Whois policy published without life-saving disclosure rule

ICANN has updated its Registration Data Policy, the rules that govern what data registries and registrars need to collect from registrants and when to publish or supply it through Whois lookups or disclosure requests.

When it becomes enforceable in August next year, the new RDP will make full-fat ICANN Whois policy compliant with EU privacy law for the first time since the General Data Protection Regulation came into effect in May 2018.

But the new policy, which replaces a functionally very similar temporary policy, is notable not only for the extraordinary amount of time it took to produce, but also for not containing a disputed requirement for registrars and registries to quickly turn over private Whois data when human life is at risk.

The policy dictates what contact information registrars must collect from their customers, what they must share with their registries, escrow agents and others, and what they must redact in the public Whois (or Registration Data Directory Services, as it will become known when Whois is retired next January).

It also says that registries and registrars must acknowledge private data disclosure requests no more than two business days after receipt and respond to the requests in full less than 30 calendar days after that, barring delays caused by “exceptional circumstances”.

But, due purely to ICANN community politicking, the policy for now omits previously considered language on “urgent” disclosure requests for use in “circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation”.

I’d like to think such circumstances are incredibly rare, but if there’s a situation where a Whois disclosure could help prevent a bomb going off at a major internet exchange, a trans rights activist being hounded into suicide, or a little kid getting raped on a livestream, the new ICANN policy does not account for that.

The version of the policy published in July last year (pdf) did include an urgent requests provision, requiring contracted parties to either turn over the data or tell the requester to get lost within 24 hours of receipt.

But it also contained a bunch of exceptions that could allow registrars to extend that deadline by up to three business days. When weekends and public holidays are taken into account, this could mean as much as a full calendar week to process an “urgent”, potentially life-saving request.

For that reason, the Governmental Advisory Committee wrote to ICANN (pdf) last August to ask it to revisit the policy language, chuck out the reference to “business” days, and stick to a 24-hour response window

The original Expedited Policy Development Process Working Group that came up with the policy recommendations had not specified how long registrars and registries should have to respond to urgent disclosure requests, punting that decision to the Implementation Review Team that drafted the final language.

An August 2022 draft (pdf) put out for public comment made the response window two business days, with a possible one-day extension, but this was reduced to 24 hours last year in what registrars describe as a “significant compromise” given the operational reality of responding to disclosure requests.

In August last year, the Registrars Stakeholder Group told ICANN (pdf) that its members “are committed to responding to Urgent requests in the most swift and expeditious manner possible” but said it objected to the GAC’s last-minute demands for the urgent disclosures policy to be rewritten.

From the registrars’ perspective, handling disclosure requests for personal data is not a simple ask. It’s a legal decision, balancing the privacy rights of the registrant with the rights of others to access that information.

Get it wrong, and you’re open to litigation and fines substantial enough to be expressed as a percentage of your revenue. And, money aside, who wants to be the guy who, for example, accidentally helps the Iranian morality police murder a bunch of schoolgirls for wearing the wrong type of hat?

But the argument between the registrars and the governments comes down to issues of ICANN process. Both the GAC and the RrSG claimed the urgent disclosures bunfight highlights deficiencies in ICANN multistakeholderism, but for different reasons.

ICANN’s response to this disagreement was to remove the urgent requests clauses from the policy altogether, in the hope that further talks can find a solution. Chair Tripti Sinha wrote to the RrSG and GAC a couple weeks ago to tell them:

the Board concluded that it is necessary to revisit Policy Recommendation 18 concerning urgent requests in the context of situations that pose an imminent threat to life, serious bodily harm, infrastructure, or child exploitation, and the manner in which such emergencies are currently handled. For this, we believe that consultation with the GNSO Council is required.

ICANN has essentially kicked the can, which was what the GAC had asked for. The RrSG wanted the July 2023 language (one-plus-three days) or August 2022 language (two-plus-one days) published in the final policy.

It’s stuff like this that makes one scratch one’s head, stroke one’s chin, and wonder whether ICANN really is fit for purpose.

There were 2,312 days between the day the European Commission first proposed the GDPR to the day it became effective in all EU member states.

But 2,590 days will have passed between the day the GNSO Council initiated the EPDP and the day the new Registration Data Policy will become effective on all contracted parties, next August.

The lumbering, then-28-state European Union was faster at passing policy than ICANN, even when ICANN was using an “expedited” process.

And what ICANN eventually came up with couldn’t even agree on ways to help tackle murder, economic catastrophes, and the rape of kids.

ICANN hasn’t implemented a policy since 2016

It’s been over five years since ICANN last implemented a policy, and many of its ongoing projects are in limbo.

Beggars belief, doesn’t it?

The ongoing delays to new gTLD program policy and the push-back from ICANN on Whois policy recently got me thinking: when was the last time ICANN actually did anything in the policy arena apart from contemplate its own navel?

The Org’s raison d’être, or at least one of them, is to help the internet community build consensus policies about domain names and then implement them, but it turns out the last time it actually did that was in December 2016.

And the implementation projects that have come about since then are almost all frozen in states of uncertainty.

ICANN policies covering gTLD domains are usually initiated by the Generic Names Supporting Organizations. Sometimes, the ICANN board of directors asks the GNSO Council for a policy, but generally it’s a bottom-up, grass-roots process.

The GNSO Council kicks it off by starting a Policy Development Process, managed by working group stocked with volunteers from different and often divergent special interest groups.

After a few years of meetings and mailing list conversations, the working group produces a Final Report, which is submitted to the Council, and then the ICANN board, for approval. There may be one or more public comment periods along the way.

After the board gives the nod, the work is handed over to an Implementation Review Team, made up of ICANN staff and working group volunteers, which converts the policy into implementation, such as enforceable contract language.

The last time an IRT actually led to a GNSO policy coming into force, was on December 1, 2016. Two GNSO consensus policies became active that day, their IRTs having concluded earlier that year.

One was the Thick WHOIS Transition Policy, which was to force the .com, .net and .jobs registries to transition to a “thick” Whois model by February 2019.

This policy was never actually enforced, and may never be. The General Data Protection Regulation emerged, raising complex privacy questions, and the transition to thick Whois never happened. Verisign requested and obtain multiple deferrals and the board formally put the policy on hold in November 2019.

The other IRT to conclude that day was the Inter-Registrar Transfer Policy Part D, which tweaked the longstanding Transfer Dispute Resolution Policy and IRTP to streamline domain transfers.

That was the last time ICANN actually did anything in terms of enforceable, community-driven gTLD policy.

You may be thinking “So what? If the domain industry is ticking over nicely, who cares whether ICANN is making new policies or not?”, which would be a fair point.

But the ICANN community hasn’t stopped trying to make policy, its work just never seems to make the transition from recommendation to reality.

According to reports compiled by ICANN staff, there are 12 currently active PDP projects. Three are in the working group stage, five are awaiting board attention, one has just this month been approved by the board, and three are in the IRT phase.

Of the five PDPs awaiting board action, the average time these projects have been underway, counted since the start of the GNSO working group, is over 1,640 days (median: 2,191 days). That’s about four and a half years.

Counting since final policy approval by the GNSO Council, these five projects have been waiting an average of 825 days (median: 494 days) for final board action.

Of the five, two are considered “on hold”, meaning no board action is in sight. Two others are on a “revised schedule”. The one project considered “on schedule” was submitted to the board barely a month ago.

The three active projects that have made it past the board, as far as the IRT phase, have been there for an average of 1,770 days (median: 2,001 days), or almost five years, counted from the date of ICANN board approval.

So why the delays?

Five of the nine GNSO-completed PDPs, including all three at the IRT stage, relate to Whois policy, which was thrown into confusion by the introduction of the European Union’s introduction of the GDPR legislation in May 2018.

Two of them pre-date the introduction of GDPR in May 2018, and have been frozen by ICANN staff as a result of it, while three others came out of the Whois EPDP that was specifically designed to bring ICANN policy into line with GDPR.

All five appear to be intertwined and dependent on the outcome of the ICANN board’s consideration of the EPDP recommendations and the subsequent Operational Design Assessment.

As we’ve been reporting, these recommendations could take until 2028 to implement, by which time they’ll likely be obsolete, if indeed they get approved at all.

Unrelated to Whois, two PDPs relate to the protection of the names and acronyms of international governmental and non-governmental organizations (IGOs/INGOs).

Despite being almost 10 years old, these projects are on-hold because they ran into resistance from the Governmental Advisory Committee and ICANN board. A separate PDP has been created to try to untangle the problem that hopes to provide its final report to the board in June.

Finally, there’s the New gTLD Subsequent Procedures PDP, which is in its Operational Design Phase and is expected to come before the board early next year, some 2,500 days (almost seven years) after the PDP was initiated.

I’m not sure what conclusions to draw from all this, other than that ICANN has turned into a convoluted mess of bureaucracy and I thoroughly understand why some community volunteers believe their patience is being tested.

“GDPR is not my fault!” — ICANN fears reputational damage from Whois reform

Damned if we do, damned if we don’t.

That seems to an uncomfortable message emerging from ICANN’s ongoing discussions about SSAD, the proposed Standardized System for Access and Disclosure, which promises to bring some costly and potentially useless reform to the global Whois system.

ICANN’s board of directors and the GNSO Council met via Zoom last night to share their initial reactions to the ICANN staff’s SSAD Operational Design Assessment, which had been published just 48 hours earlier.

I think it’s fair to say that while there’s still some community enthusiasm for getting SSAD done in one form or another, there’s much more skepticism, accompanied by a fear that the whole sorry mess is going to make ICANN and its vaunted multistakeholder model look bad/worse.

Some say that implementing SSAD, which could take six more years and cost tens of millions of dollars, would harm ICANN’s reputation if, as seems quite possible, hardly anyone ends up using it. Others say the risk comes from pissing away years of building community consensus on a set of policy recommendations that ultimately don’t get implemented.

GNSO councillor Thomas Rickert said during yesterday’s conference call:

One risk at this stage that I think we need to discuss is the risk to the credibility of the functionality of the multi-stakeholder model. Because if we give up on the SSAD too soon, if we don’t come up with a way forward on how to operationalize it, then we will be seen as an organization that takes a few years to come up with policy recommendations that never get operationalized and that will certainly play into the hands of those who applaud the European Commission for coming up with ideas in NIS2, because obviously they see that the legislative process at the European and then at the national state level is still faster than ICANN coming up with policies.

NIS2 is a formative EU Directive that is likely to shake up the privacy-related legal landscape yet again, almost certainly before ICANN’s contractors even type the first line of SSAD code.

While agreeing with Rickert’s concerns, director Becky Burr put forward the opposing view:

The flip side of that is that we build it, we don’t have the volume to support it at a reasonable cost basis and it does not change the outcome of a request for access to the Whois data… We build it, with all its complexity and glory, no one uses it, no one’s happy with it and that puts pressure on the multi-stakeholder model. I’m not saying where I come out on this, but I feel very torn about both of those problems.

The ODA estimates the cost of building SSAD at up to $27 million, with the system not going live until 2027 or 2028. Ongoing annual operating costs, funded by fees collected from the people requesting private Whois data, could range from $14 million to $107 million, depending on how many people use it and how frequently.

These calculations are based on an estimated user base of 25,000 and three million, with annual queries of 100,000 and 12 million. The less use the system gets, the higher the per-query cost.

But some think the low end of these assumptions may still be too high, and that ultimately usage would be low enough to make the query fees so high that users will abandon the system.

Councillor Kurt Pritz said:

I think there’s a material risk that the costs are going to be substantially greater than what’s forecast and the payback and uptake is going to be substantially lower… I think there’s reputational risk to ICANN. We could build this very expensive tool and have little or no uptake, or we could build a tool that becomes obsolete before it becomes operational.

The low-end estimates of 25,000 users asking for 100,000 records may be “overly optimistic”, Pritz said, given that only 1,500 people are currently asking registrars for unredacted Whois records. Similarly, there are only 25,000 requests per year right now, some way off the 100,000 low-end ODA assumption, he said.

If SSAD doesn’t even hit its low-end usage targets, the fee for a single Whois query could be even larger than the $40 high-end ODA prediction, creating a vicious cycle in which usage drops further, further increasing fees.

SSAD doesn’t guarantee people requesting Whois data actually get it, and bypassing SSAD entirely and requesting private data directly from a registrar would still be an option.

There seems to be a consensus now that GDPR always requires registries and registrars to ultimately make the decision as to whether to release private data, and there’s nothing ICANN can do about it, whether with SSAD or anything else.

CEO Göran Marby jokingly said he’s thinking about getting a T-shirt printed that says “GDPR was not my fault”.

