ICANN’s response to the European Union’s Network and Information Security Directive (NIS2) is a litmus test of whether its policy processes can address the needs of all stakeholders, instead of only satisfying the needs of the domain industry. Early indications from the ICANN Hamburg meeting point to another disappointment for law enforcement, cybersecurity professionals, and the many businesses seeking to reinstate WHOIS access as required by NIS2. ICANN should change course and update its global WHOIS policy to be consistent with NIS2, as called for by the Cybersecurity Tech Accord in its recent blog.
Years-long inaction on ICANN’s part has led to governmental frustration with the lack of progress on critical issues, like DNS abuse, domain name registration data policy, and other matters of importance. It has been proven again that when ICANN isn’t proactive on issues such as these, a vacuum is created, enabling others to step in and manage needed changes through fragmented regulation.
This has been the case with NIS2, a directive that clarified the legal basis under the General Data Protection Regulation (GDPR) to collect, maintain, and disclose “WHOIS” information—the registration data of domain name owners. ICANN, by its own admission, was late to the game in terms of updating its global WHOIS policy to be consistent with GDPR. Then, registries and registrars (“contracted parties”) managed to over-correct in addressing GDPR (with ICANN’s complicity) in a way that has nearly completely hidden WHOIS data from those who rely on it to prevent or mitigate online harms. The stated reason for the over-correction was uncertainty over whether GDPR allowed access to WHOIS data. But now, the pendulum has swung too far in the direction of: “We don’t care—no one can have this data.”
During these delays, DNS abuse continued to grow sharply (see, for example, Interisle Consulting Group’s August 2023 phishing landscape report, which documented a tripling of phishing attacks over the previous three-year period). This prompted a response by the European Commission (EC), which observed the gulf created between a blanked-out WHOIS and cybercrime growth and included revised WHOIS policy in Article 28 of the NIS2 directive. Without ICANN brokering a compromise between the “we really need some data, and we’ll play by data access rules” and “no, you can’t have it” camps, the EC stepped in.
NIS2 accomplished what ICANN did not: a reasonable compromise on WHOIS data access, including distinguishing between legal and natural person data, free-of-charge access, reasonable response times, and the like. The rest of the world sees relief on the horizon.
Prior to the start of the Hamburg meetings, a gathering of (mostly) contracted parties seemed to realize for the first time what NIS2 requires. There was heightened concern about the operational changes necessary for compliance. EU representatives reminded registries and registrars that NIS2 is long established, will become EU member state law, and will require some retrofitting in order to come into compliance, such as to require all registries to maintain complete, accurate, and verified WHOIS.
We’re now at risk of seeing a repeat of the last-minute rush to comply with GDPR in 2018. While ICANN’s current position appears to be that NIS2 compliance is no worry, the community isn’t so sure and is hoping ICANN will come around to reconcile the conflicts between ICANN’s current policy and NIS2. A chart (shown at the end of this post) developed by members of the Commercial Stakeholder Group identifying these differences could serve as the starting point for a new Temporary Specification to update global WHOIS policy to track NIS2.
Failure to do so endangers the ICANN model—of which the great majority of us are fans. It’s safe to say that no one wants to see ICANN moving further towards the precipice—things already are tenuous enough.
To be clear, this is not an editorial deriding the ICANN model. But if we want to maintain our independence as a community of DNS coordinators, and prevent the almost certain attempt by some world powers to gain control of this critical resource and shut out important voices (with WSIS+20 just around the corner), we need to do better at being inclusive and finding compromise. It’s not too late.
By Mason Cole, Internet Governance Advisor at Perkins Coie
Perhaps NIS2 doesn’t require reinstatement of WHOIS, and the whole premise of this article is flawed? Or, if ICANN is reading NIS2 wrong, file a suit in Belgian court as soon as Belgium publishes its implementation of the directive?
Nothing in current ICANN policy prohibits registrars and registries from complying with applicable law. Nothing in current ICANN policy prohibits full compliance with NIS2. Current ICANN policy is therefore already in full compliance with NIS2, even though contracted parties and other parties providing registration services (resellers) may have some adapting of their current processes to do.
It is helpful that NIS2 indirectly references current ICANN policies as a model of how to do so.
This is an excellent overview of how the EU has stepped in to correct ICANN’s failure to fix the Dark WHOIS issue that puts EU cybersecurity, child protection, and consumer privacy at risk and the real risk to ICANN’s future by not hearing the clarion calls.
It is also a shame that after more than 5 years of ICANN’s decision to allow WHOIS to go dark, the US Congress and Biden Administration have yet to enact legislation following the EU’s lead to protect US cybersecurity, children, and consumer privacy. Instead, the Dept of Commerce and NTIA are trying to make the .US ccTLD go Dark (https://lnkd.in/eGrp7ED4). Studies have shown the .US already has the most domain name abuse/cybersecurity risk of any ccTLD, outpacing China (.cn) and Russia (.ru) country codes.
Whois just became compliant with data privacy laws and regulations. Blasting the personal information of all registrants into the ether for all to see was problematic from a privacy perspective for a long time, and seeing it addressed with the advent of the GDPR resulted in a great reduction in the receipt of spam, identity theft, phishing and other abuse registrants were regularly and in volume subjected to. The new obligations regarding publication of legal entity data will not prevent one incident of DNS abuse, or do you believe criminals go out of their way to register legal entities to register their domains? This is not happening now and will not be likely to happen in the future either…