Latest news of the domain name industry

Recent Posts

Euro-Whois advice still as clear as mud

Kevin Murphy, July 6, 2018, Domain Policy

European privacy chiefs have again weighed in to the ongoing debate about GDPR and Whois, offering another thin batch of vague advice to ICANN.
The European Data Protection Board, in its latest missive (pdf), fails to provide much of the granular “clarity” ICANN has been looking for, in my view.
It does offer a few pieces of specific guidance, but it seems to me that the general gist of the letter from EDPB chair Andrea Jelinek to ICANN CEO Goran Marby is basically: “You’re on your own buddy.”
If the question ICANN asked was “How can we comply with GDPR?” the answer, again, appears to be generally: “By complying with GDPR.”
To make matters worse, Jelinek signs off with a note implying that the EDPB now thinks that it has given ICANN all the advice it needs to run off and create a GDPR-compliant accreditation system for legitimate access to private Whois data.
The EDPB is the body that replaced the Article 29 Working Party after GDPR came into effect in May. It’s made up of the data protection authorities of all the EU member states.
On the accreditation discussion — which aims to give the likes of trademark owners and security researchers access to Whois data — the clearest piece of advice in the letter is arguably:

the personal data processed in the context of WHOIS can be made available to third parties who have a legitimate interest in having access to the data, provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary and the other requirements of GDPR are met, including the provision of clear information to data subjects.

That’s a fairly straightforward statement that ICANN is fine to go ahead with the creation of an accreditation model for third parties, just as long as it’s quite tightly regulated.
But like so much of its advice, it contains an unhelpful nested reference to GDPR compliance.
The letter goes on to say that logging Whois queries should be part of these controls, but that care should be taken not to tip off registrants being investigated by law enforcement.
But it makes no effort to answer Marby’s questions (pdf) about who these legit third-parties might be and how ICANN might go about identifying them, which is probably the most important outstanding issue right now.
Jelinek also addresses ICANN’s lawsuit against Tucows’ German subsidiary EPAG, and I have to disagree with interpretations of its position published elsewhere.
The Register’s Kieren McCarthy, my Chuckle Brother from another Chuckle Mother, reckons the EDPB has torpedoed the lawsuit by “stating clearly that it cannot force people to provide additional ‘admin’ and ‘technical’ contacts for a given domain name”.
Under my reading, what it actually states is that registrants should be able to either use their own contact data, or anonymized contact information identifying a third party, in these records.
The EDPB clearly anticipates that admin and technical contacts can continue to exist, as long as they contain non-personal contact information such as “admin@example.com”, rather than “kevin@example.com”.
That’s considerably more in line with ICANN’s position than that of Tucows, which wants to stop collecting that data altogether.
One area where EDPB does in fact shoot down ICANN’s new Whois policy is when it comes to data retention.
The current ICANN contracts make registrars retain data for two years, but the EDPB notes that ICANN does not explain why or where that number comes from (I hear it was “pulled out of somebody’s ass”).
The EDPB says that ICANN needs to “re-evaluate the proposed data retention period of two years and to explicitly justify and document why it is necessary”.
Finally, the EDPB weighs in on the issue of Whois records for “legal persons” (as opposed to “natural persons”). It turns out their Whois records are not immune to GDPR either.
If a company lists John Smith and john.smith@example.com in its Whois records, that’s personal data on Mr Smith and therefore falls under GDPR, the letter says.
That should provide a strong incentive for registries and registrars to stop publishing potentially personal fields, if they’re still doing so.

Atallah encourages domainers to get involved in ICANN

Kevin Murphy, June 7, 2018, Domain Policy

ICANN Global Domains Division chief Akram Atallah today encouraged domain investors to participate more in the ICANN community.
“Domain investors’ voices need to be heard in ICANN,” he said during brief remarks opening NamesCon Europe here in Valencia this morning.
“Your voices are as important as everyone else’s and should be heard,” he said.
He noted to the largely European crowd here that ICANN has a public meeting coming up in Barcelona toward the end of the year.
The call came within the context of comments that focused almost exclusively on GDPR and Whois.
Atallah said that the absence of Whois would make it difficult to track down bad guys and harder for the average person to ensure that the information they get online comes from a reputable source.
“Not everything on the internet is true,” he said, to an faux-incredulous “WHAT?!?” from a member of the audience. “You need to know who is behind this information.”
He said that ICANN hopes to keep Whois as transparent as possible, and played up the fact that most community members are now in agreement that a tiered access system seems like the best way forward, which he called a “major shift from 12 months ago, when the community could not agree on anything”.
He added that now that the Article 29 Working Party has been replaced by the European Data Protection Board, it could help ICANN figure out how to proceed on GDPR compliance efforts.
“I think we’ll get more clarity,” he said.
Disclosure: I’m at NamesCon on my own dime, but with a complementary complemintary complimentary press pass.