The recent adoption at the end of December of the new EU Directive for a high level of cybersecurity across the Union—commonly referred to as “NIS2”—paved the way for important updates to the domain name system (DNS). Most significantly, Article 28 of NIS2 and its related recitals resolved any ambiguities about the public interest served by a robust and objectively accurate WHOIS system that permits legitimate access by third parties to data, including personal data, and the legal basis under the EU General Data Protection Regulation (“GDPR”) that supports such a system.
By mandating that all registrars AND registries hold complete and accurate databases of domain name registration information (known as “thick WHOIS”), NIS2 requires ICANN to finally complete implementation of the long-delayed Thick WHOIS Transition Policy. ICANN should recognize the importance of the consensus thick WHOIS policy, acknowledge that no legitimate obstacles prevent its complete implementation, and move immediately to implement and require thick WHOIS for all gTLD domain name registries.
For many months, European Union (EU) authorities have labored on NIS2 not only to bolster cybersecurity, but also to make important clarifications to the now more than four-year-old GDPR as it applies to WHOIS.
In addition to requiring verification and accuracy of WHOIS data and creating a mandate for timely responses to access requests, NIS2 clearly obliges both domain name registries and registrars to maintain thick sets of WHOIS data. When implementation of the GDPR darkened the WHOIS system in 2018, it not only left security authorities scrambling, but also prompted some to make the argument that thick data was no longer necessary or possibly even permitted. But EU policy makers have clearly recognized the importance of thick WHOIS and the ability of legitimate access seekers to obtain full WHOIS data from registries—a much smaller number of entities—as well as from registrars. As just one example, the .COM gTLD is administered by a single registry (as are all TLDs), but is serviced by over 2,000 accredited registrars around the world.
Thick WHOIS is a consensus policy developed by the ICANN community and adopted by the ICANN Board of Directors in 2014. Nevertheless, the ICANN Board of Directors adopted resolutions permitting five deferrals of enforcement of thick WHOIS with respect to .COM, .NET and .JOBS. The last resolution, adopted in November 2019, set no specific timeline for ending the deferral.
In light of the GDPR, ICANN adopted a Temporary Specification on WHOIS in 2018 and launched an expedited policy development process (“EPDP”). When Phase 1 of the EPDP concluded, the ICANN Board resolved to confirm thick WHOIS as a policy, and specifically called for the EPDP Phase 2 work to determine whether that policy should be altered. The Phase 2 results, however, did not in fact identify the thick WHOIS policy as one requiring modification.
Unfortunately, this didn’t stop some from pursuing a back-door elimination of thick WHOIS, in contravention of standing policy, by trying to get the EPDP implementation team to say that the thick WHOIS policy had been “superseded” by the subsequent Registration Data Policy.
It appears that these delays and machinations encouraged EU policy makers to step in and require thick WHOIS via government regulation, which is precisely what NIS2, in part, was designed to do.
Within the sprawling context of the NIS2 directive, EU policymakers carefully crafted detailed language to set forth requirements for an accurate and robust WHOIS system to contribute to the safety and security of the DNS and the internet overall. The final NIS2 text, officially published on December 27, 2022, requires thick WHOIS.
Specifically, Article 28 says (emphasis added):
“For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.”
Further refining the WHOIS requirement, Recital 109 states (emphasis added):
“Maintaining accurate and complete databases of domain name registration data (WHOIS data) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity across the Union. For that specific purpose, TLD name registries and entities providing domain name registration services should be required to process certain data necessary to achieve that purpose.”
While Article 28 clarifies that registries and registrars do not each need to independently collect WHOIS data from registrants, it is clear that both must maintain complete and independent databases of thick WHOIS data. A prior version of NIS2 from June 2022 had confusingly stated that compliance with the relevant obligations “shall not result in a duplication of collecting and maintaining domain name registration data.” This confusion was eliminated in the final NIS2 language of Article 28 that states only that compliance with the relevant obligations “shall not result in a duplication of collecting domain name registration data.”
As EU member states begin transposing NIS2 into law in their individual jurisdictions, applicable law will require registrant data to be transferred to and maintained by registries.
In addition to the thick WHOIS requirements, various recitals preceding Article 28 as well as that article’s provisions clarify and strengthen requirements for registries and registrars to: (i) ensure accuracy and completeness of WHOIS data, (ii) make publicly available all WHOIS data that is not personal data, including the data of legal persons, (iii) respond without delay to WHOIS data access requests and provide access upon lawful requests, and (iv) provide legitimate access to WHOIS data free of charge. See for example (emphasis added):
Obviously, NIS2, which now carries the effect of binding law, imposes clear obligations on registries that can be met only through the maintenance of thick WHOIS records. Therefore, the time has come for the ICANN Board of Directors to put an end to procedural gyrations with respect to thick WHOIS and complete the Thick WHOIS Transition Policy for .COM, .NET and .JOBS as soon as possible. Indeed, failure to do so will result in ICANN policies that are contrary to clear legal and regulatory requirements of the EU.
A comprehensive analysis. Thank you, Dean. Would it be helpful for the US to adopt similar legislation? And perhaps we will see a greater emphasis on security and consumer protection with this and the promise of new leadership at ICANN.