Governments demand Whois reopened within a year
ICANN’s government advisers want cops, trademark owners and others to get access to private Whois data in under a year from now.
The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.
The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.
She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.
It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.
It strikes me as a ludicrously ambitious deadline.
Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.
The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.
IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).
Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.
Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.
The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.
Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and a bunch of its volunteer members have been swapped out.
Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.
The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.
For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.
With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.
If you find this post or this blog useful or interesting, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.
I hope that tradition is now set so the community can impose deadlines to GAC too.
If only there were some requirement for government representatives and LEAs to act on reports of crime from registrars.
In 2017, I wrote to Ms. Ismail seeking a law enforcement contact in Egypt, based on confirmed information obtained from a registrar as to the identity of a person in Egypt responsible for a site posting child abuse material.
Since Ms. Ismail was the GAC representative for Egypt, one might think she has appropriate contacts in the Egyptian government. Specifically, I wrote to her on October 4, 2017, describing the information and the method by which it was obtained, to ask:
“I would like to know if there is an appropriate authority in Egypt to whom I might provide the information we obtained”
She received that email, viewed my LinkedIn profile, and sent no response whatsoever.
In view of her apparent desire for registrars to provide this information to law enforcement, I do not know what to make of her deciding to deliberately ignore a request to provide precisely that sort of information to law enforcement in her own country.
How did you wind up getting it sorted?
I gave up. Quite obviously, if the Egyptian government’s own representative is not interested in addressing criminal activity in Egypt, then I was obviously overestimating the degree of actual concern there might be about such things, in contrast to making a public show of concern.
But for her to pretend that her government is interested in identifying criminals is a joke.
Every group is selfishly driven by their mission. There simply isn’t one group advocating for the overall interests of all, driven by a genuine need to add value to the domain name space as part to the whole of the Internet.
There just isn’t any form of curiosity or genuine care at all if it doesn’t benefit the self and/or group. Why would anyone ever think the industry will be a better place if the same folks lead it year over year, decade after decade, with the same troops behind, joking that nothing ever changes …so it would be realistic to not expect change.
Other registries like EURid from .eu can just be emailed if you need access to private whois information of a domain and if you have a legitimate interest. Everyone’s privacy is ensured and trademark lawyers have their information in no time. How hard can it be?
Just let ICANN increase the price of domains by 1 cent and use it to hire a bunch of people to answer emails.
I do not understand this demand as they already have such access right now. Just send us an email detailing their legal rights to access the data and we will comply.
If however they have no legal right to the data or no adequate safeguards to protect the data, they would not get the data in a new whois system either.
The EU commission was very clear in their letter to ICANN this month: Data access is ok, but it must be justified in every single case.
No more drinking from the fire hose, pick up your ordered drinks at the bar.
I think the problem is that there are no standards in place. Different registrars will have different views on what constitutes legal rights and will have different reporting requirements.
I think the truth here is a bit more complex. As you say, what constitutes legal rights? Add John Berryhill’s comments above.
Now add the recent IC3 report. Gary Warner did a brilliant summary and analysis of some of the numbers here: https://garwarner.blogspot.com/2019/04/ic3gov-bec-compromises-and-romance.html
The GDPR was meant to protect consumer privacy. If we have a system where somebody can buy a domain for a year, sometimes discounted to less than a dollar, then defraud consumers with it and law enforcement does not do anything, what do we do?
At this stage the ball is in the LEA court. But then again they are massively overwhelmed. “A 5 minute crime can take 3 years to prosecute” – the words of an Interpol member. A simple MLAT can take 6 months. So can we blame them if they are overwhelmed?
Many registrars claim they will not allow their services to be abused. Some live up to this, some don’t. The latest game is to insist on a court order for GDPR hidden WHOIS despite clear evidence of abuse. Just like proxies.
Refer to this lovely can of worms: https://blog.aa419.org/2019/02/04/what-protection-does-icann-offer-the-consumer/ – so the GDPR is now used as an excuse where the previous un-hidden WHOIS was fake to begin with? Complain at ICANN?
At another registrar the .US ccTLD (even though not an ICANN issue) gives us some insight as to what passes as acceptable for WHOIS. Yet for their other discounted domains they dish out free proxies. At a similar registrar anything goes, no details verified (already at ICANN Complaints office since Aug last year after Compliance considered totally junk WHOIS to be a content issue).
This leads to situations such as where the Reserve Bank of India can be spoofed over a hundred times with different domains, targeting consumers where law enforcement is not too efficient.
While commerce and government spend billions to protect themselves, fail and may have a reason to complain, ordinary consumers are the real losers in the whole GDPR-WHOIS debacle.
For those in Europe trying to make this off as US/Third World problems, search our database for Beninloan – Europe is squarely in the sights of criminals, each incident also leading to identity theft and privacy loss. While the GDPR may be great to protect consumers at legitimate businesses, the effect is devastating on consumers when it comes to fraud and the GDPR as implemented in the ICANN system.
So WHOIS or RDAP is not only important to consumers, it’s rather vital.
We need anonymity! Not for the bad, but for the good of the world. Sure the bad will still have it – but protecting the good is more important!
Do you perhaps also not mean privacy?
How do you give the good anonymity or privacy without giving the bad the same?
Also, what stops a bad actor in the DNS system from abusing the DNS system to deprive innocent people of their anonymity? Imagine buying at an online business and dealing in good faith, only to find out it’s a scam. What will stop your details from being stolen and abused? One bad domain can massively compromise the privacy of many people. An impressum on a website? How do you know it’s the real website or not a spoof? Many countries do not give access to company registration details. These are real world problems we see every day.
Just for fun, I’m currently looking at a website hosted on a malicious domain that has defrauded 271 people in a jurisdiction where law enforcement is not very mature, the malicious actor in another country. Previously the same content has also been used on two other domains. The content itself is claiming to be a bank – all very professional, stolen from a well known German bank. How would we stop this? The cost of the domain <$10. The cost of investigation, financial losses and loss of privacy to people who can ill afford it massive. This is a daily occurrence.