back to article ICANN gives domain souks permission to tell it the answer to Whois privacy law debacle

Internet overlord ICANN has hit on an ingenious solution to the impending collision of the domain name system's Whois service and incoming European privacy legislation: let everyone else figure it out. Following a week of testy meetings in which domain registries and registrars complained they face business-destroying fines if …

  1. Keef
    Joke

    Leadership is needed here.

    As I understand it Benoît Battistelli will be available soon.

    Maybe ICANN should offer him a position, he'll sort it out.

  2. Doctor Syntax Silver badge

    Generally speaking, law overrides contract terms. If the ICANN contract requires the other party to do something illegal then surely that clause would be unenforceable.

    Now let's think about the more complicated aspects: if an EU citizen registers a domain with a non-EU registrar is that registrar obliged to follow EU legislation? If so how does the EU bring the registrar to account if it has no EU residency and how does the registrar discover that citizenship of the registrant?

    1. Alexander Hanff 1

      Not generally speaking - always (I can't think of a single situation where it doesn't) and in fact one of the explicit requirements for processing personal data in GDPR is that it must be "lawful" - in this situation it would not be lawful and thus the contract terms would be considered void.

      1. Doctor Syntax Silver badge

        "Not generally speaking - always (I can't think of a single situation where it doesn't)"

        If I'd said "always" some smartarse would come up with an exception. But, like you, I can't think of one.

    2. Anonymous Coward
      Anonymous Coward

      @Doctor

      "Generally speaking, law overrides contract terms. If the ICANN contract requires the other party to do something illegal then surely that clause would be unenforceable."

      They can easily make it legal. It all boils down to consent. So what would be easier than to add a checkbox in the domain registration process: "I give consent to add my details to the ICANN database". Problem solved.

      I don't have an opinion of good or bad here, but seriously: this law isn't going to change anything because it's so horribly easily diverted. Our tax dollars hard at work indeed.

      1. Aqua Marina

        Re: @Doctor

        "So what would be easier than to add a checkbox in the domain registration process"

        It would be very easy, however the issue is that people would opt out when purchasing domains within Europe, which isn't the desired outcome for the vested interests who don't want to change the status quo.

        The dutch have got it right, they have simply informed ICANN that the terms are invalid under EU law and have made the appropriate change, the problem has now been solved in the Netherlands.

        1. IanRS

          Re: @Doctor

          One of the nice things about GDPR (from the viewpoint of a person, not the data-holding corporation), is that data holding must not be opt-out, it must be opt-in. Shell..user had it correct: there must be permission explicitly given, and if it is not explicitly given then it is implicitly denied.

          Even systems which already hold data do not seem to be exempt - the data controllers are meant to come back and ask for permission anew.

      2. Doctor Syntax Silver badge

        Re: @Doctor

        It all boils down to consent. So what would be easier than to add a checkbox in the domain registration process: "I give consent to add my details to the ICANN database"

        Firstly, you can't pre-tick the checkbox. Secondly, you can't refuse the service if the checkox isn't ticked. So, although consent would allow the user details to be published, ICANN can't assume that it will be given and that they can enforce that term.

        1. phuzz Silver badge

          Re: @Doctor

          "Secondly, you can't refuse the service if the checkbox isn't ticked."

          Why not? There's plenty of businesses where if you don't sign their contract they won't do business with you, what's different in this case?

          (honest question, IANAL)

          1. Aqua Marina

            Re: @Doctor

            It's slightly misleading. A company can refuse to do business for any reason it wants as long as that refusal isn't illegal, i.e. the trader is racist and does not want to sell to anyone that is black.

            The issue here is that the law says that data must only be kept for the legal minimums, and additionally for a reason which must be stipulated via a policy explained up front. The policy will usually say that data is used for marketing. Now if upon reading the policy the customer has concerns, for example his name and email address will be shared with 3rd parties for advertising purposes, he can choose to opt out, and can choose to take his business elsewhere. Also the trader can legally refuse to do business and let the customer go elsewhere.

            At this point the customer could send the written policy to the ICO showing them that the company intends to, or is using data in an unreasonable way. The ICO would then investigate. If the ICO investigated and found that the company has indeed been using data in an unreasonable way, they would then prosecute. Or if they investigated and found that the data actually wasn't being used unreasonably then the trader has done nothing wrong.

            Where people get confused is in the middle ground, where either companies have existing data they are misusing, or they acquire new data without consent, or they use data in a way that contradicts the previous written policy, or they refuse to remove a customers data upon request. In these cases, the company could be breaking the law, but only an investigation could conclude that and the trader be prosecuted.

          2. Aqua Marina

            Re: @Doctor

            I'll quickly explain where the confusion arises. When written into law, there is a difference between the words "should" and "must".

            If the law said "You should not ask for data that is not required to operate the service", then the trader still could ask for an opt-in. Legally speaking the word "should" is a suggestion.

            If the law said "You must not ask for data that is not required to operate the service", then the simple act of asking for an opt-in would be illegal. The word "must" when appearing in a law means what is written is mandatory.

            The law actually says that (and I simplify) "you should not ask for data that isn't required to operate the service, and you must not use that data it if you have it without consent."

            It is this last example that has people thinking that you cannot refuse service if someone opts out. People are confusing the words should and must.

            1. Alexander Hanff 1

              Re: @Doctor

              Nah you are confused - you are reading the wrong part of the Regulation. Consent definition is covered under Article 4.11:

              "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes...."

              The key part of the sentence is "freely given" - it has been determined by legislators that this means it can not be a condition of access to a service because then there is an imbalance in the relationship given that if the data subject does not give consent they cannot engage in that service, which means when you put this into the wider context data subjects would literally be excluded from digital society if they wanted to maintain their Art.8 fundamental rights because literally 99.9999% of digital services would eventually simply block access to anyone who does not consent.

              Under such circumstances it cannot be argued that consent is freely given and as such it was intended specifically during drafting and trialogue that such activities would be unlawful.

              This is also not new - the issue of freely given consent goes all the way back to Convention 108 in 1980 and is actually the same level of protection provided for in 95/46/EC (the previous Data Protection Directive) the problem is 95/46/was secondary legislation and therefore implemented in different ways in different member states, GDPR is primary legislation and has no such wriggle room.

              The new ePrivacy Regulation goes a step further in Recital 18 which states:

              "Consent should not be considered as freely given if it is required to access any service or obtained through repetitive requests. In order to prevent such abusive requests, users should be able to order service providers to remember their choice not to consent and to adhere to technical specifications signaling not to consent, withdrawal of consent, or an objection."

              So this also means that for example - if a data subject has denied consent (say through a Do Not Track signal) but a web site keeps showing those cookies banners over and over again - this would also not be considered as freely given consent.

              For -most- digital services it is likely that the ePrivacy Regulation will be the relevant Regulation as opposed to GDPR when it comes to consent - GDPR is more likely to apply to services which are non-digital (there will of course be some exceptions).

            2. This post has been deleted by its author

          3. Doctor Syntax Silver badge

            Re: @Doctor

            "Secondly, you can't refuse the service if the checkbox isn't ticked."

            Why not? There's plenty of businesses where if you don't sign their contract they won't do business with you, what's different in this case?

            From the ICO's site:

            Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.

            I doubt refusing to provide the service if consent isn't given constitutes "freely". Also not "separate from other T&Cs" - again you can sign the contract but refuse consent. I think anyone trying to make consent a condition for providing a service will find themselves answering to the ICO or equivalent in other jurisdictions.

  3. Alexander Hanff 1
    Coat

    Incorrect

    "The law also only affects European citizens so it is not necessary for, say, US citizens' details to be protected equally."

    This is not correct - GDPR applies to anyone who is located in the EU (even US citizens who happen to be on vacation) - not just EU Citizens. Article 3, Recitals 22 & 23 make multiple references to Data Subjects "in the Union". You can literally be passing through for the day and you are covered under GDPR for that single day.

    So for example, if an American happens to be on a trip to Berlin and registers a domain whilst they are there, they would be theoretically covered.

  4. Mark 85 Silver badge

    Would it be possible for registrars to make it "opt-in" for making the info public at least in the EU? Or is that option illegal under the new rules? Just curious here.

    1. Criminny Rickets

      I was thinking along similar lines. Why not, when someone is registering a domain, have a clearly seen notice, notifying the person registering the domain of the following?

      By continuing the domain name registration process, you implicitly agree to allowing your personal information such as name, address and phone number, to be publicly available to look up, in conjunction with your domain name. If you do not agree, you may cancel the domain registration. In addition, if at any point after registering, you change your mind and wish to make your information private, you may submit a domain cancellation and personal information purge request to your registrar. It may take up to 7 business days for information to be purged, to allow for propagation through the Internet backbone.

      1. Paul Crawford Silver badge

        I am no lawyer, but I expect the incoming EU rules don't allow a privacy-breaking contract. I.e. you can ask if someone wants to allow something such as whois entry, but not prevent them from doing business if they demand their privacy is respected.

        So probably EU-based registrars could have an opt-in tickbox, but if you opt out then they still have to manage your domain but with a private registry entry. Which is sensible, but probably against what ICANN's lobbyists want.

        1. Doctor Syntax Silver badge

          So probably EU-based registrars could have an opt-in tickbox, but if you opt out then they still have to manage your domain but with a private registry entry.

          And they couldn't pre-tick the box either.

      2. Doctor Syntax Silver badge

        "Why not, when someone is registering a domain, have a clearly seen notice, notifying the person registering the domain of the following?"

        You can but you'd be lining yourself up for a big fine.

    2. Doctor Syntax Silver badge

      "Would it be possible for registrars to make it "opt-in" for making the info public at least in the EU? Or is that option illegal under the new rules?"

      It is.

  5. Long John Brass Silver badge
    Big Brother

    Not sure I understand

    The registrar for my domain has a paid for service whereby they load the whois info with details on how to contact the registrar. My name and details are never exposed in the public whois database

    I take it that if I'm a very naughty boy the powers that be would serve a warrant on said domain registrar to get that information. Now that might only be as complicated as a govt TLA going to the first floor bogs, ripping off a national security letter from the roll, wiping their arses with it and presenting that to said registrar. but hey; better than nothing right?

    What I don't understand is, is that still falling foul of the GDPR? Or does that fall foul of the ICANN rules?

    1. Aqua Marina

      Re: Not sure I understand

      What your registrar is doing is GDPR compliant, but against ICANN rules.

      1. Doctor Syntax Silver badge

        Re: Not sure I understand

        "What your registrar is doing is GDPR compliant, but against ICANN rules."

        And the latter are unenforceable.

        1. Aqua Marina

          Re: Not sure I understand

          It is enforceable. ICANN are well within their rights to refuse European registrars the ability to register domains as a sanction for not following their rules. They won’t, because money, but contractually they can.

          That is the predicament ICANN are in. Their contract stipulates the registrars must provide contact details of the owner. EU law now forbids that.

          The only way for ICANN to get what they want is to refuse to allow EU registrars service, and register domains with the end user direct, I.e. European customers buy domains themselves from America. Come brexit I think this will all become moot once the government realise that a trade deal with the US would be hindered by the GDPR. Then it would be recinded by parliament.

          1. Doctor Syntax Silver badge

            Re: Not sure I understand

            "That is the predicament ICANN are in. Their contract stipulates the registrars must provide contact details of the owner. EU law now forbids that."

            They have, as I understand it, a contract with the US authorities that stipulates they impose conditions on registrars. Those conditions, when imposed on EU customers contradict the new EU law. So they can impose the terms on the registrars as per their contract but as the terms are contrary to EU law. At the point where the contract chain hits EU law the term becomes unenforceable.

            I can understand that the US authorities with their concepts of global jurisdiction might not like this. However, if they want to keep the Privacy Figleaf in place they need to think very, very carefully about the wisdom of trying to enforce their own contract with ICANN. A graceful way round it would be for them to revise the ICANN contract with words to the effect of "where allowed by local law" slotted in.

            At some point the US does need to get off its high horse. Ultimately ICANN's only power is that it runs the root DNS. Would it really be impossible for the ROTW to get together, clone that root and regard the clone as authoritative? And if they did so the US would simply have to follow.

  6. David Harper 1

    What's the problem?

    I own a number of domains in .com, .co.uk and .eu, and my registrar hides my personal contact information for all of them.

    Indeed, my registrar's default position for all new domain registrations is to hide the owner's contact details, replacing them with a forwarding postal address and an email address which forwards to my private email but which changes every few days to foil spammers. They can harvest the address, but in ten days time, it will no longer be valid.

    1. Aqua Marina

      Re: What's the problem?

      There isn't a problem within Europe. Your registrar has solved the issue with a GDPR compliant work around. This workaround however is against ICANN rules. The problem is ICANNs, not yours or Europes.

  7. Doctor Syntax Silver badge

    It seems to be a characteristic of the the difference between European and US cultures. In EU terms it's quite obvious that the ICANN terms are unenforceable and in US terms it's incomprehensible.

    1. Frederic Bloggs

      I think you will find that it is only "incomprehensible" (or more accurately "unconscionable" ) to large US corporations that want to hoover up all this information because of "money". But it is probably true that parts of the US population also couldn't give a shit - neither, it has to be said, do I.

      1. Doctor Syntax Silver badge

        I think you will find that it is only "incomprehensible" (or more accurately "unconscionable" ) to large US corporations that want to hoover up all this information because of "money".

        "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

  8. EnviableOne Silver badge
    Holmes

    As i Said last week

    the solution is clear, its what Nominet (.uk registrar) have been doing for years, dont publish individuals details, except where they have explicitly requested it. Direct copy from my domain's whois entry-

    Results returned from whois.nic.uk:

    Domain name:

    enss.uk

    Registrant:

    Peter Marquis

    Registrant type:

    UK Individual

    Registrant's address:

    The registrant is a non-trading individual who has opted to have their

    address omitted from the WHOIS service.

    Data validation:

    Nominet was able to match the registrant's name and address against a 3rd party data source on 20-Jun-2013

    Registrar:

    Easy Internet Solutions Ltd [Tag = EASY-INTERNET]

    URL: https://www.freevirtualservers.com

    Relevant dates:

    Registered on: 31-Oct-2014

    Expiry date: 31-Oct-2020

    Last updated: 03-Oct-2017

    Registration status:

    Registered until expiry date.

    Name servers:

    ns1.afraid.org

    ns2.afraid.org

    ns3.afraid.org

    ns4.afraid.org

    WHOIS lookup made at 14:24:04 03-Nov-2017

  9. Alexander Hanff 1

    You are all missing the point

    The reason why ICANN do not want to change their contract is because if they do they will have to do it for the ENTIRE world. Registrars in countries outside of Europe are not going to be co-operative with ICANN if they are being treated differently to European Registrars - THIS is why ICANN has a problem. They want to continue to force public WHOIS for non-EU registrars.

    Of course this is already doomed to failure and they know it (the public WHOIS system globally will die in May 2018 or shortly after) but they are (as usual) behaving like a petulant teenager screaming that white is blue and stamping their feet until eventually they will be forced to comply - at which point they will go sulk for a while and then come back with the attitude that it was always supposed to be this way and they have no idea why everyone is making such a fuss; that it was not their idea to have a public WHOIS in the first place and they always opposed it...

  10. Gary Bickford

    Domain privacy is available from Registrars I, familiar with - why is this still a problem?

    Except for certain TLDs such as .us, every registrar I know of offers privacy at extra cost. This works by providing a special contact cod3 that can be used by law enforcement with proper court papers to identify the real person. So worst case, it seems to me that this system could be made free, with or without default. Why is this insufficient?

  11. hobbified

    The obvious solution is: no registrar *has* to sell to EU entities. Let every European website fall off of the internet over the next few years, and see how Brussels likes the GPDR then. Any other solution is sidestepping the problem by allowing GPDR to continue to exist.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020