AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

09 December 2019

Registration Directory Service (RDS-WHOIS2) Review Team Final Report

ADOPTED

15Y, 0N, 0A

Hadia Elminiawi

20 November 2019

08 December 2019

09 December 2019

12 December 2019

09 December 2019

Negar Farzinnia
negar.farzinnia@icann.org

AL-ALAC-ST-1219-01-01-EN

Hide the information below, please click here 

Brief Overview

Purpose:

In its Final Report, the Registration Directory Service Review Team assessed the extent to which prior Directory Service Review recommendations have been implemented and implementation has resulted in the intended effect. The review team also assessed the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promotes consumer trust and safeguards registrant data. Informed by ICANN organization briefings and available documentation, the review team has formulated draft recommendations based on a factual analysis.

Current Status:

This Public Comment proceeding aims at gathering community input on the RDS-WHOIS2 Review Team's proposed findings and final recommendations.

Next Steps:

By 3 March 2020, within six months of receipt of the Final Report, the ICANN Board shall take action on the Final Recommendations. Part of the Board's consideration around taking action will entail looking at the feasibility analysis and impact assessment of implementation of recommendations, taking into account initial cost and resource estimates and dependencies with other ongoing efforts within the community, and the report of the Public Comment submissions received. The Board will then direct implementation of the recommendations that were accepted and provide written rationale for the decision if any recommendations are not accepted.

Section I: Description and Explanation

The Registration Directory Service Review is one of the four Specific Reviews anchored in Article 4.6 of the ICANN Bylaws. These specific reviews are conducted by community-led review teams which assess ICANN's performance in reaching its commitments. Reviews are critical to helping ICANN achieve its mission as detailed in Article 1 of the Bylaws.

According to the Bylaws (Section 4.6(e)), ICANN shall use commercially reasonable efforts to enforce its policies relating to registration directory services and shall work with Supporting Organizations and Advisory Committees to explore structural changes to improve accuracy and access to generic top-level domain registration data, as well as consider safeguards for protecting such data.

Convened in June 2017, the RDS-WHOIS2 Review Team is now seeking input on its Final Report, which assesses:

  1. the extent to which prior Directory Service Review recommendations have been implemented and the extent to which implementation of such recommendations has resulted in the intended effect.

  2. the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promotes consumer trust and safeguards registrant data.

Community input is being sought on 22 final recommendations.

All comments will be reviewed and summarized in the report of Public Comment submissions. The ICANN Board shall consider the report and Public Comment submissions to determine whether to approve the recommendations. The Board will then direct implementation of the recommendations that were approved and provide written rationale for the decision if any recommendations are not approved.

Commenters are requested to clearly indicate the relevant sections of the Final Report, or numbered recommendations, with their comments.

Section II: Background

Convened in June 2017, the RDS-WHOIS2 Review was conducted under Section 4.6 of the ICANN Bylaws. This review effort was anchored in the portfolio of Specific Reviews, which address the following range of topics in addition to Registration Directory Services (RDS): Accountability and Transparency (ATRT), Competition, Consumer Trust and Consumer Choice (CCT), and Security, Stability and Resiliency of the DNS (SSR).

The RDS-WHOIS2 Review began with a call for qualified volunteers to serve on the review team. Choosing from a pool of candidates seeking nominations, ICANN's Supporting Organizations and Advisory Committees (SO/ACs) nominated a list of candidates to inform SO/AC Chairs' discussions and decision as they assembled composition of the review team. Eleven review team members were appointed to conduct this review, including a Board member who served on the review team. The Country Code Names Supporting Organization (ccNSO) opted to not participate in the review after consideration of the scope.

Prior to this review, community proposals were made to both limit the scope of this RDS-WHOIS2 Review to the assessment of the first WHOIS1 Review Team's recommendations, and also to include a range of other issues over and above those mandated in the Bylaws.

Formally, the scope of a review is the responsibility of the review team. After much discussion the RDS-WHOIS2 Review Team decided that it would review all of the Bylaws-mandated areas, except the OECD Guidelines, as they were under consideration by the Next-Generation gTLD RDS PDP and were judged to be less relevant, particularly in relation to the GDPR. In addition, the RDS-WHOIS2 Review Team included in its scope a review of new policy adopted by ICANN since the WHOIS1 Review Team published its report, and decided to perform a substantive review of Contractual Compliance with the intent of (a) assessing the effectiveness and transparency of ICANN enforcement of existing policy relating to RDS (WHOIS) through ICANN Contractual Compliance actions, structure and processes, including consistency of enforcement actions and availability of related data, (b) identifying high-priority procedural or data gaps (if any), and (c) recommending specific measurable steps (if any) the team believes are important to fill gaps.

The RDS-WHOIS2 Review Team explicitly did not focus on ICANN's actions in response to the relatively new European Union GDPR. Those actions were ongoing, and the outcomes were not sufficiently firm as to allow them to be reviewed. However, the Review Team recognized the GDPR issue was of significant importance and that it would probably impact several policies related to registrant data. To the extent GDPR and its effects on the RDS (WHOIS) could be factored in, the RDS-WHOIS2 Review Team did so.

To conduct this review, subgroups consisting of a rapporteur and 2-4 team members were formed to research facts associated with each objective, summarized below:

  • Objective 1 – WHOIS1 Rec #1: Strategic Priority
  • Objective 1 – WHOIS1 Rec #2: Single WHOIS Policy
  • Objective 1 – WHOIS1 Rec #3: Outreach
  • Objective 1 – WHOIS1 Rec #4: Compliance
  • Objective 1 – WHOIS1 Rec #5-9: Data Accuracy
  • Objective 1 – WHOIS1 Rec #10: Privacy/Proxy Services
  • Objective 1 – WHOIS1 Rec #11: Common Interface
  • Objective 1 – WHOIS1 Rec #12-14: Internationalized Registration Data
  • Objective 1 – WHOIS1 Rec #15-16: Plan & Annual Reports
  • Objective 2 – Anything New
  • Objective 3 – Law Enforcement Needs
  • Objective 4 – Consumer Trust
  • Objective 5 – Safeguarding Registrant Data
  • Objective 6 – Contractual Compliance Actions, Structure, & Processes
  • Objective 7 – ICANN Bylaws

Informed by ICANN organization briefings and available documentation, these subgroups analyzed facts to identify possible issues and then formulated recommendations (if any) to address those issues.

The Review Team reviewed the Public Comment submissions received on its Draft Report and discussed incorporation in the Final Report at their fourth/last face-to-face meeting.

To ensure full transparency, the Review Team operated in an open fashion where all review team calls and meetings were public, open to observers, with publicly-accessible recordings and transcripts.

Section III: Relevant Resources

Registration Directory Service (RDS-WHOIS2) Review Team Final Report

Executive Summary

Section IV: Additional Information

Registration Directory Service (RDS-WHOIS2) Review Team Wiki Space

Registration Directory Service (RDS) Review Information Page

Registration Directory Service (RDS-WHOIS2) Review Team Draft Report Public Comment Proceeding

WHOIS Review Team (WHOIS1) Final Report

Section V: Reports

FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 


FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

The ALAC welcomes the report of the registration directory service (RDS) second review team and takes this opportunity to provide its comments on the report herein.

We highlight the importance of recommendation R5.1 which addresses the accuracy of the data and we strongly advise its acceptance by the Board. Given the fact that the WHOIS Accuracy Reporting System (ARS) project has shown that there are many errors in existing registration data and taking into consideration the EPDP team phase one report on gTLD registration data which reduced the number of contact fields, ensuring accuracy is even more important than before. Entities that work to protect the Internet end users depend heavily on the accuracy of the data and the contact information provided through it. In addition, principle 5(1)d of the GDPR particularly requires that all reasonable steps are taken to ensure the personal data is not incorrect or misleading as to any matter of fact. Depending on the purpose of use of the data, it should be kept updated. To comply with GDPR, serve the purpose of collection (specifically to be able to contact the registrant), give the data subjects their rights and allow parties trying to protect end users to access useful data; implementation of this high priority recommendation is required.

In light of the GDPR and to enhance the accuracy of the data we note the importance of recommendations R4.1, R4.2 and CC.3 which address contractual compliance methodology and resourcing. Compliance should be taking a more pro-active position and not just responding to individual complaints. This also aligns with recent discussions during ICANN 66 on domain name abuse.

Recommendation R3.1 about documentation is also important to end users and to registrants. WHOIS is confusing to users and registrants and GDPR makes it more so. In addition GDPR requires documenting what we are doing.

