ICANN
They keep getting slapped but are too stupid to know when to fall down. Sigh...
Global domain name system overlord ICANN’s latest attempt to deal with compliance with European data protection law has been dealt a blow after a German court rejected its request to force a registrar to keep gathering people’s information. The DNS overseer filed a lawsuit in Bonn against German domain registrar EPGA on Friday …
"He added: "ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services." "
Seems very clear to me - It must be an opt in service for anyone covered by GDPR. For those that decline i dont see why providing the details of the registry holding the domain registration data isnt an acceptable substitute. Not that you can't already get that from DNS.
This provides a route for police, security services and copyright cartels to go after data needed for legitimate purposes. If anything thats a better solution as registration data is often inaccurate or incomplete or private anyway. Especially when the domain is used for legally questionable purposes.
The reason that Icann are fighting this path as a tool of US interests - is that court orders would commonly be required in non US jurisdictions. And the US likes to pretend that US law has global reach.
Given their reactions so far - from Tronc having a hissy fit and blocking their various publications from being accessed from the EU at all, through the myriad websites like Forbes who only offer the options of data slurping or no service (ie no meaningful consent, so fail) - it seems that most American companies are having a hard time understanding that European laws apply in Europe.
"beggers belief how incompetent ICANN can be, two years notice and they still scew it up !"
To be fair on Icann, lots of powerful US interest groups were largely responsible for that. They were likely politically unable to effectively scrap Whois contractual obligations until it was clear that they had to.
"They were likely politically unable to effectively scrap Whois contractual obligations until it was clear that they had to."
They've had two years notice. That seems like quite a lot of time to take proper legal advice and frame the questions they wanted clarification on. Leaving it 'till the last few days and then launching legal action after the fact sounds more like incompetence than being politically unable to act.
They haven't screwed it up.... yet. All they've done is bury their head in the sand, occasionally scream, and then ignore the rule. Seriously, they need a year or two? I'd think a simple change to their web pages regarding signup and WHOIS would kill that info. Add in a select wipe of date from the database and job done.
Having said that, I know there's a lot of politics (and money) behind this or they wouldn't have been fighting/ignoring it for so long.
"At least Nominet complies with GDPR and ensures that REAL contact information is logged against a domain!"
All that Nominet do is ensure that the name and address likely exist. They don't even have to be linked. There is no validation that they have any relationship to the domain owner or to each other. It's just a close to valueless gesture.
ICANN just found out that european courts do not work like the US...
If it's *really* important, the courts can and *will* tell you your Hot Air is just that.... Within a week, no problem...
So... precedent set... ICANN slides to ICANN't. Done and dusted. NEXT!!
"...ICANN’s general counsel John Jeffrey said that the ruling “did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings”.
Translation:
I did not get the result I wanted, so we will continue to trawl the EU/German law books to find another basis to get our way !!!
(BTW: How much does it costs to get a ruling in MY favor in the EU !!!???)
Despite these comments, ICANN’s general counsel John Jeffrey said that the ruling “did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings”.
I'd say it provides excellent clarity. It shows that European registrars know what they're doing, know that some of the ICANN contract terms, being unenforceable in the EU, should be ignored and the business should proceed along legal lines. The sensible thing for Jeffrey to do would be to go back to his clients and tell them to let those registrars continue doing what the law says they should do.
But wow. That must have been one of the shortest times on record for a European court to give a US corporation a flea in its ear.
That must have been one of the shortest times on record for a European court to give a US corporation a flea in its ear.
German courts are famous for not taking certain forms of nonsense. They have form.
ICANN went to a German court, the first day of GDPR. That smells of jurisdiction-shopping. They wanted to lose, and they wanted a quick and clean loss. They got it. They even picked on a suitably deep-pocketed victim to be sure that being properly lawyered wouldn't cause undue pain and perhaps a perverse result (like going out of business).
Now they have a result they need to help deal with their own internal politics and shady lobbyists.
Over the years I've battled with domain registration hurdles despite, pretty much forever, having had a registration within the system. It's broken; shred the RFCs, they are just being used to extract money and prevent service.
Take a look at the whois information for apple.com; a company who, surely, would want to distinguish administrative and technical queries. This comes from:
https://www.whois.com/whois/apple.com
This is what you get if you copy'n'paste the email addresses (as plain text, without the HTML). I have javascript blocked by default and it is blocked on this page:
Registrar Abuse Contact Email: email@cscglobal.com
Registrant Email: email@apple.com
Admin Email: email@apple.com
Tech Email: email@apple.com
If you use a whois query directly, however (i.e. not a web browser, open a command line and type "whois apple.com"; I did this on a gentoo machine; OpenSUSE on Windows simply doesn't show the information) you get:
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrant Email: domains@apple.com
Admin Email: domains@apple.com
Tech Email: Apple-NOC@apple.com
You can see for yourself what they actually display as; the second list, not the first. The HTML reveals that the emails displayed are pictures, here is one:
https://www.whois.com/eimg/2/49/249f6ba0eb9411f5354b2db5f1351bfa006f5f7c.png
Well, ok, you can't see that can you! Clever trick eh? It exploits the ability of PNG images to encode semi-transparent images. The PNG image has two "colors" in it, one is black, the other is transparent. The transparent parts display the word "domains", but only if you view the image over a non-black background.
So why on earth would Apple/ICANN go to such lengths to obfuscate information that is readily available to someone like me who hasn't progressed out of the Bourne Shell?
Because they think they are really clever.
> If you use a whois query directly, however [...] you get:
Where are you based? In Europe, since last week you get this:
> whois apple.com
Domain Name: APPLE.COM
Registry Domain ID: 1225976_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-07-06T03:10:21Z
Creation Date: 1987-02-19T05:00:00Z
Registry Expiry Date: 2021-02-20T05:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: A.NS.APPLE.COM
Name Server: B.NS.APPLE.COM
Name Server: C.NS.APPLE.COM
Name Server: D.NS.APPLE.COM
Name Server: E.NS.APPLE.COM
Name Server: F.NS.APPLE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-06-03T01:01:29Z <<<
"But the court, noting that it was possible for a registrant to provide the same data for each of the three contacts - and that this had not led to a registration being denied."
Carefully saved in my doom survival toolbox, to be used in case I ever need to well and truly lock up a malicious hive mind or AI.