|
ICANN must act now to harmonize its domain name registration data (commonly known as WHOIS) policies with Article 28 of the European Union’s Network and Information Security (NIS2) directive, first to adhere to applicable laws as it fulfills its oversight responsibilities and, second, to keep its word to the community to preserve WHOIS to the fullest extent possible under law.
Despite recent developments, ICANN continues to maintain an out-of-date policy driven by registries and registrars—the very parties ICANN is meant to oversee—adopted as a result of the uncertainty created by GDPR in 2018. In fact, ICANN’s failure to update its WHOIS policy in response to the legal clarity provided by NIS2’s Article 28 will only lead to more NIS2-like legislation targeting TLD name registries and entities providing domain name registration services, and possibly even ICANN itself. All on the eve of worldwide governmental deliberations on the fate of DNS governance.
In 2019, five years ago, I posted an article warning that if ICANN didn’t “step up to the plate and establish workable registration data access requirements” discontented governments would take pen to paper and force the issue. I later noted that “ICANN’s failed effort to achieve its goal of preserving the WHOIS domain name registration directory to the fullest extent possible” would mean that “governments would take up the legislative pen in order to fulfill the long-ignored needs of those combating domain name system harms.”
This was all prior to NIS2 and, at the time, my articles on this subject received plenty of comment (mostly negative). But now we’re staring down a fast-approaching October 18 deadline to comply with NIS2 Article 28 requirements on WHOIS laid down by governments who took pen to paper when ICANN dragged its heels.
More specifically, on October 18, the provisions of Article 28 of NIS2 will come into force in most EU member state jurisdictions and, with only weeks left before that date, somehow there remains debate about what Article 28 language actually requires of TLD name registries and entities providing domain name registration services. To date, ICANN has not served as a responsible oversight authority to update its global policy to benefit all stakeholders affected by WHOIS.
WHOIS remains important to anyone impacted by or involved with attempts to thwart the still-growing problem of fraud and abuse perpetrated through the domain name system (DNS)1. To effectively stop and prevent these types of frauds and abuses, one first needs to know the perpetrators behind the domain name registration.
Article 28 addresses this very issue by requiring the “collect[tion] and maintain[ance] [of] accurate and complete domain name registration data” and requiring “TLD name registries and entities providing domain name registration services to provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers”. This is no longer an issue of permissibility to collect—it’s a legal requirement to ensure Whois data contains the necessary and accurate information to identify domain name registrants. NIS2 bases this requirement on GDPR Art. 6(1)(c) as a legal basis for processing registration data. This is much different from ICANN’s current compliance posture that defers entirely to registries and registrars to decide (especially when it comes to data that is not personal data or of legal persons) whether to disclose WHOIS in response to legitimate access seekers.
NIS2’s Article 28 obligations are clear, requiring that “for the purpose of contributing to the security, stability and resilience of the DNS” (the very mission of ICANN) TLD name registries and entities providing domain name registration services must:
Yet ICANN Org’s response to date continues to be something akin to: “Hey, it’s up to our contracted parties (the very TLD name registries and entities providing domain name registration services named in Article 28) to decide whether to disclose.” This is consistent with its operation of the Registration Data Request System (RDRS), which creates no obligation to participate, let alone disclose. It’s no wonder that the RDRS is experiencing minimal participation by the requester community, who are deterred by the low rates of registrar participation, compliance, and meaningful disclosures.
As the saying goes, the rubber is about to meet the road. When October 18 arrives, so will the Article 28 requirements for ICANN’s contracted parties to collect, maintain, verify, create and publish policies around—and disclose to legitimate access seekers records from—a database of accurate domain name registration data. This will help combat cybercrime that in turn will help everyday consumers targeted by criminals who abuse the DNS to perpetrate their crimes.
Now is the time to address Article 28 implementation with the same fervor that the ICANN put into the GDPR-WHOIS policy harmonization in 2018, when ICANN interpreted that pending policy to mean WHOIS access should be fully redacted, and immediately suspended all its register contract obligations around WHOIS and replaced those obligations with a temporary specification all but eviscerating access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers. For ICANN to now treat harmonization of its WHOIS policies with NIS2 Article 28 any differently is for ICANN to ignore its DNS oversight mission and responsibilities.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byCSC
Sponsored byRadix
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Let’s assume that registrars will publish non-personal data and make that available through WHOIS/RDAP.
Now the good guys can do good things again. At least that is the assumption.
Now from all my years doing cybercrime research, and as a registrar having access to the full registrant data, the reality is that there will be little data available for the good guys.
But let us ignore the above reality I pointed out. The moment non-personal data is published, the criminals will switch. It is not 2009 anymore.
https://www.infoblox.com/company/news-events/press-releases/infoblox-exposes-chinese-cybercrime-syndicate-linking-european-football-sponsors-human-trafficking-and-a-trillion-dollar-illegal-gambling-economy/
When you are dealing with criminal groups with that kind of money you can be sure their OPSEC is tight, and they will be watching anything and everything when it comes to new policies, regulations, and laws because they have a ton of money to spend.
But good luck.