Internet overseer continues wall-punching legal campaign

ICANN appeals its appeal and tells German courts yet again that they're wrong

The organization that oversees the internet's naming and numbering systems is continuing its embarrassing European legal campaign, insisting for a third time that the German courts have got it wrong.

On Friday, ICANN appealed [PDF] the latest court decision against it, this time insisting that the Appellate Court of Cologne, Germany made a mistake when it ruled the organization had not "sufficiently explained" nor provided a "credible reason" for seeking an injunction against German domain registrar EPAG.

It was the third time in a row that ICANN has lost a legal effort to force EPAG to gather additional personal information on anyone that registers a domain name. EPAG says that requirement breaks GDPR privacy legislation and so it would be breaking the law by doing so. ICANN insists the law is unclear and so EPAG has to keep requiring and storing the information if it wants to continue to sell internet addresses.

ICANN's legal campaign is an effort to re-impose its authority over contracts that cover the sale and registration of internet addresses, but its approach, attitude and increasing string of failures is starting to have the opposite effect.

Despite years of warnings, the organization failed spectacularly to update its contracts in the face of GDPR, leading to the extraordinary situation where it pleaded with data regulators to give it a special one-year exemption from the law: a request that they noted they were in no position to grant.

As a result, just before the new law kicked in, ICANN imposed an emergency temporary policy that had been rejected just months earlier, which in turn prompted many internet registries and registrars to go their own route.

Don't panic!

ICANN's response was to seek an emergency injunction against one registrar – German registrar EPAG – in an effort to set a precedent. But the courts have consistently found that the issue is not an emergency and so have refused to entertain ICANN's arguments.

When it lost the first time, ICANN appealed and insisted it was essential that a decision be made over how GDPR is interpreted when it comes to the Whois system. As such it told a regional court that it either had to decide on the legal interpretation or send it to the European Court of Justice to decide.

The court was unpersuaded and threw ICANN's case out again, noting that it didn't feel any need to refer the case to the ECJ because ICANN's interpretation of the law "was not material to the decision."

And so, given yet another opportunity to rethink its failed legal strategy, ICANN has responded by… appealing again. This time it insists that the regional court had also got it wrong. The arguments in its "Plea of Remonstrance" are, broadly, two fold:

First, that the court decided against ICANN on the grounds that its injunction was lodged out of concern for the impact it would have on the proper functioning of the domain name system. The court found there would be no impact, so rejected the injunction.

ICANN claims this reasoning was a mistake – that it had applied for a cease and desist injunction, not a functional injunction - and that it should have been warned that the court would view it in these terms.


"Nothing in the course of the proceedings enabled the Applicant to foresee the Appellate Court's reasoning," ICANN whines in its official appeal. "To the contrary, prior to the Appellate Court's decision, the Regional Court rendered two decisions in which the legal aspects that the Appellate Court now relies on have played no role at all."

In other words, ICANN felt blindsided by the fact that it lost on a different legal standard to the one it has already lost twice.

Its second broad argument is that the court's reasoning is wrong when it comes to the impact of not granting it an injunction.

ICANN says the court wrongly assumes that the data it wants gathered could be acquired at a later date (assuming of course that the legal system does subsequently decide that the data does not break GDPR). ICANN argues that if a domain is only registered for a year, by the time a legal decision in its favor kicks in, the information would be lost forever.

On a related note, ICANN argues that the court erred when it decided that the non-gathering of that information represented only an "abstract danger" i.e. ICANN was making a big fuss over nothing.

ICANN argues that even if the lack of data represents an abstract danger it should still get it anyway. "In particular, the legally protected interests involved in case of abusive practices in the present case are of such high significance that also abstract dangers justify a preliminary injunction."

What is extraordinary about those claims is that they demonstrate that ICANN is clearly not listening to what the German courts have repeatedly said in clear terms: that the Whois service is not as important as ICANN insists.


The data at the heart of the dispute is contact details for an administrative and technical contact for a domain name. Back when Whois was first introduced – in the early days of the internet – websites were relatively rare and required a lot of effort and knowledge to create. As a result, they often had named people to contact if someone had a problem.

But in 2018 – and, in fact, for the past decade – this situation simply doesn't exist. People can set up a website using a content management system like Wordpress within minutes. And they don't need special contacts: a fact confirmed by EPAG when it said in an early filing that "in the vast majority of gTLD registrations, the Registrant (Owner), Admin, and Tech contacts are the same. As such, collection of Admin and Tech contacts is meaningless, as the data belongs to the Registrant."

The inclusion of the Admin and Tech contacts are just one sign of how hopelessly outdated the Whois service has become – which is precisely the point. But ICANN continues to insist, against its own industry, that it is vital those contacts be requested and stored. Why?

Put simply, it's because intellectual property interests see the Admin and Tech contacts as a way to bypass GDPR requirements. They recognize that they may not be given direct access to domain registrant details, due to GDPR, so argue that these more technical functions should be made accessible. They know all too well that in almost every case the details will be the same as the information they will be prevented from accessing.

That ICANN continues to push this line despite knowing the reality is just one more indication of how the organization continues to serve American intellectual property interests beyond its own industry and internet users.

The other argument – that the lack of such data will result in some kind of larger danger to the DNS – is precisely what the Regional Court looked into and dismissed. It specifically pointed out that ICANN had failed to make its case when it came to how important the Whois was.


And there's good reason for that. Because, despite a range of actors insisting that the lack of a Whois service – where people's personal contact details are posted publicly online – will cause an uptick in online crime, no one has yet to provide any evidence that that is the case.

Law enforcement continues to be able to access full Whois data by simply requesting that registries and registrars provide it to them. So the issue is really large American corporations who want full Whois access in order to chase down anyone potentially infringing their trademarks; access they are at risk of losing thanks to GDPR.

To such corporate minds, the loss of Whois data is a disaster. But few others agree, especially given the huge privacy implications for everybody else on the internet of having their name, phone number, and email and physical address posted online.

More importantly, Europe's data protections regulators have been extremely clear that they don't consider corporate interests as overriding citizen's privacy rights. In person and in writing, they have repeatedly warned ICANN that "purposes pursued by other interested third parties should not determine the purposes pursued by ICANN" and that ICANN should "not conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case."

Literally everybody within the DNS industry knows that that means American corporate interests should not be granted access to all domain name registrant information. But those same interests are not giving up and continue to try to find a way around the law. And US-based ICANN is doing everything in its power to assist them.


One way to get around the law is to require domain registrants to provide the obsolete technical and administrative contact details by pretending they are relevant to the functioning of the DNS. That is the fantasy that ICANN is still trying, and failing, to foist on the European court system.

The second main way around the law is to device an "access program" for specific groups to be granted access to Whois data and then devise the system in such a way that corporate interests are effectively viewed as equivalent to law enforcement.

That effort is being strongly pushed within ICANN's policy process and in a new working group that has been setup to develop a new Whois approach. But, as with every other previous effort, the likelihood of success is minimal.

The big difference this time around is that the powerful property interests that many blame for having undermined 20 years of efforts to update Whois want to change rather than retain the status quo.

We understand that internally ICANN is pitching its continued legal action as a way to appease such intellectual property concerns by showing the organization is supporting their interests, while holding on to the belief that the European court system will ultimately resolve the question of how GDPR relates to Whois - so it doesn't have to.

At some point, however, failed legal argument after failed legal argument starts to point to something much more concerning: that the organization in charge of overseeing the internet's naming and numbering systems is not capable of doing its job. ®

Similar topics

Other stories you might like

  • AI-powered browser extension to automatically click away cookie pop-ups now promised
    Tool disables non-essential tokens

    A team of researchers at University of Wisconsin-Madison and Google say they have found a way to use artificial intelligence to neutralize manipulative cookie consent pop-ups that have become ubiquitous on the web.

    The project, revealed this month and dubbed CookieEnforcer, has the goal of automating the clicking through of choices in these online consent forms to disable all non-essential cookies on a website. The resulting software can therefore spare netizens from having to manually reject cookies presented by a website.

    When confronted with cookie popups, which are required by European law and other legislation, many users simply click "accept all," despite the fact that unnecessary cookies may compromise privacy, the project's paper stated. Some of the organizations forced to implement these pop-ups have designed them specifically to be tricky to navigate, or use dark patterns to fool someone into selecting the opposite desired option, to discourage people from disabling tracking cookies.

    Continue reading
  • Big Tech revenues under threat from EU law proposals
    Digital Markets Act rules agreed, set to include fines of up to 10% of turnover and power to break up businesses

    Sanctions for non-compliance with new EU powers could hit tech giants with fines of up to 10 percent of their worldwide turnover – that's around $21 billion in the case of dominant online retailer Amazon.

    The political bloc's legislator has set out agreed rules to tackle dominance of big tech firms deemed "gatekeepers" because of their control over broad sets of services within their platforms.

    Under Digital Market Act (DMA) outlined last night, the European Commission will have powers to designate companies as gatekeepers following a market investigation.

    Continue reading
  • F-Secure spins out new enterprise security business: WithSecure
    CEO tells The Reg of new branding ahead of Finnish vendor's corporate split

    F-Secure's enterprise-facing business will have a new brand – WithSecure – and a sharpened focus when the company splits into two independent operations.

    The move comes a month after the security vendor's board of directors revealed that the 34-year-old Helsinki-based company would carve out the consumer security business from its enterprise unit. The consumer business will retain the F-Secure name.

    The final break will come this summer after a general meeting in May. The split is scheduled to complete on June 30.

    Continue reading
  • Android's Messages, Dialer apps quietly sent text, call info to Google
    Hashed text, phone call logs collected without opt-out nor specific notice

    Updated Google's Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe's data protection law.

    According to a research paper, "What Data Do The Google Dialer and Messages Apps On Android Send to Google?" [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google's Firebase Analytics service.

    "The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange," the paper says. "The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google."

    Continue reading

Biting the hand that feeds IT © 1998–2022