INTERNET INSIGHTS FROM THE WALLED CITY

Annie: Hello, everyone, and welcome to today's webinar, Internet Insights from the Walled City: A Report from ICANN 61. My name is Annie Bruxelles, and I will be your moderator.

Joining us today are Gretchen Olive and Ben Anderson. Gretchen is the director of policy and global domain name services for CSC. For nearly two decades, Gretchen has helped global 2000 companies devise global domain names, trademarks, and online brand protection strategies, and is a leading authority on the ICANN new gTLD program.

Ben is the director of Domain Product Management, including new generic top-level domains or gTLD services in the digital brand services division of CSC. He is responsible for overseeing the development of the company's product portfolio and proposition. And with that, let's welcome Gretchen and Ben.

Gretchen: Thank you so much, Annie. So welcome, everybody. Another eventful ICANN meeting. Never seems to disappoint, which, I guess, is a good thing. There's a lot to cover today. I know many of you are sitting on the edge of your seat, wondering how the conversations went around GDPR and WHOIS. We are definitely getting to that today. But let's just take a quick look at our agenda here to understand all the things we're going to cover.

So, we'll do our usual ICANN overview. We'll quickly today, when I say quickly, really quickly, go through key policy updates to just kind of make sure that you're staying in the loop on those different PDPs that are going on in the ICANN world. Then we're going to move into everyone's favorite topic, WHOIS, and, of course, GDPR on the back of that.

These groups all kind of form the ICANN communities. You'll hear a lot of people and even us in these webinars say "the community," and this is what we're talking about when we say "the community." But for the most part, you have the boxes below, the main bars up there, you see the Board of Directors. If you look straight underneath the Board of Directors, these are the key stakeholder organizations, the top one being the GNSO. That's the generic name supporting organization, and each of these supporting organizations has subgroups within them.

So, you can see in the GNSO with probably a lot of familiar listing there: registries, registrars, intellectual property, business constituency, ISPs. These are a lot of people who are very active in the internet, and a fair number of those, like registrars, registries, they are what's called Contracted Parties. So, they're the folks…CSC, as they register, we have a contract with ICANN. We need to have a contract with ICANN, and it's called an Accreditation Agreement, to be able to sell an offer gTLDs.

And so, there's a contractual relationship in some cases between members of the stakeholder groups and ICANN, but in other cases, like IP and business constituency, they don't have a contractual relationship as ICANN, but certainly have a very important stake in what goes on in terms of internet policy related to CNS.

You'll see some gray boxes all the way to the right. Those are different advisory committees. Those committees, some are technical in nature. Some are more from a public policy standpoint. So, you see the Governmental Advisory Committee at the very bottom, one of the darker gray boxes. They are a very vocal and kind of integral part of the ICANN process. They really look at all the policy work that's done at the community level.

So, below the board of directors, all the policy work gets done through the community and then it bubbles up to the board of directors for approval, and through that process these different advisory committees will provide input and tell ICANN, "Oh, we think this is good. We think you might have forgotten something here," or, "We think this is totally against public policy."

So, ICANN has three public meetings a year. They've recently gone through some restructuring over the last couple years, and really what we're at right now is three public meetings, meeting A, meeting B, and meeting C. They always kind of happen the same times of the year. They're dispersed across the globe.

And really what we're here to talk about is what happens in the meeting A session. This is a six-day meeting very similar to the ICANN meetings that have happened over the last dare I say 20 years. That's frightening to me because I've been a part of most of those.

But it really is one that has sort of the full, if you will, pomp and circumstance ICANN, welcome ceremony, public forums, all that. So, a lot of interaction occurs at these meetings.

So, the first policy update, first policy thing I would like to talk about is there's a couple of PDPs. So, when I say PDP, that's Policy Development Process. That is the formal acronym in the ICANN world to formulate policy there at that stakeholder level. It's a formal process that gets kicked off.

