A few weeks ago, Appdetex published a blog with predictions for 2021, and admittedly, at the date of publication, there were already very clear indications that one prediction was already in flight.

In our blog post, we’d said, “With the global domain name system failing to abate abuse, and, in fact, thwarting consumer protection, get ready for a patchwork of local laws targeting attribution and prosecution of bad actors… Get ready for some confusion and turmoil in the world of notice and takedown related to local laws and regulations.”

Since May 2018, it’s been harder for brands to mitigate consumer harm resulting from infringing domain names. A recent study from Interisle Consulting bears this out: WHOIS data has gone from being over 75% available to just above 13% since the implementation of ICANN’s reaction to GDPR. It should come as no surprise, then, that regulators in the US and EU are poised to take action to try to protect consumers. Late last year, both the United States (US) and European Union (EU) governments had already begun to act to make access to domain name registrant contact data (WHOIS) more available to protect consumers and internet users.

In their proposed Revised Directive on Security of Network and Information Systems (NIS2), the EU has become much more specific about intermediaries’ obligations, including Domain Naming Service (DNS) providers. The legislation would specifically identify hosts, DNS providers, TLD registrars, and registries as being part of the solution and is expected to mandate that they act swiftly to mitigate consumer risk and balance privacy and harm more carefully. Public Stakeholder comments have been gathered, and now the EU is readying the legislation for adoption and its implementation by member states.

Meanwhile, buried in the thousands of pages of the omnibus Consolidated Appropriations Act of 2021 is an instruction to the National Telecommunications and Information Administration (NTIA). The NTIA is “directed,” through their position on the Internet Corporation for Assigned Names and Numbers (ICANN) Government Advisory Committee, to “work with ICANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes.” There are also rumblings about stand-alone legislation to protect consumers by making WHOIS data more accessible.

While these actions seem both relevant and helpful on their surface, it represents a failure in ICANN’s ironically-named expedited policy development process (EPDP) that these legislative solutions need to be taken. ICANN’s glacial-paced EPDP has yielded very little in the past two years. The EPDP has proposed a guideline for implementing a toothless tool investigating and abating abuse. This guideline, judged as so useless that even EPDP participants from some constituencies voted against its implementation, will likely require two or more years to implement.

Had ICANN and the multi-stakeholder community acted in a balanced manner to protect both privacy and the internet from harm by bad actors, it would have been unnecessary for governments to act. Sadly, it is now up to brands to do their best to remediate consumer abuse and harm without the help of the governing body of the internet. Worse still, a patchwork of legislation will be yet another complication for both brands and DNS participants.