At a recent workshop on cybersecurity at Ditchley House sponsored by the Ditchley Foundation in the U.K., a primary topic of consideration was how to preserve the freedom and openness of the Internet while protecting against the harmful behaviors that have emerged in this global medium. That this is a significant challenge cannot be overstated... That these harmful behaviors can and do cross international boundaries only makes it more difficult to fashion effective responses.
The European Data Protection Board certainly has been keeping its records straight. Its 27 May statement starts with the following: "WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003." All internet users have dealings with the Internet Corporation for Assigned Names and Numbers, yet the vast majority have never heard of ICANN.
The need for an access model for non-public Whois data has been apparent since GDPR became a major issue before the community well over a year ago. Now is the time to address it seriously, and not with half measures. We urgently need a temporary model for access to non-public Whois data for legitimate uses, while the community undertakes longer-term policy development efforts.
Well amazingly, it's that time again. Next week, individuals from around the world with a keen interest in Internet policy will head to Panama City, Panama for the second ICANN meeting of the year. As always, Brandsight will be attending to follow all of the important policy work being carried out by the community. Before I head off to the meeting (which based on my research will actually be my 32nd ICANN meeting!), I'd like to share a preview of the major topics slated for discussion.
As I predicted ICANN is pursuing its case against EPAG. They're now not only appealing the case to a higher court in Germany but are also trying to get the entire thing referred to the European Court of Justice. In an announcement late last night ICANN made it very clear what their intentions are. While they're pursuing the appeal in the higher court in the German region, which makes sense at some level, it's also very clear that they're not taking "no" for an answer.
On May 25, 2018, the European General Data Protection Regulation (GDPR) came into effect, meaning that European data protection authorities (DPAs) can begin enforcing the regulation against non-compliant parties. In preparation, the ICANN Board passed a Temporary Specification for gTLD Registration Data - essentially a temporary policy amendment to its registrar and registry contracts to facilitate GDPR compliance while also preserving certain aspects of the WHOIS system of domain name registration data.
The suggestion was recently put to the GNSO Council: anyone who becomes a member of a proposed new Expedited Policy Development Process (EPDP) must be able to demonstrate that they have basic knowledge of privacy and data protection. This makes a lot of sense: Would you trust a lawyer who had never been to law school? Or a doctor who had never studied medicine? Of course not. Recently I asked members of our ICANN Community: have you had any GDPR training, classes, or certification?
German courts seem to be pretty fast, so instead of having to wait weeks or months to see how they'd rule, we've already got the answer. The German court in Bonn has ruled that EPAG (Tucows) is not obliged to collect extra contacts beyond the domain name registrant. The decision, naturally, is in German, but there is a translation into English that we can use to understand how the court arrived at this decision.
I've been ruminating on this for a while, this follow-up that was a decade in the offing. My article Trench Warfare in the Age of The Laser-Guided Missile from January 2007 did pretty good in terms of views since I wrote it. Less so in terms of how well the ideas aged or didn't, but that's the nature of the beast. Everything gets worse, and simultaneously, better, and so here we are: Using embarrassingly ancient approaches to next-generation threats. Plus ça change.
As I noted over the weekend, ICANN has instigated legal action against EPAG, an ICANN accredited registrar based in Germany that is part of the Tucows group. ICANN claims that the case is to "preserve WHOIS data", but Tucows asserts in their statement that the ICANN approach is flawed. It's not a frivolous statement, but one they've backed with fairly detailed rationale - and this is just their public statement and not a formal legal filing.