides there should be one.
That message was reiterated in Chalaby’s new letter to the NCSG.
The conversation on whether to adopt such a model must continue, but the outcomes of those discussions are for the community to decide. We expect that the community, using the bottom-up multistakeholder model, will take into account all stakeholders’ views and concerns.
He denied that coordinating Whois data is equivalent to content regulation, saying it falls squarely within ICANN’s mandate.
“ICANN’s mission related to ‘access to’ this data has always encompassed lawful third-party access and use, including for purposes that may not fall within ICANN’s mission,” he wrote.
The exchange of letters comes as parties on the other side of the Whois debate also lobby ICANN and its governmental advisors over the need for Whois access.
Here’s what ICANN’s boss is saying about Whois access now
Should ICANN become the sole source for looking up private domain registrant data? That’s one of the options for the post-GDPR world of Whois currently being mulled over on Waterfront Drive.
ICANN CEO Goran Marby laid out some of ICANN’s current thinking on the future of Whois last week at an occasionally combative meeting in Los Angeles.
One idea would see ICANN act as a centralized gatekeeper for all Whois data. Another could risk ICANN becoming much more tightly controlled by governments.
I’ve listened to the recordings, read the transcripts, chatted to participants, and I’m going to attempt to summarize what I believe is the current state of play.
As regular DI readers know, post-GDPR Whois policy is currently being debated to a tight deadline by an Expedited Policy Development Process working group.
The work has been a tough slog, and there seems to be little hope of the EPDP closing all of its outstanding issues before its first conclusions are due under three weeks from now.
One of the outstanding issues not yet addressed in any depth by the group is the potential creation of a “unified access model” — a standardized way cops, trademark owners, cybersecurity professionals and others could look at the same Whois data they could look at just a few months ago.
While the EPDP has carried on deferring discussion of such a model, ICANN Org has in parallel been beavering away trying to figure out whether it’s even going to be legally possible under the new European privacy law to open up Whois data to the people who want to see it, and it’s come up with some potentially game-changing ideas.
After weeks of conference calls, the EPDP working group — made up of 30-odd volunteers from all sections of the ICANN community — met in LA for three days last week to get down to some intensive face-to-face arguments.
I gather the meeting was somewhat productive, but it was jolted by the publication of an ICANN blog post in which Marby attempted to update the community on ICANN’s latest efforts to get clarity on how GDPR legally interacts with Whois.
Marby wrote that ICANN “wants to understand whether there are opportunities for ICANN, beyond its role as one of the ‘controllers’ with respect to WHOIS or its contractual enforcement role, to be acknowledged under the law as the coordinating authority of the WHOIS system.”
What did ICANN mean by this? While “controller” is a term of art defined in mind-numbing detail by the GDPR, “coordinating authority” is not. So ICANN’s blog post was open to interpretation.
It turns out I was not the only person confused by the post, and on Tuesday afternoon last week somebody from the EPDP team collared Marby in the corridor at ICANN HQ and dragged him into the meeting room to explain himself.
He talked with them for about an hour, but some attendees were still nonplussed — some sounded downright angry — after he left the room.
This is what I gleaned from his words.
No End-Runs
First off, Marby was at pains to point out, repeatedly, that ICANN is not trying to bypass the community’s Whois work.
It’s up to the community — currently the EPDP working group, and in a few weeks the rest of you — to decide whether there should be a unified access model for Whois, he explained.
What ICANN Org is doing is trying to figure out is whether a unified access model would even be legal under GDPR and how it could be implemented if it is legal, he said.
“If the community decides we should have a policy about a unified access model, that’s your decision,” he told the group. “We are trying to figure out the legal avenues if it’s actually possible.”
He talked about this to persons unknown at the European Commission in Brussels last month.
Whatever ICANN comes up with would merely be one input to the community’s work, he said. If it discovers that a unified access model would be totally illegal, it will tell the community as much.
Marby said ICANN is looking for “a legal framework for how can we diminish the contracted parties’ legal responsibility” when it comes to GDPR.
So far, it’s come up with three broad ideas about how this could happen.
The Certification Body Idea
GDPR sections 40 to 43 talk about the concepts of “codes of conduct” and “certification bodies”.
It’s possible that ICANN was referring to the possibility of itself becoming a certification body when it blogged about being a “coordinating authority”. Marby, during the EPDP meeting, unhelpfully used the term “accreditation house”.
These hypothetical entities (as far as I know none yet exist) would be approved by either national data protection authorities or the pan-EU European Data Protection Board to administer certification schemes for companies that broadly fall into the same category of data processing businesses.
It seems to be tailor-made for ICANN (though it wasn’t), which already has accreditation of registries and registrars as one of its primary activities.
But this legal avenue does not appear to be a slam-dunk. ICANN would presumably have to persuade a DPA or two, or the EDPB, that giving third parties managed access to citizens’ private data is a good thing.
