Solving privacy issues post GDPR
When GDPR came into force in 2018, the redaction of whois databases caused a lot of concern about internet security. To solve the problem of getting non-public registration data without breaking privacy laws, the EPDP Team suggested a complex system called the Standardised Access System for Non-public Registration Data (SSAD). But it was too costly and complicated. So, ICANN is testing a simpler system called the Registration Data Request Service (RDRS), which connects users with ICANN-accredited registrars.
After ICANN adopted the (not so) temporary specifications on May 17, 2018, a mere eight days before the GDPR entered into force, there was a great outcry that the redaction of the whois databases would turn the internet into a lawless space. Although the criminals did not take over, obtaining the disclosure of a registrant’s details is indeed akin to a dark art. Each registrar follows its own procedure and operates its balancing test according to its self-defined criteria with a varying degree of caution.
To address this issue, the EPDP Team - the Working Group in charge of transforming the Temporary Specification into durable policies - attempted to devise a standardised access system for nonpublic registration data (SSAD). The team initially considered two models for the SSAD:
1/ a fully centralised model where accreditation of requestors, request processing, and disclosure decisions were all handled within a single clearinghouse; and
2/ a decentralised model where requests were handled by contracted parties, with no central hub for requests.
As neither model appeared to meet all the needs of a trusted system, the Team proposed a hybrid model, where requests were sent to a centralised clearinghouse, and then action on requests, decisions, and disclosure of requested information were taken up by each contracted party, as applicable.
Although this proposal appeared satisfying on paper, Moltke the Elder was again proven right: “No plan of operations extends with certainty beyond the first encounter with the enemy’s main strength.” The enemy, in that case, is the cost to develop and maintain such a system. The findings of the Operational Design Phase speak for themselves.
Considering the reaction of this system’s potential users (and cost-bearers), ICANN wisely initiated a testing phase with a rather trimmed-down system called the Registration Data Request Service (RDRS). Gone are the whole accreditation system, the types of users, dedicated policies, SLAs for registrars… As described by the ICANN Board in its February 27, 2023 resolution, ICANN is now developing and launching a “ticketing system”.
The system will connect requestors seeking nonpublic registration data with the relevant ICANN-accredited registrars for gTLD domain names. The system will not deliver registration data, links, or instructions to access registration data to the requestors; all communication and data disclosure between the requestors and registrars will occur outside the system. The participating registrars will be solely responsible for assessing the request and deciding whether to disclose the requested data per local laws.
ICANN aims to launch the system in November 2023 and will collect the relevant usage data for up to two years to assess the need for such a system and, more importantly, its expansion to a more complex and onerous one, as imagined in 2018.
There is no doubt as to the over-complexity and over-engineering of the SSAD; balancing the need to protect personal data and the need of law enforcement agencies and rights owners to identify domain registrants on a worldwide scale is not something that 25 people - no matter how qualified - could achieve with an ICANN policy.
But this does not mean that a degree of uniformity in the disclosure procedure and some guidance to legitimate access seekers in identifying the appropriate party to send a disclosure request to would be futile. With some adjustments, such a system could be enough to fill some gaps created by the rushed redaction - this is why EuroDNS will participate in this testing phase.
To round it all up, after the GDPR concerns arose in 2018 the EPDP team decided to tackle the issue head-on. They came up with a plan for a standardised access system for non-public registration data (SSAD). They tried a few different models, but they were all pretty complex and expensive. So, ICANN has decided to test out a simplified system called the Registration Data Request Service (RDRS). The RDRS will connect people who want registration data with ICANN-accredited registrars, who will then decide whether to disclose the information in accordance with local laws. It's a bit like a ticketing system - ICANN won't actually deliver the data, but they'll help you connect with the right people who can. ICANN is planning to launch the RDRS in November 2023 and see if it's worth expanding in the future.
EuroDNS is actually taking part in the testing phase, so we're excited to see how it all plays out. Overall, it's a step in the right direction for making registration data more accessible while still protecting personal data.