Home / Blogs

ICANN SSAD Proposal Poised to Fail?

After years of work on a proposed standardized system of WHOIS data disclosures (referred to as SSAD), and over a year of operational assessment of the proposal by ICANN itself, the ICANN Board seems poised to reject the proposal. And rightly so. The proposed SSAD is entirely watered down, fractured, and affords no oversight powers to ICANN regarding disclosure decisions that would continue to be left to the complete discretion of individual registrars (the very parties ICANN oversees). As we said before, the Board must reject this initial effort and remand back to the community for additional work.


ICANN itself created the need for an SSAD when it passed policy that significantly over-complies with the requirements of GDPR to the detriment of Internet security. For instance, basic tenets of the GDPR were ignored in ICANN’s policies, such as the distinction between personal data and non-personal data, allowing registrars to treat all data the same and redact nearly everything once found in the ownership records for domain names. ICANN has refused to give due consideration to less restrictive measures to strike a better balance between registrant rights and anti-abuse efforts.

Nonetheless, the damage was done, and the community had the task of developing an access system for non-public data. It failed. The current proposal utterly ignored calls from governments and law enforcement, cybersecurity experts, IP owners and other business stakeholders for a more balanced and unified system. Whois users critical to maintaining a safe Internet ecosystem were simply overruled by registry and registrar interests, with ICANN playing a hands off approach rather than the oversight role it is chartered with in the first instance.

Shortcomings of SSAD

The proposed SSAD falls short in numerous ways, which have been recounted at length in the seven minority statements filed on the final report and in various commentary since its release. These include:

  • No harmonized disclosure system resulting in no uniformity or predictability of disclosure decisions;
  • No enforceable standards or oversight mechanisms afforded to ICANN;
  • No adequate mechanisms to address consumer protection and consumer trust concerns;
  • No mechanism to evolve the system in response to increased legal clarity on GDPR and other privacy regulations over time; and
  • Disproportionate costs allayed on users of the system, which may include public interest and municipal organizations.

Next Steps for ICANN

In December 2021, ICANN announced that it had finished its assessment and potential design for the proposed SSAD, which it recently delivered to the Board earlier this month. Unsurprisingly, the bottom line of the assessment is that the costs and level of effort required to implement the SSAD in its current form would outweigh its benefits to intended users. Specifically, this assessment estimated an absurd cost of $20-$27 million to develop the SSAD over a 3-4 year timeline, and an effectively useless “estimate” of $14-$107 million for annual ongoing operations thereafter with a variety of variables impacting the estimate (notably, the expected number of SSAD users). This for a system that ICANN’s own CEO recently confirmed was no more than a ticketing system—which we all recognize would do little to change the likelihood of access to data needed for thwarting DNS abuse issues.

After all of this, it’s hard to argue that the SSAD is fit for purpose. As we’ve been saying since this proposal was first delivered, the Board must reject it and send it back to the community for further work—the Board would surely be violating its fiduciary obligations and its obligations to act in the global public interest were it to approve the current proposal. Any other outcome would make clear that the ICANN multi-stakeholder model has failed on this fundamental issue.

By Fabricio Vayra, Partner at Perkins Coie LLP

Filed Under


So sad… but an appropriate acronym Frederick Felman  –  Mar 1, 2022 2:22 PM

It’s an appropriate acronym for a system that’s taken this long to be conceived, is still not implemented, and even when it is, it will be useless.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC