Domain name sellers rub ICANN's face in sticky mess of Europe's GDPR Internet domain-name sellers have turned the tables on global DNS overseer ICANN by using its own tactics against the hapless organization. In a letter [PDF] to the California-based organization sent the day before it finally approved a "temporary" policy for the Whois service to bring it into compliance with new European …
With GDPR and the stupidity of ICANN, the only reasonable alternative for registrars in europe is to turn off WHOIS - cut the data feed or replace the data with dummy lines saying "Removed due to GDPR". If ICANN complains then inform them that laws trump their contracts.
(If a WHOIS service uses cached data rather than the dummy data, the service would be the liable party - not the registrar.)
"the only reasonable alternative for registrars in europe is to turn off WHOIS - cut the data feed or replace the data with dummy lines saying "Removed due to GDPR"."
No need. My domain's whois entry does give my name but gives Registrant type as "UK Individual" and presumably will also replace my name with something like that in a few days time. For address it says "The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service."
The TLD owner, Nominet, is quite OK with this. The Data validation field says "Nominet was able to match the registrant's name and address against a 3rd party data source". It's been like that for years.
Other European TLDs can presumably adopt similar policies if they already haven't. I'd expect the US registrars to do so for European clients; their big problem would be with clients who have moved to Europe from elsewhere but not let the registrar know.
"that wont work for a .com though. A .co.uk yes"
That's up to the .com registrars. If they have registrants resident in the EU ther they're going to have to do something like that. It doesn't matter if the ICANN contract says they can't because statute law requirements override contract terms. It would not be lawful for the registrar to follow such a contract term.
that wont work for a .com though. A .co.uk yes
It works fine for .com addresses. I've just confirmed it by checking my own. It was originally registered through GoDaddy and I just had to pay a few quid on top of the initial registration for in return for them obscuring my personal details. The only contact details listed on the site are GoDaddy's own. IF someone wants to contact me they've got to convince GoDaddy its legitimate first by contacting their abuse@ address. It was that or have every spammy twat out there being able to pull my details from a public registry.
As of Friday I won't have to pay the extra, but it's always been possible to obfuscate domain ownership.
> For address it says "The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service."
There are any number of scam domains/commercially active domains which have this in place too. I've been filing complaints with nominet about such things since around 2002-2003 when I first ran across them. (it takes all of 30 seconds to file a complaint by email).
Invariably the scammy ones switch to a Mailboxes ETC address in the 14 days that Nominet give them to sort their shit out, which actually makes them even easier to track down, as MBE(*) franchise owners hand over _everything_ when served with a summons as the purported operator of the mailbox rather than become the target of a prosecution. It gets a little more complex in a criminal case, but in those, providing a heads-up to the boxholder would result in "attempting to pervert the course of justice" charge being added, so they're generally extremely cooperative when the police get involved.
(Moral, hiding behind an anonymisation service draws attention and lowers protection levels)
(*) There are other mailboxes services. They all roll over and play dead when the law gets involved. Their business model is frequently on the edges of legality and they can't afford to be shut down or have their customers investigated in depth.
That is google's filthy sense of "compliance". They have shifted the responsibility to developers, so if there is something wrong they are not held liable and at the same time they continue collecting data and of course allowing the abuse by others, without the risk of being held responsible.
"But with ICAAN stupidity they will either sue or terminate the contract."
On what basis? That they want to enforce an illegal contract term. I said in an earlier thread that one remaining piece of information required was what the contract says about unenforceable terms: does it simply render the term unenforceable or does it negate the entire contract? Or, indeed, does it say nothing and how would a court interpret the resulting situation?
I think I prefer the EU attitude to personal data to that exhibited by the USA.
I was around for the original green-card lawyers, and now I get spam emails begging me to let them send me spam. They have spent the years since the previous generation of EU law, implemented by the UK Parliament as the Data Protection Acts, finding new victims and new loopholes. And now they're going to have to do that all over again.
'Bliss it was in that dawn to be alive
But to be young was very heaven.'
" finding new victims and new loopholes."
Royal Mail's loophole exploitation on optout of junkmail delivery (which expires after 2 years and is largely ignored by posties on orders from their managers) is so far holding up.
That's one area which needs to be stomped on. It's the only remaining area where you have to opt out AND where the optout is time-limited.
"EU tries to levy a fine but can't due to a lack of EU presence and protection by foreign sovereignty."
It hasn't stopped the USA when using their long-arm statutes to go after european entities (and collect) and blocking the EU in the other direction would have serious knock-on effects for the status of american long-arm statutes both within the USA (interstate commerce) as well as internationally.
In reality as long-arm statutes have been upheld multiple times in the USA supreme courts any attempts to nullify european ones would likely fail - and any success would be instant tradewars material.
@J J Carter
> This says more about the unwanted and unnecessary GDPR regime dreamt up by Brussels pen-pushers and cheese eaters.
The European Union is a bureaucratic tyranny run for the benefit of France and Germany. But even they, like a stopped clock, sometimes get things right.
GDPR (and previously the DPD) are examples of that.
Many IT contractors have their own companies, registered with Companies House. On the CH website, not only do they give the current directors addresses, but all former directors'. The filing history also details change of registered address.
I wanted my home address to be less traceable, so moved my registered address to that of my accountants. However, the previous address still appears, and there's no way of deleting that. Surely not GDPR compliant?
> their own companies, registered with Companies House. On the CH website, not only do they give the current directors addresses, but all former directors'.
There are specific laws around companies and providing information on the directors of companies. Directors are statutory positions, a registered company must, by law, provide names and contact information of a minimum number of directors with specific statutory positions and duties (chairman, treasurer, etc.)
Usually the directors provide business address/contact details, not personal ones.
If, however, it is 'work from home' type company, where a directors business address and business telephone numbers are the same as the individuals home address and home number, then you are going to have a problem. IANAL, however I do not believe publishing a statutorily mandated position that must require contact details of that position to be published on certain public registries (as must happen with a registered company) would be in breach of the GDPR because the information being published is proportionate and required for legitimate purposes.
Now if you, as a company director decided to run the company you are a director of from the same premises, and using the same number, as you also use for private purposes, I think this puts you in a problematic position - you have fucked it up.
Many years ago, I ran a company that was wound up more than the statutory retention date for Companies House registration ago, so it is now no longer listed on the current register. On it, at one time, I had a telephone number which was for a dedicated line for the company (and only had a answering machine on it), but which only differed by one digit from the telephone number for my house.
It did have the address of my house, however.
I have in the period of time that the company been non-existant, received telephone calls from people looking for a local PC repairer (something that my company never did, it was listed as a "Computer Services Company, but which Companies House themselves merged categories some time ago).
I tracked down the issue to one of the companies that offers Companies House lookup information on the Internet, which had not only not noticed that the company was no longer trading (nor when it was deleted), but had 'corrected' the telephone number to my home number.
I went through their complaints and corrections process, but last time I checked, the information was still being offered.
If GDPR gives me some means of finally removing this information, then I will be very glad, although I do think that some of the GDPR regulation (particularly about correcting all archived and backup copies of data) are effectively unworkable within the statutory retention period of UK financial regulations, amongst others.
"If GDPR gives me some means of finally removing this information, then I will be very glad, although I do think that some of the GDPR regulation (particularly about correcting all archived and backup copies of data) are effectively unworkable within the statutory retention period of UK financial regulations, amongst others."
I'm probably in the same position as you and I'll start giving some of these sites grief if they don't smarten up.
However if you read up about the deletion it does refer to what's technically possible. You don't have to delete from the backup. However it would be smart to retain the deletion request so if you restore from the backup you can redo the deletion from the restored data. Once you've replaced the backup with a post-deletion one you'd then no longer need to retain the request.
"However if you read up about the deletion it does refer to what's technically possible. You don't have to delete from the backup. However it would be smart to retain the deletion request so if you restore from the backup you can redo the deletion from the restored data."
Do you have any citations for this position please? It's the one I'm taking and the one our lawyers approved in February but the lawyers have been back-pedaling recently.
@adam52 It’s (a bit) tricker than that...
Here’s the guidance we got (of course I would recommend you call the ICO’s anonymous info line to confirm this - be prepared for about an hour on hold, but they’re on the ball when you speak to someone).
Anyway..
