After years of work on a proposed standardized system of WHOIS data disclosures (referred to as SSAD), and over a year of operational assessment of the proposal by ICANN itself, the ICANN Board seems poised to reject the proposal. And rightly so. The proposed SSAD is entirely watered down, fractured, and affords no oversight powers to ICANN regarding disclosure decisions that would continue to be left to the complete discretion of individual registrars (the very parties ICANN oversees). As we said before, the Board must reject this initial effort and remand back to the community for additional work.

Background

ICANN itself created the need for an SSAD when it passed policy that significantly over-complies with the requirements of GDPR to the detriment of Internet security. For instance, basic tenets of the GDPR were ignored in ICANN’s policies, such as the distinction between personal data and non-personal data, allowing registrars to treat all data the same and redact nearly everything once found in the ownership records for domain names. ICANN has refused to give due consideration to less restrictive measures to strike a better balance between registrant rights and anti-abuse efforts.

Nonetheless, the damage was done, and the community had the task of developing an access system for non-public data. It failed. The current proposal utterly ignored calls from governments and law enforcement, cybersecurity experts, IP owners and other business stakeholders for a more balanced and unified system. Whois users critical to maintaining a safe Internet ecosystem were simply overruled by registry and registrar interests, with ICANN playing a hands off approach rather than the oversight role it is chartered with in the first instance.

Shortcomings of SSAD

The proposed SSAD falls short in numerous ways, which have been recounted at length in the seven minority statements filed on the final report and in various commentary since its release. These include:

• No harmonized disclosure system resulting in no uniformity or predictability of disclosure decisions;
• No enforceable standards or oversight mechanisms afforded to ICANN;
• No adequate mechanisms to address consumer protection and consumer trust concerns;
• No mechanism to evolve the system in response to increased legal clarity on GDPR and other privacy regulations over time; and
• Disproportionate costs allayed on users of the system, which may include public interest and municipal organizations.

Next Steps for ICANN

In December 2021, ICANN announced that it had finished its assessment and potential design for the proposed SSAD, which it recently delivered to the Board earlier this month. Unsurprisingly, the bottom line of the assessment is that the costs and level of effort required to implement the SSAD in its current form would outweigh its benefits to intended users. Specifically, this assessment estimated an absurd cost of $20-$27 million to develop the SSAD over a 3-4 year timeline, and an effectively useless “estimate” of $14-$107 million for annual ongoing operations thereafter with a variety of variables impacting the estimate (notably, the expected number of SSAD users). This for a system that ICANN’s own CEO recently confirmed was no more than a ticketing system—which we all recognize would do little to change the likelihood of access to data needed for thwarting DNS abuse issues.

After all of this, it’s hard to argue that the SSAD is fit for purpose. As we’ve been saying since this proposal was first delivered, the Board must reject it and send it back to the community for further work—the Board would surely be violating its fiduciary obligations and its obligations to act in the global public interest were it to approve the current proposal. Any other outcome would make clear that the ICANN multi-stakeholder model has failed on this fundamental issue.