ICANN 63 BARCELONA INSIGHTS

Annie: Hello, everyone. And welcome to today's webinar. ICANN 63, Barcelona Insights. My name is Annie Triboletti and I will be your moderator. Joining us today is Ben Anderson. Ben is the director of domain product management, including new generic top-level domain or gTLD services in the digital brand services division of CSC. He is responsible for overseeing the development of the company's product portfolio and proposition. And with that, let's welcome Ben.

Ben: Thank you very much, Annie. And welcome to everyone joining us today. I'm glad you can join us. So, ICANN 63, it's been quite a long week last week but really predominantly the biggest discussion point was the Expedited Policy Development Process, the ePDP, looking at the temporary specification which is helping ICANN and the contracted parties deal with the issues that have come about because of the GDPR. There's some other important meeting insights that we'll share with you. Obviously the new gTLD subsequent procedures, so the next round of TLD, even when that might happen as well as the privacy and proxy services accreditation work that's going on.

So, before we look at what's happening with the ePDP, I think it's important to probably just take a step back and walk you through a brief history of exactly what has happened in the ICANN world surrounding GDPR when it came into effect at the middle of this year. So, ICANN was pretty late to the party, which is safe to say, they only really started looking at this at the beginning of 2018. The community itself had tried to mount pressure on ICANN to address the issues that everyone saw coming with the implementation of GDPR. And they just took a really, really long time to consider this.

And so, at the beginning of 2018, ICANN announced three potential models that could be used to address GDPR and ask for community input and feedback. And it's safe to say that quite a lot of the models that were divided the community, on one side were privacy advocates, on the other side were those looking for access especially brands and rights holders who wanted access to the information to be able to make sure that they could find out who owns a domain or even prosecute those using domains for nefarious purposes.

A lot of the large retail registrars got behind a model called the Eco Model which was developed outside of ICANN but included a lot of industry players such as Tucows and GoDaddy. And there was a great deal of support for that model but, however, ICANN pushed forward and pushed for another model as well. ICANN had asked the European Union for a moratorium on enforcement against the contracted parties to the registries and registrars, whilst the community worked out how to develop a model to maintain the current function of WHOIS or the function that was there previously.

But the EU formally told ICANN shortly after that, that in actual fact the unlimited publication of WHOIS was in breach of GDPR. And therefore something needed to be done about the publication of all of the personal information. So, ICANN rushed to create what is now known as the temporary specification. It's a temporary policy, it has a one-year time limit on it, and that's what all of the parties have being implementing over the last few months.

But as you can see from the timeline itself, the temporary specification was published with just one week until GDPR came into effect. And clearly, data protection authorities and the EU weren't looking to find parties on day one. But there's been a bit of a scramble to get to the point where contracted parties feel comfortable about the way that they're publishing data because they feel that they may be responsible under the rules of GDPR for that publication of data.

To give a, kind of, better view of the ICANN models and the model that we're left with, you'll find this unfortunately slightly busy slide in front of you. What it does is it moves from left to right and left where there is a minimal amount of data published, and to the right was the full publication of data. And you'll see in the top right-hand corner that was what the WHOIS looked like before the middle of this year, so you could go to a WHOIS server query at domain and find out who owned it. And we move from the bottom to the top, and the bottom is where information on the WHOIS is only provided through due process, all the way up to where it was previously, where there was full public access to the WHOIS data.

What we've been left with is the ICANN temporary specification, which is sort of to the left of data publication where there's a minimal amount of data published, and only allowing access to that data, just above a kind of due process level. And this is the area which is causing, I think, the most amount of frustration for parties who wish to query the WHOIS because all of the information has been redacted with the exception of a few small areas, which I'll share in a minute. And getting access to that data and asking registrars or registries to provide it has become complex and confusing because there isn't a set standard in which parties can request or access the data.

So, the temporary specification itself really has four key areas that we'll focus on right now, and really these are the focus of the ePDP as well. And that is the public WHOIS first, and the impact of the temporary specification, as most of you all know, on the public WHOIS is that all of the social data with some very small exceptions has been redacted.

