Summary of Expert Working Group on gtld Directory Services June 2014 Final Report

Transcription

1 Summary of Expert Working Group on gtld Directory Services June 2014 Final Report 1) Overview/Purpose ICANN formed an Expert Working Group (EWG) on gtld Directory Services to discuss how to replace the current WHOIS system with a next generation Registration Directory Service (RDS). Based on the deficiencies in today s WHOIS system, as identified by numerous community reports and studies, the EWG aims to design a system to support domain name registration and maintenance that (1) provides appropriate access to accurate, reliable, and uniform registration data, (2) protects the privacy of personal information, (3) enables a reliable mechanism for identifying, establishing and maintaining the ability to contact Registrants, (4) supports a framework to address issues involving Registrants, and (5) provides an infrastructure to address appropriate law enforcement needs. The EWG published its initial report (Initial Report) in June 2013, concluding that the current WHOIS model that gives every user the same anonymous public access to gtld registration data should be abandoned. This recommendation was based on past reports identifying WHOIS deficiencies and the varying stakeholders that use today s WHOIS system. Later, in November 2013, the EWG published a Status Update Report to provide more detail on the Initial Report. Then, based on the feedback received on both the Initial Report and Status Update Report, the EWG published another report in March 2014, focusing on: (1) existing cctld and commercial data validation practices, (2) existing Privacy/Proxy service provider practices, (3) exploration of organizations capable of accrediting RDS users, (4) analysis of RDS risks/benefits and costs. Some of the WHOIS deficiencies identified by the EWG 1 include (1) little accountability or ability to remedy mining and abuse given anonymous public access of all data elements, (2) limited ability to protect the privacy of individuals, (3) limited ability to ensure integrity of registration data, (4) lack of security features, (5) lack of auditing capabilities, (6) access that is not directly linked to stated legitimate purposes, (7) inconsistent WHOIS query interfaces and responses, (8) lack of support or standards for displaying internationalized registration data, (9) limited ability to apply different rules to conform to differing data privacy regimes, (10) unacceptable accuracy levels that create inefficiencies for those that want to communicate with Registrants, (11) cumbersome management process for updating contacts across multiple domain names, (12) difficulties in identifying and communicating with customers of privacy and proxy services, (13) no regulation or 1 See p118 for a chart of the WHOIS deficiencies and the corresponding links to the sections in the Report that address such deficiencies.

2 privacy or proxy services beyond the 2013 RAA requirements that apply only to Registrars and their affiliates. The Final Report is divided into the following sections: (1) the EWG mandate, purpose, and outputs, (2) users and purposes, (3) improving accountability, (4) improving data quality, (5) legal and contractual considerations, (6) improving registrant privacy, (7) possible RDS models, and (8) costs and impacts. In this Final Report, the EWG concluded that a new RDS would provide a better foundation than today s WHOIS system. Examining issues of privacy and data protection, deficiencies in the current WHOIS model, and costs, the EWG proposed several models for a new RDS system, and recommends a Synchronized Model as a replacement system. 2) Users and Purposes The EWG sought to take a clean slate approach to define a new RDS instead of proposing mere improvements to the current WHOIS system. To do this, the EWG members drafted an extensive set of actual use cases involving the current WHOIS system, analyzing them to identify (1) the users who want access to data, (2) their rationale for needing such access, (3) the data elements they need, and (4) the purposes served by such data. The EWG also used the cases to identify the stakeholders involved in collecting, storing, and providing registration data. 2 The EWG identified the main users of the existing WHOIS system, such as the general public, internet tech staff, individual internet users, internet researchers, IP owners, LEA/OpSec, business internet users, online service providers, all registrants, and miscreants. The EWG then created a table 3 to map the users to their main rationale for registration data access in specific use cases. For example, an IP owner, in a domain name user contact (use case), would want to access registration data to enable contact with a party using a domain name that is being investigated for trademark infringement. The EWG also prioritized the purposes identified for each user group to narrow the scope of permissible purposes in accessing registration data. Such permissible purposes include domain name control, DNS transparency, technical issue resolution, individual internet use, domain name research, regulatory enforcement, abuse mitigation, legal actions, domain name purchases or sales, domain name certification, and personal data protection. The EWG then analyzed the scope of tasks within each permissible purpose and the users needs for access to data. Through its analysis of RDS users and Permissible Purposes, the EWG formulated foundational principles to enable purpose-based access to registration data. Such principles include: (1) ICANN must publish a user-friendly policy that describes the purpose and permissible uses of registration data to inform Registrants why data is collected and how it will be handled and used; (2) there must be clearly defined 2 See Annex C, p126, for a detailed description of the use cases. 3 See pp21-25.

3 permissible and impermissible uses of the RDS; (3) the RDS must support defined permissible purposes; (4) the RDS must be able to accommodate new users and permissible purposes that will emerge over time; (5) the RDS must accommodate all identified permissible purposes except known malicious internet activities; (6) gtld registration data should be collected, validated, and disclosed for permissible purposes only; and (7) every Registrant must be able to access all public and gated information published in the RDS about their domain name. In its report, the EWG further identified the various stakeholders involved in the RDS in relation to collecting, storing, disclosing, and using gtld registration data, and mapped such stakeholders to their associated purposes of use. 4 The EWG found that most stakeholders are parties involved in initiating data requests or parties impacted by data disclosed. The EWG also proposed purpose-based contact principles to balance the need to contact a person or organization associated with a domain name with privacy matters. Such purposed-based contact principles include: (1) providing one Purpose-Based Contact (PBC) for every registered domain name, (2) using a Registrant s Contact ID as a default PBC ID during domain name registration, (3) activating a domain name only when a valid PBC ID is provided for every applicable purpose, (4) varying requirements for data elements that need to be collected and published for every PBC, (5) developing processes and policies to enable Registrantdesignated contacts to opt-in or out of having their IDs published as PBC IDs for domain names, and (6) allowing flexibility for PBCs to state new purposes and contact types. 5 3) Improving Accountability To improve accountability, privacy, and accuracy, the EWG recommends an RDS with a gated access paradigm instead of today s one-size-fits-all WHOIS system. With a gated access paradigm, the RDS would (1) log all access to gtld registration data, including unauthenticated access to public data elements, and access restrictions to deter bulk harvesting, (2) make sensitive data elements available to requestors that applied for and were issued credentials for RDS query authentication, and (3) audit both public and gated data access to minimize abuse and impose penalties for inappropriate use. The EWG recommends the following data element and access principles to improve accountability: (1) the RDS must accommodate purpose-drive disclosure of data elements; (2) not all data collected becomes public; (3) some public access to an identified minimum data must be available; (4) data elements that are more sensitive must be protected by gated access; (5) only data elements permissible for 4 See pp32-33 for a summary of the various stakeholders. 5 See p 39 for potential responsibilities for different PBCs.

4 a declared purpose must be disclosed; (6) data elements collected must have at least one permissible purpose; (7) each data element must be associated with a set of permissible purposes; (8) lists of minimum data elements to be collected, stored, and disclosed must be based on known use cases and a risk assessment; and (9) all Registries and Validators must store the full set of data elements they provide to the RDS. The EWG also proposed guidelines for data collection 6, data disclosure for permissible purposes, 7 data element classifications (mandatory or optional) 8, and alignment with the 2013 RAA data element names (page 56). Further, the EWG recommended principles for unauthenticated and gated data access, such as (1) creating a minimum set of data elements to be accessible by unauthenticated RDS users, (2) supporting multiple levels of authenticated data access, (3) accrediting RDS user credentials, (4) allowing non-discriminatory access, (5) deterring misuse and promoting accountability, (6) applying accreditation to requesters of gated access, (7) employing message encryption and authentication of RDS queries/responses, (8) providing a Reverse Query service to search public and gated data elements, (9) providing a WhoWas service to return historical snapshots of public and gated data elements for specified domain names, (10) supporting innovative services that make use of data elements, (11) ensuring all disclosures of gated data elements occur through defined RDS access methods, (12) accommodating the display of registration data in multiple languages, scripts and character sets, and Internationalized Domain Names (IDNs), (13) supporting future GNSO defined transliteration policies for gtlds, and (14) enabling collection and display of registration data elements in local languages. The EWG also examined whether the technical protocols used in the current domain registration systems, such as the EPP and the Registration Data Access Protocol (RDAP) that is developed by the WEIRDs group, can support the EWG s recommended design features. EWG s analysis suggests that the proposed RDS can use both the EPP and RDAP but may require a few extensions. 4) Improving Data Quality The EWG also recommends a more robust validation of Registrant data than today s WHOIS system, namely, in increasing data accuracy. To do so, the EWG suggests the following improvements: (1) the RDS should apply standard validation to all gtld registration data that would occur at the time of data collection; and (2) the RDS system should include a pre-validated Contact Directory. 6 See pp See pp See pp47-56 for a description of data element classifications and a table that details the resulting classification for each RDS data element.

5 The EWG purports that pre-validation of Registrant or other contact information is desirable for increasing the accuracy of contact information, avoiding the need to validate Registrant or other PBC contact data every time a Registrant registers a new domain name, and avoiding delays in domain registration processing. To promote the principles of data accuracy and validation, the EWG suggests providing mechanisms to allow easy use of contacts by multiple Registrants. In addition, the mechanisms should be user friendly for updating contact information. The EWG recommends the following principles for data accuracy and validation: (1) allowing contact portability and accountability by making contact management feasibly separate from domain management, (2) using Validators who manage contact databases and implement validation regimes to manage contacts, (3) associating Contact IDs with domain registrations, (4) ensuring contacts contain valid mandatory data elements, (5) controlling change management and authorization of use through the Contact Holder without burdening PBCs or Registrants, and (6) having a Contact ID with every individual block of contact data to identify both the Validator and Contact Holder. To address the aforementioned principles, the EWG further outlines specific guidelines for a pre-validation process, 9 an accuracy, audit, and remediation process, 10 an operational framework for managing Contact IDs and associating them with registration information, 11 principles for interaction with Validators and Contact Validation at the syntactic, operational, and identity levels. 12 Further, to combat impersonation, defamation, and abuse, the EWG recommends various principles for Validator interactions with Contact Holders 13 and principles surrounding contact data validation at the syntactic, operational, and identify levels. 14 The EWG also states that Contact Holder designate their contact data as unique and not be used by other Contact Holder claimants by (1) ensuring unique data include many elements of a contact set, (2) providing a mechanism for other Validators to compare a requested set of contact data against the Contact Holder s so that new Contact ID applicants do not impinge on uniquely protected data, and (3) validating the identify of any data designated as unique to prevent impersonation and denial-of-service type attacks. The EWG believes that adopting such Contact ID Management and Validation systems in the next generation RDS will improve data quality and refuse fraud and identity theft by making it more difficult for Registrants to input false data. 9 See p See pp See pp See pp See pp See pp76-78.

6 5) Legal and Contractual Considerations The EWG outlined the legal and contractual considerations relating to the new RDS. Most of these considerations surround principles found in data protection laws, such as the processing, transferring, and disclosure of personal data. The EWG also acknowledged privacy rights that extend to legal persons and entities in regard to free speech and freedom of association. The data protection principles include laws surrounding the export of data outside the jurisdiction of the individual, such as EU s data protection directive. To comply with such laws, the EWG examined Data Protection Mechanisms 15 for protecting personal data through the RDS ecosystem, that is (1) do nothing, (2) introduce mechanisms to facilitate compliant data collection and transfer, (3) introduce mechanisms, such as a basic ICANN privacy policy for the RDS, to harmonize privacy and data protection through the ICANN ecosystem, and (4) subject the entire RDS to the instrument of binding corporate rules. In assessing the four options, the EWG recommends that the option of developing a basic privacy policy for the RDS using standard contractual clauses that are harmonized with privacy and data protection laws would be the most feasible. The EWG also assessed various options for implementing data protection mechanisms, and concluded that the best option would be to adopt mechanisms that facilitate routine legally compliant data collection and transfer between actors in the RDS ecosystem, using standard contract clauses that are harmonized with privacy and data protection laws in contracts between all actors in the RDS ecosystem, and ensuring that there are two means of implementing high level data protection: using an information system to apply data protection laws and localizing RDS data storage. In regard to data access by law enforcement, 16 the EWG recommends that the RDS store data in jurisdictions where law enforcement is globally trusted. In addition, the EWG has recommended principles around contractual relationships and accountability among RDS parties. 17 6) Improving Registrant Privacy To ensure Registrant privacy with the new RDS, the EWG recommends the following principles: (1) using accredited services for general personal data protection, (2) making sure Registrants assume responsibility for the domain names they register outside domains registered via accredited privacy services, and (3) ensuring that ICANN investigates the development of a single, harmonized privacy policy that governs RDS activities. 15 See pp85-86 for a detailed analysis of the various data protection mechanism options. 16 See pp89-90 for a detailed analysis of the various law enforcement access options considered. 17 See pp91-95.

7 (a) Accredited Privacy and Proxy Service Principles Two main services that are currently offered to obscure the identity and/or address of entities using domain names are (1) a Privacy Service by which a Registered name is registered to its beneficial user as the Registered Name Holder, but reliable contact information is provided by the P/P Provider 18 for display of the Registered Name Holder s contact information in WHOIS, and (2) a Proxy Service where a Registered Name Holder licenses use of a Registered Name to the P/P customer 19 to provide the P/P customer use of the domain name, and the Registered Name Holder s contact information is displayed in WHOIS instead of the Customer s contact information. Today s privacy or proxy services, however, are not standardized as providers have no contractual relationship with ICANN and privacy and proxy service providers do not employ standard processes. This fails to address the needs of (1) relaying communication to privacy or proxy service customers, (2) revealing the identity of the licensee and direct contact detail for a proxy customer in response to domain name related complaints; such processes tend to vary, (3) unmasking the licensee s identity, and (4) turning to Registrars when requestors cannot contact a proxy service customer or get a resolution from a proxy service provider. To address domain name Registrant and stakeholders needs for more uniform and reliable Privacy and Proxy Services that provide greater accountability, the EWG recommends: (1) accreditation of Privacy and Proxy service Providers by ICANN under the 2013 RAA Specification, (2) use of accredited Privacy Services when entities and persons register domain names, (3) requirement of specific terms in a terms of service by ICANN to include that a service provider endeavor to provide notice in cases of expedited takedowns, (4) accredited Privacy Services must provide the Registrar with accurate and reliable contact details for all mandatory Purpose-Based Contacts, (5) accredited Privacy services must relay s received by a Registrant s forwarding address, (6) entities and natural persons should register domain names using accredited proxy services, (7) accredited proxy service providers have to provide the Registrar with their own name and contact details and a unique forwarding address, (8) accredited proxy service providers must assume all usual Registrant responsibilities for the domain name and accurate registration data, (9) accredited Proxy services must provide the Registrar with accurate and reliable contact details for all mandatory PBCs, (10) accredited Proxy services have to relay s received by the Registrant s forwarding address, and (11) accredited Proxy services have to respond to reveal requests in a timely manner P/P Provider is the provider of Privacy/Proxy services. See p P/P Customer refers to a licensee, customer, beneficial user, or other recipient of Privacy and Proxy Services. 20 See Annex H, p158, for details on relaying and revealing s.

8 (b) Secure Protected Credential Principles In addition to privacy and proxy service matters, some individuals and groups desire to preserve their anonymity as making their personal information available may be a threat to them. Such groups/individuals include (1) religious minorities, (2) victims of domestic abuse, (3) political opposition parties, (4) ethnic or social groups, and (5) journalists in hostile territories. Currently, there are various secure credentials such as Microsoft s U-Prove and IBM s Identity Mixer where recipients can prove various attributes without revealing their personal information by relying on recognition and authentication by a trusted authority. Using such technologies, an RDS can establish a process where at-risk entities can get a domain name that has been registered using a secure protected credential such that Registrars and Registries do not bear the risk and responsibility of identifying vulnerable individuals to their aggressors. There are risks associated with such a service, such as the inability to establish the identity of a person in a life or death situation, the limited nature of revealing information in the case of a criminal or libelous activity which requires a takedown, and instances where government agencies allege treason or crime and force Registrars to use expedited take-down for websites using domain names registered with secure credentials. Despite such risks, secure credentials would still provide more security to at-risk entities. To develop such a service, functions such as the following would need to be developed: (1) a process to establish criteria for at-risk entity eligibility for secure credentials, (2) collecting application forms, attestations, and financial systems with a focus on ensuring that the identifies of the at-risk entities are protected, (3) creating an independent review board that evaluates and approves applications for secure credentials, (4) ensuring trusted parties are willing to relay secure credential applications and domain names to the independent review board, (5) ensuring that accredited proxy service providers accept secure credentials when registering domain names, and (6) developing policies surrounding expedited take-down procedures and mitigations of DNS abuse such as including enhanced security monitoring of secure credential registered domain names. The EWG believes that its recommended data protection principles, principles for accredited Privacy/Proxy providers, and Secured Protected Credential principles will facilitate the protection of personal data. Notably, with the Secured Protected Credential principles, it will be the first time of establishing procedures to safeguard vulnerable and disadvantaged groups.

9 7) Possible RDS Models The EWG considered several models for its recommended RDS 21, relying on the principles of data collection, storage, access, and protocol. Applying these principles, the EWG considered the following models, (1) the current WHOIS system, (2) a Federated model, (3) a Synchronized RDS model (also known as the Aggregated RDS model), (4) a Regional model, (5) an Opt-out model, and (6) a bypass model. Of the models considered, the EWG recommends the Synchronized RDS (SRDS) Model. This model would resolve the WHOIS concerns about reducing consumer confusion as to how and where one can access registration data. The SRDS is an RDS that would, in near real-time, copy data received from distributed storage areas operated by Registries and Validators into a synchronized system that would aggregated and store data in a distributed architecture operated by the RDS. RDS would be the authoritative data source and would provide authoritative access, moving beyond the current RAA requirement for Registrar and Registry timeliness of updates. All requests for gated data would have to be answered by querying the RDS. The EWG suggests that the RDS would provide access to the data but the data would not be stored in a single location, instead, data would be stored in multiple locations. Registries and Validators would store their own data but the RDS can use synchronized copies of that data to process access requests. 22 Via the EPP, data is pushed to the SRDS by Validators and Registrars/Registries. 23 The SRDS provides various benefits in terms of (1) security implications, (2) jurisdictional and privacy concerns, (3) accreditation, (4) operation, (5) implementation, and (6) costs. The SRDS addresses security implications by being better able to ensure consistent security implementation and policy enforcement. Using its synchronized model with distributed architecture managed by one operator would likely produce a more uniform approach to reaching the EWG s security goals. The SRDS also satisfies jurisdictional and privacy concerns by enabling a more consistent application of rules and local privacy requirements through the administration of rules by one entity as opposed to management by over a thousand participants under different models. In terms of accreditation, the SRDS offers features to track and enforce abusers. The SRDS also offers efficiencies in operational areas such as deploying a user friendly portal to display data in multiple languages and scripts consistently, and allowing random data quality 21 See Annex F, p141, for a detailed analysis of the criteria used by the EWG in considering the possible RDS models. 22 See p112 for an illustration of the workings of the SRDS. 23 See Annex I, p162-63, for a detailed description of the RDS flowcharts illustrating data flows

10 audits. Compared to other models, the SRDS would also be more cost efficient to implement. 24 8) Costs and Impacts The EWG also analyzed the costs and impacts of implementing the new RDS system. Although current WHOIS operating costs are unknown, the EWG is confident that the new RDS will reduce the hidden costs incurred with the current inefficient and often inaccurate WHOIS system. Accordingly, the EWG proposes the following cost principles: (1) providing free access to unauthenticated public data elements, (2) subjecting authenticated access by law enforcement to authorized data elements to special cost considerations, (3) striving for cost-efficiency and minimization with the RDS design, (4) operating the RDS on a cost-recovery model, (5) creating and funding an RDS software development platform by ICANN to facilitate migration from WHOIS, and (6) preventing the software development platform from unduly burdening other RDS users. As discussed in the Improving Accountability 25 section of the report, the EWG recommends performing a widely scoped risk assessment to ensure that the RDS principles recommended do result in the appropriate collection and disclosure of data for defined purposes. The EWG has already collected a survey from over 180 parties worldwide to garner information about the risks and benefits of a next generation WHOIS replacement system. 9) Conclusion and Next Steps In conclusion, the EWG recommends abandoning the current WHOIS model that gives every user the same anonymous public access to gtld registration data. The EWG instead recommends a new RDS to ensure greater accuracy, accountability, and transparency. The EWG acknowledges several other issues that need to be addressed in the future, such as (1) creating accreditation bodies and policies for identifying who qualifies as a member of an RDS user community, (2) creating extensions to support the new RDS model and data elements, (3) undertaking a full risk and impact assessment before implementing the new RDS, (4) drafting a basic ICANN privacy policy for the RDS, (5) examining how to apply new policies to the recommended RDS based on existing policies, and (6) creating an accreditation program for Validators. 24 See Annex F, pp150-53, for a detailed cost analysis for the different proposed models. 25 See pp40-68.