Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year

On March 26 – two months before new privacy protections come into effect in Europe – Goran Marby, CEO of DNS overlord ICANN, sent a letter [PDF] to each of Europe's 28 data protection authorities (DPAs) asking them to hold off punishing it over Whois. Whois is a set of databases of domain-name owners, overseen by ICANN, and it …

  1. Anonymous Coward

    The other course of action would be for ICAAN to stick 2 fingers up at the EU and say, "No public details, no domains" and just ban anyone from the EU owning/registering a domain unless the issue gets solved.

    Sit back and wait for the explosions, pass the pop-corn someone please.

    1. Lee D Silver badge

      That's a good way to lose 50% of your revenue overnight, not to mention be involved in hefty lawsuits (with governments no less, let alone corporations), and to instantly lose your claim to being an international institution.

      You think that if they did that, the EU wouldn't be able to set up a bunch of rootservers overnight, inform all their registrars that they were the definitive rootservers for the EU domains now, and then ICANN wouldn't be forced to offload all queries for .uk, .eu, .fr etc. to those servers in order to restore connectivity?

      People forget just how large a market the EU is. In many cases it generates American companies more revenue than the continent of America itself.

      1. Anonymous Coward

        "People forget just how large a market the EU is."

        i.e. it has a greater GDP and a larger population than the USA,

        1. mutin

          The World is still bigger than EU

          Let EU do its own domains and the rest of the world will stick with the US. So far only EU rulers objected to the current system on the grounds of its own regulation. So, keep your regulation for yourself (EU) and do not disturb other people who are OK with the current system.

          1. JohnFen Silver badge

            Re: The World is still bigger than EU

            "keep your regulation for yourself (EU) and do not disturb other people who are OK with the current system."

            Just because someone isn't in the EU doesn't mean they're OK with the current system.

          2. Anonymous Coward

            Re: The World is still bigger than EU

            "Let EU do its own domains and the rest of the world will stick with the US"

            Far more likely the rest of the world would follow. The EU is after all a larger trading block with greater global influence.

      2. Anonymous Coward

        "People forget just how large a market the EU is. "

        "People forget just how large a market the EU is. " , let me re-phrase that for you ...

        Yanks are ignorant as to how large a market the EU is.

        Putting the obvious Brexit jest comments aside for a moment, I suspect you would not find many people outside the US who don't readily realise what a large market the EU is.

        The problem is yanks are brainwashed from a young age into some weird mid-20th century 1950's dreamland picture of America.... you know, the days when the president actually was a role model and deserved respect, when the economy was thriving, when America really *was* "the land of the free" and when people were actually nice to each other and didn't shoot each other every two minutes.

        The trouble is whilst America has been busy telling itself it's the best, the world has moved on.

        America's attitude to this world ? Adapt ? Hell no. Let's just use what's left of our financial might to shit on everyone else's heads and bully them into submission. And that has never been more the case than with the current "America First" administration.

        Rant over !

      3. Doctor Syntax Silver badge

        "You think that if they did that, the EU wouldn't be able to set up a bunch of rootservers overnight"

        Well, just a single rootserver for all the domains, fragmentation wouldn't be good. And easy enough to stand one up. Just select one of the current mirrors and make that definitive. I doubt the EU itself would even need to do anything. If the European registrars haven't got together and hatched a contingency plan for this I'd be surprised. The old saying is that the internet routes round damage; ICANN is starting to look like damage.

        1. The Nazz Silver badge

          Just imagine if Domain Registry was a "sport"

          You would have several countries/cities/local councils (certainly here in the UK ) actually bidding obscene amounts of public money to be the special ones to *host* such a rootserver. Sod paying ICANN for the privilege.

          "ah, but it increases the local economy by £400m" they argue. Yep, a theoretical £400m that may or may not be spent in the area, and which, in fact, would more than likely have been spent away from the area in any event. Net gain < zero.

          For example, a midlands council having to outlay £400k of public money because a cycle race ( ha ha, a race indeed ), for the chosen 140 or so, passed along 6km of their area.

        2. Missing Semicolon Silver badge

          EU-only root servers

          While that allows EU citizens to look up EU addresses, .eu would cease to exist for the rest of the world. EU citizens would not be able to own .com addresses as the registrar would not be GDPR compliant.

          1. JohnFen Silver badge

            Re: EU-only root servers

            ".eu would cease to exist for the rest of the world."

            Only until the rest of the world updated their systems to query the .eu servers.

          2. Doctor Syntax Silver badge

            Re: EU-only root servers

            "While that allows EU citizens to look up EU addresses, .eu would cease to exist for the rest of the world"

            Who said anything about EU-only root servers? The rest of the world would be free to use them. And why would they set themselves up as just for EU domains? If the rest of the world decided to treat a non-US server as the definitive global root then either the US follows suit or .com etc, as you put it, ceases to exist for the rest of the world.

        3. Alan Brown Silver badge

          " ICANN is starting to look like damage."

          What do you mean "starting to", dear boi?

      4. mutin

        You simply do not understand how EU stuff works

        One cannot overcome a few people who think they are smart but were not smart enough to understand how what they invented will work. I mean GDPR and EU Commission. EU Commies are sitting on their hairs and feeling they are gods on Olympus. They expect everybody across EU and around the world will become compliant. Did they issue any recommendations how to do that in a form of a framework? No, they did not. But I DID. In 2012 when it was the draft. It is very complex implementation and 99% still have no clue that it is not about security controls but mostly about privacy controls. Very different story.

