Whois disclosure system coming this year?
ICANN has approved the creation of a Whois Disclosure System, almost six years after Europe’s GDPR rules tore up the rule book on Whois access.
The system is likely to face a name change before going live, due to the fact that it does not guarantee, nor process, the disclosure of private Whois data.
The board of directors passed a resolution February 27, a month later than expected, “to develop and launch the WHOIS Disclosure System (System) as requested by the GNSO Council within 11 months from the date of this resolution.”
That’s two months longer than earlier anticipated, but we’re still looking potentially at a live system that people can sign up for and use a year from now.
The system is expected to be based on the Centralized Zone Data Service that many of us have been using to request and download gTLD zone files for the last decade. While not perfect, CZDS gets the job done and has improved over the years.
The technology will be adapted to create what essentially amounts to a ticketing system, allowing the likes of IP lawyers to request unredacted Whois records. The requests would then be forwarded to the relevant registrar.
It’s an incredibly trimmed-down version of what Whois users had been asking for. Participation is voluntary on both sides of the transaction, and registrars are under no new obligations to approve requests.
If nobody uses the system, it could be turned off. ICANN Org has only been directed to run it for “for up to two years”. ICANN will collect and publish usage data to figure out whether it’s worth the quite substantial number of hours and dollars that have already gone into its development.
The actual cost of development and operation had been pegged at $3.3 million, but the board’s resolution states that most of the cost will be existing staff and excess costs will come from the Supplemental Fund for Implementation of Community Recommendations (SFICR).
ICANN expects to approve Whois Disclosure System next month
ICANN could be offering a centralized system for requesting private domain registration data as early as a year from now, a mere five and a half years after GDPR ruined the global Whois system for many.
The Org recently alluded to its “board’s anticipated January 2023 vote to move forward in implementing the new system to streamline the intake and routing of requests for access to nonpublic gTLD registration data” in a blog post.
It has previously stated that it will take nine months to develop and roll out the system, along with a three-month “ramp-up period”, but that preparatory work may have already started.
The system will be based on CZDS, the service that currently allows people to request zone file data from registries, and cost $3.3 million to develop and run for its anticipated two-year trial period.
Don’t expect it to be called the Whois Disclosure System though. Community feedback has been pretty clear that “disclosure” is an inappropriate word because the system merely manages requests and does not actually disclose anything.
It’s also going to be voluntary for both requesters and registrars/registries for now.
The system was previously known as SSAD Lite, a cut-down version of the community-recommended System for Standardized Access and Disclosure, which ICANN estimated would have cost infinity dollars and take a century to implement.
Whois Disclosure System to cost up to $3.3 million, run for one year
ICANN has published its game plan for rolling out a Whois Disclosure System ahead of next week’s ICANN 75 public meeting in Kuala Lumpur.
The Org reckons the system will take nine months to build and will cost up to $3.3 million to develop and run for two years, although it might wind up getting shut down after just one year.
The Whois Disclosure System, previously known as SSAD Light, is a mechanism whereby anyone with an ICANN account — probably mainly IP lawyers in practice — can request unredacted private Whois data from registrars.
The system is to be built using retooled software from the current Centralized Zone Data Service, which acts as a hub for researchers who want to request zone files from gTLD registry operators.
ICANN’s design paper (pdf), which contains many mock-ups of the likely user interface, describes the new system like this:
Just as in CZDS, a requestor navigates to the WHOIS Disclosure System web page, logs into their ICANN Account, and is presented with a user experience much like the current CZDS. In this experience, requestors can see pending and past requests as well as metadata (timestamps, status, etc.) associated with those requests. For a requestor’s pending requests, they can see all the information related to that request.
Requests filed with the system will be routed to the relevant registrar via the Naming Services Portal, whereupon the registrar can choose how to deal with it. The system doesn’t change the fact that registrars have this discretion.
But the system will be voluntary for not only the requesters — who can still contact the registrar directly if they wish — but also the registrars. One can imagine smaller and frequently abused registrars won’t want the hassle.
The cost of this system will be $2.7 million in staffing costs, with $90,000 in external licensing costs and another $500,000 in contingency costs. Because ICANN has not budgeted for this, it will come from the Supplemental Fund for Implementation of Community Recommendations, which I believe currently has about $20 million in it.
This is far and away cheaper than the full-fat SSAD originally proposed by the GNSO, which ICANN in January estimated could cost up to $27 million to build over five years.
While cheaper, there are still substantial questions remaining about whether it will be popularly used, and whether it will be useful in getting private Whois data into the hands of the people who say they need it.
ICANN is saying that the Whois Disclosure System will run for one year “at which point the data sets collected will be analyzed and presented for further discussion between the GNSO Council and Board”.
The design paper will be discussed at multiple ICANN 75 sessions, starting this weekend.
Whois Disclosure System likely over a year away
ICANN lifted the curtain a little on its fetal Whois Disclosure System this week, but the news is not good if you’re champing at the bit for a usable system for requesting private Whois data from registrars.
The system, formerly referred to as SSAD Lite, will take “seven to nine months” to develop after ICANN staff gets the green light from its board, staffers told a small GNSO volunteer working group on a Wednesday conference call.
That timetable assumes the staffers working on it are 100% devoted to developing the system, rather than sharing their time between competing projects, they quickly clarified.
This raises the specter of months-long delays to the other big, already-delayed, ICANN work-in-progress — the next new gTLD application round.
The responsible staffers plan to publish a design document for the Whois Disclosure System around ICANN 75 next month, but whether the board will give its immediate approval is not clear.
We’re probably looking at at least a year before there’s a system in place that IP lawyers, security researchers and the like can log into, request data, and be disappointed.
And that’s despite the fact that the system will be built using existing technology — namely the CZDS or Centralized Zone Data Service, which has be in use for many years allowing people to request zone files from gTLD registries.
During this week’s webinar, staffers described how, like CZDS, there will be two user interfaces: one for the data requester, one for the data holder. The system will simply act as an intermediary between the two.
It will use ICANN’s existing accounts system, so there will be no user vetting beyond email address verification. There’ll be no integration with registrars’ existing ticketing systems, and any communications between registrar and requester will have to take place via email.
There’ll also be no billing function, because the system will be free to use by all parties and completely voluntary. While registrars are contractually bound to respond to Whois data requests, there’s no such obligation to use the Whois Disclosure System to do so.
Staffers admitted on the call that they’re a bit stumped about how to encourage registrars to sign up when the system goes live.
New gTLD prep work delayed until December
ICANN has confirmed that the current phase of preparation for the next round of new gTLDs will last six weeks longer than previously expected.
The new deadline for the delivery of the Operational Design Assessment for the project is December 12, almost certainly pushing out board consideration of the document out into 2023.
The extension follows the GNSO’s approval of a new Whois Disclosure System, which will suck Org resources from the new gTLDs ODP as work on both continues in parallel.
ICANN chair Maarten Botterman confirmed the delay yesterday, and the precise length was disclosed by staff in a blog post today. It says in part:
While we’re sharing our best estimate of the impact that the WHOIS Disclosure System design paper work could have on the SubPro ODA in the interest of transparency, rest assured that we are simultaneously moving forward on the ODA and actively seeking ways to streamline and minimize the impact as much as possible.
The updated timetable has been published here.
New gTLDs WILL be delayed by Whois work
The next round of new gTLD applications will be delayed by ICANN’s work on Whois reform, ICANN chair Maarten Botterman confirmed today.
In a letter to his GNSO Council counterpart Philippe Fouquart, Botterman states that the new gTLDs Operational Design Phase, which was due to wrap up in October, will have to proceed with an “extended timeline”.
This is because the GNSO has pushed the concept of a Whois Disclosure System, previously known as SSAD Light and meant to provide the foundations of a system for access private Whois data, and ICANN needs time to design it.
Botterman wrote (pdf):
there is an overlap in org resources with the relevant expertise needed to complete these efforts. As a result, work on the [Whois] design paper will impact existing projects. While SubPro [new gTLDs] ODP work will not stop during this period, we anticipate that an extended timeline will be required to account for the temporary unavailability of resources allocated to the design paper work.
Botterman did not put a length of time to these delays, but previous ICANN estimates have talked about six weeks. GNSO members had worried that this estimate might be a low-ball that could be extended.
ICANN had given the GNSO the option to choose to delay Whois work to complete the SubPro ODP, but it could not come to an agreement on which project was more important, and seemed to resent even being asked.
Community tells ICANN to walk and chew gum at the same time
Whois or new gTLDs? Whois or new gTLDs? Whois or new gTLDs?
It’s the question ICANN has been pestering the community with since early May. ICANN can’t work on developing the proposed Whois Disclosure System (formerly known as SSAD) without delaying work on the next round of new gTLDs, Org said, so the community was given a Sophie’s Choice of which of its babies to sacrifice on the altar of failed resource planning.
And now it has its answer: why the heck can’t you do both, and why the heck are you asking us anyway?
GNSO Council chair Philippe Fouquart has written to Maarten Botterman, his counterpart on the ICANN board of directors, to request that Org figure out how to do both Whois and new gTLDs at the same time, and to existing deadlines:
While Council members might differ on which project should take precedence, there is unanimous agreement that the Subsequent Procedures ODP and SSAD development are among the most important tasks before ICANN. Therefore, we urge that every effort should be undertaken by ICANN Org to complete the work in parallel and to meet currently published milestones.
