Home / Blogs

Too Little, Too Late? Why ICANN's Proposed WHOIS Access System Isn't Worth It

After two years of grueling, complex and contentious debate, the ICANN EPDP team delivered its Phase 2 Final Report on July 31st, 2020. Unfortunately, and disappointingly, the policy recommended for the so-called "System for Standardized Access/Disclosure" (SSAD) fails to meet the needs of the users it supposedly is designed to benefit. Those interested in all of the reasons why this is the case should read the numerous minority statements from the stakeholders representing security practitioners, businesses, brand holders, governments, and end-users across the globe.1

Before I detail my personal views on the result, here is a quick history for those of you lucky enough not to be following closely over the past two years.

On August 1st, 2018 ICANN kicked off the first phase of a two-phase Expedited Policy Development Process (EPDP) tasked with evaluating the Temporary Specification for generic top-level domain (gTLD) Registration Data (a.k.a. WHOIS data) with the main goal of ensuring compliance with European Union's General Data Protection Regulation (GDPR). The EPDP Phase 1 Final Report was delivered on February 20, 2019. The EPDP team then moved onto Phase 2 that was focused on developing policy for a system for standardized access to non-public registration data — essentially policy that would enable access to important domain name registration data for legitimate purposes like combating cyberattacks, enforcing intellectual property rights and protecting public safety and welfare online.

Assessing the Value

Since the EPDP team delivered its final report, I've spent much time reflecting on both the process and the outcome. Personally, the issue that resonates with me most is the question of value. What value does the SSAD bring to the users of the SSAD? Does that value justify the costs of using the system? Does that value justify the costs of building and maintaining the system?

Put yourself in the shoes of a typical SSAD user, such as a cybersecurity investigator or an intellectual property owner. How much value is there in a system that…

  • often delivers inaccurate data.
  • misapplies the GDPR by allowing the redaction of legal person data.
  • is not timely, especially for issues related to consumer protection where access to data to properly investigate and remediate cybersecurity attacks is required on the order of hours not business days.2
  • does not prioritize requests related to consumer protection, such as phishing.
  • results in inconsistent and unpredictable access to registrant data — as 2000+ contracted parties (e.g. registries and registrars) will review each request manually and make their own individual decisions as to disclose or not disclose.
  • explicitly limits ICANN's enforcement authority, especially in cases of improper disclosure decisions.
  • will, based on analysis of the existing disclosure regime, result in the disclosure of data at most 30% of the time.34
  • lacks automated or centralized disclosure decision making resulting in a system that cannot scale. This especially impacts the system's utility for users involved in large scale global cybersecurity investigations.5
  • does not support a mechanism for quick and agile improvements to the system, including when required by regulation or supported by legal guidance. Effectively users will be stuck with a system that is difficult if not impossible to evolve and improve over time.6

To me, the answer is pretty clear. The value and benefits of the SSAD do not come anywhere close to justifying the costs to build it and maintain it, let alone use it.

A House of Cards

This cost-benefit analysis is further complicated by policy7 that mandates that the users of the SSAD pay for all costs of the ongoing operation and maintenance of the SSAD. It's important to note that the IPC made it clear that they were happy to pay for accreditation and other fees in order to use the system. However, financial sustainability recommendations will result in a funding model that is designed to fail. An SSAD that has little value to requestors will lead to a situation where individuals and organizations don't sign up to use it (or decide to stop using it) which leads to higher costs to use the system which, I assert, will ultimately lead to a situation where ICANN will have no choice but to close it down. The policy constraints will result in what can only be seen as a sure-to-collapse house of cards.8

There is no doubt that the question of value will be at the core of the decision that the GNSO Council and perhaps the ICANN Board (assuming the Council approves the policy) will have to make during their deliberation and vote on the Final Report in the coming months.

A Disturbing Pattern

While the ICANN community waits to see how the GNSO Council and ICANN Board will vote on the Final Report, it is important to step away from looking at the preverbal single "tree" that the EPDP Phase 2 policy represents and look at the "forest" of ICANN policies that have also been impacted by the GDPR. When you do, a disturbing pattern emerges. ICANN's response to the GDPR will unnecessarily end up invalidating existing policy that was set and approved by the ICANN bottom-up policy development process.

In my short time being involved in ICANN policy development (since 2013), none of the policies I've been involved in developing (either directly or indirectly) have seen the light of day. (And yes, I have considered that perhaps I am the root cause!) In summary —

  • Thick WHOIS: Policy approved Oct 2013 (seven years ago!), implemented and operationalized, but now paused with no plan on when or if it will continue.
  • Privacy Proxy: Policy approved Dec 2015. Implementation paused (work was about 90% complete) with no plan on when it will continue.
  • EPDP Phase 1: Policy approved Feb 2019 with Board comments/input, yet the "expedited" IRT is still working after 16 months (!) with much work still to be completed and no concrete schedule or plan to complete it. Even once approved the current timeline indicates it will take up to an additional 18 months to fully operationalize across all contracted parties.9

Given the impact not only on the Phase 2 Policy but also on the policies listed above, perhaps it is time to admit that the ICANN policy development process may not be properly suited to address complex legal issues such as the GDPR. The minority statement of the BC and IPC concludes with the following paragraph.

"Despite the IPC and BC's best intentions, the EPDP experiment has failed. It has proven incapable of handling a purely legal issue created by the GDPR. Regulators and legislators should note that the ICANN multi-stakeholder model has failed the needs of consumer protection, cybersecurity, and law enforcement. As a result, there is a need for clear regulatory guidance for the GDPR, and to pursue alternative legal and regulatory approaches."

