
More Warning Shots for ICANN, or the End of the Road?

Last fall, I wrote about ICANN's failed effort to achieve its goal of preserving the Whois domain name registration directory to the fullest extent possible. I predicted that if the policy effort failed, governments would take up the legislative pen in order to fulfill the long-ignored needs of those combating domain name system harms. That forecast has now come true through significant regulatory actions in the United States and the European Union in the form of a proposed directive from the European Commission (EC) and instruction from the US Congress to the National Telecommunications and Information Administration (NTIA).

ICANN Org now faces a stark choice: recoil and be a standby witness to what unfolds, or recognize that these further shots across its bow require it to boldly act. This means replacing the weak expedited policy development process (EPDP) team proposals and related implementation with robust requirements that track the EU's proposed 2.0 version of its Directive on Security of Network and Information Systems ("NIS2 Directive"), redirecting community efforts toward a centralized global access model for Whois that so many have been asking ICANN to develop, and revamping the accuracy requirements for Whois.

The alternative is that ICANN will find itself in the back seat in terms of who really gets to make Whois policy.

Regulatory Action in the European Union Requires ICANN to Revamp its Whois Policies

The developments have come quickly on both sides of the Atlantic.

Starting in Europe, the EC, following a re-examination of critical components of the General Data Protection Regulation (GDPR), now demands continued public access to Whois through a portion of the proposed NIS2 Directive. Specifically, the NIS2 Directive confirms the validity of the Whois database for legitimate purposes, ensures the ongoing collection of data, and mandates its accuracy.

The proposed directive further contains a very detailed set of instructions that deal almost exclusively with the areas of ICANN policymaking failure. In fact, it demands action in the areas all but ignored by the EPDP team output but flagged by the broader ICANN community as woefully inadequate. Specifically:

  • Ongoing collection of data by registries (such as .com and .net) and registrars;
  • Preventing inaccurate records;
  • Distinction between legal and natural persons; and
  • Efficient provision of data for legitimate requests (including service level agreements).

The directive prescribes, in particular, that registries and registrars publish non-personal registration data and provide expeditious access for legitimate purposes.

It's clear that these legislative proposals are intended to resolve the problems created by misapplication of the GDPR by the ICANN community.

US Authorities Recognize the Inadequacy of ICANN's WHOIS Proposals

In the United States, end-of-year congressional action brought similar emphasis on Whois.

Specifically, as part of a governmental funding bill, US lawmakers set their sights on fixing the Whois issue, at least in their jurisdiction. Providing reasoning for their requests in a joint explanatory statement, members of Congress tell the NTIA (which sends the US representative to ICANN's Governmental Advisory Committee, the GAC) how they expect it to act in exchange for departmental funding: NTIA is directed to work with the GAC to expedite a Whois access model, and is encouraged to require US-based registries and registrars to collect and make public accurate registration data.

ICANN observer Greg Thomas, in a recent blog posting, reinforces the importance and possible impact of this congressional language, writing:

With this report language, Congress is clearly signaling that it is running out of patience with the lack of a mechanism for law enforcement, IP owners and others needing access to registrant identifier information for legitimate purposes such as criminal investigations and protecting rights online.

Even the author of ICANN's blog post, compliance chief Jamie Hedlund, acknowledges that Congress may look to more aggressive measures if the community can't produce more effectively than it has. Lack of a credible access model from ICANN means that NTIA will have a hard time defending the ICANN model before Congress when it's time to decide who ultimately makes domain name policy.

Thus far, ICANN Org has not taken this move from Congress as a positive and empowering call to action. Instead, it has attempted to explain away at least part of the request, saying that the word "encouraged" is aspirational and not a mandate in terms of what might be required of registries and registrars. That is wishful thinking on ICANN's part. ICANN Org would be wise not to bank on semantics in the face of growing governmental frustration from both the US and Europe, which may lead to even stricter regulatory requirements should ICANN ignore these warnings.

A Course Correction Is Needed to Prevent Additional Regulatory Action

ICANN and its policymaking apparatus very much need a course correction on the issue of Whois. "Sooner or later" seems to have finally arrived, as the warning shots increasingly look like governments taking up the pen in very specific ways that will direct Whois policy.

This leaves the ICANN Board with no option other than to clearly reject the currently proposed access model (it's wholly insufficient, anyway) and direct ICANN Org to cease implementation of the EPDP team recommendations while it better understands the potential impact of these EC and US Congressional developments. Doing otherwise is to blindly careen down paths that likely lead to conflict with US and EC directives on Whois, and to further stretch an already stressed and exhausted ICANN community.

By Fabricio Vayra, Partner at Perkins Coie LLP


Comments

A centralized global access model for Whois By John Poole  –  Jan 14, 2021 7:30 pm PDT

For .COM domain names, we already have a working, free and fully accessible to everyone in the world (via internet connection and web browser), GDPR-compliant centralized model for accessing .COM domain name registration data:
Step 1: go to https://lookup.icann.org/ and enter the .COM domain name (e.g., "eff.com") and click "LOOKUP"
Step 2: Read the information given. Need more information? Contact the registrar whose name and contact information was given as a result of completing Step 1 above.
If it ain't broke, don't fix it. More info here.

lookup.icann.org is helplessly broken By Alex Deacon  –  Jan 18, 2021 5:57 pm PDT

A simple search for domain names like verisign.com or icann.org or godaddy.com (and others) makes it plain how broken and useless the lookup tool is. IMO whoever decided lookup.icann.org was ready for general availability and in a state to replace the old whois.icann.org (and whois.internic.net) should be fired. It is clear that not even the basic level of manual testing has taken place by ICANN and many registrars and registries. Sad....but par for the course.

Registrar contact information is the key By John Poole  –  Jan 19, 2021 11:39 am PDT

The lookup tool is not broken, Alex. It does the one thing that ICANN is competent to do: it provides the world with the key contact information for every registered gTLD domain name (including .COM domain names) in existence: the name and contact information of the respective ICANN-accredited Registrar which holds ALL of the registration data (including information NOT required by ICANN). It may be better for each Registrar to have a URL listed e.g., lookup.godaddy.com, in addition to, or instead of a telephone number and email address, in order to cope with a large volume of inquiries in this new era of data privacy. I expect large registrars such as GoDaddy will quickly adapt and build batch tools to quickly process, in different ways, inquiries which originate from law enforcement and other governmental entities, trademark counsel and other attorneys, and the general public.

bizarro world By Alex Deacon  –  Jan 20, 2021 3:06 pm PDT

Understood. 

But we (well I at least) do not live in some alternate reality where some Bizarro-ICANN has set policy for their Bizarro-WHOIS system that only requires the contact info for the registrar to be returned in response to a query. 

The "real-world" ICANN requires registrant data to be collected and returned per policy defined in the Temp Spec, Phase 1 Policy and others.

A very simple review of responses returned by lookup.icann.org confirms it is broken and thus useless as an RDS lookup tool.
