ICANN governs the vital infrastructure that businesses and consumers depend on every day. Websites, online shops, and email servers all rely on domain names, making ICANN meeting outcomes highly significant for any modern business.
Fortunately, EBRAND’s Chief Legal Officer regularly participates in ICANN policy development groups, and the most recent meeting was no exception. Below, Luc Seufer provides a detailed account of the key developments. These insights should inform your strategy going forward, and help you embrace upcoming changes. As Luc himself says, the 79th conference drew a solid attendance alongside the allure of the picturesque surroundings, and it’s well worth absorbing their insights.
DNS Abuse Outreach
DNS abuse, a top threat for businesses and consumers, rose again to the top of ICANN’s agenda. The corporation and its contracted parties addressed this topic by negotiating amendments to their accreditation agreements. These amendments aim to enhance accountability in combating DNS abuse. They serve two essential purposes: requiring actionable evidence from DNS abuse reporters to aid registrar investigations, and mandating prompt investigation and mitigation actions by registrars upon receipt of reports, with potential repercussions for non-compliance.
With these amendments set to take effect on April 5, 2024, DNS abuse dominated several sessions at ICANN 79. There, we elucidated the new obligations for registries and registrars, addressing community concerns, and discussing potential ramifications.
Stakeholders clarified that these amendments set a minimum standard, not a maximum, for mitigation efforts against DNS abuse. This caveat set the stage for implementation adjustments and/or policy developments further down the line.
DNS Abuse Takeaways from Different ICANN Groups
During a session of the registry and registrar DNS Abuse Working Group, ICANN constituencies conveyed their expectations regarding the amendments:
- Intellectual Property Constituency stated they would like more “predictable results”. Regrettably, this desirable goal seems unrealistic. Every case is different, requiring a specific analysis and thus a different response from registrars.
- Business Constituency looked forward to developing new policies. However, it did agree that metrics to measure the effect of the amendments could be helpful.
- ICANN Compliance looked forward to enforcing those new obligations. (The redaction of whois details follows the Temporary Specifications entry into force. Registration data (whois) inaccuracy complaints, which constituted the brunt of their daily work, is now the smallest part of it.)
- Non-Commercial Stakeholder Group stressed that safeguards should be implemented. These would ensure that due process is followed when mitigating DNS Abuse cases.
- Governmental Advisory Committee representatives hinted that they would like to condition the launch of the next round of extensions on a reduction of DNS Abuse in existing gTLDs.
- Representatives from registries and registrars stressed that content issues fall outside the scope of DNS abuse. They added that it should be addressed by relevant service providers. However, they expressed optimism that the amendments would empower ICANN Compliance. This increased power should help hold those who disregard abuse on their services accountable.
The agreement from different parts of the community that DNS Abuse needs to be empirically measured to assess the effectiveness of those amendments is in itself a positive outcome.
Indeed, we need to move away from feelings and impressions to confront reality. This confrontation will deliver the appropriate measures to mitigate DNS Abuse.
Expediting the Registration Data Policy
ICANN has been engaged in reforming its registration data policy since 2018. Fortunately, it opted for the Expedited version of the standard policy development process, resulting in the finalization and adoption of a new policy a mere seven years later.
ICANN staff drafted the Temporary Specification for registration data in a matter of weeks, and also secured board approval. However, this document’s final version required additional time to undergo the multistakeholder decision-making process.
As illustrated in the graphics below, the new policy must be implemented within a timeframe of less than 18 months.
This process may seem lengthy, but it’s important to consider that each registry and registrar operates with distinct systems and faces varied technical, operational, and contractual obligations.
The Registrar Stakeholder Group Communication and Outreach team has produced concise slides summarising over 20 pages of policy intricacies.
These slides show that registries maintain considerable flexibility in implementing the new registration data policy. Each registry determines the specific information required from accredited registrars. With over 1,500 extensions and corresponding registration policies, registries must promptly decide how to integrate the new registration data policy to allow registrars to adjust their platforms accordingly.
Learning from these Considerations
In light of these considerations, registries and registrars convened an initial coordination meeting. During the meeting, registrars urged their registry counterparts to promptly issue the necessary contractual and technical updates for their extensions.
The enactment of this policy does not mean that whois pre-GDPR will resuscitate. Indeed, only non-personal data will be published in the registration database. Furthermore, as most registries will most certainly choose the path of the minimum data set, requests for disclosure of registrant’s data will have to be addressed to registrars located across the world, in different jurisdictions.
Nonetheless, this policy will have the benefit of disclosing the details of legal persons that were redacted only due to ICANN tardiness in addressing its data privacy flaws.
This not a DPA (or a pipe)
If you’ve conducted business in the EU or California since 2018, following the enactment of GDPR, you’re likely aware of the necessity of a Data Processing Agreement for personal data processing. Without such an agreement or its equivalent, gathering personal data from individuals would constitute a serious legal violation.
This agreement outlines a range of aspects. These include the subject matter and duration of processing, the nature and purpose of processing, types of personal data and categories of data subjects, and the obligations and rights of the processor. In the domain name industry, this requirement is widely recognized.
Prior to GDPR taking effect, every registry promptly appended an addendum to its agreement with their registrar partners while registrars developed their privacy policies. This framework is the legal foundation allowing registrars to register domain names for clients with registries. Without these registrations, registries couldn’t store domain name owner details.
However, no such legal instrument exists with ICANN, preventing registries and registrars from transferring any personal data to ICANN. This poses challenges as there are instances where ICANN needs access to registrant details, such as audits or compliance notices.
ICANN’s Data Processing Progress
Unfortunately, negotiating with ICANN to enter into a Data Processing Agreement proved challenging. Discussions began in January 2018 and persisted for five years. As a (passive) participant in the negotiations, I commend my colleagues for their patience and diplomatic efforts.
