Internet overlord ICANN has hit on an ingenious solution to the impending collision of the domain name system’s Whois service and incoming European privacy legislation: let everyone else figure it out.
Following a week of testy meetings in which domain registries and registrars complained they face business-destroying fines if they fail to comply with the General Data Protection Regulation (GDPR) due to go into force in May next year, ICANN put out a statement in which it said it wouldn’t find them in breach of contract if they promised to tell the organization what the solution was.
“During this period of uncertainty, and under the conditions noted below, ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data,” ICANN magnanimously offered.
“To be eligible, a contracted party that intends to deviate from its existing obligations must share its model with ICANN Contractual Compliance and the Global Domains Division.”
In other words, ICANN won’t punish companies for breaking its soon-to-be illegal contract if they can figure out how to help it save face by coming up with a solution to the problem.
And that problem is that under the current Whois system – overseen by ICANN – a domain name registrant’s details including their name, address and telephone numbers must be supplied and published publicly. But that approach is in direct contradiction to the incoming European law that requires companies gain clear permission from people before storing or publishing their personal information.
The law also only affects European citizens so it is not necessary for, say, US citizens’ details to be protected equally.
To ICANN’s credit, the organization has tried repeatedly to address concerns over Whois for the past 15 years. But such efforts have failed miserably each time, in large part because powerful interests within the California-based non-profit prefer the flawed status quo to an updated system in which they might lose access to information or be required to introduce new systems or checks.
Any hope that the impending May deadline would lift the ICANN community out of its entrenched positions and prompt it to work collectively died almost immediately, however, as special interest groups jockeyed for position and acted as though the previous 15 years of discussions had never happened.
A representative of the US government’s Federal Trade Commission (FTC) said at one of several special meetings held over GDPR and its impact on Whois that the first step was for ICANN to carry out investigation efforts to find out who was involved in unlawful online conduct.
That comment led to despair from another respected observer, Wout de Natris, a former European regulator and cybercrime expert. “It’s 2017,” he tweeted. “Former OPTA chair Fonteijn and I presented on this topic in ICANN Marrakesh in 2006.”
Indeed, the entire decades-long debate over improving Whois has often felt like the most boring imaginable version of Groundhog Day. Seemingly endless surveys and investigative reports are produced, gradually turned into recommendations, and then shot down, only for everyone to agree that the best way forward is to start another study group.
Several years ago, the part of ICANN that covers the domain registry and registrar business, the Generic Names Supporting Organization (GNSO), actually reached agreement on what the purpose of Whois data collection was – in the hope that that would then lead to a policy discussion to devise new rules. But even that effort lasted only a few months after governments and (mostly American) business groups opposed it.
Thanks for nothing
This week, the world’s governments through the Governmental Advisory Committee (GAC) also provided ICANN with its own advice on resolving the Whois issue – by pointing to principles that it developed back in 2007.
“The 2007 GAC Whois Principles continue to reflect the important public policy issues associated with Whois services,” the governments’ communiqué [PDF] noted. “Accordingly, ICANN should take these issues into account as it moves forward with its planning to comply with the European Union’s General Data Protection Regulation (GDPR).”
Rather unhelpfully however, at the same time that the GAC asked ICANN to resolve the issue, it also listed all the requirements that have made it impossible to find a solution, and insisted they be included.
“It is urgent to address these issues and that the GAC should be fully involved in the design and implementation of any (including interim) solution and requests that ICANN practice transparency vis-à-vis the multistakeholder community in its GDPR activities,” the GAC concluded before lighting the fuse and handing over the black bomb.
ICANN’s staff know only too well that they are not going to be able to get the broader internet community to agree on a solution. At the same time, however, the organization lacks the wherewithal to find a way through the impasse while also wanting to ensure that the debacle doesn’t undermine its authority.
That authority was directly questioned earlier this month when the registry operator for .amsterdam and .frl rejected ICANN’s legal threat that it was in breach of its contract by not offering a Whois service.
The operator noted simply that the relevant part of the contract was “null and void” because it conflicted with European legislation. If ICANN loses its ability to impose contracts on the domain name system, it would not only lose its authority but also its ability to claim the tens of millions of dollars it collects through those contracts every year.
Which is what led to the brusque insistence by ICANN that it is still in charge, and that its contracts are still in force, but it will overlook people explicitly breaking those contracts if they supply it with an explanation of how on Earth it can reconcile two opposing ideas into one system.
Compromises don’t get much worse than that. ®