ICANN’s expedited policy development working group (EPDP), tasked with creating future policy for the collection, storage, transfer and disclosure of domain name registration data (commonly referred to as “WHOIS data”), concluded Phase 1 of its work in February, with the GNSO Council voting to approve the report and send it to the ICANN Board with a recommendation that it be adopted as the new policy for domain name registration data.
While the EPDP did a phenomenal job in identifying the lawful basis and purpose for processing each data element in WHOIS (a mind-numbing exercise required by GDPR), from the perspective of IP rights holders, law enforcement agents, child protection advocates and cybersecurity experts, the EPDP fell far short of developing policy that conformed to the actual scope of GDPR and that balanced the rights of domain registrants with the global public interest.
In its 152-page Final Report for Phase 1, the EPDP issued twenty-nine separate policy recommendations, including which “data elements” (WHOIS data fields) should be collected and stored by registrars (Recommendations #5 and #6) and which of those data elements should be displayed publicly versus redacted (Recommendation #10).
Contravening ICANN’s stated intent of retaining existing WHOIS to the extent possible, the EPDP declined to restrict this new policy to GDPR’s jurisdictional limits. In favor of global applicability of the new policy and convenience to registries and registrars, the EPDP allows for the redaction of all registrants’ WHOIS data. This policy allows registries and registrars to apply European law outside of its jurisdiction (Recommendation #16) and extends the law to corporate and legal entities (Recommendation #17), to which GDPR explicitly states it does not apply.
What is further troubling is the fact that the policy recommendations from Phase 1 actually weaken the original requirements contained in the initial Temporary Specification. For example, under the Temporary Specification, the registrant’s Organization (“Org”) field was required to be published. In the Final Report, the Org field can be redacted until the registrar or registry develops procedures for getting the registrant to confirm and/or correct the data in the Org field.
Other lowlights include the fact that registrars are now only required to collect a single Registrant contact (administrative and technical contacts are no longer required), and may, at the registrar’s option, offer their customers the ability to designate a technical contact (Recommendation #5). Should they choose to do so, the only supported technical contact data fields will be name, phone, and email. Like the Temporary Specification, the new policy prohibits registrars from publishing the contact’s actual email address absent consent, retaining the requirement for registrars to provide either an anonymized email forwarding address or a registrar-hosted web form to facilitate communication with the contact (Recommendation #13). The policy does not require registrars to indicate which method they use, nor to post the web form’s URL prominently anywhere, which will result in continued WHOIS output devoid of any clue as to how to contact the domain owner.
The Temporary Specification specifically recognized consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection as legitimate purposes for the lawful processing of registrant data. In the EPDP’s Final Report, however, there is no specific mention of any of these legitimate purposes, only a reference to processing for the purpose of “security, stability, and resiliency of the Domain Name System in accordance with ICANN’s mission,” with a mere footnote adding that this purpose “should not preclude disclosure in the course of investigating intellectual property infringement.” While this language intends to include the purposes explicitly enumerated in the Temporary Specification among other purposes within ICANN’s remit, it lacks the specificity desired by those of us who may come to rely on it in consumer protection, cybercrime investigation, DNS abuse, and IP protection work.
On the other hand, the EPDP did make valuable progress related to the obligation of registrars and registries to provide access to non-public registrant data after receiving a reasonable request from a third party. Recommendation #18 lays out specific criteria for making a request for lawful disclosure of the redacted registrant data. This clarity helps brand protection advocates, cybersecurity analysts and law enforcement agencies draft a request that allows registrars to perform the reasonableness test and ultimately decide whether to provide the requested data.
Registrars must also publish, in a publicly accessible section of their website, the mechanism and process for submitting these requests. Despite the useful clarity regarding the format for making a request, the recommendation does NOT require registrars or registries actually to disclose this information but instead allows registrars and registries to respond based on a subjective assessment of the request on its merits. Further work on defining registrar and registry response criteria will continue in Phase 2 of the EPDP.
Phase 1 did not address policies for future third-party accreditation and access to the non-public, redacted registrant data. That work will commence in Phase 2, which is expected to begin next week at the ICANN meeting in Kobe, Japan.
Members of the MarkMonitor GRM team will be participating in this next phase with the hope of creating consensus on an access model that will enable law enforcement, cybersecurity experts, child protection advocates, and brand holders to gain key information to prevent online abuse and criminal activities.