US government weighs in on GDPR-Whois debacle, orders ICANN to go probe GoDaddy
Yeah that oughta do the trick
The US government has waded into the omni-shambles that is the internet infrastructure industry's failed effort to comply with European privacy laws.
Having tried to use its behind-the-scenes influence at a recent meeting of DNS overseer ICANN to drive decisions, the Department of Commerce's frustration has led to it going public with a letter to ICANN [PDF] in which it pressures the organization to investigate the world's largest registrar GoDaddy for limiting access to its "Whois" service.
In preparation for the May 25 deadline of Europe's General Data Protection Regulation (GDPR), and in light of the utter failure of ICANN to come up with a way to make the Whois service compliant with that law, GoDaddy has started hiding personal contact details for the 50 million+ domain names it looks after and has begun throttling access to its Whois service.
That would appear to be a commonsense response to a law that can see the company fined millions of dollars for failing to keep personal details private. But it earned the ire of several companies that make a living from accessing such details.
A letter [PDF] from one intellectual property lawyer representing those interests urged ICANN to take action against what he claimed were "clear and direct violations" of GoDaddy's contract with ICANN. ICANN responded [PDF] with no more than an acknowledgement it had received the complaint.
But the US government has unexpectedly come to their defense, noting in its letter that "the actions taken by GoDaddy last month... are of grave concern for NTIA given the US government's interest in maintaining a Whois service that is quickly accessible for legitimate purposes."
The letter from head of the National Telecommunications and Information Administration (NTIA), David Redl, also notes that it is worried that GoDaddy's approach "will be replicated by other registrars and registries, compounding the problems these actions create."
While it stops short of making a legal judgment on whether the approach breaks GoDaddy's contract, it does argue that there is a "potential conflict" with the contract and "encourages" ICANN to investigate it "as a contractual compliance matter."
That is an extraordinary intervention given that the entire Whois service is under doubt and may cease to exist in a little over a month. It most likely represents an effort by the US government to force ICANN to be more decisive rather than follow its typical route of ignoring issues.
ICANN has ignored warning letters from the European Union about the Whois service for over a decade, and its approach to the impending GDPR deadline has been to tell registrars and registries it will simply ignore those parts of its contract until a solution is found: something critics say amounts to an organizational failure to fulfill its obligations.
As things stand, ICANN has no solution for changing the Whois service to comply with GDPR. Last month, it wrote to Europe's data protection agencies asking them to comment on its broad "cookbook" plan, as well as grant it a "moratorium" on the law until it has worked out a replacement.
So that's a No, then
Last week, those agencies got back and tore ICANN's plan to shreds, pointing out that it needs to be much more precise and to include both compliance and auditing functions. Critically, however, they did not address ICANN's request for a moratorium.
Without a special exemption, the entire internet infrastructure industry will be breaking the law come May 25 and so will inevitably go their own routes. As an industry leader, GoDaddy's actions will be seen by many as a useful blueprint.
One registry, CoCCA, has gone public with a different solution: removing all personal details in Whois and straight up charging trademark holders for access to the data.
But as ICANN's CEO prepares to jump on a plane to Brussels to plead with the members of the Article 29 Working Party to give it a moratorium, the bigger question is: what does ICANN do?
Having failed to address the situation until six months ago, the organization has started pushing the idea of an expedited version of its policy development process (EPDP), with the organization's board and its main policy council, the GNSO, holding a meeting last week in which it discussed [PDF] removing an initial report and public comment period in its normal process in order to speed things up.
ICANN estimates that with this approach it could get a formal policy in place in just under a year (ICANN's policy development processes have historically taken, on average, two years and four months).
That would allow ICANN's CEO to plead for a one-year moratorium. Although it is important to note there is no evidence that the Working Party is willing to agree to such an approach.
Hang on a second
Even the idea of a moratorium appears to have been invented by ICANN. There is no evidence of a similar request from any other industry, and the GDPR is, after all, a globally applicable law that affects everyone. It was first put forward in 2012 and was finalized in May 2016 with a two-year lead-time.
As to how to resolve the fundamental issue of Whois – namely, that some groups want access to every registrant's data and the law requires there be a clear legal justification for it – the NTIA letter offers an intriguing suggestion.
It proposes a radical overhaul of how the DNS currently works, noting that it "sees merit in examining the roles other parties could play" in "services that manage specific DNS resource records." Currently only ICANN-accredited registrars are allowed to make changes to name server and mail server records.
It's not entirely clear what lies behind this proposal but given that almost all the pressure on ICANN – and the US government – comes from large corporations and their intellectual property lawyers, it is likely to represent a legal workaround that would allow IP lawyers direct access to Whois data by bypassing the legal obligations contained in the contract ICANN has with registrars.
With a little over a month to go, and with ICANN pinning all its hopes on a solution that it has devised itself, the NTIA's letter could be viewed as an effort to shake some sense into the organization. It is unlikely to work. ®