A Failed Whois Policy

CircleID: ICANN’s two-year effort to purportedly preserve the Whois public directory to the greatest extent possible while complying with GDPR has failed. Under the latest proposal, the Whois database, once a contractually-required directory of domain name registrants, will be gutted to the point of virtual worthlessness, as registrars, registries, academics, and hand-wringing others ignored the public interest and imposed ever-higher barriers to legitimate, GDPR-compliant access to registration data. The world now is nearly completely without a tool necessary to protect against online abuses and safeguard important rights.

At its core, the policy recommendations resulting from this process afford ICANN Org, registrars and registries a place to hide from doing the right thing, as allowed under the GDPR. ICANN Org — the ultimate overseer of the domain name system (DNS) — is now faced with a stark choice: either step up to properly enforce its own contracts to the greatest extent possible while complying with GDPR (as it should as the accrediting body charged with oversight of the DNS for the public interest), or acknowledge this is a matter that should be resolved from outside of ICANN — and be open to national legislation that can do that.


More than two years ago, ICANN faced a real dilemma. Whois was impacted by GDPR and would need to be revamped.

Registries and registrars, maintainers of the Whois system, needed a way to comply with the new law without violating their contracts with ICANN, which required an operating Whois. At the eleventh hour, ICANN issued a temporary contractual specification for registries and registrars (the “temp spec”) that allowed them to close down Whois, except in circumstances when legitimate interests needed access to registration records. ICANN then chartered a group of domain name industry participants to supplant the temp spec with a permanent policy that set out new rules for the Whois system that provided legitimate access without violating GDPR. Known as an expedited policy development process (EPDP), the team’s work was meant to be thorough but efficient. After two-and-a-half years of deliberations, a final report details its recommendations.

The problem is, of course, the recommendations are quite empty — inadequate on the most basic level. So insufficient are the team’s recommendations, in fact, they are unlikely to garner meaningful support as they’re considered by ICANN’s governing policy council (the Generic Names Support Organization Council) later this week. They simply don’t meet the needs of the community — or the public interest Whois is meant to fulfill — and as a result represent a failed policy.

Warnings from Key Stakeholders Ignored

Broader community reactions also have been swift and damning. Governments and security experts, both tasked with advising the ICANN Board of Directors, have condemned the output, while others, including consumer advocates, have joined the chorus. The common refrain is that the recommendations are woefully inadequate:

World governments, represented by the Governmental Advisory Committee, warn that the “Recommendations are substantially inadequate and not fit for purpose.”
Security experts, represented by the Security and Stability Advisory Committee, denounced the proposals and noted that the process “has not provided outcomes that are reasonably suitable for security and stability.”
End-users, globally represented by the At Large Advisory Committee, said of the proposed Whois access and disclosure mechanism that “the probability of its meeting the goals needed by the communities whose efforts [they] support will be low.”
Global business and intellectual property interests, represented by the Business and Intellectual Property Constituencies, said that the Final Report “fails to deliver a System for Standardized Access that meets the needs of its users.”

It should be no surprise to anyone that a slapdash policy that is worse than the failed current policy is met with disapproval.

Why it Failed

From a high level, there are three main reasons why the policy work failed:

First, it doesn’t meet its objective, which was to ensure GDPR compliance while maintaining Whois to the greatest extent possible. Unfortunately, the proposed policy doesn’t avail itself of the GDPR’s most basic tenets on limitations to scope that would allow reasonable access to large swaths of the Whois database (e.g., legal persons, persons outside the European Union). The EPDP team has, instead, chosen to overapply GDPR, and that fails the Whois availability objective entirely.

Second, the recommendations fall short of public interest needs — needs that were recognized by both the European Commission and ICANN itself. The EPDP team focused more on limiting potential registry and registrar liability instead of addressing the public interest needs of the broader community. The recommendations therefore don’t even afford the most basic tools necessary to law enforcement and cybersecurity experts to address their interests, which have been repeatedly relayed to the EPDP team, including by the GAC. Again, this leaves the recommendations unfit for the most basic and widely acknowledged of purposes, particularly in an environment of growing DNS abuse that even ICANN CIIO Ashwin Rangan explicitly stated in an August 5 webinar has been “increasing dramatically.” 

Third, operationally, the EPDP team has produced little more than a ticketing system for people to submit data requests. It potentially could ease the intake burden, sure, but provides no substantive benefit regarding the heart of the issue to be resolved — disclosure responses to legally and legitimately based requests for Whois data. Specifically, the proposal does nothing to resolve the underlying decision-making issue: that is, the same 2000+ registrars and registries who are largely denying and/or ignoring legal and legitimate requests today will be the same parties receiving the requests through the fancy ticketing system the policy proposes — and probably will continue to largely deny and ignore. It presumably doesn’t take two-and-a-half years of policymaking work to produce an intake system ICANN could have independently designed and built itself.

A healthy multistakeholder model would have delivered a balanced solution to the full community, had it been working by design. However, this policy output is arguably worse for users than is the temp spec itself, which at least was less restrictive and could have offered “reasonable access” to Whois data, had it been properly enforced. Instead, the proposed policy has left the Whois system fractured and not fit for purpose.

What’s Next

Those on the side of combating DNS abuse, hunting down criminals, protecting consumers, guarding intellectual property rights, and otherwise making the Internet a safer place must have reasonable access to registration data. Because policy work failed, however, they are now forced to look outside the ICANN process for a workable solution to the data problem and have already begun doing so.

ICANN leadership has responded by going on the attack and defending its multistakeholder model rather than recognizing its role in the failure and its fiduciary responsibility to step in and fix the problem. CEO Goran Marby has attempted to spin the failure by stating that “the PDP reached as far as it could,” and “we can’t do more.” In the same breath he indicated that if law enforcement wants access to Whois data — an allowance nearly all in the community support — European data protection authorities will have to update interpretations of the law, or outright change it.

Inexplicably, ICANN Org has now focused its firepower on the GAC. In an antagonistic letter to GAC chair Manal Ismail, ICANN retreats to answering outstanding questions with questions, and obfuscating matters by demanding the GAC further justify its plainly stated concerns over EPDP outcomes with “legal bases.” This overtly confrontational letter shows that ICANN, which has been chronically behind the rest of the world in its reaction to and handling of GDPR, continues to take a hard line on exempting themselves from taking positions or responsibility with oversight of the DNS in the public’s interest. In this vein, the letter reads more like a trade association that is defending the interests of its members than what is expected from an organization charged with oversight of the DNS in the public interest.

More than ever, it’s clear now that this lacking result must be met with assertive action. ICANN should finally act — by saying no to a substandard ticketing system, finding a way to get legal certainty about GDPR application, or even enabling an enforceable code of conduct for registrars as allowed through their existing contracts with registrars. If ICANN compounds policy development failure with its own failure to act, it should expect others in a position to act to take charge. And to do so with the authority ICANN apparently abandoned willingly during this entire misguided process.
Written by Fabricio Vayra, Partner at Perkins Coie LLP

The post A Failed Whois Policy appeared first on iGoldRush Domain News and Resources.

Original source: https://www.igoldrush.com/newsfeed/ig650546
