NordVPN Promotion

Home / Blogs

GDPR: Registries to Become Technical Administrators Only?

Protect your privacy:  Get NordVPN  [73% off 2-year plans, 3 extra months]

On 11 December 2017, about 25 participants from Europe and the US attended the public consultation for the brand new GDPR Domain Industry Playbook by eco (Association of the Internet Industry, based in Germany) at the representation of the German federal state Lower Saxony to the European Union in Brussels.

The General Data Protection Regulation (GDPR) poses a challenge for the Registries, Registrars, Resellers and ICANN. By May 25, 2018, all parties need to be compliant, which means that not only contracts need to be reviewed, but also technical systems need to be revisited. To date, various legal memoranda have been shared, and several parties have worked on their own compliance, but no industry-wide proposal has been published that allows for a discussion of the respective roles and responsibilities of the parties involved as well as a review of data flows. The Playbook will facilitate the process of finding a commonly adopted data model to allow for compatibility of the technical, organizational and legal models the parties will use.

GDPR: Will Registars still deliver Registrant data to Registries

A significant part of the discussion concerned the topic whether the Registrars still are going to provide the Registries with the full Registrant data set (owner, admin and tech data) as their contract with ICANN and the Registries demands. There was a strong opinion of the Registrars present at the meeting (some of the top 5 globally): With GDRP in place we will not longer forward the domain name registration data to the Registries, as they do not need them to maintain their Registry function.

It seems that the Registrars are trying to use the GDPR to wipe out a decade-long multi-stakeholder discussion and consultation in the Internet Community which resulted in the thick Whois for all gTLDs. One reason why Thick Whois was introduced is the fact that ICANN terminates year by year dozens of bad actor Registrar going bankrupt or just out of business sometimes leaving millions of Registrants in the dark. Only thanks to those Registries which maintain a Thick Whois, the damage is limited. The bad actor Registrar problem will likely not be solved mid-term. And over-ruling the new Thick Whois quickly with Thin Whois again is also not a way that will happen, even with the GDPR.

In the present, the subparagraphs of the GDPR allow for transferring Registrant Data to the Registry if there is (a) Consent and for (b) Performance of a contract and for (c) Legitimate Interests. Let’s focus on the Legitimate Interest as (a) and (b) are somehow tricky or literally possible. If a Registry demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims, then the Registrant data would also be given to the Registry.

GDPR: A way out of the invidious Situation

At the meeting in Brussels representatives of Registrars and Registrars discussed the diverting interests regarding the Registrant data, but it came out that there a number of good reasons and legitimate interests according to GDPR why the Registries may need to have these data. The reasons why Registry should continue to maintain Registrant data are:

  • Registries are maintaining the central abuse contact point for domain name abuse such as spam, phishing, pharming, botnet activity. Multiple participants in the meeting noted from their experience that Registrars often not respond to abuse notifications. Especially if harm is obvious, Registries act quite quickly.
  • Registries are contractually obliged to run mandatory security checks on their domain name. This can only be done properly if Registrant data are available.
  • Registration requirements such as the local present, member of a certain community (e.g., language, culture) or industry sector (e.g., bank, insurance) require full access to Registrant data.
  • Especially geoTLDs need to fulfill contracts with their government.
  • Other reasons

Such legitimate interests should be fixed in an update of the Registry-Registrar-Agreement (RRA) and the Registry’s policy. By the way, the use of data just for marketing, market research or sales purposes is not justifiable under the GDPR.

In general, if Registries do not have access to Registrant data, an important part of their role as responsible gTLD manager may not be fulfilled anymore. Registries are ICANN’s contracted guardians of the generic top-level domains (gTLD) and being responsible for stability and security of the zone in the first instance, but also for the gTLD’s sustainable economic success. In opposite to Registrars, the Registries are monitored very closely by ICANN and are a hoard of stability in the domain name industry. Therefore the Registry needs to understand demographics, geographical distribution, business types and related data from the WHOIS to thrive and prosper its gTLD. Without WHOIS data the Registry would run its gTLD in a blind flight mode with a significant economic loss expected overtime—for Registries, and Registrars too. If Registrars are interested in Registries doing marketing in their gTLD community, they should together find a justifiable way for the data handling.

More about the eco Playbook at https://web.eco.de/themen/names-numbers/gdpr-domain-industry-playbook

By Dirk Krischenowski, Founder and CEO of dotBERLIN GmbH & Co. KG

Filed Under

Comments

Dozens of bad actor registrars year by year? Volker Greimann  –  Dec 12, 2017 5:25 PM

Hi Dirk, I am sure you are exaggerating when it comes to the utility of thick whois. In the past, there has been exactly one case where thick whois would have been useful to assist registrants in accessing their domains and that was the one with the fly. A much better tool against registrar failure or termination is the registrar data escrow program, which securely maintains the registrant data for just that case. Registries do not even play a role in that other than transferring the domains from the failed/terminated registrar to the new registrar.

I am also not aware that “ICANN terminates year by year dozens of bad actor Registrar going bankrupt or just out of business sometimes leaving millions of Registrants in the dark” is actually a fact. I certainly have not seen these cases in the numbers you describe, affecting the numbers of registrants you describe.

You are exaggerating! Not passing on private registrant information to registries will have no effect on the process to safeguard the interests of those registrants.

