We’ve talked about the conflicts between our ICANN contract and privacy law in the past. Not once, not twice, but multiple times. We refused to sign the 2013 Registrar Accreditation Agreement (RAA) with ICANN until we’d received a data retention waiver. That decision probably cost us money, but if we have to choose between operating legally or illegally our path is clear.
We’ve also been talking a bit about GDPR, and how WHOIS and various other obligations imposed on us, either directly by ICANN or indirectly through its contracts with the domain name registries, are problematic.
So who decides what is permissible when it comes to privacy rules? Short answer: the data protection authorities.
If you want to know what the general view of something is then you need to talk to all the EU DPAs at once, which is where the Article 29 Working Party comes into play. They’re the body where all the DPAs in the EU go and they often issue advice as a collective group. If the Article 29 WP make a formal statement on something (and they regularly do) then that statement carries the weight of all 28 data protection authorities of the European Union member states. So you need to take it very seriously.
So ICANN decided to ask Article 29 for some specific guidance about WHOIS and how ICANN plans to deal with it in light of GDPR. You can read the original letter here. Article 29 were meeting in Brussels this week and they not only discussed the ICANN request, but issued formal advice in response to ICANN’s letters.
The advice is pretty damn clear and isn’t exactly “news” for those of us who’ve been reading Article 29’s missives to ICANN over the past decade (and more).
There are a few bits in the response that are worth highlighting, but this one in particular struck me as being worthy of attention (emphasis added):
ICANN should take care in defining purposes in a manner which corresponds to its own organisational mission and mandate, which is to coordinate the stable operation of the Internet’s unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case
Basically what they’re saying is that ICANN’s attempts to retrofit current usage of WHOIS data to data protection law are fundamentally flawed. ICANN’s mandate is narrow, and if third parties want access to data for reasons outside that narrow mandate, ICANN should not be acting as their proxy.
Over the past couple of months we’ve had notifications from multiple country code domain name registries (ccTLDs) about how they’re changing the collection, processing and publication of domain name registration data (I’ve a separate blog post in the works that will cover a lot of this!) and it’s very clear that the current “status quo” is simply not viable.
So what does all of this mean?
Come the end of May public whois as we know it will be dead.
This does not come as a surprise to many of us – we’ve been raising issues with it going back years. However the upcoming changes to public whois will upset some people.
What will ICANN do?
It’s not yet 100% clear, but it’s pretty clear that they’ll have to follow the advice that they requested. (Be careful what you ask for!!)
Registrars and registries, including ourselves, are not interested in operating outside the law.
It’s the law.
(Sorry – I couldn’t resist the Judge Dredd reference!)
ICANN’s “interim model” may not be 100% perfect in every way, but with some tweaks many of us believe it could be viable.
Will the “death” of public whois lead to problems?
Sure, but let’s be realistic and not hysterical about it.
There will be some issues that will definitely arise, but if public whois data was as important as some would have us believe then many big ccTLDs would have massive headaches.
That doesn’t mean that we don’t see a “value” in WHOIS data. We do, but the last 10+ years of circular conversations, task forces and work groups within ICANN have never resolved anything. Privacy extremists want complete anonymity, while IP lawyers and anti-abuse types want all the data. And, unfortunately, the number of informed people from those groups who were willing to either compromise, think outside the box a little or come up with different ways to achieve similar results has been tiny.
And what of the ICANN response?
Their formal letter might go out in the next few days and whatever it says will have been carefully vetted by their legal team.
You can read their initial reaction here.
UPDATE: Since originally publishing this article earlier today I’ve spoken to senior ICANN Staff who have clarified a couple of things in the ICANN response (linked to above).
ICANN had asked for “forbearance” of enforcement in their communication to Article 29. They didn’t receive it, so they are going to explore other legal routes to get that moratorium. The “delay” in enforcement is to allow registrars and registries to implement the changes necessary to operate a compliant suite of systems and processes. Also interestingly ICANN is asking to be included in ANY proceedings taken against a registrar or registry in relation to WHOIS anywhere in the EU.