Irony alert! Data protection agency complains it can’t get access to private Whois data
A European data protection authority has complained to ICANN after a registrar refused to hand over one of its customers’ private Whois records, citing the GDPR data protection regulation, according to ICANN.
Compounding the irony, the DPA wanted the data as part of its probe into an alleged GDPR violation at the domain in question.
This is the frankly hilarious scenario outlined in a letter (pdf) from ICANN boss Göran Marby to Andrea Jelinek, chair of the European Data Protection Board, last week.
Since May 2018, registrars and registries have been obliged under ICANN rules to redact all personally identifiable information from public Whois records, because of the EU’s General Data Protection regulation.
This has irked the likes of law enforcement and intellectual property owners, who have found it increasingly difficult to discover the identities of suspected bad actors such as fraudsters and cybersquatters.
Registrars are still obliged to hand over data upon request in certain circumstances, but the rules are vague, requiring a judgement call:
Registry and Registrar MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.
While an ICANN working group has been attempting to come up with a clearer-cut set of guidelines, administered by a central body, this so-called SSAD (System for Standardized Access/Disclosure) has yet to come to fruition.
So when an unidentified European DPA recently asked a similarly unidentified non-EU registrar for the Whois data of somebody they suspected of GDPR violations, the registrar told it to get stuffed.
It told the DPA it would “not act against a domain name without any clear and unambiguous evidence for the fraudulent behavior” and said it would respond to legal requests in its own jurisdiction, according to ICANN.
The DPA complained to ICANN, and now ICANN is using that complaint to shame the EDPB into getting off the fence and providing some much-needed clarity about when registrars can declassify Whois data without breaking the law.
Marby wrote that registrars are having to apply their “subjective judgment and discretion” and will most often come down on the side of registrants in order to reduce their GDPR risk. He wrote:
ICANN org would respectfully suggest to the EDPB that a more explicit recognition of the importance of certain legitimate interests, including the relevance of public interests, combined with clearer guidelines on balancing, could address these problems.
…
ICANN org would respectfully suggest to the EDPB to consider issuing additional specific guidance on this topic to ensure that entities with a legitimate interest in obtaining access to non-public gTLD registration data are able to do so. Guidance would in particular be appreciated on how to balance legitimate interests in access to data with the interests of the data subject concerned
ICANN and the EDPB have been communicating about this issue for a couple of years now, with ICANN looking for some clarity on this largely untested area of law, but the EDPB’s responses to data have been pretty vague and unhelpful, almost as if it doesn’t know what the hell it’s doing either.
Will this latest example of the unintended consequences of GDPR give the Board the kick up the bum it needs to start talking in specifics? We’ll have to wait and see.
ICANN board talking GDPR “litigation”
ICANN’s board of directors is meeting today to discuss its “litigation strategy” concerning the General Data Protection Regulation, the EU privacy legislation due to make Whois unrecognizable come Friday.
Those two words are basically the only item on its agenda for a special board meeting today.
I’ve been unable to squeeze any further information out of ICANN, but I can speculate about a few different things it could mean.
The first thing that springs to mind is a blog post by CEO Goran Marby dated April 12, in which he wrote:
Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.
To my knowledge, no additional information on this “legal action in Europe” has ever been released.
Could ICANN be ready to take a data protection authority to court preemptively, as a test case to insulate the industry against enforcement action from DPAs? Your guess is as good as mine at this stage.
Another possibility, still in speculative territory, is that the board will be discussing the many calls from the industry for some kind of legal or financial indemnification against GDPR-related regulatory actions. I’d assign a relatively low probability to that idea.
A third notion that springs to mind, slightly more realistically, is that the board could simply be discussing how ICANN would defend itself from incoming litigation related to its GDPR response.
It usually takes ICANN a few days to post the results of its board meetings, but on important hot topics it’s not hugely unusual to see same-day publication.
ICANN flips off governments over Whois privacy
ICANN has formally extended its middle finger to its Governmental Advisory Committee for only the third time, telling the GAC that it cannot comply with its advice on Whois privacy.
It’s triggered a clause in its bylaws used to force both parties to the table for urgent talks, first used when ICANN clashed with the GAC on approving .xxx back in 2010.
The ICANN board of directors has decided that it cannot accept nine of the 10 bulleted items of formal advice on compliance with the General Data Protection Regulation that the GAC provided after its meetings in Puerto Rico in March.
Among that advice is a direction that public Whois records should continue to contain the email address of the registrant after GDPR goes into effect May 25, and that parties with a “legitimate purpose” in Whois data should continue to get access.
Of the 10 pieces of advice, ICANN proposes kicking eight of them down the road to be dealt with at a later date.
It’s given the GAC a face-saving way to back away from these items by clarifying that they refer not to the “interim” Whois model likely to come into effect at the GDPR deadline, but to the “ultimate” model that could come into effect a year later after the ICANN community’s got its shit together.
Attempting to retcon GAC advice is not unusual when ICANN disagrees with its governments, but this time at least it’s being up-front about it.
