With the implementation of the European General Data Protection Regulations (GDPR) effective 25 May 2018, access to some gTLD Domain Name registrant information (WHOIS) is being restricted. Traditionally, for a registrant who did not use a proxy service a WHOIS Query would reveal their full name, address, phone number and e-mail address. If you do a lookup for one of my addresses today you will see almost nothing! Try looking up alangreenberg.org at https://whois.icann.org.
This increases privacy for some registrants and also makes information harder to access for those who currently use WHOIS.
There are serious monetary fines associated with GDPR, so compliance is important.
In addressing the new regulations, there has been a lot of discussion within ICANN over the last year. A GNSO Policy Development Process (PDP) started about 2 years ago which should have provided a new system (now called a Registration Directory Service (RDS) instead of WHOIS), but unfortunately that process has not completed in sufficient time.
As a result, to meet the GDPR deadline of 25 May 2018, the ICANN Board implemented a Temporary Specification Policy to allow us and our contracted parties (Registrars and Registries) to be GDPR-compliant. That temporary policy must be replaced by a permanent one within one year - a VERY short time for ICANN policy development.
The GNSO is starting an Expedited PDP which can complete faster than a regular PDP. The ALAC is being given two Members in the this group. We need to establish what our guiding principles are.
In order to understand what we need to push for in the EDPD, we need to understand why this matters to Users and thus to At-Large, which is charged with representing user Interests in ICANN.
Please add your thoughts as comments here.
From this, we will be able to build the principles that will guide our participation.
27 Comments
Alan Greenberg
When asked why users should care about GDPR, the first answer is often "Because they may want to use WHOIS to find out who they are dealing with on a particular web site or e-mail.
My reaction to this is three-fold:
So why do we care?
I believe the reason is that virtually every user depends heavily on various services that, unknown to most of them, are helping to reduce the amount of spam they get (and thus exposure to phishing and malware), on reputation services that every browser users to warn users about dangerous sites, and on the work of cybersecurity workers who are fighting all of these evils. All of these depend to one extent or another on access to WHOIS data and in some cases access to bulk WHOIS data that allows them to correlate findings and find patterns.
Without such access spam, phishing and malware are going to increase. Perhaps a lot - we really don't know how much.
Looking at spam gives one some idea. Today most of us get relatively little spam. In my case, it is probably in the range of a few dozen a day. But anyone who runs an unfiltered e-mail server will tell you that the vast majority of mail that transits the Internet is spam. But most of it never gets to us!
Carlton Samuels
Daniel Khauka Nanghaka
Carlton, here it varies on who makes the request for the data? What is the data used for?
Probably there is a need to create more awareness of the whois - we should know that there are lots of companies who drill down the records and make money from the whois records. This is where end-user protection comes in and need to review data accessibility procedures which may be a little ambiguous.
Holly Raiche
Absolutely true that the data is used - and misused - by corporations. Indeed, that would be one of the primary contexts in which the GDPR was developed. And there is also no question that there are many within the GNSO (NPOC and the NCSG) who are well across GDRP requirements - as well as some in the ALAC. Is is equally clear that whatever the EPDP produces, it will have to conform to GDPR requirements. That said, as with any legislation, there is scope for interpretation of those requirements. And the point being made is that the ALAC - representing not just registrants (although they are also end users) but the broader end user category - should make sure that the interests of end users are argued for.
Alan Greenberg
This issue of registrant vs Internet users has come up again. Many years ago, this was debated in the ALAC and we came to two conclusions:
Perhaps it is time for the ALAC to discuss this again and take formal action to establish its position. How we view this is critical to how we approach the EPDP.
Daniel Khauka Nanghaka
I think some of these discussions will rise again in the EPDP, Can we have the achieved milestones of the GNSO RDS WG since you have been on the RDS Review, this will greatly impact some of the works of the EPDP and probably avoid replication of efforts.
In the GNSO RDS, we discussed a lot of registrants, data handler, and gated access. To reconfirm ALAC position, we need to protect the end users. Will the ALAC Discussion create a new position or there was no position that the ALAC came up with after discussion?
As we dive into the EPDP, I suggest that ALAC has a common position that we have to base on to strengthen our position in the EPDP.
Holly Raiche
The whole purpose of this wiki page is exactly that - to have ALAC discuss the issues and come to common understandings that can be brought into the EPDP
Isaac Maposa
Alan, I do agree with you on the fact that we have to establish our position between Registrants vs Internet Users. As INDIVIDUAL registrants are users too. These INDIVIDUAL Registrants would want to keep their data from SPAMMERS and scammers who use their WHOIS data to spam and to try and scam them. I have seen several times when INDIVIDUAL Registrants just register a domain and within the same day some emails from spammers come in trying to sign them up for some services they do not understand. On the other hand we have the general Internet users who are not domain registrants who need to know who is behind the web resource they are accessing, but as you alluded, very few do know how to do a WHOIS query and this is usually done by informed users who have some knowledge about DNS.