And typically, PDPs take about two years. They can take more. I've not very often seen them take less, but it's a formal process that occurs. And so, after the new gTLD, first round of the new gTLD program, there have been two very active PDPs going on. One's called new gTLD subsequent procedures PDP, and this is related to a lot of the policies and processes that made up round 1 of the new gTLD program.

This particular PDP has multiple work tracks. You see on the screen, there are five work tracks trying to break the work up into bite-sized chunky pieces, if you will, but really, it's trying to get at…looking at what occurred in round 1 and refining the process or the policy, making those recommendations to improve the user experience and the community experience, and the internet user experience, if you will, with new gTLDs.

So, to give you a quick summary and in terms of where this is, it's not moving very fast. I guess that's the short answer. Now, just because it's not moving fast doesn't mean that anybody doing anything wrong. It just means that this stuff does take time, and ICANN is a consensus policy organization.

This isn't majority rules, and so you have a lot of different volunteers coming together with these workgroups, a lot of different points of view and perspectives and experiences and agendas, and that sometimes flows the wheels of change. And so, the work tracks are developed so that we can get to some draft recommendation for changes in each of the areas. And that's what's going on.

We also have a rights protection mechanisms PDP. So, rights protection mechanisms is another ICANN acronym. It is a world of acronyms. RPM, Rights Protection Mechanisms, that really means what are those things within the program that are baked in to try to protect the right, typically the trademark rights, intellectual property rights, of brand holders.

So, there are a number of rights protection mechanisms that are being tested as part of round 1. You see some of them listed here, The Trademark Post-Delegation Dispute Resolution Procedure, very long acronym, Trademark Clearing House, Sunrise and Trademark Claims, and then something called Uniform Rapid Suspension. That's comprising phase 1 work.

Phase 2 work is actually going to evaluate the UDRPs. That is also a rights protection mechanism that's part of the round one of ICANN's new gTLD program. But as many of you on this call know, UDRP, Uniform Dispute Resolution Process, the process by which you can recover or dispute the ownership of a domain name based on claim of infringing on trademark rights, that has been in existence since the late '90s, really since ICANN's inception.

So, this is a process that's been around a really long time. It's very predictable. Many brand owners like it and think that it's fine just the way it is. But this rights protection mechanisms PDP group has decided, and it's not just them, the community has decided that they should also review that. And that's phase 2, but that is something that has existed even before the new gTLD program.

So, where exactly are we on the rights protection mechanism PDP? As I said, not much has changed. And a lot of that is because of the topic we're going to talk about in just a little bit with GDPR. That really has sucked all the air out of the room, for a lack of a better phrase. It has been something that it's kind of hit everybody in the face. Probably took longer to do that than should have, but nonetheless, taken a lot of energy and I would say traction away from some of these PDPs that are going on.

There still going on, but they're kind of moving at a glacial pace. And the rights protection PDP is really tightly coupled with that subsequent procedures PDP, and so the challenge is it's hard for one to kind of move forward without the other. They have to walk together, and so there's a lot of back and forth.

So, a lot of people are wondering, "Well, when is this work going to get done?" That's often a question. I get it in one of two forms. There's "When is work going to get done, this analysis, this review, this evaluation?" I think many brand owners, and I can tell you we here at CSC think there are some substantial improvements that can be made to the round 1 process and policies, and so it's important work and it should be done and should be done well.

So, no need to rush, but there are some people out there in the community who want to get to round 2 quicker than others. And so, the question which comes in when are they going to finish this work, because they need to finish this work to get to round 2. Or the question is "When is round 2?"

So, you can see here for the RPMs, here's the best-case timeline. You'll hear a lot of phrasing when people talk about this about the plausible path. You see this work for phase 1 is not going to be projected to be completed until mid Q2 of 2019, so that's still a year away.

You can also see now and in the next slide that tight linkage between these two PDPs and the overlap. They are running concurrently, which I think is a good thing, and I think that is…It does cause some challenges in terms of being able, for one, to move forward. The other one is sort of dealing with some of the similar questions that will require input from the other working group.

But you can see is this maps out, these two I would call them intertwined PDPs. You see this maps out, and we're well into 2019.

For those of you who have joined Ben and I for webinars on the ICANN and when we talk about round 2, it's something we kind of talk about a lot and we've been a little bit off. We haven't been in complete alignment, the two of us, on this. I've been predicting for some time 2020. Ben always being the optimist thought it could be sooner. I'm now planting my flag in 2022, and Ben I think you've moved from 2018 to 2019. So, I guess the banter will continue and we'll have to come up with our new formal predictions.

So, policy PDPs moving slowly, but still moving, still going. On top of all this, in the air if you will, is a process that happens every year, and that's the ICANN budget process. And the budget is something that always leads to some conversation, but it's one of those things where it's necessary. It's something that has to happen. And the ICANN budget cycle runs from July 1 to June 30, so this time of year is always where this all comes in.

So, anyway, what we have today is a lot of people unhappy with ICANN's budget, feeling like ICANN needs to focus on its core mission and spend its money focusing on that core mission. It is something that people will point fingers and say, "The new gTLD program is not as successful as it was anticipated. So, ICANN needs to be more realistic on those revenue projections," and they have come down from that.

There are concerns around ICANN's…what they should have in reserve funds, and there are some concerns that there's not enough money there. There are discussions around the auction proceeds from round 1. Those were supposed to be used for community benefit, but now there's some discussion about whether or not some of those auction proceeds should come in to ICANN's budget.

So, there's a lot going on here, and on top of all this is whether or not ICANN should look to trim staff, travel, those types of things. So, many of the issues you all face, we all face in corporate life trying to get business done. ICANN is coming to some hard realities, and that also too has an impact on the speed of things, because again, it's another distraction. It's one more thing ICANN staff are spending time on. Again, important, but it does detract and slow down often the sense of urgency on other items.

So, this is kind of all what's going on and in the overall ICANN world, but the one thing that is the issue of the day is definitely WHOIS, and the impact that GDPR will have on that.

So, Ben and I we've probably been talking about WHOIS since we both walked on the scene of this industry. I know Ben's 15 years, I'm 17 almost 18 years plus into this industry and WHOIS never seems to go away. So, Ben why don't you tell us about the latest chapter in this saga?

Ben: Perfect. Thanks, Gretchen. And welcome, everyone, joining us today. So, next generation RDS to replace WHOIS, this is a PDP that's going on at the moment, and I'll get to the acronyms in a minute, but it's an important subject to touch on. I think as you'll see as we move forward, you'll see that this is connected to GDPR and the discussions that are going on in the community at the moment about WHOIS.

But first on this PDP, in April 2015 the ICANN board requested that this PDP was initiated. And the goal of this PDP is to define the purpose of collecting, maintaining, and providing access to gTLD registration data, and consider some safeguards for protecting that data.

And then at the end of January 2016, that working group commenced its deliberations, attempting to answer two main questions. And those questions are "What are the fundamental requirements for gTLD registration data?" So, you'll know when you register a domain, you're asked to provide a registrant contact, an admin contact, a technical contact, and a billing contact. And the question is, is that information still necessary?

The second question is "Is a new policy framework and next generation registration directory services, or RDS, needed to address these requirements?" So, is the WHOIS, the port 43, the thing that we all query today, fit for purpose in the next generation of registration data?

So, comprehensive WHOIS policy reforms remain. As Gretchen said, a source of long-running discussions within ICANN, and with Gretchen and I on an almost daily basis. And any discussion on the WHOIS system for domain registration data involves various topics, and those kind of revolve around the purpose of the data itself, its accuracy, and how to improve that accuracy, the availability of it, privacy surrounding it, data protection, cost and policing, an important thing, intellectual property protection, and security and malicious use and abuse. So, those are all the things that revolve around this RDS.

ICANN's requirements for gTLD domain name registration data collection have undergone some important changes. Nevertheless though, after more than 15 years of task forces, and working groups, and workshops, and hallway debates, this policy still needs comprehensive reforms that address many of the contentious attached to it.

