Home / Blogs

The End of the Road: ICANN, Whois, and Regulation

There’s a well-documented crisis facing the domain name system: very few who rely on domain name registration data from the Whois database to perform vital functions can do so any longer, which is escalating consumer harm and abuse on the internet worldwide. And the problems, thanks to ICANN’s overly restrictive policy post-GDPR and a failing policy process, are piling up. The practical solution here is that ICANN Org now must step forward with meaningful Whois requirements (embodied in contracts and enforced by ICANN Compliance) that includes a workable data access model—and soon—or the rest of the world might do ICANN’s job for it and move legislative and regulatory solutions.

This is because ICANN’s current solution—the ongoing expedited policy development process (EPDP)—has failed to make progress and is unlikely to be the answer. Mired in minutia, the EPDP working group is progressing much slower than expected and governments (including the European Commission itself) are increasingly signaling their growing impatience with no access solution. The latest salvo, from the G7 Lyon-Roma Group’s 21 June letter, called on ICANN to act quickly to implement a unified access solution for third parties with legitimate purposes. ICANN should be prepared to act quickly when, by its Montreal meeting in November, its EPDP working group doesn’t produce a model—or be prepared to be rendered moot by legislation that, in some cases, is already being proposed.

Specifically, ICANN left to its EPDP working group the public interest issues the G7 Lyon-Roma Group and many others raised over the last few years—repeatedly turning away opportunities to address these issues head on. The EPDP’s first phase of policy development on Whois and GDPR failed to address this public interest, and the current phase of policy development work that’s under way—ostensibly to establish a predictable access and disclosure system for Whois data—has made no real progress over the past several months.

Meanwhile, the law enforcement, cybersecurity, consumer protection, intellectual property and other communities who rely on access to Whois for legitimate work continue to suffer in their efforts to protect users and combat bad actors. This is met with much indifference from registrars and registries who, during recent three day in person meetings in Los Angeles, seemed to ignore facts to the contrary and confuse a perception of not receiving reveal requests with no demand—when the fact is that there’s no productive or standard path for submitting those requests today.

The truth is, the situation is very dire for those seeking access to non-public WHOIS data for legitimate purposes that are entirely consistent with GDPR. I have spoken to several companies and attorneys who submit legitimate Whois requests (both in the EU and abroad). The commonly shared experience in frustratingly slow or non-existent replies is backed by data from numerous companies that have continually made data requests of registrars and registries for such purposes and are hearing (largely) silence in return. Whois requests for obviously infringing domain names (including those used for phishing attacks against consumers) for globally recognized brands have been unnecessarily denied.

The stats speak for themselves. From June 2018 to June 2019, brand protection providers made on behalf of numerous clients thousands of requests under lawful bases. The resulting numbers are disappointing:

  • 13,904 requests were made of 413 registrars and 35 registries.
  • Of those requests, the compliance rate hovered between 4% and 14%.
  • Further, of reported percentages by one provider:
    • 49.5%—nearly HALF—were outright ignored, with no response at all.
    • 5.75% generated an automatic reply, with no resulting follow-up.
    • A fifth—20.4%—were sent back with a legal citation for not providing the data.
    • 14.36% were returned with a requirement for additional action (e.g., send by snail mail).
    • 3.68% took irrelevant action (e.g., simply forwarded to the registrant without action).
    • A smattering, less than 1%, demanded payment for the data.

A learning curve might be expected from contracted parties when coming up to speed on GDPR compliance, but we’ve been in the post-GDPR world now for over a year, and one can’t excuse a real issue when requests are outright ignored. Requestors are met often with replies such as: “Send a subpoena” or “File a UDRP” or even “Don’t contact us again.” A learning curve is one thing—outright antipathy is another.

As predicted by experts, investigatory capability immediately waned the moment ICANN and contracted parties threw the Whois “off switch” in May 2018—something confirmed by law enforcement officials, who warn that “the internet has become less safe because of an overly conservative interpretation of the GDPR by the ICANN community.” This as cybersecurity experts around the world document the rapid increase in cybercrime:

It is clear then that the longer ICANN dawdles the more damage will ensue and the more impatient everyone will get. On the governmental side the United States, including the U.S. Congress, is paying attention. In a strongly worded May 2019 letter to then NTIA administrator David Redl, Senate Commerce Committee chairman Roger Wicker wrote: Absent a meaningful resolution to [these] issues, Federal legislation guaranteeing access to WHOIS data may be warranted.

