WHOIS afraid of reform? Report recommends changing nature of WHOIS records

An ICANN-convened Expert Working Group has released a mammoth 166-page report broken out over 180 recommendations for a next-generation Registration Directory Service (RDS) designed to replace the current WHOIS system for all gTLDs. The scheme is an ambitious attempt to please domain name registrants, law enforcement agencies and brand owners in one fell swoop by replacing the current WHOIS record with a centralised system of validated contacts that are either publicly available or ‘gated’ - that is to say, hidden from the general public. Gated elements of the record would be available via an RDS account in accordance with a user's accreditation, which would depend upon their status. The report has already come in for some criticism from industry commentators and even some dissent from one member of the group itself and it remains to be seen whether such an extensive overhaul of the system could be realised any time soon.

ICANN CEO Fadi Chehadé convened the Expert Working Group late in 2012 on the back of an ICANN resolution in November of that year calling for "a new effort to redefine the purpose of collecting, maintaining and providing access to gTLD registration data, and consider safeguards for protecting data, as a foundation for new gTLD policy and contractual negotiations". The Expert Working Group, whose representatives included registry and registrar operators, internet infrastructure experts and brand owners, were chosen on the basis of their “operational knowledge and experience with registrant data or directory services… along with consensus-building skills, aptitude to innovate, geographic diversity”.

If implemented, the recommendations in the Registration Directory Service report would change the whole nature of WHOIS records making certain fields mandatorily public and others ‘gated’ and thus not publicly available. Most of the data concerning the registrant would be gated and thus not visible to the public, but the admin contact name, email address and country would always be visible. The level of access granted to the various gated fields within the RDS would depend on the role assigned to individual RDS account holders' user accreditation (eg, tax authorities, UDRP providers and law enforcement agencies would have greater access to gated fields than the general public), but the name of the registrant would be available to any RDS account holder.

Under the new system, there would be up to six purpose-based contacts - an admin contact, a legal contact, a technical contact and an abuse contact, which would all be mandatory, as well as a privacy/proxy contact and a business contact. The legal contact would be "designated to handle TM (trademark) disputes or other claims regarding a domain name" whereas the abuse contact's role would be to "handle enquiries about abusive behaviour emanating from a domain name and manifesting in traffic or other highly time-sensitive malicious internet activities". This purpose-based contact would also need to "have an email address capable of receiving and responding to valid complaints and an active phone number to receive inquiries".

The requirement for all domain names to have legal and abuse contacts has already come in for criticism by industry bloggers on the basis that very few private individuals would easily have access to such a contact. It is difficult to see how most registrants, other than simply listing themselves (the default option), would be able to fulfil this requirement unless registrars or other independent operators step in to the breach and begin offering such a service. As such, a change of this nature seems likely to be unpopular with both registrars and the general public in that it seems likely that it will place an additional administrative burden on registrars and mean added costs for registrants.

The report does not rule out the use of WHOIS privacy and proxy services, but makes a number of recommendations aimed at ensuring greater accountability for such services. These include a requirement for all such proxy and privacy services to be accredited by ICANN, an obligation to relay email correspondence received on to the registrant and to respond to requests to reveal the true details of the registrant (reveal requests) in a timely manner. This would ensure that the privacy and proxy services could continue to co-exist with the RDS.

However, the subject of privacy did cause ructions within the group with the only privacy advocate in the group, the Canadian Stephanie Perrin, raising serious concerns about the privacy consequences for domain name registrants under the RDS. Ms Perrin, although expressing "strong support for this report", wrote a dissenting report, pointing out:

“Obviously large companies are eager to publish their contact data, as it makes it easier for them to streamline requests and manage the actions over thousands of domain names. A simple registrant with a couple of domain names has entirely different needs and resources, and is unlikely to want to spend money hiring an ISP or registrar to provide these contacts for them.”

Ms Perrin points to how the system will inherently discriminate against those less privileged actors in the global domain name system by saying that "if you understand the risks, you will hire a proxy service. From the perspective of an elite North American, this looks like a no-brainer, just hire a proxy."

Ms Perrin also expresses concerns regarding the principle of consent by registrants to the use or processing of their gated information for accredited actors behind the gate and goes on to say:

“Consent must be read in the context of legitimacy of purpose, proportionality, rights to refuse, rights to withdraw consent, specificity of purpose and use, and so on. To offer individuals and organisations the opportunity to consent to the use of their sensitive, gated data, for all the permissible purposes, in my view can be read as providing blanket consent to accredited users behind the gate. It can be read as voluntarily giving up any privacy protection one might have expected under local law, and any right to select some purposes as opposed to others.”

The authors of the report have warned against adopting elements of the proposal in isolation, stating that this would undermine benefits for the whole ecosystem. It is difficult to see how such a complex and radical overhaul of the WHOIS system, irrespective of its possible merits, could be sold to the various interest groups and implemented (particularly in relation to retrospective registrations) any time in the near future.

David Taylor and Cindy Mikul, Hogan Lovells LLP, Paris