At-Large Workspace: Registration Directory Service (RDS-WHOIS2) Review Team Draft Report of Recommendations

18 November 2018

The primary concern for ALAC in this review is the accuracy of registrant data (WHOIS data) and its use by security and law enforcement bodies in addressing the misuse and abuse of the DNS system.  We recognize that the GDPR and ICANN's response to its requirements mean that some of the Report's recommendations should await outcomes of ICANN's policies in response to the GDPR. However, other recommendations impact directly on the accuracy of registrant data and should be addressed without waiting for outcomes of ICANN's response to the GDPR.

The ALAC commends the work done by Registration Directory Service (RDS-WHOIS2) Review Team: they have come up with a very thorough and extensive report, the recommendations of which are mostly supported by the ALAC. Below, a couple are mentioned that according to the ALAC deserve highlighting.

In general terms, somewhat to the ALAC’s surprise, the report starts off with stating:

"ICANN Org implementation reports for the sixteen recommendations from the WHOIS1 Review Team state that all sixteen have been fully implemented.

The RDS-WHOIS2 Review Team’s conclusions are that, of the sixteen recommendations, eight were fully implemented, seven were partially implemented and one was not implemented."

As it has been six years since the first WHOIS Review Team published its findings, the ALAC finds it concerning that the current report establishes the fact that recommendations have not been implemented in line with what ICANN Org says. Six years is a very long time, and when it comes to the assessing the initial WHOIS1 Review recommendations, the ALAC thinks that the large time period before the second review was finalized, has lead to a situation that several of the original recommendations are overtaken by developments such as:

• Work on the adoption by ICANN of RDAP, replacing the WHOIS protocol
• Changes to the RAA in 2013, including new requirements on WHOIS accuracy
• Compliance adoption of enhanced monitoring of accuracy requirements and tools
• Most significantly, the initiation within ICANN of the EPDP and related Unified Access Model discussions to address issues on the collection of, access to and further processing of personal information by contracted parties because of RAA/Registry agreements they have with ICANN.

Despite the RDS-WHOIS2 Review Team explicitly not focusing on ICANN’s actions in response to the relatively new European Union General Data Protection Regulation (GDPR), the ALAC is happy to see that the report takes the following into account:

"Those actions are ongoing and the outcomes are not sufficiently firm as to allow them to be reviewed here. However, the review team recognized the issue is of significant importance and that it would probably impact several policies related to registrant data. To the extent GDPR and its effects on the RDS (WHOIS) could be factored in, the RDS-WHOIS2 Review Team did so."

The ALAC agrees with the report’s recommendations on Strategic Priority (R1.1, R1.2), especially as it seems as if findings from the WHOIS1 Review team to support its recommendations are still true:

"Although WHOIS services are provided by ICANN's contracted parties, WHOIS look ups have now become detached from the domain name supply chain. Users of WHOIS tend not to be customers of registries and registrars, but are law enforcement, or those enforcing private law rights, and those seeking to get in touch with registrants for whatever reason. There are no income streams associated with providing WHOIS. It is viewed by many in the industry as a cost and is often difficult to locate on registrar websites. As a result, it is not a priority for many of ICANN's contracted parties - who provide funding for ICANN the corporation. It is, however, a high priority for many users who are outside the ICANN inner circle, but for whatever reason their needs have not found organizational priority to date."

The ALAC also strongly agrees with the draft report’s recommendations on Single WHOIS Policy, Contractual Compliance, and the emphasis put on these topics.

Based on the Review Team’s findings the one with regard to Data Accuracy is a concern (R4.1, R4.2, CM.1), and the ALAC looks very much forward to the Board’s response on how to handle this in the long run. One of the issues found in surveying Law Enforcement Needs (Objective Three) is that those who were asked in which ways RDS (WHOIS) did not meet their investigative needs responded in line with the following:

"A large proportion of respondents (38%) cited inaccurate data, 12% referred to no data being available, and 50% named other issues, such as incomplete information, inaccurate data (despite the separate answer category), falsified information, and the use of privacy and proxy services."