“The consequences of GDPR on the whole system is not something that ICANN can fix, that’s something for the legislative, European Commission and other ones to fix,” he said. “We can’t fix the law.”

One idea to rescue SSAD, which has been floated before and was raised again last night, is to cut away the accreditation component of the system, which Marby reckons accounts for about two thirds of the costs, and basically turn SSAD into a simplified, centralized “ticketing system” (ironically, that’s the term already used derisively to describe it) for handling data requests.

But the opposing view — that the accreditation component is actually the most important part of bringing Whois into GDPR compliance — was also put forward.

Last night’s Zoom call barely moved the conversation forward, perhaps not surprisingly given the limited amount of time both sides had to digest the ODA, but it seems there may be future conversations along the same lines.

ICANN’s board, which was in “listening mode” and therefore pretty quiet last night, is due to consider the SSAD recommendations, in light of the ODA, at some point in February.

I would be absolutely flabberghasted if they were approved in full. I think it’s far more likely that the policy will be thrown back to the GNSO for additional work to make it more palatable.

No SSAD before 2028? ICANN publishes its brutal review of Whois policy

Emergency measures introduced by ICANN to reform Whois in light of new privacy laws could wind up taking a full decade, or even longer, to bear dead-on-the-vine fruit.

That’s arguably the humiliating key takeaway from ICANN’s review of community-created policy recommendations to create a Standardized System for Access and Disclosure (SSAD), published this evening.

The Org has released its Operational Design Assessment (pdf) of SSAD, the first-ever ODA, almost nine months after the Operational Design Phase was launched last April.

It’s a 122-page document, about half of which is appendices, that goes into some detail about how SSAD and its myriad components would be built and by whom, how long it would take and how much it would cost.

It’s going to take a while for the community (and me) to digest, and while it generally veers away from editorializing it does gift opponents of SSAD (which may include ICANN itself) with plenty of ammunition, in the form of enumerated risk factors and generally impenetrable descriptions of complex systems, to strangle the project in the crib.

Today I’m just going to look at the timing.

Regular DI readers will find little to surprise them among the headline cost and timeline predictions — they’ve been heavily teased by ICANN in webinars for over a month — but the ODA goes into a much more detailed breakdown.

SSAD, ICANN predicts, could cost as much as $27 million to build and over $100 million a year to operate, depending on adoption, the ODA says. We knew this already.

But the ODA contains a more detailed breakdown of the timeline to launch, and it reveals that SSAD, at the most-optimistic projections, would be unlikely to see the light of day until 2028.

That’s a decade after the European Union introduced the GDPR privacy law in May 2018.

Simply stated, the GDPR told registries and registrars that the days of unfettered access to Whois records was over — the records contain personal information that should be treated with respect. Abusers could be fined big.

ICANN had been taken off-guard by the law. GDPR wasn’t really designed for Whois and ICANN had not been consulted during its drafting. The Org started to plan for its impact on Whois barely a year before it became effective.

It used the unprecedented top-down emergency measure of the Temporary Specification to force contracted parties to start to redact Whois data, and the GNSO Council approved an equally unprecedented Expedited Policy Development Process, so the community could create some bottom-up policy.

The EPDP was essentially tasked with creating a way for the people who found Old Whois made their jobs easier, such as intellectual property lawyers and the police, to request access to the now-private personal data.

It came up with SSAD, which would be a system where approved, accredited users could funnel their data requests through a centralized gateway and have some measure of assurance that they would at least be looked at in a standardized way.

But, considering the fact that they would not be guaranteed to have their requests approved, the system would be wildly complex, potentially very expensive, and easily circumvented, the ODP found.

It’s so complex that ICANN reckons it will take between 31.5 and 42 months for an outsourced vendor to build, and that’s after the Org has spent two years on its Implementation Review Team activities.

That’s up to almost six years from the moment ICANN’s board of directors approves the GNSO’s SSAD recommendations. That could come as early as next month (but as I reported earlier today, that seems increasingly unlikely).

The ODA points out that this timetable could be extended due to factors such as new legislation being introduced around the world that would affect the underlying privacy assumptions with which SSAD was conceived.

And this is an “expedited” process, remember?

Ten years ago, under different management and a different set of bylaws, ICANN published some research into the average duration of a Policy Development Process.

The average PDP took 620 days back then, from the GNSO Council kicking off the process to the ICANN board voting to approve or reject the policy. I compared it to an elephant pregnancy, the longest gestation period of all the mammals, to emphasize how slow ICANN had become.

