Experts are working on the most appropriate updates to domain name registration information through ICANN’s Expedited Policy Development Process (EPDP). Finding a balance between authority access and user privacy is difficult, and policymakers and the general public need patience as the EPDP works to get it right.
Major European legislation, the General Data Protection Regulation, evoked substantial change in the way we deal with the visibility of domain name registration information, and understandably those that use that data to solve problems are concerned about these changes and some have even called for a U.S. legislative fix.
However, a more in-depth look at the issue and the policy-making surrounding it will show that there is, in fact, a process already well underway to address the situation.
While perhaps not as “quick” as some would want, the results of that process will ensure a solution that is workable, globally applicable, and in keeping with the overarching goal of maintaining a stable, secure, and resilient Internet Domain Name System.
The Internet Corporation for Assigned Names and Numbers (ICANN) is the global multistakeholder body that sets and enforces policy for domain names. Its global remit is extremely useful in making sure that the Internet Domain Name System (DNS) does not get chopped up between different constituencies, be they geographical, political or cultural. However, it also means that ICANN has to systematically address and act on the output of numerous legislative bodies, at both the national and supranational level.
One such legislative output is the General Data Protection Regulation (GDPR), which came into effect in May 2018. A wide-ranging, consumer-protection-focused law, GDPR is ostensibly limited in its application to the geographic boundaries of the European Union and citizenship. However, the Internet’s global nature as well as the wording and imprecise application of the law have given the rules reach much further than Europe and its citizens, particularly since separating out different versions of the Internet would be unwieldy both politically and technologically.
GDPR’s protections of personal data affect several areas of the Internet, including WHOIS. For those not familiar with the incredibly un-sexy inner workings of the Domain Name System, WHOIS is a protocol that governs how users ask and receive information about the “registrants” of an Internet resource, such as a domain name. Most commonly, WHOIS refers to the information associated with a domain name registration. This information includes the registrant’s name and contact information, which also happens to be considered personally identifiable information – the very information protected under GDPR. ICANN, as the global body responsible for requiring registries and registrars (its contracted parties) to collect, transfer, and publish WHOIS information, and for enforcing that requirement, found itself at the epicenter of bringing WHOIS into compliance with GDPR.
ICANN’s processes are multistakeholder, which means that input into the policy development process is sought from all its different stakeholder groups. This process is one that puts an emphasis on transparency, inclusion and collaboration in a consensus-focused environment, which means that the decision reached is one that does not blindside any constituency; on the contrary, it benefits from diverse voices in its development.
This type of inclusive, multistakeholder governance is the cornerstone of ICANN policy development. However, the urgency of GDPR compliance (and the associated fines for non-compliance) forced ICANN to act quickly to ensure a continued WHOIS. ICANN did this by instituting a stop-gap measure, the Temporary Specification, which ensured immediate compliance and a temporary solution for accessing WHOIS information.
However, as its name implies, that was not a long-term answer to how WHOIS would have to be redesigned to accommodate GDPR. Furthermore, any long-term policy and/or approach would require multistakeholder community development.
For that, ICANN’s community joined together in an Expedited Policy Development Process (EPDP) to re-imagine WHOIS going forward. The EPDP strikes an important balance between the positives of a regular ICANN policy development process and the necessity of a speedy resolution. The first phase of the EPDP had a very ambitious timeline, and even so, the EPDP team reached it without reducing the quality of the debate. Furthermore, completing Phase One paved the way for Phase Two and the much anticipated discussion of developing a System for Standardized Access/Disclosure (SSAD).
The EPDP is now in Phase Two, where the community – comprised of distinct, varied and at times opposing interests – is hammering out what will be an SSAD that gives the registries and registrars comfort that they are not in violation of GDPR; gives the users of WHOIS confidence that they can attain access to WHOIS information for pursuing their legitimate interests; and gives assurances to the wider Internet community that data protection is taken seriously.
In order to get the requisite clarity, Phase Two requires more interfacing with other entities, specifically European regulatory bodies, such as the European Data Protection Board (EDPB). Input from the EDPB is crucial to making sure an SSAD will be developed so that its operations and policy foundations will be both compliant and appropriate for the ICANN community.
Permitting access to domain name registration information in a GDPR compliant manner is an extremely complex challenge. It has to take into account a significant number of distinct perspectives, from law enforcement to civil society to business interests. Even more, it has to take into account two different but equally important objectives: providing access to personal information for legitimate interests and data protection. These two objectives do not need to be mutually exclusive; in fact, GDPR recognizes that legitimate interests in data exist whereby access to personal information can and should be permitted. So, finding a solution that meets both objectives is complex, but possible. The exercise just needs requisite time to “get it right,” so that any solution and associated policy is acceptable to all involved.
While the global discussion surrounding WHOIS has captivated many in policy-making circles, further legislation or regulation from other national constituencies feeling like they are competing with GDPR for who would set global norms would be entirely counter-productive. A patchwork of national rules and laws would not solve the concern at the heart of the matter, but it would, in fact, aggravate it. Multiple external inputs would at best stall the EPDP indefinitely and, at worst, create a fractured Internet in which different laws and policies apply depending on the state, country, or region.
The ultimate solution has to come through an open, transparent and inclusive process that looks at the issue globally, and allows for the businesses involved in the domain name world to properly navigate their global responsibilities.
A national legislative solution at odds with GDPR, one favored by some of those that are understandably worried about their work being impacted by changes to the WHOIS service, will not truly be a fix. Rather, it will be a wrench in the necessary policy development process, causing more delays as every layer of the infrastructure of the Internet has to readjust to another external unilateral decision, with policy and technical principles needing to be redrawn.
The ICANN EPDP is well on its way to providing a long-term, genuine, and robust solution, and we will stand witness to this process, keeping the public, as well as policy-makers, informed of its continued progress.