Whois vs GDPR, latest news

A draft of the new ICANN Whois policy was published a few days ago.

https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-temp-specs-14may18-en.pdf

From that document:

"This Temporary Specification for gTLD Registration Data (Temporary
Specification) establishes temporary requirements to allow ICANN
and gTLD registry operators and registrars to continue to comply
with existing ICANN contractual requirements and community-developed
policies in light of the GDPR. Consistent with ICANN’s stated
objective to comply with the GDPR, while maintaining the existing
WHOIS system to the greatest extent possible, the Temporary
Specification maintains robust collection of Registration Data
(including Registrant, Administrative, and Technical contact
information), but restricts most Personal Data to layered/tiered
access. Users with a legitimate and proportionate purpose for
accessing the non-public Personal Data will be able to request
such access through Registrars and Registry Operators. Users will
also maintain the ability to contact the Registrant or Administrative
and Technical contacts through an anonymized email or web form. The
Temporary Specification shall be implemented where required by the
GDPR, while providing flexibility to Registry Operators and Registrars
to choose to apply the requirements on a global basis based on
implementation, commercial reasonableness and fairness considerations.
The Temporary Specification applies to all registrations, without
requiring Registrars to differentiate between registrations of legal
and natural persons. It also covers data processing arrangements
between and among ICANN, Registry Operators, Registrars, and Data
Escrow Agents as necessary for compliance with the GDPR."

I think this is the worst of both worlds. The data is basically still
public, but you cannot access it unless someone marks you as a
"friend".

This policy is basically what Facebook is. And how well it played out
once folks realised that their shared data wasn't actually private?

C.

The problem is that once the data gets out it's out and in many cases
such as this WHOIS data only stales very slowly.

So one malicious breach or outlaw/misbehaving assignee and you may as
well have done nothing.

I suppose one could /reductio ad absurdum/ and ask so therefore do
nothing?

No, but perhaps more focus on misuse would be more productive. The
penalties for violations of GDPR are eye-watering like 4% of gross
revenues. That is, could be billions of dollars (or euros if you
prefer.)

We know how well all this has worked in 20+ years of spam-fighting
which is to say not really well at all.

It relies on this rather blue-sky model of the problem which is that
abuse can be reined in by putting pressure on people who actually
answer their phone rather than abusers who generally don't.

Another problem is the relatively unilateral approach of GDPR coming
out of the EU yet promising application to any company with an EU
nexus (or direct jurisdiction of course.)

In that it resembles a tariff war.

At this point if I were a registrar or registry doing business in such a way as to be subject to gdpr, I’d seriously consider spinning up a subsidiary only for that purpose and leave it with minimal revenues and nothing to collect in the event of a lawsuit. Either that or simply stop doing business with Europeans until their government comes to its senses.

Fortunately, for now I get to watch from the sidelines with amusement as this unfolds.

Owen

2018-04-19, The Guardian...

   https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law

or

   http://tinyurl.com/yaeqguhz

Headline:

   Facebook moves 1.5bn users out of reach of new European privacy law

...

"The move is due to come into effect shortly before General Data
Protection Regulation (GDPR) comes into force in Europe on 25
May. Facebook is liable under GDPR for fines of up to 4% of its global
turnover – around $1.6bn – if it breaks the new data protection rules."

...

"The company follows other US multinationals in the switch. LinkedIn,
for instance, is to move its own non-EU users to its US branch on 8
May. “We’ve simply streamlined the contract location to ensure all
members understand the LinkedIn entity responsible for their personal
data,” it told Reuters."

* owen@delong.com (Owen DeLong) [Thu 17 May 2018, 03:19 CEST]:

At this point if I were a registrar or registry doing business in such a way as to be subject to gdpr, I’d seriously consider spinning up a subsidiary only for that purpose and leave it with minimal revenues and nothing to collect in the event of a lawsuit. Either that or simply stop doing business with Europeans until their government comes to its senses.

Fortunately, for now I get to watch from the sidelines with amusement as this unfolds.

I'm happy as a European to finally do business with companies that will have at least a modicum of respect for my privacy.

We cannot escape UDRP but at least we now have a say in what we are forced to publish about ourselves.

  -- Niels.

Agreed. This is garbage, un-needed legislation.

* nanog@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:

Agreed. This is garbage, un-needed legislation.

Disagreed. These are great and necessary regulations.

I'm loving the flood of convoluted unsubscribe notices this month from companies that had stored PII for no reason.

  -- Niels.

An article in The Register on the current status of Whois and the GDPR.

https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/

* Brian@ampr.org (Brian Kantor) [Thu 17 May 2018, 16:23 CEST]:

An article in The Register on the current status of Whois and the GDPR.

Whois privacy shambles becomes last-minute mad data scramble • The Register

My registrar already does all the things listed in this article that registrars supposedly don't yet do.

American companies that think they have a need, or even the right, to see the billing address for my personal domain can go pound sand.

  -- Niels.

On 17/05/2018 at 15:03 Niels Bakker wrote:

* nanog@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:

Agreed. This is garbage, un-needed legislation.

Disagreed. These are great and necessary regulations.

I'm loving the flood of convoluted unsubscribe notices this month from
companies that had stored PII for no reason.

Those who would give up essential liberty, to purchase a little
temporary safety(*), deserve neither liberty nor safety(*).

