This post was co-authored by Russell Pangborn and Syed Abedi of Seed IP Law Group

The ICANN 64 meeting in Kobe concluded two weeks ago, and we are no closer to accessing WHOIS data critical for law enforcement, cybersecurity threat investigators, intellectual property owners, or other consumer protection advocates who rely on the data to act quickly against online abuse in the domain name system. Instead of a balanced approach to WHOIS that serves the public interest, the ICANN Board is set to approve a new global policy that fails to even fully acknowledge critical, allowable uses of WHOIS to protect the public, let alone require any access. Unresolved issues such as access are supposed to be addressed in “Phase 2” of an Expedited Policy Development Process (EPDP) working group, with no date certain for completion, or indication that registrars, registries or ICANN itself is committed to providing WHOIS access.

This is especially troubling as evidence of the growing threat ICANN’s actions pose to internet users’ safety, and security continues to mount. Recently the World Intellectual Property Office (WIPO) reported that cybersquatting cases have reached a record high, and cybersecurity experts report that masking WHOIS contact data has impaired blocklists, thus “dramatically undermining the efficiency of this, and other, security countermeasures.” In the lead-up to the ICANN meeting, the ICANN groups representing business and intellectual property interests (the Business Constituency (BC) and Intellectual Property Constituency (IPC)) voted to not adopt the replacement WHOIS policy, as they had explicitly advocated and worked for a balanced WHOIS policy for the last year and a half. Despite the objections of the BC and IPC, and the cautionary expressions from the ICANN groups representing governments, security experts and the world’s internet users (the Government Advisory Committee, the Security & Stability Advisory Committee, and the At-Large Advisory Committee, respectively), ICANN’s GNSO Council ratified the WHOIS policy and sent it to ICANN’s Board for final approval. No substantive policy changes were considered in Kobe to address these stakeholders’ concerns relating to legitimate access to WHOIS records for critical, allowable uses.

This proposed WHOIS policy raises several red flags that should concern consumer rights advocates, cybersecurity professionals, law enforcement agencies, businesses and internet users alike. Much of critical WHOIS data that was previously available, such as domain name registrants’ contact information, technical contact information, organization information, address, e-mail, etc., will continue to be redacted and extremely challenging to obtain for legitimate purposes. Further, in cases where requests for legitimate access are made, registrars are merely required to acknowledge receipt of a request for WHOIS data within 2 days, but have 30 days to substantively act and no requirements for actually providing access. Since the spread of online fraud or cyberattacks often takes minutes, 30 days is an eternity.

Initial Data Substantiates Concerns

Given the high stakes involved, several independent bodies and researchers have collected and analyzed data pertaining to the consequences of redacting critical WHOIS records. WIPO reported a spike of 12 percent in cybersquatting cases in 2018, reaching record levels. This spike is especially alarming because cybersquatting, e.g., fraudulent or counterfeit goods, affects all consumers. Significantly, WIPO commented that redacting WHOIS information has affected brand owners’ ability to access critical WHOIS records.

In another recent study, security analysts from Interisle Consulting Group, SURBL, and Spamhaus compared blocklisting data prior to redaction, and post-redaction of WHOIS records. The security analysts’ conclusions were distressing: “The onset of masking Whois contact data has had the direct, corresponding, and ongoing effect of reducing the number of blocklisted domains, dramatically undermining the efficiency of this, and other, security countermeasures.” They further note that various online threats could have been “preemptively stopped had Whois contact data remained available.”

Similarly, brand protection companies have reported unacceptably low response rates to documented requests for redacted WHOIS information. Appdetex previously notified ICANN that from over nine thousand requests for redacted WHOIS data for legitimate purposes that comply with GDPR and ICANN’s directive set forth for the Temp Spec (the Temporary Specification for gTLD Registration Data, adopted by ICANN in May 2018), only a paltry three percent of registrars provided full WHOIS records. MarkMonitor reports a fourteen percent response rate for unredacted WHOIS records, and notes a negative impact on its 24/7 threat response timeline, where phishing attacks are measured in effectiveness per minute. These results are deeply troubling for consumer rights advocates, IP owners, cybersecurity professionals, and law enforcement agencies.

This data is in-line with the October 2018 joint survey report, where the Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand the impact of redaction of WHOIS. The survey results were alarming: “From our analysis of over 300 survey responses, we find that the changes to WHOIS access following ICANN’s implementation of the EU GDPR, the [Temp Spec], is significantly impeding cyber applications and forensic investigations and allowing more harm to victims.” The new WHOIS policy, which is more restrictive than the Temp Spec ICANN is currently using, will in all likelihood be even more deleterious.

Phase 2 Uncertainty

While an optimist may look to Phase 2 as an opportunity to address problems associated with redaction of WHOIS records, it appears that ICANN’s Board and contracted parties (registrars and registries) are content to stall. Despite a majority of the ICANN community calling for WHOIS access to protect the internet and its users over the last year and half, and now despite calls for a date certain by which a unified access model would be finalized, no date certain was provided by which to complete Phase 2. In other words, ICANN’s Board can continue to ignore the growing threat and ICANN’s contracted parties can continue to hinder the process of agreeing to solutions to real-world problems of redaction of WHOIS records, given that there is no firm deadline, or urgency (for them). Indeed, it is possible that the issues relating to redaction of WHOIS records will linger while the unbalanced WHOIS policy remains in place. Noting the lack of a timeline, the GAC in its communique post-Kobe, chastised and advised the Board to swiftly and expeditiously conclude Phase 2 activities on a timeline similar to Phase 1. It is yet to be seen whether ICANN will take GAC’s advice and act in the interest of all stakeholders, not just the contracted parties.