Communications Litigation Today was a Warren News publication.
Not ICANN's Fault

Congress Must Solve the Whois Access Problem, Panel, Lawmakers Say

Unintended consequences of the general data protection regulation (GDPR) are blocking access to Whois domain name registration, and Congress should consider acting to fix the problem, Rep. Bob Latta, R-Ohio, said Thursday. Whois data is a "public lands record for the internet," but an overly broad interpretation of the EU GDPR is preventing law enforcement, security experts and cybersecurity investigators from getting at bad actors, he said in a recorded statement for a Coalition for a Secure and Transparent Internet webinar. Consumers are also feeling vulnerable online and need to know their privacy and security will be protected, said House Consumer Protection Subcommittee Chair Jan Schakowsky, D-Ill. Panelists also urged legislative action.

ICANN decided after passage of the GDPR to no longer make registration details available, rather than doing the due diligence required to distinguish whether a domain name seeker is a natural person (to which the regulation applies) or a company (to which it doesn't), said Kroll Cyber Risk Managing Director John Bennett. Among more recent problems arising from the lack of accessibility to Whois data is the "rash of sites" on cryptocurrencies and non-fungible tokens, many connected to celebrities and public figures who fail to disclose they're paid to endorse the product, said Kroll Senior Managing Director Alan Brill. This involves the broader problem of transparency, he said.

ICANN gets very few complaints from law enforcement about lack of access to the information, President Goran Marby said in a prerecorded comment. The GDPR is the law, he said: Registries and registrars can't circumvent it, and have no business interest in doing so. It's not ICANN's fault the GDPR happened, and it can't fix the problems, he said, adding that's the role of legislation.

Panelists, however, disagreed. Registries and registrars, which are under contract to ICANN, don't want to make the information available because "it's a pain in the ass," leads to more calls and hikes call center costs, said Perkins Coie intellectual property attorney Fabricio Vayra. The regulation applies only to natural persons, and only about 11% of registrations are made by people, he said. The rest are made by corporate entities, but ICANN has taken the position that Whois data on these can also be "dark."

The Whois database going dark is an example of privacy "going off the rails," said Information Technology and Innovation Vice President Daniel Castro. He urged U.S. lawmakers to push back against the EU law. This isn't simply a U.S. problem, said Iggy Ventures Strategic Adviser Rick Lane. In its updated network and information security directive, the EU said access to accurate registration data is essential to maintain high-level cybersecurity. If the GDPR had been enacted by Russia, Iran or China, the U.S. government wouldn't have stood aside and said it can't correct the problem, Vayra said. Lane believes Congress "will take up legislation to fix the Dark Whois/GDPR" problem this year, he told us later.