(*) you can replace this word with comfort in this case without losing
the point

This is what all the regulation fans still have not understood.

Regards,
Zbynek

The privacy implications that WHOIS had for domain name registrants were not only acknowledged by Europe. For a long time we were in a battle to get minimum privacy for domain registrants, and the privacy proxy services provided some sort of relief. But the intellectual property interest, with the backing of governments, always dominated the discussions. Otherwise, the IETF had recognized the privacy issues of WHOIS as early as 2002, and protocols were recommended that could respect registrants' privacy rights.

This was not solely a European issue. It was a global issue, and with GDPR coming into effect it only made the process faster and diluted the power of IP people and those who were piggybacking on their power. It's time to move on. GDPR is not a great law, but a community that for so many years violated the privacy rights of domain name registrants had to be somehow stopped. It's unfortunate that we didn't deal with this through innovative ways... But saying Europe and GDPR brought this upon us is false.

In a related note, I received a note from my registrar this morning telling me that, per current ICANN rules, I need to verify all the personal identifying information for the domains I control.

1. I checked WHOIS for all my domains, and they point to the proxy service that my registrar offers. So, I have no PII visible via WHOIS.

2. I checked the contact information page, and all my (hidden) PII is correct.

So, at least for my domains, everything is GDPR compliant as far as public display is concerned. The question about the proxy service providing an anonymous tunnel for, say, abuse e-mail is open to question. As well as all the other bells and whistles I've seen discussed.

By the way, setting up the proxy service just takes money, not time, in the old school.

The fines are heavy enough that the registrars can consider forcing proxy service on all domains, and figure out how to recoup the costs later. Months? I don't think so.

But then again, I'm not a registrar, only a customer of those folks.

Hi,

On 17/05/2018 at 15:03 Niels Bakker wrote:

* nanog@ics-il.net (Mike Hammett) [Thu 17 May 2018, 14:44 CEST]:

Agreed. This is garbage, un-needed legislation.

Disagreed. These are great and necessary regulations.

I'm loving the flood of convoluted unsubscribe notices this month from
companies that had stored PII for no reason.

Those who would give up essential liberty, to purchase a little
temporary safety(*), deserve neither liberty nor safety(*).

But this regulation increases essential liberty for individuals, so I don't understand your argument...

Cheers,
Sander

If of use, last Monday I recorded and posted video of Jonathan Zuck's
briefing to NARALO on ICANN's interim plan.

On 17/05/2018 at 18:14 Sander Steffann wrote:

Hi,

But this regulation increases essential liberty for individuals, so I don't understand your argument...

No, it doesn't. It has two aspects:

1. It brings new positively defined rights. But as with any other positively
defined rights, it brings an obligation for everyone else to provide such
rights; it requires enforcement, inspections and whatever else, which everyone in
Europe must pay for from taxes, and it requires implementation of a lot of
rules, possibly changing existing internal systems, etc. etc. in
companies, which will be paid for from their revenue, so again from consumer
money.

2. It would be true in an ideal situation. In the real world, there
is no ideal situation. Accept the fact that if you would like to keep
any data private, you must not tell it to anyone. You. You are the one
who can decide about your data and who can really protect your data, no
one else, no government, no GDPR. There are a lot of anonymization
techniques, strong encryption and other things helping to cover who
used/published/stole your private data when it is done by experienced
professionals. It could help a little bit to keep private data protected
against beginner and intermediate data thieves and perhaps against
some kinds of stupid mistakes, maybe. Nothing more. Is it enough when we
mention all the costs, including hidden ones? I don't think so.

BTW, nobody told me they were going to propose such a regulation before the
last EP elections; no party I have been able to vote for has anything like
this, nor opposition to anything like this, in their program.

What about my right to not have this crap on NANOG?

Very well said.

Just curious, what does UDRP have to do with any of this?

UDRP is an ICANN process which allows someone who believes they have
intellectual property rights in a domain to challenge an ownership.

Granted, it's been abused (but so have baseball bats), creating the new
dreaded acronym RDNH (reverse domain name hijacking), but I don't see
how that's related.

Even under GDPR a litigant can get the owner's contact information or,
if the info is false or not practically available, pursue a default
judgement which if successful would result in the domain's transfer to
them.

FWIW for new TLDs (.RODEO or whatever) the equivalent process is URS.

Gratuitous Side Note:

One of the more publicized cases of late involved FRANCE.COM which
apparently the French govt seized ownership of via WEB.COM without any
UDRP process or notice to the owner.

Overview article, you can find others:

  https://www.sgtreport.com/2018/04/france-seizes-france-com-from-man-whos-had-it-since-94-so-he-sues/

Legal filing:

  https://domainnamewire.com/wp-content/france-com.pdf

I don't. I have better things to do than babysit various accounts
I've signed up for over the years. Just because someone signs up for an
account and forgets about it is not a good enough reason to have my
information DESTROYED WITHOUT MY PERMISSION if I do happen to be too busy
that week to sign in somewhere to accept a legal disclaimer.

GDPR is touted as a policy to tackle the issue of the larger players
abusing their market positions and our trust; instead, so far, my lack
of response would just ensure that I am unsubscribed from my alumni
association in the UK; what good does it do to me?!

C.