ICANN has once again acceded to the wants of contracted parties and is at risk of abdicating its duty to act in the global public interest when it comes to WHOIS policy. Its inability or unwillingness to date to reign in bad WHOIS policy, driven by contracted party interests, flies in the face of its previously-expressed policy goal “to ensure the continued availability of WHOIS to the greatest extent possible while maintaining the security and stability of the Internet’s system of unique identifiers.” The latest WHOIS policy outcomes should be rejected because they fail to achieve this goal, to the detriment of public safety.

This failure is evident from the latest recommendations from the “Expedited” Policy Development Process (EPDP) on WHOIS—which contain no changes to the ineffectual status quo, and do not require registries and registrars to do anything. Instead, they merely propose the development of a new WHOIS data field to flag whether a domain registrant is a natural or legal person. The flag, even if developed, would be completely voluntary to implement by registries and registrars—and they have no incentive to do so.

Unfortunately, there is no recommendation mandating a distinction between natural and legal person data in the processing of domain registration data (including requiring publication of non-personal legal entity data in WHOIS), even though GDPR only applies to natural person data. There is also no recommendation to publish a pseudonymized registrant email address in WHOIS, which would hugely aid anti-abuse efforts that serve the public interest in maintaining a secure and healthy DNS by improving registrant contactability. Having a pseudonymized email field would also enable the correlation of multiple domains tied to the same registrant email—for instance, to identify large networks of domains used for phishing or other malicious attacks. The benefits of these changes would far outweigh the risk to registries and registrars. And yet, we get nothing.

The only other recommendations are for entirely voluntary measures and guidance on how a contracted party could distinguish between natural and legal persons if they wanted to. Again, they have no incentive to voluntarily distinguish. The impotent report ultimately misses the entire point of ICANN policy development—to create binding, enforceable, and uniform standards for registries and registrars to ensure the security and stability of the global DNS, including through a robust WHOIS system that is critical for law enforcement and cybersecurity efforts. This is not an outcome that ICANN stakeholders should accept.

It’s no wonder, then, that nearly every participant in the process filed minority statements (remind me how this is a “minority”) objecting to the outcome: see Annex D. This continues a long line of opposition to WHOIS policy development at ICANN dating back to 2018 when ICANN scrambled to drastically minimize available WHOIS data ostensibly to comply (really overcomply) with the GDPR, which went into effect at the time (see the minority statements included here and here as part of earlier phases of work).

Instead, the efforts within ICANN by businesses, IP owners, government and law enforcement representatives, and cybersecurity professionals to restore the public availability of key WHOIS data and develop a meaningful system of access to non-public data have been overwhelmingly ignored. While we completely appreciate the need for compromise within the multi-stakeholder model, when nearly every group of stakeholders aside from contracted parties is not on board, it is farcical to call the outcomes “consensus.” Yet this is precisely what has been done at each stage of WHOIS policy development since 2018—including with respect to the most recent recommendations from the EPDP.

We want the ICANN process to work—but right now, at least where WHOIS is concerned, it is not working for a vast swath of the community. ICANN must acknowledge that it is not a trade association for contracted parties and remember its responsibility to act in the global public interest. It still has a chance to right the ship. The security and well-being of the DNS—and the billions of users that depend on it—is at stake.