And this is a working group that is extremely contentious and in quite a hostile place to be in. There are opposing views, very many extremes, and that usually results in discontent and argument, and so much so that the ICANN Ombudsman has had to get involved to ensure that people are behaving themselves in the appropriate manner.

So, a contentious issue. We'll move on to really have that links into the GDPR discussion.

Gretchen: I know I was talking to someone last week about it during the ICANN meeting, and even since then there have been some developments. So, let's see if we can…first, let me kind of explain what GDP are, and again, I want to make sure that we're all on the same page. Poll results are up and no surprise. They're very concerned.

So, anyway, GDPR, let's make sure everybody knows what that is. GDPR is the general data protection regulation. So, this is replacing the Data Protection Directive that came out in 1995 in the EU.

And really, in '95 when that directive came out, what had to happen on the back of that was each country had to then pass enabling legislation to protect the data privacy of persons in Europe and in the EU. That's what happened, and even though, the directive was something that was sent out for everybody, each country and their enabling legislation kind of took a slightly different approach and interpretation, so what you wound up with was, yes, a lot of data protection statutes and requirements, and I think by and large consistent that that was now an important requirement.

But the implementation was a little different every place, so that left a lot of variability. With business being so global and people moving through borders, especially the internet, which is borderless, it left a lot of people always confused about what they could do, where, when, etc.

So, here we have the GDPR now. This was actually passed in 2016, and the statute, the regulation, the general data protection regulation, doesn't require, because it's a regulation, any additional enabling legislation in each of the countries. But it did give a two-year ramp-up period, a period of time to come into compliance.

So, while the regulation was enacted in 2016, it doesn't go into effect for enforcement purposes until May 25, 2018. So, that's not far from now and that's a big problem. This tries to harmonize the data privacy laws. It tries to kind of put that big umbrella over EU citizens' data privacy and reshape the way organizations across the globe approach data privacy, but don't be fooled. This is not just an EU thing.

Again, because business is so global, the internet is so global, many of us, even though we do not sit in the EU, do business and handle data of EU citizens. So, this does have extraterritorial scope, and it's something that we really need to make sure that everyone's aware of and planning for.

And so, what we have on the next slide is just an exact definition of personal data. I think the part of this that's particularly scary is the regulation has very stiff penalties for non-compliance. So, you're looking at 4% of annual turnover or 20 million Euros, whichever is greater, for non-compliance, and then there are also additional fines for failure to provide adequate notice and things like that.

So, this is a very different animal than the directive that existed in '95. And it's really something that all companies far and wide are trying to come to terms with, and ICANN is really no exception.

So, Ben, how would you like to share with everybody where we are?

Ben: Perfect. Yes, I'd love to. This is a really fluid situation. So, you'll see that we kind of move in between a few different things. Over the last four hours, this has changed a little bit as well. So, we're keeping up with this as things happen, but the timeline set out on your screens is what ICANN have been working towards, and that, as with all things ICANN, has been delayed and changed numerous times.

So, the global WHOIS system is as old as domains themselves. I think we all know that. And it's a way of finding out who owns a domain. But that WHOIS displays a significant amount of personal data, including the name, address, and phone number, of the registrant and the other contacts.

And that's been overly abused for many years. As many of you know who have personal domains, it's used as a way of harvesting information for the use of unsolicited communication, and sometimes much worse. But it's an important tool for CSC and our customers in combatting online abuse.

And it's fair to say that in spite of various attempts to get ICANN organized to bring GDPR into focus, they've arrived to the GDPR party extremely late. So, after a lot of pressure, ICANN finally announced three different models designed to address the WHOIS issue. And this is done in conjunction with their law firm, Hamilton's.

Before we move in to where we're sitting, I think it's worth briefly touching on the history of how we've arrived at this current position.

You'll see there there's such a small amount of time left to implement a solution that works for the contracted parties, and also all the interested parties that require this information. There's a lot of positioning, but also compromise being required at the moment.

