EPDP 2a: Small changes? Big impacts.

Like many things in life, the domain industry is something that seems simple at first glance but reveals itself to be really complicated when you do a little digging. There are stringent ICANN policies dictating how domain registrars and registries need to operate, and a lot of thought, discussion, and legal review goes into making even what may appear to be the smallest of changes. Why? Because a seemingly small change tends to have a large impact—to running code, operations, and registrants—and all the consequences have to be thoroughly thought through.

As the world’s largest wholesale registrar, we feel a responsibility to participate in this type of policy development work, and we do so with three goals in mind: keeping things as simple as possible for our resellers and registrants, protecting the privacy of the data with which we are entrusted, and mitigating risk for ourselves and our resellers.

Today we want to talk about our participation in the Expedited Policy Development Process for gTLD Registration Data, usually called the EPDP. It’s a prime example of how a subtle legal distinction, or small change, can have big consequences. We’ve written about the EPDP before, most recently in our ICANN70 recap blog post. The current Phase (2a) has now released their Initial Report, addressing two specific questions which came up during the Phase 1 work and were deferred to be addressed when more information was available.

The first question: should registrars and registries be required to differentiate between legal person domain owners (corporations) and natural person domain owners (real people)?

The second question: can registrars display an anonymized contact email address in the public Whois by default, either unique per domain or one which is the same for all domains owned by the same person?

Currently, registrars and registries have options: they can differentiate between legal and natural domain owners, or not, and they can provide either an anonymized email address or a web form to let people contact the domain owner via the public Whois.

Each of these questions also comes with an bonus question: what guidance can be provided to registrars and registries who do choose to differentiate or to display an anonymized email instead of a web form, so they can do so in accordance with the GDPR or other relevant data protection laws?

In classic ICANN fashion, there’s quite a lot to consider in answering these seemingly simple questions.

Let’s start with question two, whether unique anonymized emails can be displayed by default in the public registration data record. The legal advice obtained by the EPDP Team is clear that because this anonymized email is unique to a specific person and forwards through to their real email address, it does qualify as personal data, and therefore publishing it would be considered publishing personal data on the Internet. As a registrar, this means we need to determine how to protect that personal data, and how to mitigate any risks to that data; not publishing it for the world to see is a great starting point on that data protection journey.

On top of that, publishing an anonymized email isn’t actually necessary—there is already a method to contact the domain owner. As required by the Phase 1 EPDP, Tucows (like many other registrars) provides a web form that can be used to send a message to the owner of any domain on our platform. Using a web form instead of an email address means less spam for the domain owner, because bots can’t get past the CAPTCHA, and it allows registrars to cycle the URL so that it can’t be archived for ongoing use.

So what did the Phase 2a participants have to say? The Phase 1 EPDP team conclusion was that registrars and registries need to have the choice between publishing a unique anonymized email (and assuming all the related risks) or offering a web form; the Phase 2a team recommendation will likely maintain that flexibility. We’ll continue to offer the webform by default, but don’t see a need for an anonymized email option; people with a legitimate need to contact the registrant can use the web form, and registrants who want to encourage people to reach out to them via email can always choose to have their own email address displayed in the public Whois. Putting the choice in the hands of the domain owner means it’s exactly where it belongs.

Now, let’s return to the first question: whether differentiation between legal and natural person domain owners should be mandatory. The extended effect of this mandatory differentiation would be the publication—by default—of a corporation’s domain registration data. This mandatory differentiation would require the registrar to take a risk. Here’s why: whenever the person type is set, there’s a chance that it will be set incorrectly. In cases where a natural person is accidentally marked as a legal person, or a natural person’s data is contained within a set marked as a legal person, then personal data would be published in the Whois record when it should instead be protected. A risk like that must only be mandatory when there’s a very strong reason for it to be. In this case, there are no such justifications.

Tucows does not differentiate between domain owners in this manner, for legal, commercial, and technical reasons. As we said above, there is quite a bit of risk in doing so. Some claim that most domain owners are legal persons, not natural ones, and so the relative risk is low, but that doesn’t hold up in our own data. In fact, when we looked at a sample of registrations, we found that only about 15% appeared to be actually owned by legal persons. Also, in many of these cases, a natural person’s data is included in the contact information, so it must still be protected under the GDPR.

Commercially, we haven’t seen any desire from our customers to make system changes requiring them to do something which is already optional; the decision is already in their hands, where it should remain. From a technical perspective, this would mean adding unnecessary complications to a currently straightforward process, again to no discernible benefit. There’s no evidence that DNS Abuse would be reduced by having more legal-person data public. Instead we find that publicly-available data is most often used for malicious purposes, which disproportionately affect individual Internet users and small businesses with fewer resources to protect themselves than big multinational organizations.

So what did the Phase 2a participants have to say? The recommendation isn’t yet final, but so far the conclusion is that there should be no change to the Phase 1 recommendation, and differentiation based on person type should remain optional for the registrar or registry.

The EPDP 2a team has also set out a series of questions for the public comment period and we look forward to seeing what the input is and if there are new ideas to help the team come to agreeable conclusions. At this point, we are relieved to see acceptable preliminary recommendations for both of these questions, but we’re also concerned that there may be further attempts in the future to reopen these decisions with a view to requiring registrars to take legal risks or process personal data in a way that benefits third parties to the detriment of domain owners.

As an industry, we need to focus on changes that will have a meaningful impact and make the Internet better, instead of just different. Sometimes the best possible outcome of a policy development process is to determine that no further changes are needed, and that’s what’s happened here: the preliminary recommendation is that no changes should be made to the outcomes from EPDP Phase 1.

The Registrar representatives on the EPDP team have published a letter going into more details about why differentiation between legal person and natural person domain owners must not become a mandatory requirement for all gTLD domain name registrars and registries. We encourage everyone to take a moment to read that letter and get a view into the complexities of this issue as well as more context for our representative team’s conclusion.