And other input from Law Enforcement Agencies apparently confirms these findings:

"law enforcement struggles both with inaccurate data (while highlighting that even inaccurate data may allow the detection of patterns or provide helpful leads)"

Besides the primary task of reviewing the recommendations of the 2012 WHOIS Final Report, the WHOIS2 Review Team set itself additional Objectives. As a final comment the ALAC wants to once more refer to Objective Three of the Review Team: "Law Enforcement Needs":

"Consistent with ICANN’s mission and Bylaws, Section 4.6(e)(ii), the review team will assess the extent to which the implementation of today’s WHOIS (the current gTLD RDS) meets legitimate needs of law enforcement for swiftly accessible, accurate and complete data."

Inaccurate records, the use of privacy and proxy services, as well as changes brought about by the Temporary Specifications to secure compliance with the General Data Protection Regulation (GDPR), seem to have impacted the work, particularly investigational, of law enforcement. The ALAC can agree with the recommendation to continuously monitor the impact of WHOIS/RDS related developments, but it is unclear to the ALAC how surveys and data gathering are to lessen the potential negative consequences on law enforcement work.

The ALAC response to each of the recommendations is summarized below:

Objective 1:

Recommendation 1: Strategic Priority

ALAC Response: Support the aim of the recommendation in the WHOIS Policy Review Team Final Report of 2012 (WHOIS1) for the ICANN Board adopting a "culture of proactive monitoring and planned improvement in RDS (WHOIS)."

Recommendation 2: Single WHOIS Policy

ALAC Response: Support for regular revision and updating to the WHOIS information, particularly as ICANN policies on registrant data are finalized. 

Recommendation 3: Outreach

ALAC Response: ALAC support in principle, but only when ICANN policies on Registrant Data are finalized.

Recommendation 4: Compliance

ALAC Response: Support recommendation.

Recommendation 5 - 9: Data Accuracy

ALAC Response: Support recommendations for determination of causes of data inaccuracy and actions to be taken to address the inaccuracy.

Recommendation 10: Privacy/Proxy Services

ALAC Response: Support recommendation.

Recommendation 11: For common interface on all publicly available registrant data, and suggestions metrics/SLAs to track and evaluate access and accuracy of registrant data.

ALAC Response: Support recommendation, particularly when ICANN policies on registrant data finalized.

Recommendation 12- 14: Internationalized Domain Names

ALAC Response: Support deferral of review of effectiveness until the program is fully implemented.

Recommendations 15 - 16: Plan and Annual Reports

ALAC Response: Accept recommendation.

Objective 3: Law Enforcement Needs

ALAC Response: Support recommendation, particularly after finalization of registrant data policies.

Objective 5:  Safeguarding Registrant Data

ALAC Response: Support recommendation.

Objective 6: ICANN Contractual Compliance Action, Structure and Processes

ALAC Response: Support recommendations.

ICANN Bylaws

ALAC Response: Support recommendation.

16 November 2018 - Bastiaan Goslings

The ALAC commends the work done by Registration Directory Service Review Team: they have come up with a very thorough and extensive report, the recommendations of which are mostly supported by the ALAC. Further below a couple are mentioned that according to the ALAC deserve highlighting.

In general terms, somewhat to the ALAC’s surprise, the report starts off with stating:

‘ICANN Org implementation reports for the sixteen recommendations from the WHOIS1 Review Team state that all sixteen have been fully implemented.

The RDS-WHOIS2 Review Team’s conclusions are that, of the sixteen recommendations, eight were fully implemented, seven were partially implemented and one was not implemented’.

As it has been six years since the first WHOIS Review Team published its findings, the ALAC finds it concerning that the current report establishes the fact that recommendations have not been implemented in line with what ICANN Org says. Six years is a very long time, and when it comes to the assessing the initial WHOIS1 Review recommendations, the ALAC thinks that the large time period before the second review was finalised, has lead to a situation that several of the original recommendations are overtaken by developments such as:

• Work on the adoption by ICANN of RDAP, replacing the WHOIS protocol
• Changes to the RAA in 2013, including new requirements on WHOIS Accuracy
• Compliance adoption of enhanced monitoring of accuracy requirements and tools
• Most significantly, the initiation within ICANN's of the EPDP and related Unified Access Model discussions to address issues on the collection of, access to and further processing of personal information by contracted parties because of RAA/Registry agreements they have with ICANN.