So, ICANN asked the community to propose some interim models to deal with the impending GDPR deadline, and the ICANN models and those submitted by the community are separated out into this chart that you can see in front of you now. The top line and the right, the orange box, is the current WHOIS as it stands today: unlimited access to that data. And inside of here are all the different models that have been submitted, and you can see from the left-hand side of your screen the models requested a minimal amount of data to be shown in the WHOIS, moving all the way across to the right, which is full data.

And then access to that data is graded from top to bottom, with the top being self-certification access where a user can just come along, request to see WHOIS data, enter in their details, and then be provided that data back.

As we move down, it moves into an accreditation system, whereby users could get access to extended WHOIS data by passing some form of accreditation with some body making sure that the users were using the data correctly.

And then we move down to the final models where access to that information was only provided through due process, and was that only real means of revealing the registrant data. So, lots of different models looking at lots of different ways to access the data, and also how much data is actually shown.

It's worth pointing out…and I'll just go back. It's worth pointing out that there's a model in there, the Echo model, which received wide support from within the contracted party's house. And most of the major retail registrars actively supported that model, so the likes of GoDaddy and Tucows. But that model was initially discounted by ICANN, the organization who wanted to push their own middle ground option, which was the ICANN model 2.

High-level descriptions of the ICANN models are on your screen now. And I don't want to dwell too much on these, but it's important to see how they move through the process.

The second model itself was separated into two parts, and that separation being between model 2A and 2B. And 2A would apply to registrants within the EEA, or the European Economic Area, and 2B would be applied to domain name registrars on a global basis.

It appears now the general consensus is that this will apply to all domain name registrations irrespective of where the registrant comes from. So, this won't just be about European registrants anymore. This will be about every single domain name or gTLD domain that is registered irrespective, again, of where the registrant comes from.

So, after some pressure, ICANN have now published this interim model, which is a blend of what some feel are the good points from each of the models that were proposed. And it's certainly a compromise and the middle ground, because as you can see, it really in the middle of everything.

This is called the Calzone model, which is in reference to the ICANN CEO GDPR pizza comment. It's kind of an in-joke and the CEO poking fun of himself a bit. But this is the model that we're now looking at being a working model for implementation.

So, the model itself still has some large holes, and at the ICANN meeting, the GDD, the Global Domains Division, essentially asked the community to fill up or fill those holes and provide additional information to form this interim model.

And now, we've been participating behind the scenes to try and help address missing parts of those models, especially where it comes to access to the WHOIS, because we realize how important it is for our customers. But some of the major points are data collection, as we spoke about before, whether or not you need more than the registrant data to register a domain anymore, transfer of data from the registrar to the registry. Do registrars need to send all of the information? For some gTLDs that require more than just the standard details, should passports be required? That kind of information.

More of a thing about a business running, but data retention and whether or not local law should apply over and above what ICANN requires within its contracts.

But the major part is public WHOIS and access to that information, what information will be removed, and when that information is removed, is there a way that interested parties can get to see that data.

So, before we go to what that gated access might look like, I just like to show you the information that we are all likely to see after May 25. So, the first bit is this thin data, and everyone or most people will be familiar with this information. This is the information relating to the domain name and its operation. So, the domain itself, the registrar of record, its registration and expiry date, the name servers that it's on, whether or not it's locked, and some other technical forms. And that's the main block of data that you usually see at the top of any domain name registration.

That's helpful to find out where a domain is registered, when it was registered, or where it's being hosted, which are all really good pointers in terms of investigation, or just trying to understand what's going on with the domain. But I know a lot of us will start to then look at the registrant information. And this is probably where the big change will occur.

So, hopefully, you can see on your screens a separation of information for both legal persons and natural persons, so organizations and private individuals. And you'll see all the common contact areas that are usually displayed, so the address, state, postcode, country, telephone number, email address, across those four different contacts.

What this model proposes is that going forward, only the registrant organization, which is still a matter of debate, but definitely the state or province and country of the registrant will be displayed.

