ICANN Corp seems to have finally taken the tension between Whois and privacy rights seriously, thanks to the impending General Data Protection Regulation (GDPR) in Europe.

In preparing for the advent of GDPR, ICANN has solicited legal advice from Hamilton Advokatbyrå, a Swedish law firm, regarding possible conflicts between its Whois policies and European data protection law. The latest of these legal advice memos purports to explain how the processing of data by the Whois services might be changed “in order to become compliant with the GDPR.”

We have reviewed this memo. While it contains some important and astute observations, the conclusions it reaches are seriously muddled. We attribute this muddle not to incompetence on the part of the law firm; we suspect that its client, ICANN, has pushed them very hard to find a rationale for permitting certain current uses of Whois, uses that are clearly inconsistent with the GDPR. In other words, the law firm was probably asked to square the circle verbally and legally, which accounts for the awkwardness of some of the report’s conclusions.

The critical issue here is the purpose of Whois. Purpose is the starting point of data protection law. According to Article 5 GDPR, once the purpose of a database is defined, the following must be taken into account:

  1. Only personal data needed for the relevant purpose shall be processed (purpose limitation).
  2. The processing shall be limited to processing that is necessary for the purpose (minimization).
  3. Only the parties (registrars, registries, ICANN or the general public) that need to process the data for the established purpose shall be able to access it.

From this one can see how a clear purpose for data is central to all of those legal mandates. With those legal parameters in mind, the Hamilton firm report examines Whois. The memo recognizes that there is no clearly defined and commonly accepted purpose of Whois.[1] The 2013 RAA states that the registrars shall permit use of the Whois data for “any lawful purposes” with only two specific exceptions (spamming and automated repetitive querying of the database). The RAA thus does not define a purpose, nor does any extant ICANN policy.

The Hamilton firm then takes a bit of a wrong turn. It starts confusing current uses of Whois with the purpose of the Whois service. It should be obvious that if you collect a bunch of data and provide indiscriminate global access to it, then it can and will be used for any number of purposes. The fact that people use it for these purposes, however, does not mean that the purpose of Whois is to facilitate those uses.[2]

The Hamilton report divides these alleged purposes of Whois into four broad categories:

1. The processing of Whois data for administrative actions.

This involves collection and processing of data that can identify the true owner or registrant of the domain, and facilitates the administrative actions by the registrar and registry required to maintain, manage or transfer the domain. Clearly, insofar as there is any essential purpose for registrars’ collection of registrant data, this one passes all tests. The Hamilton report concludes that this purpose “cannot be used to motivate the publication of the Whois data in public directories” (p. 6). In other words, you don’t need to publish the contact data to anyone who requests it in order to keep track of who owns a domain. One down, three to go.

2. Recovery of registrant data due to disasters or disruptions

Another possible “purpose” for Whois data collection and storage is to recover essential identifying data about the registrant in the case of a disaster or technical failure. This is an important, necessary function, but in this case, too, it is impossible to justify indiscriminate global access to Whois data based on this purpose. As Hamilton states, disaster recovery purposes cannot be used to motivate publication of the Whois data in public directories (p. 7). Two down, two to go.

3. Law enforcement support

A third purported “purpose” for Whois data collection and storage is the facilitation of law enforcement activities. Usually in the ICANN environment, when law enforcement is mentioned everyone tends to kowtow and forget about law, due process and rights. Surprisingly, however, the Hamilton firm analyzes the situation correctly. “[P]rocessing for law enforcement purposes [cannot] be used to motivate publication of the Whois data in public directories,” the memo states, “as it should be possible to fulfill the needs of the law enforcement agencies without making the Whois data public” (p. 7-8). And this is exactly right. LEA access to personal data is not unqualified, but must be linked to a specific purpose, such as a criminal investigation focused on a particular person – and it must follow due process.[3] So law enforcement uses also do not justify making Whois into a public directory. Three down, one to go.

4. Processing of data by rights holders (a.k.a., the grab bag)

The last class of uses (or claimed “purposes”) of Whois is labelled “processing of data by rights-holders.” But that is not an accurate label. There is no clear, well-defined purpose here, but rather a mélange of objectives that many people currently using the public Whois happen to have. It includes:

  • Checking suspected fraud on websites
  • Scanning for trademark infringement
  • Scanning for copyright infringement
  • Consumer interest in the authenticity of a service provider
  • Finding the owner of a domain to make an offer to buy the domain

It is in connection with these category 4 “purposes” (actually, uses) that the Hamilton report starts to wobble. On the one hand, it recognizes the obvious conflicts between them and privacy law. On the other hand, it shows great solicitousness for finding some form of compliance with GDPR that would continue to make these uses possible.

The Hamilton report recognizes the above uses as “legitimate” but concludes that “access to the e-mail addresses of registrants which are natural persons is not necessary for the purposes listed in 2.7.1(i) – (v) above” and so “e-mail addresses should not be made publicly available through the Whois services.” (p. 10). The report also refers to its October 17 memo, which says that “the opinion of both the Article 29 Working Party and the Data Protection Authorities appears to be that legitimate interest in accordance with Article 6.1(f) GDPR cannot be used to legitimize making personal data publicly available through the Whois services.”

Further, the report says that layered access is no solution to this problem. The report concludes that “it will not be practically feasible to fulfill the purposes listed under this section 2.7 through a layered access model” because such a model, to comply with Article 6.1(f) GDPR, would require registrars to assess the status and interests of people requesting access on a case-by-case basis each time a request is made. “This would put a significant organizational and administrative pressure on the registrars and also require them to obtain and maintain the competence required to make such assessments in order to deliver the requested data in a reasonably timely manner. In our opinion, public access to (limited) Whois data would therefore be of preference and necessary to fulfill the above purposes in a practical and efficient way.” (p.12) The report notes that having “automatically qualified persons” faces the exact same problem.

