Berlin Group to ICANN, WHOIS is not your only GDPR problem

Just before ICANN 61, ICANN and its community received essential information regarding WHOIS and the GDPR and more.
The latest statement and recommendations are from the Berlin Group (International Working Group on Data Protection in Telecommunications and Media or IWGDPT).

The Berlin Group started out in 1983 on the initiative of some national data protection authorities; nowadays members include government agencies, representatives of international organizations and IT experts from all over the world.

So basically we have the opinion on ICANN and registrant data and WHOIS vetted by all the members of the International Conference of Data Protection and Privacy Commissioners from around the world (see https://icdppc.org/ ).
And let me put this into perspective for you as a reader. There are 122 countries with data protection laws, this opinion, is not just the opinion of a few EU DPA’s, far from it.

A few highlights from the report.

First, the report describes the current procedure for registrars regarding WHOIS and conflicts with data protection law. This procedure created in 2006 is currently not workable for registrars, and the report explains why it is barely used.

Moving on.
The report sets out that the data collection as required by the RAA 2013 (the contract between ICANN and registrars) appear to be excessive, disproportionate and obtained without free consent. My personal opinion, it is not a matter of appearance, it is the reality.

WHOIS
The Berlin group observes that publication of personal data in the WHOIS is a no go, and data gathered by service providers creates barriers for registrants to have their data removed. The examples cited are DomainIQ and Domain Tools. Anyone who knows a little about the DNS knows that it does not stop with those two companies, we are talking hundreds of companies who harvest WHOIS data.

Recommendations extracts.

1 All current WHOIS purposes for several stakeholders are not necessarily legitimate purposes and require remediation.

2 Purpose, purpose, purpose, only process data necessary for the registration of the domain name and not beyond.,

3 LEA’s should get access to a tiered WHOIS system.
Private sector security firms, to have access to such a tiered system seems to be very problematic.

4 Data retention requirements and the RAA 2013 should be re-examined.

5 Reverse WHOIS is not a given and so is bulk data capture in the new WHOIS/RDS

6 Transborder data flow.
This advice relates to the upcoming (but still in limbo) Thick WHOIS migration. The Berlin Group is somewhat skeptical here and recommends to limit data flows when necessary. In my opinion, there is zero reason to replicate data registrant databases and centralize them at registries. It is a data breach waiting to happen, and it will happen.

7 ICANN should take into account that data from small businesses, sole contracts, home businesses, start-ups may contain personal data.

There are several ICANN stakeholders, who push for a distinction between commercial and personal data.
The Berlin Group notes that there is a distinction, but it does not mean that it is up to ICANN or the WHOIS to make such a difference.
In most cases, if not all, regional law or national law requires companies to publish their contact data on their website(s) NOT the WHOIS.

8 There are, as mentioned earlier 122 countries with data protection laws, ICANN should make sure it is compliant with the highest data protection requirements.

Let us hope that ICANN takes the recommendations seriously and goes back to its core function.

The Berlin Group recommendations can be read in full here.

ICANN Registrars express GDPR concerns to ICANN

Today the Registrar Stakeholder Group (RrSG) has joined its colleagues in the Registry Stakeholder Group, Eco Association of the Internet Industry and the Internet Infrastructure Coalition in raising its concerns with ICANN about GDPR.

The letter was drafted last week and got so much support from the registrar members that we could officially support it as a stakeholder group. Realtime Register B.V. was one of the supporters.

The letter to the ICANN CEO located here, can be described as “spicy,” or “\strong.” And I think it is with good reason. Since March 2016 a dedicated small group of registrars and registries have been pouring countless of hours of time in supporting ICANN with this complex issue called the GDPR, I cannot recall how many telephone conferences I had since March 2017 till this very day, but most likely an insane number for sure.

The problem?

ICANN contractual obligations force registries and registrars to publish the personal data in a public directory called the WHOIS. The GDPR does not allow data being used beyond its original purpose, which is the registration of the domain name.
When you order a product online; you provide the shop with information so they can deliver/ship your product. It is not up to the shop to publish all your data in a public directory and mention what product you purchased. You rather not have such data released for obvious reasons, not the whole world has to know what you bought last weekend, right?
This example I guess, highlights the entire issue with the WHOIS and the tension it creates with many data protection and privacy laws.

I understand if this letter might come on strong for some folks at the ICANN organization and perhaps some stakeholders within the ICANN community, but it is ten minutes to midnight for sure, and as contracted parties, we are all liable when it comes to the GDPR, and its massive fines, and not the ICANN community. Every hour we delay will cause more issues for us registrars and our customers.