        So, shortly - one story is to write the regulation. Completely different story is to implement. Guys please come down to us from your EU Olympus and explain how to implement what you've invented.

        1. Doctor Syntax Silver badge

          Re: You simply do not understand how EU stuff works

          "Guys please come down to us from your EU Olympus and explain how to implement what you've invented."

          It's very simple. You do one of two things. One is you look at the rights it says data subjects should have and give the subjects those. The alternative is that you pay the fines.

          If you weren't abusing the data subjects in the past option one isn't that onerous. If you find it difficult it says a lot more about the operation you run than it does about the EU being out of touch.

    2. Warm Braw Silver badge

      ICANN don't register domains, the registrars contract with ICANN to offer that service to their customers.

      The GDPR will invalidate part of the contract between the registrars and ICANN insofar as it involves doing business in the EU - you can't be bound by a contract to break the law - but the rest of the registrars' contracts with their individual customers will remain in force.

      If the registrars fail to abide by the GDPR they will be prosecuted by the appropriate authority in the relevant EU country. If they withdraw their services they will be subject to claims for breach of contract by their customers and lose a significant part of their revenue.

      With luck, it will be ICANN that explodes, but the more useless and idle an organisation is, the longer it seems to persist in its irrelevance.

    3. Anonymous Coward

      The other course of action would be for ICAAN to stick 2 fingers up at the EU and say, "No public details, no domains"

      Right, right. Because Whois can't sort themselves let someone else fight over it.

    4. Anonymous Coward

      No public details, no domains

      That would make a good argument for the organisation to be disbanded and put under the control of a global body.

      1. Anonymous Coward

        Re: No public details, no domains

        I get a terrifying feeling of (inter)National Socialist deja Vu whenever I hear the phrase 'control of a global body'

        Having just finished reading 'Guns Germs Steel' the main conclusion is that Europe became dominant in technology because they were NOT under a single rule, Eurasia was the place where everything originated and spread, due to geography, but Europe was the place it carried on developing, because of geography.

        It's small countries separated by natural barriers.

        The EU is in fact counter evolutionary. It was the monolithic nature of Chinese bureaucracy and culture that allowed all the major inventions it made to be suppressed for millennia. We are seeing the same thing now with e.g. nuclear power in the EU.

        Wars push development at fearsome rates. The Internet is the response to a need for a missile proof command and control military network. The integrated circuit is the result of cold war missile development. So is GPS. The computer itself owes its origins to the need to crack advanced ciphers. The Jet engine to the need for advanced fighters and bombers.

        The EU likes to claim that it has kept the peace in Europe. But at what price? Europe is scarcely at the forefront of anything any more, except mass immigration.

        1. Pascal Monett Silver badge

          Re: "Europe is scarcely at the forefront of anything any more"

          Yeah, because having the most reliable and most powerful space launcher technology, which demonstrates a wide swath of technological and industrial expertise, counts for peanuts.

          Go back to your Fox News now, everything will be all right.

          1. Anonymous Coward

            Re: "Europe is scarcely at the forefront of anything any more"

            Also, US has depleted the reserve of German scientists and engineers who propelled its technology in the 50s and 60s... the rest mostly came from UK.

        2. Anonymous Coward

          "Europe is scarcely at the forefront of anything any more,"

          It's ironic really that you put that phrase after a paragraph of American examples from the last century !

          The internet ? Last century.

          ICs ? Last century.

          GPS ? Last century.

          Jet Engine? Last century.

          I would say going by that list, the US is "scarcely at the forefront of anything any more" !

          And if you want to play the last century game, two can play at that game:

          The internet is American you say ? Tim Berners-Lee, Cailliau one or two others may wish to have a word.

          The LCD monitor you typed your comment on ? That would be a British invention.

          That ARM processor that's in any number of gadgets surrounding you? That would be a British invention.

          The space suit ? That was not invented on US soil.

          Cinematography ? The US may have Hollywood, but the Europeans invented the technology.

          Submarines ? The US boast about their submarines. The invention ? Yup, European.

          Telephones ? What's that ? You forgot about some Scottish chap called Graham Bell ?

          Loudspeakers ? That would be a European invention.

          Printing press ? That would be European.

          Glasses ? Contact Lenses ? Yup... European

          Parachutes ? Yup.. European

          Need I go on ?

          Oh, perhaps one more ....

          Irony of all ironies ....

          The bullet proof vest.

          That would be a European invention.

          1. Stoneshop Silver badge

            Re: "Europe is scarcely at the forefront of anything any more,"

            a paragraph of American examples from the last century !

            [...]

            Jet Engine? Last century.

            Eh, neither Frank Whittle nor Hans von Ohain were US citizens or even residents at the time they developed the first jet engines.

            1. Anonymous Coward

              Re: "Europe is scarcely at the forefront of anything any more,"

              "Eh, neither Frank Whittle nor Hans von Ohain were US citizens or even residents at the time they developed the first jet engines."

              Thanks for the correction ! I kinda knew that in the back of my mind when I wrote the above reply, but the primary point I was making was about "last century". You are quite right though, I should have pointed it out.

              The Americans probably think they invented the English language too. ;-)

          2. Doctor Syntax Silver badge

            Re: "Europe is scarcely at the forefront of anything any more,"

            "Jet Engine?"

            Cough. Frank Whittle. Cough.

        3. Stoneshop Silver badge

          Re: No public details, no domains

          It's small countries separated by natural barriers.

