ICANN Enters Final Negotiations On WHOIS Replacement After EU’s GDPR Rendered It Obsolete

It took the European Union 4 years of preparation and debate to develop the General Data Protection Regulation (GDPR) and it was finally approved by the EU Parliament in April 2016, then came into being in May 2018. But it’s taken ICANN to this week to get to the stage to enter final negotiations with its constituencies on the Registration Data Access Protocol (RDAP), a replacement to WHOIS, that was in effect rendered obsolete and not compliant when the GDPR came into being for those registrars selling gTLD domain names and gTLD registries with operations within the EU.

In letters this week to the Registries Stakeholder Group [pdf] and Registrars Stakeholder Group [pdf], ICANN’s CEO and President Göran Marby said they were ready to enter negotiations regarding the form and substance of the proposed revisions for a period of at least 90 days in an “attempt to reach a mutually acceptable agreement to the proposed revisions.” Marby writes if agreement is reached, proposed revisions will be posted on the ICANN website for public comment for no less than 30 calendar days.

Marby goes on to write ICANN and the Working Group will then consider the public comments and submit the proposed final version of the amendments for Registry Operator approval and approval by the ICANN Board. If these approvals are obtained, the amendment will become effective upon 60 days’ notice from ICANN to the Registry Operators. Going by these timeframes and the consultation required, it is reasonable to expect WHOIS to be replaced by RDAP in late 2020, or early 2021 at the latest.

Within the European Union, as Domain Pulse has previously reported, registrars such as the German EPAG were none too happy with ICANN’s proposals, a “Temporary Specification”, that applied to generic top-level domains (gTLDs). ICANN went to court at least 4 times, losing each time, as they sought to have EPAG, and all registrars, collect the registrant data that put registrars within the EU in contravention of the GDPR.

To be fair to ICANN, they had realised a replacement to WHOIS had to come eventually long before the GDPR was mooted. But discussion progressed at a snail’s pace. In a post Wednesday on the ICANN blog, Cyrus Namazi, Senior Vice President, ICANN Global Domains Division, outlined the background of the move to the replacement, called the Registration Data Access Protocol, known as RDAP. It doesn’t roll of the tongue like WHOIS does.

Outlining the change, Namazi writes “the WHOIS protocol, or Port 43, has been the standard to access domain name registration data for more than 35 years. For most of ICANN’s existence, the community has discussed issues related to registration data (or in ICANN-speak, Registration Data Directory Services, or RDDS) and over time identified limitations with the existing technology. These limitations include:

  • No standardised format.
  • Lack of support for internationalisation.
  • Inability to authenticate users.
  • Lookup-only abilities and no search support.
  • Lack of standardised redirection or reference.
  • No standardised way of knowing what server to query.
  • Inability to authenticate the server or encrypt data between the server and client.”

“The Registration Data Access Protocol, known as RDAP, was created by the technical community in the Internet Engineering Task Force (IETF) as an eventual replacement for the WHOIS protocol. RDAP enables users to access current registration data and was designed to help address the limitations of the WHOIS protocol. As we shared in February 2019, the ICANN organisation took another important step in a multi-phased approach to transition WHOIS services to RDAP by mandating that all generic top-level domain (gTLD) registries and ICANN-accredited registrars provide RDDS over RDAP in addition to WHOIS by 26 August 2019. We are now well underway with the first step of registrars and registry operators executing the technical implementation of RDAP.

“The next step is to amend the current Registry Agreement (RA) and Registrar Accreditation Agreement (RAA) to incorporate contractual requirements comparable to the WHOIS services for RDAP, such as Service Level Agreements, or SLAs. We have initiated negotiations with the gTLD Registries Stakeholder Group and the Registrars Stakeholder Group to begin this process and to define a coordinated transition from the WHOIS protocol to RDAP. ICANN will continue to communicate progress on the amendments and the transition from WHOIS to RDAP, including the plans to raise global awareness of what’s changing with the introduction of RDAP, in the coming months.”