
When Whois Policy and Local Law Collide


In the past I’ve written quite a bit about privacy and the implications that various rules and policies can have on it. It’s a topic that concerns everyone, not just industry.

We are an Irish-based company. We are, therefore, obliged to operate in compliance with Irish law. We cannot choose to ignore some of the laws of this land, and since Ireland is part of the EU we also need to keep an eye on what the EU’s various bodies are legislating and ruling.

Over the last couple of years the topic of digital rights and privacy has gone from being something that only those of us who work in IT cared about to being “front and centre”. I often use my mother as an example of an “average internet user”. 18 – 24 months ago she’d never have asked or taken any interest in online privacy, but in the post-Snowden world it is a topic that comes up at the dinner table. (And she wants to borrow my copy of No Place to Hide.)

Last year we became embroiled in a long and tiring battle with ICANN over privacy and data retention, as we refused to sign the new ICANN contract for registrars since we viewed it as being in contravention of Irish and EU legislation with respect to data privacy and retention. We weren’t the only ones saying this, as it had been raised by both Article 29 and others.

As I mentioned recently, we’ve since reached a compromise with ICANN and have signed the new contract. ICANN on their side are still going through their “process”, but we’d expect it to be “put to bed” pretty soon.

So what’s going on now?

ICANN has a bunch of policies and processes surrounding whois. There are rules about what registrars (and registries) are meant to collect and how they should display that data.

Essentially in the ICANN “model” all registrant data has to be collected, processed and displayed in full to everyone.

ICANN is conscious that the way these policies collide with local law can be problematic and they are, therefore, asking the wider community to provide input on how they might improve them. If you have an opinion then that’s all you need to get involved. You can submit your comments here.

Is the current ICANN model compliant with Irish and EU data privacy law?

In short, probably not.

This is not how most EU-based country codes behave with domain registration data.

If you register a domain name under the country code of most of the EU’s 28 member states, the way your data is handled will be quite different.

Taking a couple of examples:

Ireland – it doesn’t matter if you are a limited company, a charity or a private individual, the amount of data that is published is minimal:

whois blacknight.ie
% Rights restricted by copyright; http://iedr.ie/index.php/mnudomregs/mnudnssearch/96
% Do not remove this notice

domain:       blacknight.ie
descr:        Blacknight Internet Solutions Limited
descr:        Body Corporate (Ltd,PLC,Company)
descr:        Corporate Name
admin-c:      AAE553-IEDR
tech-c:       AAM456-IEDR
registration: 21-August-2003
renewal:      21-August-2014
holder-type:  Billable
wipo-status:  N
ren-status:   Active
in-zone:      1
nserver:      ns.blacknightsolutions.com
nserver:      ns2.blacknightsolutions.com
source:       IEDR

person:       Blacknight.com Hostmaster
nic-hdl:      AAE553-IEDR
source:       IEDR

person:       Blacknight.ie Hostmaster
nic-hdl:      AAM456-IEDR
source:       IEDR

Or .eu:

% WHOIS blacknight
Domain: blacknight
Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased whois.

Reseller:
Technical:
Name: Blacknight Hostmaster
Organisation: Blacknight Internet Solutions Ltd.
Language: en
Phone: +353.599183072
Fax: +353.599164239
Email: accounts@blacknight.ie

Registrar:
Name: Blacknight Internet Solutions Ltd
Website: www.blacknight.com

Name servers:
ns.blacknightsolutions.com
ns2.blacknightsolutions.com

Keys:

Please visit www.eurid.eu for more info.

However, if you do a lookup on any .com domain name that I’ve registered, all my personal contact details are published for all the world to view. In my case I use the office address and phone number for a lot of my domain registrations so the “renewal notices” and other junk end up there instead of cluttering up my personal space.

To date only two domain name registries have been able to get ICANN to agree to a different whois policy – .cat and .tel.

So if you were to take my personal .tel domain name you’d get:

whois mneylon.tel
Domain Name:                                 MNEYLON.TEL
Domain ID:                                   D649645-TEL
Sponsoring Registrar:                        BLACKNIGHT INTERNET SOLUTIONS LTD.
Sponsoring Registrar IANA ID:                1448
Registrar URL (registration services):       www.blacknight.com
Domain Status:                               clientTransferProhibited
Registrant Name:                             Michele Neylon
Name Server:                                 A0.CTH.DNS.NIC.TEL
Name Server:                                 D0.CTH.DNS.NIC.TEL
Name Server:                                 N0.CTH.DNS.NIC.TEL
Name Server:                                 S0.CTH.DNS.NIC.TEL
Name Server:                                 T0.CTH.DNS.NIC.TEL
Created by Registrar:                        TUCOWS.COM CO.
Last Updated by Registrar:                   BLACKNIGHT INTERNET SOLUTIONS LTD.
Last Transferred Date:                       Tue Mar 09 16:45:41 GMT 2010
Domain Registration Date:                    Mon Mar 23 23:59:59 GMT 2009
Domain Expiration Date:                      Tue Mar 22 23:59:59 GMT 2016
Domain Last Updated Date:                    Tue Jan 15 12:06:02 GMT 2013

The key thing here is display / publication, NOT collection.

Law enforcement agencies (and others) can access the data, but if you are a private individual the amount of your data that is being republished is reduced.

Can registrars or registries currently avoid conflict with local law?

As mentioned above, registries have the option to change parts of their contract with ICANN. As far as I know there is no specific process related to data protection / privacy, but both .tel and .cat were able to get a whois policy into their contracts that protects the rights of private individuals and does not conflict with national law.

What about registrars?

At the moment there are two “avenues” open to registrars:

1 – The “waiver” process. But this only deals with data collection and retention. It doesn’t deal with display, i.e. what gets output via WHOIS.

2 – If a registrar is already in trouble with their local DPA or similar then, and only then, they can apply to ICANN to get some kind of “waiver” in relation to whois. However, as this process is so “odd”, I’m not aware of ANY registrar being able to avail of this.

Ideally ICANN would update its policies and contracts so that they were more compliant or at least more understanding of EU law.

At the moment ICANN expects every single registrar who wants a waiver to apply. Even if a registrar in your country already has a waiver you will still need to explicitly apply to ICANN to get one.

This is a little bit odd and places, in my view, an unnecessary burden on registrars. Applying for a waiver is not free and doing it “properly” involves legal fees etc. If one registrar in France gets a waiver then all the other registrars in France should be granted the same terms automatically.

I suspect this will be one of the many topics up for discussion at the next ICANN meeting in London at the end of the month.