          If you look at the amount of trade and, with it, exchange of people and information that happened as far back as the 12th and 13th century[0], then those natural barriers apparently weren't as much of a hindrance as you think they were. And while there are some major natural barriers[1] between a couple of European countries, going by their borders at various times in history, barriers at least similar to those are often slap bang in the middle of several countries.

          [0] easily twice as far back as that colonisation stuff in what's now the US.

          [1] never mind that the technology that made those barriers much less of a bother has been doing just that for at least a century.

        4. Anonymous Coward

          Re: No public details, no domains

          The computer itself owes its origins to the need to crack advanced ciphers.

          Best we dig up Charles Babbage and let him know.

      2. Doctor Syntax Silver badge

        Re: No public details, no domains

        "That would make a good argument for the organisation to be disbanded and put under the control of a global body."

        That global body would be the ITU. There are a number of governments wanting to do just that with the internet. That should be enough to concentrate ICANN's mind. ICANN's mind? What a strange concept.

    5. Anonymous Coward

      They seemed to have missed the simplest solution - just turn off Whois. It's mostly just used by copyright cartels to sue people anyway.

      1. james_smith

        "They seemed to have missed the simplest solution - just turn off Whois. It's mostly just used by copyright cartels to sue people anyway."

        Seems to be mostly used to spam domain owners with dubious offers of web design and SEO work.

        Yes, I forgot to tick the privacy option for one of the domains I host. Doh.

      2. Doctor Syntax Silver badge

        "It's mostly just used by copyright cartels to sue people anyway."

        I think what you're saying is that you haven't worked out how to use it for your own benefit. E.g. to check on the origins of a suspicious email? If you haven't I can assure you many of us have. It belongs with ad-blockers and Noscript as part of our everyday internet security measures.

        1. Fazal Majid

          The public data in WHOIS is so often obfuscated as to be useless. Copyright lawyers have access to a private database with full details, that’s what this whole debate is about.

          ICANN’s delusion is because they are used to the capricious arbitrariness of (British-inspired) Common Law rather than the rules-based (Roman) Civil Law where judges don’t have the latitude to give their buddies or fellow members of the elite a break just for the asking.

        2. JohnFen Silver badge

          You actually trust the accuracy of the Whois database?

        3. Ken Hagan Gold badge

          "E.g. to check on the origins of a suspicious email? "

          Given the large numbers of people posting here who report that they've pushed complete crap into the WHOIS database and got away with it because there is exactly zero budget for checking user-submitted data, just exactly how do you use the information to check on anything? Particularly when the only thing you know about what you are checking is that it seems suspicious. It's like asking someone "Are you a crook?" and expecting a useful answer.

          1. Doctor Syntax Silver badge

            "just exactly how do you use the information to check on anything?"

            Big hint: you can whois IP addresses as well as domains.

        4. TheVogon Silver badge

          "you haven't worked out how to use it for your own benefit. E.g. to check on the origins of a suspicious email?"

          Seeing as the vast majority of dodgy emails originate from hacked boxes and botnets Whois is of close to zero value for that. Not to mention that much of the data is inaccurate, set to private, or simply resolves to large ISPs and hosting providers.

      3. Mark 85 Silver badge

        They seemed to have missed the simplest solution - just turn off Whois. It's mostly just used by copyright cartels to sue people anyway.

        Exactly. How hard can it be to turn off the display of the fields that need to be hidden? For those that get access to the full Whois, turn the fields on for them when they log in.

        I would think that if they had cut out a few trips to exotic locations for "fact finding" and "discussions" and then actually thought about it, that the problem would have been solved by now.

      4. Yes Me Silver badge

        ... mostly just used by copyright cartels

        It's mostly just used by copyright cartels to sue people anyway.

        No. It may well be used for that, since a lot of people seem to think that the copyright laws don't apply to them personally, but it's intended for use to fix operational problems by identifying the responsible operator for an address block or a domain. (As I said re a previous story, which people don't seem to get, judging by the number of downvotes.) It's true that you don't need a personal name to provide that; it could be BOFH@example.co.uk, but that hasn't been the historical approach since whois was invented 30+ years ago.

        Doesn't change the fact that ICANN is heading for a fall on this.

    6. james_smith

      "The other course of action would be for ICAAN to stick 2 fingers up at the EU and say, "No public details, no domains" and just ban anyone from the EU owning/registering a domain unless the issue gets solved."

      And cut off the US from the largest trading bloc in the world? (EU has a GDP of 20 trillion dollars, versus 19 for the US and 12 for China).

      1. Jaybus

        "And cut off the US from the largest trading bloc in the world?"

        It wouldn't cut anybody from anything. WHOIS could be turned off completely and hardly anyone would notice. They should just limit it to showing only the owner and registrar names. Nobody needs all the rest of the info anyway, and surely GDPR is not about secretly-owned domain names. If it is, then why should the rest of the World be subjected to this level of paranoia?

    7. Doctor Syntax Silver badge

      "The other course of action would be for ICAAN to stick 2 fingers up at the EU"

      Fair enough, but what does ICANN have to do?

    8. Stoneshop Silver badge

      The other course of action would be for ICAAN [sic] to stick 2 fingers up at the EU

      ICANN is essentially a US organisation, so that would be a single, middle, finger.

    9. Teiwaz Silver badge

      ICAAN to stick 2 fingers up at the EU and say...

      That would involve ICAAN actually pulling said fingers out of its arse first.....

      Provided it manages to beg enough time to work out how.....