Slow-forward to today, when the “expedited” PDP leading to SSAD has so far lasted 1,059 days, if we’re counting from when Phase 2 began in March 2019. It’s taken 1,287 days if we’re being less generous and counting from the original EPDP kicking off.

Nelly could have squeezed out two ankle-nibblers in that time. Two little elephants, one of which would most assuredly be white.

ICANN board not happy with $100 million Whois reform proposals

ICANN’s board of directors has given its clearest indication yet that it’s likely to shoot down community proposals for a new system for handling requests for private Whois data.

Referring to the proposed System for Standardized Access and Disclosure, ICANN chair Maarten Botterman said “the Board has indicated it may not be able to support the SSAD recommendations as a whole”.

In a letter (pdf) to the GNSO Council last night, Botterman wrote:

the complexity and resources required to implement all or some of the recommendations may outweigh the benefits of an SSAD, and thus may not be in the best interests of ICANN nor the ICANN community.

The SSAD would be a centralized way for accredited users such as trademark lawyers, security researchers and law enforcement officers to request access to Whois data that is currently redacted due to privacy laws such as GDRP.

The system was the key recommendation of a GNSO Expedited Policy Development Process working group, but an ICANN staff analysis last year, the Operational Design Phase, concluded that it could be incredibly expensive to build and operate while not providing the functionality the trademark lawyers et al require of it.

ICANN was unable to predict with any accuracy how many people would likely use SSAD. It will this week present its final ODP findings, estimating running costs of between $14 million and $107 million per year and a user base of 25,000 to three million.

At the same time, ICANN has pointed out that its own policies cannot overrule GDPR. Registries and registrars still would bear the legal responsibility to decide whether to supply private data to requestors, and requestors could go to them directly to bypass the cost of SSAD altogether. Botterman wrote:

This significant investment in time and resources would not fundamentally change what many in the community see as the underlying problem with the current process for requesting non-public gTLD registration data: There is no guarantee that SSAD users would receive the registration data they request via this system.

ICANN management and board seem to be teasing the GNSO towards revising and scaling back its recommendations to make SSAD simpler and less costly, perhaps by eliminating some of its more expensive elements.

This moves ICANN into the perennially tricky territory of opening itself up to allegations of top-down policy-making.

Botterman wrote:

Previously, the Board highlighted its perspective on the importance of a single, unified model to ensure a common framework for requesting non-public gTLD registration data. However, in light of what we’ve learned to date from the ODP, the Board has indicated it may not be able to support the SSAD recommendations as a whole as envisioned by the EPDP. The Board is eager to discuss next steps with the Council, as well as possible alternatives to design a system that meets the benefits envisioned by the EPDP

The board wants to know whether the GNSO Council shares its concerns. The two parties will meet via teleconference on Thursday to discuss the matter. The ODP’s final report may be published before then.

ICANN trying to strangle SSAD in the crib?

ICANN is trying to kill off or severely cripple Whois reform because it thinks the project stands to be too expensive, too time-consuming, and not fit for purpose.

That’s what many long-time community members are inferring from recent discussions with ICANN management about the Standardized System for Access and Disclosure (SSAD), a proposed method of normalizing how people request access to private, redacted Whois data.

The community has been left trying to read the tea leaves following a December 20 briefing in which ICANN staff admitted they have failed to even approximately estimate how well-used SSAD, which has been criticized by potential users as pointless, might be.

During the briefing, staff gave a broad range of implementation times and cost estimates, saying SSAD could take up to four years and $27 million to build and over $100 million a year to operate, depending on adoption.

The SSAD idea was thrown together in, by ICANN standards, super-fast time with a super-tenuous degree of eventual consensus by a cross-community Expedited Policy Development Process working group.

One of the EPDP’s three former chairs, Kurt Pritz, a former senior ICANN staffer who’s been heavily involved in community work since his departure from the Org in 2012, provided his read of the December webinar on a GNSO Council discussion this week.

“I’ve sat through a number of cost justification or cost benefit analyses in my life and got a lot of reports, and I’ve never sat through one that more clearly said ‘Don’t do this’,” Pritz said.

GNSO liaison to the Governmental Advisory Committee Jeff Neuman concurred moments later: “It seemed that we could imply from the presentation that that staff was saying ‘Don’t do it’… we should require them to put that in writing.”

