|
Late last week, ICANN published the guidance from the Article 29 Working Party (WP29) that we have been waiting for. Predictably, WP29 took a privacy maximalist approach to the question of how Europe’s General Data Protection Regulation (GDPR) applies to WHOIS, a tool widely used by cybersecurity professionals, businesses, intellectual property owners, consumer protection agencies and others to facilitate a safer and more secure internet. Unfortunately, comments submitted to WP29, and to Data Protection Authorities (DPAs) directly, detailing legitimate purposes for access to data that serve the public interest, and detailed proposals for accreditation and access to non-public data were largely ignored. The WP29 guidance seems to imply that a fragmented WHOIS system, with no reasonable way to access critical information to facilitate legitimate goals such as preventing fraud and the distribution of malware, is simply an inevitable consequence of implementing the GDPR.
Criticism from the United States Government, the cyber- and operational security community, and business community was swift. On Monday, United States Special Assistant to the President and Cybersecurity Coordinator, National Security Council Rob Joyce tweeted: “EU’s GDPR is going to undercut a key tool for identifying malicious domains on the internet. WHOIS database will be noncompliant, or have to purge the data that makes it useful to find bad actors… Cyber Criminals are celebrating GDPR”. Joyce’s criticism of WP29’s analysis echoes security professional Brian Krebs’ prediction from April 4, 2018, stating that “the volume of spam, phishing and just about every form of cybercrime is going to increase noticeably. New privacy rules coming out the EU are going to take away the single most useful tool available to security experts: WHOIS.” United States Secretary of Commerce, Wilbur Ross also weighed in, imploring the European Commission to take action.
Now that we know the thoughts of WP29, which, after May 25, 2018 (the date that the GDPR goes into effect) will become the European Data Protection Board (EDPB), it is time to fight back, and demand a balance of the right to protect personal information with other fundamental rights. ICANN is currently collecting comments from the community, in preparation for meetings with WP29 in Brussels on April 23, 2018.
Background
ICANN had asked WP29, the data protection and privacy advisory group made up of representatives from the DPA of each EU Member State, the European Data Protection Supervisor, and the European Commission, to give guidance on the “Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation,” (the “Model”) which was developed and published by ICANN earlier in the year. ICANN had presented the Model, and its detailed rationale, to WP29 along with an acknowledgment of areas of community divergence, with a special plea to WP29 to guide ICANN on these issues. Among the areas of divergence were prime points of concern raised by the Intellectual Property Constituency (IPC) and Business Constituency (BC) of ICANN, such as the need for continued publication of registrant email address, the global territorial application of the model even where no nexus to Europe exists, and other aspects of the Model which the IPC and BC have identified as being over-compliant with the GDPR. ICANN CEO Göran Marby acknowledged to the DPAs that many in the community provided extensive analysis and legal support to justify continued access to WHOIS for purposes of cybersecurity, consumer protection, and law enforcement and to prevent intellectual property theft, fraud and other malicious activity online.
The Advice
In its guidance to ICANN, WP29 deemed the purposes for WHOIS, as enumerated in the Model, to be insufficiently defined. In its letter, the group cited a previous opinion on purpose limitation, stating “WP29 has clarified that purposes specified by the controller must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards applied.” The community has acknowledged the need for data protection safeguards (via a Code of Conduct for access to non-public WHOIS, which ICANN has asked its Governmental Advisory Committee (GAC) to develop), but it is surprising to see WP29 call for data safeguards to be developed per every individual purpose - a burdensome exercise for legitimate requestors that would destroy much of the operational functionality of WHOIS.
