Istanbul Insights: Key Outcomes from ICANN 81

Luc, our Chief Legal Officer, is back from Istanbul's ICANN 81. Amid the city's rainy days, he brought back essential updates on registration data policies, DNS abuse amendments, and WHOIS changes. Read on for the key insights and their impact on internet governance.

The New Registration Data Policy

Six years after the GDPR implementation, ICANN's Policy Development Process (PDP) has successfully completed a comprehensive registration data policy. Set to take effect in August 2025, it aims to balance compliance with data privacy laws and the core purpose of WHOIS: serving as a directory of domain name ownership.

The new policy provides registries with flexibility. They can choose to:

1. Maintain a centralised database with all registrants’ details, or

2. Limit this to a “minimum public data set” and let individual registrars manage registrant data for their respective domain names.

This choice requires registrars to adapt their platforms for each gTLD they offer. However, only 38% of registries have publicly disclosed their preferred approach, leaving many registrars uncertain and anxious. The meeting served as a platform for registrars to express their need for clarity and their preference for minimising data transfers outside the EEA - an approach EuroDNS strongly supports.

Introduction of RDRS - Registration Data Request Service

The redaction of WHOIS databases necessitated the development of a tool by ICANN to facilitate legitimate access to registrant data. The multistakeholder model, typically complex, led to the creation of a system that struggled to meet all stakeholder demands, prompting the simplification of the SSAD into a more pragmatic version, the RDRS.

Originally envisioned as a two-year pilot, the RDRS is likely to become a permanent fixture.

As a volunteer participant, EuroDNS provided valuable feedback to the standing committee in charge of it. Our critiques primarily addressed the significant limitations of the software powering this tool.

Conversely, other users offered more detailed and critical feedback, due to the frequent denials of disclosure requests by participating registrars, indicating a potential misunderstanding of the balance between privacy rights and disclosure requirements.

That said, the majority of the participants at this session were not opposed to adding ccTLDs and privacy/proxy services disclosure to this system. Such a centralised system would undeniably be a perk for access seekers and registrars, provided that its execution dramatically improves on the current version.

Privacy and Proxy Services Analysis at ICANN 81 (PPSAI)

For the first time, the PPSAI team met in person at ICANN 81, moving away from their regular bi-weekly virtual meetings. This meeting aimed to assess the relevance of recommendations made six years ago, in the early days of privacy-compliant registration policies. The session also demonstrated how privacy services are implemented in practice.

The existing recommendations differentiate between two types of services: privacy and proxy services.

In practice, there are only three main scenarios of redaction and proxy registrations, and only one of them should be subject to this policy.

1. Redacted

The first type involves redacting personal data for domain name registrations by individuals. This is a direct application of privacy rights.

The registration data will only show the registrant’s country and an email forwarding address or a contact URL.

The accreditation system is not needed here.

2. Proxy registration

Domains are registered on behalf of others. This may happen for a variety of reasons: the underlying registrant isn’t tech savvy, the registrant licenses the right to use the domain name to one or several licensees, or a lawyer holds a domain name on behalf of their client.

In all those cases, the registrar only knows the registrant information and thus cannot disclose any information beyond the registrant data they have, even if presented with an actionable request.

The accreditation system is not needed here.

3. Privacy registration

Certain registrars offer a service to customers who do not want their details listed in a public database. This service is not mandated by privacy laws and can be provided to both natural and legal persons.

As part of the service, the registrar replaces the name, address, phone number, and email address of the registrant with those of an entity directly or indirectly affiliated with them.

In this case, the registrar has access to the underlying registrant’s details and when presented with a legitimate disclosure request, they can acquiesce to it. EuroDNS offers such a service, detailed here: EuroDNS Privacy Service.

The accreditation system could be helpful here as it could impose certain standards on this service.

DNS Abuse amendments

Most avid readers of this blog will remember that EuroDNS was a member of the team that helped negotiate the DNS abuse amendments to the ICANN registrar agreement.

During the now-traditional DNS Abuse outreach session, the ICANN compliance department gave the community an overview of the impact of those amendments since their entry into force 6 months ago.

They mentioned that they received 363 unique cases involving DNS abuse, but only half were supported by actionable evidence. These figures show a great need for the education of abuse reporters, and they reinforce the CPH DNS Abuse Working Group in its endeavour to update its guide to abuse reporting.

This group is working with the Net Beacon Institute on a new, concise, clearer version in line with the DNS abuse amendments.

Of course, the figures mentioned by ICANN compliance are only the proverbial tip of the iceberg. Registrars receive and handle many more reports every day without the involvement of the ICANN compliance department.

