ICANN't get no respect: Europe throws Whois privacy plan in the trash

Clueless DNS overseer sees lazy efforts torn apart – again

European data regulators have torn up the latest proposal by internet overseer ICANN over its Whois data service, sending the hapless organization back to the drawing board for a third time.

In a letter [PDF] to the US-based overseer of the internet's naming and addressing systems, the chair of the European Data Protection Board (EDPB) makes it plain that even the organization's "interim" plan is fundamentally flawed.

Despite existing solely to develop rules for the internet's underlying infrastructure and possessing a $100m annual budget, ICANN has put itself in the position where it has effectively outsourced decisions over the critical Whois service to a group of bureaucrats in Brussels.

And on several critical issues, the data bureaucrats have gone directly against the stated positions of both ICANN and its most influential members, including its business constituency, intellectual property constituency, as well as external members including the US government and International Trademark Association (INTA).

In what is perhaps the greatest blow to ICANN's credibility, the EDPB undercuts ICANN's legal appeal to a ruling it lost last month in German court, stating clearly that it cannot force people to provide additional "admin" and "technical" contacts for a given domain name – something some were hoping would act as an effective workaround to the privacy law.

That appeal now looks dead in the water, contributing to a series of embarrassing failures on ICANN's part to regain control of its authority over the Whois service.

Here's another No for you

In addition, the EDPB shot down ICANN's argument that different rules apply when a domain name is registered by an individual or a legal entity like a corporation. Not so, said the EDPB, stating that if a personal email address is given for a corporate website it still falls under the GDPR privacy legislation.

On top of that, the letter puts a big question mark over ICANN's claim that it can retain domain data for far longer than the required two-year limit, saying that the organization would have to "explicitly justify and document why it is necessary to retain personal data for this period."

And it shot down transparent efforts by ICANN and its US-dominated constituents to create an access model that would give intellectual property lawyers the right to see any and all Whois data by noting that "codes of conduct" and "accreditation" models are not a sufficiently strong model for accessing personal data and that ICANN and its registries and registrars will be held legally liable for any subsequent misuse of data.

Critically, however, the letter makes it plain that it has no time for ICANN's claim that it is not a "data controller." ICANN has tried to argue that, by including language in its contracts that forces those signing them to declare themselves data controllers, it somehow lifts the legal obligations on ICANN itself.

It doesn't, the EDPB letter makes plain, and so ICANN is also on the hook for millions of dollars in fines if it is found not to be compliant with GDPR.

In short, for the third time in a row, ICANN's efforts to retain its existing system by relying on legally questionable, even laughable, arguments have failed. None of this should have come as a surprise to the non-profit organization based in California, but for some reason it has.

Not a new issue

European regulators first warned ICANN no less than 15 years ago that its Whois service needed to be updated to account for people's privacy. But ICANN has persistently failed to update the service, relying on the fact that it operates under American law and for a long while existed under the direct protection of the US government.

However, the passing of the General Data Protection Regulation (GDPR) in the EU and the decision by the US government to grant ICANN autonomy have changed that dynamic.

GDPR was designed to deal with the massive market in the sale of personal data by internet giants like Facebook and Google, and imposes huge fines on companies that do not get their users' permission before selling personal data.

It should have been obvious that the legislation would also impact the Whois service, which requires anyone buying a domain name to provide their name, address and personal contact details – and then publishes it all on the internet for anyone to see. But having ignored European lawmakers for more than a decade, ICANN was blind to the issue.

It wasn't until a European registry under contract with ICANN simply refused to provide a Whois service – despite threats from the organization's legal team – that the organization finally woke up to the issue. The registry in question told ICANN that it considered the Whois clause in its contract "null and void" because it transparently broke European law.

That was in October 2017, leaving ICANN with just six months until the new law kicked in. Still convinced that European law couldn't impact it, ICANN hired a European law firm to report on the potential impact of GDPR on the Whois service and was stunned to find that it faced multi-million-dollar fines if it didn't make changes to its service.

Don't panic!

With only six months to devise a solution and its average policy making process taking 18 months, the organization embarked on a series of doomed efforts to effectively retain its existing system while claiming compliance with the new law.

None of them worked, leading to the ludicrous situation where ICANN's staff and board asked to be granted a special one-year exception to the law: a request that ICANN convinced itself was possible and started aggressively insisting on even as it became clear that the concept was no more than legal fantasy.

When the special "moratorium" request was dismissed (data regulators don't have the power to rescind or ignore existing legislation), ICANN's board then chose to impose a staff-developed "interim" policy that had been universally rejected just two months earlier.

When several large registrars then chose to ignore that enforced policy and implemented their own policies to come into compliance with the new law, ICANN responded by suing one of them in German court in what it hoped would serve as a test case and stamp its authority over the Whois service.


But that approach also backfired when the German court rejected ICANN's arguments, effectively undermining its ability to impose its contract.

Having tried and failed to create its version of Steve Jobs' "reality distortion field", ICANN was left with little choice but to ask the European data regulators that will enforce the law what their views are of Whois and how it fits with GDPR.

Those regulators have responded. No doubt ICANN's staff and board will now try to paint the annihilation of pretty much every position they have adopted as part of a healthy policy process, but the truth is that the chickens have finally come home to roost.

As the EDPB noted in its summary of the letter: "The EDPB’s predecessor, WP29, has been offering guidance to ICANN on how to bring Whois in compliance with European data protection law since 2003." ®

Biting the hand that feeds IT © 1998–2022