Last fall, I wrote about ICANN’s failed effort to achieve its goal of preserving the Whois domain name registration directory to the fullest extent possible. I predicted that if the policy effort failed, governments would take up the legislative pen in order to fulfill the long-ignored needs of those combating domain name system harms. That forecast has now come true through significant regulatory actions in the United States and the European Union in the form of a proposed directive from the European Commission (EC) and instruction from the US Congress to the National Telecommunications and Information Administration (NTIA).

ICANN Org now faces a stark choice: recoil and be a standby witness to what unfolds, or recognize that these further shots across its bow require it to boldly act. This means replacing the weak expedited policy development process (EPDP) team proposals and related implementation with robust requirements that track the EU’s proposed 2.0 version of its Directive on Security of Network and Information Systems (“NIS2 Directive”), redirecting community efforts toward a centralized global access model for Whois that so many have been asking ICANN to develop, and revamping the accuracy requirements for Whois.

The alternative is that ICANN will find itself in the back seat in terms of who really gets to make Whois policy.

Regulatory Action in the European Union Requires ICANN to Revamp its Whois Policies

The developments have come quickly on both sides of the Atlantic.

Starting in Europe, the EC, following a re-examination of critical components of the General Data Protection Regulation (GDPR), now demands continued public access to Whois through a portion of the proposed NIS2 Directive. Specifically, the NIS2 Directive confirms the validity of the Whois database for legitimate purposes, ensures the ongoing collection of data, and mandates its accuracy.

The proposed directive further contains a very detailed set of instructions that deal almost exclusively with the areas of ICANN policymaking failure. In fact, it demands action in the areas all but ignored by the EPDP team output but flagged by the broader ICANN community as woefully inadequate. Specifically:

• Ongoing collection of data by registries (such as .com and .net) and registrars;
• Preventing inaccurate records;
• Distinction between legal and natural persons; and
• Efficient provision of data for legitimate requests (including service level agreements).

The directive prescribes, in particular, that registries and registrars publish non-personal registration data and provide expeditious access for legitimate purposes.

It’s clear that these legislative proposals are intended to resolve the problems created by misapplication of the GDPR by the ICANN community.

US Authorities Recognize the Inadequacy of ICANN’s WHOIS Proposals.

In the United States, end-of-year congressional action brought similar emphasis on Whois.

Specifically, as part of a governmental funding bill, US lawmakers set their sights on fixing the Whois issue, at least in their jurisdiction. Providing reasoning for their requests in a joint explanatory statement, members of Congress tell the NTIA (which sends the US representative to ICANN’s Governmental Advisory Committee) how they expect them to act in exchange for departmental funding—namely, NTIA is directed to work with the GAC to expedite a Whois access model, and is encouraged to require US-based registries and registrars to collect and make public accurate registration data.

ICANN observer Greg Thomas, in a recent blog posting, reinforces the importance and possible impact of this congressional language, writing:

With this report language, Congress is clearly signaling that it is running out of patience with the lack of a mechanism for law enforcement, IP owners and others needing access to registrant identifier information for legitimate purposes such as criminal investigations and protecting rights online.

Even the author of ICANN’s blog post, compliance chief Jamie Hedlund, acknowledges that Congress may look to more aggressive measures if the community can’t produce more effectively than it has. Lack of a credible access model from ICANN means that NTIA will have a hard time defending the ICANN model before Congress when it’s time to decide who ultimately makes domain name policy.

Thus far, ICANN Org has not yet taken this move from Congress as a positive and empowering call to action but has instead made an attempt to explain away at least part of this request, saying that the word encouraged is aspirational and not a mandate in terms of what might be required of registries and registrars. It’s wishful thinking on ICANN’s part. However, ICANN Org would be wise not to bank on semantics in the face of growing governmental frustration from both the US and Europe, which may lead to even stricter regulatory requirements should ICANN ignore these warnings.

A Course Correction Is Needed to Prevent Additional Regulatory Action

ICANN and its policymaking apparatus very much need a course correction on the issue of Whois. “Sooner or later” seems to be finally here, as the warning shots are beginning to look increasingly like governments taking up pen in very specific ways that will direct Whois policy.

This leaves the ICANN Board with no option other than to clearly reject the currently proposed access model—it’s wholly insufficient, anyway—and direct ICANN Org to cease implementation on EPDP team recommendations while it better understands the potential impact of these EC and US Congressional developments. Doing otherwise is to blindly careen down paths that likely lead to conflict with US and EC directives on Whois, and further stretches an already stressed and exhausted ICANN community.