This is a translation of a Heise article written in the German language by Monika Ermert and first published on heise online on 25.02.2018.
Domain registrars and registries are preparing themselves for radical restrictions in the collection of WHOIS data. Criminal prosecutors and IP attorneys are trying to steer the ship around at the last minute.
Parties are whetting their knives and brandishing sharpened sabers as they enter the fray surrounding the new WHOIS. Not all participants at the Domain pulse – the German-speaking registries’ conference in Munich – formulated it in such martial terms as those used by Key-Systems lawyer Volker Greimann. But the domain providers were unanimous on the point: The implementation of the General Data Protection Regulation (GDPR) is flowing anything but smoothly, especially for registries and registrars contractually bound to the “Internet Corporation for Assigned Names and Numbers” (ICANN).
Just three months before the entry into force of the GDPR, registrars such as Key-Systems or Tucows are still waiting to see what personal data on domain holders they will have to provide to registries in the future. In turn, the registries for ICANN-approved top-level domains from “.org” to “.saarland” or “.berlin” are waiting on ICANN. The private domain names administration has not yet determined which personal data should be entered in the domain owner database, the so-called WHOIS, which is accessible to everyone.
According to Greimann – who, through Key-Systems, is familiar with both the registry (.saarland) and the registrar perspectives – a signal should have been forthcoming at the start of the year from the meeting in Marina del Rey at the latest. Ashley La Bolle of the Tucows subsidiary EPAG confirmed that in order to be legally compliant, ICANN’s Contracted Parties would be required in the first stage of implementation to violate their ICANN contracts. “We will initially deliver blank data to the registries for all personal data fields”, she said. In Munich, Denic eG reported on what a public WHOIS will look like in the absence of any personal data (see interview in the German language with Denic Managing Director Jörg Schweiger). Country code domains do not have to comply with ICANN specifications.
ICANN’s three models
Thomas Rickert of the eco Association anticipates that ICANN might commit itself in the next few weeks to at least a preliminary roadmap and one of the three WHOIS models published earlier this year. The three models range from the publication of a slightly trimmed-down set of personal data, to the publication of fewer administrative email contacts, through to a variant that bans personal, but not all company, data from the public WHOIS.
In the view of lawyer Rickert, ICANN has fallen far too short of what is required. Not only has ICANN simply put the question of what data can legally be collected on the back burner – the ICANN lawyers have also not addressed questions concerning which data collected by registrars worldwide may be moved beyond borders into third countries such as the USA, how to deal with the obligation for backups from so-called Escrow Providers, or what to do with the central public WHOIS query, which is set up by the private Internet administration secretly without the consent of domain holders.
In its GDPR Playbook, eco considered WHOIS as part of the overall complex comprised of GDPR and domain registration and recommended restrictions which would apply not only to the publication, but also to the collection of data. ICANN’s current proposals are at best “rough sketches” that do not represent a worked-out and realizable solution, Rickert wrote after the Marina del Rey meeting.
Could we not have a little less data protection?
In an ironic twist, opposition to the scaling back of the data sets (inflated by ICANN in recent years to 50 individual data sets), as well as to the relocation of data without the knowledge of users and to the regular mass sale of zone data, is now coming from the public sector. The implementation of the EU-approved GDPR is now causing a stir, not just for the ICANN Governmental Advisory Committee (GAC), but also for the EU Commission and EU Council: In a number of letters, they demand that as much data as possible be kept in WHOIS.
The EU Commission categorically rejects the idea of data collection as an optional provision and demands that the “maximum permissible amount of data” be collected and that “third party users” be borne in mind in deciding on its intended purpose. Europol’s paper demands access to the maximum WHOIS data, not only for itself but also for cyber security authorities, private companies and academics, consumer protection authorities, and trademark owners.
The Europol submission to the Council states that access to data which will no longer be published in the future should under no circumstances be made subject to judicial orders and, moreover, that investigators want to remain unobserved and anonymous. Likewise, the brand owners protected by Europol and security researchers – for example, the renowned Brian Krebs – express concern. Krebs extols the virtues of WHOIS, citing it as being one of the most important resources for his work.
Domain owners equal brand owners
The ICANN Governmental Advisory Committee’s demands go one step further. Like other public advocates, it emphasizes that the purpose of WHOIS is to facilitate law enforcement and the combatting of cyber crime in general.
So why delete the WHOIS data collections so precipitously? To the government representatives, five years of storage after the end of the contractual relationship seems safer. Self-certification for prosecutors and other security researchers who want access to non-public data – from an at least temporarily necessary central WHOIS operated by ICANN – would make everything easier, they say. And finally, as posited in the GAC position, is the publication of a private email address of the domain holder really so bad? Ultimately, the EU and non-EU GAC members share the view of ICANN’s lawyers: that WHOIS is nothing more than a database of brand owners.