On the day before the American Thanksgiving holiday, ICANN released the initial report of the policy development process that is trying to reform Whois. Jokes about turkeys were probably inevitable, but to the EPDP members who have spent months of practically non-stop work on it (including two IGP partners), that sign of progress was something to be thankful for.
The initial report is now open for public comment. The report accurately reflects where there is agreement, and where there is a lack of consensus in the group. Public comment, especially from those with expertise in data protection law, may help resolve some of those conflicts.
At 130 pages, the report may seem overwhelming, but all one really needs to review is the 24-page Executive Summary, which lays out the EPDP’s 22 recommendations and the 11 questions the group wants the public to comment upon.
If you want to see the privacy rights of domain name registrants respected, you need to weigh in. And if you don’t weigh in, you can be sure that Facebook, the MPAA, the trademark interests, cybersecurity firms who monetize Whois data, and other anti-privacy rights interests will be out in force.
Below, we outline the key issues that require comment.
Natural vs. Legal Persons
Probably the most important battle waged in the EPDP concerns the status of natural persons (that is, real individuals like you and me) and legal persons or corporations. Currently, the data collection process for domain name registration does not differentiate the two. The surveillance advocates want registrars to be required to distinguish between the two when they register names. This is a critical part of their battle to recreate as much of the old Whois as possible. At least 70% of domain name registrations are by organizations. If they succeed in sorting registrants on those grounds, their next move, obviously, will be to oppose any redaction of their contact details and voilà!, they will have a big chunk of the old Whois back to data-mine and surveil as they please. This is Question #7 in the initial report.
The privacy advocates, registries and registrars oppose any attempt to differentiate natural and legal persons. While they recognize that corporate entities don’t have the same privacy protections as individuals, they believe that any attempt to sort out who is an organization and who is a natural person at the point of registration will pose major risks to data protection and impose major cost burdens and risks on the contracted parties. Many registrants will not understand the distinction and will end up being misclassified as organizations and thus lose their data protection. (To demonstrate this point, try a simple experiment: go out on the street and ask passersby “are you a natural person or a legal person?” See how many people understand what you are saying.)
Compounding the problem, the contact information for many small, single-person organizations will be the same as their personal contact data. And even when a larger organization is involved, contact data may need to be shielded from indiscriminate public access. The European Data Protection Board has stated that “personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the context of WHOIS.”
The effectiveness of such a requirement is also open to question. It’s likely that bad actors who want to shield their data from public scrutiny will self-classify as natural persons when registering a domain. How will we know whether they are lying? So, in addition to inadvertently misclassifying innocent individuals as legal persons, the requirement would be unlikely to classify intentional bad actors correctly. If you’re going to require verification of those claims, how does that scale? And what about the tens of millions of domains that have already been registered and have no such differentiation?
To registrars and registries, the natural-legal distinction requires expensive new procedures and programming, as well as potential legal liabilities if natural persons get misclassified. To the noncommercial stakeholder group privacy advocates, it’s a bald attempt to do an end-run around the GDPR for most registrants.
The second most important issue, in our view, is what data will be collected but redacted in the public Whois. This shows up in the report as Question #5, referring to Recommendation 8.
Everyone agrees that some basic information about domain name registrations should be published for all to see: e.g., the domain name itself, the registrar responsible for the registration, the name servers and their IP addresses, and the registrar’s abuse contact email and phone number. Quite a lot can be known about, and done with, a domain from this information alone. But the sensitive personal contact information of registrants clearly should not be published.
In this area, concerns about compliance with GDPR must guide the policy. Based on legal advice it received last year, ICANN org pre-emptively (and correctly) redacted most of the data fields regarding the registrant’s contact information in its Temporary Specification. The EPDP recommended the same set of redactions as the Temp Spec. Disagreements are at the margins. Privacy advocates would like to see the State/Province field redacted. The Intellectual Property interests would like to see both the State/Province and the City fields published. We recommend adding State/Province to the list of redacted fields. It is not needed for public display.
Relatedly, the EPDP has agreed that the Administrative and Technical Contacts will no longer be required data elements to collect. These ancient data fields go back to the origins of Whois before ICANN existed, and serve little purpose, yet for some reason they were required elements in registrar contracts. In a very large portion of domain name registrations, the Admin-C and Tech-C are the same as the registrant. Based on the principle of data minimization, Admin-C will no longer be required, and it will be optional for a registrant to provide a technical contact. The EPDP is still considering whether registrars should be required to offer a Technical Contact field. We think they shouldn’t be. The Tech-C field is obsolete. It predates the ICANN policy of separating registries and registrars. For all practical purposes, the technical contact for any registrant is the registrar, and registrar contact info is already automatically included in the public Whois.
Purpose #2: Collecting to disclose?
We believe that questions need to be raised about Purpose 2, which reads as follows:
“Maintaining the security, stability and resiliency of the Domain Name System in accordance with ICANN’s mission through the enabling of lawful access for legitimate third-party interests to data elements collected for the other purposes identified herein.”