Fouquart goes on (pdf) to puzzle as to why ICANN decided to “inappropriately include the broad community in the minutiae of ICANN operations planning”.
ICANN had told the GNSO that if it wanted the Whois work to kick off, it would add “at least” six weeks of delay to the new gTLDs Operational Design Phase, which is scheduled to wrap up in October.
Naturally enough, folks such as IP lawyers were very keen that ICANN start to do something — anything — to roll back the damage caused by GDPR, while domain-selling companies are anxious that they get more inventory for their virtual shelves.
The public record has always been a bit sketchy on where the resource bottleneck actually is, in an organization with half a billion bucks in the bank, a $140 million operating budget, and around 400 staff.
Maintaining Whois and the expansion of the root zone are, after all, two of the main things ICANN was founded to do, being unable to do both at once could be seen as embarrassing.
But now it has its answer, as unhelpful as it is.
And it only took two months.
New gTLDs or Whois access? What’s more important?
Should ICANN focus its resources on getting the next round of new gTLDs underway, or making some baby steps towards a post-GDPR system of Whois access?
That’s a question the community is going to have to address when ICANN 74 rolls around next month, after the ICANN board presented it with a divisive question on two of the industry’s most pressing issues that split the GNSO Council along predictable lines at its monthly meeting last week.
It turns out that ICANN doesn’t have the resources to both design a new “SSAD Light” system for handling Whois requests and also carry on its new gTLDs Operational Design Phase, “SubPro”, at the same time.
If the community wants ICANN staff to start work on SSAD Light, work will be paused on the ODP for at least six weeks, ICANN has said. If they want the system also built, the delay to new gTLDs could be much, much longer.
Intellectual property lawyers are of course keen to at least start undoing some of the damage caused by privacy legislation such as GDRP, while registries and consultants are champing at the bit for another expansion of the gTLD space.
This split was reflected on the Council’s monthly call last week, where registry employees Maxim Alzoba, Kurt Pritz and Jeff Neuman were opposed by IP lawyers Paul McGrady and John McElwaine.
“Six weeks is a sneeze in a hurricane,” McGrady said. “We are right on the cusp of taking first steps to solve a problem that has plagued the Community since GDPR came out. I don’t think a six-week delay on SubPro, which again we’re years into and it looks like will be years to go, is a material change to SubPro… a very minor delay seems well worth it.”
At this point, ICANN is still planning to have the SubPro ODP wrapped up in October, thought it has warned that there could be other unforeseen delays.
Neuman warned that even a six-week pause could provide more than six weeks delay to SubPro. Staff can’t just down tools on one project and pick up again six weeks later without losing momentum, he said.
Pritz seemed to echo this concern. The Registries Stakeholder Group hasn’t finished discussing the issue yet, he said, but would be concerned about anything that caused “inefficiencies” and “switching costs”.
The discussion was pretty brief, and no votes were taken. It seems the conversation will pick up again in The Hague when ICANN meets for its short mid-year public meeting on June 13.
After 10 months, ICANN board “promptly” publishes its own minutes
ICANN’s board of directors has approved a huge batch of its own meeting minutes, covering the period from July 15 last year to March 10 this year, raising questions about its commitment to timely transparency.
The board approved the minutes of its last 14 full-board meetings in one huge batch of 14 separate resolutions at its May 12 meeting, and they’ve all now been published on the ICANN web site, along with redacted briefing papers for said meetings.
The period includes decisions on planning for the next new gTLD round and Whois reform, the legal fight with Afilias over the contested .web gTLD, and apparently divisive discussions about the timing of a post-pandemic return to face-to-face meetings.
No explanation has been given for why it’s taken so long for these documents to appear, the timing of which appears to go against ICANN’s bylaws, which state that minutes are supposed to be approved and published “promptly”:
All minutes of meetings of the Board, the Advisory Committees and Supporting Organizations (and any councils thereof) shall be approved promptly by the originating body and provided to the ICANN Secretary (“Secretary”) for posting on the Website.
ICANN almost always published its board’s resolutions within a few days of approval, and a preliminary report — which also includes the number of votes yay or nay, without naming the directors — within a couple of weeks.
The minutes, which are published only after the board rubber-stamps them, typically include a further vote breakdown and a little bit of color on how the discussion went down.
In the newly published batch, some of the documents are somewhat illuminating, while others barely nudge the dimmer switch.
