|
Last fall, I wrote about ICANN’s failed effort to achieve its goal of preserving the Whois domain name registration directory to the fullest extent possible. I predicted that if the policy effort failed, governments would take up the legislative pen in order to fulfill the long-ignored needs of those combating domain name system harms. That forecast has now come true through significant regulatory actions in the United States and the European Union in the form of a proposed directive from the European Commission (EC) and instruction from the US Congress to the National Telecommunications and Information Administration (NTIA).
ICANN Org now faces a stark choice: recoil and be a standby witness to what unfolds, or recognize that these further shots across its bow require it to boldly act. This means replacing the weak expedited policy development process (EPDP) team proposals and related implementation with robust requirements that track the EU’s proposed 2.0 version of its Directive on Security of Network and Information Systems (“NIS2 Directive”), redirecting community efforts toward a centralized global access model for Whois that so many have been asking ICANN to develop, and revamping the accuracy requirements for Whois.
The alternative is that ICANN will find itself in the back seat in terms of who really gets to make Whois policy.
The developments have come quickly on both sides of the Atlantic.
Starting in Europe, the EC, following a re-examination of critical components of the General Data Protection Regulation (GDPR), now demands continued public access to Whois through a portion of the proposed NIS2 Directive. Specifically, the NIS2 Directive confirms the validity of the Whois database for legitimate purposes, ensures the ongoing collection of data, and mandates its accuracy.
The proposed directive further contains a very detailed set of instructions that deal almost exclusively with the areas of ICANN policymaking failure. In fact, it demands action in the areas all but ignored by the EPDP team output but flagged by the broader ICANN community as woefully inadequate. Specifically:
The directive prescribes, in particular, that registries and registrars publish non-personal registration data and provide expeditious access for legitimate purposes.
It’s clear that these legislative proposals are intended to resolve the problems created by misapplication of the GDPR by the ICANN community.
In the United States, end-of-year congressional action brought similar emphasis on Whois.
Specifically, as part of a governmental funding bill, US lawmakers set their sights on fixing the Whois issue, at least in their jurisdiction. Providing reasoning for their requests in a joint explanatory statement, members of Congress tell the NTIA (which sends the US representative to ICANN’s Governmental Advisory Committee) how they expect them to act in exchange for departmental funding—namely, NTIA is directed to work with the GAC to expedite a Whois access model, and is encouraged to require US-based registries and registrars to collect and make public accurate registration data.
ICANN observer Greg Thomas, in a recent blog posting, reinforces the importance and possible impact of this congressional language, writing:
With this report language, Congress is clearly signaling that it is running out of patience with the lack of a mechanism for law enforcement, IP owners and others needing access to registrant identifier information for legitimate purposes such as criminal investigations and protecting rights online.
Even the author of ICANN’s blog post, compliance chief Jamie Hedlund, acknowledges that Congress may look to more aggressive measures if the community can’t produce more effectively than it has. Lack of a credible access model from ICANN means that NTIA will have a hard time defending the ICANN model before Congress when it’s time to decide who ultimately makes domain name policy.
Thus far, ICANN Org has not yet taken this move from Congress as a positive and empowering call to action but has instead made an attempt to explain away at least part of this request, saying that the word encouraged is aspirational and not a mandate in terms of what might be required of registries and registrars. It’s wishful thinking on ICANN’s part. However, ICANN Org would be wise not to bank on semantics in the face of growing governmental frustration from both the US and Europe, which may lead to even stricter regulatory requirements should ICANN ignore these warnings.
ICANN and its policymaking apparatus very much need a course correction on the issue of Whois. “Sooner or later” seems to be finally here, as the warning shots are beginning to look increasingly like governments taking up pen in very specific ways that will direct Whois policy.
This leaves the ICANN Board with no option other than to clearly reject the currently proposed access model—it’s wholly insufficient, anyway—and direct ICANN Org to cease implementation on EPDP team recommendations while it better understands the potential impact of these EC and US Congressional developments. Doing otherwise is to blindly careen down paths that likely lead to conflict with US and EC directives on Whois, and further stretches an already stressed and exhausted ICANN community.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byCSC
Sponsored byVerisign
Sponsored byIPv4.Global
For .COM domain names, we already have a working, free and fully accessible to everyone in the world (via internet connection and web browser), GDPR-compliant centralized model for accessing .COM domain name registration data:
Step 1: go to https://lookup.icann.org/ and enter the .COM domain name (e.g., “eff.com”) and click “LOOKUP”
Step 2: Read the information given. Need more information? Contact the registrar whose name and contact information was given as a result of completing Step 1 above.
If it ain’t broke, don’t fix it. More info here.
A simple search for domain names like verisign.com or icann.org or go daddy.com (and others) make it plain how broken and useless the lookup tool is. IMO whoever decided lookup.icann.org was was ready for general availability and in a state to replace the old whois.icann.org (and whois.internic.net) should be fired. It is clear that not even the basic level of manual testing has taken place by ICANN and many registrars and registries. Sad....but par for the course.
The lookup tool is not
broken Alex. It does the one thing that ICANN is competent to do, it provides the world with the key contact information for every registered gTLD domain name (including .COM domain names) in existence: the name and contact information of the respective ICANN-accredited Registrar which holds ALL of the registration data (including information NOT required by ICANN). It may be better for each Registrar to have a URL listed e.g., lookup.godaddy.com, in addition to, or instead of a telephone number and email address, in order to cope with a large volume of inquiries in this new era of data privacy. I expect large registrars such as GoDaddy will quickly adapt and build batch tools to quickly process, in different ways, inquiries which originate from law enforcement and other governmental entities, trademark counsel and other attorneys, and the general public.
Understood. But we (well I at least) do not live in some alternate reality where some Bizarro-ICANN has set policy for their Bizarro-WHOIS system that only requires the contact info for the registrar to be returned in response to a query. The "real-world" ICANN requires registrant data to be collected and returned per policy defined in the Temp Spec, Phase 1 Policy and others. A very simple review of responses returned by lookup.icann.org confirms it is broken and thus useless as a RDS lookup tool.