More problems with ICANN and WHOIS

Almost from the very beginning of the internet, or at any rate from the beginning of the worldwide web, there has been an explicit rule which says that the name, address and contact details of whoever owns or manages a domain must be accurately recorded and published in a way which is accessible to anyone who wants to know. It was repeated in the so-called “Affirmation of Commitments” (para 9.3.1) which for practical purposes is the modern foundational charter of ICANN.

It is a rule honoured more in the breach than in the observance. In a review published a few years ago it was found that of the then 220 million domain names in existence only 23% fully met the accuracy requirement. In other words to find accurate details of who owned a domain was very much the exception rather than the rule.

Why is this so? Because verifying the information given by people buying domain names takes time, costs money and potentially deters people from buying in the first place. Those things can impact adversely on the revenues and profits of Registries and Registrars, and therefore also, ultimately, ICANN itself.

Because of this ICANN has failed to take any meaningful enforcement action to secure compliance with its own rules and, instead, has set in train what feels like an endless cycle of reviews and re-examinations. The longer they can drag it out the longer the money keeps rolling in. If, eventually, they have to move then, c’est la vie, they milked it for all it was worth.  But the rest of the world has paid a terrible price.

Why? Because the volume of fraudulent and criminal misuse of the domain name system has overwhelmed the capacity of law enforcement agencies and other regulators. The amount of time it takes, the cost and complexity of determining who precisely did something which appears to be unlawful, is now so onerous unless it is an egregious instance most cases simply end up in an ever-growing inbox. The bad guys know this and play the odds. Yet it is hard to imagine that if all internet users knew they could be rapidly, reliably and inexpensively identified that there would be quite so much bad or criminal behaviour taking place.

This has nothing to do with being anonymous in the sense that, broadly-speaking, I could hardly care less what names people use when they log on to or use a service. What is important is that people know, rather like the position with car number plates,  if  it is necessary for the purposes of carrying out an investigation,  law enforcement or regulators in their country could quickly get a fix on them if a legitimate request came in which complied with the current rules of their own national law and international law.

However, now it seems a couple of Registries in Holland are saying the GDPR forces them not to publish details of who owns a domain. Their argument is partly technical i.e. if a Registry makes it a condition that a would-be purchaser of a domain name must agree to their personal information being published, as a condition of being able to buy it, that to some degree is coercive or it is called “bundling” and both are forbidden.

For now, ICANN appears to be objecting to this interpretation of the GDPR but I can imagine a great many interests in and around ICANN would be delighted if this Dutch view prevails. It musn’t.

PS: For the avoidance of doubt, in the end, I  guess I am less concerned about the names and addresses of domain name owners being published than I am about the data being accurate and easily and inexpensively accessible to law enforcement and regulators. Of course, it should be possible for consumers, should they be so minded, to check out who owns a site before they engage with it.