Lucky enough a significant deal of the GDPR issues can be mitigated with the free Realtime Register privacy proxy services. And while that is convenient for our customers, not every registrar offers these services and as such, are entirely depended on solutions created by ICANN.

More information regarding our privacy services can be read here.

 

 

Why Registrars require an EU based Escrow provider

Domain names, registrant data and data protection, they all have a long history in the ICANN universe. Let’s do some time traveling and let me take you back in time, starting a decade ago…

March 2007
ICANN de-accredits RegistryFly, this disaster demonstrates clearly that Registrars should escrow registrant data to an escrow provider in case a registrar goes “down.”

To counter the RegistryFly disaster, ICANN introduced escrow requirements, ICANN picks up the bill, but of course, indirectly the registrars are paying for it, how much is unknown though, as we do not know how much ICANN is paying Iron Mountain USA.

October 2015
The escrow of data to the USA went on for years without problems, until October 2015, when the CJEU invalidated Safe Harbor. Most companies, registrars included relied on Safe Harbor to transfer data to the USA. But all of the sudden this was no longer an option.

This raised awareness among registrars. Our contractual ICANN obligation to escrow data was no longer an option as it was deemed illegal by the CJEU.

ICANN had appointed more escrow providers during the years including the EU. The problem, these escrow providers are not funded directly by ICANN. The prices are high, up to 2500 Euros a month.

This means that registrars using another provider would pay twice, first the provider of their choice and second Iron mountain through the ICANN fees. Effectively this means you’re sponsoring the competition, which is insane.

Further developments………

November 2015
The invalidation of Safe Harbor demonstrated another issue; legal agreements could be here today and gone tomorrow.
Realtime Register entered into a contract with Iron Mountain using a so-called SCC aka Model Contract. This solution provided us an option to continue our escrow obligations.

July 12, 2016
The European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.

Realtime Register continued to use the SCC as it provided more safeguards for registrants compared to Privacy Shield, which was deemed invalid by legal experts the moment it was released.

August 2017
Denic the German ccTLD Registry for .DE informs ICANN registrars their far developed plans to become an ICANN designated escrow agent. ICANN acknowledged that EU Escrow providers would get the same treatment funding wise like Iron Mountain USA. Next year this treatment will be available to other escrow providers like for example China, China has very strict privacy laws.

Most recent developments……………

October 3, 2017
The Irish High Court rules on Facebook surveillance case:
Irish DPC has “well-founded concerns” over US surveillance of Facebook.
EU-US data transfer complaint referred to European Court of Justice for the second time.
The court found that the DPC has “well-founded concerns” that the SCC Decision by the European Commission (2010/87/EU) may be invalid.

11 October 2017
Realtime Register submits a letter of intent supporting Denic and urges ICANN to make haste.letter of intent

Looking ahead…………

Future
Most likely the CJEU will rule that SCC’s can no longer be used in the future. Privacy Shield will most likely be invalidated (again), causing massive operational and legal problems for registrars. ICANN should push forward with the Denic proposal as soon as possible.

Eurid Q4 results.

Eurid just released their Q4 results of 2011.

.EU has matured as an extension. This was demonstrated by .eu consumer loyalty,shown in the robust and stable registration renewal rate.In 2011, 81.6% of .eu domain names were renewed which was consistent with 2010’s renewal rate (81.7%) and above the industry average.

Eurid 2011 Highlights. 

  • In 2011 Eurid reached a total registrations of 3.51 million .EU domain names.
  • DNSSEC rollout started
  • Website usage research. This study revealed that 31.4% of the .EU websites are being used for business usuage. Full report here.
  • Eurid closed the case on sex.eu

Number crunching.

During Q4 2011, the number of .eu registrations increased by 100 802 domain names, or 3.0%, to 3.51 million. The total number ofregistrations at the end of Q4 represented an increase of 5.5%, or 182 275 registrations, when compared with the total number at the end of Q4 2010.

IDN registrations reached a total of 67074 registrations wich is about the same as with other ccTLD registries that offer IDN according to Eurid.

Deletions : During Q4 2011, there were 166 309 deletions.

Domain disputes. Eurid offers an alternative dispute system (ADR) and received 12 cases in Q4, wich is the same amount as in Q3 2011. This trend is comparable with the amount of cases that WIPO received.

For more info about the Q4 2011 results download the PDF here.