You’d think that DPAs would be dead against such an idea, but the EU members of ICANN’s Governmental Advisory Committee have put their names to advice stating that Whois should remain accessible under certain circumstances, so it’s not impossible they could see it ICANN’s way.
The C.R.A.P. Idea
Marby’s second idea for taking some of the GDPR burden off the shoulders of contracted parties is to basically make ICANN a proxy, or man-in-the-middle, for Whois queries.
“What would happen if ICANN Org legally is the only place you can ask a question through?” he said. “And the only ones that the contracted parties actually can answer a question to would be ICANN Org? Would that move the legal responsibility away from the contracted parties to ICANN Org?”
In many ways, this is typical domain industry tactics — if there’s a rule you don’t want to follow, pass it off to a proxy.
This model was referred to during the session by EPDP members as the “hub and spoke” or “starfish”. I think the starfish reference might have been a joke.
Marby, in a jocular callback to the “Calzone” and “Cannoli” Whois proposals briefly debated in the community earlier this year, said that this model had a secret ICANN-internal code-name that is “something to do with food”.
Because whenever I’ve tried to coin a phrase in the past it has never stuck, I figure this time I may as well go balls-out and call it the “Cuisine-Related Access Plan” for now, if for no other reason than the acronym will briefly annoy some readers.
Despite the name I’ve given it, I don’t necessarily dislike the idea.
It seems to be inspired by, or at least informed by, side-channel communications between Marby and the Intellectual Property Constituency and Business Constituency, which are both no doubt mightily pissed off that the EPDP has so far proven surprisingly resilient to their attempts to get Whois access into the policy discussions as early as possible.
Two months ago, a few influential IP lawyers proposed to Marby (pdf) a centralized Whois model in which registrars collect data from registrants then pass it off to ICANN, which would be responsible for deciding who gets to see it.
Forget “thin” versus “thick” Whois — this one would be positively, arguably dangerously, obese. Contracted parties would be relegated to “processors” of private data under GDPR, with ICANN the sole “controller”.
Benefits of this would include, these lawyers said, reducing contracted parties’ exposure to GDPR.
It’s pretty obvious why the IP lobby would prefer this — ICANN is generally much more amenable to its demands than your typical registry or registrar, and it would very probably be easier to squeeze data out of ICANN.
While Marby specifically acknowledged that ICANN has taken this suggestion as one of its inputs — and has run it by the DPAs — he stopped well short of fully endorsing it during last week’s meeting in LA.
He seemed to instead describe a system whereby ICANN acts as the gatekeeper to the data, but the data is still stored and controlled at the registry or registrar, saying: “We open a window for access to the data so the data is still at the contracted parties because they use that data for other reasons as well”.
The Insane Idea
The third option, which Marby seemed to characterize as the least “sane” of the three, would be to have Whois access recognized by law as a public interest, enabling the Whois ecosystem to basically ignore GDPR.
Remember, back on on GDPR Day, I told you about how the .dk ccTLD registry is carrying on publishing Whois as normal because a Danish law specifically forces it to?
Marby’s third option seems to be a little along those lines. He specifically referred to Denmark and Finland (which appears to have a similar rule in place) during the LA session.
If I understand correctly, it seems there’d have to be some kind of “legal action” in the EU — either legislation in a member state, or perhaps something a little less weighty — that specifically permitted or mandated the publication of otherwise private Whois data in gTLD domains.
Marby offered trademark databases and telephone directories as examples of data sets that appear to be exempt from GDPR protection due to preexisting legislation.
One problem with this third idea, some say, is that it could bring ICANN policy under the direct jurisdiction of a single nation state, something that it had with the US government for the best part of two decades and fought hard to shake off.
If ICANN was given carte blanche to evade GDPR by a piece of legislation in, say, Lithuania, would not ICANN and its global stakeholders forever be slaves to the whims of the Lithuanian legislature?
And what if that US bill granting IP interests their Whois wet dream passes onto the statute books and ICANN finds itself trapped in a jurisdictional clusterfuck?
Oh, my.
Fatuous Conclusion For The Lovely People Who Generously Bothered To Read To The End
I’m not a lawyer, so I don’t pretend to have a comprehensive understanding of any of this, but to be honest I’m not convinced the lawyers do either.
If you think you do, call me. I want to hear from you. I’m “domainincite” on Skype. Cheers.
Mediators hired as Whois reformers butt heads
ICANN has hired professional mediators to help resolve strong disagreements in the working group tasked with reforming Whois for the post-GDPR world.
Kurt Pritz, chair of the Expedited Policy Development Process for Whois, last week told the group that ICANN has drafted in the Consensus Building Institute, with which it has worked before, to help “narrow issues and reach consensus”.
Three CBI mediators will brief the EPDP group today, and join them when the WG meets face-to-face for the first time at a three-day session in Los Angeles later this month.
Their goal is not to secure any particular outcome, but to help the disparate viewpoints find common ground, Pritz told the group.
It’s been Pritz’s intention to get the mediators in since day one — he knew in advance how divisive Whois policy is — but it’s taken until now to get the contracts signed.
The EPDP WG’s job is to create a new, privacy-conscious, consensus Whois policy that will apply to all gTLD registries and registrars. Its output will replace ICANN’s post-GDPR Temporary Specification for Registration Data, which in turn replaced the longstanding Whois policy attached to all ICANN registry and registrar contracts.
Since the working group first convened in early August — about 500 emails and 24 hours of painful teleconferences ago — common ground has been hard to find, and in fact the EPDP group did not even attempt to find consensus for the first several weeks of discussions.
Instead, they worked on its first deliverable, which was finalized last week, a “triage report” that sought to compile each faction‘s opinion of each section of ICANN’s Temp Spec.
The idea seemed sensible at the time, but with hindsight it’s arguable whether this was the best use of the group’s time.
The expectation, I believe, was that opposing factions would at least agree on some sections of text, which could then be safely removed from future debate.
But what emerged instead was this, a matrix of disagreement in which no part of the Temp Spec did not have have at least one group in opposition: 
The table is potentially misleading, however. Because groups were presented with a binary yes/no option for each part of the spec, “no” votes were sometimes recorded over minor language quibbles where in fact there was agreement in principle.
By restricting the first few weeks of conversation to the language of the Temp Spec, the debate was arguably prematurely hamstrung, causing precious minutes to trickle away.
And time is important — the EPDP is supposed to deliver its consensus-based Initial Report to the ICANN 63 meeting in Barcelona about five weeks from now.
That’s going to be tough.
What’s becoming increasingly clear to me from the post-triage talks is that the WG’s task could be seen as not much less than a wholesale, ground-up, reinvention of the Whois wheel, recreated with GDPR as the legal framework.
Who is Whois for?
Discussions so far have been quite mind-expanding, forcing some fundamental rethinking of long-held, easy assumptions, at least for this lurker. Here’s an example.
One of the fundamental pillars of GDPR is the notion of “purposes”. Companies that collect private data on individuals have to do so only with specific, enumerated purposes in mind.
The WG has started by discussing registrars. What purpose does a registrar have when it collects Whois data from its registrants?
None whatsoever, it was claimed.
“To execute the contract between the registrant and the registrar, it’s really not necessary for registrars to collect any of this information,” GoDaddy head of policy James Bladel, representing registrars, told the group on its latest call Thursday.
Registrars collect data on their customers (not just contact data, but also stuff like credit card details) for billing and support purposes, but this is not the same as Whois data. It’s stored separately and never published anywhere. While covered by GDPR, it’s not covered by Whois policy.
Whois data is only collected by registrars for third parties’ purposes, whether that third party be a registry, ICANN, a data escrow agent, a cop, or an intellectual property enforcer.
“Other than a few elements such as domain name servers, there is nothing that is collected in Whois that is needed for the registrar to do their business,” At-Large Advisory Committee chair Alan Greenberg told the WG. “All of them are being collected for their availability to third parties, should they need it.”
While this may seem like a trivial distinction, drawing a hard line between the purposes of registries, registrars and ICANN itself on the one hand and law enforcement, cybersecurity and IP lawyers on the other is one of the few pieces of concrete advice ICANN has received from European data protection regulators.
There’s by no means unanimous agreement that the registrars’ position is correct, but it’s this kind of back-to-basics discussion that makes me feel it’s very unlikely that the EPDP is going to be able to produce an Initial Report with anything more than middling consensus by the October deadline.
I may be overly pessimistic, but (mediators or no mediators) I expect its output will be weighted more towards outlining and soliciting public comment on areas of disagreement than consent.
And the WG has not yet even looked in depth at the far thornier issue of “access” — the policy governing when third parties such as IP lawyers will be able to see redacted Whois data.
Parties on the pro-access side of the WG have been champing at the bit to bring access into the debate at every opportunity, but have been
Hey, look, a squirrel!
The WG has also been beset by its fair share of distractions, petty squabbles and internal power struggles.
The issues of “alternates” — people appointed by the various constituencies to sit in on the WG sessions when the principles are unavailable — caused some gnashing of teeth, first over their mailing list and teleconference privileges and then over how much access they should get to the upcoming LA meeting.
Debates about GDPR training — which some say should have been a prerequisite to WG participation — have also emerged, after claims that not every participant appeared clued-in as to what the law actually requires. After ICANN offered a brief third-party course, there were complaints that it was inadequate.
Most recently, prickly Iranian GAC rep Kavouss Arasteh last week filed a formal Ombudsman complaint over a throwaway god-themed pun made by Non-Com Milton Mueller, and subsequently defended by fellow non-resident Iranian Farzaneh Badii, in the Adobe Connect chat room at the September 6 meeting.
Mueller has been asked to apologize.
Recent Comments