Domain services

The Future of Whois Access is on the Table Today – Domain Name Wire

ICANN and the GNSO Council will meet to discuss the future of SSAD.

Today, the ICANN Board and the Generic Names Supporting Organization (GNSO) Council will meet to discuss ICANN’s First-Ever Operational Design Assessment for the proposal Standard Access/Disclosure System (SSAD). SSAD could become the post-GDPR successor to Whois access. The meeting is scheduled for 21:00 UTC, and people can register to attend. on Zoom.

As anyone who has checked a Whois record recently knows, the GDPR has significantly limited the availability of domain registration data. Although the GDPR protects EU citizens, its scope is actually globalmost registrars now blocking personal information in Whois.

In response to the GDPR, ICANN has published a Temporary specification in 2018 for registrars so that they can continue to collect Whois information but also comply with new privacy regulations by blocking access to it.

Most registrars have used proxy and privacy services to protect registration data. Some registrars simply block the data and note that it is blocked due to GDPR. A 2021 to study (pdf) by Interisle, sponsored by Microsoft, Facebook and consumer protection organizations like the Anti-Phishing Working Group, noted that:

Currently, only 13.5% of domains have a real owner identified in WHOIS. Registrars and registry operators used ICANN’s post-GDPR policy to redact contact data from 57.3% of all domains. Adding proxy-protected domains means that 86.5% of registrants cannot be identified via WHOIS.

For domain buyers, this means difficulties in undertaking due diligence. For journalists in the field, this means difficulties in doing research.

When ICANN adopted the Temporary Specification in 2018, it asked the GNSO to initiate an expedited policy development process to propose a registration data access system. (While he undertook his work, some registrars created their own system.) The result was a series of recommendations for the creation of SSAD, a centralized clearinghouse for data requests that directs them to registrars for resolution. The process creates an audit trail that, in theory, would allow ICANN’s Contractual Compliance Department to investigate and respond to complaints about unresponsive registrars.

However, as Maarten Botterman, Chairman of the ICANN Board, noted in a letter (pdf) to the GNSO leadership this week, “There is no guarantee that SSAD users will receive the registration data they request through this system.” Indeed, the SSAD, as proposed, does not require registrars to provide anything other than proxy data or extremely limited information if the registrant uses a privacy service.

Oh, and the new system comes at a steep price. ICANN estimates that it would cost between $20 million and $27 million to build and between $14 million and $106 million per year to operate, depending on usage levels. Obviously, there is little agreement on how many requests the system would receive. It reminds me of the Trademark Clearinghouse for new top-level domains. Actual usage was much lower than expected.

Today’s meeting between the GNSO Board and Council will therefore be an important moment for the future of access to Whois data. If SSAD goes to the next phase, don’t get too excited. ICANN estimates that it will take 5-6 years to build and implement.