After two years of failed policy work, ICANN has returned to Europe, dropped to its knees, and begged the continent to finish the rest of the DNS overseer's half-done Whois domain-name database so that it doesn't fall foul of GDPR.
In a seven-page letter [PDF] to three European commissioners, CEO Goran Marby asked no less than ten times for “clarity” on how ICANN's overhauled Whois system can fit within strict European rules on protecting people's privacy and personal information. And Whois is full of personal information about domain name owners, which is a problem.
But rather than ask a precise series of questions aimed at soliciting clear responses that ICANN can then use to finalize its new system, the letter instead comprises a rambling rundown of the unfinished process its community has developed, and effectively asks Europe to solve its remaining problems for it.
Referring to the Standardized Access/Disclosure (SSAD) that ICANN has spent two years developing but remains far from complete, Marby wrote: “Whether the SSAD can be further developed to enable greater centralization critically depends on whether legal clarity and certainty can be achieved with regard to the applicability of the GDPR’s controllership provisions.”
He later noted: “Legal clarity could mean the difference between ICANN having a fragmented system that routes most requests for access to non-public registration data from requestors to thousands of individual registries and registrars for a decision, on the one hand, versus ultimately being able to implement a centralized, predictable solution...”
The letter continues like this for pages, frequently repeating itself: “The decision whether or not to disclose will continue to remain with the registrars and registries as individual parties that weigh requests against their own standards, unless further clarity and certainty can be obtained about the impact centralized decision-making will have on the controllership for the processing activities in relation to the disclosure decision.”
But... why would it?
What comes across is an apparent belief on ICANN’s part that the European Commission will wade into the precise details of its (somewhat obscure) system. Which is odd, not only because the EC will manifestly not do that, but that it has repeatedly told ICANN in the past – sometimes in blunt terms – that it has to sort out its own problems with its own system.
In fact, ICANN and this very issue was responsible for one of the most bizarre policy approaches the internet world has ever seen when, back in 2018, ICANN persuaded itself that Europe’s data protection authorities would grant it a special one-year “moratorium” after it failed to come up with a GDPR-compliant solution for Whois before the May 25 deadline.
Haunted by Europe's GDPR, ICANN sharpens wooden stake to finally slay the Whois vampireREAD MORE
"Unless there is a moratorium,” ICANN wrote in a blog post to its own community, “we may no longer be able to give instructions to the contracted parties through our agreements to maintain Whois. Without resolution of these issues, the Whois system will become fragmented.” It then wrote several letters to European data protection watchdogs and the EC insisting on being granted the moratorium.
When The Register spoke to the president of its Global Domains Division, Akram Atallah, and asked why ICANN believed this was going to happen, he was unable to give a single example of another industry that has been granted similar relief. Instead, he argued that public statements from privacy regulators saying they weren't seeking to punish people immediately over GDPR would mean the moratorium would be granted.
ICANN’s CEO then flew to Brussels, confidently promising to come back with a one-year extension. But, of course, he returned empty-handed when the European authorities said not only was there no such mechanism, but that it wouldn’t be able to legally grant one even if it did exist because GDPR was already in place.
The self-delusion didn’t stop there: ICANN then launched into a legal battle in Europe over Whois and GDPR. One of its registrars in Germany refused to maintain ICANN’s Whois system because, they noted, it broke the law in their country.
So ICANN sought an injunction, insisting that the German legal system rule on the legality of its Whois system. The German courts immediately threw the case out. ICANN appealed, insisting the court had erred by not deciding what the law was with respect to Whois.
The appeal was also thrown out. So ICANN appealed that decision. And was unceremoniously thrown out again for the very simple reason that while Whois was important to ICANN, it was not that important to the rest of the world which lives with millions of databases much larger and more important than Whois every day.
It is worth noting that pretty much every other massive database in the world managed to get its own GDPR compliance lined up before the regulation came into force, in large part because there had been a two-year lead time.
In the end, ICANN was forced to simply shut down the Whois system altogether until it could develop an alternative.
In an effort to come up with a solution, ICANN launched an “expedited” policy process for a replacement but even now, years later, it has not reached agreement on anything but a vague framework [PDF] that no one is happy with.
It has proposed a system that it estimates will cost $9m to set up and as much to run every year but which governments [PDF] and intellectual property lawyers remain deeply dissatisfied with. It’s not clear who will pay for the solution or if it even has the votes to pass a first approval hurdle.
And so, with pressure building on ICANN to resolve the issue, the organization has again turned to the European Commission and asked it to rule on complex issues of data accuracy and data controllership within the confines of its own Whois system.
The answer, when it comes, looks inevitable: no, you sort it out. And ICANN’s credibility as a global policy-making body will fall one further step. ®