>A much better tool against registrar failure Charles Christopher  –  Dec 12, 2017 7:05 PM

>A much better tool against registrar failure or termination is the registrar data escrow program The data escrow programs allows submission of privacy whois. Thus the data escrow program protects registrants from HONEST registrars, of which they need no protection from. It does not, by itself, protect registrants from evil registrars. I was one of the people affected by RegisterFly. In fact I had a whois monitoring system in place at the time for my domains and called RegFly twice about their changing my whois to a University student address and email address. And if that was the data in their escrow submissions (not implemented at that time), which IS the escrow requirement, who would have received the domain after they were closed by ICANN??? Not me! After the second call I transferred my domains out and posted a warning to others in DomainState as to what I was observing and suggesting others to moved their domains out ASAP. Soon after that I became a registrar at it seemed the only way to be able to effectively manage thousands of domains and protect them from evil registrars. Fact is the average registrant is clueless and likely knows NOTHING about domain name whois and thus never even bothers to check its accuracy! With it gone they will not even be able to verify their registries believe of ownership. And it is belief as reseller accounts have been a historical way to steal domains as the registrant THINK they are dealing direct with the registrar without realizing their is an intermediary with full control of their domain name. Add to that Verisign implementation of the transfer lock as policy and not hard coded technology and the thief takes the domain on a "transfer trip" through a few registrars in foreign countries .... And with no provable ownership records the registrant will NEVER get the domain back. http://www.circleid.com/posts/20170326_a_case_to_further_dns_registrar_industry_self_regulation/ >leaving millions of Registrants in the dark" I am not aware of any either. However it does not take millions to be a problem. Loss of a domain name control could quickly destroy an online business. The the number really does not matter, we are all very dependent on consistency of behavior of our domains and dns. Any loses are a problem, especially to the one affected. Thus the goal must be in the direction of registrant empowerment not away from it. Clear instantiation of domain ownership via pubic whois, is foundational to consistent domain behavior. Here is were domainers are likely the leading experts on such issues. Domainers for almost 2 decades now have learned, just by looking at whois, what a domain's status likely is, and do this with great precision. And frankly, many lawyers use those domineers to help them establish that status. I hope, when the first few domain are successfully stolen since "proof of ownership" no longer exists (but was reasonably assumed to be in place), the politicians involved with GDPR are personally sued. Maybe then will win the case, but its the ride they go on that will be most important. Meanwhile, back in the real bricks and mortar world: https://e-justice.europa.eu/content_land_registers-107-en.do "Land registers are a very important source of information due to their legal nature." "Land registers help to facilitate land-related administrative tasks of citizens, legal professionals, state authorities, private companies and other interested parties. The official register information is open (in a majority of EU countries) to banks, creditors, business partners and consumers in order to enhance transparency and legal certainty in European Union markets." But lets not let hundreds+ of years of land registration experience across the planet work its way into internet management .... That would be silly, wouldn't it?

I don't know about you, but several Todd Knarr  –  Dec 12, 2017 7:14 PM

I don't know about you, but several times a year I run into someone I know of who's having a registrar hold their domain hostage (usually the registrar's one that I'd've avoided on principle but they were cheaper than the alternatives so the registrant went with them not knowing of the red flags) and where I can authenticate the person's ownership of the domain. If I'm seeing it that often, there's no way it's a rare occurrence. As far as "no effect" goes, how does a registrant force a domain transfer when the current registrar denies the request to transfer? Doing that requires proving that the entity requesting the transfer is the registrant, but how does the registry verify that when they don't have a copy of the registration information and the registrar won't release the information? There's a similar problem when a "domain privacy" service suddenly won't put the actual registrant information back and won't listen to requests from the registrant, so the situation is hardly unprecedented. At least there though the registrant has the option to not use a "domain privacy" service in the first place, avoiding the issue. Here the registrant wouldn't have any such option.

>I don't know about you, but several Charles Christopher  –  Dec 12, 2017 7:26 PM

>I don't know about you, but several times a year I run into someone >I know of who's having a registrar hold their domain hostage Excellent point! So lets break it out for those without experience: Person or company has NO CLUE about domain management or building websites. But they know they need a web site. They then hire someone to do it for them. Typically the service paid for is domain registration, web authorship, and server hosting. All paid as one. The consultant may or may not bother to put their client in the whois record, and certainly will NOT provide the client access to the domain management account at the registrar. In this case the registration ownership does have an ambiguity the consultant takes advantage of. The consultant knows FULL WELL the domain name registration is the primary leverage point to getting paid. Use of this to hold clients hostage is well known and why most of us tell people NEVER EVER allow a web site consultant to manage or control your domain name. You control the domain, they control the website. This "opportunity" to hold a customer hostage has in fact moved to the registrar level. But when we have registrar terms of service that say: "we reserve the right to change our terms of service at any time, for any reason, without notice to you" What can we possible expect? And note well that quoted text HAS appeared in registrar terms of service as written. I've no doubt lawyers have become more creative in expressing it more opaquely these days.

Another useful data point.After the .INFO land Charles Christopher  –  Dec 12, 2017 8:07 PM

Another useful data point. After the .INFO land rush I had a registrar attempt to steal 2 of my 3 letter domain wins. I detected this by watching the whois. I think it was a day or two after Afilias added the domains to their backend the registrar changed the whois. The registrar's contract stated whois shall not be changed in the first 30 days (maybe 60, too long ago for me to recall). I contacted Afilias, they looked it up and saw the whois had changed. Afilias forced the registrar to change the whois back to me. Afilias also made it very clear to me that their lawyers would be having a very long legal discussion with that registrar. I can't recall the registrar, only that they went out of business a year or two later, what a surprise. Had there been no public whois I would have lost the domain and the registrar would have kept my significant landrush catch fees as well.

Hi Volker, the bad actor registrar issue Dirk Krischenowski  –  Dec 13, 2017 10:03 AM

Hi Volker, the bad actor registrar issue was raised by lawyers and others that were present at the meeting. I just reported what has been said.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

NordVPN Promotion