In 2020, the ICANN Generic Name Supporting Organization (GNSO) Council approved a plan to revamp the WHOIS system as per the recommendations given by the ICANN Expedited Policy Development Process (EPDP). This plan directed ICANN to develop a centralized System for Standardized Access/Disclosure (SSAD) for WHOIS records.

After much debate regarding the suitability and cost of such a system, ICANN brought together a group, the EPDP Phase 2 Small Team, to review the SSAD ODA and recommend how to proceed with a more tightly focused project. This has resulted in an effort called the WHOIS Disclosure System.

While ICANN has offered several updates regarding the goals, status, and aggressive timeline for the WHOIS Disclosure System, there are still concerns regarding critical details that will influence whether this revised system will meet the needs of the community. Edgemoor Research Institute, a non-profit led by Dr. Stephen Crocker, has submitted the following questions to ICANN in advance of ICANN 75 in the hopes of improving the understanding and transparency around this project for potential users of this system.

A more detailed paper on the project and background is available here.

We appreciated the 2022-08-10 EPDP Phase 2 Small Team review of the SSAD ODA - Meeting #11.¹ We look forward to the presentations during the week of 12 Sept and on 17 Sept, as noted on slide 3 of the presentation.

Here are the assumptions and questions we have regarding the WHOIS Disclosure System. If any of the assumptions included here are wrong, we apologize and look forward to clarification.

1. The 17 Sept presentation will include “key features and system mockups.”

Will this information be sufficient for prospective requesters and responders to begin building their interfaces? If not, when will the details become available?

2. When will the system become available for use? In the transcript at 29:51, Chris Gift offered an estimate of the development time “between seven to nine months total time from when we get the green light to when it’s deployed and operational, including any testing that would happen in between.” Gift commented further that this assumes the feature set stays the same and that it also depends “on we’re given the green light to go.” Yuko Yokoyama then added “obviously resourcing is another [caveat]. [O]rg always [has] competing projects, so what Chris has mentioned, is that ... if this project were to be given 100% priority, so that the resources are dedicated.”

ICANN Org has put a great deal of energy into managing its priorities and allocating its development resources. We understand the plans are reviewed on a six-month cycle, and that this project will be considered in comparison with the other projects competing for resources. Based on this, can staff provide a best guess as to when work on this project will be initiated? (Presumably, the project will complete 7-9 months after initiation as described in previous reports.)

3. A key feature of the system will be the registration of both requesters and registrars. Presumably, the registration process will require both requesters and registrars to agree to various terms and conditions. A positive benefit of the registration is that registrars will know that all requesters have agreed to the terms and conditions. This may help the registrars decide which requests to respond to with the data requested.

When will these terms and conditions be available for the prospective requesters and registrars to review?

4. Slide 5 indicates the system will be modeled “off of CZDS.” The CZDS system not only accepts requests for access to zone data, it also delivers access to the zone data. However, we understand the WHOIS Disclosure System will not include delivery of the requested data or any other responses.

What is/are the intended method(s) for the registrars to deliver responses to the requesters?

5. One of the lessons learned from CZDS has been that the lack of response guidelines or requirements imposed on the data providers has resulted in community frustration when the data providers take longer to respond substantively than requesters anticipate. What should the community expectations be with regards to the responsiveness of data providers to provide a response either with data or a reason the data cannot be provided with this project? Will there be an effort to come up with community-agreed service level expectations for substantive responses?

6. As requesters and registrars gain experience with this system, they will naturally desire to share their experiences. Are there any mechanisms, forums, etc. anticipated to facilitate such sharing?

7. We understand under existing rules, requesters are permitted to make direct requests of registrars and that registrars are contractually required to accept and respond to such requests. What are the benefits to both requesters and registrars in using the WHOIS Disclosure system instead of making direct requests?

8. Will registrars be under the same obligation to review all requests directed to them through this system and provide some type of response?

9. Will registrars participating in the system receive email notifications, or will they have to log into the system to see requests in their queue? If the latter, how frequently will registrars be required to check for pending requests?

10. You’ve stated that registrars will have the option to dispose of those incoming requests within the system. Is that intended to be an optional feature?

11. What data retention period will be used for requests?

12. What data will be retained for requests?

13. As you’ve indicated that inconsistencies between what a registrar reports in the system and what they tell requesters are out of scope for this project, would those inconsistencies be considered contractual compliance concerns? If so, how will requesters be informed of potential remedies, e.g., failing complaints with contractual compliance?