Despite the RDS-WHOIS2 Review Team explicitly not focusing on ICANN’s actions in response to the relatively new European Union General Data Protection Regulation (GDPR), the ALAC is happy to see that the report takes the following into account:

‘Those actions are ongoing and the outcomes are not sufficiently firm as to allow them to be reviewed here. However, the review team recognized the issue is of significant importance and that it would probably impact several policies related to registrant data. To the extent GDPR and its effects on the RDS (WHOIS) could be factored in, the RDS-WHOIS2 Review Team did so.’

The ALAC agrees with the report’s recommendations on Strategic Priority (R1.1, R1.2), especially as it seems as if findings from the WHOIS1 Review team to support its recommendations are still true:

‘Although WHOIS services are provided by ICANN's contracted parties, WHOIS look ups have now become detached from the domain name supply chain. Users of WHOIS tend not to be customers of registries and registrars, but are law enforcement, or those enforcing private law rights, and those seeking to get in touch with registrants for whatever reason. There are no income streams associated with providing WHOIS. It is viewed by many in the industry as a cost and is often difficult to locate on registrar websites. As a result, it is not a priority for many of ICANN's contracted parties - who provide funding for ICANN the corporation. It is, however, a high priority for many users who are outside the ICANN inner circle, but for whatever reason their needs have not found organizational priority to date.’

The ALAC also strongly agrees with the draft report’s recommendations on Single WHOIS Policy, Contractual Compliance, and the emphasis put on these topics.

Based on the Review Team’s findings the one with regard to Data Accuracy is a concern (R4.1, R4.2, CM.1), and the ALAC looks very much forward to the Board’s response on how to handle this in the long run. One of the issues found in surveying Law Enforcement Needs (Objective Three) is that those who were asked in which ways  RDS (WHOIS) did not meet their investigative needs responded in line with the following:

‘A large proportion of respondents (38%) cited inaccurate data, 12% referred to no data being available, and 50% named other issues, such as incomplete information, inaccurate data (despite the separate answer category), falsified information, and the use of privacy and proxy services’

And other input from Law Enforcement Agencies apparently confirms these findings, as a.o.

‘law enforcement struggles both with inaccurate data (while highlighting that even inaccurate data may allow the detection of patterns or provide helpful leads)’

Besides the primary task of reviewing the recommendations of the 2012 WHOIS Final Report, the WHOIS2 Review Team set itself additional Objectives. As a final comment the ALAC wants to once more refer to Objective Three of the Review Team: ‘Law Enforcement Needs’:

‘Consistent with ICANN’s mission and Bylaws, Section 4.6(e)(ii), the review team will assess the extent to which the implementation of today’s WHOIS (the current gTLD RDS) meets legitimate needs of law enforcement for swiftly accessible, accurate and complete data’

Inaccurate records, the use of privacy and proxy services, as well as changes brought about by the Temporary Specifications to secure compliance with the General Data Protection Regulation (GDPR), seem to have impacted the work, particularly investigational, of law enforcement. The ALAC can agree with the recommendation to continuously monitor the impact of WHOIS/RDS related developments, but it is unclear to the ALAC how surveys and data gathering are to lessen the potential negative consequences on law enforcement work.

11 November 2018 - Holly Raiche

Introduction

It has been six years since the original WHOIS Final Report Report Recommendations were made which means that many of them have already been implemented (as acknolwedged by the working group) or overtaken by implemenation of the following (as acknowledged in this Report). 

• Development and adoption by ICANN of RDAP, replacing the WHOIS protocol
• Changes to the RAA in 2013, including new requirements on Whois Accuracy
• Compliance area adoption of enhanced monitoring of accuracy requirements anad tools
• Most significantly, ICANN's urgent steps through the work of the EPDP and Unified Access Model to address issues on the collection, access and use of personal information by the RAA/Registry agreements as raised by the GDPR.

