Making ICANN’S Whois Service Data Protection Compliant

Thomas Rickert, Director of Names & Numbers at the eco Association speaks to Lars Steffen from eco about the challenge of creating a universally applicable, data protection compliant, system for the Whois database.

Watch the video or read the transcript below.


By loading the video, you accept YouTube’s privacy policy.
Learn more

Load video

Lars Steffen: With me is Thomas Rickert, Director of Names & Numbers at eco – Association of the Internet Industry. And today we would like to discuss the EPDP and what it’s all about. So, Thomas, welcome. We cannot assume that all viewers are familiar with ICANN and what ICANN is doing. Can you give us a brief explanation of what it’s all about?

Thomas Rickert: Well, the data protection laws have been a concern in the ICANN world for many, many years. But with the GDPR kicking in, ICANN had to do something in order to make its Whois service – which so far had been wide open – compliant with applicable data protection laws. And the way ICANN’s bylaws are structured, the ICANN board cannot just impose rules on all players (i.e. on all registries and registrars). What they can do is have emergency rules by virtue of a Temporary Specification, but afterwards a community process needs to be started. And that’s the Expedited Policy Development Process that I’m a part of. So, I’m a member of the EPDP team that needs to review this emergency policy the ICANN board implemented and launched before May 25th, when the GDPR was kicking in.

Steffen: Can you give us a little bit more background? When was the EPDP team set in place, and what’s the current status of its work?

Rickert: The GDPR became effective on May 25th, 2018. And on that day, the Temporary Specification that was issued by the ICANN board became effective. Shortly thereafter, the GNSO Council launched the EPDP process, and the EPDP team had its inaugural meeting. The way the work was structured was in two phases. We discussed a couple of fundamental questions in phase one, and we’ve submitted our final report to the ICANN board through the GNSO council. It was adopted there. And now we’re in the second phase of the EPDP’s work, and that’s where we’re discussing a system which either automatically or semi-automatically processes disclosure requests by third parties that want to get access to non-public registration data.

So, to illustrate this: Before the GDPR came into effect, law enforcement, IP lawyers, but also you and I – everybody – could look up registration data for basically every domain name in the gTLD world. It was wide open. And that was a concern for data protection experts and lawyers around the world. This data was then made private, or most of the data could not be viewed publicly afterwards. We’re now looking for ways to standardize the process of revealing private data to those who have a legal right to get access to the data. That can be IP holders that want to pursue trademark infringements, that can be law enforcement authorities that need certain data for their investigations. And we’re trying to find a way – if at all possible – to make this universally applicable around the globe, to have a standard approach to disclosing data that should facilitate the efforts for registries and registrars.

Steffen: So it sounds like the EPDP and the work that you’re currently doing is very important for everyone in the Internet industry.

Rickert: Previously it was heaven on earth for everybody that wanted to get access to personal data, and GDPR stopped that almost overnight. And therefore governments, law enforcement authorities, and security practitioners are very concerned that they can’t really do their work and prevent bad things from happening, because they can’t identify patterns of abusive behavior using the DNS – since all the data is behind closed doors now.

Steffen: You already mentioned that the GDPR has been in place since May 2018 and you’re currently still working in the EPDP on ensuring GDPR compliance within the ICANN space. Can you give us an idea why is it behind schedule from this perspective, and what are the next steps to get this done?

Rickert: Well, when Fadi Chehadé – ICANN’s previous CEO – gave his inaugural speech, he said that there are two issues that can hardly be resolved on this earth: One is the Palestinian conflict. The other is Whois. That, I think, is a good example to illustrate how difficult this Whois topic is. ICANN has had several groups working on a reform for the directory service, and all of them were not really successful. I think it’s been a huge task for our team to come up with a solution to this issue, where you have vastly diverging views.

There are certain parts of the community that want to keep the system more or less as it was before the Temporary Specification was put into force, and others – privacy advocates, user representative groups – that want to keep as much data as possible private. And therefore we have a huge task that we’re working on, and certainly that doesn’t resolve itself, to say the least.

So, even though we’re slightly behind schedule, I’m confident that we will be able to submit a final report in the next couple of months. And I think that the upcoming meeting in Montreal will be a major milestone for us to see how much progress we can make. And then we will also learn more about the likelihood of our group succeeding or not.

Steffen: Thomas, you’ve been heavily involved with being a co-chair on the CCWG Accountability during the IANA transition process, now you’re on the EPDP team. So from your perspective, what will be the next big challenge that ICANN or the ICANN community will face in the near future?

Rickert: Well, I think the good thing about the ICANN community is that we will never run out of challenges, whether predicted or not. But I think that after this one, possibly the next big thing for ICANN is to come up with a structured approach to launching yet more new TLDs.

Steffen: Thank you very much, Thomas, for being with us, and thank you for the insights about the EPDP and what will come in the near future in the ICANN community.

Rickert: Thanks Lars.


Making ICANN’S Whois Service Data Protection Compliant 1