ICANN’s expedited policy development process (EPDP) to make Whois compatible with GDPR is making progress, albeit very slowly. Another round of face-to-face meetings will be held at ICANN 63 in Barcelona, Spain, beginning Saturday, October 20.
But some participants in the group are becoming uneasy about ICANN CEO Goran Marby’s relentless promotion of a “Unified Access Model.” They fear that the CEO’s “discussion papers” and calls for public comment are turning into a parallel policy development process that will pre-empt or circumvent the decisions made by the EPDP and other normal ICANN processes.
Yesterday the Noncommercial Stakeholders Group (NCSG) published a blistering set of comments on Marby’s UAM. NCSG represents about 200 civil society organizations and individuals in ICANN’s policy development process. We highlight some of its key points here.
The comment begins by noting that “the question of access [to redacted Whois data] is meant to be taken up only after the EPDP team finishes its revision of the Temporary Specification, as these deliberations will inform community decisions about the nature of data access and whether or not there is an underlying need for a framework or implementation scheme.” The comment charges that “ICANN org’s preparation and circulation of a ‘possible’ unified framework is not only an inappropriate use of scarce resources, but most troublingly of all, a circumvention of established consensus-based multistakeholder processes.” It says that “the community should first assess the need for and feasibility of a ‘unified access model’ before trying to build one. This document should not be developed any further until such a community mandate has been conferred.”
The very title of the document, “Draft Framework for a Possible Unified Access Model for Continued Access to Full WHOIS Data,” reflects disturbing biases and assumptions that are inimical to data protection rights, according to the NCSG. The CEO’s document sets as its goal a “Unified” access model when there is still an active debate within the community on whether or not a unified model is the best approach. (Some believe it must vary by jurisdiction.) The term “Continued Access to Full WHOIS Data” implies that ICANN’s goal is to deliver the same kind of access to Whois data that was deemed illegal under the GDPR. While this is certainly what some stakeholders want, it is definitely not what civil society, registrars or registries want, and it is not likely to be legal. The NCSG also questions why ICANN exaggerates the urgency of the matter. Currently, registrars can and do respond to legitimate requests for access to the redacted data on a case-by-case basis.
After questioning the rationale for the entire UAM “discussion paper,” the comment then turns to the substance of the proposed model, which it finds wanting:
The NCSG objects to an access model based on eligible user groups. The CEO’s proposed model would “accredit” broad categories of users and then give them free rein to mine the Whois data. NCSG contends that user groups are too broad a categorization and do not allow for a narrow interpretation of legitimate interest. Requests for access should be handled on an individualized basis.
The NCSG objects to the Governmental Advisory Committee (GAC) being responsible for defining the eligible parties with legitimate interest. GAC has neither the resources nor the expertise to fulfill this role, and as an organization with no representation from data protection authorities it has proven to be biased when considering Whois issues.
The NCSG objects to parties with legitimate interests establishing their own requirements for authentication. This approach, NCSG notes, is a fox-guarding-the-chicken-coop arrangement. It contravenes the principles of data minimization and elevates the interests of third parties above the rights of the data subjects.
The NCSG objects to granting unlimited access to third parties based on self-described, pre-defined legitimate interests. Third parties should be granted access only to individual records, in accordance with the legitimate purpose of the request, and should not have bulk access to registration data.
The NCSG believes disclosure of domain name registrants’ data should be done by registrars only. In line with the principle of data minimization, NCSG opposes the concept of thick registries. It also thinks that registrars, who have a direct relationship to the customer, are the best stewards of their data.
Although CEO Marby repeatedly denies that he is pre-empting the community’s Whois policy development process, actions speak louder than words. The claim that Whois reform is in the hands of “the community” has little credibility when ICANN’s staff is unilaterally setting out a policy proposal that is heavily biased toward one set of stakeholders and insisting that the rest of us discuss it.