The recommendation on outreach is also premature until EPDP and Access Model requirements are settled.

Generally, the ALAC should continue to support the need for accuracy of the personal data collected, and that the accuracy of data continue to be a priority of Compliance.

As this Report notes, while ICANN believes all of the 16 recommendations in the WHOIS Final Report have been fully implemented, this working Group finds that only 8 of the Report's recommendations have been fully implemented - as noted below.

The Report sets out the Working Group's Objectives.  Apart from its primary task of review of the recommendations of the 2012 WHOIS Final Report (Objective One) other objective include Anything New (Objective 2), Law Enforcement Needs (Objective 3),  Consumer Trust (Objective 4) Safeguarding Registrant Data (Objective 5), and  ICANN Contractual Compliance Action, Structure and Processes (Objective 6)

Objective One: Suggested Responses to the original recommendations (and whether they have been implemented) are proposed as follows:

• Strategic Priority (Rec 1) (Partially Implemented)

The Report makes three recommendations for the Board to establish a Board subcommittee and monitor legislative and policy developments on RDS from a legislative and policy perspective

Suggested ALAC Response: Revise and defer the recommendation. The Board is already engaged in the development of new policies to address the GDPR. Once there is established policy on the collection, use and access to personal daa under a revised RAA/Registry agreements, clearly there should be Board oversight of relevant legislative and policy developments that further impact on RDA.

• Single Whois Policy (Rec 2) (Fully Implemented)

There has been a single portal with links to elements of Whois. The Recommendation is for revision and updating to documentation

Suggested ALAC response: Accept ( only when ICANN policies on registrant data are finalised)

• Outreach(Rec 3) (Implemented but not to communities outside ICANN)

Recommendation to identify and target groups outside of ICANN for information on RDA

Suggested response: Accept in principle, but only when ICANN policies on registrant data finalised

• Compliance (Rec 4) (Significant Improvement, partially implemented)

Recommendation for Board to proactively monitor and enforce RDS data accuracy requirements – detailed in recommendations

Suggested ALAC response: Support recommendation

• Data Accuracy (Rec 5 – 9) (Rec 5 Fully implemented, Recs 6-7 partially implemented, Rec 9 not implemented)

Recommendations for methodology to determine underlying causes and action to be taken to address accuracy

Suggested ALAC response: strongly support recommendations

• Privacy/Proxy Services (Rec 10) (PDP completed recommendation assessment of effectiveness)

Recommendation for monitoring of effectiveness of the PPSAI

Suggested ALAC response: support recommendation

• Common Interface (Rec 11) (Fully implemented)

Recommendation for common interface on all publicly available RDS output with suggestions on metrics for tracking and evaluation of effectiveness

Suggested ALAC response: delay implementation until finalisation of EPDP and Unified Access Model

• Internatonalized Domain Names (Rec 12 – 14) (Fully implemented)

No recommndation - review of effectiveness to be deferred until the program is fully implemented

Suggested ALAC Response: Agree on recommendation to delay

• Plan and Annual Reports (Rec 15 – 16) (Partially implemented)

Recommendation for regular gathering of data to allow assessment of effectiveness of RDS

Suggested ALAC Response: Accept recommendation

Objecive Two: Anything New

(no new recommendations at this time)

Objective Three: Law Enforcement Needs

Recommendations for regular surveys/studies to assess the effectiveness of RDS policies on meeting the needs of law enforcement agencies and other users working with law enforcement agencies

Ssugggested ALAC Response: Srongly support

Objective Four:  Consumer Trust

no recommendations at this time

Objective Five Safeguarding Registrant Data

Recommendation calling for a review to ensure all ICANN contracts with contracted parties include strong uniform requirements for the protection of registrant data

Suggested ALAC Response: Support recommendation

Objective Six: ICANN Contractual Compliance Action, Structure and Processes

recommendations to address issues of the inaccuracy of data and the use of special tools to detect inaccuracies of data