The ALAC regards the team's findings with regard to recommendations LE.1 and LE.2 in relation to the law enforcement needs as very important. 89% of the respondents deemed RDS as very important in their investigations. We note that 60% of the respondents to the law enforcement survey responded that they did not have alternatives that would fulfill the same investigative need as the former WHOIS. However, when respondents who said they had alternative options were asked to identify the tools, the majority identified tools that also rely on RDS lookup. When asked about how investigation is affected if RDS information is not available on a public query basis, 79% indicated that investigations are either delayed or discontinued altogether. The ALAC welcomes the recommendations of the team and supports surveys and information gathering. In addition, we note to the importance of the surveys conducted by the review team to the EPDP team working on gTLD registration data policy development.

With regard to consumer trust the ALAC finds the definition of consumer trust in relation to the RDS provided by the WHOIS1 review final report which says “consumer trust can be narrowly construed to mean the level of trust users have in available WHOIS data; or more broadly as the level of trust consumers have in Internet information and transactions in general” as a very important guide when looking at the benefits of the RDS to users. The report notes that although users do not directly use the system nevertheless the data stored does indirectly significantly impact users.

Recommendations R11.1, R11.2 addressing the WHOIS portal are also important, although GDPR has reduced the amount of information publicly available, the portal is not delivering all of the data that is available, maintaining full functionality is required. The portal must provide all available information in a clear and usable fashion.  

With regard to recommendation R12.1 we would like to highlight the importance of the translation of the registration data. However, we understand that reviewing the effectiveness of the recommendations of the first review team in this regard is currently not possible and that such an evaluation will only be possible after the adoption of the new Registration Data Access Protocol (RDAP)

Finally, in light of the Temp. Spec and the new RDS policy being developed to comply with the GDPR the ALAC acknowledges the challenges that might have faced the review team in the development of the report. Nevertheless, we find the report including very useful information that should be used to guide the development of relevant policies. The ALAC appreciates the team’s effort and supports the provided recommendations.


DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins. The Draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(S) should be left in place and the new version along with a header line identifying the drafter and date/time should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).

Hadia ElMiniawi

12/3/2019 3:30 UTC

The ALAC welcomes the report of the registration directory service (RDS) second review team and takes this opportunity to provide its comments on the report herein. We note the importance of recommendation R5.1 which addresses the accuracy of the data. Given the fact that the WHOIS Accuracy Reporting System (ARS) project has shown that there are many errors in the registration data and taking into consideration the EPDP team phase one report on gTLD registration data, which reduced the number of contact fields, ensuring accuracy is even more important than before. Entities that work to protect the Internet end users depend heavily on the accuracy of the data and the contact information provided through it. In addition principle 5(1)d of the GDPR particularly requires that all reasonable steps are taken to ensure the personal data is not incorrect or misleading as to any matter of fact. Depending on the purpose of use of the data, it should be kept updated. In addition, all challenges to the accuracy of the data should be taken into consideration. To comply with GDPR, serve the purpose of collection, give the data subjects their rights and allow parties trying to protect end users to access useful data; implementation of this high priority recommendation is required. In light of the GDPR and to enhance the accuracy of the data we note the importance of recommendations R4.1, R4.2 and CC.3 that address compliance and resources for compliance. Compliance should be taking a more pro-active position and not just responding to individual complaints. This also aligns with the needs of important issues like domain name abuse. Recommendation R3.1 about documentation is also important to end users. WHOIS is confusing to users and registrants and GDPR makes it more so. In addition GDPR requires documenting what we are doing. The ALAC regards the team's findings with regard to recommendations LE.1 and LE.2 in relation to the law enforcement needs as very important. Where 60% of the respondents to a survey to identify possible alternatives to the RDS lookups that would fulfill the same investigative need, indicated that they do not have any other tool in this regard. In addition, 89% of the respondents deemed RDS as very important. The ALAC welcomes the recommendations of the team and supports surveys and information gathering. In addition, we note to the importance of the surveys conducted by the review team to the EPDP team working on gTLD registration data policy development. With regard to consumer trust the ALAC finds the definition of consumer trust in relation to the RDS provided by the WHOIS1 review final report which says “consumer trust can be narrowly construed to mean the level of trust users have in available WHOIS data; or more broadly as the level of trust consumers have in Internet information and transactions in general” as a very important guide when looking at the benefits of the RDS to users. The report mentions that although users do not directly use the system nevertheless the data stored does indirectly significantly impact users. Recommendations R11.1, R11.2  addressing the WHOIS portal are also important, although GDPR has reduced the amount of information publicly available, the portal is not delivering all of the data that is available, maintaining full functionality is required. With regard to recommendation R12.1 we would like to highlight the importance of the translation of the registration data. However, we understand that reviewing the effectiveness of the recommendations of the first review team in this regard is currently not possible and that such an evaluation will only be possible after the adoption of the new Registration Data Access Protocol (RDAP)

Finally, in light of the Temp. Spec and the new RDS policy being developed to comply with the GDPR the ALAC acknowledges the challenges that might have faced the review team in the development of the report. Nevertheless, we find the report including very useful information that should be used to guide the development of relevant policies. The ALAC appreciates the team’s effort and supports the provided recommendations.


