ICANN72: We need to talk about data accuracy
The topic of registration data accuracy is picking up again at ICANN. Be it due to the fact that the EU is negotiating the NIS 2 Directive and the corresponding registration data verification obligation put on registries and registrars. Or that data accuracy keeps coming up in the ongoing GDPR compliance discussions by ICANN contracted parties (e.g. gTLD registries and registrars) after more than three years of law enforcement authorities and rights holders claiming not to be able to investigate illegal activities online due to the “darkened WHOIS”. One thing is sure: the data accuracy discussion underpins many current cross-community issues at ICANN, including ‘DNS abuse’, contractual compliance and public interest concerns.
Although the idea of ‘accuracy’ when it comes to collected registration data by registries and registrars is not new and has apparently already been included in the registrar accreditation agreement dating back to 1999, it is only recently that the data accuracy discussion reached another level of ‘urgency’. This coincides with the GDPR’s impact on the public availability of registration data across gTLDs (the so-called ‘darkening of WHOIS’).
After the GDPR entered into force in 2018, ICANN responded with the Temporary Specification that moved most of the personal information of registrants within ICANN contracted parties (gTLD registries and registrars) to no longer being publicly available. This suddenly became a pressing issue primarily for law enforcement and rightsholders. After more than three years of discussions on a potential consensus policy on “WHOIS obligations” within the unprecedented Expedited Policy Development Process (EPDP), there is still no end in sight on how to reconcile the differences between all stakeholder groups. With a number of loosely connected issues popping up that the EPDP allegedly needs to solve, it is no wonder this is taking so long. All the EPDP should have addressed is how to make sure that contracted parties respect and adhere to data protection principles, and include processes and procedures to keep that data safe and secure. All the other issues, such as access to personal information, consumer protection issues and even public interest beyond data protection are essentially out of scope and merit their own separate legal basis.
Indeed, data accuracy is also part of the data protection principles. In fact, it is one of the fundamental principles under the GDPR, and puts an expectation on data controllers and processors to take “every reasonable step[...]to ensure that personal data which are inaccurate are rectified or deleted”. As data protection is about protecting individuals, the data accuracy principle under the GDPR is about giving end-users control over their personal information. It is not about providing “efficient” access to third parties.
Accuracy of what?
The question of data accuracy is now a political question, as the EU is currently negotiating the revision of its cybersecurity rules that also include a very specific point on ensuring the accuracy of registration data. This obligation is a direct consequence of the alleged impact of the GDPR on the public availability of domain name registration data within gTLDs.
In fact, the EU NIS 2 proposal even borrows language from the GAC EPDP Phase 2 Minority statement, i.e. that the accuracy of domain name registration data is essential for maintaining a secure and resilient DNS. The issues that certain stakeholders, including governments and intellectual property rightsholder groups, have been raising within ICANN have all made it into the EU NIS 2: e.g. the obligation to publish all registration data concerning legal entities, and to provide access to non-public personal information of individuals to an unlimited group of “legitimate access seekers”. Meanwhile, the GAC continues to underline that the EPDP recommendations are not striking “the right balance of protecting personal information and protecting internet users’ safety and security”, which is a consistent agenda point during the joint meetings between the GAC and the GNSO Council, responsible for overseeing the policy development work at ICANN.
Interestingly, back in 2014 a Study on the Misuse of WHOIS found that publicly available registration data has, amongst other things, also contributed to the “highly sophisticated planning to extract money, distribute malware, and[...]a phishing attack using WHOIS information”. In other cases, registrant information was used to register numerous domains for illegal purposes.
Clearly, the whole debate about third-party (incl. public) access to WHOIS being essential for combatting ‘DNS abuse’ is not that black and white in the end. Data protection on the internet, including within the domain name industry, is also a security-related matter that unfortunately goes largely unnoticed in the GDPR-compliance discussions at ICANN.
In parallel with the EU negotiations on imposing a “security”-related data accuracy obligation on TLDs operating in Europe, the discussions on what accuracy is in the context of registration data is also picking up within the ICANN Community. The newly-established Registration Data Accuracy Scoping Team is expected to look into existing accuracy requirements under ICANN contracts with registries and registrars and assess the measures used by ICANN Compliance to monitor, measure, enforce and report on the accuracy obligations as specified in these contracts. From the discussions taking place at ICANN72, it seems that registration data accuracy within the ICANN context has primarily been a syntactical and operational check to ensure that registrants provide contact details that are functional.
In principle it should be for the community to decide whether any additional elements to the concept of accuracy need to be added to the definition through a formal policy development process in the GNSO and after the Scoping Team finishes its mapping work. However, the proximity of EU legislation that does not take into account these community discussions on accuracy might make these efforts moot. The EU discussions on NIS 2 are leaning heavily towards a different definition of accuracy obligations that include additional ID verification checks that put all the burden on technical operators. Since the EU NIS 2 Directive is intended to apply to all TLD operators that offer their services in Europe, it will also affect ICANN contracted parties.
Access to non-public registration data
The discussions on accuracy can no longer be distinguished from the questions of who shall receive access to non-public personal information of domain name holders and when. While the EU is in the process of obliging TLDs to give it out to all “legitimate access seekers'', the ICANN community is still discussing the possibility of establishing a System for Standardized Access/Disclosure (SSAD) to “centrally handle requests for non-public registration data”. To inform the deliberations on putting such a system in place, the ICANN Board has requested an Operational Design Phase (ODP) Assessment. Originally, the ODP Assessment was supposed to be completed by 25 September 2021. According to the project update given at ICANN72, the data collection activities have taken longer, and the data received has raised more questions, which merits more community discussions. In addition a proper cost-benefit analysis needs to be conducted before the ICANN Board can make a decision to proceed forward with the SSAD.
At the same time, another verification issue landed on the table: the verification of users who wish to use SSAD and request access to registration data. Ironically, the completion of the ODP Assessment phase has also been delayed by the fact that the GAC is not able to complete a survey on the accreditation of governmental entities, due to this being a “complex issue”.
Verifying the identities of registrants and legitimate access seekers should be easy, no? Otherwise, why are we in the process of putting a data verification obligation on registries and registrars operating in the EU, expecting them to figure this out on their own in order to effectively comply with it? This remains a mystery for now that would need to be fleshed out in the implementation phase. Not only in the case of the still largely hypothetical SSAD, but also the speedily approaching NIS 2 Directive compliance.
The sense of urgency
Registration data accuracy is indeed an urgent topic within ICANN. However, this urgency is not coming from the looming threats to the security, stability and resilience of the DNS. The urgency of data accuracy is underpinned by individual governments and regional policymakers trying to “fix” an issue that is uniquely relevant only in the context of global internet governance. The NIS 2 Directive won’t have an impact on contractual compliance by ICANN. However, it will have an effect on individual gTLDs, ccTLDs and registrars that will find themselves between a rock and a hard place trying to comply with unattainable standards.
This blogpost was written by Polina Malaja, Policy Director at CENTR. It is part of a series of blogposts CENTR will be publishing on the ICANN72 meeting.