The expedited policy development group that is trying to reform ICANN’s Whois system post-GDPR met face to face in ICANN’s Los Angeles headquarters September 24 – 26. The same old conflicts of interest underlying Whois policy for the last 18 years resurfaced repeatedly, but this time important progress was made. This report is intended to document and clarify the process. We are deliberately giving the reader a deep dive into the details to promote better understanding of the issues and to keep the process accountable.
Two fundamentally different ideas about data collection and disclosure coexist in the working group.
To the contracted parties who supply domains – and to the individual rights advocates in the noncommercial stakeholders group – Whois data is just a byproduct of a service provided to domain name registrants. To be compliant with GDPR (and other data protection laws), data collection about registrants should be limited to that which is necessary to fulfill the functions of ICANN, the registry providing the domain, and the registrar servicing it. Data subjects need to be informed what those purposes are, and all uses of the data must be restricted to them. Purposes should be guided by and consistent with ICANN’s limited mission, which is the coordination of the global domain name system. Registration data should be disclosed to third parties only if they have a legitimate interest, and only under conditions that protect the rights of registrants. Let’s call the group that believes this the privacy caucus. (OK, registries and registrars are not really privacy advocates, but they don’t want to be fined for privacy law violations and have a duty to their customers to protect their privacy, which is almost as good.)
The other group consists of intellectual property, government and law enforcement interests, and commercial cybersecurity services. To them, GDPR compliance is a secondary matter; they see the primary purpose of Whois as data mining, surveillance and identification of bad actors on the Internet by third parties (i.e., them). The temporary specification, which redacted much of that Whois data, means that their main concern now is gaining access to the non-public data. They have, after all, become habituated to unlimited, indiscriminate access to that data for 20 years. Let’s call this group the surveillance caucus.
Purpose and Access
The biggest problem the ePDP faces is to disentangle access issues from purposes for collecting data. Under its charter, the ePDP is not supposed to talk about access to non-public data until it settles the issue of making Whois compliant with GDPR. But that’s hard to do when one caucus is only interested in access.
After spinning its wheels for a month, the ePDP finally recognized a clear distinction between purposes for data collection and third party legitimate interests in gaining access to that data. Since purposes control what data is collected and how it is used by controllers and processors, this was a big step forward. Previous ICANN discussions of this topic repeatedly confused “use cases” (i.e., third party interests in Whois data) with ICANN’s “purposes” for data collection. Clear guidance from the GDPR and from the European Data Protection Board helped the privacy caucus to establish this distinction. Indeed, key members of the ePDP, such as the US GAC representative, understood and accepted this distinction, opening up the door to progress.
Next, two ePDP members, Thomas Rickert and Farzaneh Badiei, developed a matrix that facilitated the systematic identification of purposes, the data required for them, and the application of GDPR requirements to the data processed. The matrix allowed the group to identify data controllers and processors of Whois data, define their purposes, and check their legality under GDPR as well as their consistency with ICANN’s bylaws. The group headed to Los Angeles with a new and systematic methodology.
The Matrix: Red pill, blue pill, painkiller?
ICANN’s staff and co-chairs of the ePDP (Kurt Pritz and Rafik Dammak) adopted a modified matrix as the basis for discussions in Los Angeles. Professional mediators from CBI worked very hard to keep the group focused on accomplishing specific objectives. Although it was tedious at times, the group worked its way through the 5 basic purposes listed here without too much trouble. (The purposes were identified alphabetically; if letters are skipped it means a purpose was discarded or merged with others.)
A. Establishing the rights of a Registered Name Holder in a Registered Name and ensuring that the Registered Name Holder may exercise its rights in respect of the Registered Name
C. Enable communication or notification of the registered name holder and/or their delegated parties of technical and administrative issues with a registered name
E. Provide mechanisms for safeguarding registered name holders’ registration data in the event of a business or technical failure, or other unavailability of a registrar or registry operator.
F. Handle contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Registrars, Registered Name Holders, and other Internet users.
