For the past five years, I and many others have felt like Horton dealing with Sour Kangaroo (ICANN.org) and the Wickersham Brothers (Contracted Parties) when raising concerns about the impact of the overly broad interpretation of the European Union’s General Data Protection Regulation (GDPR) that has severely limited access to WHOIS data putting U.S. national cyber security, consumer privacy, and child protection at risk. The simple purpose of WHOIS is to provide Internet users free access to accurate domain name registration data on “who is” behind a website/domain name that may have caused them harm, and law enforcement, consumer/child protection entities, cyber security experts, and intellectual property owners with accurate domain name registration data on “who is” behind a website/domain name that may be engaged in illegal activity. A free, open, accurate, and accessible WHOIS has been a fundamental safety and security feature of the Domain Name System (DNS), even before the creation of ICANN itself.
Even though Goran Marby, ICANN’s CEO, stated publicly that ICANN could not fix the Dark WHOIS/GDPR problem, two days before ICANN 75, ICANN.org released the “WHOIS DISCLOSURE SYSTEM DESIGN PAPER” as a means to address the Dark WHOIS/GDPR problem. A WHOIS “data disclosure system” proposal that carves out the registries (e.g., Verisign, Internet Society) and is voluntary for the registrars (e.g., GoDaddy, Tucows, Namecheap). But as Lori Schulman, President of the ICANN Intellectual Property Constituency (IPC), stated to the ICANN leadership at an ICANN 75 public forum, this proposal is not a WHOIS “disclosure” system but a WHOIS “request” system.
So therein is the rub. The Dark WHOIS/GDPR problem is not about the inability to make WHOIS requests to the Contracted Parties; But about gaining access to the underlying WHOIS registration data. Hence, the problem of a Dark WHOIS.
Here are what U.S. federal agencies and cyber security experts have said about the Contracted Parties’ responses to their WHOIS requests:
Federal Trade Commission (FTC) Letter to Congress on Consumer Protection Investigations
“Before the GDPR took effect in May 2018, the FTC and other consumer protection and law enforcement agencies routinely relied on the publicly-available registration information about domain names in WHOIS databases to investigate wrongdoing and combat fraud.
The FTC uses this information to help identify wrongdoers and their locations, halt their conduct, and preserve money to return to defrauded victims. Our agencies may no longer rely on this information because, in response to the GDPR, ICANN developed new policies that significantly limit the publicly available contact information relating to domain name registrants.”
U.S. Homeland Security Criminal Investigations Letter to Congress
“HSI views WHOIS information, and the accessibility to it, as critical information required to advance HSI criminal investigations, including COVID-19 fraud. Since the implementation of GDPR, HSI has recognized the lack of availability to complete WHOIS data as a significant issue that will continue to grow. If HSI had increased and timely access to registrant data, the agency would have a quicker response to criminal activity incidents and have better success in the investigative process before criminals move their activity to a different domain.”
Federal Drug Administration (FDA) Letter to Congress Regarding Criminal Case Investigations
“Access to WHOIS information has been a critical aspect of FDA’s mission to protect public health. Implementation of the E.U. General Data Protection Regulation (GDPR) has had a detrimental impact on FDA’s ability to pursue advisory and enforcement actions as well as civil and criminal relief in our efforts to protect consumers and patients.”
“You cite a concern raised in the presentation that “A requester must have a subpoena to access non-public domain name registration data.” Unfortunately as SA Burke noted, this is not the actual experience of FDA-OCI special agents who, when requesting non-public domain name registration data from any one of the over 2,400 ICANN-accredited registrars operating globally, are often asked to submit a subpoena, court order (sometimes within the jurisdiction of the registrar), or Mutual Legal Assistance Treaty (MLAT) to obtain such information. However, since personal contact information within WHOIS records became unavailable to U.S. investigators under ICANN’s implementation of the European General Data Protection Regulation (GDPR) in 2018, the issue regarding WHOIS access for public health and law enforcement agencies is still unresolved four years later. Requests for legal process/orders from registrars understandably caused delay in FDA-OCI’s investigations.”
ICANN, GDPR, and the WHOIS: A Users Survey — Three Years Later Key Finds
“From our analysis of over 270 survey responses, we find that respondents report that changes to WHOIS access following ICANN’s implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data (Temporary Specification, adopted in May 2018), continue to significantly impede cyber applications and forensic investigations and thus cause harm or loss to victims of phishing, malware or other cyber attacks.”
Therefore, the only conclusion is that supporting the ICANN “WHOIS Disclosure System” will continue to put U.S. citizens’ health, safety, cybersecurity, and privacy at risk. This proposal gives ICANN.org and the “Contracted Parties” cover to say to Congress, and other US government officials, that the ICANN multi-stakeholder community is addressing the Dark WHOIS/GDPR problem by creating a “ticketing” system. A system that does nothing to address the underlying problem of lack of access to accurate WHOIS information and merely delays access & disclosure of WHOIS data for lawful purposes for another two years (2024). Remember, this proposal comes after almost five years (starting in 2018) of ICANN trying to “fix” the Dark WHOIS/GDPR problem through the so-called multi-stakeholder process. This is why Congress must act now to fix the Dark WHOIS/GDPR problem before more Americans are harmed.
But to save WHOISVILLE and get Congress’s attention, we need everyone in WHOISVILLE to make as much noise as possible. Just like in the story, Horton Hears a Who, we need to find JoJo with his yoyo to help convince Congress to finally fix the Dark WHOIS/GDPR problem.