For example, the preliminary report for the July 15, 2021 meeting, published 11 days later, notes that three of the 16 voting directors rebelled on a resolution about making the October annual general meeting in Seattle a virtual-only event, but the just-published minutes name those directors and flesh out some of their reasons for dissenting.
It turns out the directors had a “robust discussion”, with some arguing that it would be safe to go ahead with a “hybrid” meeting comprising both face-to-face and remote participation options.
The dissenting directors were Ron da Silva, Avri Doria, and Ihab Osman, it turns out. Osman and da Silva had voted a similar way a year earlier.
Directors could not reasonably have been expected to know about the impact the Delta variant of Covid-19 would have on world health in the latter half of the year. It had been identified and named by scientists but had yet to spread to the extent it was making headlines.
But they were aware of concerns from the Asia-Pacific members of the community, worried that a hybrid meeting in Seattle would disadvantage those unable to attend due to pandemic travel restrictions. This appears to have been raised during the discussion:
Some Board members expressed desire to see more work done to have ICANN72 as a hybrid meeting. They noted that Seattle has protocols in place to ensure the health and safety of ICANN staff and the community, and ICANN should use this opportunity to begin to return to its normal meeting standards as much as possible. Others noted that the concerns about travel inequities or restrictions for certain parts of the world should not prevent moving forward with an in-person component for ICANN72 because such inequities and restrictions exist with or without the pandemic.
The return to in-person meetings was discussed again in November, when the board decided to junk plans, secured by the dissenting directors in July, for a hybrid meeting in San Juan, Puerto Rico.
Ron da Silva had left the board by this point, but the new minutes show that Doria and Osman were joined by León Sánchez in advocating for a hybrid meeting with an in-person component.
While the July minutes contains a few paragraphs summarizing discussions, the November minutes simply notes that the board “reviewed the proposed resolution and rationale to confirm that it reflects the Board’s discussion and edits”.
And that’s pretty typical for most of the documents published this week — time and again the substantive discussion appears to have either happened off-camera, during non-minuted sessions of the board at unspecified times, or was simply not minuted.
Interested in the talks leading to the approval of the new gTLDs Operational Design Phase? The minutes shed no light.
Interested in how the board reacted to ICANN losing its Independent Review Process case with Afilias about .web? The minutes merely note that the resolution was approved “after discussion”.
There’s also a glaring hole in one set of minutes, raising questions about whether these documents are a reliable record of what happened at all.
We know for a fact that on September 12 the ICANN board approved a resolution naming the new chair and vice chair of its influential Nominating Committee, only to reconvene two weeks later to scrap that decision and name a different chair instead.
But if you read the September 12 minutes, you’ll find no record of NomCom even being discussed, let alone a resolution being passed appointing a chair.
The newly published batch of documents cover several resolutions related to executive pay, but none of the minutes contain the same level of transparency as ICANN displayed in February 2021, when it revealed that three directors voted against CEO Göran Marby’s pay rise.
In terms of transparency, that now appears to fully confirmed as an isolated incident.
ICANN highlights “not getting things done” risk
ICANN’s board of directors addressed a number of existential threats at its latest workshop, including the perception that it’s simply “not getting things done.”
Chair Maarten Botterman disclosed the discussions, which took place at the end of April, in a blog post Friday.
He described how the board broke up into four “brainstorming” groups, which returned with strikingly similar views on the risks ICANN faces.
There’s a worry that the lack of in-person meetings due to the pandemic is harming ICANN’s ability to work and that various unspecified “geopolitical initiatives” may get in the way of the mission. He added:
Moreover, we recognized the risk of ICANN being seen as “not getting things done.” On the opportunity side is the broad awareness within ICANN that we need to continue to deliver on our mission in the face of new challenges, as demonstrated by the prioritization efforts of the Board, Org, and Community, and our ability to adapt to changing circumstances.
The Org and the community have been faced with what I would call organizational inertia in recent months and years.
I wrote a few months ago about how ICANN hadn’t implemented a policy since December 2016 — more than five years previously.
Major issues facing the industry seem to be either stuck in endless feedback loops of community arguments or interminable Org preparatory work.
The SSAD, pitched as a solution to the problem of Whois access, appears doomed to be scrapped entirely or approved in a much-reduced form that many believe will not address the problem of identifying registrants in a post-GDPR world.
And even if the stripped-back SSAD Light gets approved, there’s a good chance this will add many months to the runway of the next round of new gTLDs, which itself is at an impasse because the Governmental Advisory Committee and the the GNSO cannot agree on whether to allow closed generics.
As it stands, 10 years after the last application round new gTLD policy is in the Operational Design Phase within Org, and not expected to come before the board until late this year. Much of what has been disclosed about the ODP to date looks a lot like wheel-spinning.
Recent Comments