Recap: why are we still discussing WHOIS?
The ICANN community is making slow but steady progress in its work on GDPR compliance. A false dichotomy between balancing privacy with security seems to be the pinnacle of these discussions. Access to domain name registration data (or WHOIS information) is seen as essential in conducting investigations regarding criminal activity online, while data protection is continuously referred to as an obstacle to secure “public interest”. In order to address the concerns regarding accessibility of non-public WHOIS information and assess the need for a standardised access and disclosure system (aka SSAD) that has previously been deemed to exert significant costs for ICANN, a pilot project called the “Registration Data Request Service” (RDRS), which is effectively a mini-SSAD, will be launched by the community in November.
What is RDRS?
The RDRS, designed as a test to assess the usefulness of and the need for a more complicated SSAD, aims to gather data on the volume of registration data access requests by managing the request intake and distribution process. As registrars are mostly responsible for offering domain names to end-users and managing the contractual relationship with domain name holders, they also collect and process most domain name registration data at the time of registration. From an access seeker’s perspective, addressing registrars is the first and most logical step in any access procedure. For these purposes, the RDRS is seeking wide registrar participation in order to receive meaningful results.
The RDRS aims to centralise access request submissions to participating registrars. To access the data, a valid legal basis must be provided along with each request, while registrars must follow their internal procedures when assessing the request and deciding whether disclosure is justified. No data can be transmitted through the RDRS itself, but participating registrars will be asked to report whether the request was approved or not, and include reasons for denying access.
Concerns from the community
There are still some concerns on the usefulness of the RDRS, most notably from the “requestor community” because the submission of requests via the RDRS does not guarantee that the data will be disclosed. This may discourage access seekers from participating in the pilot. In addition, there seems to be a lack of clarity on the opportunity to submit bulk requests. From a “public interest” perspective, most prominently assumed by the Governmental Advisory Committee (GAC), the main concern with the pilot is the potential for SSAD not to materialise, as a result of “the lack of actionable data'' in case the RDRS is not used. In addition, the GAC is concerned over the absence of privacy/proxy services from the scope of the RDRS, as they allegedly amounted to 65% of COVID-19 related domains reported to law enforcement. As a result, these domains were unavailable for further investigations. Registrars on other hand seem to have received the RDRS plan relatively well, although more public awareness activities are needed to incite higher registrar participation.
Next steps
The RDRS will run for a maximum of two years, with monthly public reports, specifically on usage rates and other metrics, such as number of requests and number of approvals/denials. Registrars will be able to join as of September, and requestors will be able to submit access requests starting from November.
Link with the EU NIS 2 Directive implementation?
The ICANN community discussions on access are moving in parallel with the ongoing implementation work of the EU NIS 2 Directive that was finalised at the beginning of this year. EU Member States have 18 months to implement the Directive’s provisions into their national jurisdictions, and access to non-public domain registration data is one of the areas where the EU attempted to address some of the “pain points” of the GDPR implementation discussions at ICANN. The RDRS might alleviate some of the concerns related to “public interest” and (the lack of) access to registration data by bringing a more constructive perspective to the discussion, which often relies on emotional arguments and the juxtaposition of privacy and security. The community, and possibly the world, is looking forward to the data that could perhaps finally put to rest the endless WHOIS discussions.