The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. As a result, ICANN allowed registries and registrars to cloak the personal information of domain name registrants in WHOIS, with a caveat that those who had legitimate and proportionate purpose should be allowed access to this cloaked, nonpublic WHOIS data on an individual request basis.
Despite some attempts to portray GDPR as the ultimate evil, the Internet is not dead; cyber doomsday did not arrive. But there are discussions about developing an accreditation model to allow those with a legitimate purpose to have access to the personal data in WHOIS. The sense of urgency comes mainly from the Intellectual Property and Business constituencies. Law enforcement and security researchers would like to talk about the accreditation model as well. So how should we go about developing an accreditation and access process at ICANN? What is the best strategy?
ICANN’s IPC/BC and the false sense of urgency
ICANN’s Intellectual Property and Business Constituencies are vesting this issue with an unwarranted sense of urgency. Relying on the cyber doomsday argument, they have taken the matter into their own hands and have proposed an accreditation process and criteria that are not GDPR compliant. They are now pushing hard to convince the ICANN Board to adopt it, unilaterally and without community consensus. Such adoption should not happen. Any accreditation model must be developed by the ICANN community as a whole, using ICANN’s bottom-up processes. No single stakeholder should be running the process.
An accreditation model is not the top priority when it comes to WHOIS. Compliance with GDPR is. Whatever accreditation process is developed must be carefully designed to be compliant with the GDPR and to satisfy the interests and needs of all stakeholder groups in ICANN. Despite these facts, there is a risk that the ICANN Board will cave under the pressure of powerful interest groups and adopt an accreditation model that is not GDPR compliant. And as we have seen many times, ICANN is very sensitive to IP interests, so much so that in its recent legal argument ICANN states that WHOIS is an international trademark registry for domain names!
Yet a one-sided, noncompliant accreditation process will result in major costs to registries and registrars, litigation and further delays. We cannot ignore this risk. We must come up with a strategy to ensure that ICANN adopts an accreditation model that is community led and GDPR compliant.
The GNSO and accreditation model development
ICANN enforces its policies through contracts. Policies related to generic domain names are made in policy development processes formed by the Generic Names Supporting Organization (GNSO) and open to the public. In urgent matters, such as when ICANN wanted registries and registrars to comply with GDPR but also keep the WHOIS service functioning, the corporation can take top-down action. ICANN came up with a Temporary Specification, passed by the Board, that became a part of the contract between ICANN and the registries/registrars. We have a Temporary Specification in place now that addresses GDPR compliance. The temp-spec is far from complete, and some of its clauses about data collection might conflict with data protection laws. The GNSO has decided to establish an Expedited Policy Development Process (known as EPDP) to address the issues in the Temporary Specification.
The IPC/BC would very much like to discuss the accreditation model in the EPDP as an urgent matter. Most registries and registrars have not expressed urgency about accreditation. They seem to believe that there are other priorities. We at IGP believe that accreditation is not an urgent matter either. Politically, however, the risk of unilateral action by ICANN is too high to delay discussions about it.
What should we do?
Registries and Registrars already comply with the temporary spec and provide gated access to non-public personal data to legitimate users with legitimate and proportionate purpose. As stated in the Temporary Spec: “Users with a legitimate and proportionate purpose for accessing the non-public Personal Data will be able to request such access through Registrars and Registry Operators.”
But we need to work on a more harmonized approach that is supported by the whole community, including privacy advocates, registries, and registrars. While acknowledging that there is no need for hasty action, we need to be proactive and inform the ICANN board that we are focusing on the issue.
The arguments against hasty and unilateral actions are as follows:
- Those in need of personal data in WHOIS are not barred from accessing it if they have a legitimate purpose. No registrars or registries are complaining publicly about being flooded with requests for revealing WHOIS data that they cannot handle. If registries and registrars don’t give access to personal information, then ICANN, which has been proactive in taking them to court, can seek clarifications from European courts.
- Cyber doomsday has not happened. Any interest group arguing that an accreditation model has to be implemented soon because the safety and stability of the DNS have been endangered or consumers are at risk needs to bring evidence.
- WHOIS has not gone dark. The contactability of domain name registrants has been preserved in the new WHOIS.
- We still don’t have enough legal clarity on how such an accreditation model should be implemented. So any accreditation model that ICANN comes up with might contradict the law. We need time to do this right.
Despite these good reasons, convincing ICANN not to act unilaterally will be a difficult task. ICANN has thus far shown us that it wants to keep WHOIS as open as possible and protect the interests of the intellectual property constituency. It is under pressure from governments and powerful groups. Therefore, we need to start the discussion about accreditation and reduce the pressure on ICANN.
One approach is to form a Cross Community Working Group (CCWG), chartered by all the ICANN Supporting Organizations and Advisory Committees. This approach gives all stakeholder groups a say in the goals, timeline, and modes of operation. A CCWG includes all groups from the beginning and might produce an outcome that generates less resistance. The CCWGs formed for the IANA transition and for ICANN accountability, neither an easy issue to deal with, were timely and successful. However, CCWG outcomes might not be binding on Contracted Parties, which is a severe shortfall.
Another possible approach is to accept discussions about an accreditation model in the EPDP, with the participation of various ICANN community members, but not treat the issue as the top priority. The GNSO has suggested an EPDP team composition that is similar to a CCWG, called “CCWG Minus”. An EPDP with a CCWG Minus team composition allows all Supporting Organizations and Advisory Committees to appoint members to the group. The outcome of the EPDP would be binding on registries and registrars, other community members would participate in formulating the accreditation model, and it would also be a manageable group that can come up with a consensus outcome.
But this approach has some drawbacks, too. The scope of the EPDP is still undefined, and accreditation might not be included within its scope. Moreover, interested parties that want accreditation to be its top priority might succeed in distracting it from the more critical issues. We should start a discussion about the scope of EPDP, and decide on priorities that are identified by the community. Accreditation criteria could be dealt with after the top priorities have been identified and worked on, with a clear timeline.
We should also distinguish between the different parties that want access to personal information in WHOIS. Inquiries from law enforcement are quite different from IP lawyers’ access to WHOIS. We should not allow the IPC/BC to conflate their interests in intellectual property and brand protection with governments’ interest in law enforcement and combating cybercrime. ICANN’s Governmental Advisory Committee (GAC) has explicitly said in its Communiqué that it would not get involved with the operationalization of an accreditation model. Perhaps the GAC can discuss an accreditation model for law enforcement access to WHOIS in consultation with Data Protection Authorities, and the EPDP can help them with that process.
Also, we need to enter into a dialogue with ICANN’s Security and Stability Advisory Committee (SSAC). They are, after all, the committee that advises on the stability and resiliency of the DNS. SSAC members are either cybersecurity researchers or in touch with cybersecurity researchers with an interest in the WHOIS data needed to combat cybersecurity threats.
In conclusion, we should not shy away from discussing an accreditation model. But we must inform the Board that there is no urgency, and denounce any accreditation model that is not developed by the entire ICANN community. We must reassure the Board that the registries and registrars will comply with the Temporary Specification as long as it is not in violation of the law and the contactability of domain name registrants is not hampered. We need to come up with an accreditation model that is community led and provide a timeline for its completion. We should not forget that we can make allies by distinguishing between the different interests. We, the ICANN community, need to start the conversation now before it is too late.