We’re halfway into ICANN71, and early interactions are posing questions about ICANN Org’s capability to carry out its mission to maintain an orderly domain name system (DNS). Or, if that’s not the case, ICANN leadership seems bent on a hands-off approach to its oversight responsibilities to the DNS.

For years now—years—the ICANN community has raised the volume level about acute issues—a workable Whois management and access system (including clearly delineated controllership) or an effective DNS abuse mitigation strategy, for example. We have neither, nothing particularly useful is on the horizon, and while there’s a great deal of talk, little hard action has followed.

It’s not as though alarm bells haven’t been sounding. In the latest of a series of industry studies showing where work needs to be done on behalf of the DNS, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Anti-Phishing Working Group (APWG) have published survey results that show ICANN’s work to date on Whois policy won’t meet the needs of those helping to ward off cyberthreats.

It’s beyond time for ICANN to step up to the plate with updated contracts and a fresh commitment to enforce them. Unfortunately, though, it seems the operative word in ICANN circles in mid-2021 is “can’t.”

Far too many representatives of registries and registrars say they can’t disclose Whois data to legitimate requestors—it’s too complicated under GDPR. (It’s apparently not too complicated, though, when money changes hands to process Whois lookups, in the case of at least one registrar.)

ICANN Org can’t enforce its contracts with registrars and registries—some that harbor DNS abuse. The contracts are too weak, they say.

ICANN Org can’t do anything to ensure Whois records are accurate. We’re not a data controller, so we can’t access the data under GDPR, the Org says.

That of course is not the vocabulary of a bottom-up consensus-based policy development organization charged with oversight of the DNS and with working in the public interest. Nor is it the mantra of an organization that “is not one to do nothing,” as its board chair recently characterized it. It’s the language of an organization that behaves like a trade association defending member interests and of one that is disinterested in upsetting the apple cart.

The adversarial tone of discussions—acknowledged during this week’s ICANN Policy Forum—isn’t helping either. When everyone is in the same Zoom room at ICANN71, discussions are cordial enough, but when it’s time for forward movement on policy development processes, battle lines harden and progress slows to a crawl—if not an altogether standstill.

So what can be done?

ICANN can take advanced steps to align with European Commission directives, which have clarified ICANN’s misapplication of GDPR and many of ICANN’s questions to the EC on the subject, and get involved to design something more usable than a low-level ticketing system that may or may not, someday, enhance cybersecurity.

ICANN Org can admit—as does Appendix C of its Temporary Specification for gTLD Registration Data—that it is a data controller, and do something about data accuracy and be accountable to those it serves in the public interest.

ICANN Org can follow the loud and clear advice of the Governmental Advisory Committee, which on numerous occasions has called for the improvement of contracts with registries and registrars (it’s been almost a decade since it was last done, after all) to give ICANN Compliance the tools it needs, and says it doesn’t have, to stand up for itself and oversee a clean DNS and the very parties ICANN accredits to operate within the DNS. This is well overdue.

The time for tap-dancing is long over. If ICANN refuses to take responsibility and re-center as the oversight body that maintains the DNS in the public’s interest—as I’ve written about and as we’ve seen lately—governmental impatience and frustration will take over. And that’s not the outcome anyone in the multistakeholder community particularly wants. So, I say that we encourage ICANN to move past can’t and won’t to can ... and start with those stronger agreements it says it needs, but doesn’t yet have, to do its job.