M. Coordinate, operationalize and facilitate ICANN’s TLD and domain names dispute resolution policies, namely URS, UDRP, RDDRP, PDDRP and PICDRP
None of these purposes introduced radical changes in what data elements would actually be collected. The only significant change agreed was that Technical and Administrative Contact data (collected under purpose C) would be optional.
Progress almost broke down over what came to be known as Purpose B. B was a consolidated version of 5 or 6 different proposals advanced by various surveillance caucus members. It basically said that one of the key purposes of the Whois system was to enable third party access to registrant data. This idea took several forms, such as:
- Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection (the language in section 4.4.8 of the temp spec);
- Providing access to accurate, reliable, and uniform Registration Data based on legitimate interests not outweighed by the fundamental rights of relevant data subjects;
- Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to address specific issues involving domain name registrations related to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection.
Clearly, the main motivation behind each of these “purposes” was to allow third parties to gain access to non-public Whois data. In discussing these proposals, the group was repeatedly plunged back into a premature discussion of access.
The privacy caucus argued, correctly in our view, that it is illogical to claim that one’s purpose in collecting and processing data is to disclose it to third parties. Disclosure is an objective of third parties, not ICANN, and defining access for third parties as a purpose does not provide any guidance as to which data needs to be collected. Would it justify collecting whatever the third parties want? But the surveillance caucus feared that unless providing access to third parties was defined as one of the “purposes” of Whois, they would not be guaranteed access by decisions made later on in the process. They claimed, plausibly, that they had no intention of justifying the collection of additional data elements – but what about two years down the road?
With debate over this problem threatening to blow up the meeting, a compromise was proposed which formulated purpose B like this:
B. Provide lawful access for legitimate third party interests to registration data that is already collected and identified herein.
This formulation recognized the provision of access to registrant data as an ICANN purpose but limited it to the disclosure of data already collected for other purposes. It was a compromise in which both caucuses got something, but gave up something. The surveillance caucus got access defined as a purpose, which they seemed to want very badly. The privacy caucus agreed to recognize this as a purpose of ICANN, which they didn’t want to do, but the wording was intended to foreclose any additional data collection based on that purpose. It also finessed the issue of which third parties’ interests are legitimate, deferring access criteria to a later date, as the ePDP charter calls for. There are problems with this formulation, but it seems to have prevented worse formulations from being debated, and it paved the way for a consensus among the ePDP members.
Defining disclosure as a purpose of ICANN was vehemently opposed by some contracted parties. A final agreement was reached when B was redefined as a registry/registrar purpose rather than an ICANN purpose. The policy for granting access would be consensus policy decided by ICANN stakeholder groups. This is still under discussion but the text reads:
- Registrar/Registry Purpose B – Facilitate lawful access for legitimate 3rd party interests to data that is already collected and identified herein
The rest of the purposes were proposed as:
- ICANN Purpose A – Establish the rights of a Registered Name Holder in a Registered Name and ensuring that the Registered Name Holder may exercise its rights in respect of the Registered Name
- ICANN Purpose C – Enable communication or notification to the Registered Name Holder and/or their delegated parties of technical and/or administrative issues with a Registered Name
- ICANN Purpose E (Registrar and Registry Escrow) – Provide mechanisms for safeguarding Registered Name Holders’ Registration Data in the event of a business or technical failure, or other unavailability of a Registrar or Registry Operator
- ICANN Purpose F – Handle contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Registrars, Registered Name Holders, and other Internet users.
- ICANN Purpose M – Coordinate the development and implementation of policies for resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names).
- ICANN Purpose N – Enabling validation of Registered Name Holder satisfaction (fulfillment) of registration policy eligibility criteria.
These are not yet finalized and there are additional issues to be addressed. Basically, this wording is just a placeholder until the different stakeholders can confer with their groups.
The ePDP has now been working for two months. It has only three more weeks to prepare an initial report that can be reviewed in time for consideration at ICANN’s Barcelona meeting October 20 – 27. If you’ve read this all the way to the end, congratulations! You are a true Whois junkie.