An effort to resolve conflicts between upcoming European privacy legislation and the global Whois service for domain names has, predictably, failed, raising fears that cybercriminals will take advantage of the impasse.
At the end of a week of meetings hosted by domain-name overseer ICANN, the US-based organization’s proposed interim model lies in tatters, and there is no sign of a forthcoming solution before the May 25 deadline, when the General Data Protection Regulation (GDPR) comes into effect.
Industry insiders fear that, without agreement, the Whois service, which publicly lists full contact details of domain-name registrants, will effectively shut down in order to avoid fines and possible lawsuits under the Euro rules.
That would leave law enforcement and intellectual property lawyers, among others, unable to access registrant details, and potentially give cybercriminals a larger window to carry out crimes.
The biggest blow to ICANN’s last-minute proposal on how to make Whois GDPR-friendly – put out just one week before the meeting – came when the world’s governments refused to accept the role ICANN tried to place on its Governmental Advisory Committee (GAC). ICANN said it wanted to task the GAC with drawing up a system that would allow certain groups – cops, attorneys, and similar – unfettered access to Whois records. That plan was firmly rejected.
“The GAC does not envision an operational role in designing and implementing the proposed accreditation programs,” read an official statement from the GAC to ICANN’s board at the end of the meeting.
Such a rejection was entirely predictable, raising questions over why ICANN’s staff suggested it in the first place.
So, um, about your entire ethos
ICANN is designed to work as a “multi-stakeholder” decision-making model where everyone impacted gets a say in the solution, so the suggestion that just governments would decide on an accreditation model was greeted with some scorn, not least by the US government.
Argument over this aspect of the “interim model” took up so much time and energy that ICANN’s CEO Göran Marby pleaded with the internet community to focus on other aspects.
“There are still fundamental decisions to be made about the whole model,” he told a public forum. “Discussion seems to be focussing on the accreditation model, as if everything else with GDPR compliance for Whois is decided. It’s not.”
Marby also made a second desperate plea, this time to European GAC members, whom he “humbly begged” to contact their data protection authorities to get “firm advice” on what needed to be done to the Whois system to bring it in line with Euro law.
That plea came after the GAC tore up another key part of ICANN’s proposed model: that all email addresses in domain ownership records be anonymized.
“A rationale is required for the decision to hide certain Whois data elements from the public database,” the GAC said in its communiqué [PDF], before schooling ICANN’s own Whois experts on what the actual GDPR legislation does and does not require.
“When it comes to personal data, the GDPR permits its processing, including publication, under certain circumstances… such as performance of a contract or the legitimate interests pursued by the controller or by a third party.
“In particular, publication of the registrant’s email address should be considered in light of the important role of this data element in the pursuit of a number of legitimate purposes and the possibility for registrants to provide an email address that does not contain personal data.”
The GAC also took issue with ICANN’s proposal to anonymize non-personal information – such as company names and the contact details of administrative and technical contacts – and pointed out that “legal entities are explicitly excluded from the remit of GDPR.”
In short, it argues that the changes proposed by ICANN “are not supported by the necessary analysis and supporting rationale which poses the question whether the choices reflected in the current proposal are required by the law.”
In other words, ICANN made bad decisions based on incomplete information and failed to explain how or why it arrived at those decisions.
The failure to come up with a solution could have dangerous knock-on effects, the GAC warned: “As it stands, the proposed system risks hindering the efforts of law enforcement, intellectual property and other actors in combatting illicit activities and mitigating DNS abuse.”
That message – that the failure to introduce a system before the end of May would make the internet a more dangerous place – was reiterated by law enforcement at the meeting, with Europol’s cybercrime center (EC3) being particularly vocal about the risks.
EC3 repeatedly pushed the idea that the companies that provide domain names to the public – registrars – be obliged to respond to “urgent” law-enforcement requests for Whois information within 24 hours.
That could be a possible short-term solution to the lack of a global Whois policy, but the idea was rejected by registrars who have consistently blocked any effort to make them accountable to third parties.
On the other side of the equation, civil society groups were actually happy with the idea of anonymized email addresses, noting that it would “go a long way to reducing spam and harassment that end-users face.”