ICANN and GDPR on data protection!
Two authorities have been tearing each other apart about the protection of personal data rules: GDPR & ICANN.
Two authorities have been tearing each other apart about the protection of personal data rules: GDPR & ICANN. What are the main points of contention? What are the consequences? Details and information below!
Let’s take a look back to the WHOIS’ origins and the discordance with the actual GDPR legislation.
The WHOIS is basically a domain’s passport. It gives you information about the Registrar in charge, the key dates, but also the owner’s personal data such as the first and last name, postal address, email address…
This data was required and available online for everyone to see. Therefore, it was a major point of contention. The information requested was concerning the owner, administrative and technical contact information. Those contacts were most of the time a natural person.
A variety of information that was leading to a commercial exploitation without the prior agreement of the concerned person.
We therefore have a first issue with the protection of personal data.
Let’s go back a few years back in 1982 when the WHOIS was first created. At that time, the WHOIS was only reserved to ARPANET users. It contained information and contacts of those users like it does today. The only difference is the number of people being eligible to access this platform.
With the growth of internet, a lot of other people got into those databases: domain names’ owners for example.
It is only in 1988 that the ICANN took over the WHOIS. Quite quickly the ICANN delegates the registration of domain names to other entities such as the Registries and Registrars. Those companies are now responsible for filling the WHOIS and keep it up-to-date.
Therefore, we have a second issue: under which legislation are those companies falling?
To be fair, before 2018 the point did not arise since no law were superseding the ICANN regulations.
GDPR and ICANN blow shifting winds…
It’s only in May 2018 that the European Parliament published the General Data Protection Regulation (GDPR). It’s in the fifth Article that lays the actual central issue. This Article defines the quality expected in the processing of personal data.
Here are the most important extracts:
- “Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”
- “Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
- “Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing”
To sum up, it is a condensed version of good practices: loyalty, transparency, minimised data, whose conservation are limited in time and confidentiality insured.
it is only in the last section that the question of responsibility is asked. The question of responsibility is fundamental for this regulation because it makes it possible to highlight who is responsible for complying with those criteria.
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
This paragraph is leading the Member States to stop reporting to control authorities (such as ICANN) because they will be the one responsible for the non-application of the European regulation.
How do Registries and Registrars adapt to these two regulations that are contrary to each other? A German Registrar made a strict interpretation of the fifth Article and stopped collecting information for the WHOIS, judging that it was going against the GDPR.
ICANN’s reply was not long awaited as it began legal proceedings before the Bonn Court in order to further the collection of information. The request having been rejected at first instance, ICANN referred for appeal but must admit, in spite of everything, that the WHOIS will have to comply quickly.
WHOIS evolution: key moments of compliance
Let us first go back to the primary interest of WHOIS in order to better understand the changes offered by ICANN.
Originally, this database ensured that the authorities had physical contact behind a dematerialised entity, such as a website. Cybercrime is an increasingly important issue in our daily lives and it is important to identify individuals behind URLs.
It is understandable that the disappearance of the WHOIS is difficult to understand for some protagonists who find themselves deprived of their only ability to identify fraudulent individuals.
The protection of personal data obliges ICANN to present different plans to revise the existing model.
Several projects were successively presented:
-
The calzone model, presented on February 28, 2018 as a draft WHOIS model.
This model limits the amount of publicly shared information. They include: the domain name itself, the administrative and technical information (in particular the date of registration, the name of the registration office), the country holding it, a means of contacting the owner of the domain name (contact form or anonymous email).
The aim is to limit access to other information (including telephone numbers, postal addresses, email addresses etc.) to accredited users. These restricted users would be police and judicial authorities, among others.
The accreditation criteria are still quite vague, since the European Data Protection Committee rejected ICANN’s proposals.
-
The Temporary Report, presented on 17 May 2018, summarised the guidelines of the “calzone Model”.
It highlights the restriction of access to personal data by accredited entities. It also defines more specifically the role of the Registrar and Registries in the collection of data.
For example, it highlights the responsibility of Registrars to offer registrants (domain name owners) when registering an option to make their data public.
As a matter of fact, they will be private by default but the option must be offered. Similarly, Registrars would be required to create an anonymous contact form in order to contact the registrant.
If you want to know more about the differences between these two models click here!
In addition to the problems of legislation on the protection of personal data, technical malfunctions within WHOIS had already been noted for some years. A technical and innovative response was therefore proposed: the RDAP.
The RDAP (Registration Data Access Protocol), a response to the technical problems of the WHOIS
For some time now, many experts have demonstrated the obsolescence of the WHOIS. The main issue is its delay in meeting the current requirements of the web. The WHOIS does not support, for example, non-Latin fonts. It also does not offer a secure connection or a possibility to set up a regulated access.
Several versions have been produced, the WHOIS ++, the Denis IRIS protocol (Internet Registry Information Service). But these versions brought a quick revision of some defects without really rethinking the WHOIS.
RDAP (Registration Data Access Protocol) is a real improved version of WHOIS. The group in charge of its design focused on the weaknesses of the WHOIS in order to propose a version based on three pillars: security, structuring and internationalization.
Some of the proposed innovations include:
- Secure access to requested coordinates (HTTPS for example)
- Web Based (HTTP)
- Standardised transmission of requests
- Possibility of granting differentiated access to contact data
The new model is expected to be implemented on August 26, 2019 with Registrars and Registries.
What now about the GDPR?
On 25 May 2019, the temporary model proposed by ICANN will expire and must therefore be replaced by another. With the deadline approaching, which model will be applied?
The committees have succeeded one another in trying to reconcile the fight for data protection (GDPR) with the fight against cybercrime. The EDP [committee in charge of the accelerated policy development process] was asked to propose a permanent model as soon as possible.
Meeting at ICANN 63 in Barcelona, the various stakeholders continued the discussions. Several models (relatively similar to the temporary model) were presented to the members of the commissions but also to the public so that everyone could give an opinion.
What about Netim?
It goes without saying that the subject is far from being closed and the major problem is the heterogeneity in the application of those new regulations. Therefore, some Registries or Registrars have simply deleted all the data from the WHOIS, others have stopped collecting it and some continue to disclose the information to the public.
A disparity that serves neither the fight against cybercrime nor the protection of personal data.
Netim aims to comply with the GDPR, our WHOIS are anonymised in order to protect the personal data of our customers.
We will, of course, keep you informed of the events and remain at your disposal if you have any question.