[registration-issues-wg] [CPWG] URGENT: DRAFT ALAC Statement on the EPDP Phase 1 Final Report
icann at leap.com
Fri Feb 15 15:14:31 UTC 2019
Thanks for your reply. However, Rec #10 is in direct conflict with Rec
#6, as Rec #10 says "redaction ***MUST*** be applied as follows".
Furthermore, as you correctly note, there's no timeline, even if
registrars do allow non-redaction via Rec #6 (which I think many/most
will not, because Rec #10 gives the registrars justification to ignore
Rec #6). It's been 9 months since May 25, 2018, and my WHOIS is
completely redacted at one of the largest registrars, along with tens
of millions of domains owned by other registrants (see WHOIS for
leap.com, math.com, school.com, etc.) at other registrars.
"Commercially reasonable" in Rec #6, without a firm deadline, will be
read as a de facto "never". Rec #6 doesn't even say what that
"additional contact information" is (some will say it's just the email
address, whereas many registrants will want the full "classic WHOIS",
i.e. what it has always been pre-GDPR, which proves they're the owner
of their own domains).
I know the EPDP working group members have been working hard against a
deadline, but this report seems slapped together at the last minute
with obvious shortcomings that will persist and likely never be
corrected by any future policy working group. It's better to "get it
right" rather than "do it fast", in my opinion. We risk another
RegisterFly fiasco, if we don't get this right.
Failing this, ICANN should work towards changing the entire registrar
accreditation process, to allow boutique "mini registrars" (i.e. kind
of like .BRAND gTLD registries) to be established, where the "mini
registrar" owns all of their own domains at that registrar, without
any 3rd-party customers, with appropriate restrictions and
accommodations (e.g. no access to "batch pool" for expired domains,
more reasonable turnaround time for compliance, etc.). That boutique
registrar would then be able to fully publish their own full WHOIS,
and not be subject to the whims of the current contracted parties, who
are over-applying GDPR and removing choices for registrants. By adding
suitable restrictions, such boutique registrars could be lower cost
(lower accreditation fees, etc.), and also force the registrars (and
ICANN in general) to actually listen to the concerns of registrants,
lest those registrants move their domains to their own self-operated
On Fri, Feb 15, 2019 at 9:42 AM Alan Greenberg <alan.greenberg at mcgill.ca> wrote:
> Thanks George.
> Rec #6 requires that registrars must give registrants the choice of
> publishing contract details but there is no timeline when this will
> be done. So registrars could delay.
> At 14/02/2019 08:54 PM, George Kirikos wrote:
> >Hi Alan,
> >I have strong concerns that the current recommendations are
> >anti-choice, namely that they prevent registrants from even consenting
> >to publication of their full contact detail (i.e. all the contact
> >details that have historically been in the WHOIS).
> >According to the Feb 11, 2019 draft version at:
> >recommendation #10 forcibly redacts the registrant Name, Street,
> >Postal Code, Phone, Fax (which is completely missing in the table!).
> >Email is also redacted, subject to recommendation #13. Footnote 16
> >says it can be replaced by a form or anonymized email, but that
> >suffers from the issues I pointed out at:
> >Now, Recommendation #13 also refers to "Recommendation X"
> >(non-existent!) which would allow the Registered Name Holder to
> >provide consent for publication of just its email address. However,
> >that doesn't seem to allow the registrant to consent to publication of
> >*ALL* of its contact details (i.e. name, phone number, fax, full
> >mailing address, etc.).
> >Many registrants *want* that fully published, and these
> >recommendations take away that choice from the registrant.
> >The same issue exists for the tech contact. Some folks want that
> >separate contact's full info to be collected and published, but aren't
> >going to be able to even consent to that (again, it just says "Yes"
> >for "Redacted", without the footnote to consent to publication). That
> >secondary contact point is going to be useful if the primary contact
> >has downtime, becomes invalid, is on vacation, or is otherwise
> >unavailable. With just 1 visible contact, it creates a single point of
> >failure, if communications are missed.
> >In essence, these recommendations are overapplying the GDPR (e.g. to
> >non-persons, and to those outside the EU), *even* if the registrant
> >wants to fully consent to full publication of their own data (Rec #17
> >shows that overapplication). It takes a "father knows best" approach,
> >to disregard the registrant's own wishes and doesn't give them the
> >opportunity to consent, to exercise their own choices. By all means,
> >if someone wants to not publish their data, respect that choice. But,
> >those who *do* want to publish their data are totally disrespected by
> >the current recommendations.
> >Folks have many legitimate reasons for wanting to fully publish their
> >own data, including not wanting their communications to be intercepted
> >by the registrar, and also to be able to openly demonstrate that they
> >own their domains! The WHOIS is supposed to be the authoritative
> >record of domain ownership (simply putting the data on the website
> >associated with a domain name is *evidence* of ownership, but isn't
> >*proof* -- the WHOIS is the proof; e.g. the website or nameservers can
> >be hacked, and have false info in the "evidence", but the WHOIS itself
> >should always show the true owner).
> >The text of the recommendations is also open to interpretation, which
> >is unwise. e.g. on page 40 it says openly:
> >"The Team could not come to agreement on this issue and as such no
> >recommendation is included in this Final Report in relation to whether
> >optional also means, optional or required for the registrar to offer."
> >i.e. if one can't even agree on what the recommendations *say*, that's
> >just wishy-washy, and doesn't help anyone. Recommendations should have
> >clarity, not purposeful ambiguity.
> >By forcing more info to be private (even against the wishes of the
> >registrant), this will erode the trust of the entire DNS.
> >BTW, for Recommendation #16, one might want to mention that registrars
> >routinely accurately determine the location of registrants, in order
> >to make sure that the correct sales tax is charged to them. I'm not
> >too concerned about loss of thick WHOIS (.com has proven that thin
> >WHOIS can work).
> >Copying the message originator (on page 2 of the draft letter) isn't
> >going to work, as it would *enable* spam (unless the originator is
> >somehow verified in advance). This was pointed out in the first
> >paragraph of:
> >George Kirikos
> >On Thu, Feb 14, 2019 at 7:28 PM Alan Greenberg
> ><alan.greenberg at mcgill.ca> wrote:
> > >
> > > As discussed on the CPWG call yesterday, attached please find the
> > draft statement to be attached to the report.
> > >
> > > I believe that it addresses all of the issues we discussed and
> > for which there was general concern. As decided, we will support
> > the overall report, but note that some of the particular
> > recommendations do not have our support. Others we will support but
> > nevertheless have concerns.
> > >
> > > The lack of focus on public interest issues puts into question
> > whether Phase 2 will suitably address access and other issues.
> > >
> > > THIS STATEMENT MUST BE SUBMITTED BY THE END OF FRIDAY. Please
> > make any comments with utmost urgency.
> > >
> > > Maureen tells me that she will issue a VERY SHORT Consensus Call
> > tomorrow, to complete prior to the submission deadline.
> > >
> > > WORD and PDF formats are attached.
> > >
> > > Alan
> > > _______________________________________________
> > > CPWG mailing list
> > > CPWG at icann.org
> > > https://mm.icann.org/mailman/listinfo/cpwg