For the big legacy top level domains like .COM, the registry holds a minimal amount of mainly technical information. But for some time ICANN has been trying to amend its policy to require registries to hold the contact information about the registrant as well. This compromises registrant privacy and is a costly process for the registries. As we explain in this blog, the transition process should not be implemented, otherwise, ICANN, Registrars and the Registries might have to face hefty fines from the new General Data Protection Regulations.
WHOIS is a service that provides data on who has registered a domain name and what registrar they are using. The Internet Corporation for Assigned Names and Numbers (ICANN) inherited the service when it was established in 1998.
Since then, ICANN has created WHOIS-related obligations for the registries and the registrars through contracts. These policies and obligations have led to the creation of two WHOIS registry models: thin registry and thick registry. Up to now, thin registries only maintain data related to the domain names and do not maintain data associated with the registrants. Thick registries maintain the registrants’ contact information as well.
The thin registry model makes much more sense when it comes to protection of personal data of domain name registrants. The less data available to maintain, the better registrants’ privacy is protected. But ICANN policy is changing in regards to thin registries. Rather than continuing to use thin data registries, all existing registries (for example .COM and NET) and all new gTLD registries are supposed to transition to thick data. This thin to thick registry policy transition further comprises registrant data privacy.
ICANN and some stakeholders justify this transition in terms of efficiency. In order to encourage more competition between registries and registrars, ICANN makes domain names “portable” across registrars. Consumers moving from one domain name service provider to another needs to transfer their contact information. When thin registries transfer registrant contact information, there must be deliberation and approval between the registrant, admin contact, and the registrar. The ICANN Expert Working Group claims this is an inefficient process. Thick data registries cut out the admin contact and allow for registrars to directly coordinate with registrants in order to transfer the registrant’s data. According to their public comments “The business constituency proposes that the most efficient and effective way to develop an approach on authenticated access, data accuracy, improved centralized access and easier searching through Thick WHOIS, (Public Comment, 2017). The business constituency favors this transition because it makes it easier for them to conduct ongoing surveillance of domain name registrants for alleged trademark infringements and consumer information, such as credit card verification.
A thick registry also offers more advanced archives and restoration for data. If a registrar were to go out of business or experience consistent technical errors that inhibited them from providing service, registries with thick Whois maintain registrant information at hand and could transfer the registrations to a different or temporary register. This would allow registrants to continue to manage their domain names, (FINAL REPORT 2013). However, the price of these benefits come at the expense of registrant privacy protection, and consumer choices. Registries that do not have to worry about customers being stolen may have lower customer acquisition costs and be able to offer cheaper registration services overall.
The transition will not be as nice and smooth as it sounds. By going ahead with this transition, ICANN is ignoring a fundamental principle of internationally-recognized data protection laws, namely data minimization: collect only so much data as you need to perform a task. Rather than approaching data from a minimalist perspective, they have decided to transition all data registries from thin to thick.
Unfortunately, ICANN’s general approach to addressing issues of privacy and security is to refer to local law. However, in many cases local laws conflict with ICANN policy, especially if data is being transferred from one region to another. In the past, if local law conflicted with ICANN’s policies, they referred to the ICANN procedure for handling WHOIS conflicts with privacy law. According to their procedure, a registry operator or ICANN-accredited registrar may invoke the procedure by providing ICANN with a written statement from the applicable government agency responsible for enforcing its data privacy laws indicating that a WHOIS obligation in an ICANN contract conflicts with such applicable national law.
This may seem like a simple solution, but in reality it doesn’t solve the problem at all. This procedure is unrealistic because it requires registries and registrars to approach a government agency with a form stating that they have broken their local laws. It further places a burden on the government to police compromised data privacy, yet some governments do not have agencies to enforce their own data privacy laws. The working group has not been able to effectively address the potential for registrars to transfer registrant data from one jurisdiction to another.
The upcoming adoption of the European Union’s General Data Protection Regulation (GDPR) will further complicate the thin to thick data transition. GDPR is an upcoming regulation put forth by European Commission that seeks to ensure the privacy of the European Union at company’s’ expense. This initiative not only affects the European Union but every entity that shares data of anyone who is within the borders of one of the member states, and citizens of European Union residing in any other region of the world. For ICANN’s purposes, this makes the transition from a thin data registry to a thick one more difficult. GDPR will affect ICANN in two ways. One, it will apply to all the personal data that participants in the domain name ecosystem collect, display and process, including registries and registrars pursuant to ICANN contracts. Secondly, it will apply to personal data that ICANN obliges the registrars to transfer to the registries.
In order to protect citizens’ data and privacy when GDPR finds a company in violation of their regulations they may be fined two percent or up to 20 million euros of their global gross revenue. As it is related to the thin to thick transition, if a registrar holds the data of a registrant and does not secure it properly and/or does not transfer that data properly, the registrar could be fined 2% of their revenues. The Thick Data Final Report admits to risks associated with the transition. It states, “Risks include unauthorized disclosure in a security sense and issues related to information disclosure in violation of local law and regulations. They also include the possibility that information could be deleted or altered inadvertently or deliberately, possibly a more significant consideration for those individuals who believe that Whois information is public and therefore cannot be “disclosed” in an unauthorized manner.” These risks not only create a personal threat to registrants, but under GDPR would violate their data rights, and thus registries and registrars could incur fines.
Although a transition from thin registries to thick registries seems like a simple procedure and beneficial in some respects, it has many implications that do not immediately meet the eye. The transition was supposed to have been finalized by August 2017, but Verisign has been repeatedly asking for extension of the deadline. At the recent ICANN 60 meeting, the board passed a resolution that deferred compliance with the thin to thick data transition for 180 days. There are still many unresolved questions about data security and privacy. It is puzzling why the businesses pushed for the transition of thin to thick data. The transition has been deemed necessary to create a centralized system for access to registrants’ contact information. Such access already exists on ICANN’s website. So it does not reduce transactions cost of trademark enforcement. Although many businesses are in favor of this transition, they would support the policy change at the expense of their own customer’s privacy and security. Therefore, we do not believe that ICANN should implement the thin to thick transition. ICANN community should re-convene on this matter and look into scrapping this bad recommendation.