“It was pretty clear from the meeting that ICANN Org does not want to build the SSAD. Many people in the community think its estimates are absurdly inflated in order to justify that conclusion,” Milton Mueller of the Internet Governance Project recently wrote of the same webinar.

These assessments seem fair, to the extent that ICANN appears seriously averse to implementing SSAD as the recommendations are currently written.

ICANN repeated the December 20 cost-benefit analysis in a meeting with the GAC this week, during which CEO Göran Marby described the limitations of SSAD, and how it cannot override privacy laws such as the GDPR:

It’s not a bug, it’s a feature of GDPR to limit access to data…

The SSAD is a recommended system to streamline the process of requesting data access. It cannot itself increase access to the data, as this is actually determined by the law. And so, in practice, the SSAD is expected to have little to no impact on the contracted parties’ ultimate disclosure or nondisclosure response to requests… it’s a ticketing system with added functionality.

While Marby stressed he was not criticizing the EPDP working group, that’s still a pretty damning assessment of its output.

Marby went on to reiterate that even if SSAD came into existence, people wanting private Whois data could still request it directly from registries and registrars, entirely bypassing SSAD and its potentially expensive (estimated at up to $45) per-query fees.

It seems pretty clear that ICANN staff is not enthused about SSAD in its current form and there’s a strong possibility the board of directors will concur.

So what does the policy-making community do?

There seems to be an emerging general acceptance among members of the GNSO Council that the SSAD proposals are going to have to be modified in some way in order for them to be approved by the board.

The question is whether these modifications are made preemptively, or whether the GNSO waits for more concrete feedback from Org and board before breaking out the blue pen.

Today, all the GNSO has seen is a few PowerPoint pages outlining the top-line findings of ICANN’s Operational Design Assessment, which is not due to be published in full until the board sees it next month.

Some Council members believe they should at least wait until the full report is out, and for the board to put something on the record detailing its reservations about SSAD, before any changes are made.

The next update on SSAD is an open community session, likely to cover much of the same ground as the GAC and GNSO meetings, scheduled for 1500 UTC on January 18. Details here.

The GNSO Council is then scheduled to meet January 20 for its regular monthly meeting, during which next steps will be discussed. It will also meet with the ICANN board later in the month to discuss its concerns.

Whois reform to take four years, cost up to $107 million A YEAR, and may still be pointless

ICANN’s proposed post-GDPR Whois system could cost over $100 million a year to run and take up to four years to build, but the Org still has no idea whether anyone will use it.

That appears to be the emerging conclusion of ICANN’s very first Operational Design Phase, which sought to translate community recommendations for a Standardized System for Access and Disclosure (SSAD) into a practical implementation plan.

SSAD is supposed to make it easier for people like trademark owners and law enforcement to request personal information from Whois records that is currently redacted due to privacy laws such as GDPR.

The ODP, which was originally meant to conclude in September but will now formally wrap up in February, has decided so far that SSAD will take “three to four years” to design and build, costing between $20 million and $27 million.

It’s calculated the annual running costs at between $14 million and $107 million, an eye-wateringly imprecise estimate arrived at because ICANN has pretty much no idea how many people will want to use SSAD, how much they’d be prepared to pay, and how many Whois requests they will likely make.

ICANN had previously guesstimated startup costs of $9 million and ongoing annual costs around the same level.

The new cost estimates are based on the number of users being anywhere between 25,000 and three million, with the number of annual queries coming in at between 100,000 and 12 million.

And ICANN admits that the actual demand “may be lower” than even the low-end estimate.

“We haven’t been able to figure out how big the demand is,” ICANN CEO Göran Marby told the GNSO Council during a conference call last month.

“Actual demand is unknowable until well after the launch of the SSAD,” an ICANN presentation (pdf) states. The Org contacted 11 research firms to try to get a better handle on likely demand, but most turned down the work for this reason.

On pricing, the ODP decided that it would cost a few hundred bucks for requestors to get accredited into the system, and then anywhere between $0.45 and $40 for every Whois request they make.

Again, the range is so laughably broad because the likely level of demand is unknown. A smaller number of requests would lead to a higher price and vice versa.