At contacting registrants say seeing the email address of the registrant of a domain, that's no longer available and most registrars and registries have implemented a system where you can submit your query in a web form and then that's forwarded to the registrant.

Who gets access to the WHOIS data? As I explained a bit earlier, dispute providers still get access to the data because that's part of the contractual obligations of registries and registrars. Law enforcement agencies have the ability to get the information, ICANN and escrow providers, so all registrars are required to escrow their data to a third party to ensure continuation.

And so, they all have access. But there's also another subset of users and those are users with legitimate interests. And part of the temporary specification talks to the fact that registries and registrars must provide access to parties with a legitimate interest. The issue is, is that legitimate interest has not been defined. So, this has really been left to registries and registrars to decide ‘what is a legitimate interest?', and then determine whether or not they're prepared to hand the data out as well. Subsequent to that, transfers have been impacted as well. But it's actually made transfers of gTLDs a lot easier because the information is no longer available in the public WHOIS. So, those are the four key areas that the temporary specification touches on.

And if we look at actually what that means in reality, what you've got in front of your screen now, is what we call the thin data. This is the information about a domain name that is used for its operation. So, the domain name, who the registrar is, when the domain was registered, when it's due to expire, and the name servers, and so on. So all of this information is still available on the WHOIS both at registry and registrar levels, so you're able to get access to these key pieces of information.

But the information that most people are after, especially when it comes to brand protection issues or dispute issues, is who actually owns the domain. And what the temporary specification has said is that this data which we call the thick data, the social data, the data on who owns the domain, who the admin contact, who the technical contact, and billing contact of a domain is. That does not have to be displayed anymore. And many registrars and registries have decided to redact that information. So, in most cases you'll see a statement for each field saying that the information is not disclosed or is protected under privacy.

The only information that is actually available now is the state or province of the registrant and the country in which the registrant resides. As I said a link to a web form that allows you to contact the registrant if you so choose, but all this other information has been redacted.

One thing to note and for those that are using CSC as a registrar is we still continue to publish this WHOIS data. We know it's important for our customers to show that the website that a customer may be visiting is genuine and is held by the brand that they think they're visiting. So, our information remains published. If you wish to redact that information, then you can just ask us and we'll be able to do that. But we continue to display that information as standard.

If you were to decide to redact the information, then we would provide a web form, as you can see on your screen now, and that allows interested parties to contact you and messages are sent through to the email address of the domain.

One thing to note, however, is there's two different types of gTLD, there's thin TLDs and thick TLDs and this links to the information that I was just displaying earlier. Thin TLDs are com and net. There's also a couple of ccTLDs as well, but com and net the registry will publish the thin data, so information about the domain itself, and then it's up to us as the registrar of record to publish the thick data, the social data. So, we have control over the information published for .com and .net as well as the handful of ccTLDs on the screen there. But all the other gTLDs are known as thick TLDs, so, it's the registry that publishes the data.

Now, some registries have decided based on their own assessment of the impact of GDPR that what they've done is they've either redacted the data or provided a mechanism to allow us to display that. But some of this data is obviously out of our control. But it's still subject to the temporary specification. So, in most cases registries have decided not to display that information.

And here's just a small example, once again, sorry if the text is slightly small there, but you'll see a version of redacted data in and this is published from one of the other registrars in our group Ascio that serves retail and reseller customers. And you'll see here that the information is not disclosed. To the right of that is there an open WHOIS and this is our own domain CSC global and you'll see that we provide all of the information.

So, these are the two key differences and this is pretty much what the WHOIS in general looks like right now. The vast majority of WHOIS is redacted with a handful of domains with registrars like CSD still available to query. But it's not the domains that that are managed by CSC that are going to be of interest, especially when it comes to rights enforcement. There will be the domains that are held by retail registrars and the vast majority of those have redacted the WHOIS. So, that's a brief history of GDPR and the temporary specification.

