March 4 was a landmark day in the history of Whois. The final report of ICANN’s Expedited Policy Development Process (EPDP), setting out a new, more or less privacy-compliant Whois policy, was approved by the GNSO Council, ICANN’s policy development organ for domain names. The policy recommendations in that report, which enjoyed overwhelming approval but not quite full consensus, now move to approval by the ICANN Board. This is not just a big victory for Internet privacy advocates; it is a victory for common sense and fair process.
This blog post covers two related themes: first, it explains and describes the new, reformed Whois policy; second, it discusses the emergence of more data showing how cybersecurity has NOT been affected by the redaction of Whois data over the last 9 months.
The EPDP final report concludes a hard-fought, years-long effort to define the purpose of Whois in a way that is based not on how third parties want to use data, but upon what data actually needs to be collected and transferred to make the DNS work.
Discussion of this issue has been distorted for years by ICANN’s propensity to cater to special interest groups (mainly trademark interests but also law enforcement agencies) who conflate their interest in getting access to Whois data with the actual purpose for collecting it. The temporary specification’s discussion of Whois purpose was especially awful (see section 4, page 5). It is amazing how much progress was made having started from that baseline. The need to comply with GDPR, however, gave privacy advocates and the contracted parties a hammer with which to pound away at illegitimate constructions of Whois purposes.
After months of intensive debate, the EPDP ended up with 5 or 6 legitimate purposes, and one stinker that was inserted at the insistence of the surveillance interests. What follows are quick summaries of these purposes. These summaries are meant to be comprehensible to humans, rather than verbatim quotes suitable for lawyers:
- Purpose 1: To activate a registered name, allocate it to a name holder, and establish the rights of the holder in a registered name.
- Purpose 2: To enable responses to lawful data disclosure requests, to maintain the security, stability, and resiliency of the Domain Name System in accordance with ICANN’s mission.
- Purpose 3: To enable communication with the registered name holder on matters relating to the registered name.
- Purpose 4: To provide mechanisms for safeguarding Registered Name Holders’ Registration Data in the event of a business or technical failure.
- Purpose 5: To enable contractual compliance monitoring requests and audit activities.
- Purpose 6: To operationalize policies for the resolution of domain name disputes.
- Purpose 7: To enable registries to validate that a registrant meets the registry’s eligibility criteria.
The final report also identified the specific data elements that need to be collected and transferred to fulfill the identified purposes.
Background on the process
If you haven’t already guessed, Purpose 2 was the stinker. It is not actually a purpose for collecting or processing registrant data. Enabling disclosures of registrant data to third parties has nothing to do with making domain names work. All the contracted parties, all members of the Noncommercial Stakeholder Group, and many public comments opposed this purpose for that reason. Collecting data for the purpose of disclosure to third parties who want it is an open-ended mandate that flies in the face of any notion of data protection or data minimization. But the Intellectual Property Constituency (IPC), Business Constituency (BC) and Governmental Advisory Committee (GAC) representatives wanted desperately to define this as a “purpose” of Whois. They ignored the fact that under GDPR third parties with a legitimate interest can legally request disclosure of redacted data. They ignored the fact that the EPDP made specific commitments to define such a disclosure process as a next step (see recommendations 3 and 18). This pseudo-purpose was simply not needed, and in fact the report says in a footnote: “The proposed Purpose 2 in this report is a placeholder, pending further legal analysis of the controller/joint controller relationship, and consultation with the European Data Protection Board.”
Nevertheless, after months of debate and wordsmithing, the EPDP came up with a wording of this “purpose” designed to minimize any damage it might do. A compromise was made in order to pave the way for a broad consensus on the reforms. Yet, in a display of petulance that will live in infamy, IPC and BC did not vote for this purpose as worded, nor did they vote for the final report as a whole in the final consensus call. (The GAC, to its credit, did join in the consensus in the EPDP.) Led, appropriately enough, by a Facebook representative, the IPC/BC stance revealed that their commitment to the open-access Whois of old hasn’t changed; it also showed how deeply out of touch with the legalities they are.
In addition to defining purposes properly, the reforms basically ratified the redactions of Whois data that are already part of the temporary specification. In the reformed public Whois, lots of data about the domain will still be published for anyone to see. This includes the registrar and its abuse contact email and phone number, the creation and last update dates of the domain, the country and state/province in which the registrant resides, and the nameservers and their IP addresses.
The data that will be redacted is:
- Registrant name
- Registrant organization (but see qualification below)
- Registrant street address and city
- Phone number
- Email address
In other words, only the most sensitive personally identifiable information will be redacted in the public Whois. Furthermore, registrants can reveal this data if they want: according to Recommendation 6, registrars must allow their customers to request open publication of their registration data “as soon as commercially reasonable.”
As part of the furious battle by the surveillance caucus to preserve as much of the old Whois as possible, the issues of legal vs. natural persons, the organization field, and geographic differentiation were debated extensively. These issues were resolved in ways that gave registrars discretion, because they are on the hook legally if publication of the relevant data violates GDPR or other privacy laws.
According to Recommendation 12, the Organization field can be published if registrars can gain the consent of the registrant. If the registered name holder does not confirm the publication, registrars can decide whether to redact the Organization field or delete its content. Hence, registrars must set in motion a process to let registrants “opt in” to publication.
Geographic differentiation also led to a standoff that will be resolved at the registrar’s option. According to Recommendation 16, Registrars and Registry Operators are permitted to differentiate between registrants on a geographic basis, but are not obligated to do so. Geographic differentiation creates major risks for registrars. If they publish the data of someone who happens to be subject to GDPR, or use a processor who is, they are in trouble. For them it is better to have a uniform standard. As many of us argued in the EPDP, ICANN should be administering a uniform global standard anyway; that was the reason to create it.
Likewise, according to Recommendation 17, Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so. The surveillance caucus fought hard to force registrars to publish all data about legal persons. The problem with this requirement, however, is that most ordinary people don’t understand the distinction between a legal and natural person; and with many small organizations, the line between organizational and personal contact information can be blurry. So any mandate to differentiate legal and natural persons would risk sweeping up many natural persons in its net. Giving registrants the right to opt in to publication is a much better, more privacy-respecting solution. Not willing to give up, however, the surveillance caucus insisted on including in this recommendation a call for ICANN Org to do “a study” about the feasibility of making these distinctions.
In the meantime, the redaction of Whois data has corresponded to a general decline in certain forms of Internet and domain name-related abuse. Cisco’s Talos measurements say that spam volume is down by more than 50% in the last year. The Anti-Phishing Working Group (APWG) released data saying that phishing levels are also down: “The number of confirmed phishing sites declined as 2018 proceeded.” While there are concerns that phishers may be shifting to new tactics not captured by statistics, that is merely informed speculation. The truth is, scare-talk claims that redacting Whois data would facilitate or increase cybercrime are simply not supported by any facts. We do not claim that the redaction of Whois for privacy purposes caused the declines, but we can certainly see that it didn’t cause an increase, either.
The ball is now in the ICANN board’s court. It should be ratified at the ICANN Kobe meeting next week. It is inconceivable that they would mess with such a difficult, rapidly developed and overwhelmingly supported new policy. But we will see.