While this purpose is stated in a way that is a lot less troublesome than it could be, it still confuses an actual purpose for collecting registrant data with the question of how third parties with legitimate interests can get access to Whois data. In effect, Purpose 2 says that ICANN is ordering registries and registrars to collect data from domain name registrants in order to disclose that data to third parties. That is just wrong. The whole principle of collecting and processing data for the sake of unspecified third parties and unspecified uses contravenes basic privacy and data protection norms. The good guys in the EPDP tried to minimize the potential damage of this purpose by limiting it to “data elements collected for the other purposes identified herein,” but it is evident that the logic here is circular. We appeal to Data Protection Authorities and GDPR experts to confirm whether this is a legitimate purpose or not.
Our criticism of this “purpose” does not mean that there will never be third party access to the data; of course, there will be. Coming up with terms and conditions of access is step 2 in the EPDP process. We do however need to resist the notion that providing third party access is one of the purposes of Whois, as that points us backwards to the pre-GDPR system of open public Whois.
Purpose 7: A dangerous expansion
High up on the list of things to comment on is Purpose 7, an unexpected and potentially very dangerous late addition to the list of Whois purposes.
Purpose 7 states that one of the purposes of Whois data collection is to “Enabl[e] validation to confirm that Registered Name Holder meets optional gTLD registration policy eligibility criteria voluntarily adopted by Registry Operator.” What this means is that if a TLD registry has restricted eligibility requirements, then the registry operator or registrar can collect data from the registrant that allows the operator to validate their eligibility.
That sounds innocent enough, but we cannot help but notice that this creates an open-ended, enormous range of new data elements that might go into the public Whois. The registries say that they will redact this data, but once it’s in the Whois (RDDS) all that data could be disclosed to third parties. Should your driver’s license, national identity card or medical credentials (if you are a doctor) be put in a global database that intelligence agencies and law enforcement agencies the world over will be able to rummage through? If a registry deems that data necessary to determine your eligibility for their TLD, Purpose 7 could definitely lead to that outcome. The problem is that there is no need for this kind of data to be in the Whois. Registry Operators can – and currently do – collect and validate this data on their own, and since each specialized registry (including brand registries) has different criteria, it is appropriate for this validation process to be limited to individual registries, and not placed in Whois. We must guard against mission creep in the Whois service, and Purpose 7 is mission creep on steroids.
We steadfastly refuse to support a purpose that has the potential to greatly expand the ability both to process data in the Whois and to disclose it to third parties. Since the eligibility validation for registered name holders in specialized gTLDs is already done outside of the Whois, this additional processing of data does not comply with GDPR article 5.1(c) and the data minimization principle. Data processing should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This purpose is in no way necessary for all of ICANN. Only a few gTLD registries find it desirable. Unfortunately, they are not thinking about the wider consequences and potential abuses that could result.
The EPDP’s charter asks it to answer the following question:
- Should Registry Operators and Registrars (“Contracted Parties”) be permitted or required to differentiate between registrants on a geographic basis?
Here we run into the tension between ICANN’s global scope and the jurisdictional fragmentation of sovereign states. IGP prefers that the rules and norms governing Internet privacy be both strong and global in scope, to be congruent with the global scope of the DNS. Domain names in the same TLDs should not have different WHOIS outputs based on the circumstances of their registration. The best policy, then, is to have a uniform output that is legal in all jurisdictions.
Needless to say, the Intellectual Property and Business Constituencies, who are pining for the old Whois, advocate requiring contracted parties to differentiate their customers based on applicable jurisdiction. They advocate this because they believe it would exempt significant portions of the DNS from the rule of the GDPR. But this requirement would be costly and impractical. As the EPDP report notes, “The actual location of the registrant is not dispositive as to whether GDPR applies due to the industry use of globally dispersed processors.” In the current environment, such differentiation will be difficult to scale, costly, and, according to the contracted parties, neither commercially reasonable nor implementable.
Roles and Responsibilities
Last but not least, we have the fundamental issue of who is the data controller, and whether ICANN and the contracted parties are joint controllers. The EPDP Recommendation #13 is that “ICANN Org negotiates and enters into a Joint Controller Agreement (JCA) with the Contracted Parties.” Question 9 asks for public comment on whether the report’s breakdown of roles and responsibilities is the right model. ICANN’s legal department seemed surprisingly unprepared to deal with these questions, and ICANN Org’s liaisons to the EPDP seemed to be missing in action through discussions of this issue until the very end. Because this issue touches on complex legalities and on the distribution of liability between ICANN org and the contracted parties, it is a sleeper issue that could blow up the whole process. Public comment on this issue from experts is most welcome.
Despite the many areas in which consensus on a new policy has not been reached, the initial EPDP report is a major step forward in the process of reforming Whois. For the first time, it has come up with a defined set of purposes and has initiated a process of defining roles and responsibilities of the various parties involved in collecting and processing registrant data. It is ratifying the data redactions of the temp spec. Although there are surely interest groups who would like to avoid it, compliance with GDPR has been a major driver of the process.
We urge GDPR experts and privacy advocates to participate in the public comment period. Because of the rapid timetable of the EPDP, there will probably not be another chance. Your gateway to the public comment process is here. Prospective commentators are forewarned that ICANN staff has created a Google form that will structure your input, and may take some getting used to.