What we'll do now is just look at what this ePDP is. And this is the subject that dominated ICANN 63. And in the halls, in the meeting rooms this was discussed extensively. And what it's done is it's really divided the community. But to explain what it is, we're in uncharted territory. This is the first time that ICANN has launched an expedited policy development process.

For those of you that know the ICANN ecosystem well and how policy is developed is you'll know that policy development takes a good two to three years if you're lucky. It can take a lot longer than that and we've had PDPs that have taken, a great deal of time to conclude. But because the temporary specification has a one-year time limit on it, this ePDP needs to complete its work prior to, or on the day of the expiration of the temporary specification.

So, what the ePDP does is it skips quite a few steps. So, on the left you'll see the standard plan for a policy development process. And on the right, you'll see what the ePDP process is. And in essence what happens is that no issue reports are required, there's no public comment on those issues reports, and a final issues report is skipped. Ultimately, the members of the ePDP get straight down to the work of dealing with providing answers to the questions or the charter of the PDP and try and create a final report that can then move into implementation.

So, this has not been tried before. It's an extremely contentious issue. There have been PDPs in the past trying to deal with changes in WHOIS, and they went on for a serious amount of time and consensus was never reached. So, this is a very small amount of time with a small group of people trying to get through maybe one of the biggest issues that ICANN has faced in its 20-year history.

So, what is the ePDP trying to solve? The scope of the ePDP is extremely contentious. It really is only dealing with the temporary specification and whether or not and that should become policy within ICANN. So, that would be policy that registries and registrars adhere to. The policy itself and the subsequent things to that, such as who gets access to the WHOIS information and whether or not there should be an accreditation process or system for access to that information, is out of scope of this ePDP.

And really that's the thing that everyone's trying to get to. Everyone's jumping to, can we get access? Where is there an access model that allows us to query WHOIS information? But this PDP is not dealing with that. They're trying to also to work out, you know, what legitimate interest there is. And that's really dividing the community. So, who should get access? Should it be IP rights holders? Should it be researchers? Should it be brand protection companies, like CSC? And should researchers be allowed to get access to that information? And that's probably one of the biggest parts.

And with that, you know, should the access…what's required and what do you get once you have the access to that information? At the moment, ICANN had launched its fifth court proceedings in Germany against the registrar called EPAG which is part of Tucows. Because Tucows decided to stop collecting admin and billing information from its registrants. Do they only collect the registrant information of a domain now? And ICANN has taken Tucows to court five times to get them to continue to collect information.

ICANN has lost five times, so that leaves us in a position now about what information is required to register a domain name going forward. And the ePDP is also looking at that. So, it's a big ball of confusion and contention and the members of the ePDP are trying to cut through that and get to a point where consensus can be reached.

At the beginning of the ICANN meeting last week, we didn't think that that was possible. However, there are a few rays of sunshine. It took 10 hours to agree on two lines of text. But it appears that everyone has now agreed to those pieces of text. So, it feels like there is movement and a willingness to take it forward. But again, we'll see how far they get.

As I said, there is a massive amount of time pressure. I think by my calculations we've got about 200 days left until this policy development process should be finished. There's of course only the one-year validity on the temporary specification and we've got until the 25th of May next year to have all of this resolved.

The normal PDPs they wait for ICANN meetings so they can publish their reports. But really this isn't an option for this PDP. We had expected this report during the ICANN meeting in Barcelona. However, we didn't get to the point where the policy development team could provide or publish a report. But that's now expected to be delivered at the beginning of next week. So, for those that are interested, we'll definitely provide you with our analysis of what that report talks to and what the impact of that report will be when it's published next week.

So, 29 weeks to go, not very much time and a whole load of stuff to do. And so, this was the draft timeline of the ePDP that was published maybe last month. And so, they had looked to deliver the initial report just before the ICANN meeting in Barcelona. What has actually happened is that that timeline is slipped and we've now moved to that information of the initial report happening on the 5th or 6th of November, so Monday or Tuesday of next week.

After that initial report has been provided, they'll then be public comment, so if you're interested in the outcome of this process or wish to make your own comments on it, then once the initial report is published, I would recommend that you read it and make your own comments online. So, the more weight behind specific positions, the more that people will listen to those positions.

