ICANN and the Whois: no more admin-c?
After the internet community had struggled in vain for years to come up with a privacy-friendly Whois policy, ICANN introduced a temporary solution on 25 May 2018 (GDPR D-Day). Under the 'temporary specs' , the number of Whois fields that gTLD registries and registrars are required to show was greatly reduced, pending a permanent agreement. At the same time, an 'expedited policy development process' was launched, which had to yield a definitive solution within a year. It should be stressed that the arrangements described apply only to gTLDs (.com, .hotel, .amsterdam, etc); country-code TLDs such as .nl define their own rules.
A uniform global solution is wanted soon
Given the size of the undertaking, the many competing interests at stake, and the need for a solution to be global and to at least satisfy the GDPR requirements, the prospects for the one-year 'deadline' being met don't look good. And, if the deadline is missed, the old rules will come back into force. That implies everyone being obliged to resume publication of the full range of Whois data. However, full publication would put European registries in breach of the GDPR, and is therefore unenforceable by ICANN. So, if a permanent solution isn't ready on time, the situation is liable to become chaotic.
The ICANN working group with the unenviable task of tackling this issue recently released its first interim report. The working group is addressing three central questions:
What data should registrars and registries record for each registered domain name?
What data should registrars and registries make public by means of a Whois service?
What data should registrars and registries share with, for example, investigative authorities, internet security agencies and bodies that protect intellectual property rights?
In order to answer those questions, various subordinate and ancillary issues are being considered as well.
Solution still appears remote
With everyone anxious to avoid disorder, the working group is under a lot of pressure to come up with a solution. Unfortunately, the first interim report does not inspire confidence, since the working group is apparently still wrestling with the first question: what data can/should we record? One of the few points on which there is currently consensus is that the admin-c (administrative contact) should no longer be recorded. It seems that the gTLD world sees that role as redundant.
What about the admin-c in .nl?
Within .nl, the admin-c has historically been viewed rather differently. SIDN regards the admin-c as the person who represents the registrant vis-a-vis SIDN on matters concerning the registration. In practice, the admin-c is by no means always the registrant. So we send all system messages about the domain name -- e.g. confirmations of cancellations and registrant changes -- both to the registrant and to the admin-c's e-mail address. In fact, until the middle of 2010, SIDN didn't even record registrants' e-mail addresses or phone numbers. We didn't need that information, because we communicated with the registrant only through the registrar and the admin-c.
Someone besides the registrant can act as the contact for a domain name
One of the reasons why the registrant's contact details weren't originally recorded was probably that a registrant is sometimes not a person, but a legal entity. In such cases, it's useful to have details of the person or department who can act as the contact for the domain name. Another possible reason is that not all registrants fully understand how domain name registrations work. The existence of a separate admin-c role enables less expert registrants to nominate someone else to handle administrative matters relating to the registration. In other words, having an admin-c is helpful to registrants. And more knowledgeable registrants can always act as their own admin-cs -- often the most straightforward arrangement.
The point is worth making that the question as to whether a registrar should be required to record admin-c data is no longer a privacy issue. Existence of the admin-c role merely gives the registrant the option of nominating someone else to act as the contact for the domain name. There is no obligation to do so.
It's important that the registrant can be reached by others
Of course, it is debatable whether any (and, if so, what) admin-c data should be made available in the public Whois. Where .nl is concerned, we publish only the admin-c's e-mail address, which can be something totally anonymous, such as email@example.com or firstname.lastname@example.org. Our only interest is making it possible for others to contact the registrant. We believe that the importance of enabling contact is sufficient to justify the minor privacy implications of publishing the admin-c's e-mail address.
We'll continue to monitor developments
Various alternative ideas remain on the table. We will therefore continue to monitor Whois-related developments at ICANN and in neighbouring countries. And we will continue to review our policies on the registration and publication of data in light of those developments.