WP29 also cautioned ICANN to ensure that legitimate purposes contained within its model for compliance relate to ICANN’s own mission, defined in its letter as “to coordinate the stable operation of the Internet’s unique identifier system.” They cautioned ICANN not to conflate its own purposes with the concerns and purposes of third parties, no matter how legitimate. This is, no doubt, a nod to the equally privacy maximalist statements on this issue from the International Working Group on Data Protection in Telecommunications (IWGDPT a.k.a. the “Berlin Group”), a privacy advocacy group made up of DPA representatives, NGO representatives, and members from civil society and the private sector. Last year, prior to the publication of any model for GDPR compliance, and referring to the then-fully-open WHOIS ecosystem, the Berlin Group had questioned whether the role of ICANN allows the organization to take into account any legitimate purpose related to law enforcement or security. Obviously many in the ICANN community are concerned about that statement, and WP29’s reliance on it, including the GAC’s Public Safety Working Group (PSWG), various security-oriented groups at ICANN, the IPC and the BC. The Berlin Group paper is misapplied to the Model, and is not authoritative. Further, ICANN’s role is much broader than that suggested in the Berlin Group paper and subsequently the WP29’s guidance. The full mission of ICANN can be found here, in the ICANN bylaws.
WP29 also gave advice related to accreditation for access to non-public WHOIS data, and again stressed the importance of clearly defined purposes with a specific legal basis for access to individual WHOIS data elements.
Notable in its absence, WP29 did not grant, or even mention a moratorium on the implementation of GDPR, which is understandably a primary focus of many within the community at this time, as well as ICANN itself. The May 25, 2018 deadline will remain the number one barrier to ensuring continued access to WHOIS data, as the contracted parties have indicated that the promise of hefty fines for not complying with GDPR will result in over-compliance, in the absence of a more nuanced model that can be quickly implemented. Some contracted parties have already indicated that any model which provides accreditation and layered/tiered access would be impossible to implement by May 25.
Also absent from WP29 guidance was any mention of the distinction between natural and legal persons, and the application of the GDPR in the Model to contracted parties and registrants that are not in the EU, both prime concerns of the IPC and BC.
The Fight
ICANN responded to WP29 just hours after their communication was made public last week, via a letter from Mr. Marby. The letter again stressed the need for a moratorium on GDPR enforcement, emphasized the negative consequences of a fragmented WHOIS system, and clarified the critical importance of ICANN’s role in coordinating the global WHOIS system on the overall security and stability of the Internet—an obligation that falls squarely within its mission. Mr. Marby pointed out that fragmented WHOIS would “have a detrimental impact on the entire Internet”, pointing out the concerns of law enforcement, cybersecurity processionals, consumer protection agencies, and IP owners. Mr. Marby further stated in his most recent blog that “ICANN recognizes the important of the GDPR and its goal of protecting personal data, but also notes the importance of balancing the right to privacy with the need for information.”
ICANN recognized that following the WP29 guidance would result in fragmentation and notably indicated that it is “studying all available remedies, in order to seek clarity in our ability to continue to properly coordinate this important global information resource without fragmentation” (emphasis added). This thinly-veiled threat of legal action is surprising, and welcome. Mr. Marby also wrote that ICANN implores WP29 to “spend more time balancing between the important right to privacy and the need for information,” further implying that ICANN is unhappy with the WP29 guidance, and may not intend to follow it blindly. Indeed, Recital 4 of the GDPR clarifies that the right to protection of personal data is not absolute, and must be balanced against other rights and the function of such data in society according to principles of proportionality.
As noted above, United States Secretary of Commerce Wilbur Ross also weighed in, in a recent letter to V?ra Jourová, Commissioner for Justice, Consumers and Gender Equality (European Commission), citing the importance of quick access to WHOIS data necessary for intellectual property rights enforcement, cybersecurity and law enforcement. Secretary Ross called for a temporary forbearance from GDPR enforcement on the processing of WHOIS data in order to address these goals.
ICANN is set to meet with the Technology Subgroup of WP29 to discuss these issues further on April 23, 2018. In the meantime, the community has been invited to comment on the WP29 guidance and to make further suggestions to WP29 about compliance with GDPR and accreditation and access to non-public data (including supporting a Code of Conduct which may address some of the DPA concerns about data safeguards). ICANN has assured the community that any information shared with ICANN will be provided to the DPAs, and has suggested that the community also send comments and analysis directly to the DPAs themselves. This response from ICANN indicates that the fight to preserve access to WHOIS data is far from over.
We suggest that businesses, intellectual property owners, consumer advocates, cybersecurity professionals and law enforcement and government representatives marshal additional comments to ICANN and the DPAs further illustrating and impacting the problems that a fragmented WHOIS system would create, and the negative impact it would have for consumers and other Internet users, the ecommerce ecosystem, and the Internet generally. Comments to ICANN can continue to be submitted to [email protected] and we encourage all community members to weigh in as soon as possible so that feedback can be taken into consideration during the next ICANN meeting with the DPAs on April 23, 2018.
Those affected by this issue should also consider additional steps to ensure continued access to WHOIS, including reaching out to Member States in Europe and other government representatives, considering other actions and remedies through courts and legislatures, and continuing to participate in developing an accreditation and access model for non-public WHOIS. The IPC and BC are holding another community-wide call to discuss the Accreditation and Access Model for Non-Public WHOIS data on April 24, 2018. Interested parties should sign up for that discussion by emailing [email protected].
The Intellectual Property Constituency is currently working on comments to ICANN and WP29, and contemplating other additional next steps.
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byCSC
In categories of circumventing the GDPR or maintaining access, you are going to have a bad time. Start thinking in categories of how to make do with what you can have. Start looking at European ccTLDs like Nominet, Denic and Afnic to see how GDPR compliant access can work and use that as your new baseline, instead of clinging desperately to what you Had. The old baseline is gone forever come May 25 at the latest.
Volker, you must really enjoy watching old ladies getting mugged, saying "Not my problem" while throwing yet another proxy reveal request into your winter fire. Do you have a fiddle as well? This is posted by a consumer for consumers. Let's talk about malicious domains. Have you not learnt from history? How is Europe currently protecting it's citizens? What has Europe done to stop the scourge of loan scams from Benin, West Africa, targeting loan seekers in Europe? Answer: Nothing. Is that not the same they did when faced with the fake shop keeper gang using Heihachi? What did the German authorities do, despite victim Germans racking up record of amounts of complaints at authorities after being defrauded? Yet is was only two years later after the same gang spoofed Postbank that somebody at LE decided to look and got a shock. Then it took another year for LE to get an arrest. Was it not for consumers looking out for consumers, the losses would have been a lot higher. The Benin loan scam issue is heading the same way. When I tried reporting this syndicate to your authorities I got a cold shoulder. My own authorities outside the EU and US look at me as if I'm mad if I try and escalate this via them. Not their problem. When will the EU wake up? What are the EU authorities doing to proactively remove fake websites that defraud consumers? We are talking protection. Anything after the event of fraud is at best a knee jerk best effort reaction with little chance of success and not protection. Why worry and support GDPR / GRS processes if you wish to make registrants unaccountable? Societe Generale lodged two UDRPs against the Benin syndicate, one for ssgciib.com and one for cibsocietegenerale.com. No sooner did they win the last, than the same malicious registrant promptly registered a new Societe Generale spoof domain at Namesilo. Who cares, right? The Berlin group says "If I want addresses, look on the website". Sure dear ... like a malicious spoofing domain will publish their real details. Yet the client victim will be expected to submit all his personal details for the loan. This is just one type of fraud. Even now I'm doing my best to wake the EU LE up to a threat they do not understand, mis-classifying it and looking into the wrong place. Part of this is mass abuse of corporate identity theft and domains to defraud consumer and business. The problem is the GDPR fixes a small part causing a problem ten times worse for consumers. Privacy is needed, desperately. But it's clear privacy experts are not security experts.
Derek, look at the country of origin of industry members most supportive (it's the law, inevitable, etc.) of GDPR, then review the history of the EU. There is a message there.
