EU GDPR, is consent the Silver Bullet for Domain Name Registrations?

Consent is often cited as the silver bullet for transferring data outside of the EU. The requirements, however, are rather complex given how registries and ICANN process and control the data.

The rules for consent, according to Art. 6(1)(a) GDPR and the conditions set out in Art. 7:

  • Data subjects are provided with a clear explanation of the processing to which they are consenting;
  • The consent mechanism is genuinely voluntary and “opt-in”;
  • Data subjects are permitted to withdraw their consent easily;
  • The organization does not rely on silence or inactivity to collect consent (e.g., pre‑ticked boxes do not constitute valid consent);
  • Be specific and granular; vague or blanket consent is not enough;
  • Name any third parties who will rely on the consent;
  • Make it easy for people to withdraw consent and tell them how;
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.

Purpose
Consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes unless this would be unduly disruptive or confusing. As a minimum, consent must specifically cover all purposes.

Consent shouldn’t be disruptive.
Recital 32 also makes clear that electronic consent requests must not be unnecessarily disruptive to users. You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents.

Principles of data protection
In data protection there is one fundamental principle which is unchanged even in the age of Big Data: the data subject has to be in control of her/his data.

For consent this means that you need consent for each of the data processing activities (even for minor changes in the processing).

Scope

Considering that registrars and domain name resellers do business with well over a thousand TLDs in more than 200 countries, getting consent “right” is very difficult and complex, and relying on consent is therefore not recommended for domain name registrations.

The Right to be forgotten.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary for the purpose for which it was originally collected/processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation

The above adds another layer of complexity. Some registries will delete the data of the data subject; some don’t. Currently, it is unknown which policies the registries have in place. In short, consent adds a whole layer of organizational challenges. It is also assumed that withdrawal of consent cannot automatically lead to termination of the service: if it did, the consent would not have been “freely given”, which the GDPR requires.

Given how the public WHOIS system works, it is unknown how the right to be forgotten should work in practice within the DNS.


FAQ Privacy Protect support

1. What does privacy protect do?
2. Why should you offer privacy protect to your customers?
3. What are the benefits of privacy protecting?
4. How can I set all domains of a registrant contact to privacy protect?
5. Do I need to have consent of the registrant for privacy protect?
6. Do ALL TLDs allow privacy protecting?
7. How can someone get in touch with the registrant of a privacy protected domain?
8. Why should I set my customers domains on client transfer prohibited TRUE?
9. How about exposing registrant information through the other contacts?

1. What does privacy protect do?

Realtime Register privacy protect removes the exposed registrant information and replaces it with a default data set and an email address derived from the domain name.

Example WHOIS output, non-privacy-protected domain

Registrant Name: John Johnson
Registrant Organization:
Registrant Street: 404 street name
Registrant City: Amsterdam
Registrant State/Province:
Registrant Postal Code: 1000 AA
Registrant Country: NL
Registrant Phone: +31.106660666
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: john@whatever.whatever

Example WHOIS output, privacy-protected domain

Registrant Name: Privacy Protect
Registrant Organization: My Domain Provider
Registrant Street: Ceintuurbaan 32A
Registrant City: Zwolle
Registrant State/Province: 
Registrant Postal Code: 8024 AA
Registrant Country: NL
Registrant Phone: +31.382305013
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: domainname.extension@mydomainprovider.com

Where “domainname.extension” is replaced by the domain name of the WHOIS output. If the phone number is called, a recorded message asks the caller to contact the registrant by email.

2. Why should you offer privacy protect to your customers?

By exposing the registrant information you might be in breach of the GDPR, especially if you don’t have explicit consent to publish the registrant information in a public WHOIS. In addition, privacy is a human right. As article 12 of the United Nations Universal Declaration of Human Rights states:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

3. What are the benefits of privacy protecting?

  • It protects your customer’s privacy more effectively
  • It prevents spam by email, phone call or text message to your customers
  • It is compliant with over 100 data protection laws worldwide.

4. How can I set all domains of a registrant contact to privacy protect?

For starters, make sure you have your customer’s consent for setting domains to privacy protect. You can get this either as explicit consent or through your terms of service. If you use the Realtime Register Domain Manager, we have a Privacy Protect step-by-step plan available for you. If you use the Realtime Register API, you can use the API commands to set privacy protect; even then, have a look at the Privacy Protect step-by-step plan.

5. Do I need to have consent of the registrant for privacy protect?

Yes, you need some form of consent; please have a look at item 4 of this FAQ.

6. Do ALL TLDs allow privacy protecting?

Nope, I am sorry. However, privacy protect is allowed for practically all generic TLDs. Most ccTLDs don’t allow it, but the ccTLDs that don’t allow privacy protect generally show very little information anyway, so the registrant is effectively privacy protected.
For example, the Dutch .nl extension does not display the registrant name if no organization name is added to the registrant information, as do other ccTLD registries like DNS BE, Eurid and Afnic.

7. How can someone get in touch with the registrant of a privacy protected domain?

Basically in two ways: by using a captcha-protected form at mydomainprovider.com, or by sending an email to the domainname.extension@mydomainprovider.com address shown in the WHOIS.

  1. If the form at mydomainprovider.com is used, the email with optional attachment is sent directly to the email address in the registrant contact handle. Of course, the sender does not get to see the real address.
  2. If the mail is sent directly to the email address in the WHOIS, the behaviour depends on the status of the client transfer prohibited setting.
    1. If client transfer prohibited is TRUE, the sender gets an email pointing to the mydomainprovider.com form. This effectively blocks spam bots from reaching the registrant.
    2. If client transfer prohibited is FALSE, the registrant gets a standard email with a link to view the message. Attachments from the sender are discarded. This route gives only limited protection from spam, but allows transfer-out FOAs (Forms of Authorization) to reach the registrant.

8. Why should I set my customers domains on client transfer prohibited TRUE?

  1. It helps to prevent domain theft and unwanted transfers.
    • Even if a member of your staff has been socially engineered into giving an authorization code to an unauthorized person, it adds an additional threshold for transferring the domain away.
  2. It further reduces spam reaching the registrant.
    • If the domain is privacy protected, automated spam cannot reach your customer’s mailbox.

9. How about exposing registrant information through the other contacts?

That is a tricky one: if you use other contacts that carry the registrant’s information, you will unintentionally expose the registrant’s contact information. In general, there are two approaches:

  1. Change all admin, billing and tech contacts to a contact that has your brand information. As a nice side effect, your brand gets more exposure in the whois information.
  2. Change all contacts to the contact handle of the registrant. This way, these whois contacts will also display the privacy protect information.

It’s up to you, make your pick!
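The behaviour described in items 1, 7, 8 and 9 of this FAQ, worked through in Python as an added example. This is not Realtime Register’s code and it does not call the Realtime Register API; the record layout, the field names (taken from the WHOIS sample above), the mydomainprovider.com placeholder and the sample contacts are all assumptions made for the example.

```python
"""Added example, not Realtime Register code: WHOIS privacy protect as this
FAQ describes it (items 1, 7, 8 and 9), in plain Python.

Assumptions not taken from the page: a registration is a dict with one
sub-dict per contact role, field names follow the WHOIS sample above, and
the provider placeholder is mydomainprovider.com as in that sample.
"""

CONTACT_FIELDS = ("Name", "Organization", "Street", "City", "State/Province",
                  "Postal Code", "Country", "Phone", "Phone Ext", "Fax",
                  "Fax Ext", "Email")
PROVIDER = "mydomainprovider.com"

# Default data set from the FAQ's privacy-protected sample output.
PRIVACY_DATASET = {
    "Name": "Privacy Protect", "Organization": "My Domain Provider",
    "Street": "Ceintuurbaan 32A", "City": "Zwolle", "State/Province": "",
    "Postal Code": "8024 AA", "Country": "NL", "Phone": "+31.382305013",
    "Phone Ext": "", "Fax": "", "Fax Ext": "",
}


def privacy_email(domain):
    """Per-domain forwarding address: domainname.extension@mydomainprovider.com."""
    return f"{domain.lower()}@{PROVIDER}"


def protect_contact(domain):
    """Masked contact for one domain: the default data set plus the derived email."""
    masked = dict(PRIVACY_DATASET)
    masked["Email"] = privacy_email(domain)
    return masked


def apply_privacy_protect(record, roles=("registrant",)):
    """Copy of the record with the named contact roles replaced by the masked
    contact. roles=("registrant",) is item 1; masking every role is item 9,
    approach 2. The original record is left untouched."""
    domain = record["domain"]
    contacts = {role: protect_contact(domain) if role in roles else dict(contact)
                for role, contact in record["contacts"].items()}
    return {"domain": domain, "contacts": contacts}


def find_leaks(original, published):
    """Item 9: (role, field) pairs in the published WHOIS that still show a
    non-empty value of the real registrant. A value the privacy data set
    shows anyway (e.g. Country "NL") is not counted, as it reveals nothing."""
    real = original["contacts"]["registrant"]
    leaks = []
    for role, contact in published["contacts"].items():
        for field in CONTACT_FIELDS:
            value = contact.get(field, "")
            if value and value == real.get(field, "") and value != PRIVACY_DATASET.get(field):
                leaks.append((role, field))
    return leaks


def route_inbound(original, message, transfer_prohibited):
    """Items 7 and 8: handle a message sent straight to the privacy address.
    With client transfer prohibited TRUE the sender is only pointed at the
    captcha form; with FALSE the real registrant gets a notification with a
    link to the message, attachments dropped, so transfer-out FOAs still arrive."""
    local, _, host = message["to"].partition("@")
    if host != PROVIDER or local != original["domain"].lower():
        raise ValueError("not the privacy address of this domain")
    if transfer_prohibited:
        return {"action": "reply_with_form_link", "to": message["from"]}
    return {"action": "notify_registrant",
            "to": original["contacts"]["registrant"]["Email"],
            "attachments_dropped": len(message.get("attachments", ()))}


def render_whois(published):
    """Render the contacts in the 'Registrant Name: ...' layout shown above."""
    return "\n".join(f"{role.capitalize()} {field}: {contact.get(field, '')}".rstrip()
                     for role, contact in published["contacts"].items()
                     for field in CONTACT_FIELDS)


# Constructed sample: the admin contact is a copy of the registrant (the
# situation item 9 warns about), the tech contact is the reseller's own.
JOHN = {"Name": "John Johnson", "Street": "404 street name", "City": "Amsterdam",
        "Postal Code": "1000 AA", "Country": "NL", "Phone": "+31.106660666",
        "Email": "john@whatever.whatever"}
SAMPLE = {"domain": "example.com",
          "contacts": {"registrant": dict(JOHN), "admin": dict(JOHN),
                       "tech": {"Name": "Hostmaster", "Organization": "Reseller B.V.",
                                "Country": "NL", "Email": "hostmaster@reseller.example"}}}

if __name__ == "__main__":
    registrant_only = apply_privacy_protect(SAMPLE)
    print(render_whois(registrant_only))
    print("leaks:", find_leaks(SAMPLE, registrant_only))   # admin still exposes John
    everything = apply_privacy_protect(SAMPLE, roles=("registrant", "admin", "tech"))
    print("leaks:", find_leaks(SAMPLE, everything))         # []
    mail = {"from": "someone@sender.example", "to": privacy_email("example.com"),
            "attachments": ["foa.pdf"]}
    print(route_inbound(SAMPLE, mail, transfer_prohibited=True))
    print(route_inbound(SAMPLE, mail, transfer_prohibited=False))
```

With only the registrant masked, the copied admin contact still exposes name, address, phone and email, which is exactly what item 9 warns about; masking every role (approach 2) leaves nothing for the leak check to find. The check deliberately ignores values the privacy data set itself publishes, such as a matching country, since those reveal nothing about the registrant.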

ICANN, Thick WHOIS Migration Delay & Pray

The migration of the Verisign Thick WHOIS has been delayed until 29 November.
This is a welcome change from the original migration date, which was set at 1 August 2017.

We at Realtime Register were not planning to migrate on that date anyway, as we are still reviewing the EU GDPR and its impact.

Currently, ICANN is collecting community input regarding the EU GDPR until September this year. In November ICANN will present the results, which should provide more clarity as to whether or not ICANN is the data controller under the EU GDPR. Furthermore, registrars expect more clarity at that date regarding the output of personally identifiable data through the public WHOIS.

The EU GDPR will go into effect on 25 May 2018 and will severely impact your business.
A blog post regarding the EU GDPR and how it will affect you as a reseller will follow soon.

ICANN blogged about this migration delay here.

IRTP-C Newsletter

IRTP-C

On December 1, 2016, the Inter-Registrar Transfer Policy will be updated to IRTP-C. ICANN designed this policy to prevent domain name theft. We are not entirely satisfied with how the policy has evolved, but because we made serious efforts to steer things in a better direction, the resulting policy offers some hooks that fit into daily operations.

This email covers the following topics:

  • Summary of the IRTP-C;
  • Key Concepts;
  • Affected Operations;
  • Required Actions;
  • IRTP-C maintenance window.

Summary of the IRTP-C

If the registrant data is changed in such a way that ownership might transfer to another person and/or organization, both the old and the new registered domain name holder are required to accept the change first.

However, both old and new registrants can appoint a “Designated Agent” to act on their behalf. This consent must be given explicitly. The Designated Agent is authorized to approve a change of registrant. After the change is completed, a notification is sent to the old and new registrant.

ICANN has published the official policy on their website: https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en

Key Concepts

Both the registrar (Realtime Register) and the reseller (you) have to be compliant with this updated policy. In the implementation of the policy, we have strived to make this as uncomplicated and efficient as possible. However, it’s good to have an understanding of the key concepts of the new transfer policy first.

Old Registrant
The registered domain name holder (according to the WHOIS information) at the moment a contact update, domain update or (internal) transfer is requested.

New Registrant
The registered domain name holder after the contact update, domain update or (internal) transfer is completed.

Material Change of the registrants’ details
Any change to the registrant’s name, organization or email. Other details, like phone, postal code or country, are NOT considered material changes.

Designated Agent
An entity which has explicit permission from the old or new registered domain name holder (registrant) to change contact information at the registry on their behalf.

60-day lock, opt out
After a material change of the registrant information, the domain names affected by this change are under a 60-day transfer lock. During this period, the domain names cannot be transferred to another registrar. However, the old registrant can choose to not use this lock (opt out).

Notification email
An email that is sent to the new and/or old registrant to inform them about the material change of the registrant information. Realtime Register customizes this notification email so that it matches the reseller’s branding.

Affected Operations

The IRTP-C applies to the following operations:

  • Update contact request;
  • Update domain request;
  • Transfer in request;
  • Transfer in request (internal).

[Figure: Simplified flowchart of the IRTP-C affected operations]
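The IRTP-C rules from the Key Concepts and Affected Operations above, applied to a contact or domain update, as an added Python example. This is neither Realtime Register’s nor ICANN’s code and it does not use the real API flag; the contact field names, the boolean designated agent parameters and the sample contacts are assumptions, while the material fields, the approval rule and the 60-day lock follow the definitions above.

```python
"""Added example, not Realtime Register's or ICANN's code: the IRTP-C rules
from the Key Concepts above, applied to a registrant data update.

Assumptions not taken from the page: contacts are dicts with "name",
"organization" and "email" keys (plus non-material fields), designated
agent consent is passed as two booleans, and email comparison is
case-insensitive.
"""
from datetime import date, timedelta

MATERIAL_FIELDS = ("name", "organization", "email")  # material per the Key Concepts
LOCK_DAYS = 60
POLICY_START = date(2016, 12, 1)  # IRTP-C activation date given in this newsletter


def _norm(field, value):
    value = (value or "").strip()
    return value.casefold() if field == "email" else value


def material_changes(old, new):
    """Material fields that differ between old and new registrant data.
    Phone, postal code, country etc. never appear here."""
    return [f for f in MATERIAL_FIELDS if _norm(f, old.get(f)) != _norm(f, new.get(f))]


def evaluate_update(old, new, *, agent_for_old=False, agent_for_new=False,
                    opt_out_lock=False, today=None):
    """Decide what IRTP-C requires before an update can be applied.

    Returns a dict with:
      material          whether this counts as a change of registrant
      changed           the material fields that differ
      approvals_needed  who must accept first (a party is skipped when a
                        designated agent with explicit consent acts for it)
      locked_until      end of the 60-day transfer lock, or None (opt-out)
      notify            who receives the notification email afterwards
    """
    today = today or date.today()
    changed = material_changes(old, new)
    if not changed:
        return {"material": False, "changed": [], "approvals_needed": [],
                "locked_until": None, "notify": []}
    approvals = []
    if not agent_for_old:
        approvals.append("old_registrant")
    if not agent_for_new:
        approvals.append("new_registrant")
    locked_until = None if opt_out_lock else today + timedelta(days=LOCK_DAYS)
    return {"material": True, "changed": changed, "approvals_needed": approvals,
            "locked_until": locked_until, "notify": ["old_registrant", "new_registrant"]}


def transfer_allowed(decision, today):
    """Can the domain be transferred to another registrar on this day?"""
    return decision["locked_until"] is None or today >= decision["locked_until"]


# Constructed sample contacts.
OLD = {"name": "John Johnson", "organization": "", "email": "john@whatever.whatever",
       "phone": "+31.106660666", "country": "NL"}
NEW_PHONE = dict(OLD, phone="+31.100000000")                          # not material
NEW_OWNER = dict(OLD, name="Jane Doe", email="jane@whatever.whatever")  # material

if __name__ == "__main__":
    print(evaluate_update(OLD, NEW_PHONE, today=POLICY_START))
    plain = evaluate_update(OLD, NEW_OWNER, today=POLICY_START)
    print(plain)                                     # both approvals, lock until 2017-01-30
    agent = evaluate_update(OLD, NEW_OWNER, agent_for_old=True, agent_for_new=True,
                            today=POLICY_START)
    print(agent["approvals_needed"])                 # []: the reseller acts as agent
    print(transfer_allowed(plain, POLICY_START + timedelta(days=59)))  # False
    print(transfer_allowed(plain, POLICY_START + timedelta(days=60)))  # True
```

A phone or country change passes through without approvals or lock; a name or email change needs both registrants to accept unless the reseller holds explicit designated agent consent for that party, and it starts the 60-day transfer lock unless the old registrant opted out.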

Required Actions

First, decide whether you will act as designated agent or not. As a designated agent you need explicit consent from your customer (the old and/or new registrant) to transfer and/or trade the domain or update the registrant information on their behalf.

If you aren’t a designated agent and you initiate material changes at some point, the registrant will receive branded emails with a request to accept the changes on a branded mydomainprovider.com page.

If you are acting as designated agent:
  • Make sure you get consent from your customers, either through your contract or through a secure web interface.
  • Resellers using the API integration need to add an optional flag to the affected operations.
  • Resellers using the domain manager can tick the box in the applicable forms.

If you are NOT acting as the designated agent:
  • Make sure to update the new and changed branding templates.

Please visit our blog post Get ready for the IRTP-C with detailed information to prepare for the new policy.

IRTP-C maintenance windows

To prepare our systems for the policy and the new API commands, we have planned maintenance windows for the OT&E and production environments.

The OT&E environment will be updated on Monday, November 21st, from 10:00 until 10:30 UTC. Within this period, the services of the OT&E environment will be interrupted. This will have no consequences for the production system. The IRTP-C policy will be activated during the release for testing purposes.

The production environment will be updated on Tuesday, November 29th, from 6:30 until 7:00 UTC. Within this period, the services for Realtime Register will be interrupted. DNS resolution will NOT be interrupted. The IRTP-C policy will NOT yet be activated during the release. You can start using the designated agent parameters; these will be ignored until the IRTP-C policy is activated.

The IRTP-C policy will be activated on production Thursday, December 1st 00:00 UTC.

The ICANN GDD summit 2016 kicks off in Amsterdam, May 16-19, 2016

Not your usual suspects

This summit has a different setup compared to regular ICANN meetings. The main difference is that only the contracted parties will be engaging, i.e. Registrars and Registries and of course ICANN, allowing us to deal with topics that normally aren’t on the agenda.

[Image: ICANN logo (photo credit: Wikipedia)]

What’s on the menu?
A whole array of topics will be discussed during these three days. Let me give you a little background information regarding some of the sessions.

TLD & Universal Awareness, not to be confused with Universal Acceptance.
Reality has kicked in for the Registries: the registration projections for the new gTLDs have now been replaced by more realistic numbers and everyone agrees that the new gTLDs are in for the long haul. This session, led by the Domain Name Association (DNA), will discuss how we can all create more awareness.

New gTLDs: Getting to the next round
That’s right: there will be a next round. I predict that, somewhere around 2020, you can apply for new TLDs again. There is some talk that this round will be mostly used for brands to apply for their own TLD. On the other hand, ICANN warned 200 brand owners to move ahead with their TLDs as they have made zero progress in the current round. All things considered, it will be an interesting discussion for sure.

Healthy Domains Initiative (HDI)
Botnets, malware, phishing: abuse comes in many forms and is becoming a threat to our industry, the threat being that governments will try to get a grip on it. Governments are usually not technically driven organizations and, even worse, often do not understand technology. In my opinion this makes them the least likely candidates to deal with this “abuse” problem. In conclusion: we need to get ahead of this issue.

Universal Acceptance (UA)
In my opinion this might be the most important topic of the summit. Let me explain the issue with an example.

The TLD .SOCIAL suddenly became very popular in South America a year ago. A lot of people there registered .SOCIAL domains only to discover that the Internet Service Providers (ISPs) in South America were not supporting .SOCIAL. In fact, .SOCIAL was not working at all. Moreover, most of the ISP operators had no idea that a lot of new extensions had been released, causing major problems in all layers of the networking infrastructure.

This problem is still ongoing and ranges from apps not supporting new gTLDs to email servers not delivering email. Even though ICANN cannot solve this problem, the corporation supports the Universal Acceptance Group by all means available to get this issue under control.

Room for more.

There is more on the menu during the summit for sure, but in my opinion, the topics mentioned above are the most interesting ones. Nevertheless, I expect the rest of the topics to be pretty good as well. Stay tuned for an update after the summit. Interested in all topics? You’ll find the complete agenda here.