Streamlining domain name abuse reports and disclosure requests

We released a few new features, one of them, RDAP reseller Vcard. 

To further streamline abuse reports & disclosure requests, Realtime Register introduces the Abuse Vcard. This Vcard will display your (reseller role) abuse contact details through RDAP. 

Showing your (external) abuse contact information will increase the speed of abuse reporting. 

Internal abuse email address/information. 

Resellers can also enter abuse contact information for our abuse & support staff. 

We are not setting requirements here for our resellers, but it would be good if this email address is monitored 24/7. We intend to use this info for emergency communications when dealing with security threats. 

Abuse Domain Manager

 

External abuse reporting address (RDAP). 

RDAP, the replacement of WHOIS, is role-based and supports Vcards. The general idea is that resellers supply their public abuse email address and Company name and telephone number. 

Once this information is present in our system, we will display the info through RDAP. We are confident that the use of this extra contact will streamline abuse reporting.  

Resellers can also assign an abuse contact information for sub-resellers or different labels using the branding management tool within the reseller account. 

At a later stage, we will incorporate such public abuse email addresses in our reseller lookup tool. 

Reseller lookup tool? Yes, just before the GDPR enforcement back in 2018, we introduced a reseller lookup tool to assist LEA’s and other third parties. 

https://www.realtimeregister.com/resources/locate-your-provider/

Reseller Lookup tool

For the reader who knows RDAP very well, yes, we are using the reseller role to display abuse contact information. 

We think that this a better use for now as we already have a reseller lookup tool. 

While RDAP supports many more roles, there is currently no standard for other roles. Once more roles are defined, we can add more info to RDAP. 

Data Protection Officer 

If your company has a DPO, please enter their contact information. While this would satisfy GDPR compliance requirements, there are multiple practical reasons: 

  • Registrant disclosure requests
  • More streamlined communication if there is a data breach. 
  • Improved communication if a data subject wants to exercise his or her rights provided by the GDPR. 

RDAP Output with Abuse Vcard

ICANN SSAD.

The ICANN community is still working on the Standardized System for Access and Disclosure (SSAD).

The details of how this is going to work are still being discussed.

 But we imagine that at some point, we want to automate disclosure requests as much as possible. 

The DPO contact role may, at some point, be used within the SSAD to send disclosure requests.

GDPR Art 27

For those of our resellers who need to comply with Art 27, you can now enter an email address of such a GDPR Representative.

Again this is to ensure better coordination between requestors and other third parties. 

The GDPR Representative data is not public in the WHOIS or RDAP. 

Please check our knowledge base on how to add this information to your into the Realtime Register Domain Manager.

Berlin Group to ICANN, WHOIS is not your only GDPR problem

Just before ICANN 61, ICANN and its community received essential information regarding WHOIS and the GDPR and more.
The latest statement and recommendations are from the Berlin Group (International Working Group on Data Protection in Telecommunications and Media or IWGDPT).

The Berlin Group started out in 1983 on the initiative of some national data protection authorities; nowadays members include government agencies, representatives of international organizations and IT experts from all over the world.

So basically we have the opinion on ICANN and registrant data and WHOIS vetted by all the members of the International Conference of Data Protection and Privacy Commissioners from around the world (see https://icdppc.org/ ).
And let me put this into perspective for you as a reader. There are 122 countries with data protection laws, this opinion, is not just the opinion of a few EU DPA’s, far from it.

A few highlights from the report.

First, the report describes the current procedure for registrars regarding WHOIS and conflicts with data protection law. This procedure created in 2006 is currently not workable for registrars, and the report explains why it is barely used.

Moving on.
The report sets out that the data collection as required by the RAA 2013 (the contract between ICANN and registrars) appear to be excessive, disproportionate and obtained without free consent. My personal opinion, it is not a matter of appearance, it is the reality.

WHOIS
The Berlin group observes that publication of personal data in the WHOIS is a no go, and data gathered by service providers creates barriers for registrants to have their data removed. The examples cited are DomainIQ and Domain Tools. Anyone who knows a little about the DNS knows that it does not stop with those two companies, we are talking hundreds of companies who harvest WHOIS data.

Recommendations extracts.

1 All current WHOIS purposes for several stakeholders are not necessarily legitimate purposes and require remediation.

2 Purpose, purpose, purpose, only process data necessary for the registration of the domain name and not beyond.,

3 LEA’s should get access to a tiered WHOIS system.
Private sector security firms, to have access to such a tiered system seems to be very problematic.

4 Data retention requirements and the RAA 2013 should be re-examined.

5 Reverse WHOIS is not a given and so is bulk data capture in the new WHOIS/RDS

6 Transborder data flow.
This advice relates to the upcoming (but still in limbo) Thick WHOIS migration. The Berlin Group is somewhat skeptical here and recommends to limit data flows when necessary. In my opinion, there is zero reason to replicate data registrant databases and centralize them at registries. It is a data breach waiting to happen, and it will happen.

7 ICANN should take into account that data from small businesses, sole contracts, home businesses, start-ups may contain personal data.

There are several ICANN stakeholders, who push for a distinction between commercial and personal data.
The Berlin Group notes that there is a distinction, but it does not mean that it is up to ICANN or the WHOIS to make such a difference.
In most cases, if not all, regional law or national law requires companies to publish their contact data on their website(s) NOT the WHOIS.

8 There are, as mentioned earlier 122 countries with data protection laws, ICANN should make sure it is compliant with the highest data protection requirements.

Let us hope that ICANN takes the recommendations seriously and goes back to its core function.