Bastiaan Goslings
This is indeed a fundamental question which we might need to revisit and discuss. The two previous 'conclusions' imply to me, and apologies if I am oversimplifying things, that in this particular EPDP prep-case we would put more emphasis (‘why do we care’) on the (gated access) availability to Thick WHOIS data for law enforcement (public interest) purposes than on the privacy interests of registrants. Without taking a position on that one, I do want to reiterate a previous comment I made, and I will now quote the entire paragraph from page 2 of the https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf
’The EDPB considers it essential that a clear distinction be maintained between the different processing activities that take place in the context of WHOIS and the respective purposes pursued by the various stakeholders involved. There are processing activities determined by ICANN, for which ICANN, as well as registrars and registries, require their own legal basis and purpose, and then there are processing activities determined by third parties, which require their own legal basis and purpose.’
The EDPB therefore reiterates that ICANN should take care not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.’
The way I read that is that the current temp specification, including the purposes defined to continue to require the collection of full Thick WHOIS data, is _not_ compliant with the GDPR. I think that is a (the?) problem that needs to be dealt with.
(From the intro on this wiki page: ‘As a result, to meet the GDPR deadline of 25 May 2018, the ICANN Board implemented a Temporary Specification Policy to allow us and our contracted parties (Registrars and Registries) to be GDPR-compliant. That temporary policy must be replaced by a permanent one within one year)
Alan Greenberg
In your first paragraph, I would include cyber-security folks with law enforcement.
My issue with the EDPB letter is that they do not seem to understand that ICANN's mission is to ensure a stable, secure and trusted DNS. ICANN's is generally not in the business of fighting malware spam, phishing and other forms of mis-behaviour including DDoS attacks. But it MUST be in the business of facilitating those who do those things. It is certainly up to those professionals to justify why they need access to otherwise private WHOIS information - ie to provide the legal basis. But It is ICANN that specifies what must be collected (and collection is a form of processing). If ICANN does not ensure that critical data for law enforcement and cyber-security people is collected, it will not be there for these third parties to justify its release to them.
Whether you or I believe that the collection of Thick-Whois information is GDPR compliant or not really does not matter. Neither of us are in a position to put OUR beliefs into effect (I am certainly not a data commissioner, and I don't think you are either). As defenders of the needs of the 4B Internet users, I believe OUR job is to work to keep the Internet safe and trusted for them. And in this case, I think that means helping to make the case that those who do secure the Internet have the tools to do so.
Bastiaan Goslings
Thanks for pointing to the interests of cybersecurity folks, I agree with you there. I should have been more specific, i.e. law enforcement was an (important) example. See e.g. the IPC/BC Accreditation & Access Model for Non-Public Data for other stakeholder groups with potentially legitimate interests for (gated) access to full WHOIS data.
I understand your line of reasoning, and as I said I am not taking a position here myself. However if its true that the EDPB lacks understanding of what ICANN stands for then that means ICANN has to to a better job explaining it to them. Which also implies, if I understand you correctly, that in terms of being/becoming GDPR compliant ICANN has to be able and needs to justify that continued collection of full Thick WHOIS data is a.o. necessary because of law enforcement’s and cybersecurity folks’ legitimate interests. Whether I think that can be done is irrelevant - you're right, I am not a data commissioner nor an expert like the EDPB’s members, only someone who lead the GDPR compliancy project for his small size employer and who has recently been appointed as their DPO. But as we are embarking on this EPDP, trying to frame ‘why we care’, I think it is imperative to keep the compliancy objective in mind. If it were not for that we would not be in this position in the first place, right? So when someone has doubts, based on expert opinion(s), as to whether the temp specification, starting point for the EPDP, is indeed GDPR compliant, I do think that ‘matters’…
Jonathan Zuck
It matters to the process, but not to us. Our job is simply to represent the interests of end users who do not have other representation in the EPDP, NOT to represent the interests of European Data officers or to second guess what our success will be. Instead, we need to help ICANN push back on the EDPB, not simply accept its advice and, if we fail, we need to work to find a creative alternative solution within the ICANN context if we can. Our job right now is to come up with the guiding principles for those who participate in the EPDP FROM At-large, not the charter of the EPDP. that make sense?
Bastiaan Goslings
Thanks - & if that makes sense? Yes and no...