Even if there’s an initial flurry of SSAD activity, that could decline over time, the ODP concluded. In part that’s because registries and registrars would be under no obligation to turn over records, even if requestors are paying $40 a pop for their queries.

It’s also because SSAD would not be mandatory — requestors could still approach contracted parties directly for the info they want, for low or no cost, if they think the price of SSAD is too high or accreditation requirements too onerous.

“There’ll always be a free version of this for everybody,” Marby said on the conference call.

In short, it’s a hell of a lot of money for not much functionality. There’s a better than even chance it could be a huge waste of time and money.

An added complication is that the laws that SSAD is supposed to address, mainly GDPR, are likely to change while it’s being implemented. The European Union’s NIS2 Directive stands to move the goalposts on Whois privacy substantially, and not uniformly, in the not-too-distant future, for example.

This is profoundly embarrassing for ICANN as an organization. Created in the 1990s to operate at “internet speed”, it’s now so bloated, so twisted up it its own knickers, that it’s getting lapped by the lumbering EU legislative process.

The ODP is set to submit its final report to ICANN’s board of directors in February. The board could theoretically decide that it’s not in the interest of ICANN or the public to go ahead with it.

Marby, for his part, seems to be thinking that there could be some benefit from a centralized hub for submitting Whois requests, but that it should be simpler than the current “too complex” proposal, and funded by ICANN.

My take is that ICANN is reluctant to move ahead with SSAD as it’s currently proposed, but because top-down policy-making is frowned upon its hands are tied to make the changes it would like to see.

More non-rules proposed for Whois privacy

An ICANN working group has come up with some extra policy proposals for how registries and registrars handle Whois records, but they’re going to be entirely optional.

The ongoing Expedited Policy Development Process team has come up with a document answering two questions: whether registrars should differentiate between people and companies, and whether there should be a system of uniform, anonymized email addresses published in Whois records.

The answer to both questions is a firm “Maybe”.

The EPDP working group seems to have been split along the usual party lines when it comes to both, and has recommended that contracted parties should get to choose whether they adopt either practice.

Under privacy laws, chiefly GDPR, protections only extend to data on natural persons — people — and not to legal persons such as companies, non-profits and other amorphous entities.

Legally, registries and registrars are not obliged to fully redact the Whois records of domains belonging to companies, but many do anyway because it’s easier than putting systems in place to differentiate the two types of registrant.

There’s also the issue that, even if the owner of the domain is a company, the contact information may belong to a named, identifiable person who is protected by GDPR. So ICANN’s contracted parties may reduce their potential liability by redacting everything, no matter what type of entity the domain belongs to.

The EPDP’s has decided to stick to the status quo it agreed to in an earlier round of policy talks: “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.

Contracted parties will get the option to ask their registrants if they’re a natural person (yes/no/not saying) and capture that data, but they’ll have to redact the answer from public Whois output.

They’d have to “clearly communicate” to their customers the fact that their data will be treated differently depending on the choice they make.

On the second question, related to whether a system standardized, published, anonymized email addresses is feasible or desirable, the EPDP is also avoiding any radical changes:

The EPDP Team recognizes that it may be technically feasible to have a registrant-based email contact or a registration-based email contact. Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time.

Again, the working group is giving registries and registrars the option to implement such systems or not.

The benefit (or drawback, depending on your perspective) of giving each registrant a single anonymous email address that is published in all their Whois records is that it makes it rather easy to reverse-engineer that registrant’s entire portfolio.

If you’re a political insider running a whistle-blower blog, a bar owner who also moderates a forum for closeted gays in a repressive regime, or a domain name news blogger running a furry porn site on the side, you might not want your whole collection of domains to be easily doxxed.

But if you’re a trademark lawyer chasing cybersquatters or a security researcher tracking spammers, being able to take action against a ne’er-do-well’s entire portfolio at once could be hugely useful.

So the EPDP working group proposes to leave it up to individual registries and registrars to decide whether to implement such a system, basically telling these companies to talk to their lawyers.

The EPDP Team recommends that Contracted Parties who choose to publish a registrant- or registration-based email address in the publicly accessible RDDS should ensure appropriate safeguards for the data subject in line with relevant guidance on anonymization techniques provided by their data protection authorities and the appended legal guidance in this recommendation

An appendix to the recommendations, compiled by the law firm Bird & Bird, says there’s “a high likelihood that the publication or automated disclosure of such email addresses would be considered to be the processing of personal data”.

