Ever since ICANN’s creation, there has been a clash between the protection of personal data and its contractually required Whois service. Under ICANN contracts, registrars were required to publish sensitive information about domain name registrants. The email addresses, names and other contact information of domain holders were available to anyone in the world who requested it. This indiscriminate access to sensitive data was proven to exacerbate spam problems, aid domain name hijackers and in a few cases facilitate stalkers.
The implementation of Europe’s General Data Protection Regulation this year finally knocked some sense into the ICANN regime. In an emergency temporary specification issued in May, the ICANN board authorized its contracted registries and registrars to redact sensitive data from their Whois output.
Under the temporary specification, Whois still delivers the basic data about domain names needed to support ICANN’s mission of coordinating the domain name system (DNS). One can see who the registrar is, the nameserver data, the date the domain was created, etc. You can also see all the other information if the domain registrant is willing to publish it. If there is a trademark dispute over the domain, the registrar still must provide the dispute resolution provider with the full registration data for each of the specified domain names. Registrars and Registries must still provide reasonable access to personal data to third parties with legitimate interests that are not overridden by privacy rights, such as law enforcement agencies pursuing criminals.
Privacy opponents who cried doom and gloom when this change was enacted, embarrassingly enough, are now looking like religious nuts whose predicted date for the end of the world has come and gone. The Internet still functions as before. There is no discernible change in Internet security. And there are some clear security gains: for example, registrars are seeing fewer attempts to hijack domains because would-be hijackers cannot spoof a name, email address, and street address if they cannot see it.
The temporary specification was just that – a temporary fix meant to prevent ICANN and its contracted registries and registrars from being sued after the implementation of the GDPR. Recognizing the need for a more formal policy process, ICANN put into motion an expedited policy development process (ePDP) to review the temporary specification and allow all the stakeholders involved in ICANN to accept or alter its terms in ways that would make it a consensus policy. In this policy process, all sides are represented: registries, registrars, privacy advocates, intellectual property interests, commercial users, and governments via ICANN’s Governmental Advisory Committee. The ePDP commenced in August and is now headed into its 8th meeting. The goal is to have a proposal ready by ICANN’s Barcelona meeting in late October.
But now the special interests who oppose privacy are circulating draft legislation to cut short this process. They want to substitute U.S. law for the ICANN process. We have a draft of the proposed law available here. The people pushing this legislation are the same folks who are always trying to regulate and control the Internet. Copyright maximalists, big pharma, and the like. Economic interests are also at play. To companies like Domain Tools, Whois data is raw material for commercial services that they offer to brand protection firms and others. By negating domain registrants’ privacy rights, they are able to monetize the sale of their personal information – and unlike Google, Facebook and others who monetize personal information, there is no service offered in exchange, no contract, no ability to opt out. It’s like the government allowing a cereal producer to harvest its raw materials for free; to go into a farmer’s field of wheat or oats and grab what they want. Obviously, Domain Tools doesn’t want that sweet deal to end. But keep that subsidy in mind when you hear them wrap themselves up in the mantle of cybersecurity.
There are clearly conflicting rights and interests, and this all has to be sorted out at the global level. ICANN, not the U.S. Congress, is the right place to settle this issue. A U.S. intervention here would be a fateful step toward increased jurisdictional fragmentation of the global domain name system. Maintaining the global scope of DNS policy was the reason ICANN was created in the first place. If the U.S. can pass a law that compels ICANN to adopt a certain policy regarding Whois data, any other government can pass a law that goes in a different or even opposite direction. There are some powerful centrifugal forces pulling at the Internet right now, in a variety of contexts. Those concerned with the global connectivity of the Internet – not to mention individual rights to privacy and Internet freedom – need to push back against this intervention by a national government in global Internet governance.