Home / Blogs

ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet

ICANN has consistently said its intention in complying with the European Union’s General Data Protection Regulation (GDPR) is to comply while at the same time maintaining access to the WHOIS domain name registration database “to greatest extent possible.” On February 28, ICANN published its proposed model. Strangely, while ICANN acknowledges that some of the critical purposes for WHOIS include consumer protection, investigation of cybercrimes, mitigation of DNS abuse, and intellectual property protection, the model ICANN proposes provides no meaningful pathway to use WHOIS in those ways. Under ICANN’s model, use of WHOIS “to the greatest extent possible,” really means use will become practically impossible. They are, in effect, proposing to end the internet’s operational transparency.

Today, while users can easily access a full set of publicly available WHOIS data for purposes like fighting fraud or enforcing IP rights, the published ICANN model removes most information from public view and turns WHOIS into a tiered or “gated” access system, where the vast majority of key data will only be available for users who are accredited—at some undefined point in the future—to pass through the gate. Although a gated access model could be crafted to provide full access to approved users, ICANN did not appear to incorporate any of the approaches found in the community proposed models relating to gated access. Although ICANN originally said that it was not set on picking one of its own models and would be open to taking elements from the community models, it appears not to have done so and to have instead charted its own course.

Denial of appropriate WHOIS access will force law enforcement, cybersecurity professionals, and intellectual property rights holders to pursue John Doe lawsuits, simply to identify registrants through subpoenas and court orders. That will not only greatly amplify overall online enforcement costs for all concerned, but also waste judicial resources, and increase overhead costs and liability for contracted parties. Contracted parties who are presented clear-cut evidence of illegality yet deny demands to reveal registrants can quickly lead to potential contributory liability. Worse yet, denial of bulk WHOIS access would immediately grind to a halt vitally important cybersecurity efforts, upon which all major social media platforms, online marketplaces, and other websites depend to identify and remove malicious content, false narratives which threaten democracy, and the sale of counterfeit or pirated goods, among other harmful activity. Overbroad removal of WHOIS service could also potentially fuel further political or even legal challenges to the IANA transition and even embolden possible new legislation aimed at intermediary accountability and liability for contracted parties and ICANN itself.

It is not too late for ICANN to make the necessary changes to its proposed interim model to address these concerns. Work on an accreditation system work must start right away, and in the absence of such a system by May 25, some form of self-certification must be recognized as an acceptable interim approach. Ultimately, ICANN’s model needs to ensure that accredited users, like fully licensed drivers, get to drive easily and quickly across all WHOIS roads instead of being presented with unexpected roadblocks. There is also the risk that registries and registrars might ignore ICANN, go their own route on compliance and decide that the easiest solution is to make WHOIS “go dark.” We are already starting to witness this with bulk access, where certain registrars are already unilaterally masking data and throttling the service, disrupting critical tools that promote the public interest in a safe, stable, and secure Internet. This could just be the beginning as contracted parties systematically choke off access to this vital database.

Thus, we urge all WHOIS users to immediately:

  • Contact ICANN (you can send comments by email to [email protected]) and participate in ongoing community discussions to reiterate these serious concerns, identify these and other critical uses of WHOIS, and explain the dire consequences from shutting off or significantly limiting access (there will be many opportunities to weigh in during the upcoming ICANN 61 meeting in Puerto Rico—the meeting schedule with participation details is available here);
  • Contact European DPAs to voice these concerns and ask for guidance regarding the appropriate balance between the privacy interests of domain name registrants and the critical needs of WHOIS users (a list of individual European DPAs and how to contact them is available here); and
  • Speak to GAC representatives and other governmental officials outside the ICANN community to raise awareness of these issues and make a call to action for political leaders, policymakers, and regulators to weigh in.

Detailed Concerns about ICANN’s Proposed Model

Under ICANN’s proposed model, those who query the public WHOIS would now only see a very limited subset of data, including the domain name registered, its creation and expiration data, the registrar, and name server. While these data elements are useful, critically important public WHOIS elements such as the registrant’s email address, city, or postal code would no longer be visible to users. Current bulk access also would no longer be supported. Many WHOIS users, including IP owners, anti-abuse teams and others, rely on bulk access and critical data to combat malware, phishing, consumer frauds, infringements and other online abuses. The data serves as a viable means for contactability, for service of process, and, perhaps most importantly, as unique identifiers through which domain name portfolios and other vital evidence of systematic abuse or bad faith can be ascertained.

ICANN proposes that the registrant’s email address would be replaced with either a public anonymized email address or a web form for contacting the registrant. The model also proposes possible publication of the Registry Registrant ID—a globally unique identifier assigned to all registrations made by a single registrant—but details on this are too minimal to fully understand its utility. These replacements for email address would just make it more difficult for WHOIS users to research, enforce and protect the public. Someone trying to contact the registrant using an anonymized email would not know if their email went through and would have no way of using the email address field to correlate infringements, frauds or crimes across different domain names. ICANN’s model also proposes stripping away the registrant’s city and postal code from the publicly accessible WHOIS data elements. City and postal code are vital pieces of information to identify the geographic location of the registrant and are need to identify an appropriate venue when filing a lawsuit.

Moreover, although ICANN says it will continue to require that registrars and registries ensure WHOIS data remains accurate, this requirement is essentially meaningless because the current WHOIS database is filled with large amounts of inaccurate data. In addition, publication of WHOIS data facilitates data accuracy by enabling third parties (parties other than the registrar and registrant) to identify inaccurate data and alert the registrar and/or ICANN, which in turn enables corrective measures to be taken. The more data that is non-public (i.e. behind ICANN’s proposed gate) the harder it will be to ensure data accuracy, as a greater burden falls to registrars to validate and verify data up front. The GDPR does not generally apply to data that is false, inaccurate or fictitious, and such data should be thoroughly screened out. Nonetheless, contracted parties appear to have no plans to change their practices with respect to improving the accuracy of registration data. Participants at a recent GDPR discussion hosted by the IPC and BC, however, heard that data controllers will be held responsible under the GDRP for the accuracy of their data. If registrars do not change their practices, we can expect to see a flood of complaints and challenges relating to inaccurate WHOIS data.

We are also concerned about the scope and timing of ICANN’s plan to figure out an accreditation model. ICANN has not taken ownership of figuring out accreditation but instead has punted the vast majority of the development process onto the Governmental Advisory Committee (GAC). It is not clear whether the GAC will agree to accept this significant responsibility, especially since its role at ICANN is largely advisory in nature. If the GAC refuses this responsibility, what will the backup plan be to develop an accreditation model? This obviously needs to be done quickly and developing any workable accreditation program will not be easy. As a starting point, ICANN proposes that individual GAC members provide a list of law enforcement authorities in their respective jurisdictions, and that such authorities would be given global access to all WHOIS data. It’s hard to imagine that this list could be developed quickly.

ICANN would also need to work with the GAC to identify which other third-party user groups would be eligible to access to the full WHOIS data (such as licensed attorneys representing intellectual property rights holders or cybersecurity professionals). The GAC would also need to assist or advise on developing codes of conduct for these user groups, and we would argue that codes of conduct should also apply to registries and registrars, as well as ICANN itself. Because it is unlikely that such a program would be ready by May 25 (the day GDPR enforcement kicks in), some have suggested the notion of “self-certification” as a temporary solution. Although businesses, IP owners and many other users of WHOIS strongly believe self-certification is a reasonable approach, other ICANN stakeholders have pushed back. European DPAs and global policymakers will need to clarify to ICANN that that self-certification is legal under the GDPR. Certain of the community proposed compliance models noted above also suggested self-certification approaches that should be examined more carefully. In addition, contracted party and IP and business stakeholders have previously discussed a possible hybrid that combines self-certification with some lightweight third-party credentialing as another possible interim approach until the community can devise a full accreditation scheme. Ultimately, any interim solution must ensure that everyone who needs robust WHOIS data has continued access without interruption.

We are also very concerned that bulk WHOIS access, currently provided through the port 43 protocol, may be going away entirely under the proposed compliance model. Bulk access is an essential tool that allows users to access and aggregate data in an automated fashion, then search across large data sets to enforce IP rights, fight against online fraud and abuses and perform important research, among other important purposes. Inexplicably, ICANN does not seem to recognize the vital importance of bulk access or require that its contracted parties continue to provide this service as part of the proposed compliance model. It is quite alarming that some registrars are already inappropriately masking port 43 data elements and throttling or shutting off access to these critical bulk access search services. With respect to the ICANN-proposed model to comply with the GDPR, this means that even for those who overcome every hurdle to become accredited, the WHOIS data they receive after passing through the gate will neither be quick, easy or effectively searchable as it is today. At a minimum, ICANN must clarify that registrars will still be required to provide bulk access to accredited third parties for all WHOIS data, and that third party service providers will be able to provide searchable and historical WHOIS data even if registries and registrars do not provide such services directly.