The other things that will be displayed are the registrant email address, the admin email address, and the technical email address. But within this model, registrars may opt or elect to anonymize those email addresses. So, when you look at a domain that maybe has a proxy or masking service over the top, that service provider will usually anonymize those email addresses, and sometimes change them on a regular basis, to prevent spam.

The other thing the registrars will have the option to do is provide a web form through which interested parties can contact the registrants. So, the email address will not be displayed, but there will be a method of contact.

I realize this for those that haven't seen this already, it can be definitely a worrying thing, because this information will disappear at the end of May. And at the moment, there's no real clear path as to how access to that information can be gained again, and that's something that Gretchen and I are working extremely hard on.

So, here's a summary of how why you must…Sorry, Gretchen.

Gretchen: No, my apologies for interrupting. I think I just want to emphasize that point, Ben. Things are moving very quickly, and I think you even mentioned earlier in the webinar that just in the last for hours we've seen some updates, which is just true.

How this is all going to exactly land is still a big question mark and whether or not all registrars will handle this in the same way. As of right now, this is a proposal, and it's a proposal that's gaining support and steam in the industry and people are leaning in that direction. But there may be folks who go a different way, and until there's sort of a mandate that that's what you need to do, or something else emerges that everybody coalesces around, I think in the short term this is likely what we'll see for most, but it's still quite fluid. It's not a done deal yet.

Ben: Precisely. And so, you'll see the second point on this slide is a game of RDAP chicken being played. And this goes back to this RDS and RDAP PDP that I was talking about earlier. This system is operational in quite a small capacity, but is operational, and has been designed to provide layered and gated access to WHOIS information. So, the technology is there. It's just that this PDP is taking a long time to conclude.

Now, in the ICANN meeting, the GDD team asked the contracted parties how long it would take them to implement an as-yet undesigned solution to provide gated layered access to WHOIS data. That system already exists, and I think what we're going to probably see happen is ICANN and the contracted parties are waiting for the first person to say, "Why don't we just use RDAP?"

We've seen some large registries publicly state that they support the use of that technology because it's already in place and wouldn't require much more development. And a lot of the registries and registrars have said it would take them 12 months to implement something new. So, that's another year down the line with lots of people trying to vie for position about who gets access to what elements of the data.

So, I think my feeling, as with my next round new gTLD predictions, which are sometimes quite optimistic, I'm going to be optimistic about this and say we may see something within the next six to nine months that would allow access to that data. And ultimately, it could happen. There's a caveat that I am an optimist.

So, this is how this kind of works. Apologies for the way this looks, but this is an ICANN illustration. So, you'll see that the registrant data goes to the registrars, and then the registries. ICANN keeps some, and that data is escrowed to providers to make sure that that information is maintained in case of registries or registrars going out of business.

The registrant data for public display is that information that we spoke about earlier on those last slides, and then there's the nonpublic registration data. Firstly, that should be available for governments and law enforcement agencies, and those law enforcement agencies can go through the GAC to request that information.

The other position is a certification program. What is the criteria and who should be provided that access? We've seen some suggestions today from a working group specifically around allowing intellectual property rights holders access to that information, all their providers to be able to go in and get that data. But I think one thing will be very clear. It won't be in the bulk fashion that we might be used to. I think one of the compromises is that the data will be provided, but on a per-domain basis. So, it's certainly going to slow down any kind of enforcement activity, especially at scale.

But again, this is this is something that is being proposed. There is no working system. There are rules or policy around this. So, how far and how long is this going to take? And this is really the question. So, how long will this interim model be used?

ICANN has already put up that RDAP is their chosen system. They might be more optimistic than I am. They're saying May 2019, so there's the potential for having a year of this interim model in operation that many registrars adhere to.

Even if that data is available, we know that some registrars may look to mask it further so they protect their business from the concerns that they have about GDPR. We're not entirely sure that those concerns are warranted for such an extreme measure. But, of course, many of the retail registrars obviously want to show that they're trying to assist in this issue.