Discussions also are under way within the European Commission with far reaching implications for the domain name industry. For example, a leaked concept paper of a proposed Digital Service Act to revamp the eCommerce Directive shows that the European Commission is exploring intermediary liability concepts for registries and registrars, and rules for public interest data sets.

ICANN is now faced with the political reality that it has failed to protect the public interest, failed to coordinate this aspect of the DNS, and needs to act swiftly or face further regulation. Governments in particular—advocates of some level of Whois access—have shown that they are not in the mood for games and may soon pass regulation if they don’t see results. This frustration was on full display in ICANN’s recent L.A. EPDP meeting, where a government representative made clear her constituents in Washington are looking for answers and expect them by the Montreal ICANN meeting.

Frustration is boiling over. ICANN Org simply must step up to the plate and establish workable registration data access requirements. If not, based on the continued heel-dragging within ICANN policy work on Whois, this road ends at the imposing doors of discontented governments, who are watching carefully—and with pens in hand.

By Fabricio Vayra, Partner at Perkins Coie LLP

Filed Under


Progress is being made Volker Greimann  –  Sep 26, 2019 8:21 AM

You conveniently seem to ignore the progress that is being made by the EPDP that is working on just such a solution and progress would have been much faster if all sides had concentrated from the start on developing a workable, legal and feasible disclosure regime instead of continuing to fight battles over worthless hills.
I daresay that we might even be much further along if certain issues that had been known by all parties that they would never find consensus had not been endlessly argued, wasting everyones time and making you wait longer for a disclosure system that serves everyone.
Attempts to first agree on the low-hanging fruit of lawful access by law enforcement agencies have been blocked by FOMO of other parties desiring such access. Otherwise access models for law enforcement of appropriate jurisdiction could already be up and running.
As for the volumes of unanswered or denied disclosure requests, 80-90% of the above disclosure requests came from one requestor, who coincidentally tends to send its sorely deficient requests in bulk just before ICANN meetings and who then tends to present its statistics at the meetings to make a point.
The current environment is a learning curve for all involved parties and some requesters need to recognize that their requests also need to meet certain standards. Automatically generated requests that do not specifically point to a specific violation by the generation and instead relies on general statements that are the same for every request tend not to meet the balancing test the data controller needs to make. Simply claiming that parts of a domain name are similar to one trademark from a list of ten or ask the controller to make further investigations to check whether a violation is present are not sufficient evidence of a concrete legitimate interest of the requester. And no, “Instax” is not in and of itself a violation of the trademark rights in “Instagram”, “Whatsapp”, “Facebook”, etc, so just sending a request that is solely based on the similarity in words is not usually going to cut it unless the violation is obvious.
We want to be able to help and provide disclosure to legitimate requestorsad we want to conclude the work on the EPDP as fast as possible to ensure a reliable disclosure framework that works for all affected parties, but it is time to put away the spin and the wishlists and get to work on the essentials.

"Legitimate access" Karl Auerbach  –  Oct 1, 2019 9:28 PM

I would challenge the assertion that “Meanwhile, the law enforcement, cybersecurity, consumer protection, intellectual property and other communities who rely on access to Whois for legitimate work”

In order to be “legitimate” one must first make an accusation that some wrong has occurred.  And to make a valid accusation one must have at least some concrete evidence to support a belief that the accused has done a specific, identifiable wrong and that the accused is the likely perpetrator.

I use the word “accusation” here intentionally.  Mere curiosity ought insufficient to allow access to whois data.  The communities that you mention - law enforcement, cybersecurity, consumer protection, intellectual property, etc - are all acting on the basis that they believe that someone has done something wrong, which is an accusation.

Law enforcement bodies (in the US at least) have long been required to be able to articulate concrete facts to support their accusations.  Why should they be absolved of that standard when digging into what is otherwise private information?  Why should they not have to go through same procedures of warrant or subpoena that they would have to go through to invade any other form of records?

Same for the self-appointed people who go after the evils of spam (and worse).

If someone who wants whois access can not even come up with the basic information needed to support an accusation then that person ought to not have access.

