
It's About Whois Display And Access

Fabricio Vayra

The need for an access model for non-public Whois data has been apparent since GDPR became a major issue before the community well over a year ago. Now is the time to address it seriously, and not with half measures. We urgently need a temporary model for access to non-public Whois data for legitimate uses, while the community undertakes longer-term policy development efforts.

The pronounced need isn't news to ICANN. The Governmental Advisory Committee (GAC), law enforcement, security experts, IP interests and a host of others sounded the alarm some time ago. And ICANN's CEO even acknowledged it, while stopping short of addressing it. Most recently, the Security and Stability Advisory Committee issued a strongly worded advisory underlining the security and stability harms now accruing thanks to a dark Whois. Alas, we find that the system already is fragmented.

"It's not that bad," some will say. "The parade of horribles hasn't arrived." That would be misdirected thinking. Requests for non-public data may be lower than anticipated because the temporary Whois model approved by ICANN's Board raised more questions that it answered, left avenues for access unclear and fragmented, and left out measures to hold registrars and registries accountable for providing access to non-public Whois for GDRP-allowed uses. Even so, early feedback on requests for non-public WHOIS indicates that many registrars are non-responsive. It's like we're back to the wild west.

It's a good thing that ICANN has now joined the community in acknowledging critical access needs by publishing a "Framework Elements for Unified Access Model for Continued Access to Full WHOIS Data — For Discussion," but it's only a half step. Rather than stick its toe in the access water with this model for a model (for discussion, not for action), ICANN should jump in and commit to solving this problem immediately, rather than focus on a few high-level themes with a suggestion that we all gather to talk about it.

Unfortunately for the victims of e-crime, abuse and infringement, and for the world's Internet users, this "model" is nowhere close to implementable. For example, it tries to impose a substantial amount of work and responsibility on governments and the GAC, which has already told ICANN that it will provide advice within a limited purview and is not responsible for administrative or operational activities. And it's not exactly timely. By its own specification and timetable, the model can't move ahead until at least mid-December 2018. Meanwhile, the harms continue to pile up.

So what we appear to have here is a rapidly deteriorating domain name system, with a vague model to address it that relies on bodies that don't want to run it, and the plan is to talk it over for something like the next six months.

There's a better option.

Over-applying GDPR requirements, the ICANN Board issued a Temporary Specification (Temp Spec) to deal with Whois display. Similarly, applying GDPR requirements for legitimate use should now drive ICANN's Board to take similar steps to put in place a stop-gap measure that immediately provides uniformity and predictability for access to non-public Whois. Just as ICANN sprang into action on the matter of displaying Whois, it's now in a position to do the same for access to Whois.

This isn't to suggest that ICANN shouldn't discuss and further develop with the community its newly released Unified Access Model. But, there's a problem to solve now and solutions have already been offered that should not be ignored. I'm referring to the community access model — now at 47 pages with great detail that answers many of the very questions ICANN asks in its Unified Access Model. Highlighted in this model are technical solutions that will probably be part of the community discussion around the Unified Access Model, and should most certainly be considered as a stop-gap solution to the current need for access to nonpublic Whois.

With available and implementable solutions today, ICANN should be driven by public interest rather than total risk aversion. It's time to move quickly to provide an immediate temporary solution to access while the community works on the Unified Access Model and EPDP.

By Fabricio Vayra, Partner at Perkins Coie LLP

Share your comments

BC/IPC model Rubens Kuhl  –  Jun 26, 2018 8:14 AM PST

I believe the name BC/IPC model would better fit the initiative that is being linked to. "Community" would suggest a larger involvement of other communities, which is not quite what happens. ICANN did a good job comparing their model, the BC/IPC model and the Phyly model, which makes for interesting reading.
It didn't include the NCSG model because it was not available at the time, but a new comparison could be done including that model.
