Communications Litigation Today was a Warren News publication.
GDPR an Obstacle?

Congress Urged to Act on Whois Data; Latta Mulls Legislation

House Communications Subcommittee ranking member Bob Latta, R-Ohio, wants to legislate access to personal Whois data, he told us (see 2008270055). Stakeholders concerned with intellectual property, online security, law enforcement and other interests said in interviews that Congress must take control of the debate because ICANN can't resolve the issue.

The organization is working on a standardized model for access to domain name registration information. The recently passed Consolidated Appropriations Act says NTIA, working though ICANN's Governmental Advisory Committee (GAC), should come up with a mechanism. Bipartisan interest is growing among lawmakers to fix the problem, which was exacerbated by EU's general data protection regulation.

It’s an area that we’ve got to take seriously because we’re talking about privacy," Latta said last week, referencing shifting trends in the EU. "It’s important for us to make sure we’ve got laws on the books so we can get out there and help when it comes to law enforcement.” Latta introduced a resolution in 2020 saying Whois information "should remain open and accessible" for the protection of U.S. national and economic security, IP rights enforcement, cybersecurity, health, safety and privacy.

I agree that privacy laws like the GDPR can certainly be an obstacle for our law enforcement," said Sen. Shelley Moore Capito, R-W.Va., in a statement. "It’s important that we reach a compromise here for law enforcement to sufficiently access that needed data in an efficient manner.”

Sen. Mazie Hirono, D-Hawaii, told us she's interested in “misuse of domain names,” disinformation and misinformation. There’s more that domain name registrars and hosting sites can do to verify who controls domain names, she said: "There’s a whole series of issues. I’m always careful about making sure that we understand what the ramifications will be if we submit legislation. I start with letters.” She and fellow Democrats Cory Booker of New Jersey and Maggie Hassan of New Hampshire sent a letter in April to eight domain name registrars and hosting sites about scams and misinformation during the pandemic.

Several lawmakers we spoke with said they're unfamiliar with Whois issues, suggesting it's not a top-of-mind concern. That included Senate Commerce Committee ranking member Roger Wicker, R-Miss.; Tammy Baldwin, D-Wis.; Jacky Rosen, D-Nev.; John Kennedy, R-La.; House Consumer Protection Subcommittee Chair Jan Schakowsky, D-Ill.; and Rep. Jerry McNerney, D-Calif. It hasn’t come up in daily staff conversations, said Baldwin. “I didn’t know it was an issue with law enforcement at this point,” said McNerney.

Industry Concerns

Complaints to lawmakers about the difficulty of accessing Whois data have come from Iggy Ventures CEO Rick Lane, the Coalition for a Secure and Transparent Internet (CSTI), and Coalition for Online Accountability (COA).

Lane cited growing cyberthreats from Russia, Iran and China for the need to resolve the Whois "problem." In a Dec. 31 letter to then-Senate Commerce Committee Chairman Wicker and then-ranking member Maria Cantwell, D-Wash., CSTI, founded by DomainTools, LegitScript and Spamhaus, noted NTIA has "for over three years tried to work through the GAC to establish a global access model," but the ICANN process "failed to address the basic issues to implement such a system."

Registries and registrars have never wanted to provide access, and now they're using the GDPR as an excuse, said Libby Baney, who represents CSTI. It’s a “perfect storm” for public policy, she said: The first piece of internet accountability is knowing who’s behind websites.

COA supports NTIA's conclusion that ICANN's policy "fails drastically and unacceptably short" of meeting the public interest, particularly in the areas of safety, security, consumer welfare and protection of intellectual property, Executive Director Dean Marks wrote in a Feb. 4 letter to Schakowsky and Consumer Protection Subcommittee ranking member Gus Bilirakis, R-Fla. COA, whose members include MPA, and RIAA, urged lawmakers to "take up the guidance offered by NTIA and 'explore alternative approaches'" to allowing prompt, effective access to Whois information.

The European Commission, which in December unveiled a proposed cybersecurity directive and digital services act (see 2101290006) "clearly demonstrated that it does not find ICANN's policies either adequate or fit for purpose," Marks wrote. The EC said last week it supports ICANN's effort to find a standardized Whois access model and is simply trying to create legal certainty for registries and registrars (see 2102260045).

This "will certainly” affect ICANN, said Hogan Lovells' David Taylor. The appropriations legislation directs NTIA to act in its capacity as a member of the GAC and isn't a request for the U.S. to take unilateral action, an approach many GAC members will likely approve, he said. Given the proposed European cybersecurity directive, he emailed, this "lends valuable support to the need for the establishment of a centralised global access model for timely access to accurate domain name registration data for legitimate purposes."

ICANN "will raise the conflict of law issue" and say U.S. legislation is an attack on the multistakeholder process, said Lane. However, U.S. law wouldn't directly affect ICANN, since the organization itself doesn't collect registration data, nor is this an attack on the broader multistakeholder model, he said. The focus is on the collection, accuracy and accessibility of Whois data collected by registrars and registries under their contracts with ICANN. Those obligations, agreed to by the ICANN community, "have now been undermined by another government's action," he said.

In the absence of legislation, ICANN has "nothing to comment on," a spokesperson emailed. It's focused on designing a system for standardized access/disclosure (SSAD) recommended by the community, she said. That process "will explore the impact of existing laws on the SSAD."

Kennedy told us he's considering competition legislation that's modeled after the EU's Digital Markets Act and would subject large, "gatekeeper" tech platforms to a new set of competition rules. It's partly meant to stop platforms from self-preferencing their own products and services. The DMA is “very comprehensive, and I’m thinking about just taking it and introducing it for America," he said. It's not a bill he would have considered introducing a year ago, he said. “We’re working on it. I’m thinking about it.”