Road to nowhere
ICANN's staff and contractors have written roughly a paper every year for the past 20 years on Whois but none of them have ever led to any real change in the system. As time went on, the problem grew and so did the inertia around fixing it. Companies built more and more services on top of the flawed foundation.
Registrars were forced to half-check that the registration details given were accurate; ICANN started requiring that domain owners reconfirm their details every few years; researchers started delving into the vast treasure trove of information in order to elicit insights. Law enforcement became expert at reading Whois tea-leaves to figure out what criminal enterprise was behind a specific website.
The entire outdated, flawed, and hopelessly unfit-for-purpose Whois system became locked in time because no one could agree on what a better system would look like.
But chief among those blocking reform were American intellectual property lawyers. Those lawyers knew that even though the information they received from Whois was far from accurate, that any reform to Whois would almost certainly cut them out of accessing the data altogether. Or, just as bad, they would have to pay a fee to access the information every time.
All of which makes what has happened in the past few months even more significant.
European legislators decided, definitively, that they did not like the vast industry that had built up around gathering and selling people's personal data. The worst offenders are, of course, online services like Facebook and Google who leverage their enormous online reach to gather vast quantities of data and package them for advertisers.
Here's an idea
The result was GDPR, a law passed back in May 2016 that encompasses a very simple concept: people should be entitled to decide what is done with their personal information.
That means that if a company wants to gather and use their data they have to get their permission. And it means that someone can decide that they no longer want that company to use their data, and that company is obliged to stop doing so.
During the two-year lead-in to GDPR's implementation countless individuals told ICANN that the new law would have a direct impact on the ossified Whois service, but the organization simply refused to consider it.
Whois privacy shambles becomes last-minute mad data scrambleREAD MORE
And the reason it failed to do so was ably explained by ICANN's CEO Goran Marby. "GDPR is really the first – my understanding, is really the first law that has a direct affect on our ability to make policy," he told a gathering of governments at an ICANN meeting in March. "This law was designed several years ago. And, apparently, as a community, as an institution we didn't pay much attention. We started very late."
The truth is that, just as Whois has been a persistent problem argued over for two decades now, ICANN's disdain for literally any organization that tries to tell it what it needs to do knows no bounds.
For many years, the only organization that was able to prevent ICANN's staff and board from making the wrong decision was the US government – and that was because the US government held sway over the contract that gave ICANN all of its authority – the so-called IANA contract that decides what addresses are allowed to exist on the global internet.
On numerous occasions, when ICANN was about to make a bad decision, often one vehemently opposed by its own community, the US government's representatives would hold a private meeting with its senior staff or its board and tell them they needed to reconsider.
(There is even a transcript [PDF] of one such occasion from 2010 when US rep Larry Strickling made it plain that its plan to massively expand the internet's address space was half-baked and full of holes: ICANN's board delayed the decision for six months while it fixed the problems.)
Within the organization, as uncomfortable as people were with the idea of a single government being the ultimate force, the US government was nevertheless seen as a critical backstop for an organization that has a severe lack of accountability and a chip on its shoulder.
And in return, the US government fiercely protected ICANN, not least when it went toe-to-toe with the world's governments for two years during the World Summit on the Information Society (WSIS) and beat back an effort to pull ICANN into the United Nations.
It did it again in at the World Conference on International Telecommunications (WCIT) in 2012 when the US delegation literally walked out the room and took with them the majority of the western world's politicians when some governments tried to force through changes to the status quo.
Under the protection of the US government's wing, ICANN would literally sneer at other organizations and governments. A visit from the head of the International Telecommunication Union (ITU), Hamadoun Toure, to an ICANN meeting in 2007 led to a shouting match between him and an ICANN board member who felt he had been disrespectful.
A letter [PDF] sent in 2011 from the general counsels of 28 intergovernmental organizations including the World Trade Organization (WTO), World Health Organisation (WHO), OECD, UNESCO and NATO firmly asking ICANN to protect their organizations' names in the same way ICANN protects the names of its own internal constituencies was simply ignored.
And so on and so on.
Based in the United States, dominated by US corporations and protected by the US government, ICANN became used to doing exactly what it wanted.
Sponsored: Webcast: Simplify data protection on AWS