The first line of Kafka’s book “The Trial” begins with the sentence “Someone must have been telling lies about Josef K., he knew he had done nothing wrong but, one morning, he was arrested.”

In other words his accusers and accusation were secret.

We all know that that that kind of secret proceeding is wrong.

But in the case of WHOIS data, this kind of secret and anonymous accusation is the norm.  And with WHOIS it is worse because the private data is instantly revealed without limitation, potentially harming the data subject, without that person ever learning of the accusation, the identity of the accuser.  Nor is that person given an opportunity to rebut or even know what data was taken.

It is no wonder that privacy protecting registrations are now very popular.  I know that a large portion of the email and telephone junk that I receive is the result of data mining of the Whois data.

So it seems right and proper to require that those who wish to inspect whois data should have to reveal their identity, their purpose, and the evidence to indicate that they have a real foundation for violating privacy.

In addition, a record of whois access, and the supporting reasons and identities of the accessors, should be recorded and periodically published to the world so that we can see who are potential abusers of whois access.

As one of the largest registrars in Reg Levy  –  Oct 2, 2019 5:04 PM

As one of the largest registrars in the world, Tucows is uniquely positioned to identify trends in requests for disclosure of non-public personal data associated with gTLD domains. We have posted these data and obvious trends, which speak for themselves, and will provide an update in advance of ICANN 66.

Since August, more than a year after the initial barrage of demands for open access to personal data, when we began to reasonably request information sufficient to perform an evaluation of the legitimacy of the requests, we have finally begun to see some of the high-volume requesters submit correctly-formulated requests for exposure of personal data. (Smaller requestors were faster to adjust and have been successfully requesting and receiving personal data for some time.)

We continue to see a high volume of duplicate requests, including requests for data we have already disclosed or have disclosed to another party purporting to represent the same interest.

We have seen a recent increase in requests for access to our entire registration database without any attempt to demonstrate legitimate interest.

We note that some high-volume requestors still fail to provide sufficient information to allow us to expose personal data to them; others provide sufficient information for some requests but not for others.

These trends in the requests we have received speak to a pervasive culture of entitlement to disclosure of personal data, in stark contrast to worldwide regulatory advances to data privacy.

We invite anyone who shares Mr. Vayra’s views to ensure that their requests for access to personal data follow the RrSG’s recommended Minimum Required Information for a Whois Data Request. This is a voluntary format, meaning that some registrars may request additional information, but it is a good starting point for a party seeking disclosure of personal data.

Reg, with all due respect, Tucows has Derek  –  Oct 3, 2019 10:12 PM

Reg, with all due respect, Tucows has become part of a problem in various types of fraud, much of it preventable. We cheered when Enom became part of Tucows, however it was premature. While I'm the first one to respect privacy, I'm also the first one to call out BS when fake domain registrations are abused in orchestrated online fraud to deprive consumers of such privacy, even set them up for blackmail. Or impersonate governments or corporations while shutting down small businesses in procurement fraud etc. Ex: AFPUMSNVALVES[.]COM - follows back on a spate of fraud of which UDRP D2017-1963 formed part. Incidentally this bigger issue is now hitting the EU. It's easy saying these things, proving it is core. I can prove it. However Tucows adopted an obvious self-blinding attitude and gaming to these issues, which them unapproachable. Likewise saying get a court order when a victim is left penniless in a remote country. Who pays for it? Get the cops involved? Cops don't take instructions from ordinary people. Some countries don't even have a cyber security policy. Much less cyber crime stats. In fact I know some cops rather spend time drinking wine than talking about things they should be when talking with their international peers. It's easy passing the privacy buck while consumers pay the price. Why does Tucows not adhere to the ICANN WHOIS Accuracy Spec? Why does Tucows now use the GDPR to absolve themselves from responsibility for fake registrations now hidden. Consider the "legality" of selling forged Canadian passports and currency, since Tucows is Canadian, vs fastdocuments24hrs[.]com and it's sponsoring registrar. Just one of many: https://blog.aa419.org/2019/02/04/what-protection-does-icann-offer-the-consumer/ I'm sorry if I sincerely say I see all this ICANN GDPR talk as grandstanding to evade responsibility while profiting, but that's the way it's panning out. I even had to drag somebody senior from ICANN into communications with Tucows at a stage, who had to explain your WHOIS accuracy commitments. Ironically that is also what was communicated to the EU regulators, ICANN requires and adhere to the accuracy principals, a myth at Tucows. Once again saying stuff is easy. I have evidence. As for saying "... report to ICANN" if we feel strongly about it? ICANN protects registrars. Even now we are waiting more than a year on obvious issues of policy violation. Why does ibbtb[.]com play into DNS abuse? How does it play into BEC as described the last few years, the romance scam victim part. In fact, why is it being used for a website that is stolen from Bank of Ireland ~ 10 years ago? Why would a "French Bank" suddenly use a South African reseller? Is it only the right of the Bank of Ireland to complain about it? But it's not a UDRP issue. Report it to the authorities? Why, even the authorities are being spoofed to give it credibility. sa-ncrauthority[.]co[.]za - Ouch! Incidentally I presented on this little associated "nest" to parties in the ITSec community. For the meaning of "nest", contact LE at the Edmonton Police Service. They also published an article on it somewhere. There is an old saying: You can lead a horse to the water but you can't make it drink. What is GAC saying? Atm many registrars are undermining the original spirit of the internet, opening the door for regulatory action. This will not bode well for the internet. You have my email on record if you want to take this issue offline.

