Jump to content

Second Registration Directory Service Review

From ICANNWiki
Revision as of 20:09, 16 May 2023 by Jessica (talk | contribs) (Final Report and Implementation Phase)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

The Second Registration Directory Service Review (RDS2, also known as WHOIS2) was initiated in the fall of 2016 and completed in September 2019. Implementation of recommendations is ongoing as of May 2021.[1]

Background[edit | edit source]

The Affirmation of Commitments, an agreement between ICANN and the United States Department of Commerce, establishes ICANN's obligations to perform its duties with specific commitments in mind. All of the commitments bear on public and consumer trust of the organization. ICANN is to perform its functions in a manner that:

  • ensures accountability and transparency of decision-making;
  • preserves the security, stability, and resiliency of the DNS;
  • promotes competition, consumer trust, and consumer choice; and
  • enables access to registration data.

ICANN is also charged to periodically review and assess its performance through the lens of each of the above commitments.[2]

ICANN's board enshrined these commitments (and the associated reviews) in its Bylaws in Article 1 (Mission, Commitments, and Core Values)[3] and in Article 4 (Accountability and Review).[4] Article 4.6 deals with "Specific Reviews," each of which are tied to one of the commitments in the Affirmation of Commitments.[5]

The Organizational Effectiveness Committee of the board oversees the conduct of specific reviews.[6] The RDS is one such review. The Affirmation of Commitments specifies that RDS reviews should be carried out by volunteers from among the community, as well as "experts, and representatives of the global law enforcement community, and global privacy experts."[7]

External Factors and Timing of Substantive Work[edit | edit source]

The General Data Protection Regulation was passed by the EU in 2016, with full implementation planned for May 2018. The implications of this regulation on WHOIS data collection and display was the subject of much conversation within the ICANN community. As the RDS2 review was being planned, ICANN staff and organizations were preparing to begin work to craft the Temporary Specification for gTLD Registration Data.[8] In addition, the Implementation Advisory Group on WHOIS Conflicts with National Privacy Laws completed work in the spring of 2016.[9]

As a result of the crowded work environment, and citing concerns about volunteer workload, the board extended the deadline for volunteer applications twice, with a final deadline set for March 20, 2017.[10] The review team was not fully formulated until June 2017, and did not deliver its Terms of Reference until February 2018.[1]

At that time, the review team noted a total of nine ongoing projects which might potentially overlap with the scope of review:

  • GNSO PDP on Next-Generation Registration Directory Service (RDS)
  • Registration Data Access Protocol (RDAP) Implementation
  • Cross-Field Address Validation
  • Translation and Transliteration of Contact Information Implementation
  • Privacy/Proxy Services Accreditation Implementation
  • ICANN Procedures for Handling WHOIS Conflicts with Privacy Laws
  • WHOIS Accuracy/GAC Safeguard Advice on WHOIS Verification and Checks
  • Implementation of THICK WHOIS
  • ICANN organization’s work with the community on GDPR Compliance with existing agreements with registries and registrars[11]

In its Terms of Reference document, the team also noted that some review work may need to be deferred pending policy decisions and directions that might emerge from the above list:

In recognition that the WHOIS landscape will be changing, perhaps radically, over the coming months as ICANN addresses how it will respond to the EU General Data Protection Regulation (GDPR), the review team may choose to defer some or all of its work in relation to the scope items on Law Enforcement Needs, Consumer Trust and Safeguarding Registrant Data until it is more clear what path ICANN will be following. Should any work be deferred, individual timelines may slip. However, it is the intent of the review team that the overall schedule calling for the final report to be delivered by the end of December 2018 not change appreciably.[11]

Scope of Review[edit | edit source]

In November 2016, the chairs of ICANN's supporting organizations and advisory committees proposed a narrowed scope of review for RDS2, given the crowded and uncertain field of work being conducted at the same time.[12]. The proposal suggested a narrow focus on review of implementation of RDS1 recommendations.[12] The proposal was summarized in a memo prepared for the review team in February 2017. SO and AC commentary on the proposal was included.[13]

After deliberation among the review team regarding the possibility of a narrowed scope of review, the team decided that it should engage topic areas beyond simply reviewing the progress made on RDS1 implementation:

After much discussion the RDS-WHOIS2 Review Team decided that it would review all of the Bylaw mandated areas, except the OECD Guidelines, as they were under consideration by the Next-Generation gTLD RDS PDP and were judged to be less relevant, particularly in relation to the GDPR. In addition, the RDS-WHOIS2 Review Team included in its scope a review of new policy adopted by ICANN since the WHOIS1 Review Team published its report, and decided to perform a substantive review of Contractual Compliance with the intent of (a) assessing the effectiveness and transparency of ICANN enforcement of existing policy relating to RDS (WHOIS) through ICANN Contractual Compliance actions, structure and processes, including consistency of enforcement actions and availability of related data, (b) identifying high-priority procedural or data gaps (if any), and (c) recommending specific measurable steps (if any) the team believes are important to fill gaps.[14]

Substantive work began with the drafting of the Terms of Reference document in 2018.[1]

Findings and Public Comment[edit | edit source]

The review team submitted its draft report in September of that year.[1][15] The review team included findings regarding implementation of RDS1 recommendations. They found that eight of the RDS1 recommendations were fully implemented, seven of the recommendations were partially implemented, and one recommendation was not implemented.[15] The draft report contained 23 recommendations, with some recommendations building on or expanding RDS1 recommendations, and some directed toward new initiatives in law enforcement support, consumer trust, and data privacy issues.[15]

The impact of GDPR was considered in multiple recommendations, and the review team took pains to emphasize that their recommendations should be implemented with an eye toward flexibility and reaction to the evolving regulatory environment.[15]

The public comment period was extended into November 2018, with an eye toward submitting the final report in early 2019.[16] Public comments on the draft largely applauded the report and expressed support for its recommendations. Commenters expressed dismay that the recommendations of RDS1 had not been fully implemented, despite reports from ICANN org to the contrary.[17]

Final Report and Implementation Phase[edit | edit source]

The review team submitted its final report in September 2019.[1] It largely maintained the structure and content of the recommendations in the draft report.[18]

The final report included a separate statement from Stephanie Perrin, the review team member representing the Non-Commercial Stakeholders Group. Perrin stated that she did not want to disrupt consensus on a variety of issues discussed in the report, but that in her opinion ICANN had long ignored the advice and commentary from data protection officials from a variety of jurisdictions and organizations. In Perrin's view, the entire process of review begged the question of whether the entire structure and premise of WHOIS data collection should be scrapped.[18]

Public comment on the final report was mixed, although largely supportive of the recommendations.[19]

Following the public comment period, the ICANN board resolved to act on fifteen recommendations, placed four recommendations in a pending status while an impact statement was prepared regarding overlapping or dependent policy development processes, referred two recommendations to the GNSO, and rejected two recommendations.[20] One rejected recommendation was out of date, while the board rejected a recommendation to expand the scope of future RDS reviews on the basis that it could be prohibitively expensive, and challenging to find volunteers with the required expertise.[20] Following its common practice, the board issued a scorecard regarding the recommendations and the board's proposed response.[21]

As of April 2023, eight of the 15 recommendations have been completed. Recommendations 1.1 and 1.2, which call for a forward-looking mechanism to monitor legislative and policy developments, were already addressed by an ICANN org initiative. Recommendation 1.3, which requires demonstrating Board activity on RDS, is being addressed. Recommendation 11.2, which concerns the common interface display of information and updates, is addressed by the RDAP lookup tool and profiles. Recommendation 15.1, which calls for improvements to ICANN org's project management and implementation reports, was considered complete with the first quarterly report on Specific Reviews. Recommendations LE.1 and LE.2, which identify data gathering on RDS effectiveness for law enforcement agencies, were addressed via an EPDP Phase 2 study for the SSAD ODA. Recommendation CC.3 about funding ICANN Contractual Compliance is now part of ICANN’s budgeting and planning process.[22] Recommendation 3.1 required improvements to web information and educational materials on RDS, and so ICANN updated the registration data look-up tool and the Domain Name Registration Data Policies page. Recommendation CC.2 will be addressed through the implementation of EPDP Phase 1 – Registration Data Policy for gTLDs with publication of the Registration Data Policy in Q2 2023. Recommendation 3.2 will begin as soon as the dependency on outcomes of the EPDP has been resolved. Two recommendations, 10.2 and 12.1, cannot be prioritized or implemented because of the subsequent review team's work (RDS3) and until the next ATRT determines future RDS reviews. Recommendation SG.1 will be implemented through a gap analysis in Q2 2023. The Board also directed ICANN org to include an element for gTLD domain names suspended due to incorrect RDS contact data in contract negotiations, in response to Recommendation 4.1.[23]

References[edit | edit source]