To comply with the law and the data subject’s right to be forgotten you can’t simply store the deletion request as the request itself contains their PI...
Basically you need to store the GUID/Key value that points to the deleted PI on a “list of forgotten entries”
Should the data base be restored from backup run a job that checks that list and and deletes any matches in the restored data.
There’s other gotchas sureounding confirming the validity of the request in the first place (make sure you confirm who they are, as inappropriate LOSS of a data subject’s data is ALSO a violation)
TL;DR. Yes. Yes it is.
PS make sure you scrub ALL your databases - dev test too.
"I tracked down the issue to one of the companies that offers Companies House lookup information on the Internet, which had not only not noticed that the company was no longer trading (nor when it was deleted), but had 'corrected' the telephone number to my home number."
You went about trying to get the incorrect information removed the wrong way.
A DPA section 11 notice works wonders for that kind of thing and after failure to comply it's a simple court filing to wake them up to their responsibilities (If a bailiff is going in to seize things, always tell them to target the communications/networking equipment to take first, not things like TVs. It has a galvanising effect on getting attention to find the most critical piece of equipment and remove it.)
"However, the previous address still appears, and there's no way of deleting that. Surely not GDPR compliant?"
Yet again we have to explain. Companies House information is a requirement in statute law. GDPR does not apply in such situations. As CH data includes past as well as current data on officers you aren't going to disappear that easily. You could close the company and open a new one giving your accountant's address for the director's address (assuming the accountant consents). You then have to wait until the old company disappears from the record. I'm not sure how long that takes but the perpetual beta site seems no to have my old company there but that was closed over a decade ago.
They say "Your nameservers operating throughout Europe will be blocked. All .eu, .uk, .fr, etc. domains will come under our control. You will therefore lose 50+% of your revenue overnight because nobody will have to pay you a damn thing. P.S. please list the TLD nameservers as our own, if you fail to comply we will initiate legal action, seek redress from the WTO and block access to all non-EU domains".
You can't claim to be operating TLD naming and then not listen to the countries that control those domains.
P.S. That won't happen precisely BECAUSE they are operating in the EU, and claiming to represent it to. They are basically doing business with the EU. So, yes, you actually CAN fine them into oblivion, severely restrict their trade, freeze their European assets and arrest their directors if they ever visit the continent or apply for extradition.
Nobody says that it will get that far, but they are far from immune. And they could lose half their business overnight by failing to comply.
"Why does a company based outside an EU entity even have to bother?"
If they don't want to do business there then they don't need to bother. Why do you think you shouldn't obey the laws of a country where you want to do business.
What do you think would be the result of giving them the finger? Probably a bigger fine, one enough to make an example of you. You think the country would be powerless? What do you think would happen if the law enforcement of the country then gets in touch with the offender's bank looking for payment of the fine. The company may not have a foothold in the country; their bank almost certainly does and they're not going to fight the law on behalf of a tuppenny-ha'penny scoff-law. Most likely the account would get suspended until payment was arranged.
Whois was originally intended to ensure that entities holding domains were legally serviceable (as in being able to be hit with legal paperwork)
ICANN willingly facilitated the current mess where scammers get away with anything that destroyed the usefulness of Whois many years ago.
GDPR is one thing, but the simplest way of ensuring privacy in the face of no whois will simply be to start serving registrars with legal proceedings instead of domain holders if the ownership is obscured.
Given the amount of C/O GoDaddy/Tucows/etc. entries on WHOIS, I imagine that's all they ever do anyway.
I could say I'd Fred Bloggs and register a domain, it doesn't mean I actually am them. But if you needed to establish the legal owner, someone somewhere paid on a credit card, and only the registrars knows what card, and only the banks can link that to an account, and only all of those taken together will tell you who actually is responsible.
Hence WHOIS lost its purpose many years ago, the second they allowed C/O entries, or didn't verify that the domain owners are who they say they are. Which was basically day one.
Try it. It doesn't take long to register a domain and put the registration info as Microsoft (UK) Ltd. or anything else you care to make up. It doesn't mean they're responsible for it.
.. through non-EU registrars?
For example, GoDaddy publish the full contact information for all .com domains, even if owned by EU citizens. So far, I've heard crickets from Godaddy about how they intend to handle EU customers post-26th.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
