Ever since ICANN’s creation, there has been a clash between the protection of personal data and its contractually-required Whois service. Under ICANN contracts, registrars were required to publish sensitive information about domain name registrants. The email addresses, names and other contact information of domain holders were available to anyone in the world who requested it. This indiscriminate access to sensitive data was proven to exacerbate spam problems, aid domain name hijackers and in a few cases facilitate stalkers.
The implementation of Europe’s General Data Protection Regulation this year finally knocked some sense into the ICANN regime. In an emergency temporary specification issued in May, the ICANN board authorized its contracted registries and registrars to redact sensitive data from their Whois output.
Under the temporary specification, Whois still delivers the basic data about domain names needed to support ICANN’s mission of coordinating the domain name system (DNS). One can see who the registrar is, the nameserver data, the date the domain was created, etc. You can also see all the other information if the domain registrant is willing to publish it. If there is a trademark dispute over the domain, the registrar still must provide the dispute resolution provider with the full registration data for each of the specified domain names. Registrars and Registries must still provide reasonable access to personal data to third parties with legitimate interests that are not overridden by privacy rights, such as law enforcement agencies pursuing criminals.
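The tiered access described above (operational DNS data stays public, registrant contact data is redacted unless the registrant opts in, and full data is released only for a stated legitimate interest such as a dispute resolution provider or law enforcement) can be modelled in a few functions. The following is an added illustration written for this page; it is not ICANN’s or any registrar’s code, and the field names, purpose labels and sample record are assumptions constructed for the example.

```python
"""Tiered Whois disclosure modelled on the temporary specification.

Added illustration, not ICANN's or any registrar's code. Field names,
purpose labels and the sample record are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

REDACTED = "REDACTED FOR PRIVACY"

# Operational DNS data that stays public under the temporary specification.
PUBLIC_FIELDS = ("domain", "registrar", "nameservers", "created")
# Registrant contact data that is redacted unless the registrant opts in.
PERSONAL_FIELDS = ("registrant_name", "registrant_email",
                   "registrant_phone", "registrant_street")
# Legitimate interests the page names; the labels themselves are assumptions.
LEGITIMATE_PURPOSES = {"dispute_resolution", "law_enforcement"}


@dataclass
class AccessRequest:
    """A third party asking for unredacted data for one domain."""
    requester: str
    purpose: str
    domain: str


def public_view(record: Dict) -> Dict:
    """Whois output anyone may see: DNS data always, contact data only if
    the registrant consented to publication."""
    out = {k: record[k] for k in PUBLIC_FIELDS}
    publish = bool(record.get("registrant_consent_to_publish", False))
    for k in PERSONAL_FIELDS:
        out[k] = record[k] if publish else REDACTED
    return out


def disclose(record: Dict, req: AccessRequest, audit: List[Dict]) -> Dict:
    """Gated access: full data only for a stated legitimate purpose and the
    matching domain; every request, granted or refused, is written to the
    audit trail so disclosures remain accountable."""
    granted = (req.purpose in LEGITIMATE_PURPOSES
               and req.domain == record["domain"])
    audit.append({"requester": req.requester, "purpose": req.purpose,
                  "domain": req.domain, "granted": granted})
    if granted:
        return {k: record[k] for k in PUBLIC_FIELDS + PERSONAL_FIELDS}
    # Refused requests fall back to exactly what the public already sees.
    return public_view(record)


def format_whois(view: Dict) -> str:
    """Render a view as key/value lines in the style of a Whois response."""
    lines = []
    for k, v in view.items():
        if isinstance(v, list):
            lines.extend(f"{k}: {item}" for item in v)
        else:
            lines.append(f"{k}: {v}")
    return "\n".join(lines)


# Constructed sample record (not a real registration).
SAMPLE_RECORD = {
    "domain": "example.test",
    "registrar": "Example Registrar, Inc.",
    "nameservers": ["ns1.example.test", "ns2.example.test"],
    "created": "2015-03-09",
    "registrant_name": "Jane Doe",
    "registrant_email": "jane@example.test",
    "registrant_phone": "+1.5555550100",
    "registrant_street": "1 Sample Lane",
    "registrant_consent_to_publish": False,
}

if __name__ == "__main__":
    print(format_whois(public_view(SAMPLE_RECORD)))
    trail: List[Dict] = []
    udrp = AccessRequest("udrp-provider", "dispute_resolution", "example.test")
    print(format_whois(disclose(SAMPLE_RECORD, udrp, trail)))
    nosy = AccessRequest("data-broker", "marketing", "example.test")
    print(format_whois(disclose(SAMPLE_RECORD, nosy, trail)))
    print(trail)
```

The design point is that redaction and disclosure are the same record seen through two gates: the public gate is controlled by the registrant’s consent flag, the legitimate-interest gate by the stated purpose, and the audit trail records who asked and whether they got the data.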
Privacy opponents who cried doom and gloom when this change was enacted, embarrassingly enough, are now looking like religious nuts whose predicted date for the end of the world has come and gone. The Internet still functions as before. There is no discernible change in internet security. And there are some clear security gains: for example, registrars are seeing fewer attempts to hijack domains because would-be hijackers cannot spoof a name, email address, and street address if they cannot see it.
The temporary specification was just that – a temporary fix meant to prevent ICANN and its contracted registries and registrars from being sued after the implementation of the GDPR. Recognizing the need for a more formal policy process, ICANN put into motion an expedited policy development process (ePDP) to review the temporary specification and allow all the stakeholders involved in ICANN to accept or alter its terms in ways that would make it a consensus policy. In this policy process, all sides are represented: registries, registrars, privacy advocates, intellectual property interests, commercial users, and governments via ICANN’s Governmental Advisory Committee. The ePDP commenced in August and is now headed into its 8th meeting. The goal is to have a proposal ready by ICANN’s Barcelona meeting in late October.
But now the special interests who oppose privacy are circulating draft legislation to cut short this process. They want to substitute U.S. law for the ICANN process. We have a draft of the proposed law available here. The people pushing this legislation are the same folks who are always trying to regulate and control the Internet: copyright maximalists, big pharma, and the like. Economic interests are also at play. To companies like Domain Tools, Whois data is raw material for commercial services that they offer to brand protection firms and others. By negating domain registrants’ privacy rights, they are able to monetize the sale of their personal information – and unlike Google, Facebook and others who monetize personal information, there is no service offered in exchange, no contract, no ability to opt out. It’s like the government allowing a cereal producer to harvest its raw materials for free; to go into a farmer’s field of wheat or oats and grab what they want. Obviously, Domain Tools doesn’t want that sweet deal to end. But keep that subsidy in mind when you hear them wrap themselves up in the mantle of cybersecurity.
There are clearly conflicting rights and interests and this all has to be sorted out at the global level. ICANN, not the US Congress, is the right place to settle this issue. A U.S. intervention here would be a fateful step toward increased jurisdictional fragmentation of the global domain name system. Maintaining the global scope of DNS policy was the reason ICANN was created in the first place. If the U.S. can pass a law that compels ICANN to adopt a certain policy regarding Whois data, any other government can pass a law that goes in a different or even opposite direction. There are some powerful centrifugal forces pulling at the internet right now, in a variety of contexts. Those concerned with the global connectivity of the Internet – not to mention individual rights to privacy and Internet freedom – need to push back against this intervention by a national government in global internet governance.
Forgive me if I’m missing something here Milton, but do I detect a double-standard?
“ICANN, not the US Congress, is the right place to settle this issue… If the U.S. can pass a law that compels ICANN to adopt a certain policy regarding Whois data, any other government can pass a law that goes in a different or even opposite direction. ”
Surely the EU already did this with GDPR?
ICANN has already adopted a policy — albeit “temporary” — in order to comply with a law that overruled its usual policy-creation process.
Well, Kevin pointed out the obvious double standard I was going to mention, so…
No, sorry, you’re both reacting superficially. There are issues of extraterritoriality in both cases, but there are also fundamental differences between what Europe did with the GDPR and what some people want the US Congress to do.
First difference is that GDPR was not a domain name regulation. It was not legislated specifically to overturn ICANN’s Whois policy. It was a general privacy law that upheld the rights of individuals regarding their data. In conforming to that law – and ICANN has _always_ been obligated to conform to national laws – ICANN had to change its practices.
Indeed, what ICANN was doing with Whois was already illegal in many parts of the world, and unfair to registrants even where it was technically legal. ICANN just ignored that fact for many years. The only difference GDPR made was that it created penalties that made the ICANN community pay attention to the illegality. In contrast, TOSI is an attempt to specifically and directly set ICANN policy via one nation-state’s legislation.
The second difference is that, from an individual rights perspective, what Europe did advanced rights, while what the US is trying to do undermines them. Yeah, that matters.
The third difference is that the worst elements of ICANN’s Whois policy were never consensus ICANN policies to begin with. The open Whois directory was a legacy of the Internet’s earlier days. We never had a policy that defined Whois purpose; it was just there, and we could never get rid of it because those who benefited from open Whois could always block consensus. And even when we did come up with a consensus definition of Whois purpose in 2006 that would have mitigated Whois’s privacy problems, the US government, acting through the GAC and with complicity of the “tossers,” buried it. The 2013 RAA, which cemented into place some of the worst elements of policy desired by LEAs and copyright maximalists, also was never community consensus policy. It was imposed on the registrars by the US government, which was able to influence ICANN through its control of the IANA contract and the threat of Congressional intervention driven by the FBI and trademark lobbyists.
So the difference is this: Europe passes a law that protects the privacy rights of everyone within its jurisdiction; the domain name industry is so globalized that many providers outside of Europe have to conform to it in order to continue doing business in Europe. Yet ICANN still has the capability to develop policies using its own processes to adjust to that. The US, on the other hand, is sticking its hands directly into the domain name industry and telling ICANN and its community what data elements will be displayed. If you think those things are equivalent, I think you’re being an apologist for the tossers.
Thanks for clarifying in detail, Milton. I see now where you see the differences.
You’re invoking a dual-purpose demon here. On the one hand, you offer the red meat of “Copyright maximalists, big pharma, and the like,” but then you make a copyright maximalist argument on behalf of an imaginary privacy right of domain registrants: “It’s like the government allowing a cereal producer to harvest its raw materials for free; to go into a farmer’s field of wheat or oats and grab what they want.”
I suggest you drop the emotional imagery and try to develop a coherent argument that recognizes accountability in some form.
Your comments are as broad as ICANN’s. Measuring mere months after GDPR went into effect is simply too early to provide any indication which direction this new reality will take. There are many different IoCs from a security perspective that can be used to identify C2 systems. However, by removing the PII you make attribution harder. This makes it easier for the bad guys to hide, and harder for the cops to prosecute.
It is basically like saying there is no need to register your gun, since all that information is PII.
If you open a business you must register it, and all that information (address, name, etc.) is available to anyone that asks for it. That is so that if some business rips you off then the owner can be brought to court. The spirit of Whois was to mirror that. Yes, as with anything else that can be abused for profit it was, and that needed to be fixed (and ICANN was taking their sweet time in doing this). But this is not going to be a healthy road to travel for the long term, IMHO.
Nz
calling your opponent something they wouldn’t call themselves is amateur hour stuff. one cannot stop beating one’s wife if one has never started. can you try again without this intellectual dishonesty front and center? i don’t oppose privacy but i do want it balanced against the rights of e-crime victims for accountability, and i have always felt that anyone who wants a globally unique internet identifier is asking the community for a privilege, and this privilege comes with a responsibility of disclosure as to how to reach a bad actor who uses their identifier to abuse others.
This is a nicer version than I would have written.
Paul, John:
Two questions for both of you:
1. Do you support or oppose the proposed legislation?
2. Do you have an economic interest in open access to Whois data?
Very weak answer, Milton.
I support the proposed EU legislation. I think ICANN’s temp spec far exceeds the scope and intent and creates more issues than it satisfies.
The redaction is applied without discrimination.
The redaction ignores the legitimate uses clauses in the GDPR.
The redaction assumes that the EU GDPR is the now and future, one and only Data Protection reg. How do you account for a future where another country doesn’t align exactly with GDPR with this implementation?
There is no proposed EU legislation. There is US legislation. Did you get your continents mixed up? And, your analysis is wrong: Redaction does not prevent a party with a legitimate interest from getting the data, it means that people without a legitimate interest cannot get it.
As somebody that has been protecting consumers altruistically for years, I can patently say we are seeing the GDPR have the opposite effect as intended, now shielding malicious parties, some in unaccountable jurisdictions. In turn that leads to innocent consumers losing their privacy. The responsible parties are essentially insider threats to the DNS system, not even bothering to cover their tracks, some being domain resellers. This results in victim consumers, who are already shamed as “stupid”, “deserving idiots” and more, now having to blindly accept what somebody who is a malicious registrant chooses to deceive them with, essentially signing a blank check of trust to ICANN and its registrars, who already made clear they accept no responsibility for fraud. Law enforcement in many countries has already publicly stated cyber crime is out of control.
So, having to choose in terms of consumer rights, I guess I’ll use your phrase on Twitter: I’m a “tosser”.