Panic stations as Europe plays hardball on Whois privacy
Hopes that Whois records will continue to be available to broad sections of the internet community appeared dashed this week as European data protection heads ripped holes in ICANN’s plan for the industry to comply with the General Data Protection Regulation.
ICANN CEO Goran Marby warned that Whois faces imminent fragmentation and expressed disappointment that authorities have basically ignored his repeated requests for a moratorium on GDPR enforcement.
The Article 29 Working Party, made up of the heads of data protection authorities of EU member states, told ICANN this week that its so-called “Cookbook” compliance plan is nowhere near detailed enough.
In a letter (pdf), it also strongly hinted that intellectual property interests have little hope of retaining access to Whois contact information after GDPR comes into effect next month.
Any notion that WP29 might tell ICANN that the Cookbook was an over-reaction to GDPR, eschewing too many data elements from public records, was firmly put to bed.
Instead, the group explicitly supported ICANN’s plan to replace email addresses in the public Whois with anonymized addresses or a web-based registrant contact form.
It said it “welcomes the proposal to significantly reduce the types of personal data that shall be made publically [sic] available, as well as its proposal [to] introduce alternative methods to contact registrants”.
It also approved of the plan for a “layered” access plan, under which some entities — law enforcement in particular — would be able to access private contact information under an accreditation program.
But WP29 pooh-poohed the idea, put forward by some in the trademark community, that access to Whois could be restricted merely with the use of an IP address white-list.
It warned that the purposes for such access should be explicitly defined and said that what can be accessed should be tightly controlled.
WP29 does not appear to be a fan of anyone, even accredited users, getting bulk access to private Whois data.
While the group endorsed the idea that law enforcement agencies should be able to access Whois, it failed to provide similar comfort to IP interests, security researchers and other groups with self-declared “legitimate interests” in the data.
In what I’m reading as a veiled attack on the IP lobby, the WP29 letter says:
ICANN should take care in defining purposes in a manner which corresponds to its own organisational mission and mandate, which is to coordinate the stable operation of the Internet’s unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.
While it would be fairly easy to argue that giving access to security researchers contributes to “stable operation of the Internet’s unique identifier systems”, I think it would be considerably harder to argue that giving trademark owners an easy way to pursue suspected cybersquatters does the same.
In short, the letter clarifies that, rather than complying too much, ICANN has not gone far enough.
WP29 also roundly ignored ICANN’s request for an enforcement moratorium to give the community enough time to come up with a compliance policy and the industry enough time to implement it, irking ICANN into threatening legal action.
Marby said in a blog post yesterday:
Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.
He said that the WP29 statement puts ICANN at odds with the consensus advice of its Governmental Advisory Committee — which, it should be noted, includes the European Commission and most of the EU member states.
The GAC has told ICANN to “Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible” and to reconsider its plan to remove registrant email addresses from public records.
That’s how stupid the situation has become — the same governments telling ICANN to retain email addresses are also telling it to remove them.
Outside of Europe, the United States government has been explicit that it wants Whois access to remain available.
Marby said that an ICANN delegation will attend a meeting of the WP29 Technology Subgroup in Brussels on April 23 to further discuss the outstanding issues.
In a quick response (pdf) to the WP29 letter, he warned that a fragmented Whois and the absence of a moratorium could spell doom for the smooth functioning of the internet.
We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.
Reaction from elsewhere in the community has so far comprised variations of “told you so” and hand-wringing about the impact after May 25.
Michele Neylon, head of the registrar Blacknight, blogged that the letter signaled “game over” for the public Whois.
“Come the end of May, public whois as we know it will be dead,” he wrote.
Academic Farzaneh Badii, executive director of the Internet Governance Project and a leading figure in ICANN’s non-commercial users community, blamed several factors for the current 11th-hour predicament, but mainly the fact that her constituency’s lobbying was ignored for so long.
“The Noncommercial Stakeholders Group was the broken record that everyone perceived as not worth paying attention to. But GDPR got real and ICANN has to deal with it,” she wrote.
Matt Serlin of the IP-centric registrar Brandsight wrote that the letter was “predictable” and said:
The WHOIS system, as it has been known for two decades, will cease to exist. Unfettered access to registration information for gTLDs is simply not going to be possible going forward after May 25th. Yes, there are still questions as to what the final model ICANN puts forth will be, but it will certainly drastically change how WHOIS will function.
Serlin held out some hope that the unspecified legal action Marby has floated may go some way to extend the May 25 GDPR enforcement date.
The community awaits Marby’s next update with bated breath.
Surely this is relatively easy to deal with?
1) Less than 7% of the world’s population is in the EU
2) Only a small percentage of those names are registered to individuals for personal websites. (The vast majority are registered for either speculative or commercial purposes)
3) The picture is further narrowed down by EU citizens choosing to use Non EU registrars.
So we are talking about a small percentage of the domains.
For this small percentage of domains there are 2 issues:
(1) Domains already registered
(2) New domains registered after the 24th May 2018
New domains are easy: Simply require future registrants to agree to
(a) Have their data exported outside the EU and
(b) Either have their data published in the WHOIS or agree to use an accredited Privacy Provider.
This is a single tick box on the registrar’s site.
Existing names require a similar consent. Registrants have to confirm their WHOIS details already, so there are tools already that could be modified to get this kind of consent.
This narrows the number of affected domains even further
(1) People who consent
(2) People who do not give their consent.
This will be a very small percentage of the total domains, probably less than 1%.
Simply explain to these people that WHOIS (with or without accredited privacy) is part of the bargain for being able to publish information on the net using an ICANN domain registration. And if they do not agree then it will not be possible to renew their domain and it will not be possible to export their data outside the EU for escrow purposes etc.
Finally, place a default non-consent notice in the WHOIS, the majority of which will be gone within a year. This is a relatively small price to pay to combat people who want to make a single variable change to complex systems without understanding the consequences because they are more concerned with feeling good for ideological reasons.
Some misinformation about GDPR keeps being repeated. First of all, for registries and registrars with a presence in Europe, it applies to all their records, not only to citizens of the EU.
Second, consent under GDPR needs to be freely given; denying service on the grounds of not consenting to data processing by third parties is not allowed.
Ideology is not at play here; abiding by the law is.
Agreed, the applicability of GDPR is tied to the location of the Data Controller and Processor rather than the Subject. The important point is, it only applies to a very small percentage of all domain names.
GDPR requires granular consent. If escrow is an option, as long as the consent is freely given, informed and unambiguous, why should requiring consent for escrow be problematic?
GDPR also applies to any business that has an establishment in the EU. Since GoDaddy has owned Host Europe Group since 2016, GDPR applies to all GoDaddy registrations. So actually the majority of domain names will be under the GDPR umbrella.
Thanks Ruben, it was wrong to say it only affects a small percentage of domains. You’re right the GoDaddy EU subsidiary corporate structure makes the volume of names owned by natural persons caught under GDPR much larger.
Thinking about this, it may be better/easier to just update the WHOIS to c/o the registrar and use its address/contact details for all of the registrants that don’t respond.
That way the registrar will be aware of any problems or issues and will be able to pass the info on to the registrant should they so wish.