What will happen then is that the working group will review all of the public comments and then look to submit a final report. And we expect that final report to happen towards the middle of January of next year. That will then go to the Generic Name Supporting Organization Council who will consider that final report, and then make recommendations, and then ask for further public comment before submitting what hopefully is the policy to the ICANN board for their consideration.

So, again, not much time, a whole load of things that have to happen. Definitely not in the steps the people are used to, not of the cadence that people are used to either. This is extremely fast. And I'd imagine that the next ICANN meeting, ICANN 64, which will happen right before the board makes its considerations, will either be celebratory or full of contention. So, we'll wait to see what happens and wait to see what comes out of the initial report, and then go back to customers and let them know exactly what's happening.

I'm going to be skip this slide because I think, you know, we've kind of spoken to that. What a lot of people ask us is, you know, where does CSC fit into this ePDP, and are you involved, and are you talking about what we want as customers? So, as a member of the ExCom of the registrar stakeholder group, we're providing specific guidance to the contracted parties, housed within the GNSO, so, that arrow pointing down to the registries which is Ry and the registrars which is Rr. So, we're helping to drive what our representatives are discussing in the ePDP and hoping to influence and effect change within there that is both balanced but also talks to the concerns of our customers.

If the ePDP fails and it failed to deliver consensus across this group of individuals, we're asked what happens next? And this is a bit of a grey area and lots of people are trying to work out exactly what does happen next. Does the temporary specification get extended? I don't think that's actually possible. There may be a way to do it but I think it would discredit this entire process.

What's likely to happen is that the contracted parties will have to have new contract talks with ICANN because they are seen as joint controllers within this ecosystem. So, it would remove all of the other parties to this process and move specifically to contract negotiations. That's going to be a difficult position to be in, so, we're just going to be continue to push for this balanced approach of, you know, allowing contracted parties to mitigate their risk against potential GDPR fines. But also make sure that access to the WHOIS data is available to those that are authenticated or need it.

And we'll continue to push that position because I think it's fair to give this PDP a chance. And I think there's a lot of interesting debate within the PDP itself. And we will certainly get to a point in the near future where we understand exactly where this group is going publicly.

You know, how does this impact all of you? It's great that we can talk about what's going on in ICANN, but how does this impact registrants or holders of domain portfolios, or those that are looking to protect their brands online? Well, as we all know visibility on WHOIS data is at an all-time low. Some have tried to push for the status quo to keep the WHOIS as it was, fully available, fully queryable.

But, you know, that's no longer fit for purpose and this isn't just about the use introduction of GDPR, we've seen in other parts of the world further consideration to extending privacy laws for individuals. So, this isn't just about GDPR. We expect to see privacy laws launched in three or four other jurisdictions in the not-too-distant future. So, will the work that's done here affect how those governments view privacy online?

That's yet to be seen but I certainly feel if we get this right now, then it will certainly create a framework for the future. And ensure the access for legitimate interests is available. The dispute and legality of all of this, as I mentioned before, ICANN lost for a fifth time in German courts against Tucows to force them to collect all of this data. The EU's provided guidance on what needs to be displayed. But it's likely, if the ePDP doesn't work, then this will end up in contractual negotiations between the contracted parties.

It's also worth noting an often-used resource online, DomainTools, has just had a U.S. Court deem that its collection of WHOIS data for a specific ccTLD was in breach of those terms and conditions. So, we'll start to see more and more ccTLDs push to have their data removed from services such as DomainTools or others because the storage of that data is deemed to be in contravention of certain laws.

The ePDP obviously continues and as that work progresses at the same time there is additional work looking at the WHOIS replacement. This is specifically where we feel that time is best spent because this new queryable system called RDAP will certainly be the place where all information is deposited, is really just making sure the access is granted and is available to those that authenticate themselves. So, we're certainly looking that RDAP is the place to spend a lot of our time.

