Comments on the Initial Report on the Thick Whois Policy Development Process
Please find hereafter my personal comments on the above-mentioned report.
The report mentions that /"The thin model is thus criticized for introducing variability among Whois services, which can be problematic for legitimate forms of automation."/
It should be noted too that the port 43 WHOIS protocol was never designed with any form of automation in mind. It was meant to display ASCII text strings on text terminals. Hence, any complaint that the thin Whois model makes automation difficult is irrelevant. This seems a weak argument for dumping the thin Whois model. On the contrary, the fact that some registrars may change on a regular basis the way their WHOIS results are displayed is an additional protection for the registrant, in that it makes large-scale harvesting of their data slightly more difficult.
With regard to applicable privacy laws, the working group notes that: /"Again, these questions must be explored in more depth by ICANN Staff, starting with the General Counsel’s Office, and by the community, with registries and registrars taking the lead."/
I would have expected that the domain name registrants would be the ones to take the lead. It is their data we are talking about, after all, not that of registries and registrars. I would rather suggest that the NCUC, BC and ALAC should take the lead, in collaboration with the GAC for those aspects regarding trans-border data exchanges and compliance with local laws. This should be a customer and government-led effort, not an industry-led one.
Although the report mentions that the transition to the thick Whois from the thin model would require the transfer of the private data from the registrar to the registry, it does not currently examine the legal issues that may arise from this transfer to a third country, both for registrars and registries. For example, none of the major gTLD operators located in the United States seem to be listed in the US-EU safe harbour list for their gTLD-related activities, which may be problematic for registrars that need to seek prior authorization from the national data protection authority. See https://safeharbor.export.gov/list.aspx. As noted in the report, the fact there were no legal actions taken in the past does not mean there are no legal issues and is certainly no guarantee there will not be any in the future.
More generally, it is questionable to still invest time and resources in trying to fix the protocol and the model, both of which will go through substantial changes in the near future. On the protocol side, port 43 is obsolete, and unsatisfying for all parties. WEIRDS will address many of the current shortcomings of the port 43 WHOIS. This includes the required standardisation through JSON formatted responses for automation of the queries, as well as the support for non-ASCII data. Further, the possibility to implement differentiated access will make it possible to address many of the concerns regarding privacy and compliance with law.
On the legal side, the European Union is drafting a revised privacy framework which could have a considerable impact on directory services like the Whois. This will be of particular importance for those registries and registrars that have a sizeable market in Europe, and will need to comply with law if they wish to continue their business there.
Given that both factors will induce significant costs in implementation, it would seem reasonable to freeze all changes to the Whois services until both the technical and legal landscapes clear up. However, starting right away the discussions on the *future* directory services would certainly speed up the adoption and deployment at a future stage.
Respectfully submitted,
Patrick Vande Walle
Domain name registrant and former member of the ALAC and SSAC