The Internet Corporation for Assigned Names and Numbers organization (ICANN org) has hosted two webinars about the proposed WHOIS Disclosure System since its Annual General Meeting in Kuala Lumpur, Malaysia, last month. The two virtual events, which took place on 4 and 10 October, drew dozens of participants and elicited numerous questions and discussion.
The WHOIS Disclosure System, if implemented, would be a temporary method for gathering data to gauge the demand for a system that would streamline the process for submitting and evaluating requests for access to nonpublic generic top-level domain (gTLD) registration data. That data would inform the discussion between the Generic Names Supporting Organization (GNSO) Council and the ICANN Board regarding a System for Standardized Access and Disclosure to Nonpublic gTLD Registration Data (SSAD). The SSAD was recommended in the Final Report of the GNSO Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data Phase 2 (EPDP Phase 2).
The proposed design for the WHOIS Disclosure System would simplify the process of submitting and receiving requests for nonpublic gTLD registration data for both the requestors and ICANN-accredited registrars. The majority of the questions during the two webinars fell into three categories: design, procedural and legal, and implementation.
One issue that came up was the possibility of incorporating an application programming interface, or API, which allows two applications to talk to each other. Some registrars have requested an API to be able to connect their internal systems to the WHOIS Disclosure System so there would be less manual work in responding to requests. An API was not included in the initial proposed design.
Procedural and Legal Discussion
Other questions about the proposed system centered on data disclosure requests – how much of the data in those requests would be retained and for how long, as well as how those disclosure requests may be accessed by the relevant registrars. The proposed design envisions that ICANN org would maintain the request data. The retention policies for that data would have to be determined in the early phases of the development of the system, as part of the refinement of a data protection impact assessment and in line with the principles of privacy by design, where the same security and data privacy measures apply for all requests.
The topic of how registrars would be notified of new requests, and what would be included in the notification, also was addressed. If a registrar opts in to using the WHOIS Disclosure System, an email would be sent to that participating registrar with a notification that a request has been received in the system. The email would not include details about the request. The detailed information for each request would be visible only in the ICANN Naming Services portal.
Some registrars have requested that the full data disclosure request and all associated data be sent via encrypted email. Others have requested the use of an API to ease the burden of processing requests as noted above, though the GNSO's EPDP Phase 2 Small Team has indicated that an API may be delivered in a later phase of operation if there is interest and demand from both registrars and requestors. ICANN org is discussing these possibilities with the GNSO Small Team.
There also was interest in how the system would be promoted for use. ICANN org recognized that, if implemented, there would be a need for an outreach and education campaign to inform potential requestors, outside of the ICANN community, on how to make requests. The org is also cognizant that there will be continued dialogue with ICANN-accredited registrars to ensure participation.
These and other details have not been fleshed out yet, as implementation of the system has not been decided on. The proposed design now rests with the Small Team, which is expected to make a recommendation to the GNSO Council on the next step. The Council will then issue a recommendation to the ICANN Board on whether to proceed with the implementation of the WHOIS Disclosure System.