ICANN chair Cherine Chalaby told GAC chair Manal Ismail:
Reaching a common understanding of the GAC’s advice in relation to the Interim Model (May 25) versus the Ultimate Model would greatly assist the Board’s deliberations on the GAC’s advice.
Of the remaining two items of advice, ICANN agrees with one and proposes immediate talks on the other.
One item, concerning the deployment of a Temporary Policy to enforce a uniform Whois on an emergency basis, ICANN says it can accept immediately. Indeed, the Temporary Policy route we first reported on a month ago now appears to be a done deal.
ICANN has asked the GAC for a teleconference this week to discuss the remaining item, which is:
Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;
Basically, the GAC is trying to prevent the juicier bits of Whois from going dark for everyone, including the likes of law enforcement and trademark lawyers, two weeks from now.
The problem here is that while ICANN has tacit agreement from European data protection authorities that a tiered-access, accreditation-based model is probably a good idea, no such system currently exists and until very recently it’s not been something in which ICANN has invested a lot of focus.
A hundred or so members of the ICANN community, led by IP lawyers who won’t take no for an answer, are currently working off-the-books on an interim accreditation model that could feasibly be used, but it is still subject to substantial debate.
In any event, it would be basically impossible for any agreed-upon accreditation solution to be implemented across the industry before May 25.
So ICANN has invoked its bylaws fuck-you powers for only the third time in its history.
The first time was when the GAC opposed .xxx for reasons lost in the mists of time back in 2010. The second was in 2014 when the GAC overstepped its powers and told ICANN to ignore the rest of the community on the issue of Red Cross related domains.
The board resolved at a meeting last Thursday:
the Board has determined that it may take an action that is not consistent or may not be consistent with the GAC’s advice in the San Juan Communiqué concerning the GDPR and ICANN’s proposed Interim GDPR Compliance Model, and hereby initiates the required Board-GAC Bylaws Consultation Process required in such an event. The Board will provide written notice to the GAC to initiate the process as required by the Bylaws Consultation Process.
Chalaby asked Ismail (pdf) for a call this week. I don’t know if that call has yet taken place, but given the short notice I expect it has not.
For the record, here’s the GAC’s GDPR advice from its Puerto Rico communique (pdf).
the GAC advises the ICANN Board to instruct the ICANN Organization to:
i. Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible;
ii. Provide a detailed rationale for the choices made in the interim model, explaining their necessity and proportionality in relation to the legitimate purposes identified;
iii. In particular, reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;
iv. Distinguish between legal and natural persons, allowing for public access to WHOIS data of legal entities, which are not in the remit of the GDPR;
v. Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;
vi. Ensure that limitations in terms of query volume envisaged under an accreditation program balance realistic investigatory crossreferencing needs; and
vii. Ensure confidentiality of WHOIS queries by law enforcement agencies.
b. the GAC advises the ICANN Board to instruct the ICANN Organization to:
i. Complete the interim model as swiftly as possible, taking into account the advice above. Once the model is finalized, the GAC will complement ICANN’s outreach to the Article 29 Working Party, inviting them to provide their views;
ii. Consider the use of Temporary Policies and/or Special Amendments to ICANN’s standard Registry and Registrar contracts to mandate implementation of an interim model and a temporary access mechanism; and
iii. Assist in informing other national governments not represented in the GAC of the opportunity for individual governments, if they wish to do so, to provide information to ICANN on governmental users to ensure continued access to WHOIS.
Marby ponders emergency powers to avoid fragmented Whois
ICANN could invoke emergency powers in its contracts to prevent Whois becoming “fragmented” after EU privacy laws kick in next month.
That’s a possibility that emerged during a DI interview with ICANN CEO Goran Marby yesterday.
Marby told us that he’s “cautiously optimistic” that European data protection authorities will soon provide clear guidance that will help the domain industry become compliant with the General Data Protection Regulation, which becomes fully effective May 25.
But he said that a lack of such guidance will lead to a situation where different companies provide different levels of public Whois.
“It’s a a high probability that Whois goes fragmented or that Whois will be in a sort of ‘thin’ model in which very little information is collected and very little information is displayed,” he said. “That’s a sort of worst-case scenario.”
I should note that the interview was conducted yesterday before news broke that Afilias has become the first major gTLD registry to announce its Whois output will be essentially thin — eschewing all registrant contact data — from May 25.
Marby has asked European DPAs for two things.
First, guidance on whether its “Cookbook” proposal for a dramatically scaled-back, GDPR-compliant Whois is in fact GDPR-compliant.
Second, an enforcement moratorium while registries and registrars actually go about implementing the Cookbook.
“If we don’t get guidance that’s clear enough, we will see a fragmented Whois. If we get guidance that is clear enough we can work it out,” Marby said.
A moratorium could enable Whois to carry on in its current state, or something close to it, while ICANN goes about creating a new policy that fits with the DPA’s guidance.
If the DPAs refuse a moratorium, we’re looking at a black hole of indeterminate duration during which nobody — not even law enforcement or self-appointed trademark cops — can easily access full Whois records.
“It’s not something I can do anything about, it’s really in the hands of the DPAs,” Marby said. “Remember that it’s the law.”
While ICANN has expended most of its effort to date on creating a model for the public Whois, there’s a parallel effort to create an accreditation program that would enable organizations with “legitimate purposes” to access full, or at least more complete, Whois records.
It’s the IP lawyers that are driving this effort, primarily, terrified that their ability to hunt down cybersquatters and bootleggers will be diminished come May 25.
ICANN has so far resisted calls to endorse the so-called “Cannoli” draft accreditation model, with Marby publicly saying that it needs cross-community support.
But the organization has committed staff support resources to discussion of Cannoli. There’s a new mailing list and there will be a community conference call this coming Friday at 1400 UTC.
Marby said that he shares the worries of the IP community, adding: “If we get the proper guidance from the DPAs, we will know how to sort out the accreditation model.”
He met with the Article 29 Working Party, comprised of DPAs, last week; the group agreed to put Whois on its agenda for its meeting next week, April 10-11.
The fact that it’s up for discussion is what gives Marby his cautious optimism that he will get the guidance he needs.
Assuming the DPAs deliver, ICANN is then in the predicament of having to figure out a way to enforce, via its contracts, a Whois system that is compliant with the DPAs’ interpretation of GDPR.
Usually, this would require a GNSO Policy Development Process leading to a binding Consensus Policy.
But Marby said ICANN’s board of directors has other options, such as what he called an “emergency policy”.
This is a reference, I believe, to the “Temporary Policies” clauses, which can be found in the Registrar Accreditation Agreement and Registry Agreement.
Such policies can be mandated by a super-majority vote of the board, would have to be narrowly tailored to solve the specific problem at hand, and could be in effect no longer than one year.
A temporary policy could be replaced by a compatible, community-created Consensus Policy.
It’s possible that a temporary policy could, for example, force Afilias and others to reverse their plans to switch to thin Whois.
But that’s perhaps getting ahead of ourselves.
Fact is, the advice the DPAs provide following their Article 29 meeting next week is what’s going to define Whois for the foreseeable future.
If the guidance is clear, the ICANN organization and community will have their direction of travel mapped out for them.
If it’s vague, wishy-washy, and non-committal, then it’s likely that only the European Court of Justice will be able to provide clarity. And that would take many years.
And whatever the DPAs say, Marby says it is “highly improbable” that Whois will continue to exist in its current form.
“The GDPR will have an effect on the Whois system. Not everybody will get access to the Whois system. Not everybody will have as easy access as before,” he said.
“That’s not a bug, that’s a feature of the legislation,” he said. “That’s not ICANN’s fault, it’s what the legislator thought when it made this legislation. It is the legislators’ intention to make sure people’s data is handled in a different way going forward, so it will have an effect.”
The community awaits the DPAs’ guidance with baited breath.
ICANN chief begs privacy watchdogs for Whois advice
ICANN CEO Goran Marby has written to the data protection authorities of all 28 European Union states, along with the European Data Protection Supervisor, to ask for guidance on how to implement new privacy laws.
Marby also asked the DPAs about the possibility of an enforcement moratorium, to give the domain industry and ICANN more time to formulate their collective response to the General Data Protection Regulation.
GDPR, which aims to give EU citizens more control over their personal data, comes into full effect May 25. Companies that break the rules face fines that could amount to millions of euros.
But ICANN does not yet have a firm plan for bringing the distributed Whois system into compliance with GDPR, and has repeatedly indicated that it needs guidance from European DPAs.
“ICANN and more than a thousand of the domain names registries and registrars are at a critical juncture,” Marby wrote (pdf).
“We need specific guidance from European data protection authorities in order to meet the needs of the global internet stakeholder community, including governments, privacy authorities, law enforcement agencies, intellectual property holders, cybersecurity experts, domain name registries, registrars, registrants and ordinary internet users,” he wrote.
ICANN has already written a proposal — known as the “Cookbook” and sent to DPAs three weeks ago — for how gTLD registrars and registries could comply with GDPR by removing most fields from public Whois records.
But Marby’s letter points out that many ICANN community members think the Cookbook either goes too far or not far enough.
As we reported a week ago, the Governmental Advisory Committee and Intellectual Property Constituency are not convinced ICANN needs to chop quite as much info from the public Whois as it’s currently planning.
But on the flipside, there are privacy advocates who think far less data should be collected on registrants and fundamentally question ICANN’s power to mandate public Whois access in its registry and registrar contracts.
Both sides of the debate are referenced in the letter.
“Guidance from DPAs on ICANN’s plan of action as presented in the Cookbook, and in particular, the areas where there are competing views, is critical as soon as possible, but particularly during the next few weeks,” Marby wrote.
Whether ICANN will get the answers it needs on the timetable it needs them is open to debate.
Many community members expressed skepticism about whether the DPAs’ commitment to the urgency of the issue matches ICANN’s own, during ICANN 61 earlier this month.
There seemed to be little confidence that the DPAs’ responses, should ICANN receive any, will provide the clarity the industry needs.
It may also be bad timing given the unrelated Cambridge Analytica/Facebook scandal, which appears to be consuming the attention of some European DPAs.
Recent Comments