DNS is not the issue - rather there is a gap in the internet architecture Karl Auerbach  –  Oct 3, 2019 11:22 PM

I (and I think everyone) does not disagree that there is a lot of evil gunk on the net. However, because we are familiar with DNS via ICANN, we tend to fall into the old "when all you have is a hammer everything looks like a nail" situation. I believe that DNS is the wrong nail in this situation. Way back in the 1970s I did a lot of network and operating system security work for one of those unmentionable three letter agencies. Unfortunately, we were constrained from publishing our work. One thing that we did note was that there is a gap in the internet architecture - there is no coherent system of doing mutual identification *and* authentication. Logically that layer would go between IP and TCP/UDP. Such a layer would allow communication only after *both* sides had identified themselves and those identities had been proven to the other side's satisfaction. (Of course that kind of thing tends to imply singular system of identities and authenticators, a thing that runs against the instincts of many in the tech community who lean towards libertarian principles.) DNS has gotten the wrong reputation that it is somehow an "authoritative" directory system when it is merely a hinting system. DNS responses ought to be viewed as hints that say "I think you should try this location, but I'm not making any guarantees that it is what you think it is." That latter would be left to a mutual identification/authentication layer, but in today's internet there is no such layer or, at most, a one-way check of TLS certificates (mostly leading back to EFF's Let's Encrypt.) Burdening DNS would be a short term band-aide. DNS is slowly sinking out of the view of most internet users. In the internet of the future there will be a decrease in the times that users utter DNS names and an increase in the times that users utter application-context sensitive names, like Twitter or Facebook names. DNS will still be there, but it will become internal machinery, unseen by many human users. I have a note on this topic at Domain Names Are Fading From User View

That RrSG recommendation looks pretty good Karl Auerbach  –  Oct 2, 2019 7:47 PM

@Reg Levy - I appreciate TuCows analysis of “data and obvious trends”.  It is an interesting contrast to some of the possibly hyperbolic claims made by those who demand unfettered access.

And that RrSG recommendation looks pretty good.  I think it could use some re-writing (some of the sentences are a bit odd) and that some of the requirements could be expanded (such as requiring that data revealed be used only in relation to the accusations being made, and not further transferred or retained.)  In all, it is a significant improvement over the status quo ante.

One question: Is there any revelation to the data subject of these requests either when the request is made or if access is granted?

Disclosure to the data subject is not Reg Levy  –  Oct 3, 2019 9:43 PM

Disclosure to the data subject is not currently automatic and some requests include a request not to inform; these requests must be evaluated separately.

"watching carefully — and with pens in hand..." John Berryhill  –  Nov 8, 2019 2:21 PM

...to sign employment contracts with registrars and registries, like the NTIA representative un-named in your exaggerated description of what she said during the meeting in question (Ms. Heineman) who is now working for GoDaddy.

The “government will do our bidding” battle cry is one of the oldest ICANN tropes.  You can pretend that GDPR did not emerge from “the imposing doors of government” all you would like, but people who urge “trust me instead of democratic processes” are generally ones who need watching.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com


Sponsored byVerisign

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix