Comments on the Initial Report on the Thick Whois Policy Development Process

[Patrick Vande Walle <patrick@xxxxxxxxxxxxxx>]

Please find hereafter my personal comments on the above-mentioned report.

The report mentions that /"The thin model is thus criticized for 
introducing variability among Whois services, which can be problematic 
for legitimate forms of automation."/
It should be noted to that the port 43 WHOIS protocol was never designed 
with any form of automation in mind. It was meant to display ASCII text 
strings on text terminals. Hence, any complaint that the thin Whois 
model makes automation difficult is irrelevant. This seems a weak 
argument for dumping the thin Whois model. On the contrary, the fact 
that some registrars may change on a regular basis the way their WHOIS 
results are displayed is an additional protection for the registrant, in 
that it makes large-scale harvesting of their data slightly more difficult.
With regard to applicable privacy laws, the working group notes that: 
/"Again, these questions must be explored in more depth by ICANN Staff, 
starting with the General Counsel’s Office, and by the community, with 
registries and registrars taking the lead."/
I would have expected that the domain name registrants would be the ones 
to take the lead. It is their data we are talking about, after all, not 
that of registries and registrars. I would rather suggest that the NCUC, 
BC and ALAC should take the lead, in collaboration with the GAC for 
those aspects regarding trans-border data exchanges and compliance to 
local laws. This should be a customer and government-led effort, not an 
industry-led one.
Although the report mentions that the transition to the thick Whois from 
the thin model would require the transfer of the private data from the 
registrar to the registry, it does not currently examine the legal 
issues that may arise from this transfer to a third country, both for 
registrars and registries. For example, none of the major gTLD operators 
located in the United States seem to be listed in the US-EU safe harbour 
list for their gTLD-related activities, which may be problematic for 
registrars that need to seek prior authorization from the national data 
protection authority. See https://safeharbor.export.gov/list.aspx   As 
noted in the report, the fact there were no legal actions taken in the 
past does not mean there are no legal issues and is certainly no 
guarantee there will not be any in the future.
More generally, it is questionable to still invest time and resources in 
trying to fix the protocol and the model, both of which will go through 
substantial changes in the near future. On the protocol side, port 43 is 
obsolete, and unsatisfying for all parties. WEIRDS will address many of 
the current shortcomings of the port 43 WHOIS. This includes the 
required standardisation through JSON formatted responses for automation 
of the queries, as well as the support for non-ASCII data. Further, the 
possibility to implement differentiated access will allow to address 
many of the concerns regarding privacy and compliance to law.
On the legal side, the European union is drafting a revised privacy 
framework which could have a considerable impact on directory services 
like the Whois. This will be of particular importance for those 
registries and registrars that have a sizeable market in Europe, and 
will need to comply with law if they wish to continue their business there.
Given that both factors will induce significant costs in implementation, 
it would seem reasonable to freeze all changes to the Whois services 
until both the technical and legal landscapes clear up.However, starting 
right away the discussions on the *future* directory services would 
certainly speed up the adoption and deployment at a future stage.
Respectfully submitted,

Patrick Vande Walle
Domain name registrant and former member of the ALAC and SSAC