Hadia Elminiawi

The ALAC welcomes the report of the registration directory service (RDS) second review team and takes this opportunity to provide its comments on the report herein. The ALAC fully supports the recommendations in relation to objective one with regard to the recommendations of the first RDS review team and we particularly note the importance of recommendation R5.1 addressing the data accuracy. Principle 5(1)d of the GDPR particularly requires that all reasonable steps are taken to ensure the personal data is not incorrect or misleading as to any matter of fact. Depending on the purpose of use of the data, it should be kept updated. In addition, all challenges to the accuracy of the data should be taken into consideration. To comply with GDPR, serve the purpose of collection and give the data subjects their rights; implementation of this high priority recommendation is required. We also note the importance of this recommendation in supporting the entities that work to protect the Internet end users. With regard to recommendation R12.1 we would like to highlight the importance of the translation of the registration data. However, we understand that reviewing the effectiveness of the recommendations of the first review team in this regard is currently not possible and that such an evaluation will only be possible after the adoption of the new Registration Data Access Protocol (RDAP). The ALAC regards some of the findings with regard to objective three in relation to the law enforcement needs as very important. Where 60% of the respondents to a survey to identify possible alternatives to the RDS lookups that would fulfill the same investigative need, indicated that they do not have any other tool in this regard. In addition, 89% of the respondents deemed RDS as very important. The ALAC welcomes the recommendation of the team and supports surveys and information gathering. In addition, we note to the importance of the surveys conducted by the WHOIS2 review team to the EPDP team working on gTLD registration data policy development. In addressing objective four, consumer trust the ALAC finds the definition of consumer trust in relation to the RDS provided by the WHOIS1 review final report which says “consumer trust can be narrowly construed to mean the level of trust users have in available WHOIS data; or more broadly as the level of trust consumers have in Internet information and transactions in general” as a very important guide when looking at the benefits of the RDS to users. The report mentions that although users do not directly use the system nevertheless the data stored does indirectly significantly impact users. The ALAC would like to emphasis on the findings of the review team and its importance to the Internet users.

Finally, in light of the Temp. Spec and the new RDS policy being developed to comply with the GDPR the ALAC acknowledges the challenges that might have faced the review team in the development of the report. Nevertheless, we find the report including very useful information that should be used to guide the development of relevant policies. The ALAC appreciates the team’s effort and supports the provided recommendations.

3 Comments

  1. Alan Greenberg

    Several comments:

    On a overall basis, I would delete the references to "Objectives". The term was used in organizing the Review Teams work but it confuses the points in this comment because Objective 1 covers all sorts of ground and a reference to the specific toipic for the others would be much more understandable.

    I'm not sure that reinforcing 12.1 is needed, but if you wish to incude it, I would move it to nearer the end,

    Recommendations that I think could benefit from strong ALAC support include:


    R3.1 Documentation - WHOIS is confusing to users and registrants and GDPR makes it more so. There is also a GDPR requirement to document what we are doing.

    R4.1, R4.2 - Compliance: These are important. Compliance should be taking a more pro-active position and not just responding to individual complaints. This also goes along with the current sudden interest in domain abuse.

    R5.1 - Accuracy: I would not rely purely on GDPR as others in the community are adamant that this is NOT how they interpret GDPR. What is important is that the ARS has shown that there are many errors and the EPDP has now significantly reduced the number of contact fields available. So ensuring accuracy and thus contactability is even more important.

    R11.1, R11.2 - WHOIS Portal: Although GDPR has reduced the amount of information publicly available, the portal is not delivering all of the data that IS available.

    LE.1, LE.2 _ Law Enforcement: Your comments are good, but referring to the Rec. Numbers instead of the Objective will make it clearer.

    CC.3 - Resources for Compliance: Along with the above compliance Recs, this one is also key.

    1. Hadia Elminiawi

      I have incorporated all of your comments kindly take a look

  2. Justine Chew

    Thank you, Hadia and Alan, for a very compelling statement.