Compliance with the EU general data protection regulation and what to do with proceeds of auctions on new generic top-level domain (gTLD) names will be among hot topics at the Saturday to Thursday meeting in Barcelona, the internet body said. There will be sessions devoted to ICANN efforts to amend its Whois registration database to comply with the EU law, including the status of an expedited policy development process on ICANN's temporary specification for Whois and issues surrounding the creation of a system to allow third-party access to nonpublic registrants' data (see 1810080002). A Cross-Community Working Group will present its preliminary report on auction proceeds. Auctions were used as a last resort in 16 of 218 contested new gTLD applications, with proceeds placed in a separate reserve pending a decision by the community on how they should be used, the report noted. Other likely topics, stakeholders said: (1) The continuing review of rights protections mechanisms, considering whether to keep, narrow or expand them. (2) The nonprofit's failure, more than two years after accountability bylaws were enacted, to establish independent review panels. (3) Whether the organization has a strategy for dealing with expected battles at the Oct. 29-Nov. 16 ITU Plenipotentiary over who controls the domain name system root zone.
ICANN continues to struggle with who can access domain name registration data under the EU general data protection regulation, a Monday webinar heard. The law is specific about the role of data controllers, and ICANN is trying to determine if creating a unified model for access to nonpublic Whois data complies, said CEO Goran Marby. It's up to the community to decide whether it supports such unified access, he said. Legal and technical approaches are under consideration, said General Counsel John Jeffrey, including the Registration Data Access Protocol (RDAP), to enable users to access current domain registration data that could eventually replace the Whois database. Third parties seeking access to nonpublic data would submit a request to ICANN, which would approve it and pass it along to the data controllers (registries and registrars) or deny it, he said. Comments are due Oct. 13. There's also an expedited policy development process (ePDP) on ICANN's temporary specification for generic top-level domain registration data, said David Olive, senior vice president-policy development support. EPDP is expected to deliver a draft initial report by the Oct. 20-25 ICANN meeting in Barcelona, followed by publication of an initial report for comment shortly thereafter, he said. Marby said GDPR is fairly specific about the individual role of data controllers, and the only way to change the situation would be to lower the risk of liability for registries and registrars. He stressed that none of the proposed solutions will happen if contracted parties don't feel their GDPR risks are diminished. The probability of having a technical solution such as RDAP is likely low but ICANN must ask, he said.
An ICANN policy panel made "important progress" toward revising the Whois system to comply with the EU general data protection regulation, Georgia Institute of Technology School of Public Policy professor Milton Mueller blogged. Meeting in Los Angeles Sept. 24-26, the expedited policy development group (ePDP) pushed past the "same old conflicts of interest" to strike a tentative approach, he said Friday. Stakeholder groups need to approve the proposals, and the ePDP must submit an initial report for review at the Oct. 20-26 ICANN meeting in Barcelona. The ePDP "finally recognized a clear distinction" between the purposes for data collection and third-party legitimate interests in gaining access to that information, said Mueller, an ICANN participant. The panel identified the purposes of the database, the data required for them, and which GDPR rules apply to the data processed, he said: "Progress almost broke down" over "Purpose B" on enabling third-party access to nonpublic registrant data. The group compromised for lawful access for legitimate third-party interests to registration data already collected and identified, and to classify Purpose B as a registry/registrar, rather than ICANN, purpose. Other proposals include establishing rights of a registered name holder in a registered name and coordinating development and implementation of policies for resolving disputes over registration of domain names.
The Donuts top-level internet domains owner said a majority stake is being bought by private equity firm Abry Partners. "Individuals and businesses manage their digital identities in an increasingly complex world of proliferating devices, platforms and access points," said Abry Managing Partner Erik Brooks about what he called the biggest portfolio of new TLDs. Separately Wednesday, the FTC said it won't challenge the deal, which got an early termination notice. Abry also has invested in midsize cable operators including Atlantic Broadband; TV-station owner Nexstar; and radio broadcaster Citadel Communications.
Special interests are pushing legislation to weaken Whois registrants’ privacy rights in favor of maximizing the monetization of personal information, Georgia Tech scholar Milton Mueller blogged Wednesday. Congress' draft legislation apparently would supplant ICANN’s expedited policy development process (see 1807110041). ICANN is gathering stakeholder input through the process to develop a framework that would let third-parties access nonpublic domain registry data. Companies like Domain Tools stand to benefit from the draft legislation, which would allow them to harvest raw data for free, Mueller said: “By negating domain registrants’ privacy rights, they are able to monetize the sale of their personal information -- and unlike Google, Facebook and others who monetize personal information, there is no service offered in exchange, no contract, no ability to opt out.” Domain Tools didn’t comment.
ICANN, which plans to change the domain name system (DNS) cryptographic keys, published a guide (available here) to tell users what to expect. The changing of the keys, known as the "Root Key Signing Key (Root KSK)" is scheduled for Oct. 11, pending approval by the ICANN board, the organization blogged. The DNS was signed with Domain Name System Security Extensions (DNSSEC) in 2010 and has two kinds of keys: zone-signing keys (ZSKs) that sign the main data in the root zone and key-signing keys that sign only the root key sets in the root zone, the guide said. The rollover occurs when the Root KSK is changed and the new KSK starts signing the root key set for the zone, the guide said. The new KSK is KSK-2017; all validating resolvers, which are configured with a set of trust anchors -- copies of the keys or key identifiers that match the root KSK -- will have to add KSK-2017 to their trust anchor configuration. Most resolvers either did that manually when KSK-2017 was created and published or had the change made for them by their software vendor, ICANN said. Some resolver operators, however, didn't update their configuration and are unprepared for the rollover because they're still using KSK-2010 as a trust anchor. When rollover occurs, those operators will have no valid trust anchors, and will start to fail to validate the answers they get from authoritative DNS servers. (Authoritative name servers are defined as a network of hundreds of servers in many countries that are configured in the DNS root zone as 13 named authorities). When such failures happen "is not predictable," the guide noted. Failure starts when the ZSK can't be validated, it said. Whenever a validating resolver gets a response from an authoritative name server, it checks the signature and saves the validation status of the signature on each name in its cache. For example, ICANN said, validating the signature on a name such as "www.example.com" means resolvers must validate the signatures on the root, on ".com," on "example.com" and on "www.example.com." At some point within 48 hours after the change, DNS queries from some users -- either individuals or automated systems -- will begin to fail, which could mean a web page becoming unavailable or the inability to receive new email, ICANN said. The failures will then "cascade until no program is able to show new information from the Internet." Once operators discover that their resolvers' DNSSEC validation is failing, they should change their resolver configuration to temporarily disable DNSSEC validation, which should fix the problem immediately, the guide said. Data analysis "suggests that more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover," ICANN said.
ICANN is getting questions about how it will enforce temporary rules for Whois compliance under the EU general data protection regulation, Senior Vice President-Contractual Compliance and Consumer Safeguards Jamie Hedlund blogged Monday. The temporary specification, effective May 25, modifies ICANN registry and registrar contracts, and awaits EU data protection authorities' OK (see 1807160017). Hedlund hears concerns including: (1) How ICANN will obtain non-public registration data needed to process complaints. (2) The availability of data published in Whois, which includes issues about over-redacting public registration data, and redacted fields that are missing anonymized email and/or webforms to contact domain name owners. (3) Missing required registrant email addresses. (4) Registries providing thick bulk registration data access files to ICANN instead of thin data. There are queries about the process for filing complaints alleging noncompliance, Hedlund said: The most relevant form for filing is here, but ICANN "will process complaints regardless of the form used."
ICANN is "carefully evaluating" guidance from the European Data Protection Board (EDPB) on Whois compliance with the general data protection regulation, General Counsel John Jeffrey blogged Friday. The July 5 letter provides additional advice that could "help significantly advance" the discussion, he said. Privacy officials answered questions about ICANN's approach. The EDPB said personal data identifying individual employees or third parties acting on behalf of a registrant shouldn't be made publicly available by default, but if the registrant provides generic contact email information (e.g., admin@domain.com), publication is OK. On a unified access model for legitimate Whois users, EDPB said nonpublic data could be made available to third parties "provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary" and other GDPR mandates are met. It's likely the internet body will receive additional input if the community agrees on a method for providing access to nonpublic Whois information, Jeffrey wrote. The board also discussed ICANN's ongoing legal case in Germany against domain name registrar EPAG (see 1806220001), and ICANN has submitted the letter to the court. Governments are struggling to help ICANN comply with the GDPR while keeping the Whois database as open as possible (see 1806260021).
ICANN’s Generic Names Supporting Organization plans to launch an “expedited policy development process” by the end of July for a proposed framework that would let third-parties access nonpublic domain registry data, said U.S. Council for International Business Vice President-ICT Policy Barbara Wanner in a newer blog post that was revised from Friday’s version (see 1807060026). She characterized this outcome from last week’s ICANN meeting as a positive development and described setting the “ambitious timeline” as “significant” progress.
A German court will revisit its ruling in ICANN's case against domain registrar EPAG, ICANN blogged. The injunctive action, filed in May in the Regional Court in Bonn, asked for "assistance in interpreting" the EU general data protection regulation after EPAG said it will no longer collect registrants' administrative and technical contact information when it sells new domain names, for fear of violating the regulation (see 1805280001). The court ruled against ICANN (see 1805310014), which then appealed for an order requiring EPAG to reinstate collection of the data. The regional court had the option of re-evaluating or reaffirming its decision and chose the former to seek comment from EPAG, ICANN said Thursday. It's "pursuing this matter as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain [gTLD] system," ICANN said. Separately, the International Trademark Association said Tuesday it will continue to push for full access to Whois information. ICANN's "temporary specification" for gTLD registration, approved May 17 (see 1805140001), "seriously limits the amount of publicly available information and only provides an anonymous email address or web form from which an email could be forwarded rather than a live contact," INTA said. While the organization recognizes the importance of personal privacy, trademark owners need continued access to all Whois data to protect consumers online, said INTA Senior Director-Internet Policy Lori Schulman.