In order for the Internet to function properly there has to be “trust”.
Trust in “online” is something that has ebbed and flowed over the years, but over the past two decades more and more of our daily lives are linked closely to “digital”. Our banks encourage us to use online banking and their mobile apps. Government agencies share (and collect) information from private citizens and businesses online. And of course we all do more and more of our shopping online, be that via behemoths like Amazon or smaller businesses offering niche products and services.
All of this growth only works when there is trust in the entire system.
Blacknight is a primarily online company. Yes, we have physical offices with staff. We own thousands of servers which we have placed in data centres in Ireland. But the bulk of our business is either online via our site or is in the background, providing the tools and infrastructure to facilitate online business for companies from the four corners of the earth. When a business chooses to put their trust in us (or one of our competitors) that chain of trust is cornerstone to their online presence. That trust has multiple layers. We are trusted to provide reliable services. We are trusted to respect our clients’ data and, by extension, the data of their clients.
We’ve always taken security and privacy seriously. We try our best to keep our network clean and free from abuse. We are ISO certified and take our responsibilities very seriously.
With the introduction of GDPR earlier this year there was a general “sea change” in how many online companies viewed and handled data and privacy. While being “compliant” with GDPR is still in many respects not clearcut, most companies have taken steps to be as compliant as possible. On our side we’ve documented in detail our various policies around handling data and have worked with both clients and suppliers to ensure that we have the necessary processes and agreements in place.
One of the areas, however, where there were always going to be potential for extra headaches was with data that left our control as part of the service provisioning. So, for example, when somebody wants to register a domain name we collect and process the information required on our end and then share it with the respective registry operator. In the world of country code domains, like .ie, the personal information that we shared with the registry never went anywhere else and was not made public. Unfortunately, however until the end of May this year, with the ICANN controlled domain extensions it was a different matter and unless domains were using a privacy service a lot of personal information was being made public by default.
It all boils down to one simple core tenet: trust.
When somebody gives us information while buying a service from us they have an expectation that the information will only be used by us and our partners to provide the service.
Sure, if they break the law then their data could end up in the hands of law enforcement. But unless they’ve actually done something fundamentally wrong why would we breach that trust? Why would be give a 3rd party access to our client’s data?
So if someone wants to access the non-public data associated with a domain name on our accreditation we are not going to handover that information unless we are confident that not only is the request valid, but that the private data will be accessed and processed in accordance with both the law (GDPR) and security best practices. We cannot simply handover our clients’ data on a whim, as to do so would breach the chain of trust.
While we haven’t finalised a formal policy document for non-public whois access requests we are currently asking that requestors provide us with the information and the assurances to maintain the trust. So that looks a little like this:
- the full contact details of the person or organisation submitting the request. We obviously aren’t going to even consider taking an access request seriously unless we know who exactly we are dealing with
- Details of how they will comply with Chapter V GDPR (if they’re from outside the EU)
- A statement, on the letterhead of the party they represent, that they represent them and their interests with regard to this request.
- A statement, under penalty of perjury, that requested data are related to a good-faith belief that the rights of you or the party you represent have been violated and the data you are requesting is required to further pursue assertion of those rights.
- A statement, under penalty of perjury, that the personal data that you receive will be processed in a legally-compliant manner at all times, not stored, transferred, or otherwise shared without legitimate interest, and deleted as soon as it is no longer needed to pursue this assertion of rights.
We have been in communication with the Irish data protection authorities over the past few years in relation to ICANN’s demands on us. And they’ve made it very clear that we need to ensure that all appropriate safeguards are in place and without same we cannot transfer data.
So if someone wants to access our clients’ data they will need to make sure that their request is not frivolous. We take the trust of our clients very seriously and our responsibilities under GDPR are not something we take lightly!