The EPDP recommendations are now open for public comment until July 19, and could become binding if they make it through the rest of the ICANN policy development system.

IP lobby demands halt to Whois reform

Trademark interests in the ICANN community have called on the Org to freeze implementation of the latest Whois access policy proposals, saying it’s “not yet fit for purpose”.

The Intellectual Property Constituency’s president, Heather Forrest, has written (pdf) to ICANN chair Maarten Botterman to ask that the so-called SSAD system (for Standardized System for Access and Disclosure) be put on hold.

SSAD gives interested parties such as brands a standardized pathway to get access to private Whois data, which has been redacted by registries and registrars since the EU’s Generic Data Protection Regulation came into force in 2018.

But the proposed policy, approved by the GNSO Council last September, still leaves a great deal of discretion to contracted parties when it comes to disclosure requests, falling short of the IPC’s demands for a Whois that looks a lot more like the automated pre-GDPR system.

Registries and registrars argue that they have to manually verify disclosure requests, or risk liability — and huge fines — under GDPR.

The IPC has a few reasons why it reckons ICANN should slam the brakes on SSAD before implementation begins.

First, it says the recommendations sent to the GNSO Council lacked the consensus of the working group that created them.

Intellectual property, law enforcement and security interests — the likely end users of SSAD — did not agree with big, important chucks of the working group’s report. The IPC reckons eight of the 18 recommendations lacked a sufficient degree of consensus.

Second, the IPC claims that SSAD is not in the public interest. If the entities responsible for “policing the DNS” don’t think they will use SSAD due to its limitations, then why spend millions of ICANN’s money to implement it?

Third, Forrest writes that emerging legislation out of the EU — the so-called NIS2, a draft of a revised information security directive —- puts a greater emphasis on Whois accuracy

Forrest concludes:

We respectfully request and advise that the Board and ICANN Org pause any further work relating to the SSAD recommendations in light of NIS2 and given their lack of community consensus and furtherance of the global public interest. In light of these issues, the Board should remand the SSAD recommendations to the GNSO Council for the development of modified SSAD recommendations that meet the needs of users, with the aim of integrating further EU guidance.

It seems the SSAD proposals will be getting more formal scrutiny than previous GNSO outputs.

When the GNSO Council approved the recommendations in September, it did so with a footnote asking ICANN to figure out whether it would be cost-effective to implement an expensive — $9 million to build, $9 million a year to run — system that may wind up being lightly used.

ICANN has now confirmed that SSAD and the other Whois policy recommendations will be one of the first recipients of the Operational Design Phase (pdf) treatment.

The ODP is a new, additional layer of red tape in the ICANN policy-making sausage machine that slots in between GNSO Council approval and ICANN board consideration, in which the Org, in collaboration with the community, tries to figure out how complex GNSO recommendations could be implemented and what it would cost.

ICANN said this week that the SSAD/Whois recommendations will be subject to a formal ODP in “the coming months”.

Any question about the feasibility of SSAD would be referred back to the GNSO, because ICANN Org is technically not supposed to make policy.

Public comments open on new Whois policies

It’s your last chance to comment on ICANN’s proposed revisions to Whois policy.

ICANN has opened up public comments on what it opaquely calls EPDP Phase 2 Policy Recommendations for Board Consideration.

Why it just can’t use the term “Whois access”, or announce its public comment periods in layman’s terms is beyond me. Doesn’t it want public comments? Still, translating this nonsense into English keeps me in work, so I guess I won’t complain too hard.

The main feature of the proposed policy is a multi-tiered, somewhat centralized system for requesting access to Whois data about private registrants that has been redacted since the EU’s General Data Protection Regulation came into effect in May 2018.

It’s called SSAD, for System for Standardized Access and Disclosure, which was pieced together by a working group of community volunteers over a year.

Domain companies are generally okay with the compromise it represents, but intellectual property interests and others who would actually use the system think it’s a useless waste of money.

It’s expected to cost $9 million to build and $9 million a year to run.

There’s so much uncertainty about the system that in parallel with the public comments ICANN is also consulting with the GNSO Council, which approved the proposals in September, to figure out whether it’s even workable, and with the European Commission to figure out if it’s even legal.

After the public comment period closes on March 30, the comments will be compiled by ICANN staff and burned on a big fire sent to the ICANN board for final approval.