The proposed territorial and material scope of ICANN’s model raises additional red flags. Although the GDPR comes out of the EU and arguably only applies to registries and registrars with a data processing nexus to the European Economic Area (EEA) (and only to data of natural vs. legal persons), ICANN leaves the door open to every registrar and registry adopting its model and applying it across the board to all domain name registrations. ICANN’s approach invites over-compliance with the GDPR. As a result, each registrar and registry could well be in a race to the bottom to shut off access to WHOIS in order to avoid putting itself at a perceived competitive disadvantage.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Brian Winterfeldt, Founder and Principal at Winterfeldt IP Group

Filed Under

Comments

Registrant ID's: This is actually how the Charles Christopher  –  Mar 7, 2018 3:13 AM

Registrant ID’s:

This is actually how the thick EPP registry backend is designed, however many registrars do not use “contact objects” this way and thus the concept does not work. In fact one registry recently cleaned up their backend database to rid itself of all the unused objects (think “unique IDs”). ICANN could try to force registrars to use the contact objects in this way, but if I as a registrant want say a home address on a personal domain and a business address on a business domain then there will be two contact objects and thus two unique IDs even though I am the same person. In another example I help manage the domains of a couple of not-for-profits who’s employees have little clue about domain names, so I am listed even though I have no legal involvement in those organizations (I have strong friendships with those who manage them) - Does this mean their whois is wrong or right? ..... Perhaps this is why ICANN’s description is vague, the pieces are in fact there right now, and are technically seductive, but in the real world it just doesn’t not work.

The “registrant ID” is to the contact object as the “domain registration ID” is to the domain name.

self-certification:

I have always wondered why companies with enormously valuable domain assists, and their own internal legal department, don’t bother to become registrars themselves. Here is one more reason to do so. Move your domains into your own registrar which is the safest way to control them, and then “pierce the gates” and have full access to everything you need.

Likewise those law firms serving the industry. Become a registrar and become that for which the entire system and its data must flow freely.

Law Enforcement, get together, setup a registrar, and share its access. A “self registrar”, especially one with no domains, is pretty trivial to manage, just have to pay ICANN its quarterly indulgences ... Hmmmm, I think there is a business opportunity here ...

Actually, that will not work. Greg Aaron  –  Mar 7, 2018 2:58 PM

Hello, Christopher. You suggested that law enforcement, IP attorneys, etc. simply become registrars and then they would have access to "everything they need" (e.g. contact data) via EPP. Unfortunately that will not work due to some technical and policy decisions. First, many registries have chosen to show contact data to registrars via EPP only in two circumstances: if you are the sponsoring registrar of the domain or contact object being looked up, or if you have the auth code for the domains (so you can make a registrar-to-registrar transfer). If you're not the sponsoring registrar, you usually can't see contact data for EPP objects you don't already control. The second problem is that .COM and .NET are still thin registries. This means that for about 78% of gTLD domain names, the contact data's held at the registrars, where other registrars cannot query it via EPP. You are correct that currently, EPP contact IDs are useless for certain purposes because they are not re-used, and registrars tend to create new contact IDs for every domain. EPP was designed to allow that. Imposing a "one registrant, one EPP contact object" would be theoretically possible but a big policy and implementation job to move to.

>First, many registries have chosen to show Charles Christopher  –  Mar 7, 2018 5:07 PM

>First, many registries have chosen to show contact data >to registrars via EPP only in two circumstances: Would you mind sharing a list of a couple example TLDs? Also, Verisign is moving to thick registry implementation. If they implement sponsor/auth code access then yes, the door is blocked here. But not yet. When certain registries told registrars to stop using their public whois servers to obtain contact info and only use EPP, they started metering even registrar access to public who. As a registrar I pushed the registries on this pointing out examples of whois server data not matching EPP data and since the public uses the whois server this is more "authoritative" and thus a registrar MUST have unimpeded access to both. The registries removed registrar public whois metering. The inconstancies between these two sources remain, its not common, but it is there for many different reasons. The law of "Unintended Consequences", and lack of current certification process so close to the law, leaves me wondering if the registrar/registry community will sort this out on its own. For many years I have been vocally supporting PAID registry WHOWAS services, and that such services would likely bring them more revenue that domain registrations. Verisign does provide such a service, lacking contact info. A GDPR business case can easily be made that registry WHOWAS can be used to detect domain theft and a a tool supporting contact object verification details. Verisign is very clear about their current WHOWAS service being a PAID service, although the price remains $0.00 ... With GDPR you would need to be a registrar to have access to such a service, which you could in turn offer to law enforcement etc, thus creating a profitable service for registrars. I would also like to add that I to think whois should be unimpeded like the records of my home ownership /property records, without which I could not demonstrate ownership of my own home and thus protect myself. But the moment we allowed proxy whois, we all shot ourselves in the collective foot on this point. If proxy whois had not been allowed, and useless proxy contact data is what EPP contains as well as ICANN data escrow, then we'd all be an a much better position to fight this. Domain theft, for example, is going to increase dramatically from here on .... Which would in turn will support the offering of registry WHOWAS paid services, at a rate not equal $0.00. >where other registrars cannot query it via EPP. Internal to the ICANN RADAR system is the publishing of IPs a registrar uses to access other registrar's whois servers. This list is used to white list whois accesses within the registrar community to support domain transfers. With out it COM/NET transfer verification policy would be impossible to satisfy.

