We’ve talked about the conflicts between our ICANN contract and privacy law in the past. Not once, not twice, but multiple times. We refused to sign the 2013 Registrar Accreditation Agreement (RAA) with ICANN until we’d received a data retention waiver. That decision probably cost us money, but if we have to choose between operating legally or illegally our path is clear.
We’ve also been talking a bit about GDPR, and how WHOIS and various other obligations imposed on us, either directly by ICANN or indirectly through its contracts with the domain name registries, are problematic.
So who decides what is permissible when it comes to privacy rules? Short answer: the data protection authorities.
If you want to know what the general view of something is then you need to talk to all the EU DPAs at once, which is where the Article 29 Working Party comes into play. It is the body where all the DPAs in the EU meet, and it often issues advice as a collective group. If the Article 29 WP makes a formal statement on something (and it regularly does) then that statement carries the weight of all 28 data protection authorities of the European Union member states. So you need to take it very seriously.
So ICANN decided to ask Article 29 for some specific guidance about WHOIS and how ICANN plans to deal with it in light of GDPR. You can read the original letter here. Article 29 were meeting in Brussels this week and they not only discussed the ICANN request, but issued formal advice in response to ICANN’s letters.
The advice is pretty damn clear and isn’t exactly “news” for those of us who’ve been reading Article 29’s missives to ICANN over the past decade (and more).
There are a few bits in the response that are worth highlighting, but this one in particular struck me as being worthy of attention (emphasis added):
ICANN should take care in defining purposes in a manner which corresponds to its own organisational mission and mandate, which is to coordinate the stable operation of the Internet’s unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.
Basically what they’re saying is that ICANN’s attempts to retrofit the current usage of WHOIS data onto data protection law are fundamentally flawed. ICANN’s mandate is narrow, and if third parties want access to data for reasons outside that narrow mandate, ICANN should not be acting as their proxy.
Over the past couple of months we’ve had notifications from multiple country code domain name registries (ccTLDs) about how they’re changing the collection, processing and publication of domain name registration data (I’ve a separate blog post in the works that will cover a lot of this!) and it’s very clear that the current “status quo” is simply not viable.
So what does all of this mean?
Come the end of May public whois as we know it will be dead.
This does not come as a surprise to many of us – we’ve been raising issues with it going back years. However, the upcoming changes to public whois will upset some people.
What will ICANN do?
It’s not yet 100% clear, but it’s pretty clear that they’ll have to follow the advice that they requested. (Be careful what you ask for!!)
Registrars and registries, including ourselves, are not interested in operating outside the law.
It’s the law.
(Sorry – I couldn’t resist the Judge Dredd reference!)
ICANN’s “interim model” may not be 100% perfect in every way, but with some tweaks many of us believe it could be viable.
Will the “death” of public whois lead to problems?
Sure, but let’s be realistic and not hysterical about it.
There will be some issues that will definitely arise, but if public whois data was as important as some would have us believe then many big ccTLDs would have massive headaches.
That doesn’t mean that we don’t see a “value” in WHOIS data. We do, but the last 10+ years of circular conversations, task forces and work groups within ICANN have never resolved anything. Privacy extremists want complete anonymity, while IP lawyers and anti-abuse types want all the data. And, unfortunately, the number of informed people from those groups who were willing to either compromise, think outside the box a little or come up with different ways to achieve similar results has been tiny.
And what of the ICANN response?
Their formal letter might go out in the next few days and whatever it says will have been carefully vetted by their legal team.
You can read their initial reaction here.
UPDATE: Since originally publishing this article earlier today I’ve spoken to senior ICANN Staff who have clarified a couple of things in the ICANN response (linked to above).
ICANN had asked for “forbearance” of enforcement in their communication to Article 29. They didn’t receive it, so they are going to explore other legal routes to get that moratorium. The “delay” in enforcement is to allow registrars and registries to implement the changes necessary to operate a compliant suite of systems and processes. Also interestingly ICANN is asking to be included in ANY proceedings taken against a registrar or registry in relation to WHOIS anywhere in the EU.
Lutz Donnerhacke says:
The GDPR issue is not new. I already made a proposal which was rejected. So let me summarize it again:
Acknowledge the fact that legal systems do differ in different parts of the world.
Accept the fact that legal systems evolve (rather quickly), so any solution may be invalidated at any unforeseen time.
Therefore: Do not collect or store data at points where the data was not generated. This solves the problem of transferring personal data from one jurisdiction to another.
Try to find out which use cases really exist. Which data should be available, and for whom? Be honest.
Whois does offer a redirection scheme: A whois server can respond with partial information and point to a different server to get more information.
Favor an ultra thin whois:
Every response contains only the information about the contract local to the queried server.
Always start at whois.iana.org (which is already implementing such a thin whois).
Do not stop at the registry level. The registry should respond with the contract details and a referral to the accredited registrar who registered the object.
Include registrar-level whois in the Registrar Accreditation Agreement. Allow subdelegation to resellers for whois data. In the case of subdelegation, the whois response at registrar level should contain the reselling contract details and the referral to the reseller whois.
If the reseller or the registrar is unable to run the whois service according to the ICANN enforced Service Level Agreements, they have to use the upper level whois and clear all the legal issues themselves.
Now back to the Law Enforcement Agencies and their privately operated surroundings: They have to follow the whois referral tree down to the registrar/reseller whois. It’s likely that they will not have access to the data they want if they are querying from a foreign country. So they do have to use the legal ways to ask the LEA in the destination country. In order to ease this process, all contract-based referral data should not be hidden. This might be part of the contracts. End customer data should be handled according to the local law.
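The referral walk the comment describes (start at whois.iana.org, follow each level’s pointer down to the registrar or reseller whois), as an added example that is not part of the post or of the comment: a small Python client that extracts the referral line from a WHOIS response and walks the tree, stopping at a leaf or a loop. Network access is replaced by a constructed table of responses, and the registry and registrar hostnames in that table are placeholders.

```python
# Added illustration of a thin-whois referral walk; not code from the post.
# Real WHOIS responses name the next server with lines such as "refer:",
# "whois:" or "Registrar WHOIS Server:"; the parser below accepts those keys.
from typing import Callable, List, Optional, Tuple

REFERRAL_KEYS = ("refer", "whois", "registrar whois server", "whois server")


def parse_referral(response: str) -> Optional[str]:
    """Return the host named by the first referral line, or None for a leaf."""
    for line in response.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in REFERRAL_KEYS:
            host = value.strip().lower().removeprefix("whois://")
            if host:
                return host
    return None


def follow_referrals(query: str, fetch: Callable[[str, str], str],
                     start: str = "whois.iana.org",
                     max_hops: int = 5) -> List[Tuple[str, str]]:
    """Walk the referral chain from `start`; return (server, response) pairs.

    The walk ends at a leaf (no referral), when a server refers back to one
    already consulted (loop), or after max_hops, so a hostile or broken
    referral chain cannot keep the client bouncing between servers."""
    chain, seen, server = [], set(), start
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        response = fetch(server, query)
        chain.append((server, response))
        server = parse_referral(response)
    return chain


# Constructed responses standing in for the network; hostnames other than
# whois.iana.org are placeholders. The registrar leaf repeats its own
# hostname, which is common in practice and exercises the loop check.
CONSTRUCTED_RESPONSES = {
    "whois.iana.org": "domain:   COM\nrefer:    whois.registry.test\n",
    "whois.registry.test": ("Domain Name: EXAMPLE.COM\n"
                            "Registrar WHOIS Server: whois.registrar.test\n"),
    "whois.registrar.test": ("Domain Name: example.com\n"
                             "Registrar WHOIS Server: whois.registrar.test\n"
                             "Registrant Contact: REDACTED FOR PRIVACY\n"),
}


def offline_fetch(server: str, query: str) -> str:
    return CONSTRUCTED_RESPONSES.get(server, "")


def lookup_path(query: str = "example.com") -> List[str]:
    """Servers consulted, outermost first, for the constructed example."""
    return [server for server, _ in follow_referrals(query, offline_fetch)]
```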