At least it does in civilized countries like Italy, the United Kingdom, France, the EU, and other countries that redact whois data by default. None of these TLDs are grave security threats or havens of scum and villainy. Private information must be protected to protect the data subjects from abuse. And guess what, there will still be access for thise that have a right to access such data, like LEAs or rights holders. It will be less immediate access, but heck, that is just adopting the way this works in most other industries, offline or online. When you want to know who is using a certain hosting rescource of any hosting provider, there is no public whois! Neither is there a public whois for internet users. If you want to know who owns a certain car registration, there is differentiated access for that too. The world will not end and legitimate interests will still be able to pursue them. Life always finds a way... As for learning from history, i think noother country has learned as much as the one I am from and that is precisely why I feel that less private data being made public is the right thing to do. Without data IBM would have been less helpful to the Nazis in rounding up Jewish citizens.
Thanks for that bit of mistaken insight. " None of these TLDs are grave security threats or havens of scum and villainy." Quite funny that right now we are tracking domains using at least two .EU ccTLDs used as name servers attributable to a certain party. While Europol becries the fact of how difficult it is to track these parties involved in romance fraud, they only have to look right into two .EU ccTLDs to see how romance fraud is facilitated using these two .EU domains. Of course the WHOIS data is not real, but the domains were found after verifying suspicions. Armed with what was found at EurID, linked to other known facts, I can give you a photo, name and address in Nigeria of a short little pompous suspect making a living off abusing the DNS / Domain system as a reseller: https://blog.aa419.org/2017/12/19/the-faker-maker/ More so, we should now ask: Do we protect him, or his lady victims believing the are talking to a soldier (military romance scam) whose private details he so trivially leaks out in fake bank websites and fake couriers. You cannot have it both ways. Victims reporting after being defrauded (if at all and not going into hiding), is NOT consumer PROTECTION. Law enforcement engages AFTER the fact of the fraud if at all. If you want to see what these "nice" people do, nasty stuff not normally published in the newspapers as it may upset certain peoples' sensibilities: http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2018/D04-16/C:17-1299:J:Bauer:aut:T:fnOp:N:2140267:S:0 This is just ONE type of fraud victims are subjected to. Also tell me these people do have rights please? Do we not have a moral obligation to protect good people against this? You can fine Google, Facebook, Microsoft if they violate consumer's privacy rights. But what about fraud? Already Europol said it's extremely difficult to deal with. Yet these massively deprive consumers of their privacy, abusing it in all types of ways with malicious intent. And how do we protect relying solely on the authorities? Well, UK is doing a better job than most with alerts and trying at least. Result? http://www.dailymail.co.uk/news/article-5570959/Just-one-100-crimes-web-ends-conviction.html "Only one in ten cases of cyber crime is investigated by police and 99 per cent of crooks escape justice". But that is only for reported cases. "Official" stats also says that only one in ten victims report being defrauded. Those stats may well be wrong. In one case in the Far East, we have over 10,000 victims. Only four reported it! The syndicate uses romance scams as the scam type targeting children (one young girl was ~12 yrs old) and young single mothers. They use domains for fake couriers and fake banks, while impersonating the Royal Malaysian Police as well in emails. Any coincidence that the main facilitator abused two domain reseller accounts? Nothing new. He since went to a registrar that tolerates these shenanigans with privacy "über alles" attitudes. Guess what, we once again see victims. The authorities in the responsible county are still parading around in their new uniforms. But do these people also not have rights, or just European people? That does sound a bit at odds with the "basic human right, privacy", that is now being abused in an attempt to undermine many other human rights globally. How would you feel if you had to reply on looking at a website for a companies details without being able to verify the company's authenticity? We cannot argue that the best protection for private users is for users to protect themselves. After all, we are talking about consumers in the GDPR. Yet now intend depriving consumers of that right. We need to consider we have three groups of internet consumers: Government, commercial and private user. The first two are in a massive fight to protect their arenas with big budgets and nearly unlimited resources, yet are having a hard time. Some of these interests overlap and yield better results. Yet some of the threats have no commercial or governmental impact. The consumer is extremely vulnerable in these areas. No concerted effort is made to address these. No anti-virus will cut it. As such this rather flippant attitude that I'm seeing from privacy experts with no security foundation, is rather disturbing. As Agela Gunn said: "Europe's led the world on data privacy protections for years, but the GDPR treats WHOIS as just another dataset, rather than as an integral part of how the net itself works. That's incredibly short-sighted, especially when we're asking internet users to be better informed about where their information comes from."