The Berlin Group recommendations can be read in full here.

Update on ICANN and WHOIS

Kevin Murphy from DomainIncite has written an excellent article about the all the ins and outs how WHOIS might look like in May this year, which you can read here.

I do not entirely agree with Kevin if privacy services are going to be free.
In the current setup, our privacy proxy service still has added value when it comes to spam prevention.
I think it is more accurate, that if ICANN no longer requires personal data to be displayed in the WHOIS the need use a privacy service to prevent such display of personal data becomes obsolete, after all that is what a privacy service does, replacement of personal data from the registrant through the use a privacy proxy service.
Many data protection laws have a data minimization requirement, which is absent in the ICANN proposal. The Realtime Register privacy proxy service makes sure that such condition is fulfilled. Of course, there is a chance that ICANN will stop with the Thick WHOIS requirements, but for now, the ICANN community is not ready for such chance.

The ICANN model still requires that the organization/company field should always be displayed.
I do not agree, while it is true that companies are exempt from the GDPR, it is not up to ICANN to make the distinction here and would go against the recommendation of the ICANN PPSAI working group. This group recommended that there is no distinction between natural persons and companies when it comes to the usage of privacy proxy services. Why ICANN thinks they are in charge to make the distinction is beyond me.
In most cases, if not all, regional law or national law requires companies to publish their contact data on their website(s) NOT the WHOIS.

My advice to our customers, use our privacy service (or data protection compliance service) at all times. You can read more regarding this service here.

With ICANN 61 starting this week, we will soon know more how the WHOIS will look like. ICANN still seeking input, so some of it is subject to change, though I think we have a rough outline now on how it will look like.

 

 

ICANN Registrars express GDPR concerns to ICANN

Today the Registrar Stakeholder Group (RrSG) has joined its colleagues in the Registry Stakeholder Group, Eco Association of the Internet Industry and the Internet Infrastructure Coalition in raising its concerns with ICANN about GDPR.

The letter was drafted last week and got so much support from the registrar members that we could officially support it as a stakeholder group. Realtime Register B.V. was one of the supporters.

The letter to the ICANN CEO located here, can be described as “spicy,” or “\strong.” And I think it is with good reason. Since March 2016 a dedicated small group of registrars and registries have been pouring countless of hours of time in supporting ICANN with this complex issue called the GDPR, I cannot recall how many telephone conferences I had since March 2017 till this very day, but most likely an insane number for sure.

The problem?

ICANN contractual obligations force registries and registrars to publish the personal data in a public directory called the WHOIS. The GDPR does not allow data being used beyond its original purpose, which is the registration of the domain name.
When you order a product online; you provide the shop with information so they can deliver/ship your product. It is not up to the shop to publish all your data in a public directory and mention what product you purchased. You rather not have such data released for obvious reasons, not the whole world has to know what you bought last weekend, right?
This example I guess, highlights the entire issue with the WHOIS and the tension it creates with many data protection and privacy laws.

I understand if this letter might come on strong for some folks at the ICANN organization and perhaps some stakeholders within the ICANN community, but it is ten minutes to midnight for sure, and as contracted parties, we are all liable when it comes to the GDPR, and its massive fines, and not the ICANN community. Every hour we delay will cause more issues for us registrars and our customers.

Lucky enough a significant deal of the GDPR issues can be mitigated with the free Realtime Register privacy proxy services. And while that is convenient for our customers, not every registrar offers these services and as such, are entirely depended on solutions created by ICANN.

More information regarding our privacy services can be read here.

 

 

Update on publication of personal data in the WHOIS / RDS

There has been a considerable debate whatever ICANN will enforce the contractual agreement between registrars and registries to display personal data in the WHOIS.

Publication of personal data in the WHOIS is usually in conflict with many data protection laws around the world.

The EU GDPR and its substantial non-compliance fines seem to sway the discussion into a direction where ICANN needs to come up with solutions. And they did: ICANN published several models that propose to limit the publication of personal data in the WHOIS. The next step is that the ICANN community analyzes these models.

The models created by the ICANN Organisation can be viewed through the link below.

interim-models-gdpr-compliance-12jan18-en

All the models published by the ICANN community are posted here.

The end of WHOIS?
The models proposed by the ICANN organization have limited personal info published in the WHOIS the two other models no longer publish personal data in the WHOIS.

The ECO model also has in common that there is no personal data published in the WHOIS.

So ultimately I think we are heading to a solution where registries and registrars no longer will publish person data in the WHOIS.
All models continue their support for data transfer to registries. In my opinion, this does not meet the EU GDPR data minimization principle, which I will explain in a future blog post.

Most beautiful model?
All models are not perfect, and to be used as a solution the following are of key importance.

  • Flexibility
  • Implementation time frame.

In my opinion, the ECO model fits those requirements.
In addition to this, the ECO model has the largest industry support, which is key critical for mass adoption.

The end of privacy protection services?
Should you still use the Realtime Register privacy protect service even when there will be no personal data published in the WHOIS in May 2018?
The short answer is, yes.

All proposed models might tackle the WHOIS issue; it does not address the issue of possible data breaches, increased legal requirements for you as a reseller, and other areas of GDPR noncompliance. Our privacy service does that, though perhaps we should rename our privacy service to Data Protection Compliance Services (DPCS).

Interim solutions.

Keep in mind the solutions proposed are interim solutions, I would urge the ICANN community to band together and start working on real lasting solutions, rather than attacking interim solutions.

Realtime Register is a supporter of the ECO model.