ICANN and GNSO Council will meet to discuss the future of SSAD.
Today, the ICANN board and the Generic Names Supporting Organization (GNSO) Council will meet to discuss ICANN’s first-ever Operational Design Assessment for the proposed System of Standardized Access/Disclosure (SSAD). The SSAD could end up being the post-GDPR successor to Whois access. The meeting is scheduled for 21:00 UTC, and people can register to attend on Zoom.
As anyone who has checked a Whois record lately knows, GDPR has substantially limited the availability of domain registration data. While GDPR protects citizens within the EU, its reach is effectively global, with most registrars now blocking personal information in Whois.
In response to GDPR, ICANN issued a Temporary Specification in 2018 for registrars so they could continue to collect Whois info but also be compliant under the new privacy regulation by blocking access to it.
Most registrars have used proxy and privacy services to shield registration data. Some registrars simply block the data and note that it’s blocked because of GDPR. A 2021 study (pdf) by Interisle, sponsored by Microsoft, Facebook, and consumer protection organizations like the Anti-Phishing Working Group, noted that:
At present, only 13.5% of domains have an actual registrant identified in WHOIS. Registrars and registry operators have used ICANN’s post-GDPR policy to redact contact data from 57.3% of all domains. Adding proxy-protected domains, this means that 86.5% of registrants cannot be identified via WHOIS.
For domain buyers, this means difficulty undertaking due diligence. For domain journalists, it means difficulty doing research.
When ICANN adopted the Temporary Specification in 2018, it asked the GNSO to launch an expedited policy development process to come up with a system for registration data access. (While it undertook its work, some registrars created their own system.) The result was a series of recommendations for creating SSAD, a centralized clearinghouse for data requests that refers them to registrars for resolution. The process creates an audit trail that, in theory, would allow ICANN’s Contractual Compliance department to review and respond to complaints concerning non-responsive registrars.
However, as ICANN board chair Maarten Botterman noted in a letter (pdf) to GNSO leadership this week, “There is no guarantee that SSAD users would receive the registration data they request via this system.” That’s because the SSAD, as proposed, does not compel registrars to provide anything more than proxy data or extremely limited information if the registrant is using a privacy service.
Oh, and the new system comes with a hefty price tag. ICANN estimates it would cost $20-$27 million to build and anywhere from $14-$106 million a year to run, depending on usage levels. Clearly, there’s little agreement about how many requests the system would receive. It reminds me of the Trademark Clearinghouse for new top level domains. Actual usage was far below what was anticipated.
So today’s meeting between the board and the GNSO Council will be an important moment for the future of Whois data access. If SSAD moves to the next phase, don’t get too excited. ICANN estimates it will take 5-6 years to build and implement it.