While I agree that 'Our job is simply to represent the interests of end users who do not have other representation in the EPDP', I NEVER suggested that we 'represent the interests of European Data officers or to second guess what our success will be'. And I do not think 'we need to help ICANN push back on the EDPB', as ICANN is the one who went to them for expert advice.
'Our job right now is to come up with the guiding principles for those who participate in the EPDP FROM At-large, not the charter of the EPDP': yep, I am with you on that one. Maybe I have a too legalistic viewpoint, so apologies for that, but as we are talking about a (EPD) 'process' that needs to be finished within a year and that is meant to ensure ICANN is GDPR compliant in the long run, IMO 'it matters to us' and I would make the intent to become compliant and reach consensus on the how etc at least part of the guiding principle set. In our case obviously with the interests of end-users as a priority.
Anyway. I will leave this discussion, as I will just be repeating myself and people are not agree anyway. No harm done.
Jonathan Zuck
I certainly didn't mean to chase you away from the discussion. I agree that EVERYONE's purpose for being there is to get to a place of compliance. I was simply arguing that our UNIQUE purpose in being there was to represent the interests of end users who are not otherwise represented. Otherwise, there is no inherent purpose in representatives from the at-large to participate. Does that make more sense?
Bastiaan Goslings
Thanks again, Jonathan - yep that definitely makes sense, I totally agree that 'our UNIQUE purpose in being there is to represent the interests of end users who are not otherwise represented'.
Holly Raiche
I agree with Jonathan here - and Bastiaan. The goal - a place of compliance that replaces the existing ICANN policy with one that registries and registrars can comply with that does not put then in breach of their national laws. Within that framework, our task is to identify and argue for the interests of internet users
John Laprise
Point of note: WHOIS as we know it may not be long for this world which will have significant impact on the ePDP & TempSpec https://regmedia.co.uk/2018/07/05/edpb-icann-whois.pdf
Holly Raiche
Great link John
Tijani Ben Jemaa
Alan, I fully agree with your first comment. I believe we are also to take care of the users privacy and the abusive use of their data. Don't forget the story of Facebook and the American Election.
Of course, any criminal use of the domain names against users is our top concern, and so is the abusive use of users' data. Let's not negligt one or the other.
Alan Greenberg
Tijani, of course we are concerned with users privacy and abuse of their data. But sometimes multiple concerns conflict with each other and choices need to be made. In an ideal world that might not happen, but this is the real world where there are conflicts.
I do not see how we can discard the needs of 99+% for those of a relatively small handful.
As you may note from the new quotas of Members for the EPDP, the NCSG has SIX members. We will have TWO. You know that the NCSG is going to be fighting for registrant privacy. WHO WILL BE FIGHTING FOR THE REST OF THE 4,000,000,000 INTERNET USERS?
Jonathan Zuck
I'm inclined to agree with Alan, Maureen and Carlton on this one. "End user" is a set of activities in which we all engage and it is the interests of people engaging in those activities, making airline reservations, buying stuff, doing email, etc." that we must represent in a gathering such as the EPDP.
I also disagree that it's the job of the at large reps to the EPDP to represent ALL of the opinions that come out of the at-large. Instead we might do the hard work of forming some principles and sticking to them. Let's give it a shot.
Isaac Maposa
Jonathan on your second note, I am not sure if I missed this or it's already in the pipeline. Wouldn't it be a great idea to have sort of a working group that helps refine contributions coming from the At Large community and work with our two Reps to the EPDP and this might make the work for our Reps lighter and helps making sure the true view of the At Large community is brought up?.
Jonathan Zuck
Alan Greenberg
Daniel Khauka Nanghaka
The discussion about GDPR is more of user privacy and protection of EU Citizen data. As I look deeply we have to put more focus on what does the Internet user wish to see. What are the criteria for accessing user data? Who is accessing the data? etc and this strikes back to the RDS discussions where we were undergoing deliberations. As for the EPDP, there is going to be strong need of driving consensus in the shortest period of time. The fact that only 2 members are required from ALAC, there has to be constant communication and seeking of a common position in driving consensus.
We cannot justify the outcome of the EPDP though the At-Large Reps have to report and seeking discussion for common ground in the PDP.
Alan Greenberg
Daniel, you say " What are the criteria for accessing user data? "
Exactly what user data are you referring to? WHOIS contains data on gTLD registrants which may of may not be viewable under some conditions, but what data from regular users are you referring to?
GDPR in general affects all sorts of data related to Internet users, but that is a different topic than WHOIS.
Alan Greenberg
I call your attention to SAC101: SSAC Advisory Regarding Access to Domain Name Registration Data (14 June 2018).
I believe it relates very closely to issues that are of importance the At-Large as we enter into the GNSO EPDP.
It can be found at https://www.icann.org/en/system/files/files/sac-101-en.pdf.