[Disclosure: I work for a domain registrar based in the EU, and I implemented pretty much 95% of the company's infrastructure as far as us acting as a registrar goes.]
I think there are some major misunderstandings around what ICANN are doing with WHOIS privacy.
ICANN have pretty much always required that registrants provide registrars with accurate contact information. ICANN required that registrars periodically escrow this data with an escrow provider (Iron Mountain, usually, though there are now more).
When you use registrar-provided WHOIS privacy, the registrar is still able to escrow the correct contact information. This is not the case with third-party WHOIS privacy providers. The difference now is that, due to the demands of law enforcement agencies, they're now requiring that information be validated and verified.
Third-party WHOIS privacy services always existed in a legal grey area, whereas registrar-provided WHOIS privacy did not. Even before the 2013 RAA came in, you were risking having your domain being taken from you by using a third-party provider and providing their contact information to your registrar as it meant that the registrar had inaccurate contact information and thus could not provide accurate information to the escrow provider.
Before the LEAs got all antsy about this, the WDRP emails you get from your registrar, giving you a list of domains and their WHOIS data and a warning of the consequences of providing inaccurate data, were the most ICANN required in practice. It was an honour system, and the requirement to provide accurate data - which has always been a requirement - wasn't actively enforced. All that's changing now is that ICANN are actively enforcing a part of the registrant contact they previously had been laissez-faire regarding.
The requirement on third-party WHOIS privacy providers is to normalise their situation so that they have the same requirements to record information correctly and escrow it that domain registrars already have had to do for ages. And it's not that onerous a requirement: actually implementing an EPP client is orders of magnitude more difficult than writing the code needed to do data escrow: https://www.icann.org/en/system/files/files/rde-specs-09nov0... - you can implement that in an afternoon. The accreditation process for a WHOIS privacy provider is nowhere near as horrible as it's being made out to be. All you need to do is show that you can accurately escrow data.
Everybody's so late to the party on this one. The registrar constituency in ICANN fought pretty hard against this. If you think what ICANN are requiring now is bad, the LEAs were demanding much crazier stuff during the negotiations. If you're an EU citizen or using an EU registrar, you're even better off, as EU data protection law meant that some of the requirements of the RAA were illegal in the EU, so EU-based registrars are able to get an opt-out of certain requirements of the RAA. We still do have to validate, verify, and escrow contact details associated with domains we manage, however.
> All that's changing now is that ICANN are actively enforcing a part of the registrant contact they previously had been laissez-faire regarding.
You say that like it's a small thing.
If the government suddenly started throwing all the operators of marijuana dispensaries in federal prison, you could say that all they're doing is enforcing the law, but it still represents a fundamental shift in policy.
Rules that aren't enforced don't get repealed because people care more about what happens in actual fact than what would happen on paper. Threaten to start enforcing them and you can't be surprised when the thing people want to know is not why it wasn't previously enforced but rather why such a stupid rule is still on the books.
I wrote that ICANN were laissez-faire about enforcement, not that they didn't enforce these rules. The difference is when they enforce them.
In the past, they encouraged an honour system through the use of WDRP emails. In addition, they only acted or required registrars to act when an issue was reported or noticed. I guess you could call this passive enforcement.
Now, what they're requiring is that contact details are validated and verified upon first use and subsequent changes. This would be active enforcement, and was requested by the LEAs.
The practical difference is that when you register a domain name, the registrar will attempt to make sure that your address is valid, that the email address you provide actually accepts email and you answer it, and check that the phone number you provide is valid.
I'm fully aware of the impact of all this. Even if I wasn't personally affected by it, given I own domain names, I had to implement this stuff on the technical end, and make sure that in enabling it, we wouldn't end up scheduling thousands of our customers' domains for deletion. From a purely selfish point of view, I'm all too familiar with what the impact of the change from passive to active enforcement means.
> In the past, they encouraged an honour system through the use of WDRP emails. In addition, they only acted or required registrars to act when an issue was reported or noticed. I guess you could call this passive enforcement.
In practice for anyone who isn't a wrongdoer this is also known as non-enforcement. Nobody would normally notice or care when a website operated by an innocent person has inaccurate whois data or uses a whois privacy service that will actually keep the registrant's personal information private.
You're wrong there. I know that, because unlike you, I work for a domain registrar. And let me tell you something. There are actually people there who purposely trawl WHOIS looking for invalid data, just so that they can submit WHOIS inaccuracy reports to ICANN. The ICANN compliance department is far from underworked. You should talk to some of their staff some time.
Who are they and why would they do that to innocent people?
Perhaps more importantly, how can they even tell when the data is inaccurate? I have a hard time believing that domain contacts are inclined to respond to unsolicited unprovoked third party "offers" to verify their address. Hi, can you let me know that someone is reading this so I can start sending you an unending stream of spam? Meanwhile just because you have a third party whois privacy service doesn't mean they don't faithfully forward your mail.
> All that's changing now is that ICANN are actively enforcing a part of the registrant contact they previously had been laissez-faire regarding.
All that will be changing on the data collection, verification, and escrow front, you mean? That isn't an aspect that people seem focused on at the moment. Almost everyone is focused on REVEALS and what processes will become mandatory.
We already had a requirement to reveal contact information to LEAs with just cause. At least here in the EU, we can't go revealing data to just about anybody who asks for it due to data privacy law.
'Relays' isn't a big deal. In fact, it was already a requirement for registrars to deal with registrants in the first place. After all, registrars were required to send out WDRP notices and potentially schedule a domain for deletion if those emails bounced. Moreover, registrars required valid email addresses so that domain transfers could take place and, also, so that people could be billed.
'Relays' requires that email forwarding works on the provider's side when WHOIS privacy is in place. There are other complicating factors that can cause issues here, such as SPF records for the domain that don't mention the forwarding mailserver, but that's really it.
'Reveal' is a consequence of the situation with third-party WHOIS privacy services being normalised. Up until now, you were effectively in breach of your contract with ICANN as a registrant if you used a third-party WHOIS privacy/proxy service because the registrar had invalid contact details for the registrant.
'Reveal' does not mean that just anybody will be able to ask or demand that the provider disclose the contact details behind a private registration. Most registrars have LEA liaisons who they use to validate that a request from a law-enforcement agency is genuine. If we get a legal demand to disclose details, that goes straight to our solicitors, and we would only reveal them if there's a genuine legal reason for doing so. Any other requests are invalid and, at least here in the EU, giving out the contact details of a proxy registration would be against data protection law. So no, the argument that this would be a conduit for doxxing isn't a valid one. The exact baseline requirements for the reveal process haven't been locked down yet, but they will likely be similar to what I've outlined.
You see, both of these processes are already mandatory based on other parts of the registrar-registrant relationship and existing legal requirements. The difference is that it wasn't explicitly formalised and non-registrar WHOIS privacy was a massive grey area.
I'm generally supportive of privacy providers being required to forward important communication to the registrant. I hope the finalized requirements will be sensible, and I hope there will be no attempts to equate contacting the privacy provider with having given registrants sufficient legal notice.
I, like most people, live outside the EU and lack experience with EU privacy protection laws. So it is difficult to evaluate your optimism.
Here in the USA, for example, we'd be concerned about not only LEA requests but also requests by individuals and corporations. We just don't have privacy laws that are sufficient to protect against inappropriate disclosures to such parties.
Here, and in many other places I suspect, the best case would be privacy providers voluntarily adhering to a standard where they refuse to disclose registrant information to any party unless compelled to do so by law. If language like "Disclosure cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena;" remains in the final cut, privacy providers won't be able to do this and remain accredited.