The 62nd ICANN public meeting will be starting this weekend. The location? Panama City, Panama. I’ll be there both representing Blacknight, as well as in my role as Chair of the Internet Infrastructure Coalition, as well as an elected representative of the Registrar Stakeholder Group to the GNSO Council. Translation? I’ll be wearing more than one hat!
ICANN meets three times a year for its public meetings, but there are also other activities which go on in between.
What is ICANN’s role?
Officially ICANN is meant to be a technical organisation that co-ordinates “names and numbers” ie. domain names and IP addresses. In reality what it’s ended up doing and covering is probably quite a bit broader, both officially and realistically. ICANN has ended up becoming a fulcrum for many discussions and debates around internet governance in general.
Blacknight, for example, is one of several hundred companies around the world that is officially accredited by ICANN to be a registrar. Put more simply ICANN has given us a “license” to sell domain names. The “license” is a mixture of a written contract and a miso-mash of policies. And to add to the complexity not only do we have a contract with ICANN, but we also have one with each domain name registry we deal with. So in order for us to be able to sell you a .com domain name we’ve got a contract with ICANN AND a contract with Versign.
Why does this matter?
ICANN was initially setup in the United States, in California to be precise. It came into being when the internet was already up and running and people had been doing things online for quite a number of years. Sure the overall penetration of internet usage back then was nowhere near to what we have now, but the point is that ICANN in many respects inherited a lot of stuff that was already there. Some of these things and the way they were handled were simply accepted “as is” and never really questioned.
The one that’s caused many of us headaches for years is whois.
Whois is the directory or database of domain names. In reality it’s not a single database, but actually a number of different ones. However when you do a lookup on a domain name the software knows which particular database to check before it gives you the information you’re looking for.
We’ve been quite vocal about our issues with how ICANN handles whois for years. However it’s only in light of GDPR (the General Data Protection Regulation) that ICANN has started to take the issue more seriously.
GDPR is not entirely new. It’s an evolution of pre-existing privacy legislation. The key difference is that under GDPR data protection authorities will now have real teeth and data subjects ie., you, me and anyone else, can demand that companies handle personal data properly.
So what’s going to be on the menu for discussion in Panama?
GDPR. GDPR and more GDPR.
As of the end of May ICANN has changed the rules for registrars and registries quite dramatically, but the rule change is temporary while we all work on a more permanent solution. Think of it as a big band-aid, it won’t fix the deep wound, but it’ll stem the flow of blood for a while.
Of course the changes mean that the amount of data being made public has been significantly reduced. And for some people this change is forcing them to go cold turkey.
For years people and organisations have had access to a LOT of data. They had unrestricted and complete access to everything. And in some respects they got addicted to that data
It’s not easy weaning addicts off their drug of choice!
So what are people looking for?
As a registrar we want the best for our clients and ourselves. We want to be compliant with the law, both Irish and European.
As I mentioned a couple of weeks ago, we’ve made changes to how we handle certain aspects of domain registration data. The email addresses that were in whois have all been replaced by a web form. What that means is two fold. Not only do we protect our registrants’ details from being exposed to the world, but as all contact has to go via a form we control we’re able to gather data about the volume of requests we’re getting.
The volume is tiny.
What about abuse?
We track abuse reports and we also have data on the volume of email (legitimate or not) that hits our mail servers.
Blacknight is not a big registrar. However we have consulted with other registrars who vary in size and their experiences have, to date, been very similar..
But more fundamentally why should we be obliged to abuse our clients’ trust?
What is there to be gained?
What have our clients done to deserve this?
Are our clients criminals?
Should “big brother” be allowed run amok with their data?
Our clients are as legitimate as any other conpany’s clients.
Some are unscrupulous, some are probably criminal. But the vast majority of our clients are simply interested in getting an online presence of some kind, sending email and doing business online in some way. Why should they all be made to suffer to satisfy the data addiction of some?
Access to the personal information of registrants should only be granted under limited circumstances.
There’s this lovely concept out there called “due process”.
Any access to data needs to be narrowly scoped and specific. If, for example, a domain is subject to a UDRP or URS (a formal arbitration process for trademark issues) then there’s a good reason to give the UDRP / URS providers access to data.
Beyond that, unless there is a very specific, narrow and clearly identified need then why should that data be made public?
Does that mean we’ll protect criminals?
No, but what it does mean is that we want our clients to feel confident that their data is NOT being shipped around the place and (ab)used by data addicts.
In the country code world, be that for co.uk or .fr registrant information isn’t shared widely and there are literally millions of names registered. Are those namespaces cesspools of “badness”? No. Can people can get access to data when they follow due process? Yes they can.
So why should ICANN do things differently?
I guess we’ll find out more over the course of the meeting next week here in Panama.