ICANN has been told for a second time that it must fundamentally change its Whois service to become compliant with Europe's incoming privacy law – and do so within the next month.
At a meeting in Brussels this week with the European Union's data protection authorities (DPAs), the US-based DNS overseer had hoped to persuade regulators to grant it a year's special extension to the law, and for them to reconsider allowing several key aspects of the Whois service, such as publishing people's email addresses.
It failed in both aspects, as a blog post by ICANN reluctantly admits.
"During the discussion regarding the timeline, the DPAs requested information regarding the implementation of anonymized email addresses in WHOIS contact information," said the organization. "It is clear from our meeting that registrant, administrative, and technical contact email addresses must be anonymized."
ICANN had somehow persuaded itself, despite clear guidance from the European authorities, that it was still going to be able to publish everyone's personal emails, through a vague reference to its own bylaws.
But everyone agrees...
ICANN's executive team said it had "hand-delivered" no less than five letters to the Article 29 Working Party – four of which are dominated by US intellectual property interests, who want to retain unfettered access to all domain name registration information.
The one letter that did not come from a group dominated by US corporate interests – ICANN's Non-Commercial Stakeholders Group – bluntly disowned [PDF] each argument that ICANN's executives have put forward.
Regardless, ICANN presented the letters, along with a policy matrix showing its proposed solution alongside others, a technical explanation of Whois and a proposed timeline to implement a new solution.
As we predicted, the timeline [PDF] shows ICANN coming up with and implementing a new Whois approach within one year – and formed the basis of ICANN's main goal in the discussion: a one-year "moratorium" during which the authorities would turn a blind eye to internet registries across the world breaking the law.
Despite having publicly and repeatedly made the moratorium its explicit priority, there is no mention of it in ICANN's meeting update, demonstrating that the Article 29 Working Party has refused to grant it.
Whois is dead as Europe hands DNS overlord ICANN its arseREAD MORE
ICANN is still holding out hope though. With literally a month to go before the law is enforced, and with no solid plan for what to do, ICANN notes that it told the regulators it "still needs additional time for implementation."
"We also shared some further thinking on the accreditation model and will provide them with a more detailed version based on their input during the meeting," the post outlines, before noting that "there are still open questions remaining, and ICANN will provide a letter seeking additional clarifying advice to better understand our plan of action to come into compliance with the law."
Failure is not an opt... oh dear
ICANN's failure to come up with a plan despite Europe's General Data Protection Regulation (GDPR) being approved two years ago, and despite more than a decade's worth of letters from the self-same Article 29 Working Party warning it about how the Whois was not compatible with European law, is a sign of just how dominated by US interests the organization is.
It is also a sign of how the organization's risk-averse culture has made it a dangerously ineffective vehicle for developing new internet policies.
And in what looks like an extraordinary lack of strategic thinking, ICANN appears to have no Plan B if the European regulators refuse to grant it a special exception to the law before the end of next month.
In its FAQs [PDF] on the topic – watched fervently by internet registries and registrars who are worried about being fined millions of dollars for failing to follow GDPR – ICANN fails to even answer the question: what happens if there is no moratorium?
Q. What happens if ICANN working in consultation with the GAC, DPAs and contracted parties are unable to develop an accreditation procedure ahead of the GDPR enforcement deadline?
A. In its Proposed Interim Model (section 5.6), ICANN org has proposed an approach to accrediting users with legitimate purposes to gain access to full Thick registration/WHOIS data. We welcome community discussions surrounding this proposed model. ICANN org has offered secretariat support to one such effort and urged participation from representatives from across the community to participate.
A similar sense of denial is visible in another critical question: is ICANN a "data controller"?
The answer is apparent to ICANN's Non-Commercial Stakeholders Group, the same group that wrote the letter disagreeing with pretty much every argument put forward by its staff.
"ICANN is a data controller," it states. "ICANN does not acknowledge that it is a data controller and has not appointed a privacy officer as required under the GDPR. However, in its media release, ICANN presents itself as acting to protect the potential use of the WHOIS by third party actors. In presenting this list of 'potentially averse scenarios' we believe ICANN is acting as a data controller in seeking to maintain access to the WHOIS for these purposes."
If ICANN is taken to be a data controller, then the GDPR requirements not only land on the companies that it contracts with but on ICANN itself – meaning it could also be subject to millions of dollars in fines.
Perhaps unsurprisingly then, its own answer as to whether it is a data controller is written in indecipherable legalese:
As noted in section 7.2.11 of the Proposed Interim Model, each contracting party is acting as an independent controller in connection with the processing of WHOIS data. The contractual commitments contemplated above will address ICANN’s and each contracting party’s obligations as controllers and impose reasonable cooperation obligations to enable the exercise by data subjects of their data protection rights as set forth in the GDPR.
Also, these contractual commitments will require the contracting parties to acknowledge and agree that each is acting independently as a data controller with respect of WHOIS data processed by the party and the parties are not joint controllers as defined in the GDPR.
Which is a very long way of saying: God, we hope not.
In order to get some clarity we asked ICANN three questions in response to its meeting with the data protection authorities. Its responses are included below and are... well, you read em:
Q: Did ICANN ask for a moratorium / suspension for a year?
A: ICANN requested further guidance from the data protection authorities (DPAs) in addition to sufficient time to implement an interim compliance model.
Q: If so, what response did it get?
A: We were provided feedback from the DPAs and agreed there remain open questions where ICANN will submit to the DPAs in our effort to seek additional clarifying advice to better understand and develop our plan of action to comply with the GDPR.
Q: If no moratorium / suspension happens - what will ICANN do?
A: ICANN will continue to work with the community, including the GAC and DPAs, as well as contracted parties and the ICANN Board on the next steps.
To be clear, there are now 30 days to go before GDPR comes into force. ®