And then as I said before, ownership and display of data. CSC or registrars in general are responsible for the display of common net information. But it's the other TLDs where that data is being redacted that are also important. So, we'll continue to work with our registrar partner, sorry, registry partners, and to make sure that that data is available.

So, some short-term advice because we actually get asked this a lot in, where is the best place to find WHOIS data? Well, the ICANN WHOIS is the best place. Also, if you want to query CSC data, there's a specific WHOIS address that we allow as well. You can get these from the slides but certainly talk to your CSC representative about getting your WHOIS information from inside of Domain Manager or the best place to query WHOIS information for domains not managed by CSC.

So, that's the ePDP and the temporary specification. And certainly, as I said, this is dominated the discussions during this ICANN meeting. But there's also been some other things going on as well, other things that Gretchen and I have spoken to you all in the past about. The first is the privacy and proxy services accreditation issue, which is a mouthful, also known as PPSAI. And what this is looking at is looking at the issues surrounding the provision of privacy and proxy services by registrars and registries to individuals.

To prior to the WHOIS being redacted, if you didn't want your information displayed, you could purchase a privacy service, which would anonymize your email address and telephone number, or a proxy service which would completely anonymize all the data of the domain that you own. And some people use that for obvious privacy reasons to stop themselves getting spammed, but others used it as a method of hiding their identity from others online. And so, this was seen as a pretty big issue and a lot of work has gone into trying to work out how ICANN could accredit privacy and proxy service providers.

Now, one thing that is clear is that because most of the WHOIS information is redacted right now, is there still a need for the services? Some still use them because some information is provided and of course there is underlying data as well. But really the temporary specification and GDPR had a massive impact on the validity of this policy development process and the recommendations for implementation.

So, ICANN have now put this on a ‘go-slow' track and really that go-slow track means that this is suspended until further notice. And I think the community is going to take some time to satisfy and make sure that all the issues the temporary specification are resolved. And then once we understand what the WHOIS landscape will look like after that, I think this will either be kicked off again to address issues that come up, or will be completely canned. So, depending on what happens with the ePDP, this currently is paused or it's going slowly. So, I think we'll probably see either this start again in the middle of next year or the ICANN board just completely stop it from happening.

The next area is, and obviously one of our favorites, is the new gTLD subsequent procedures PDP. And this PDP is looking at the next round of new gTLD applications. So, it's been looking at the issues from the previous round and then making sure that all of those issues are resolved for a more predictable and standard ability for those that wish to apply for a new TLD and to have that.

There is some serious contention in what's known as Work Track 5 and that's the geographic names. But for the most part, Work Tracks 1 and 4 have concluded their initial work and have produced an initial report. That initial report was published in July of this year and closed at the end of September. So, all of the public comments that have been submitted on the initial report are being reviewed at the moment and collated by three groups within this PDP.

That review began during the ICANN meeting where members met face-to-face to talk about the comments received, and started to put them into buckets, so they can understand what the general consensus is around the initial report. We expect this supplemental report, a supplemental report to the initial report that was published. We expect that in the coming weeks, and then there will be a formal consensus call on recommendations after the public comment period. And once that's all completed, we'll see those integrated into a final report. And that final report will then move to look at when we can expect the next gTLD round.

So, this is the latest timeline from that PDP. And you'll see that Work Tracks 1 to 4 have done their work. Some new subgroups will be convened to review the public comments and then we'll look to find this next report. So, this comes down to, again and usually the thing that we finish up these webinars with is, you know, when is the next round of new TLDs?

Well, some in the industry are pushing for a brand- and city-only round, so they think that the previous acting guide book, whilst not perfect, was good enough to allow brands to submit their applications for TLDs that they wish to own and operate themselves. We're not sure, we don't think that's a good idea firstly but whilst we understand that some people want to have their applications for dot brands submitted as quickly as possible, I think there's a need to get this right. And so, this PDP will continue to carry on and we expect that final report and some deliberations towards the end of next year. If I could hazard a guess, I'd say that that will push out into 2020 and I don't think we will see a dot brand or a new TLD round until at least then, or stretching into 2021.