back to article Domain name sellers rub ICANN's face in sticky mess of Europe's GDPR

Internet domain-name sellers have turned the tables on global DNS overseer ICANN by using its own tactics against the hapless organization. In a letter [PDF] to the California-based organization sent the day before it finally approved a "temporary" policy for the Whois service to bring it into compliance with new European …

  1. Gene Cash Silver badge

    > there is very real risk that someone will formally complain about the Whois service

    You mean like El Reg...? Go git 'em!

    Any excuse to beat ICANN with a stick is a good one.

    1. Will Godfrey Silver badge

      Do we have to use a stick? The stick never did anything wrong. Can't we just use one of their own directors to whack then with?

      1. Danny 14 Silver badge

        anyone can do it. I can see facebook google icann etc all getting hit on the 25th May.

        1. Jamie Jones Silver badge
          Facepalm

          I had to re-read that. My first reaction was "Why would Facebook want to google icann?"

      2. ds6 Bronze badge

        I imagine a man in a suit being used as a baseball bat to hit ICANN out of the park.

        I have been told I had an active imagination as a child.

    2. 404 Username Not Found

      I have a .me private domain, and live in the UK.

      I'll do it.

  2. Anonymous Coward
    Anonymous Coward

    Popcorn time

    See title.

    1. Wensleydale Cheese Silver badge

      Re: Popcorn time

      This could tunr out to be an armchair sport we can all participate in.

      No time for popcorn, too busy pondering what we can complain about

      <evil grin>

  3. Duncan Macdonald Silver badge

    Turn off WHOIS

    With GDPR and the stupidity of ICANN, the only reasonable alternative for registrars in europe is to turn off WHOIS - cut the data feed or replace the data with dummy lines saying "Removed due to GDPR". If ICANN complains then inform them that laws trump their contracts.

    (If a WHOIS service uses cached data rather than the dummy data, the service would be the liable party - not the registrar.)

    1. Doctor Syntax Silver badge

      Re: Turn off WHOIS

      "the only reasonable alternative for registrars in europe is to turn off WHOIS - cut the data feed or replace the data with dummy lines saying "Removed due to GDPR"."

      No need. My domain's whois entry does give my name but gives Registrant type as "UK Individual" and presumably will also replace my name with something like that in a few days time. For address it says "The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service."

      The TLD owner, Nominet, is quite OK with this. The Data validation field says "Nominet was able to match the registrant's name and address against a 3rd party data source". It's been like that for years.

      Other European TLDs can presumably adopt similar policies if they already haven't. I'd expect the US registrars to do so for European clients; their big problem would be with clients who have moved to Europe from elsewhere but not let the registrar know.

      1. Danny 14 Silver badge

        Re: Turn off WHOIS

        that wont work for a .com though. A .co.uk yes

        1. Doctor Syntax Silver badge

          Re: Turn off WHOIS

          "that wont work for a .com though. A .co.uk yes"

          That's up to the .com registrars. If they have registrants resident in the EU ther they're going to have to do something like that. It doesn't matter if the ICANN contract says they can't because statute law requirements override contract terms. It would not be lawful for the registrar to follow such a contract term.

        2. Dodgy Geezer Silver badge

          Re: Turn off WHOIS

          I have a .com. perhaps I should look into doing it? :)

        3. israel_hands

          Re: Turn off WHOIS

          that wont work for a .com though. A .co.uk yes

          It works fine for .com addresses. I've just confirmed it by checking my own. It was originally registered through GoDaddy and I just had to pay a few quid on top of the initial registration for in return for them obscuring my personal details. The only contact details listed on the site are GoDaddy's own. IF someone wants to contact me they've got to convince GoDaddy its legitimate first by contacting their abuse@ address. It was that or have every spammy twat out there being able to pull my details from a public registry.

          As of Friday I won't have to pay the extra, but it's always been possible to obfuscate domain ownership.

      2. Alan Brown Silver badge

        Re: Turn off WHOIS

        > For address it says "The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service."

        There are any number of scam domains/commercially active domains which have this in place too. I've been filing complaints with nominet about such things since around 2002-2003 when I first ran across them. (it takes all of 30 seconds to file a complaint by email).

        Invariably the scammy ones switch to a Mailboxes ETC address in the 14 days that Nominet give them to sort their shit out, which actually makes them even easier to track down, as MBE(*) franchise owners hand over _everything_ when served with a summons as the purported operator of the mailbox rather than become the target of a prosecution. It gets a little more complex in a criminal case, but in those, providing a heads-up to the boxholder would result in "attempting to pervert the course of justice" charge being added, so they're generally extremely cooperative when the police get involved.

        (Moral, hiding behind an anonymisation service draws attention and lowers protection levels)

        (*) There are other mailboxes services. They all roll over and play dead when the law gets involved. Their business model is frequently on the edges of legality and they can't afford to be shut down or have their customers investigated in depth.

    2. JoshRosen

      Re: Turn off WHOIS

      That is google's filthy sense of "compliance". They have shifted the responsibility to developers, so if there is something wrong they are not held liable and at the same time they continue collecting data and of course allowing the abuse by others, without the risk of being held responsible.

  4. John Crisp

    Piss ups and breweries

    Sorry but how long have they had to sort this out?

    Did someone say 2 years?

    Sympathy dial down to zero.

  5. Doctor Syntax Silver badge

    I like their style. After all they could simply have pointed out that statute law will overrule ICANN's contract clauses for data subjects in the EU and that's that. But throwing ICANN's language back at them is so much more satisfying.

    1. kain preacher Silver badge

      But with ICAAN stupidity they will either sue or terminate the contract.

      1. Doctor Syntax Silver badge

        "But with ICAAN stupidity they will either sue or terminate the contract."

        On what basis? That they want to enforce an illegal contract term. I said in an earlier thread that one remaining piece of information required was what the contract says about unenforceable terms: does it simply render the term unenforceable or does it negate the entire contract? Or, indeed, does it say nothing and how would a court interpret the resulting situation?

        1. kain preacher Silver badge

          Ha I nailed it. They are suing in Germany.

  6. J J Carter Silver badge
    Boffin

    In reality

    This says more about the unwanted and unnecessary GDPR regime dreamt up by Brussels pen-pushers and cheese eaters.

    1. Voland's right hand Silver badge

      Re: In reality

      A quick poll in the form of voting on your post will shortly inform you about wanted vs unwanted in the industry.

      Popcorn please.

    2. Dave Bell

      Re: In reality

      I think I prefer the EU attitude to personal data to that exhibited by the USA.

      I was around for the original green-card lawyers, and now I get spam emails begging me to let them send me spam. They have spent the years since the previous generation of EU law, implemented by the UK Parliament as the Data Protection Acts, finding new victims and new loopholes. And now they're going to have to do that all over again.

      'Bliss it was in that dawn to be alive

      But to be young was very heaven.'

      1. Alan Brown Silver badge

        Re: In reality

        " finding new victims and new loopholes."

        Royal Mail's loophole exploitation on optout of junkmail delivery (which expires after 2 years and is largely ignored by posties on orders from their managers) is so far holding up.

        That's one area which needs to be stomped on. It's the only remaining area where you have to opt out AND where the optout is time-limited.

    3. Anne-Lise Pasch

      Re: In reality

      Personally, I don't think GDPR goes quite far enough. But its a most excellent starting point, and much better protection than I expected.

    4. JoshRosen

      Re: In reality

      Unwanted? :D

      Are you a PII thief/broker?

      1. Charles 9 Silver badge

        Re: In reality

        I'm waiting to see what happens when the EU tries to levy a fine but can't due to a lack of EU presence and protection by foreign sovereignty. Will they order a blockade until they're forced to balkanize the entire Internet?

        1. Anonymous Coward
          Anonymous Coward

          Re: In reality

          “Foreign sovereignty” doesn’t seem to bother the US in the slightest when trying to take EU citizens’ data from data centres located in EU states.

          1. Alumoi

            Re: In reality

            “Foreign sovereignty” doesn’t seem to bother the US in the slightest.

            Full stop. That's all.

        2. Dan 55 Silver badge

          Re: In reality

          Are you suggesting that they currently don't pay taxes due to a lack of physical presence and protection due to a foreign sovereignty?

          Ate you suggesting no American corporation has been fined before in Europe?

          Or maybe they do have to follow laws and can get fined.

        3. Alan Brown Silver badge

          Re: In reality

          "EU tries to levy a fine but can't due to a lack of EU presence and protection by foreign sovereignty."

          It hasn't stopped the USA when using their long-arm statutes to go after european entities (and collect) and blocking the EU in the other direction would have serious knock-on effects for the status of american long-arm statutes both within the USA (interstate commerce) as well as internationally.

          In reality as long-arm statutes have been upheld multiple times in the USA supreme courts any attempts to nullify european ones would likely fail - and any success would be instant tradewars material.

    5. Anonymous Coward
      Anonymous Coward

      Re: In reality

      @J J Carter

      > This says more about the unwanted and unnecessary GDPR regime dreamt up by Brussels pen-pushers and cheese eaters.

      The European Union is a bureaucratic tyranny run for the benefit of France and Germany. But even they, like a stopped clock, sometimes get things right.

      GDPR (and previously the DPD) are examples of that.

      1. Dan 55 Silver badge
        Meh

        Re: In reality

        Thatcher came up with the Single Market, so perhaps it was run for the benefit of the UK too.

        But now we've shat the bed, definitely not any more.

  7. Trollslayer Silver badge
    Mushroom

    The US empire is slowly crumbling

    Or maybe not slowly.

  8. Anonymous Coward
    Anonymous Coward

    How about Companies House?

    Many IT contractors have their own companies, registered with Companies House. On the CH website, not only do they give the current directors addresses, but all former directors'. The filing history also details change of registered address.

    I wanted my home address to be less traceable, so moved my registered address to that of my accountants. However, the previous address still appears, and there's no way of deleting that. Surely not GDPR compliant?

    1. Spanners Silver badge

      Re: How about Companies House?

      Agreed. Not compliant.

      Check on Friday and kick up if necessary.

      Tell us how it goes if you do. ☠

    2. eldakka Silver badge

      Re: How about Companies House?

      > their own companies, registered with Companies House. On the CH website, not only do they give the current directors addresses, but all former directors'.

      There are specific laws around companies and providing information on the directors of companies. Directors are statutory positions, a registered company must, by law, provide names and contact information of a minimum number of directors with specific statutory positions and duties (chairman, treasurer, etc.)

      Usually the directors provide business address/contact details, not personal ones.

      If, however, it is 'work from home' type company, where a directors business address and business telephone numbers are the same as the individuals home address and home number, then you are going to have a problem. IANAL, however I do not believe publishing a statutorily mandated position that must require contact details of that position to be published on certain public registries (as must happen with a registered company) would be in breach of the GDPR because the information being published is proportionate and required for legitimate purposes.

      Now if you, as a company director decided to run the company you are a director of from the same premises, and using the same number, as you also use for private purposes, I think this puts you in a problematic position - you have fucked it up.

      1. Anonymous Coward
        Anonymous Coward

        Re: How about Companies House?

        Many years ago, I ran a company that was wound up more than the statutory retention date for Companies House registration ago, so it is now no longer listed on the current register. On it, at one time, I had a telephone number which was for a dedicated line for the company (and only had a answering machine on it), but which only differed by one digit from the telephone number for my house.

        It did have the address of my house, however.

        I have in the period of time that the company been non-existant, received telephone calls from people looking for a local PC repairer (something that my company never did, it was listed as a "Computer Services Company, but which Companies House themselves merged categories some time ago).

        I tracked down the issue to one of the companies that offers Companies House lookup information on the Internet, which had not only not noticed that the company was no longer trading (nor when it was deleted), but had 'corrected' the telephone number to my home number.

        I went through their complaints and corrections process, but last time I checked, the information was still being offered.

        If GDPR gives me some means of finally removing this information, then I will be very glad, although I do think that some of the GDPR regulation (particularly about correcting all archived and backup copies of data) are effectively unworkable within the statutory retention period of UK financial regulations, amongst others.

        1. Doctor Syntax Silver badge

          Re: How about Companies House?

          "If GDPR gives me some means of finally removing this information, then I will be very glad, although I do think that some of the GDPR regulation (particularly about correcting all archived and backup copies of data) are effectively unworkable within the statutory retention period of UK financial regulations, amongst others."

          I'm probably in the same position as you and I'll start giving some of these sites grief if they don't smarten up.

          However if you read up about the deletion it does refer to what's technically possible. You don't have to delete from the backup. However it would be smart to retain the deletion request so if you restore from the backup you can redo the deletion from the restored data. Once you've replaced the backup with a post-deletion one you'd then no longer need to retain the request.

          1. Adam 52 Silver badge

            Re: How about Companies House?

            "However if you read up about the deletion it does refer to what's technically possible. You don't have to delete from the backup. However it would be smart to retain the deletion request so if you restore from the backup you can redo the deletion from the restored data."

            Do you have any citations for this position please? It's the one I'm taking and the one our lawyers approved in February but the lawyers have been back-pedaling recently.

            1. Diginerd

              Re: How about Companies House?

              @adam52 It’s (a bit) tricker than that...

              Here’s the guidance we got (of course I would recommend you call the ICO’s anonymous info line to confirm this - be prepared for about an hour on hold, but they’re on the ball when you speak to someone).

              Anyway..

              To comply with the law and the data subject’s right to be forgotten you can’t simply store the deletion request as the request itself contains their PI...

              Basically you need to store the GUID/Key value that points to the deleted PI on a “list of forgotten entries”

              Should the data base be restored from backup run a job that checks that list and and deletes any matches in the restored data.

              There’s other gotchas sureounding confirming the validity of the request in the first place (make sure you confirm who they are, as inappropriate LOSS of a data subject’s data is ALSO a violation)

              TL;DR. Yes. Yes it is.

              PS make sure you scrub ALL your databases - dev test too.

        2. Alan Brown Silver badge

          Re: How about Companies House?

          "I tracked down the issue to one of the companies that offers Companies House lookup information on the Internet, which had not only not noticed that the company was no longer trading (nor when it was deleted), but had 'corrected' the telephone number to my home number."

          You went about trying to get the incorrect information removed the wrong way.

          A DPA section 11 notice works wonders for that kind of thing and after failure to comply it's a simple court filing to wake them up to their responsibilities (If a bailiff is going in to seize things, always tell them to target the communications/networking equipment to take first, not things like TVs. It has a galvanising effect on getting attention to find the most critical piece of equipment and remove it.)

    3. Doctor Syntax Silver badge

      Re: How about Companies House?

      "However, the previous address still appears, and there's no way of deleting that. Surely not GDPR compliant?"

      Yet again we have to explain. Companies House information is a requirement in statute law. GDPR does not apply in such situations. As CH data includes past as well as current data on officers you aren't going to disappear that easily. You could close the company and open a new one giving your accountant's address for the director's address (assuming the accountant consents). You then have to wait until the old company disappears from the record. I'm not sure how long that takes but the perpetual beta site seems no to have my old company there but that was closed over a decade ago.

      1. Claverhouse Bronze badge

        Re: How about Companies House?

        Indeed. And stretching my powers of full and utmost sympathy to all to the maximum extent, I don't think I would want to deal with any registered company that didn't have a real, non-virtual, address in existence.

  9. Craig100

    Why bother

    Why does a company based outside an EU entity even have to bother? If the EU wants to fine them, surely they can just give them the middle finger?

    1. Ole Juul Silver badge

      Re: Why bother

      You might want to check out what ICANN actually does. Although they don't actually do what they're supposed to do, it seems.

      1. Charles 9 Silver badge

        Re: Why bother

        Point is, what can the EU do to a firm they have no legal authority to fine? It's a sovereignty clash, and about the only option left is to refuse to recognize the offender by ordering a blockade of some sort.

    2. Lee D Silver badge

      Re: Why bother

      They say "Your nameservers operating throughout Europe will be blocked. All .eu, .uk, .fr, etc. domains will come under our control. You will therefore lose 50+% of your revenue overnight because nobody will have to pay you a damn thing. P.S. please list the TLD nameservers as our own, if you fail to comply we will initiate legal action, seek redress from the WTO and block access to all non-EU domains".

      You can't claim to be operating TLD naming and then not listen to the countries that control those domains.

      P.S. That won't happen precisely BECAUSE they are operating in the EU, and claiming to represent it to. They are basically doing business with the EU. So, yes, you actually CAN fine them into oblivion, severely restrict their trade, freeze their European assets and arrest their directors if they ever visit the continent or apply for extradition.

      Nobody says that it will get that far, but they are far from immune. And they could lose half their business overnight by failing to comply.

    3. Doctor Syntax Silver badge

      Re: Why bother

      "Why does a company based outside an EU entity even have to bother?"

      If they don't want to do business there then they don't need to bother. Why do you think you shouldn't obey the laws of a country where you want to do business.

      What do you think would be the result of giving them the finger? Probably a bigger fine, one enough to make an example of you. You think the country would be powerless? What do you think would happen if the law enforcement of the country then gets in touch with the offender's bank looking for payment of the fine. The company may not have a foothold in the country; their bank almost certainly does and they're not going to fight the law on behalf of a tuppenny-ha'penny scoff-law. Most likely the account would get suspended until payment was arranged.

    4. Claverhouse Bronze badge

      Re: Why bother

      Certainly: many internet companies are based in countries like Nigeria, Indonesia and the USA, who will all angrily reject EU regulation.

  10. Ole Juul Silver badge

    Epic incompetence

    I could go on.

  11. Alan Brown Silver badge

    Whois necessity

    Whois was originally intended to ensure that entities holding domains were legally serviceable (as in being able to be hit with legal paperwork)

    ICANN willingly facilitated the current mess where scammers get away with anything that destroyed the usefulness of Whois many years ago.

    GDPR is one thing, but the simplest way of ensuring privacy in the face of no whois will simply be to start serving registrars with legal proceedings instead of domain holders if the ownership is obscured.

    1. Lee D Silver badge

      Re: Whois necessity

      Given the amount of C/O GoDaddy/Tucows/etc. entries on WHOIS, I imagine that's all they ever do anyway.

      I could say I'd Fred Bloggs and register a domain, it doesn't mean I actually am them. But if you needed to establish the legal owner, someone somewhere paid on a credit card, and only the registrars knows what card, and only the banks can link that to an account, and only all of those taken together will tell you who actually is responsible.

      Hence WHOIS lost its purpose many years ago, the second they allowed C/O entries, or didn't verify that the domain owners are who they say they are. Which was basically day one.

      Try it. It doesn't take long to register a domain and put the registration info as Microsoft (UK) Ltd. or anything else you care to make up. It doesn't mean they're responsible for it.

      1. onefang Silver badge

        Re: Whois necessity

        "someone somewhere paid on a credit card"

        Er my registrar accepts PayPal, BitCoin, and other non credit card payment types.

  12. Scott Marshall
    FAIL

    ICANN

    ICANN'T

  13. Missing Semicolon Silver badge
    Unhappy

    What happens for EU citizens who own non-EU domain names?

    .. through non-EU registrars?

    For example, GoDaddy publish the full contact information for all .com domains, even if owned by EU citizens. So far, I've heard crickets from Godaddy about how they intend to handle EU customers post-26th.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019