Hi Alan, Thanks for your reply. However, Rec #10 is in direct conflict with Rec #6, as Rec #10 says "redaction ***MUST*** be applied as follows". Furthermore, as you correctly not, there's no timeline, even if registrars do allow non-redaction via Rec #6 (which I think many/most will not, because Rec #10 gives the registrars justification to ignore Rec #6). It's been 9 months since May 25, 2018, and my WHOIS is completely redacted at one of the largest registrars, along with tens of millions of domains owned by other registrants (see WHOIS for leap.com, math.com, school.com, etc.) at other registrars. "Commercially reasonable" in Rec #6, without a firm deadline, will be read as a de facto "never". Rec #6 doesn't even say what that "additional contact information" is (some will say it's just the email address, whereas many registrants will want the full "classic WHOIS", i.e. what it has always been pre-GDPR, which proves they're the owner of their own domains. I know the EPDP working group members have been working hard against a deadline, but this report seems slapped together at the last minute with obvious shortcomings that will persist and likely never be corrected by any future policy working group. It's better to "get it right" rather than "do it fast", in my opinion. We risk another RegisterFly fiasco, if we don't get this right. Failing this, ICANN should work towards changing the entire registrar accreditation process, to allow boutique "mini registrars" (i.e. kind of like .BRAND gTLD registries) to be established, where the "mini registrar" owns all of their own domains at that registrar, without any 3rd-party customers, with appropriate restrictions and accommodations (e.g. no access to "batch pool" for expired domains, more reasonable turnaround time for compliance, etc.). That boutique registrar would then be able to fully publish their own full WHOIS, and not be subject to the whims of the current contracted parties, who are over-applying GDPR and removing choices for registrants. By adding suitable restrictions, such boutique registrars could be lower cost (lower accreditation fees, etc.), and also force the registrars (and ICANN in general) to actually listen to the concerns of registrants, lest those registrants move their domains to their own self-operated boutique registrars. Sincerely, George Kirikos 416-588-0269 http://www.leap.com/ On Fri, Feb 15, 2019 at 9:42 AM Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Thanks George.
Rec #6 requires that registrars must give registrants the choice of publishing contract details but there is no timeline when this will be done. So registrars could delay.
Alan
At 14/02/2019 08:54 PM, George Kirikos wrote:
Hi Alan,
I have strong concerns that the current recommendations are anti-choice, namely that they prevent registrants from even consenting to publication of their full contact detail (i.e. all the contact details that have historically been in the WHOIS).
According to the Feb 11, 2019 draft version at:
https://community.icann.org/display/EOTSFGRD/g.+Draft+Final+Report
recommendation #10 forcibly redacts the registrant Name, Street, Postal Code, Phone, Fax (which is completely missing in the table!). Email is also redacted, subject to recommendation #13. Footnote 16 says it can be replaced by a form or anonymized email, but that suffers from the issues I pointed out at:
https://mm.icann.org/pipermail/cpwg/2019-February/000853.html
Now, Recommendation #13 also refers to "Recommendation X" (non-existent!) which would allow the Registered Name Holder to provider consent for publication of just its email address. However, that doesn't seem to allow the registrant to consent to publication of *ALL* of its contact details (i.e. name, phone number, fax, full mailing address, etc.).
Many registrants *want* that fully published, and these recommendations take away that choice from the registrant.
The same issue exists for the tech contact. Some folks want that separate contact's full info to be collected and published, but aren't going to be able to even consent to that (again, it just says "Yes" for "Redacted", without the footnote to consent to publication). That secondary contact point is going to be useful if the primary contact has downtime, becomes invalid, is on vacation, or is otherwise unavailable. With just 1 visible contact, it creates a single point of failure, if communications are missed.
In essence, these recommendations are overapplying the GDPR (e.g. to non-persons, and to those outside the EU), *even* if the registrant wants to fully consent to full publication of their own data (Rec #17 shows that overapplication). It takes a "father knows best" approach, to disregard the registrant's own wishes and doesn't give them the opportunity to consent, to exercise their own choices. By all means, if someone wants to not publish their data, respect that choice. But, those who *do* want to publish their data are totally disrespected by the current recommendations.
Folks have many legitimate reasons for wanting to fully publish their own data, including not wanting their communications to be intercepted by the registrar, and also to be able to openly demonstrate that they own their domains! The WHOIS is supposed to be the authoritative record of domain ownership (simply putting the data on the website associated with a domain name is *evidence* of ownership, but isn't *proof* -- the WHOIS is the proof; e.g. the website or nameservers can be hacked, and have false info in the "evidence", but the WHOIS itself should always show the true owner).
The text of the recommendations is also open to interpretation, which is unwise. e.g. on page 40 it says openly:
"The Team could not come to agreement on this issue and as such no recommendation is included in this Final Report in relation to whether optional also means, optional or required for the registrar to offer."
i.e. if one can't even agree on what the recommendations *say*, that's just wishy-washy, and doesn't help anyone. Recommendations should have clarity, not purposeful ambiguity.
By forcing more info to be private (even against the wishes of the registrant), this will erode the trust of the entire DNS.
BTW, for Recommendation #16, one might want to mention that registrars routinely accurately determine the location of registrants, in order to make sure that the correct sales tax is charged to them. I'm not too concerned about loss of thick WHOIS (.com has proven that thin WHOIS can work).
Copying the message originator (on page 2 of the draft letter) isn't going to work, as it would *enable* spam (unless the originator is somehow verified in advance). This was pointed out in the first paragraph of:
https://mm.icann.org/pipermail/cpwg/2019-February/000853.html
Sincerely,
George Kirikos 416-588-0269 http://www.leap.com/
On Thu, Feb 14, 2019 at 7:28 PM Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
As discussed on the CPWG call yesterday, attached please find the
draft statement to be attached to the report.
I believe that it addresses all of the issues we discussed and
for which there was general concern. As decided, we will support the overall report, but note that some of the particular recommendations do not have our support. Others we will support but nevertheless have concerns.
The lack of focus on public interest issues puts into question
whether Phase 2 will suitably address access and other issues.
THIS STATEMENT MUST BE SUBMITTED BY THE END OF FRIDAY. Please
make any comments with utmost urgency.
Maureen tells me that she will issue a VERY SHORT Consensus Call
tomorrow, to complete prior to the submission deadline.
WORD and PDF formats are attached.
Alan _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg