Now that Whois has been changed to become compliant with the GDPR, the battleground over Whois and privacy has shifted to the question of how people can get past the restrictions and gain access to all the personal information about domain name registrants that used to be there. This process is called “access and accreditation.” As one might suspect, the interest groups who loved completely open whois are pushing for access and accreditation models that will restore unlimited, anonymous all you can eat access to them. It is important that all the data protection gained from GDPR is not lost through a poorly designed access and accreditation process.
In this post, IGP proposes a model that allows those with a legitimate interest in the data to gain access. We have considered other models which have been put forward for the past couple of months and believe this model overcomes the shortcoming of other models. It is a proportionate, GDPR-compliant model that respects the rights of both parties: those who need access and those whose data is accessed. It can also be easily operationalized. We submit this model for community discussion at the ICANN 62 meeting in Panama.
A caveat – this model does not deal with accreditation standards. We believe that accreditation – the matter of who should have access to the personal information of WHOIS registrants – is actually a secondary issue. What’s more important is how access is granted; i.e., what procedures and safeguards are in place. The issue of accreditation, we suspect, is going to prove to be a vexed one. Defining what categories of requestor should or should not get to see private information will not be easy to do. (Example: someone who’s really a stalker claims to be a trademark lawyer).
Access to personal information of domain name registration WHOIS directory should take place under the following conditions:
A confederated RDAP
ICANN’s Temporary Specification requires registries implement RDAP. We think that is good. We also believe that the RDAP servers should be confederated so that queries can go to one source, which can hand it off to the Registrar that handles the domain.
No thick registries
All Registries should be thin registries. There is no justification to require registries to hold the personal data of domain name registrants. Registries do not need that information to perform their function, and therefore thick registries are presumptively noncompliant with GDPR and data protection/privacy principles more generally.
Registrars in charge of granting access
Registrars, not registries, should be the parties to whom requests are made and who provide the private data to requestors. Registrars are the organizations who have the direct relationship with the registrant. No other agency should be able to authorize or deliver access nor there should be any other organization that can approve third parties as legitimate interest holders except Law Enforcement. Registrars will not be held liable for not granting access based on valid reasons.
Law Enforcement Agencies develop their own accreditation
Criteria and methods for accrediting entities as bona fide law enforcement agencies (LEAs) should be developed by LEAs themselves. It can be done through GAC, Interpol, or any other LEA nexus. The ICANN community should be able to comment on it before it is adopted.
Narrow legitimate interest in line with ICANN’s mission
As long as access procedures are being led by ICANN, it has to be in line with ICANN’s mission. There are various interpretations of ICANN mission and some prefer to interpret them broadly. ICANN mission should be interpreted narrowly by ICANN, if registrars recognize that there are other legitimate interests and third parties, they can in accordance with GDPR and their local laws allow for access on a case by case basis. We believe that legitimate interest must be defined in a narrow way consistent with ICANN’s mission. The release of the data must be needed to:
- Solve a crime or track down a criminal using the domain
- Respond to threats to DNS operations
- Respond to attacks on the confidentiality, integrity or availability of Internet services that use the DNS as part of the attack infrastructure
Access restricted to individual queries
Access must be granted on an individual query basis, and based on a specific incident. Requests must be made for a particular domain – not a general license to search registration records. There is no need to ask for clarification on this point from the European Data Protection Board. ICANN has to apply this principle because it must respect the privacy of domain name registrants and also not interfere with the technical operation of DNS. Moreover, it can shield itself from liability, should access to the full database not be in compliance with GDPR.
Secondary queries
There should be an ability to run secondary queries based on identity characteristics uncovered in an initial query, but such queries must be limited to legitimate interests listed above.
Requestor’s accountability
Requestors must be held accountable for their use of special access. Requestor’s identity must be known and recorded. Requestors must provide a specific legitimate reason for the query, which shall be recorded at the time of the query. Domain name registrants should have recourse against abuse in queries. If the requestor exceeds the scope of access, domain name registrants should be able to file a complaint against requestors who abuse access on the grounds laid out by law and policy.
- There should be an Alternative Dispute Resolution mechanism in place to file the complaint.
- The outcome will be binding on the defendant
- Those who abuse their access can be held accountable by having to pay a fine.
- The fine can be enforced by having an escrow mechanism in place, which requires the requestor to deposit an amount in the escrow prior to access
- Domain registrants shall not surrender their right to go to court for privacy violations
On thin x thick registries, there are registries with eligibility requirements that actually have a cause for having registrant data. But even in that case, I like the idea of those registries (like some Geo and Community TLDs) not supplying the data forward to 3rd parties.