Battle lines drawn, skirmishes commence: ICANN community debates future of WHOIS access

  • ICANN 63 taking place in Barcelona this week, with WHOIS a key focus
  • CEO responds to accusations of siding with interest groups over unified access model
  • Registrars slam AppDetex over claims on Facebook data requests

This week, the ICANN community is gathered in Barcelona for its latest official meeting. High on the agenda are efforts to develop permanent policy on the treatment of WHOIS data in light of the EU General Data Protection Regulation (GDPR). However, even before the community stakeholders arrived in Spain, the battle lines were being drawn, with pushback over ICANN’s perceived bias towards IP interests and fierce criticism of data access requests lodged on behalf of Facebook.

Last week, in the run-up to the meeting, the leadership of the Non-Commercial Stakeholders Group (NCSG) wrote to ICANN CEO Göran Marby, expressing disappointment that the organisation had taken a biased approach to the reform of WHOIS. The letter maintained: “Representatives from ICANN have repeatedly focused on advancing certain interests to the point of eclipsing concerns emanating from other parts of the ICANN community. More concretely, the demonstrated intention of ICANN has been to ensure the unrestrained and unlawful access to personal data demanded by special interest groups.” One such interest group is the IP community, with the NCSG contending: “While collecting, processing, and disclosing personal information may be necessary for law enforcement functions, consumer protection, or cybersecurity, the implication that it is up to ICANN to facilitate identification of criminals, aid consumer protection agencies, protect intellectual property, or identify fake news through WHOIS is fundamentally flawed.”

The letter argues that ICANN has been more focused on how – post-GDPR – barriers to access by third parties can be circumvented, rather than focusing on data subjects’ rights. As such, the NCSG argues that ICANN’s “unflagging quest” to find a rationale for disclosing WHOIS data means that its efforts to gain legal clarity from authorities are being framed within a certain agenda and not from a neutral viewpoint. Bias is also identified in ICANN’s efforts to formulate a ‘unified access model’, the group adding: “Let us be crystal clear: the whole community has never asked for ‘unified’ access to registration data. Only the Intellectual Property Constituency and the Business Constituency have insisted upon it, along with certain members of the GAC — many of whom are ignoring their own national laws. ICANN in much of its correspondence claims that the ‘community’ ‘urgently’ needs to have access to the personal and sensitive data of domain name registrants, or a cyber doomsday will result. We are part of the community, and we disagree.”

In an unusually quick reply, published on the ICANN site on Saturday, Marby expressed concern with “mischaracterizations” and “opinion asserted as fact” in the NCSG position. He states that ICANN “does not presuppose the outcome of the policy development process, including what types of access – unified or otherwise – the community will recommend”.  As to ICANN’s role in pursuing solutions related to access, he notes that – as data controller – the organisation’s requirements of registrars and registries to collect and publish WHOIS data causes ICANN to have a role in determining the legality of those contractual requirements.

This is not the only skirmish that has centred on WHOIS data access in the run-up to this week’s gathering. On Friday we reported on a letter in which AppDetex Brand Protection highlighted the “extreme difficulties faced in obtaining ‘reasonable access’ to redacted WHOIS for legitimate purposes”, the company highlighting Facebook’s 9,041 request notices sent to a universe of 350 registrars – of which only 3% have resulted in access to full WHOIS records. It added that 1.4% of responses required a subpoena or UDRP action to be lodged before the request would d be granted, while 59.6% of requests had gone unanswered. We suggested that the letter will likely be the focus of attention and this weekend ICANN published responses from Tucows and Blacknight Internet Solution – both of which slammed AppDetex’s position.

Elliot Noss, CEO of registrar Tucows notes that, while there are “reasonable and legitimate needs for third parties to gain access to our registrants’ data”, there is a “lack of care” in some of the AppDetex requests, some of which were sent multiple times. He expands that “we are also concerned that, given the clear lack of human-review and due care presented by the requests we have received from AppDetex, they are simply creating algorithms to identify potential infringements and demanding personal registrant data for these potentialities wholesale”. He also questions the timing: “It is apparent to us that the concern here is not for the trademarks of Facebook, or any other customer, but for generating baseless noise and attempting to shift public and government perception of registrar.” Michele Neylon, managing director of Blacknight Solutions offers a shorter, but more combative, response, similarly pointing to a lack of follow-up engagement from AppDetex and characterising its requests for data as insincere and designed “to create a particular narrative to reinforce AppDetex and Facebook’s particular views”.

The ICANN meeting continues through Thursday and there may be significant developments in efforts to reach an agreement on the way forward for both the temporary specification and the future access model for WHOIS data. Equally, the two sides may find themselves even more entrenched as emotions run high. However, the clock is ticking, with ICANN having set a 25 May 2019 deadline for the confirmation (or otherwise) of the temporary specification as consensus policy. In the meantime, the struggle for rights holders to obtain access to domain name registrant data continues.

Last week the Messaging, Malware and Mobile Anti-Abuse Working Group released the details of a survey that found that the changes to WHOIS access since GDPR is significantly impeding cyber investigations – 17% of respondents stating that the public WHOIS service is no longer useful or reliable. It also observes that “requests to access non-public WHOIS by legitimate investigators for legitimate purposes are routinely refused… [and] registrars and registries disclose redacted WHOIS data at their individual discretion, often without reasonable justification”.

In short, while AppDetex is the focus of furious debate, the plight of those seeking to investigate infringement and protect their brands is very real. Something has to give and this week’s discussions in Barcelona will go some way to illuminating what the future may hold for brand protection professionals.

Unlock unlimited access to all WTR content