Suggested ALAC Response:  Support recommendations

ICANN Bylaws

Recommendation to amend  the Bylaw 4(6)(e) on 'safeguarding registrant data' and replace with a more generic requirement for RDS review teams to assess RDS policies and practices

Suggested ALAC Response: Support recommendation

Holly Raiche - First Draft for Comment

Notes for Response to WHOIS Review2 Draft Report

(Note: I have still not developed a response to the additional recommendations made by this draft report, although some of them should also be deferred until there is clarity on a new RDS policy on the collection, retention and access of data).

Introduction

It has been six years since the Report and Recommendations were made – thus making the recommendations either no longer necessary or meaning recommendations should be updated, including the following (some of which have been acknowledged in the draft report

• Development and adoption by ICANN of RDAP, replacing the WHOIS protocol
• Changes to the RAA in 2013, including new requirements on Whois Accuracy
• Compliance area adoption of enhanced monitoring of accuracy requirements
• Most significantly, ICANN push through the EPDP and Unified Access Model to address GDPR

In particular, the urgent focus on the development of revised policies to address compliance impacts on the 2012 recommendations in two specific areas including

• Focus on the ICANN GNSO and Board on the development of revised policies mean

recommendations for a stronger Board focus on WHOIS policy are inappropriate at this time, given the Board’s new focus on the GDPR and development of new RDS policies

• Given the uncertainty on what personal data will be collected, retained and access and who will have access on that data in what circumstances, it is premature to strengthen WHOIS requirements on data collection and access before the EPDP and Uniform Access Model are adopted and there is clarity on what data is collected, what data is publicly available and in what circumstances. As well, the recommendation on outreach is also premature until there is finality on the EpDP and Access Model requirements

Nevertheless, the ALAC should continue to support the need for accuracy of the personal data collected, and that the accuracy of data continue to be a priority of Compliance.

Suggested Responses to the 12 Original recommendations(and whether they have been implemented) are proposed as follows:

• Strategic Priority (Rec 1) Partially Implemented

The Report makes 3 recommendations for the Board to establish a Board subcommittee and monitor legislative and policy developments on RDS from a legislative and policy perspective

Suggested Response: Defer the recommendation (or delete) The Board is already engaged in the development of new policy to address the GDPR

• Single Whois Policy (Rec 2) (Fully Implemented)

There has been a single portal with links to elements of Whois. The Recommendation is for revision and updating to documentation

Suggested response: Accept in principle, but only when ICANN policies on registrant data is finalised

• Outreach(Rec 3) (Done but not to communities outside ICANN)

Recommendation to identify and target groups outside of ICANN for information on RDA

Suggested response: Accept in principle, but only when ICANN policies on registrant data finalised

• Compliance (Rec 4) (Significant Improvement, partially implemented)

Recommendation for Board to proactively monitor and enforce RDS data accuracy requirements – detailed in recommendations

Suggested response: Support recommendation

• Data Accuracy (Rec 5 – 9) (Partially or fully implemented – but not necessarily clear  of improvement in contactability)

Recommendation for methodology to determine underlying cause and action to be taken

Suggested response: support recommendation

• Privacy/Proxy Services (Rec 10) (PDP completed recommendation assessment of effectiveness)

Recommendation for monitoring of effectiveness of the PPSAI – which becomes operational on 31Dec 2019

Suggested response: support recommendation

• Common Interface (Rec 11) (Fully implemented)

Recommendation for common interface on all publicly available RDS output with suggestions on metrics

Suggested response: delay implementation until finalisation of EPDP and Unified Access Model

• IDNs (Rec 12 – 14) (Fully implemented)
• Recommendation  - to defer implementation, and review occur after RDAP is implemented

Suggested Response: Agree on recommendation to delay

• Plan and Annual Reports (Rec 15 – 16) (Partially implemented)
• Recommendation for regular gathering of data to allow assessment of effectiveness of RDS

Suggested Response: Accept recommendation