ICANN, GDPR Compliance: 'Huge Crash' or Business as Usual?
As EU data protection authorities pan ICANN's proposed interim plan for to comply with the EU general data protection regulation (GDPR), the question becomes: What, in practical terms, will happen to the Whois database May 25, the effective date of the new law? Horror stories about threats to internet security, intellectual property rights protection and law enforcement activities arising from GDPR compliance abound. Some we spoke with said ICANN missing the compliance date could be a mess, but others said things aren't that dire.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The ICANN community has been unable to decide how to collect and process domain name registrant data, and last month officials offered data protection authorities in the Article 29 Data Protection Working Party (WP29) a proposed interim solution (see 1803120025). In an April 11 letter to ICANN President Göran Marby, Chairperson Andrea Jelinek said WP29 welcomes the move toward layered access to Whois data and an "accreditation program" for access to nonpublic Whois information, but it's still concerned about other aspects of the interim model.
Those concerns include: (1) The failure to detail explicitly the purposes and use for registrant data that will be collected. (2) The need for more clarification about the envisaged relationship between the legitimate purposes of processing Whois data and the legal bases on which they rest. (3) ICANN's proposal to allow access to fully nonpublic data via a whitelist of IP addresses in a central repository. The WP29 said providing such access on that basis "may not provide an appropriate level of security." Authorities also questioned ICANN's plan to allow registrars to continue to hold onto registration data for two years beyond the life of a domain name registration, saying the internet body must rethink its position and justify why such a long period is necessary.
In response, Marby stressed "the need for a moratorium on enforcement in order for us to act to protect Internet users globally." He also said "we may not have been clear enough in setting out the likely negative consequences that parts of the community have noted if WHOIS is fragmented," such as protecting the identity of criminals who might register hundreds of domain names specifically for use in cyberattacks or stymieing trademark holders from safeguarding their intellectual property rights. ICANN said it will continue its discussion with WP29 on April 23.
ICANN is "simply refusing to face facts," Georgia Institute of Technology School of Public Policy professor Milton Mueller emailed Marby and shared with us. ICANN is "issuing news releases that call Whois an 'important global information resource'" and telling the world "phony horror stories about the bad things that will happen if ICANN makes Whois compliant with GDPR." A "moratorium" isn't possible, he said: ICANN is "out on a very exposed, risky path" toward fines and litigation because the GDPR is a law that must be obeyed.
So what happens next? It depends on whether a top-level domain is generic (gTLD) or country-code (ccTLD), said Michele Neylon, managing director of Irish domain registrar and hosting company Blacknight Internet Solutions. Local laws mostly cover ccTLDs, which aren't subject to ICANN contracts or policies, and it appears that "most of them are going to reduce the amount of publicly accessible data as much as possible," he emailed. Registrants will have more privacy but the GDPR won't have much if any impact beyond that, and there won't be much impact on ccTLD registrars either for now, he said.
For gTLDs, "it's going to involve a lot more work and changes," probably through an iterative series of modifications, said Neylon: "I'm not 100% sure what it will end up like, but initially I suspect it'll be quite minimal." The data held could include the registrar of record; contact details for reporting abuse to the registrar, domain name and relevant nameserver. registration date and expiration date, he said. The new Whois would thus include the "thin" elements with a couple of extras, he said. Most gTLD registries operate a "thick" registry that collects, processes and publishes domain registration data in the public Whois; they will now have to decide what to do, he said. For VeriSign-run .com and .net, which have thin registries, the onus will fall on registrars to change how they display the data to the public, Neylon said. He dismissed the idea that GDPR compliance could jeopardize internet security, saying domain name system lookups "will always show you where a domain name is pointing, so mitigating various forms of DNS abuse will still be possible."
There are many competing interests in the debate. Registrars are in the most difficult position because they're caught between their contracts with ICANN and EU law, said Logan Circle Strategies President Shane Tews, who advises on internet policies including privacy and the GDPR. Registries and registrars want to have a say in the rules of the road they will have to enforce, and governments are feeling left out of the process, she said in an interview. In addition, "people's eyes are opening" to data protection issues, spurred by Facebook's congressional testimony and other events, she said. The idea is growing that ICANN isn't going to get away with doing nothing, she said. In addition, security professionals are warning that the DNS is on-ramp to the internet, so there can't be total anonymity, she said: These elements are all coming together into a "huge crash."
The availability of Whois data has "fueled 20 years of spam and scam," emailed former ICANN board member Karl Auerbach, now chief technology officer of computer networking products company IWL. He envisions a set of procedures that would create more balance by requiring those who want access to Whois data to identify themselves; show they've suffered harm that probably came from domain name owner; give notice to the owner; subject the information to a nondisclosure agreement and give third-party beneficiary rights of enforcement to the domain name owner. This sort of scheme "seems to be in rough conformance with the kinds of balanced procedures that the EU wants," he said.