Verisign WHOWAS service:https://www.icann.org/en/system/files/files/verisign-whowas-01jul09-en.pdfht Charles Christopher  –  Mar 7, 2018 5:13 PM

Verisign WHOWAS service: https://www.icann.org/en/system/files/files/verisign-whowas-01jul09-en.pdf https://www.thedomains.com/2010/10/01/verisign-launches-its-who-was-historical-whois-service-domaintools-com-killer/ Trivial to add the contact objects as they move to a thick registry: https://www.icann.org/news/blog/thick-whois-transition-update

becoming their own registrar.... Frederick Felman  –  Mar 7, 2018 3:25 PM

Christopher - The idea of large companies becoming their own registrar is an interesting one and there are some brands executing on that idea. Companies like AppDetex have technologies and services that support companies that want to become their own registrar. - f

Every .Brand registry having its own registrar Phil Buckingham  –  Mar 9, 2018 12:50 AM

I agree Christopher , Fred. Surely this could work for each closed .brand Registry, since by its very nature second level registrations are internally generated and owned by that particular .brand company and its affiliates. Owning & controlling its own fully integrated registrar ,would enable the .brand to lock away its own registrant whois data. Am I missing some technical flaw here to stop this ?

>Am I missing some technical flaw here Charles Christopher  –  Mar 9, 2018 1:42 AM

>Am I missing some technical flaw here to stop this ? Nope :) As a registrar I would also point out some other details. Most problems with domain name registration involves the email account used to allow access to an admin account used to manage the domain name. Registries have a manual backend that in effect looks like an admin panel at a registrar. So there is no need for an EPP backend to manage a small number of domain names, you can just use the registry admin panel to mange your domains. Thus, there is no email account that can be exploited to gain access to a domain management account at a registrar. To the extent you secure your REGISTRY access your domain will be safe, and as a registrar you actually have many more options to do this than if you were a registrant of a registrar. Remember, as a registrar you have a direct contract with the registry, not some registrant TOS that says your registrar can do anything they want, at any time, without notice to you. The level of service, and contractual obligation, is orders of magnitude beyond that of being a registrar customer. The domain registrar industry makes it appear that domains require some special step at the registry to be renewed. This is not true. Registrars do not delete domains, only registrars do. Thus registrar never "renew" domains, they only delete them. This is an esoteric point, but is it important to understand. Lets say .COM renewal fee is $10 at Verisign and does not change. If you fund your account with $1000 then, so long as you pay your ICANN fees, you could walk away from your relationship with Verisign for 100 years and the domain will still be there when your return. There are no EPP or human truncations required to maintain the registration in the registry, only an account balance to debit against. For a large corp funding that account for decades likely cost less that the paperwork to have someone actually do it. ICANN fees these days are about $6000 per year, or $500 per month. Very cheap insurance. Without going into details, speak to your favorite domain name lawyer for details such as Stevan Lieberman or John Berryhill, being a self registrar renders many requirements of ICANN accreditation meaningless. In other words you are unlikely to ever sue yourself over your own domain registrations. And yet sometimes ICANN will demand documentation stating you promise not to sue yourself, or lie to yourself ... Their contract is just not written for self registrars, and fortunately does not impede doing so, much of it very nicely just falls away when you do. Except they parts where you have to declare you will treat yourself right! Perhaps the biggest tech hurdle is that a registry will require you to demonstrate EPP backend competency via an EPP on boarding test. So you have to have to actually interact with the registry through EPP to have and account setup, even though you will never use that access again. There are plenty of people in the industry, and I am one, who have done this for others to help them setup new registrars. John and Stevan can help with this, as they would just call on one of us for this step. And I think I would generally suggest using them to setup the registrar contracts as well, its such a bureaucratic process that its worth paying someone with the battle scars of having done it. Talk to them about pricing. People forget the days when most registrars were literally mom and pops working out of their homes. It is very sad that has been lost, it was very different to have a support call with the person who fed themselves and put the roof over the head with your reg fee. That was service! There are many self registrars like me doing the same today. But now when you open yourself up for retail registrations, the ICANN bureaucratic hell rains down on you. This is not an issue for a brand self registrar. Piece of cake, yum! :) - Charles

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix