back to article Who had ICANN suing a German registrar over GDPR and Whois? Congrats, it's happening

A fight over private information and the internet's domain name system is heading to a German court, in a proxy battle between European legislators and American intellectual property lawyers. On Friday – the same day that new European GDPR privacy legislation took effect – DNS overseer and US corporation ICANN filed a lawsuit …

  1. Anonymous Coward
    Anonymous Coward

    Merica f*ck yeah

    Where any innovation in anything is stamped on in the name of continued business.

    "you want us to reconsider our 20 year old policies in light of the changes to the internet... don't you understand this is america?"

    1. TheVogon Silver badge

      Re: Merica f*ck yeah

      "Fundamentally, ICANN is arguing that there are exceptions in GDPR that say data collection is allowed when it is a "necessity for the performance of a contract" – and the Whois clause in its contract qualifies for such a protection."

      Data collection might be. Publishing it without explicit opt in permission isn't.

      1. This post has been deleted by its author

      2. Alan Brown Silver badge

        Re: Merica f*ck yeah

        " Publishing it without explicit opt in permission isn't."

        ITYM Publishing personal data

        A lot of registrations use role accounts and those aren't personal data.

        The problem is that domain registrations (and WHOIS) requires actual legally serviceable registrant addresses (ie, ones that can be served with legal paperwork in the event of shit hitting fan) and the tech contacts are supposed to be there to ensure that someone can be contacted to try and shut the mess down if something goes nuts.

        ICANN hasn't been adequately enforcing accuracy requirements for 15-20 years (meaning that scammers have registered bogus addresses for kid porn domains that have had the wrong doors kicked in, etc etc) and scammers have spammed the living hell out of published email addresses, rendering the tech addresses useless/encouraging people to obfuscate or remove contact details.

        At this point, trying to argue that collecting the data is necessary falls flat on its face over the kerbstone of historic indifference to its accuracy and I'm fairly sure that german courts will point that out.

        Harder lines taken against network abuse and prioritising that over gross revenue maximisation would have prevented a lot of the issues that's got ICANN in court today. As it is, IMHO their actions have pretty much ensured that they won't prevail. (IANAL, YMMV, HAND)

        1. Doctor Syntax Silver badge

          Re: Merica f*ck yeah

          "At this point, trying to argue that collecting the data is necessary falls flat on its face over the kerbstone of historic indifference to its accuracy and I'm fairly sure that german courts will point that out."

          Sort of. The defendants might well point it out to the courts and the court would then note it in the judgement. Most likely the defence will point out that contract terms can't override legislation and here's a sling in which the court can hand ICANN its arse.

          1. Alan Brown Silver badge

            Re: Merica f*ck yeah

            "The defendants might well point it out to the courts and the court would then note it in the judgement."

            Yup - and from that point forward, even if ICANN tried to bring cases in non-GDPR jurisdictions they'd fail.

            You're absolutely right that contracts can't trump law and that would be the first plank of any defence, however pointing out that ICANN haven't historically been bothered about enforcing accuracy makes a mockery of their demands now - and that's a pretty good supporting plank.

  2. Sgt_Oddball Silver badge
    Facepalm

    U.S.A. U.S.A. U.S.A!

    Remeber kids the internet is not yours or mine, or everyone's.... it's uncle Sam's so their laws and rules. And if you don't like it, tough.

    What's that? Fines for silly amounts of money from somewhere that isn't the US? Sod em we'll just not bother paying..

    Is that about the long and the short of how this is going to be for the next few years?

    Time to invent some subscription system for popcorni think..

  3. Shadow Systems Silver badge

    I hope ICANN loses completely.

    I hope the German court finds that the ICANN contracts require the contracted parties to do illegal things & thus are Null&Void. Then when ICANN appeals (and appeals & appeals & appeals) it goes straight to the top court where it's summarily told in no uncertain terms "Tough shit, you lose, go fuck yourselves".

    Because ICANN has thumbed it's nose at everyone else's laws, ignored the requirements that were made policy over two years ago, has tried to weasel it's way out of doing it's damned job, so I hope the courts nail 'em to a wall & use 'em as a dart board.

    ICANN has told the rest of the world "fuck you" for far too long; it's about time the rest of the world bends it over a table & does obscene things to it in retribution.

    1. Len

      Re: I hope ICANN loses completely.

      I just wonder how long ICANN still exists in its current form. It will probably be replaced by something else (sitting under the UN and based in Geneva?) or slowly rendered irrelevant because the stopgaps to circumvent its issues keep chipping away at ICANN's authority until the collection of stopgaps is better organised than ICANN itself.

      1. Yes Me Silver badge

        It will probably be replaced by something else...

        Let's hope not, above all not by the ITU. I promise you, that would be a hundred times worse.

        What does "stopgaps to circumvent its issues" refer to, please?

      2. Mage Silver badge
        Thumb Up

        Re: probably be replaced by something else

        The UN took over oversight of the ITU created in the 1850s,

        There are issues with UN and ITU, but it was USA arrogance that DNS, IP assignments and Domain registration wasn't ITU from the beginning. Long before Web was added to the Internet. Possibly as soon as Arpanet was available outside Government & Universities.

        1. aks Bronze badge

          Re: probably be replaced by something else

          USA arrogance now being replaced by EU arrogance and attempting to export their regulations world-wide.

          1. David Nash Silver badge

            Re: probably be replaced by something else

            EU arrogance?

            The German registrar is operating in the EU and is therefore obliged to abide by EU rules.

            ICANN want them to NOT do that. Is that EU Arrogance?

          2. John Brown (no body) Silver badge

            Re: probably be replaced by something else

            "USA arrogance now being replaced by EU arrogance and attempting to export their regulations world-wide."

            ...except in this case, it's a standard of regulation many people in the USA would like, but their corporate overlords don't want it (and pay their politicians to say so for them)

        2. Alan Brown Silver badge

          Re: probably be replaced by something else

          "it was USA arrogance that DNS, IP assignments and Domain registration wasn't ITU from the beginning. "

          Huh?

          The ITU didn't _want_ to be involved in any of this stuff until relatively recently.

          In any case, ICANN has exactly as much power as people choose to give it. There have been alternative DNS systems and roots setup but they've all fallen over - largely due to ICANN being the monopoly, but secondarily due to ICANN playing 9000 pound gorilla and deliberately rolling out TLDs which conflicted with those of the alternates (they could and should have been charged with anti-competitive behaviour over that one and the decision to do it was _very_ deliberate)

    2. The Nazz Silver badge

      Re: I hope ICANN loses completely.

      "Tough shit, you lose, go fuck yourselves".

      I'd love to see the German word for that. Let's hope they use the "wrap text" format.

      1. The Dogs Meevonks

        Re: I hope ICANN loses completely.

        @The Nazz

        I think you'll find it's roughly

        "harte Scheiße, du verlierst, geh dich ficken"

        Sadly it's not a single long word as you were hoping. :(

        1. EnviableOne Bronze badge

          Re: I hope ICANN loses completely.

          That may be the litteral translation, but it doesnt have the right tone or severity of language, I hope a native german speaker can chip in, but rules of good etiquete prevent me from exploring the depths of my german vocab for a better phrasing.

      2. Grikath

        Re: I hope ICANN loses completely.

        @ the Nazz: the closest in German, when it comes to intent, would be:

        Gute Krokodilsträne....aber jetzt.... Bück dich!

      3. Sgt_Oddball Silver badge
        Coat

        Re: I hope ICANN loses completely.

        Unfortunately not one word...

        "Viel Glück, du verlierst, geh und fick euch selbst"

        Mines the one with the Hungarian Phrasebook in the pocket...

        1. Alan Brown Silver badge

          Re: I hope ICANN loses completely.

          "Mines the one with the Hungarian Phrasebook in the pocket..."

          And the eels in another?

    3. Yes Me Silver badge

      Re: I hope ICANN loses completely.

      That would be a bad outcome, if you'd like the Internet to run smoothly. And it probably won't happen - ICANN isn't actually planning to violate GDPR by publishing private information. And there isn't redundancy in requesting three contacts: owner (the person ultimately responsible), admin (the person to pay any fees involved), technical (the person to fix operational issues).

      ICANN has been arrogant once in a while, but I don't think they've thumbed their nose at anybody's laws. As a corporation, they're bound by the law of their state of incorporation, which happens to be ca.us, but so is every corporation

      1. Frank Zuiderduin

        Re: I hope ICANN loses completely.

        "...I don't think they've thumbed their nose at anybody's laws."

        They have. Since 2003 actually, when they were first told they were breaking the data protection laws as they existed then.

      2. Anonymous Coward
        Anonymous Coward

        Re: I hope ICANN loses completely.

        "As a corporation, they're bound by the law of their state of incorporation"

        Wuuuuuut????? Err - no, not at all. As anybody, corporation or not, they're bound by the laws of the place they're operating in. Ie, they're doing business in the US, they follow US laws, they're operating in the EU, they follow EU laws.

        Or to take a different example, where the US is not the reference - do you believe that Chinese companies operating in the US follow Chinese laws only?

    4. Mage Silver badge

      Re: I hope ICANN loses completely.

      Backdated.

      This was always wrong. From the beginning.

    5. Anonymous Coward
      Anonymous Coward

      Re: I hope ICANN loses completely.

      But, logically, if the contract is declared null and void, ICANN will just cancel all the domains registered via that registrar and they will be up for anyone to buy, because there will be no contract any more.

  4. Anonymous Coward
    Anonymous Coward

    Should result in summary judgement...

    You can't contractually require anyone to break the law and the law is pretty damn clear from here, in America.

    1. veti Silver badge

      Re: Should result in summary judgement...

      What if the law itself explicitly says that "you can contractually require people to break this particular law"? Because that's basically ICANN's case.

      1. no_handle_yet

        Re: Should result in summary judgement...

        The exception clause applies to the relationship between the owner of the data and the entity providing a service to the data owner.

        In other words, if I apply to a bank for credit they can acquire, store and retain data necessary for the provision of that credit. If that bank has a separate contract with an advertiser to provide email addresses of anyone applying for credit then the necessity exception doesn't apply there. And contract terms can never override law. Any term in the bank to advertiser contract that breaks the law becomes void.

        So a registrar can collect data necessary for the provision of service to the end user but their contract to publish that data in whois is void as it compels them to break the law. That is exactly the position of EPGA and I would be very surprised if they do not prevail.

        If ICANN are pressing ahead with this challenge then one of two things has happened. Their lawyers know it will fail but they get paid anyway so what the hell, lets bilk our client (likely), or their lawyers think the law is worded sloppily and they can twist it to cover the third party contract which was actually what you were hinting it. That is less likely but still possible.

        1. Dave Bell

          Re: Should result in summary judgement...

          That's well-established, not just GDPR. It's explicit in GDPR, and lawyers like "explicit", but if you didn't have something like that it would be a breach for somebody to put your name and address on a letter they post to you. I've had GDPR opt-in emails warning me that I won't get any notifications of dispatch if I don't opt-in. Which means they're saying they can't fulfil a contract. without an opt-in to everything.

          How dodgy is that? A US service gave me a web page with default-on permissions for over 300 companies they share my data with. I tried to count them, as I clicked to "off", but lost track at over 270. As the Good Book says:

          "Three shall be the number thou shalt count, and the number of the counting shall be three. Four shalt thou not count, neither count thou two, excepting that thou then proceed to three. Five is right out."

        2. Alan Brown Silver badge

          Re: Should result in summary judgement...

          "if I apply to a bank for credit they can acquire, store and retain data necessary for the provision of that credit. If that bank has a separate contract with an advertiser to provide email addresses of anyone applying for credit then the necessity exception doesn't apply there."

          Which is what Experian and friends have been hoping you wouldn't notice for a long time.

          Up until GDPR the only way to stop them selling your data to advertisers was an explicit DPA section 11 notice and they used all kinds of scare tactics to dissuade those including "this may affect your credit rating" (which they also used to frighten people into not being on the closed electoral register)

          These "credit rating agencies" actually make more money selling your data to marketers than they do from their supposed core business, so it's going to be interesting to see how many prosecutions result from GDPR breaches as they scramble to make up lost income by ignoring the laws.

          1. aks Bronze badge

            Re: Should result in summary judgement...

            Gathering data and making it available to others are two different issues.

            Making it available to the interested party for them to challenge and correct is sensible. Making it public is not.

            I wonder whether the UK government's policy of making the electoral register available is covered by GDPR. Until now, it has been made available to anybody who pays for it, after mandating its collection under threat of severe penalty to the individual if they refuse to supply it.

            1. Joeyjoejojrshabado

              Re: Should result in summary judgement...

              "I wonder whether the UK government's policy of making the electoral register available is covered by GDPR"

              It's not a government policy, it's a national law.

        3. Alan Brown Silver badge

          Re: Should result in summary judgement...

          "If ICANN are pressing ahead with this challenge then one of two things has happened."

          Past experience of dealing with the people involved is that they make up facts to suit themselves as they go along and don't take kindly to 3rd parties showing evidence that they were saying the exact opposite some months back (or made the exact statements they denied knowledge of, etc)

          Trump may be a sociopathic delusional con artist but the reason he's managed to get to that position is that this kind of personality has managed to find itself in charge of increasingly large tracts of business during the last 40 years.

          I wouldn't be at all surprised if their plan is to bring up the Chewbacca defense.

  5. /tmp

    At the heart of the issue is the fact that the Whois service was developed 20 years ago...

    https://tools.ietf.org/html/rfc812

    https://xkcd.com/1995

    1. EnviableOne Bronze badge

      Re: At the heart of the issue is the fact that the Whois service was developed 20 years ago...

      RFC 812 was obseleted twice, RFC3912 (the current whois Spec Published Sept 2004) states

      The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, Integrity, and confidentiality. Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone. The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing.

  6. Len
    Holmes

    Quite smart to do it in Germany

    Considering Germany has probably some of the strictest privacy laws in the EU (apparently a lot of criticism of the GDPR in Germany is that it doesn't go far enough) it is quite clever to start this case in Germany. If ICANN's position holds up in a German court it will likely hold up in any EU court and perhaps even the CJEU.

    1. Richard 12 Silver badge

      Re: Quite smart to do it in Germany

      No, it's foolish because it's a slam dunk instant fail in Germany.

      ICANN will lose, instantly with no appeal.

      In other EU countries they might have stood a chance, but Germany have suffered the consequences of unnecessary data collection. Millions dead leaves a long shadow.

      1. John Brown (no body) Silver badge

        Re: Quite smart to do it in Germany

        "but Germany have suffered the consequences of unnecessary data collection. Millions dead leaves a long shadow."

        It does make me wonder if the ICANN people don't know their history and were working to the stereotype image of Germans being sticklers for the rules/law and hoped to bend the interpretation in a logical sounding way.

  7. Garymrrsn

    GDPR, by having the audacity to imply that humans are not a commodity to be bought and sold like so much grain, may have committed an act of war in the eyes of the internet's corporate powers.

  8. Anonymous Coward
    Anonymous Coward

    ICANN not understand how you wrote this article !!!???

    BBC are reporting on ICANN and their problems with an article that completely misses the issues and frames them as the victims !!!!

    http://www.bbc.co.uk/news/technology-44290019

    Must have a friend at the BBC or more likely yet, someone else who has been bamboozled by ICANN's version of reality !!!???

    No wonder the BBC is attacked on all sides when it cannot be bothered to get the facts straight before publishing an article.

    1. Anonymous Coward
      Anonymous Coward

      Ambulance Chasing Intellectual Property Lawyers

      Organize their own GDPR False-Flag / Black-Ops tea-party.... This is just sick reporting... But you can bet some official has already bought it, and is phoning the EU right now to complain: 'won't someone think of the poor police and journalists' letting hackers simply escape. Talk about Fake-News reporting:

      "Whois... used by the police and journalists to check the legitimacy of websites... Police will be robbed of ready access to vital data drastically impeding their efforts shut down illicit activity. The regulatory rubric EU has created will make it harder than ever to catch computer hackers"

      1. Anonymous Coward
        Anonymous Coward

        Re: Ambulance Chasing Intellectual Property Lawyers

        You missed the bit that the BBC is reporting someone else's claim "In a letter to the Wall Street Journal entitled, The EU's gift to Cybercriminals, lawyers Brian Finch and Steven Farmer claim...."

    2. Anonymous Coward
      Anonymous Coward

      Re: ICANN not understand how you wrote this article !!!???

      If you are being attacked by all sides surely you're doing something right.

      The article could also just be ICANN's viewpoint. We might not agree with it but BBC is supposed to be neutral. Supposedly.

      1. Anonymous Coward
        Anonymous Coward

        Re: ICANN not understand how you wrote this article !!!???

        "If you are being attacked by all sides surely you're doing something right.

        The article could also just be ICANN's viewpoint. We might not agree with it but BBC is supposed to be neutral. Supposedly".

        There are two possible reasons to be attacked by all sides:

        1. You are generally neutral and 'all sides' are aggrieved at some point !!!

        2. You are slapdash and misreport both sides at times. !!!

        I leave the choice to you !!!

        If the article IS just one particular view it is usual to frame the piece with a disclaimer of some sort to make the basis clear.

        This is not the case with this article.

        It is simply a condensation of someones 'pitch' without balance or reference to another view.

        Lazy journalism to fill up space on the BBC News Website .... no more !!!.

        P.S.

        In case you wonder, I am the original AC and someone who supports the BBC and does 'generally' think they are balanced.

        I have never called then 'left' or 'right' biased as tends to be the case nowadays.

        I just dislike such lazyness.

    3. Teiwaz Silver badge

      Re: ICANN not understand how you wrote this article !!!???

      BBC are reporting on ICANN and their problems with an article that completely misses the issues and frames them as the victims !!!!

      To be fair, the BBC news site is edited down to such a bare minimum of facts and seems to be written with the intent of being understandable to anyone with an I.Q in the single digit range it's not a surprise it misses most pertinent facts or is vaguely anywhere close to the truth and not new for the fluffy mushroom heads and those that have dodgy living arrangements with seven bearded mining little folk.

    4. no_handle_yet

      Re: ICANN not understand how you wrote this article !!!???

      Thanks for that link. I can't remember reading a lazier piece of tech journalism than that. In fact, for all the good it will do, I'm going to write to them about it.

    5. Dave Bell

      Re: ICANN not understand how you wrote this article !!!???

      I have my doubts about the BBC on a lot of things, these days, but I fear it is a growing awareness of the crapitude of news media, rather than any change at the BBC.

      And when it is the frothing anti-EU loonies running the country, I find it hard to blame the BBC for being a bit circumspect.

      (The other angle is that, on technical issues, it only takes one journalist to skew things; no names, but there are people writing for The Register who have an obvious political bias on some issues.)

    6. Alan Brown Silver badge

      Re: ICANN not understand how you wrote this article !!!???

      "BBC are reporting on ICANN and their problems with an article that completely misses the issues and frames them as the victims !!!!"

      That looks like a lightly regurgitated press release, not actual journalism.

      1. Gordon 10 Silver badge

        Re: ICANN not understand how you wrote this article !!!???

        Link to complain about a BBC news article.

        http://www.bbc.co.uk/news/contact-us/editorial

      2. DropBear Silver badge

        Re: ICANN not understand how you wrote this article !!!???

        "That looks like a lightly regurgitated press release, not actual journalism."

        You mean news outlets* are supposed to do anything beyond regurgitating press releases in the 21st century? What a novel idea...! Has anyone told them...?

        * Present company excepted. Ish.

    7. Gordon 10 Silver badge

      Re: ICANN not understand how you wrote this article !!!???

      That's disgracefully one sided.

      1. John Brown (no body) Silver badge

        Re: ICANN not understand how you wrote this article !!!???

        "That's disgracefully one sided."

        Yeah, it's not what we've come to expect from the liberal lefty BBC they are usually accused of being :-)

    8. David Nash Silver badge

      Re: ICANN not understand how you wrote this article !!!???

      To be fair, the BBC article does mention that they had years to prepare, and also finishes by saying

      "cyber-criminals were never likely to have provided accurate contact details for their scam websites, and highlight that the law does provide added protection for legitimate registrants."

  9. Nate Amsden

    mis worded?

    The organization that registers .de domains has to have personal info. They restrict who can register .de domains to people that live in germany. I had a .de vanity domain about 17 years ago, had it for probably 2 years then the .de folks took it back(I didn't know the "rules" at the time). Just checked again and the rule is the admin contact must be an address in germany.

    1. LenG

      Re: mis worded?

      So what? If the registrar needs that information to determine eligibility then it is entitled to collect it. But if the only reason for obtaining the info is for that determination then it is not entitled to use it for other purposes without setting out those purposes. Nor is it entitled to pass that info on to a third party without the permission of the registrant.

  10. Neoc

    The only proper response from the German court would be a swift:

    (1) "No contract may force a company to break the laws of the land"; and

    (2) "Since, by bringing this to us, you insist on forcing companies to break the law, let us slap you with fine".

  11. davenewman

    The court needs a technical advisor

    Since the litigrants may try to bamboozle the court with technical inaccuracies, the court should employ a technical advisor - Max Schrems, of course.

  12. Anonymous Coward
    Anonymous Coward

    GDPR False-Flag / Black-Ops

    Look at this slanted POS reporting from the Beeb. What's the next line, intellectual property lawyers champion 'won't we think of the children'. This is totally False-Flag-GDPR-Black-Ops from ambulance chasing lawyers:

    -----------------

    "Whois... used by the police and journalists to check the legitimacy of websites... Police will be robbed of ready access to vital data drastically impeding their efforts shut down illicit activity. The regulatory rubric EU has created will make it harder than ever to catch computer hackers"

    -----------------

    GDPR 'risks making it harder to catch hackers' - BBC News

    https://www.bbc.co.uk/news/technology-44290019

    1. Anonymous Coward
      Anonymous Coward

      Oops... Seems I was Ninja'd by fellow AC above

      Oh well! But you know what, its such god-awful reporting by the Beeb its worth the risk of repeating. Should win a Jorno-Razzie!

    2. TheVogon Silver badge

      Re: GDPR False-Flag / Black-Ops

      "GDPR 'risks making it harder to catch hackers' - BBC News

      https://www.bbc.co.uk/news/technology-44290019"

      Because hackers always publish their personal websites and use genuine registration details?!

  13. Anonymous Coward
    Anonymous Coward

    Meh; my registrant information is, IIRC, filled with (mostly) inaccurate information, because I don't like spam.

    anon for obvious reasons. :)

    1. Ian Michael Gumby Silver badge

      @AC ...Re: Meh

      And if you're caught, they can drop your ownership of the domain ASAP. (Dropping your domain)

      Keep in mind... Domains were meant for businesses and not personal use.

  14. Peter Prof Fox

    An injunction to break the law?

    Any old contract won't stand up against GDPR, otherwise anybody could add a contract condition 'ignore GDPR'.

    So, given this suicide-bomber on a desert-island approach, what is the alien intelligence (I-word used advisedly) trying to achieve? Perhaps, like Duck Turd, they already know they're a laughing stock but so far nobody has found the right stick to beat them with.

    Anyway, as they're so keen for a tussle perhaps the big regs will respond in kind and lots of $$$ will start to pile up on ICANN's doorstep.

    1. Dave Bell

      Re: An injunction to break the law?

      I've seen several examples recently with a pattern of US lawyers with limited experience of a field of law collecting large fees for rather feeble cases. Most recently, it was a personal-injury specialist from Texas taking on a Federal Trademark case, and trying to dodge the whole Trademark Registration procedure with a court case. The laughter from IP lawyers was muted, but unmistakable. The style is very different.

      Are ICANN that stupid? You would think they would at least have involved a competent German lawyer. Some of the labels and concepts are different, but this is part of the point of having Barristers in the UK. The boundaries have blurred, some solicitors can now do jobs that only used to be open to Barristers, but this does look like what you get if you ignore competent and relevant legal advice.

      Though there might have been some time pressure. Things do, generally, look a bit too last-minute on GDPR, and not just because the UK government is running around like a headless chicken on anything to do with Europe. But how much of that is wilful American-led blindness?

      1. Anonymous Coward
        Anonymous Coward

        Re: An injunction to break the law?

        You do realize that ICANN can drop all of .de off the face of the earth, right?

        Do you realize the chaos it could cause?

        Some of us have been online using the 'net since the 80's. Back then we had USENET and stuff.

  15. Stork Silver badge

    Sounds risky to file this in Germany

    The last many years, German courts have given much importance to privacy legislation (for obvious reasons)

  16. T. F. M. Reader Silver badge

    "The vast majority"...

    I am not arguing against GDPR, for ICANN, or in favor of US laws superseding European or German ones. Not at all. Having said that, Tucows' argument that for "the vast majority" of registered domains owner, admin, and tech contacts are the same and thus there is no need to collect all three seems strange. Even if those are different only in a small fraction of cases, it seems to me there may well be reasons for them to be different, and thus they need to be collected for legitimate operational purposes.

    E.g., imagine an organization that wants to register a .de domain. Someone else here has already pointed out that one needs to be in Germany and have a German address to do that. That's the "owner", right? However, for administrative purposes, e.g., billing, someone else, maybe the company's finance department in another country, should be contacted (surely you've provided a separate "billing address" many times). That's a separate "admin" contact then. And technical/operational issues are handled by a third party - hell, the organization may not even have IT staff but still needs internet presence. That's a "technical contact", separate again. It does not seem to be far-fetched at all...

    The registration procedure may have checkboxes saying "use the above address as your admin/tech contact" to avoid duplication (IIRC, this is similar to what AMZN do when you buy something from them - there is a checkbox to indicate that the billing address is the same as the delivery address), but in principle it makes perfect sense to me that the three contacts are logically independent and all are needed to complete the registration.

    1. Matthew Brasier

      Re: "The vast majority"...

      Its not really the collecting of the technical and admin contacts that is the issue, it is the publishing of them in the whois database. If they were collected by the registrar, and kept private by the registrar except in the case of a court order or other legal mechanism (as nominet is doing with .co.uk addresses) there isn't an issue - the registrar has the data that it needs to perform its contract, and can provide that information where there is a legal basis to do so.

      The issue is that while ICANN claims to operate in the interests of the domain registrars, its main objective here is to ensure that IP lawyers can continue to use the whois database to identify where domains may sound vaguely similar to a well-known brand, and then charge the well-known band thousands of pounds to hound the owner of the domain until they give it up.

  17. I Am Spartacus
    Thumb Up

    My registrant info has changed

    Just checked my domains WHOIS info, and the three contacts have changed to point to Nominet, the register os may domain.

    So, I suppose Nominet is now in breach of ICANN, but is correctly interpreting UK Law.

  18. Tom Kelsall

    "Necessary for performance of a contract"

    Yes, there is that provision within GDPR. However; the data collected/published has to have a lawfully justifiable PURPOSE, and the PURPOSE has to have a LAWFUL BASIS FOR PROCESSING - in other words they are using circular logic to try to confuse and I don't think the Courts are that thick.

    The contract you're trying to use as a Lawful Basis for Processing has to be a legally binding contract and when it isn't, any clauses which are not lawful are discarded as if they're not there; THAT much is written into Contract Law and backed up by relevant Case Law.

    ICANN have been lazy and they ARE going to pay the price for that. If I as a layperson can understand this, so can they - and I hope their attempts at obfuscation and delay are rewarded with a robust legal response.

    1. SPiT

      Re: "Necessary for performance of a contract"

      I would have said that the ICANN argument has got to be along the lines of the fact that the provision of a domain requires registration with world DNS and a condition of this is provision of data to the whois service. This creates an argument that the contract between the site owner and the German registrar allows this because the German registrar isn't allowed to set up the domain without passing the information on. This then leads to a situation where the German registrar is the data controller but ICANN has status as a data processor and needs to comply with GDPR. It does muddy the waters but since the public availability of whois has not practical benefit to the discharging of any contractual obligations and only serves as a convenience I can't see any argument for allowing it other than ICANN claiming that their contract is not subject to GDPR and is covered by US law. That would then mean that no company can legally operate as a registrar in Europe and probably then goes on to the full enforcement of GDPR meaning that no personal data of a European can be passed to/through the USA or be held by a US or US owned company.

      I really hope this doesn't turn into the equivalent of a nuclear exchange as it will devastate the world economy but that seems to be the stance ICANN are taking.

  19. graeme leggett

    Are ICANN going to play "legitimate interest" card

    Because among the reasons under Lawful basis you can give for processing Personal information within GDPR is "legitimate interest"

    It's less box-ticky than contract, opt-in permission, etc but if you can frame the processing correctly then you're in.

    As ICO puts it "It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing"

  20. Noonoot

    Because ICANN

    Who said so? Remember that without the Europeans Uncle Sam wouldn't exist. Show some respect for your elders.

  21. EnviableOne Bronze badge

    Controller and Processor

    I think many are missing the point ICANN are the controller in this case, and tucows (and their subsiduary) the processor.

    ICANN contracts tucows to run the .de registry

    ICANN contract requires they collect the said information

    Tucows as processor must perform the duties they are requested by the Controller.

    What ICANN does with that information, is not Tucows responsibility, however dodgy and against the law it is.

    It is the responisbility or the registrant to gain Consent from the technical and admin contacts to publish this information.

    I agree ICANN need hauled over the coals for the privacy implications in Whois, but this case isnt about WHOIS and GDPR, its about contracts.

    1. Richard 12 Silver badge

      Re: Controller and Processor

      If ICANN are the controller, then they are wilfully breaching the GDPR and admitting it by bringing the case.

      If that's the argument they bring, then they are asking the German regulator to immediately impose the highest possible fine.

      Howvere amusing that might be, the last missive sent out by ICANN specifically stated that the registrars - in this case Tucows - are the data controllers.

  22. Anonymous Coward
    Anonymous Coward

    Decentralised DNS NOW!!

    This is why we need decentralised DNS Instead of letting the yanks impose their rules & regulations on an international network.... Put an end to US supremacy of the internet. It's not up to them to tell the world how to do business.

  23. Cynicalmark
    Devil

    Delaying tactics

    File a case involving GDPR and subsequently remove eyes from the real issue that the muppets in ICANN make breathing room to sort out the mess in their own backyard (presumably destroying evidence). It’s a classic tactic used in US court but doesn’t work in Europe all that well.

    I’m quite sure this may result in a splinter of control and someone sulking in the corner muttering that they no longer want to play and its their ball. If they win - well give it a few years and some bright spark will come up with a better system to communicate and shaft them royally.

    Time for our American cousins to grow up a little. There is always a bigger fish.

  24. gnarlymarley Bronze badge
    WTF?

    Interesting that the government is going to want that contact information when they find lawbreakers now using GDPR to hide, and yet the common folks are not allowed to have that contact information. I guess they would want it so they could spill it, and since they are the government, will not get caught. What a two-faced law GDPR is.

  25. Ian Michael Gumby Silver badge
    Boffin

    ICANN will win

    Hey commentards...

    Does GDPR cover businesses?

    How does it handle regulatory filings?

    When you start to consider the details that you provide... you have no privacy because you're providing necessary contact details.

    Its when those details are fake that you run in to problems.

    If you've ever had to run a domain... and you trace back bad behavior to another user on another domain, what do you do? In the past, you look at the whois information and you contact their admin.

    Now, I guess you just spin up a DDOS cloud and retaliate or some other immature stunt.

  26. Nanook

    The solution to EU's insistence of anonymity (privacy) is simple, disconnect them from the Internet.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019