One thing that I think is worth pointing out is that we met with NTIA last week in the ICANN meeting, and they've tried for a long time to get the data protection authorities, the DPAs, and the Article 29 Working Group of the European Union to essentially allow WHOIS to continue.

And NTIA haven't had much success. They've asked the contracted parties to write to Article 29 Working Group and ask for forbearance on this specifically around WHOIS, nothing else but WHOIS. So, NTIA haven't had much success and they're now looking to the registrars and the registries to request that this is happening.

I'm pleased to say that a lot of the large retail registrars are actually in support of doing that. So, there's definitely not a feeling that they're looking to obscure this. They want a secure and stable internet, I think, as much as anyone else. But it just shows that even such…A part of the US government has not had much success with Article 29. It might be the moving towards getting this RDS system up and running to regain access to the information could be the right place to start. I don't know what you think about that, Gretchen.

Gretchen: I think that is critical. I think that just the thought of having to go to each DPA and getting their approval is…I just can't imagine that happening when NTIA can't make it happen. So, I think that's where we're spending a lot of our efforts is just pushing, pushing, pushing to try to get some certainty.

Ben: Perfect. So, I appreciate this. For some that haven't been following this closely, this may come as a bit of a shock or a surprise. We're certainly here to assist in any way possible. We'll continue along this avenue of trying to drive the system implementation of access, but it's certainly open to suggestions from any CSC customer who would like us to explore different avenues.

Gretchen: Absolutely. I think on top of that is…I know that this is a lot of information, and this issue does change very quickly. It's really hard to keep track of it. I know everybody's got day jobs, if you will, and this is one more thing. But we're working hard to get to the right place, and as Ben said, all suggestions welcome. But we'd also like to say that there's a need for brand engagement in this dialogue to give it that energy, that urgency, that weight.

Particularly, there are a lot of people within the community that say, "The registries and the registrars, they're just trying to get to something operationally efficient." There's certainly a part of that. The domain registration system is one that is very automated. But I think what we really want is we want to get to a place where all the activities that happen today, monitoring and enforcement of brands, and the ability to deal with bad actors and track them to the extent that WHOIS can help, we want that all to continue. We need to really get to this final destination sooner as opposed to later, because being in the dark is not going to serve anybody's needs.

There are also other things. There are other places in the ecosystem or other players in the ecosystem that rely on WHOIS to provide things like SSL certificates. There's a domain validation component of that. And if WHOIS disappears, how does that happen to ensure that certificates are being issued to the right people?

So, this is a really important issue and one that we encourage you to get engaged on. If we can help you get engaged, let us know. If you have ideas, let us know. We're going to try to continue to keep you up to date. Not by the hour because I think that could be a little maddening, but at key milestone moments. Definitely there's a drive to May 25, and then there's likely to be an ongoing fight and push after that May 25 to try to get to the final model quicker or sooner as opposed to later.

Ben: Excellent. Perfect. Thanks, Gretchen. I think some final things to consider is how you manage your own portfolio and your domains themselves. So, as we've said, visibility will decrease, and so it may be worth considering how you use the WHOIS today and what impact that will have on your business if that information is removed.

As we said, disputing whilst UDRP remains in place and registrars must adhere to UDRP, again, disputing a domain, say, through cease and desist, or just a kind and gentle letter to the registrant may not be possible anymore because that information will no longer be available. So, it may be a formal dispute policy that you need to go through.

I think I'm always sometimes surprised that after 15 years of domain name management, the portfolios are still in disparate locations and we continuously find new domains that are being registered by new parts of the business in other registrars. So, if you feel that's an issue for your business, then now is the time to audit and use the tools available to ascertain where other domain names that your business may own are located. It's likely that that information will be limited going forward.

And then from the ownership of own domains and that perspective, we always recommend using generic contacts. And now might be the time for you to review who are the contacts for your domains and are you using something generic. If that information were to be displayed, those individuals, will they do something about it? So, it's worth understanding or auditing where you have other domains and how your domains are owned.