As hinted by the title of this post, the resulting documents aren’t data processing agreements. Instead, agreements between contracted parties and ICANN incorporate “data processing specifications”, one for registries and another for registrars.
These specifications are optional. They only apply to TLDs where the registry necessitates the transfer of registrant personal data, which may only sometimes be the case.
Additionally, clarification is needed regarding this document. Some members of the ICANN community misunderstand the inclusion of an “accuracy” clause. This clause simply mirrors the GDPR obligation for controllers to allow data subjects to maintain accurate data and, if necessary, delete it. It does not impose an additional validation obligation on registrars and registries. However, such a validation obligation may arise from the NIS2 directive, a topic for another discussion in October 2024.
The Privacy Proxy Accreditation Program Update
Have you ever wondered why so many domain names are registered under names like “Whois Privacy S.A.”, “Domains by Proxy Inc.”, or “Contact Privacy Inc.”?
Despite EU data privacy laws existing since 1995, ICANN policies historically disregarded them, mandating registries and registrars to publish the personal data of every registrant.
To address this oversight, registrars and others introduced privacy services, replacing registrants’ details with those of an entity, often affiliated with a registrar. While ICANN required the actual name of the privacy service provider to be published in the whois database, these entities adopted suggestive names to indicate the redaction of registrant details.
Amidst growing privacy concerns and rampant email marketing spam, privacy services gained immense popularity. However, not all users had noble intentions, with some exploiting these services for illegitimate domain use.
Consequently, when the 2009 version of the Registrar Accreditation Agreement was revised in 2013, a specific clause was added to foresee that ICANN would establish and implement a Privacy and Proxy Accreditation Program to regulate this service.
In October 2013, a working group was formed to develop this program’s policy. After 76 meetings, a final report was adopted by the ICANN Board, a process marked by challenges reconciling privacy advocates and intellectual property interests.
ICANN’s RAA and the EU’s GDPR
This policy was developed before GDPR was even adopted by the EU, which led the group to devise a policy on semi-blind guesses about what obligations would apply to registrars and privacy service providers.
In October 2016, a new group of volunteers formed an Implementation Review Team to implement the final report. The team tried its best, but after 61 weekly meetings and the passing of the Temporary Specifications, we had to wait for the registration data policy to be revised in light of data privacy laws.
With the adoption of Temporary Specifications, registrars gained authority to redact whois data without replacement details, leading to a proliferation of “redacted for privacy” entries.
Following the publication of the final registration data policy, ICANN can now resume PPSAI implementation efforts. An informal meeting during the San Juan gathering discussed the discrepancies between the 2016 report and the 2024 registration data policy. The consensus was to reconvene the Implementation Review Team, examining potential conflicts and, if necessary, seeking revisions from the GNSO Council.
While it may be disappointing that the accreditation program of privacy provider services (and its mechanism to request the disclosure of underlying registrants’ details) will be stalled again, moving forward with a weak policy would not have satisfactory results.
It should also be noted that contrary to cases of redacted data in the application of privacy laws, proxy registrations must use accurate details of an existing and possibly liable entity. As such, no balancing test is required, and disclosure requests have more successful results.
Taking stock of RDRS
In November 2023, ICANN introduced the Registration Data Request System (RDRS). This system enables requestors to seek disclosure of redacted domain name registration data from participating registrars. ICANN’s tool must complete a two-year period to gauge potential requestor interest. Then, the board will decide on the adoption of the System for Standardized Access/Disclosure (SSAD). Experts anticipate SSAD to cost between USD 20 and 100 million per year.
At the ICANN meeting in San Juan, the first usage metric reports for RDRS were discussed. The reports indicated that registrars representing 50% of all globally registered domain names participated in RDRS. This participation allowed requestors to seek whois data disclosure for every two domain names. Additionally, the Registrar Stakeholder Group stated that it aimed to encourage more member participation to expand RDRS’s scope further.
However, the reports highlighted that requestors using the system did not fully grasp its purpose. Dominant misconceptions implied that every request would be granted, despite a 74% denial rate.
Takeaways from RDRS and SSAD
It’s important to reiterate that RDRS and SSAD serve as mediums to rapidly and adequately contact registrars. It won’t serve to bypass the balancing test between requestors’ rights to access registrant details and registrants’ rights to privacy.
Feedback indicated that IP holders and security researchers comprised the majority of requestors. Notably, an INTA director announced plans to task 150 members with submitting at least 50 disclosure requests each. This underscores the need for continued education on RDRS among potential users.
While the tool is available to everyone, law enforcement agencies are expected to have a higher chance of receiving positive. Indeed, while a registrar is not suited to assess the claimed infringement of intellectual property rights, they can read a subpoena or warrant and comply with it.
Consequently, the Registrar Stakeholder Group presented RDRS to the Governmental Advisory Committee, urging them to inform local law enforcement agencies.
Conclusions: Learning from ICANN with EBRAND
EBRAND and all members of the Namespace Group are actively participating in RDRS. Thus far, only denial responses have been received. These include requests for data portability, domain name whois history, and an attempt at bypassing the initiation of UDRP proceedings. In each case, appropriate actions or recommendations were provided in response.
In conclusion, ICANN 79 showcased significant advancements in combating DNS abuse, particularly through amendments to the registrar accreditation agreement. These amendments, effective April 5, 2024, were central to discussions addressing community concerns and outlining new obligations for registries and registrars. Key topics included the swift implementation of the Registration Data Policy, efforts to regulate proxy and privacy service providers, and an early review of the Registration Data Request System (RDRS).
These developments underscore the importance of timely communication and transparency within the domain ecosystem. For further insights or to capitalize on these changes with EBRAND expertise, connect with our experts here.
