This article originally appeared in Dot Nxt in 2013 (PDF: dotnxt_whois_review_article). It has been edited for republication.
In May 2012, the ICANN Whois Review Team delivered its final report to the ICANN board with a real sense of achievement.
As the system for providing details about who is in charge of any given Internet domain name, the Whois is critical to the proper functioning the domain name system. As such, it is one of four issues highlighted for independent review under ICANN’s deal with the US Government, the Affirmation of Commitments. Thus in October 2010, ICANN’s WHOIS Review Team was drawn from across the community to perform this important task.
Despite being an apparently inoffensive directory of contact details, Whois has proved one of the most intractable and divisive issues within the ICANN community for more than a decade. The ICANN WHOIS Review had to understand the different interests rolled up within Whois, and how these interact with ICANN’s power dynamics.
ICANN WHOIS Review: availability of data for law enforcement
The ICANN WHOIS Review Team was tasked to look at the extent to which ICANN’s Whois policy and implementation are effective, meet the legitimate needs of law enforcement and promote consumer trust.
There is a clear, legitimate need for authoritative data on who owns domain names. This information should be readily accessible by those who have a legitimate need for it, whether that be law enforcement, or those enforcing private law rights, even those who just want to contact the registrant.
ICANN WHOIS Review: Privacy concerns
At the same time, and no less legitimate, are the expectations of individual domain owners to have a measure of privacy for the personal contact details. Within the European Union, personal information is subject to Data Protection laws.
But ICANN’s WHOIS Review realised that concerns over privacy are not confined to the EU. Privacy advocates cite the lack of proportionality in publishing names and addresses worldwide through the Whois database. When an individual’s name and address are published, there is a potential for disproportionate harm, for example to political dissidents, religious or cultural minorities.
Then there is ICANN itself, the corporation, and the difficult spot it finds itself in. The ICANN WHOIS Review found that there is a legitimate need for law enforcement and others to have data on domain name owners, and therefore it follows that Whois data should be both readily accessible and accurate. Who is responsible for enforcing the contracts that require registrars and registries to keep accurate Whois data? ICANN. And who are the main funding parties for ICANN? Why, the registries and registrars of course.
This was the background for the first ICANN Whois Review Team, which I chaired. At the beginning of our work, the tension – even mistrust amongst the participants was palpable. But we managed to build trust and a constructive working environment, and the project thrived.
In spite of these complexities, both substantive and political, the ICANN Whois Review Team comprising representatives of law enforcement, privacy experts, non-commercial and business users, registries and registrars, government and other ICANN constituencies managed to come up with consensus recommendations. Key among them were:
- ICANN’s compliance team should be properly resourced to ensure that it has the processes and technical tools needed to efficiently manage and scale its activities. There should be full accountability and transparency over its budget, publication of annual reports on its activities, clear lines of reporting.
- Five recommendations on data accuracy, an area which needs improvement. These included that the number of domain names with hopelessly inaccurate Whois data should be reduced by 50 percent within 12 months, and 50 percent again over the following 12 months.
- Privacy and proxy services need a policy framework, as none exists at the moment.
- Urgent action to standardize the format of internationalized registration data in the Whois.
The ICANN WHOIS Review Team felt a profound sense of achievement in delivering the report, which was hard hitting in places, but it was evidence based and had the unanimous support of a cross-community team representing different interests. It represented an excellent realworld example of ICANN’s multistakeholder approach and real accountability.
If this wasn’t interesting enough, the structure of ICANN’s policy development forum, the GNSO, effectively hands the domain name industry a veto on policy. This is a relevant force in Whois, because although pretty much everyone agrees that Whois is broken and needs fixing, the “fixing” will require the industry to spend money. For players at the registrar level, in an intensively price-competitive playing field where margins are already squeezed, this is to be resisted. Especially as the industry does not really need or use Whois for its own purposes.
During the eighteen months of the ICANN WHOIS Review, we found it surprisingly difficult to get basic information from ICANN about its compliance function. Things like the number of staff, and budget versus actual spend on compliance activities were shrouded in mystery. We were given conflicting information. The budget seemed to be built up on a contribution cost basis, with a contribution from the legal department representing a significant percentage of the spend. It was also very difficult to tell what the compliance team had achieved. It was strange that an independent report which made damning findings about the poor level of data accuracy in Whois records was left to languish for years, and that the head of compliance seemed unaware of its existence.
The Board’s response was both slow, and unusually muted. The final report was published in May 2012 (a draft report and recommendations having been published in December 2011).
The Board went out for public comment on the final report: the third public comment on the ICANN Whois Review Team’s report in less than a year. Even by ICANN standards, that’s a lot of consultation. It was as if the Board were looking for a different answer.
That different answer eventually arrived four months later in September.
Entitled “WHOIS: Blind Men and an Elephant”, ICANN’s respected Security and Stability Advisory Committee’s (SSAC) response to the Whois consultation seems to have captured the Board’s imagination. It proposed a root and branch re-evaluation of Whois and became the lens through the Board evaluated the ICANN WhoisReview Team’s report.
Commonsense tells us that reviews of the same policy issue are not mutually exclusive, nor “either/or” and the Chair of SSAC confirmed this to me. What’s telling is the way the Board used the SSAC report to blur the lines in its response to the Whois Review.
A casual reader could not fail to conclude that the Board does not intend to implement the ICANN Whois Review Team’s recommendations. One commentator called the Board’s approach “a model of non-communication…replete with Orwellian gaps in the texts“, and said its decision to form an expert group as “suspiciously like a pretext for further unwarranted, inordinate delay”.
By quick comparison, another Affirmation of Commitments report had been delivered in June, the month after the Whois Review Team’s. That SSR team were thanked by the Board in September, and by October, the Board directed its CEO and staff to implement all 28 recommendations in the report.
Board members are adamant ICANN could not be more supportive of the ICANN WHOIS Review Team’s report (“the strongest test will be in our actions,” ICANN’s chair assured me in my position as chair). To that end, the recent recruitment of a senior executive to focus exclusively on Whois is welcome, as is the CEO’s public statements that he intends to sort out Whois.
It will be difficult for the community to assess ICANN’s progress in implementing the ICANN WHOIS Review’s recommendations. The response to a forward-looking review had been to turn the clock back and start again.
Other commentators have reached the same conclusion. Steve Metalitz of Mitchell Silberberg & Knupp LLP (and ICANN’s intellectual property constituency) described (to Bloomberg’s Electronic Commerce & Law Report ) the Board’s response as wanting to “tear up, start over”.
Most poignant was this from longtime ICANN participant, Public Interest Registry’s David Maher:
Déjà vu Whois privacy and rights protection mechanisms has there been progress since 1996? Sometimes, it doesn’t seem that way.