These are, as I said, our final GDPR recommendations purely from a perspective of managing your portfolio. Audit now, evaluate who your suppliers are, and consolidate with the most secure. GDPR isn't just about the publication of personal data in the WHOIS. It's about so much more than that. And making sure that you are secure and the data that you use is secure is vitally important.

We've seen some major incidents over the last few months, and serious fines for the businesses that have had data breaches. So, it's important to make sure that you evaluate where those things are. Review the policies that you have and make sure that you have controls in place for the management of your digital assets.

As I said, be prepared to adjust your tactics when it comes to monitoring and enforcement. If you're using the WHOIS data for anything specific, then work out what happens if that information isn't there anymore. Do you need to change tact in order to address the issues that you're trying to resolve?

Annie: Thank you, Gretchen and Ben. That was great. Folks, we will now open the Q&A session. So, if you have any questions you'd like to ask Ben and Gretchen, send them in right now. Also on the screen, we have one final prompt for you. Please indicate how CSC can help you in preparing for GDPR implementation. You select any of the options that apply to you. We will make sure that someone gets in touch with you.

Gretchen: Annie, thank you very much. There's a lot of information here and I know that it may take people a little bit to kind of digest it. So, if you don't have a question today, certainly feel free to reach out to us. This is a journey, and it's a marathon and not a sprint. I once had a colleague that often reminded me of that. And I think nothing is more true than that right now.

We do have a couple of questions I'm going to take in the Q&A, but why while we're doing that, we'll leave the polling question up. Again, if there's anything else we can help you with, please just drop us a note in the Q&A box and we will get that.

So, one of the questions actually came in pretty early into the webinar. We weren't sure we'd have enough time, so I'm going to just quickly address it. It's from Adam. "Do you think there's a chance there won't be a second round of ICANN's new gTLD program?" I think that that train has left the station. I think there will be. Go back about a year, there was a lot of groundswell of activity about getting to second round quickly. I think that's slowed. Like I said, GDPR has definitely taken the air out of the room.

I think we're delaying, so it may quite honestly be 10 years between rounds, which is interesting that that's the case, considering one of the initial drafts of the applicant guidebook said that ICANN would open up a second round within one year of the closing of the first round, so kind of interesting.

The second question that we got in is from Julianne, I think. "Will GDPR only impact the WHOIS of companies who are based in the EU?" Ben, do you want to take that one?

Ben: Sure. The short answer is no. It applies to any business that is…Let me start again. It applies not only to EU entities dealing with personal data anywhere in the world, but also entities outside of the EU dealing with personal data of EU residents. I think one thing to mention is that many other jurisdictions are looking at this as a potential blueprint for their own privacy regulations. So, we don't think that this will just stop at the EU.

Gretchen: I think for those of you who are with us this afternoon in the in the US, certainly the news over the last few days relating to Facebook and things like that, the data, gate issues there, it's a reality of today's world. There's a lot of data exchange to transact business, to communicate with each other, to interact, to share information. And the EU has really been out front for many years on data privacy. I think I couldn't agree more, that GDPR is what's being looked at by other places around the world, regions of the world as a model.

We've seen activity in the US, in New York, and I believe it was last September there was some very strict data privacy regulations put into effect as it relates to financials. I believe there's been some other regulation. I think it's in Colorado. So, it's popping up in the state legislatures, but quite honestly in the US, I think it's just a matter of time before we get to something at the kind of national federal level. So, much more to come. This is truly a marathon.

I think we're at of time. There are a few other questions we didn't get to, so we'll circle back with you. I think we've filled everybody's brain with enough on the GDPR today hopefully.

Annie: Yes. Thank you, Gretchen and Ben, once again. Folks, as Gretchen mentioned, that's all the time we have for today. If we didn't get to your question, we will contact you with a response after the webinar. Last reminder, you can download a copy of today's materials from your resource widget. Thanks to everyone who joined us today. We hope to see you next time.