Domain industry talks data privacy in Panama

ICANN met from June 25^th – 28^th to achieve in 4 days what normally take 6: fix the Internet! (For a refresher on how ICANN meetings work, see this. Suffice to say, those were 4 very busy days.) And, yes, data privacy was the topic du jour.

Unless you don’t have an email address (in which case just register a domain name with us and get one for free) you must have been hammered by emails informing you that the European General Data Protection Regulation (aka GDPR) entered into force on May 25, 2018 and now, all of the sudden, every vendor you’ve ever dealt with is “valuing your right to privacy”.

But while we’ve already detailed how EuroDNS has modified the handling of its WHOIS databases to comply with GDPR data privacy laws, we’ve not described how ICANN has modified its regulations to comply with the provisions of the GDPR.

ICANN issues temporary GDPR-compliance policy

ICANN’s policy development process (PDP) usually relies on a bottom-up approach. Various community stakeholder representatives (registries, registrars, business users, intellectual property owners, non-commercial users, government representatives) participate in working groups to create policies that rule the domain name industry.

However, this time, community stakeholders were not prepared with a policy that would render ICANN GDPR-compliant. The ICANN Board of Directors had to step in and issue a temporary policy amending that which is currently used. As its name suggests, this policy can only remain in effect for a limited time - a maximum of one year.

Solving the data privacy issue and fast

While the regular ICANN PDP has many advantages, speed isn’t one of them, generally requiring years to conclude. To quickly solve the issue at hand, the community opted to initiate an expedited-PDP (or e-PDP). The majority of sessions held in Panama related to the initiation of this e-PDP and, more specifically, to the drafting of its charter.

To be perfectly frank, the crux of the matter is not so much to ensure that domain registrants personal data isn’t published. What’s really at stake is finding a balance between the individuals' right to privacy and the rights of others.

As previously explained, personal data has been redacted from the WHOIS databases and only the registrar of record and the applicable registry have access to it. Nonetheless, the right to privacy must not be perverted so that it becomes a shield for registrants using their domain names in an abusive manner.

Therefore, on top of devising a policy that will ensure the right to privacy is respected, the members of this e-PDP will have to reflect on how redacted data can be accessed by third parties with a legitimate interest in it.

Reforming WHOIS: help wanted!

The previous working group tasked with reforming the WHOIS system had 200+ participants, not all of them willing to find a solution agreeable to the community as a whole. After 2 years of weekly phone calls and quarterly meetings, this rather contentious and fruitless exercise was put on hold indefinitely. To avoid repeating this fiasco and ensure the e-PDP’s speed, the number of participants will now be limited to 36. ICANN is currently searching for a neutral candidate to chair this e-PDP.

Candidates should have the following qualifications:

• Willingness to spend 30 hours a week arbitrating conversations between divergent interests for 4 month
• Willingness to perform this primary task for no money at all

If this is you, you should definitely apply!

On a more serious note, this position and the work of this group, once formed, will modify the shape of the domain name industry for years to come. If you are willing to volunteer, please do contact EOI-EPDPTeam-Chair@icann.org

Current Registration Data Access Protocol an 80’s throwback

When navigating the ICANN world, it’s sometimes easy to forget that policy making would be impossible if not for the technical processes it creates and relies on. Regardless of whatever policy comes out of the e-PDP, a technical solution must be implemented. This is where the Registration Data Access Protocol (RDAP) enters into play. The current protocol is based on a 1982 technical documentation. As you can imagine, it’s not very well suited for the current needs of its users.

This is why technical experts in the ICANN community worked on creating a modern and granular protocol. Thanks to this protocol, different level of access will be granted to users. For example, law enforcement agencies may be granted access to certain non-public data that they require for criminal investigations, while registrars may be granted access to other data required for the transfer of a domain name from a competitor. And, of course, all of this requires that private data is never disclosed to the public.

During the Panama meeting, the group working on this process discussed how to best implement RDAP to abide by ICANN’s temporary policy and the resulting e-PDP policy.

Next round of gTLDs expected by 2020

And on an unrelated note, new gTLDs.

Time flies! The first round of new extensions was launched already 5 years ago. Not every new TLD has launched but the Community is hard at work to ensure the next round of applications (expected by 2020) will avoid the pitfalls of its predecessor. One Panama session focused on the best way to decide on applications for the same extensions. During the session, it came out that while the auction processes used during the first round doesn’t satisfy everyone, the working group hasn’t been able to find a better solution. This group’s final report is expected by Q1 2019.

More data privacy news from ICANN to come

The next ICANN meeting will be held in Barcelona from October 20 to October 27. And this time, it will be a full-fledged 7 day meeting much to the relief of many. Or, at least, me.

More to come so watch this space for the latest domain name industry news.

Photo credits: Luc