      1. I ain't Spartacus Gold badge

        ICANN tell you that...

        It's not ICAAN.

        The correct name of the organisation is ICAN'T

        Apparently just making it policy that the registrars aren't allowed to charge for the privacy policies they already offer is so hard that it's taken them years to fail to come up with as their new policy.

        I think it's all that first class air travel and free champagne does it. It rots the brain I tell you. That's why I stick to walking and Special Brew...

    10. JohnFen Silver badge

      "Sit back and wait for the explosions"

      What you'd hear wouldn't be the sound of explosions. It would be the sound of ICANN imploding.

      1. Anonymous Coward

        "Sit back and wait for the explosions"

        What you'd hear wouldn't be the sound of explosions. It would be the sound of ICANN imploding.

        Oh but I had the joy of hearing lots of explosions, what I really love is the whizzzzzzzzzzzzzz noise keys make as they try to break the sound barrier while exiting keyboards.

        The only pity is I hate popcorn, still can't have everything.

  2. LDS Silver badge

    Special process...

    I'd suggest to organize forcefully their next meeting in a Brazilian favela, or near a toxic dump in Africa, in a refugees center on some Mediterranean island, or in a base at the South Pole now that Winter is coming. And don't let them out until a solution is found. I'm sure they will come up with it in far, far less than one year.

    1. ArrZarr Silver badge

      Re: Special process...

      To be fair to ICANN, although god knows they don't deserve it, they have a solution already, it's implementation time that's the stickler.

      1. Doctor Syntax Silver badge

        Re: Special process...

        "it's implementation time that's the stickler"

        Just start proceedings next month and you'll be surprised how short implementation time can be.

      2. Stoneshop Silver badge

        Re: Special process...

        it's implementation time that's the stickler.

        Indeed, finding those particular printf statements so that private data is not printed, and replacing them with the registrar's contact data is a Herculean task beyond the capabilities of the most competent programmers[0].

        [0] employed by ICANN, that is, as they're just a bunch of pen-pushers.

        1. Danny 14 Silver badge

          Re: Special process...

          NOMINET didn't seem to have any issues implementing a hide-from-public-but-not-from-law agencies. Not sure why ICANN can't do the same thing.

  3. ratfox Silver badge

    We're going to need a bigger bag of popcorn

    It's always fun when organizations pretend that the law doesn't apply to them, and especially so when it's ICANN.

    1. Pascal Monett Silver badge

      Re: It's always fun when organizations pretend that the law doesn't apply to them

      Only when their fairy-tale comes back and smacks them in the teeth, which doesn't happen nearly often enough to ICANN.

      In fact, I do believe that this is the very first time ICANN has taken anything in the teeth. So to see it happen so very publicly and without any of the usual "don't care, we decide it doesn't apply to us" attitude is indeed very satisfying.

      1. I ain't Spartacus Gold badge

        Re: It's always fun when organizations pretend that the law doesn't apply to them

        I really hope the first European regulator gives them both barrels with the first fine. Normally I believe organisations should be given time to comply, and a recognition that they're working on a solution (if belatedly) does deserve to be taken into account.

        But in this case it's an organisation with a government advisory committee to tell it that they're doing it all wrong. There really is no fucking excuse.

        Hitting their bonuses is probably the only way to make the ICANN Board sit up and take notice. Or perhaps a few swift punches to the face at the next ICANN meeting might be in order?

        1. EnviableOne Bronze badge

          Re: It's always fun when organizations pretend that the law doesn't apply to them

          They were given plenty of time, the Legislation was finalised on 25 May 2016, and comes into force on 25th of May 2018, so a nice two years they've been sitting on their thumbs!!!!

          I hope they get hit with the Max fine by all 28 Authorities for all domains owned by eu nationals.

          their T/O $256.7 million YTD (eo 3qY17) and Q4 is likely to add another $45 million to that.

          which would make their Max Fine just the stated 40Million Euros (4% of revenue is only $12m)

          or just under 50Million USD

          1. Anonymous Coward

            Re: It's always fun when organizations pretend that the law doesn't apply to them

            "the Legislation was finalised on 25 May 2016, and comes into force on 25th of May 2018"

            Strictly speaking they were almost certainly in breach of the DPD as well, and that particular piece of legislation was adopted in _1995_. ICANN have been repeatedly told time and time again by their European members that their data protection procedures were not up to scratch, since at least 2003.

            What has really changed is that now the EU data protection authorities have the power to fine ICANN rather a lot of money. This is really an illustration of why GDPR has the otherwise ridiculous scope and strength that it does - if it wasn't globally applicable and if the fines weren't huge, no one would give a shit.

        2. JohnFen Silver badge

          Re: It's always fun when organizations pretend that the law doesn't apply to them

          "Normally I believe organisations should be given time to comply"

          Me too. And ICANN had plenty of time to comply. They just decided to waste the majority of that time doing nothing, and so they shouldn't be given any special consideration.

          If they had begun the effort in good faith and ran into some sort of implementation difficulties that delayed compliance, that would be a different matter, but this is just them getting tripped up on their own arrogance.

          1. Doctor Syntax Silver badge

            Re: It's always fun when organizations pretend that the law doesn't apply to them

            "They just decided to waste the majority of that time doing nothing"

            I don't think they were doing nothing. I think they were actively pretending it didn't exist.

  4. mark l 2 Silver badge

    They keep rolling out the line about law enforcement requiring access to the Whois records, there is absolutely no reason why law enforcement can't see the owners of the domain even without a public whois database, they simply have to get a court order and approach the registrar through the correct legal channels. Just as if they wish to find out who owns a mobile phone number they have to approach the telecoms provider for billing info.

    And getting the owner details for a domain direct from the billing information held by the registrar would give them more accurate information than what is in the whois anyway, since a lot of registrars offer privacy registrations where the owner's info isn't published publicly.

    1. Gordon 10 Silver badge

      I doubt they even require a warrant -from a GDPR perspective at least - there are access clauses for Legal and Regulator Enforcement. I would also doubt WhoIS access ranks large on Plod evidence gathering lists - bar a few fraud and cyber crimes.

      1. Doctor Syntax Silver badge

        "I doubt they even require a warrant -from a GDPR perspective at least - there are access clauses for Legal and Regulator Enforcement."

        What's really upsetting their constituency - IP* lawyers - is that that's probably not going to allow fishing expeditions.

        * Not Internet Protocol!

        1. Stoneshop Silver badge

          IP* lawyers

          * Immense Plonkers

      2. Anonymous Coward

        I would also doubt WhoIS access ranks large on Plod evidence gathering lists

        But it used to feature ... after all it was complaints from Plod that .co.cc Whois details were "inaccurate" (= largely fictitious) that got Google to voluntarily delist .co.cc from their search results with the intended effect that .co.cc should cease registrations. It duly collapsed.

        Very chipper from that success, Plod then announced that they were going after sub domains, and wanted full and truthful info in Whois for that as well. That seems to have stalled a bit!

        All domain registrars now have a paragraph in their Ts&Cs saying that to feed them porkies for the Whois info is a service terminating breach. I wonder why, if Plod isn't using the info.

      3. TheVogon Silver badge

        "I doubt they even require a warrant -from a GDPR perspective at least - there are access clauses for Legal and Regulator Enforcement."

        They likely will need to follow due process. The UK's current warrantless access to ISP records was found to break EU law this week.

  5. TrumpSlurp the Troll Silver badge

    Interesting wording

    Suggesting that as ICANN are proposing a viable fix the initial penalties might recognise this. Perhaps a smaller fine followed by a huge one if they miss the proposed timescales?

    1. Christoph Silver badge

      Re: Interesting wording

      "The GDPR does not allow national supervisory authorities nor the European Data Protection Board to create an 'enforcement moratorium' for individual data controllers,"

      I.e., no. They can't have the law bent for their personal convenience.

      1. Boothy

        Re: Interesting wording

        You seemed to have missed this bit:

        Quote: "Data protection authorities may, however, take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving such complaints."

        Which seems to imply that if ICANN can demonstrate they are actively working on compliance, even if not compliant yet, that would, or could, be taken into account.

        It also seems to indicate that they'd only start looking into this, after receiving actual complaints against ICANN. i.e If no one complains, then they won't do anything against ICANN.

        1. I ain't Spartacus Gold badge

          Re: Interesting wording

          That's a double meaning right there. We're taking into account your desperate efforts to comply vs. we're taking into account your pisspoor efforts at proper governance despite the fact we've been warning you about this since 2003! Because they've never been in compliance with previous data protection laws either, as the statement implies.

          Also there will be a complaint on day 1. Some campaigner will do a quick WHOIS search and send off his letter. In fact, I might consider it, just as revenge for the spam I've had to tidy up due to our registrar charging for anonymous details. It was the most minor of annoyances, because almost no spam makes my inbox, but that's not the point...

          1. Fazal Majid

            Re: Interesting wording

            Yes, many consumer groups like La Quadrature du Net have their class-action complaints ready for May 25, but their focus today is Facebook and Google.

        2. TheVogon Silver badge

          Re: Interesting wording

          "Which seems to imply that if ICANN can demonstrate they are actively working on compliance, even if not compliant yet, that would, or could, be taken into account."

          I don't think that's going to be accepted as a mitigation seeing as they had 2 years to be ready for this. And as it's clear they now realise the implications of GDPR, to carry on as is would likely be considered willful infringement.

    2. Doctor Syntax Silver badge

      Re: Interesting wording

      "Perhaps a smaller fine followed by a huge one if they miss the proposed timescales?"

      That would have to be decided by individual regulators on a case-by-case basis. But a general concept of a moratorium would be impossible for the simple reason that if you grant it to one you'd have to grant it to all. The date has been known for years in advance. Just because they chose to ignore it, it doesn't go away and they've absolutely no excuses to ask for any leeway.

    3. TrumpSlurp the Troll Silver badge

      Re: Interesting wording

      Just to add that there seems to be a misunderstanding of the difference between a moratorium and enforcement with flexible fines.

      I would guess that this may be the preparation for a bit of political compromise where fines are levied to establish the validity of the new rules, but not at a level that is so immediately crippling as to permanently damage the whole infrastructure.

      Fines may even be levied then suspended (like a suspended sentence) on condition of good behaviour.

      The end game is to get the whole thing fixed, not just to revel in ICANN getting a very justified shoeing.

  6. Anonymous Coward

    Does this mean that any web site "guest book" cannot show people's email addresses - unless they have ticked a box when submitting the comment? That's easy enough to add.

    What about existing entries? Do they have to be redirected via the web master to forward any correspondence?

    Thinking here about non-commercial special interest sites.

    1. Gordon 10 Silver badge

      Most sites that do that kinda stuff are posting out a re-register/opt out email.

