My last blog emphasized the importance of defining a purpose for Whois consistent with ICANN’s mission. It is impossible for ICANN to comply with GDPR unless this is done.
Why doesn’t ICANN already have a defined purpose for Whois? Therein lies an interesting story – a story with a hero, a villain, a betrayal and an unhappy ending. A tragedy according to the Greek definition.
Way back in 2003 – 15 years ago – ICANN formed a Whois Privacy Steering Group. That was its first response to growing concern about the tensions between its newly-implemented Whois policies and privacy law concerns. The Steering Group eventually came to the same conclusion that ICANN seems to be reaching now: before it could decide what data to make public or nonpublic, it had to define the purpose of Whois. So on 2 June 2005 it created a GNSO Task Force on The Purpose of Whois and the Whois Contacts. The task force was mandated to:
(1) Define the purpose of the WHOIS service in the context of ICANN’s mission and relevant core values, international and national laws protecting privacy of natural persons, international and national laws that relate specifically to the WHOIS service, and the changing nature of Registered Name Holders.
(2) Define the purpose of the Registered Name Holder, technical, and administrative contacts, in the context of the purpose of WHOIS, and the purpose for which the data was collected.
By January 2006, the task force had produced a Preliminary Report. Reflecting the divisions in the community, the report offered two competing definitions of the purpose of Whois, and asked for public comment. The two definitions were:
Formulation 1: “The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a DNS nameserver.”
Formulation 2: “The purpose of the gTLD Whois service is to provide information sufficient to contact a responsible party or parties for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, technical, legal or other issues related to the registration or use of a domain name.”
As one of the participants in the work noted, “everyone in the task force agrees the purpose of Whois is to provide a system for a given domain name to be looked up and produce a set of contact information. The crux of the differences relates to the types of problems the constituencies believe ought to be resolved using the Whois system. (e.g. technical, legal, etc.)” Formulation 1 emphasized the technical problems that could be resolved, as being more suited to ICANN’s mission. Advocates of Formulation 1 claimed that it was the only definition consistent with the narrow technical mission of ICANN, with ICANN’s Core Values regarding security and stability, and with national data protection laws worldwide.
Formulation 2, on the other hand, opened the door to literally any use of Whois. By saying that Whois data could be used to resolve “technical, legal or other issues” related to either the registration or use of a domain name, it essentially opened the door to any purpose under the sun, with the exception of spamming.
ICANN put the task force report up for public comment. Comments closed February 9, 2006. Between February and March there were attempts to resolve the difference by bringing the matter to a vote on the GNSO Council. In April 2006, the Task Force’s work was successfully concluded: after months of discussion and debate and public comment, the GNSO Council passed Formulation 1 with the required two-thirds majority to deem it a “consensus” under GNSO operating rules.
What happened next? Something that happened several times during the bad old days before ICANN’s reform. The trademark and business interests refused to accept the consensus policy and urged the U.S. government to use its power over ICANN and its influence in GAC to veto this definition and bury it. The U.S., which had made its preference for Formulation 2 known, was more than willing to do this. As the vote was held, Suzanne Sene, the US Commerce Department official who represents the US on the GAC, complained that “GAC didn’t know how close to a vote we were” and said she didn’t think GNSO should vote so “soon.” She made this absurd claim despite the 3 years that had passed since the formation of the Whois-Privacy Steering Group and the 9 months that had passed since the formation of the Whois purpose task force.
Next, enormous pressure was placed on the chair of the GNSO Council, Bruce Tonkin, to reverse the vote. Even the Australian GAC representative – whose own national privacy laws clearly made the existing Whois illegal – pressured Tonkin (an Australian national) to abandon it. Eventually, Tonkin caved. He unilaterally short-circuited the work of the GNSO Task Force and kept the issue of Whois purpose unchanged and the issues about its consistency with privacy law unresolved. There was never another vote. The matter was just dropped. Because the consensus was ignored, the work of the Task Force was truncated and the status quo (which was the option favored by the trademark interests and the USG) has remained in place to this day.
Back then, when the stakes were high enough and ICANN’s policy development process didn’t do what the U.S. government wanted it to do, the U.S. just didn’t allow it to happen. It started doing this fairly overtly in the 2005-6 time frame, when it decided to veto ICANN’s approval of the .XXX top level domain based on domestic political pressure. Like the XXX incident, the Whois purpose veto should remind everyone that US control over the pre-transition ICANN was much more than “ceremonial;” it was deeply political and directly affected policy. ICANN as an organization simply could not afford to run counter to U.S. interests.
But more important than the historical precedent is keeping this incident in mind as we enter into the new effort to define a purpose of Whois. We have already debated many of the issues and problems related to Whois purpose. We can easily predict which constituencies will be on which side of the issue as we settle on a purpose. We need to remember that there are powerful interests at stake, and some of them have no qualms about playing dirty to keep the status quo in place. There are key differences now, however. First, the legal situation is changing in ways that make it difficult, if not impossible, to keep evading the issue. Secondly, European governments have stopped viewing Whois as a convenient escape valve from their own privacy laws and seem to be insisting on compliance. Finally, ICANN itself has changed: it is no longer under the thumb of the US government. It is now more accountable and its staff shows more respect for its own process and limited mission. Let’s hope there is a better outcome this time.