While I do not believe this should be interpreted as an indictment of the multi-stakeholder process as a whole, it does indicate that that model does have its limitations. It also indicates that it would be a mistake for the ICANN community to proceed in developing and deploying an SSAD based on the Phase 2 Policy without additional regulatory guidance from the European Union or alternative regulatory approaches defined elsewhere.

Conclusion

Like many of the participants in this process, I am also extremely disappointed and frustrated with where the EPDP Phase 2 policy ended up. I have no doubt that many of my friends and colleagues will find it difficult to understand why those whose interests the SSAD was designed to serve may decide to reject it in the end. However, it is crystal clear that the SSAD does not sufficiently serve those interests. They may also argue that the policy will ultimately result in a better experience for those requesting disclosure of non-public data. However, other than centralized request tracking functionality, it will not result in additional efficiency above and beyond the fragmented, non-standard, and ineffective method that exists today.

Finally, no one should be shocked that constituencies may not support policy that is not in their interest. The ICANN model of policy development doesn't exist to define policy simply for the sake of defining policy. It exists to define consensus policy that allows ICANN to maintain the security and stability of the Internet's system of unique identifiers. It exists to ensure ICANN can meet its obligations laid out in its bylaws — including those related to registration directory services (WHOIS). It exists to ensure consensus policy can be enforced by ICANN compliance. Unfortunately, the EPDP Phase 2 Policy does not meet any of these needs.

So, we must ask ourselves — Is it worth it? I'm convinced it is not.

By Alex Deacon, Founder, Cole Valley Consulting

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Sidenote By Theo Geurts  –  Aug 27, 2020 12:32 am PDT

Just an observation as an alternate EPDP member.

The SSAD often delivers inaccurate data? I think that always be the case for domain names engaged in criminal activities.
Our investigations into BEC fraud demonstrates that the last 2 years criminals have become very stealthy.

Of course, this trend has gone somewhat unnoticed due to the redaction of WHOIS data.
I conclude that registration data for domain names engaged in malicious activities that the data

-Will pass every syntax check
-Can pass any crossfield validation. Country, City, postal code, street always match. Criminals can now easily use fake ID generators.
-Manual verification is sometimes very hard and requires much effort to prove that the data is incorrect.

For investigations, I rely mostly on SOCMINT data as the registration data usually does not yield much info.

compromise... By Volker Greimann  –  Aug 27, 2020 5:04 am PDT

It is an attempt of a compromise between the legal obligations of the parties processing the data and the needs of the parties that want access to this data.

It was clear from that start that GDPR killed Whois (or RDS) as we knew it, so we had to find a form of controlled access on a basis of legitimate interest and legal rights.

Like any compromise, it has its flaws, but to identify these flaws and continue to imrove the system, a mechanism was built that will allow continuous impovements.

I also blieve it will greatly reduce the number of denials. Today, many denials are caused by flawed or incomplete requests as well as varying requirements by the data processors. The new system will lead to a higher number in well qualified requests and at the same time unify the requirements, so more requests can be positively answered.

I agree with Theo though that this will not address the issue of those registrants that wilfully provide false data, e.g. the criminals. But if we are honest, this was already the case with public whois.

Finally, I would like to remind the councillors of the IPC and the BC that it is not the role of the GNSO council to debate the substance of the work done by the ePDP, but exclusively whether proper policy was followed in creating the recommendations.

How about an "Opt Out of GDPR" option? By Bill Butkevich  –  Sep 01, 2020 8:25 pm PDT

I'm a US-based domaineer… given any particular domain name of mine, my business relies on prospects being able to readily determine my contact information.  This latest GDPR inspired phase of registrars applying these new "privacy" rules and effectively shutting down all publicly accessible whois data may be fine for EU citizens ("GDPR"=EU… correct?), but as a US citizen I'm asserting to my US-based registrars that the GDPR does not specifically apply to any US-based company or person (like them and me), and I'm requesting they not apply this rule to me… I'm requesting they provide me (and all other non-EU persons/companies) an "Opt Out Of GDPR" option such that I can keep all of my domains' full info 100% publicly accessible.

One of my US based registrars (EnCirca) is seemingly all gung-ho on applying these foreign rules against their US customers - all of my whois data (that I've strongly asserted to them need to remain 100% publicly accessible) have been effectively shutdown… as per the dictates of the EU GDPR (they assert).

My research revealed some US based registrars behaving in this same manner, but others that better understood the nonsense of blindly applying the unwanted GDPR against their US customers (wishing to opt out like me).  My only solution is to transfer my ~100 domain names away from EnCirca onto the the more reasonable & accommodating US-based non-GDPR-asserting registrars. 

From the tone of this article, it sounds like there's no option (and therefor no discussion or consideration) for non-EU persons & companies from opting out of this GDPR, and that it's a foregone conclusion that all US registrars will soon have no legal option but to comply enforcing this foreign rule against their US customers (lest they face losing their ICANN controlled access to the root DN resolvers?).

If this issue didn't already get addressed here in the US with a pro-business presidential administration like Trump's in office now, it's chance of ever getting addressed post-Trump (it seems inevitable) is nil.

Given such, the only solution I can fathom is for a competing alternative shadow-like whois system being formed… So your (US, etc) non-EU registrar is forced to hide your whois data… but what's to stop anyone (desiring such like me) from still publishing these full contact details on a parallel alternative system?  Would the EU & ICANN take exception to this? Would they have international legal grounds? I'm living in Florida, US, conducting my business 100% from here only with US-based customers. Can the EU (via their GDPR, etc) & ICANN really boss me around like this?

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Domain Names

Sponsored byVerisign

Cybercrime

Sponsored byThreat Intelligence Platform

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byIPv4.Global

New TLDs

Sponsored byAfilias

Whois

Sponsored byWhoisXML API

Brand Protection

Sponsored byAppdetex

DNS Security

Sponsored byAfilias