So let’s summarize where the report has taken us so far. Putting personal data into a public directory is not necessary for technical and administrative support of domain names, nor for disaster recovery, nor for law enforcement. It helps those attempting to use Whois for the purposes in category 4, but making personal data publicly available to those users violates the GDPR. And layered access is not a practical solution.

So it appears they are not advocating layered access, they are advocating indiscriminate public access to a much more limited set of Whois data; e.g., Whois without email addresses or physical addresses for natural persons.

But wait….

In their conclusion, Hamilton says “the best chance of continuing to provide the Whois services and still be compliant with the GDPR will be to implement an interim solution based on a layered access model that would ensure continued processing of Whois data for some limited purposes.” We can’t figure out where this conclusion came from; perhaps from outer space?

The report suddenly asserts that “the purpose of the gTLD Whois services goes beyond …providing technical and administrative points of contact.” It does? Earlier in the report Hamilton correctly stated that there was no agreed definition of purpose, so how, exactly, did they decide that the purpose is broader than that?

In short, the final conclusions of this memo are not supported by its analysis. The report shows that none of the identified purposes and uses require indiscriminate publication of all the personal data that is currently in Whois, and that such publication is not compliant with the GDPR. Yet the report argues for a “public interest” in such publication. The report calls for layered access as an immediate step to prepare for GDPR compliance, but it also notes that layered access, to be GDPR compliant, is impractical. And speaking of impracticality, the law firm probably has no idea how difficult it will be to get the ICANN community to agree on what the layers are and how various parties will be authorized to traverse them in the next three months.

The Hamilton report has not identified a viable way forward, neither long term nor short term.

The real solution to this problem is to identify a purpose of Whois that is consistent with ICANN’s limited mission. The real purposes behind the collection and storage of Whois data are identified in categories 1 and 2 above – administrative actions and data recovery – and perhaps some technical coordination and stability concerns that are advanced by public access to minimized data about the registrant. Insofar as other uses of this public data are made, we must recognize that they are ancillary uses, not the purpose of Whois, and thus policy and contracts have no obligation to facilitate them.

Given this purpose, the analysis in the Hamilton report actually points away from a complicated layered model and toward continued public access to a far more limited set of data. This is the easier, and the most legally correct, path to follow. That is where ICANN should go.


Endnotes

[1] The report states: “the purposes for processing of personal data within the scope of the Whois services have historically not been very elaborately described in the communication with the public and the external understanding of the purposes for processing seems to be rather limited” (p. 4).

In our next blog, we will look at how ICANN’s GNSO did put forward a consensus definition of Whois purpose back in 2006, only to be rebuffed in a top-down manner by the US government. Nearly all information about that effort has been erased from ICANN websites, but we have dug up some of the key historic documents.

[2] For example, if the purpose of Whois was to facilitate law enforcement, then the data collected would be vastly different. It might make sense to require a photo ID and social security number or some other national identifier when registering a domain.

[3] The report cites EU Court of Justice Cases C-203/15 (Tele2 Sverige) and C-698/15 (Watson) regarding LEA use of data retained by service providers, and notes: “In the abovementioned CJEU cases, … access to retained data by competent law enforcement agencies as a general rule must, except in cases of validly established urgency, be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those law enforcement agencies submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.”

5 thoughts on “The Looming Battle over the GDPR and the Purpose of Whois in ICANN”

  1. While I agree with John that this is a detailed analysis, it fails at the very beginning. Given that anyone can operate a mail server, how are they supposed to be able to administer that and find remote points of contact without public whois data?

    Surely you are not suggesting that only “authorized” parties are allowed to operate a mail server. What would your process be to distinguish between someone claiming to operate a mail server from someone that is actually operating a mail server? One should have rights under GDPR to access the data for administrative purposes while the other should not, but how do you sort that out without creating a list for those “authorized to operate a mail server”?

    Are you suggesting that only someone with a domain registration should be able to access whois? Since anyone can register a random string as a domain name and never use it for more than access to the whois database, what is the point of hiding the contact info? Surely anyone motivated enough to type the string ‘whois’ to find data would understand the trivial step necessary to bypass the distinction between public and members-only data. Given that having the facility and typing whois already provides a filter on access to the data, is the data truly ‘public’ to begin with?

    Restricting rights to run an independent mail server in the name of protecting the dubious need to hide contact info related to a domain name is nothing more than ‘privacy advocacy’ run amok.

    1. I’m afraid this comment fails at the beginning. None of the models suggested eliminating all public Whois data. There are good reasons to have the name servers published, the name of the registered name, the registrar, etc. Please take another look at the proposed models and see what is really up for discussion. The debate is about how much personal information about the registrants needs to be published. You do not need access to my home address to operate a mail server.

      You also seem to be deeply confused about this:

      “Are you suggesting that only someone with a domain registration should be able to access whois? Since anyone can register a random string as a domain name and never use it for more than access to the whois database, what is the point of hiding the contact info?”

      If I understand this somewhat muddled point, you are implying that we are proposing that someone who registers a domain gets “all you can eat” access to all registrant data for ALL domains in the world merely because they have registered a domain, and anyone who has not registered a domain gets no access. No one has proposed such a model. Again, some Whois data should be available to anyone and everyone; the issue is which data elements are public, which require permissions, and which are not collected or published at all. Of course, the registrant and registrar of a domain should have full access to all information about the registrant OF THAT NAME.

      The article contains links to the relevant reports with the contending models. I hope you get a chance to read them.