      1. Anonymous Coward

        "Most sites that do that kinda stuff are posting out a re-register/opt out email."

        Our old school Guest Book entries go back nearly 20 years. Many of the email addresses will have long since changed - or their owners are dead.

        I'll probably redirect the links to the web master with a suitable subject and content identifier. Should anyone ever want such a contact - then I can see if the original form email is still in the off-line audit trail.

        1. EnviableOne Bronze badge

          Ahh but GDPR states that the controller has to keep info accurate and up to date.....

          1. Richard 12 Silver badge

            Or just delete it

            Seriously, if it's that old then it's worthless anyway so just delete it.

    2. Doctor Syntax Silver badge

      "Thinking here about non-commercial special interest sites."

      You're right. If this option isn't provided for in the S/W running them, either the S/W is going to need an update or that feature will need to be turned off. The BT community kit, which is one option for this sort of site, has a tick-box for this.

    3. TheVogon Silver badge

      "What about existing entries?"

      GDPR means they have to seek informed consent for all data and opt in by default is not permitted. One nice side effect of that is all those ticked by default "please fill my inbox with spam and sell my data to anyone that wants it" tick boxes on ecommerce sites - that often retick themselves every time you change anything on the page - are now illegal.

      1. Anonymous Coward

        And by now, we mean 25th May.

  7. Terje

    Why on earth would someone wave around the fact that they have been general manager of the Swedish Post and Telecom Authority as something positive? The only times I ever hear about them is because they are failing miserably to do what they are supposed to. But I guess moving from one malfunctioning organization to another is not such a big step.

  8. Comedy of Errors

    What's the problem?

    I feel I am missing something. Just replace all the existing email addresses with an ID number. That ID relates to a list of real emails in a private database. Job done.

    They can worry about who gets access to it later.

    1. Steve K Silver badge

      Re: What's the problem?

      Which is what you have been able to do for a long time for personal (i.e. non-business) domains - for an additional fee - with many registrars

    2. Anonymous Coward

      Re: What's the problem?

      It's not as simple as masking the public email address. They need explicit consent to hold the email address in the first place, regardless of how it can or cannot be accessed, as well as explicit consent to hold all the other personal data they have such as names, addresses, etc.

      1. Gordon 10 Silver badge

        Re: What's the problem?

        That's also fairly simple to resolve. You just mail the Domain admin and ask them for consent, and move no-replies to a parking lot with generic information.

        Very little Data Privacy legislation requires an explicit delete (i.e. see Windrush), just that you have made reasonable attempts to comply. As long as you can show it was done on a risk-based approach with a decision framework you will be fine, i.e. the owner's potential loss on deleting their data and registration was greater than their loss of fairly low-risk PII.

      2. Doctor Syntax Silver badge

        Re: What's the problem?

        "They need explicit consent to hold the email address in the first place"

        The email address would be needed as part of the provision of the service to communicate with the registrant. It's making it public that's the crux.

      3. Chris 3

        Re: What's the problem?

        Having at least one contact for the domain sounds to me as if it is fundamental to the business of running the domain, so the lawful basis for collection wouldn't be consent - it would be contract:

        * Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

        Consent would be required for public display of the data.

  9. James Anderson

    I don't get it.

    When you register a company you need to list the directors and shareholders at Companies House (or equivalent) and this information is available publicly, as the public has a right to know who they are dealing with.

    Why is domain name registration any different? Surely I should have the right to know who actually owns a domain name so I can report them if I believe their activities to be illegal?

    1. Christoph Silver badge

      Re: I don't get it.

      If their activities are illegal then presumably law enforcement can apply to the registrar for the ownership details once you have reported them?

    2. illuminatus

      Re: I don't get it.

      The problem is legislative:

      Companies are not "natural persons". But their directors are. However, the details of directors (or at least name and a given point of contact) must be provided to Companies House, which is public, to comply with the terms of company law, and GDPR allows such information to be published if it is to comply with specific legislative requirements.

      Domains may be registered by companies, but also to individuals. They are "natural persons" under GDPR. For instance, I own a domain. When I look my information up on whois, my name is exposed, but my address is not, because as an individual, I could choose to have Nominet screen my address out.

      For a company, the contact need not necessarily be an individual, but a role within an organisation, and that information would need to be exposed, because it's not for a "natural person", but a role.

    3. The Mole

      Re: I don't get it.

      Because a domain name registration isn't a company.

      Registration and accounts need to be given to Companies House primarily so people can make significant financial decisions based on that knowledge (giving credit, paying up front) in a b2b type relationship. It isn't typically intended for end consumers, as typically consumers don't use it. For doing business with websites you don't need the whois information. It is already the law that companies must display their contact details and registration on the website. For the remaining websites, this is no different to interacting with market traders, Jo Bloggs at a car boot sale or that guy in the pub; they don't need to register at Companies House and there is no reason why you should know where they live. Also note Companies House doesn't require direct contact information; typically it will be to a registered office at a law firm or office space.

    4. Doctor Syntax Silver badge

      Re: I don't get it.

      Very simple.

      Companies House data is statutory and statutory data isn't covered by GDPR.

      Whois data isn't statutory data and is covered by GDPR.

      Sigh. Not the first time I've posted this and I don't suppose it will be the last.

    5. JohnFen Silver badge

      Re: I don't get it.

      "Why is domain name registration any different?"

      Because domain name registration is a different thing than starting a corporation. A corporation is a grant of special governmental privileges. Registering a domain name is linking a human-readable name to an IP address.

      And what about domain names that aren't for commercial purposes? I have a number of domain names myself -- none of them for commercial purposes -- and if my real name and address were publicly available, then I can be put in real danger by putting something up on my web site that angers a psychopath.

    6. Graham Cobb

      Re: I don't get it.

      Why is domain name registration any different?

      Because a domain name is not a company. It is an address. I do not need to display my name and phone number as I walk around or put my name on my front door. I don't even need to tell them to someone who talks to me in the street (or someone I telephone). Why should I need to tell them to someone who talks to me on the internet?

      1. Jaybus

        Re: I don't get it.

        OK. But it is a two-way communication, so more like a phone number than a street address. If someone you don't know walks up to you on the street and starts talking to you, what is the first thing you ask? Probably "Who are you?" Same thing when someone you don't know phones you, emails you, messages you, etc. I see no reason for anonymous domain names. Just the name, mind you. The myriad other info is not needed and shouldn't exist in public WHOIS.

  10. }{amis}{ Silver badge

    Best Outcome

    I look forward to ICANT violating the GDPR. I hope they get smacked with the maximal fines.

    That way the current crap heap of a company goes under and a proper international organisation can be set up in its place.

    How the hell a private company ended up even more bureaucratic and useless than an episode of "Yes Minister" I hope I will never know.

    1. Doctor Syntax Silver badge

      Re: Best Outcome

      "a proper international organisation can be set up in its place."

      Be very careful what you ask for. That "proper international organisation" is waiting in the wings. It's the ITU. Lots of governments would like to get their hands on control of the internet and this would be how they'd do it. An arm's length organisation like ICANN is better than that although what's needed is an arm's length organisation unlike ICANN. Or even a completely independent organisation.

    2. Alphebatical

      Thanks, Obama!

      ICANN was under the United States Department of Commerce until just a few years ago. It might not have formally been a government agency in and of itself, but it might as well have been. Since it was never hurting for money, there was never any real reason for it to change until this particular hammer fell and reminded them that governing the internet doesn't insulate you from the will of government bodies.

      That said, I've gotten the impression that we wouldn't be having this conversation if ICANN were still owned by the USDOC, since they could make an argument that they were an official regulator. It certainly would've been more entertaining to watch, at least.

  11. EastFinchleyite

    Ring any bells?

    This account is strangely reminiscent of the Brexit negotiations. Underlying what is going on is the view on ICANN's part that better negotiation tactics, and changed wording of your demands and objectives will somehow achieve what has previously been refused. The UK Government is following the same course with the EU over Brexit. I suspect that the idea that Politics is just another form of Business and you can be a "winner" by better negotiating is the cause of the problem.

    In this case GDPR requirements and ICANN objectives are incompatible. One will have to give and the EU DPAs have said that it isn't going to be them. To call ICANN's response Ostrich-like head-in-the-ground would be unfair to Ostriches.

    1. Anonymous Coward

      Re: Ring any bells?

      "Underlying what is going on is the view on ICANN's part that better negotiation tactics, and changed wording of your demands and objectives will somehow achieve what has previously been refused."

      Errm....

      Not really.

      Brexit is a negotiation over an undefined matter.

      GDPR is something that was first well defined in Brussels, and then further well defined and enshrined into law in all the European countries.

      One is negotiable. The other isn't.

      1. Rob D.

        Re: Ring any bells?

        > Not really.

        The similarities are beautifully striking though - faced with a set of established constraints (GDPR or the continued existence of the EU to the benefit of its members), a party at risk of being outside and on the receiving end of the negatives/penalties (ICANN or the UK), said party decides to start making fanciful, inconsistent requests (moratorium or cake-and-eat-it) solely for its own benefit through some assumed superiority and those requests just get laughed out of court.

  12. mikecoppicegreen

    Deadlines

    "I just love deadlines, I love the rushing sound they make as they dash past" - to quote Douglas Adams!

    1. Stoneshop Silver badge

      Re: Deadlines

      Well, it looks like this particular deadline isn't going to whoosh past, although ICANN would very much like it to. Instead it's heading straight for their private parts at considerable speed.

    2. David Nash Silver badge

      Re: Adams on Deadlines

      Nearly.

      5 seconds on Google found the actual quote:

      “I love deadlines. I love the whooshing noise they make as they go by.”

  13. Camilla Smythe

    SEO spam..

    I registered a .co.uk and did not pay for 'privacy protection', that's probably a scam in itself. I discovered later that you can do it for free via Nominet. Unfortunately the e-mail used to register the name was no longer valid so I would have to pay Nominet a fee to confirm my identity. Too much faffing about and I was not really bothered.

    Of course as a result I get occasional SEO spam where it is obvious that my details have been scraped from WHOIS. They generally get sent off to SpamCop but there was one that came from what appeared to be a UK based company.

    So I use WHOIS to, cough cough, get the contact details and the owner lives in the same town as I do. I phone him up and ask him where he got my details from to which he replies from WHOIS. I ask him if he does not read the Terms of Use and he proudly tells me that he has written a program that automatically scrapes WHOIS so he does not get to see that so I read them to him. Basically 'Not for Marketing'...'No automated tools'.

    He says he will remove my details from his database. I've already looked up his 'company' on Companies House Beta. He is 19 and the company was registered 2 months ago. I suggest to him that things don't work like that and he should delete his database and find some other get rich quick scheme and leave this one to the Indians who are just as bad as he is in respect of spewing irritating spam but better at hiding their details.

    I also tell him I am not going to report him and what the consequences might be if I did but, if he does not change his ways, someone else might not be so kind. I leave it at that and have no idea whether he dropped the idea or continued but made a better effort to conceal his identity and carry on.

    1. I ain't Spartacus Gold badge

      Re: SEO spam..

      You could at least have signed him up for the Watchtower...

      Ordering a pizza on the hour, every hour, for 24 hours would probably be going a bit far.

    2. Anonymous Coward

      Re: SEO spam..

      Well it's nice to know what the bad thing from WHOIS is that GDPR is saving us from. Helps put it all in some perspective.

  14. Spudley

    Lots of ranting here about ICANN and Europe, but relatively little about the GDPR itself. Interesting.

    It is true that ICANN are looking pretty bad here; they've basically set themselves up as a big target for mockery (and potentially worse once GDPR kicks in) because they've had plenty of time to resolve the problem but have ignored it until it's too late to fix it in time.

    The thing is, they're not alone. They're the ones getting the press (at least here on El Reg), but there are thousands of organisations big and small that are going to fail at GDPR. Even many of the ones who are sitting smugly thinking they've got it sorted are going to fail.

    If the lack of preparation that I've seen is representative, then the world is going to be in for a massive wake-up call when the first fines start getting levied. With the level of fines available and the number of organisations out there that are completely ignorant of GDPR, I reckon the EU could probably cover its entire annual budget just through fines if it wanted to.

    That's obviously not going to happen (not least because it would have a massive economic impact), but what I would say is that there is a clear need for a moratorium on fines, at least to begin with. ICANN might be making themselves look foolish, but looking at the broader picture, they do actually have a point.

    1. Stoneshop Silver badge

      ICANN might be making themselves look foolish, but looking at the broader picture, they do actually have a point.

      No they don't. They've been plain ignoring the requirement for GDPR compliance, wishing it away by pretending it wouldn't apply to them, then latching onto a baseless belief they'd be granted an exemption. And now, with just a month to go, it's "Waaah, we can't fix this in so little time. Please don't punish us, ahplease.".

      They need to suffer the consequences of their attitude and lack of action. Whether, and to what extent other organisations are trying to be in compliance or not is not relevant.

      1. Spudley

        No they don't. They've been plain ignoring the requirement for GDPR compliance, wishing it away by pretending it wouldn't apply to them

        Yes you're right, they have. But so have many *many* others. And many others just don't even realise it applies to them. And many more think they're okay but aren't.

        It's going to be a mess, and there really does need to be some kind of grace period where companies can get caught and told to sort things out, but not necessarily get stung for the fine, because those fines could cause some serious damage if they're doled out to every offender from day one.

        1. Doctor Syntax Silver badge

          "It's going to be a mess, and there really does need to be some kind of grace period where companies can get caught and told to sort things out, but not necessarily get stung for the fine, because those fines could cause some serious damage if they're doled out to every offender from day one."

          In practice regulators aren't going to be able to follow up all complaints so they'll have to make choices. Hopefully it'll be a case of chase a few particularly egregious examples first and have a warning letter system for the small fry. When they have the resources they can then follow up on the warning letters and see if they've got into compliance.

          But on the wider issue of not being aware etc. companies, charities, societies etc. generally have a good idea of the accounting, statutory reporting and other rules that apply to them. When you ignore the hype this is just another of those rule sets to be incorporated into BAU. As with the other rules some organisations will fail, deliberately or otherwise; of those that fail some, as with the other rules, will get lucky and not be caught while others are penalised. It will all become the new normal.

  15. Jonathan Richards 1

    Contact email

    > an anonymized email address for every domain name owner so people's real email addresses are not published online.

    Isn't that just postmaster@example.com (SMTP) or webmaster@example.com (HTTP, HTTPS) ?

    RFC 2142: MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS IETF, May 1997 (emphasis added)

    1. JohnFen Silver badge

      Re: Contact email

      It should be, but a large percentage of domains don't implement those email addresses.

  16. kain preacher Silver badge

    Me personally there was never a need to make this info public. If you need to get a hold of the owner of a domain contact the people that registered it. If there is a legit need then pass it on to the owner. This smacks of well this is how we always did it (tradition) and now one is going to make us change.

  17. Anonymous Coward

    Yes,but no, but...

    The GDPR does not prohibit publishing personal data without consent. It requires a legal basis for processing. ICANN WHOIS has to rely on “legitimate interests” of 3rd parties because it has no statutory basis. EURID WHOIS can rely on “public function” because it does.

    Eurid carried out the balancing exercise between individual and collective interests (in consultation with the Commission and the Belgian DPA) and announced their new policy which includes email addresses on the same day WP29 told ICANN they could not. ICANN had repeatedly ignored the requests of WP29, the EU, GAC and others to carry out such an impact assessment.

    DPAs are interpreting the text, not making the law. DPAs have been wrong before and will be wrong again. Courts decide. Politicians respond. DPAs take note. Reread the journey of the US-EU privacy shield.

    Believing that salvation lay with the DPAs was indeed magical thinking. ICANN’s responsibility was to stand up for a position and thereby defend the multi-stakeholder model. That has been their real failing beyond being 6 years late to look outside its bubble. They are not alone in the latter.

    The USG has some responsibility for not being firmer sooner. Given dot US is not heavily used, the prospect of dot com having to change against USG express wishes because of EU rules and their interpretation looks again like they need to dust down the “privacy shield” playbook used to fix the broken “safeharbor”.