>None of these TLDs are grave security threats >or havens of scum and villainy. https://www.spamhaus.org/news/article/724/ongoing-abuse-problems-at-nic.at-and-denic 2015-08-19 14:27:31 UTC, by The Spamhaus Team "If Switzerland and Russia are able to implement appropriate mechanisms in their regulation and/or registrar agreement to fight malicious domain names, it shouldn not be too difficult for Austria and Germany to do the same. If Nic.at or DENIC are not willing or allowed to implement appropriate mechanisms to deal with abuse of the scale we see, they should present the need for an urgent change to the appropriate regulatory bodies within their countries. In the end, both Nic.at and DENIC - as every other organisation, service provider and internet user - should accept their responsibility to make the internet a safer and civilized place, and to protect the reputation of their own national ccTLD. We hereby urge Nic.at and DENIC to finally take the appropriate actions to battle fraudulent and illicit domain name registrations within their domain name space (ccTLD) by: Providing the name of the sponsoring registrar of a domain name in the whois service, including a valid and working abuse reporting address of the sponsoring domain registrar. Implementing a secure and fast mechanism to suspend malicious domain names identified by security researchers at both the registrar and registry level. Revising the registry policy / registrar agreement appropriately so that abuse problems can be dealt with promptly."
“They cautioned ICANN not to conflate its own purposes with the concerns and purposes of third parties, no matter how legitimate.”
https://thelawdictionary.org/legitimate/
legitimate —> To make lawful
In other words law is what the EU says, and the rest of the world can go pound salt.
The most logical organization to ask for industry guidance, ICANN, gets a back hand slap. That is not a response of an entity re-presenting privacy concerns of others, its the action of a bully, a bully that is achieving success destroying the sovereignty of other nations. After others HAVE addressed the issue for 16 years, and I have NEVER seen any complaints about it other than it WORKING TOO WELL at preserving privacy. Never let facts get in the way of a good story ....
Add to this, sovereign nations are actually bowing a knee to the EU. As if the EU can write the laws of other nations. We should be getting upset that our own governments are bowing to the EU.
There is very important history here, for those willing to learn .....
This will not end well. This is the slippery slope. This will embolden the EU to pass other “laws”, the illusion of which will be the rest of the world must follow.
It would be one thing if in fact the domain name industry HAD IGNORED privacy of registrants. But it did just the opposite. Of course the EU refuses to respond because it would expose their fantasy, and the foolishness of others bowing to it.
If the world actually allows the EU to define the laws of the world, you will not like how this ends ... National borders exist because we do NOT all think the same way, and that is actually a necessary condition for humanity to be at peace.
Going back a couple thousand years, what is the difference between the Old Testament and the New Testament? Universal laws don’t work, only freewill expressed as individuality works if and only if you accept personal responsibility (such as national sovereignty). And that is a foundation of national sovereignty, being separate, thinking differently, offerings different views and solutions (Privacy Whois). EU, do what you want, don’t expect us to follow your lead. We have a solution even though you conveniently CHOSE to ignore this fact, you’re crafty (a word I choose with great intent) not stupid.
It’s not true that WP29 ignored the comments; they just chose to not incorporate those suggestions into their guidance.
On WHOIS fragmentation, WHOIS is already fragmented as it is. Actually, ICANN interim model might make gTLDs look more similar to ccTLDs and RIRs WHOIS services… in a minimalist way. The real question is where the information there is excessive or proportionate, a line that every one seems to draw at a different measure.