Thomas Rickert reports on the ongoing work of the EPDP in ICANN, and coming up with a digestible – if not appetizing – solution to data protection compliance for the Whois service.
ICANN seems to have a fetish for food analogies when it comes to GDPR and registration data. A “calzone model” was presented well over a year ago and recently, the so-called “strawberry team” has been pulled together by Göran Marby to explore ways to interact with European data protection authorities. As if that weren’t enough, the EPDP’s chair Janis Karklin came up with the suggestion of the “hamburger model” to describe the EPDP’s approach to a system that was previously called Universal Access Model in ICANN lingo but which has been rebranded (and rightfully so) to the SSAD, the “Standardized System for Access and Disclosure”.
Yummy! Want some more or are you fed up already?
Before you answer, here is where we are:
In this second phase of the EPDP, we were working on use cases to better understand who wants to obtain non-public registration data for what purpose on which legal basis. Also, we discussed the safeguards required in order to prevent abuse / misuse of the system. Now, a description of use cases does not make a policy, which is why a zero-draft of a policy was created based on the findings of the use-case exercise. The zero-draft consists of building blocks on different topics, such as purposes of requestors, user groups (LEAs, IP enforcers, cyber security researchers etc.), acceptable use policy, retention and deletion of data, accreditation of requestors, response requirements, disclosure agreements, etc.
The idea is to have a policy ready for sharing in December, but whether or not that is possible is yet to be seen. The upcoming ICANN Meeting in Montréal is going to be pretty decisive for that.
Let’s be clear: There are a lot (I repeat: a lot) of unanswered questions in almost every aspect of an SAAD, such as
- Who makes the decisions on disclosure requests?
- Is there room for automation?
- Will data be centrally stored or distributed?
- What approach should be taken to fund the system?
- Who can be eligible requestors?
- What does the accreditation of requestors entail?
The slow progress we are making on such questions is reason for some in the community to call the EPDP a failure and beg for regulation. I think it is premature to declare all the dishes poisoned. The ICANN community has managed to solve difficult problems more than once. Remember the IANA Stewardship Transition where many have not thought it could be possible for the community to come to consensus given the diverging and contradictory views held by different stakeholders? The community did pull it off and proved the doubters wrong. What about the outcome of that process? Well, no one really loved it, but they could live with it, as everyone had to cut back on expectations to reach consensus.
Reflecting on where we are with the EPDP, there are three conclusions I would draw from the IANA Stewardship Transition:
- The preconditions for the IANA Stewardship Transition were fundamentally different from what we have here. The pre-transition phase was a phase of good governance – different, but still good. ICANN/IANA performed their respective roles based on an arrangement with the US Government in an orderly fashion. That was a situation that almost everybody could live with and many even loved. For Whois / dealing with registration data, the situation is different. Public Whois was a service that was offered illegally and it was known to be illegal for many, many years. That situation exceptionally benefitted “Whois customers” and was unacceptable for all those interested in privacy and compliance. This imbalance makes it so difficult for stakeholders to come to consensus, as typical Whois customers feel like they are losing all the time and that the privacy / compliance camp always wins. Success on the EPDP is fundamentally dependent to the paradigm shift and the recognition that the old system is dead – it cannot be sustained with minor tweaks – and we have to accept that any new system will be completely different from the old Whois system.
- In preparation for the IANA Stewardship Transition, the working groups hired expert lawyers to help with the governance model. These lawyers gave advice on what can and what cannot be done and that was the basis for the policy considerations. We pretty much copied this approach and hired external experts to answer the legal questions the EPDP team put together. In contrast to the IANA project, however, folks are challenging the responses we get, probably because the answers do not fit their policy goals. That makes it almost impossible to make progress. We need to agree to trust our advisors, or agree that we will not be able to get the work done. Let me illustrate this: The question of who will ultimately be liable for disclosing data is probably the biggest elephant in the room. The EPDP team almost reached consensus that we have to work on the basis of the contracted parties and ICANN being joint controllers, but ICANN Org in particular did not want that result hardcoded in our report. Instead, we tasked ICANN and the contracted parties to work on the required data protection arrangements. This work is not completed and – at least from what is publicly known – has not matured to a status where we can hope to get that question resolved in the near future, despite the assessment from our external counsel (in addition to innuendos from the European Data Protection Board) that the ICANN scenario is a joint controller scenario. Lacking a clear answer to this question is a road block for the EPDP Team to make progress.
The ICANN Community is capable of delivering policy on challenging questions under difficult circumstances. It has produced good results in the past and it will be able to work the same wonders now if we can all take the lessons learned to heart. That might be difficult to swallow for some, but – to stay with the food analogy: we might not be able to cook everyone’s favorite dish, but come up with something digestible for all parts of the community.