Complying with the EU GDPR? Easy, skip ICANN.

So the EU GDPR preparations at Registries and Registrars are in full swing.
This week the Geo gTLD Group released a survey to involved parties, and the results will show us where we are at.

But do we need to do this and do we need to get ICANN in the mix?

Let’s go back in time.
In 2015 the Chinese regulator MIIT announced it was going to enforce rules created a decade earlier. Now, where did we hear this before? Oh wait, the EU Directives: we ignored them as there was no enforcement.

Back in 2015 the RrSG went to the ICANN board and asked for its view on what some called “draconian” regulations. The board listened, and the board said: “they were very aware, but it was an internal country matter, outside of ICANN.”
And that was that.

What was so “draconian”? For Chinese Registrants to register domain names through Chinese Registrars, the Registries had to jump through a ton of regulatory hoops.
Get accredited with MIIT. Set up a presence in China. Escrow data with a Chinese escrow provider only. Deal with the real-name verification procedure.
So what did those non-Chinese Registries do? They looked at a huge market; they figured that these Chinese folks would not use Registrars outside China and would most likely go for the Chinese gTLDs and .CN. Not a great prospect for the Registries.
Solution? They jumped through the hoops; some even built real-name verification support into EPP to make registrations easy.

Every month I receive a newsletter or read a press release where a Registry proudly announces it is China ready and MIIT accredited. It’s like these guys won the Olympics. Granted, going through that process is tough and congrats are in order.

The reality is, the real reality is, Registries are complying with the law in China. Awesome, how cool is that?! How about we go one step further and start complying with EU law?!

If we can do it in China, we can do it in Europe, right?
Want to do business with Chinese Registrants? Jump through the hoops.
Want to do business with EU Registrants? Jump through the hoops and stop discussing whether EU law is a factor within ICANN.
The contracted parties are apparently perfectly capable of dealing with national law even when it is labeled “draconian.”

Now, the above carries a fair load of sarcasm. But if push comes to shove, contracted parties will become EU GDPR compliant no matter how many folks in the ICANN community are in denial,
no matter how hard folks in the ICANN community try to ignore the EU and keep thinking this does not affect ICANN.

But in my opinion cooperation and coordination with ICANN, and within ICANN, remain key to steering this and the policies in the right direction. This is a multi-stakeholder model for a bunch of good reasons, and everyone has a stake in this, for the right reasons and for balance.

Theo Geurts


Nuclear Winter, freeze all WHOIS projects.

While everyone is struggling with the warnings from the EU Data Commissioners and the UN Special Rapporteur on the right to privacy during ICANN 58 in Copenhagen, we actually must look ahead.

As mentioned before, many ICANN policies rely on WHOIS. Most likely this will turn out to be a single point of failure.

We will need to revisit the current policies when we get more clarity, and it looks like ICANN is going to work on an update of the legal review from 2015. That review wasn’t too great to begin with, but let’s not go there.

In no particular order, the following projects need to be frozen so we can see if their scope and objectives are still correct.

  • Thick WHOIS Migration
  • Translation and Transliteration of Contact Information
  • WHOIS ARS
  • Cross-field validation
  • PPSAI

Thick WHOIS Migration
Though I do not think this one will ever happen, it is perhaps good to point out that Registrars outside the EU but in countries with privacy laws need to check whether they can transfer data to the USA.
For example, Turkey adopted privacy laws very similar to the EU GDPR in March 2016.
Given the current political climate, it seems like a country where breaking the law has severe consequences, not only monetary ones.

Translation and Transliteration of Contact Information
Currently in the IRT phase. But how sound is translating WHOIS information for a public directory when publishing the original data is already illegal, if it is personal information?
This project needs to be frozen until there is more clarity, and its scope adjusted.

WHOIS ARS
This project, mandated by the GAC and in operation without a PDP, is illegal in its current form.
ICANN uses several third parties to download WHOIS data from Registrar WHOIS servers and process it at several levels for data correctness.
ICANN emails Registrants and performs automated calls to verify data correctness.
Within the RAA 2013, ICANN can do this. However, due to the poor setup, several EU laws are being broken. These third parties are not Privacy Shield certified (just to name one problem), so in its current state this project is illegal. Not to mention they most likely never looked at other countries that also have privacy laws.

To be clear, this project can operate legally if ICANN complies with EU law.
This project should be frozen until all the legal requirements have been met.

WHOIS Cross-field validation

https://community.icann.org/display/AFAV/Documents
Though most vendors proposed by ICANN are Privacy Shield certified, we need to know whether they comply only on paper or also in reality. This is a big difference and fundamental to Privacy Shield.
Furthermore, we need to know whether this is going to violate other countries’ privacy laws, as most of them are modeled on EU Directive 95/46/EC.

In addition to this, Afilias announced that since April 7, 2017, postal code is no longer a required field, as there are countries that do not have postal codes.

The Registry for Dot Africa states in its policies that street address and postal code are optional, most likely because there are countries in Africa that do not have them.

This makes cross-field validation nearly impossible, and most likely bad actors/cyber criminals will exploit this blind spot and provide registrant information from Africa to avoid cross-field validation.

This project needs to be scrapped.

PPSAI - Privacy/Proxy Services Accreditation Implementation
On the one hand, I think this work should continue; on the other hand, we might face some huge changes.
What if we no longer publish personal data in a public directory? Then the entire business model for third-party privacy providers goes under the bus, and there is no need for those folks.
What if we require third-party privacy providers to be accredited and require annual fees paid to ICANN?
This would collide with Article 12 of the Universal Declaration of Human Rights, the right to privacy. In this scenario, how could these providers even charge money for their services?
Operating a privacy service simply costs money.

Perhaps it is best to freeze this one as well, until we have more clarity.

Theo Geurts

The EU GDPR, The wrong Equalizer?

We can predict with a high degree of certainty that the public WHOIS will be a thing of the past.

This will create issues for two groups (and a few more), but let’s focus on these two for now:
LEAs (Law Enforcement Agencies)
Commercial cyber crime fighters; perhaps not the best name for them, but as they are very diverse, this seems to cover most of them.

The EU GDPR is somewhat (okay, very often) characterized as a boogeyman invented by folks who are so pro-privacy that they lost touch with reality.
This is a misconception. Yes, the EU GDPR was created by an army of lawyers and legal folks that is downright scary in size, but they were very much in touch with reality during the process.

The EU GDPR was forged out of EU Directive 95/46/EC, which has been challenged in court at national and European level many times. The courts were always trying to strike a balance between privacy and the needs of LEAs.
Cybercrime is not something that only happens at the DNS level; it is happening at all levels of our society.

Many companies outside the DNS industry have been dealing with the EU directives for years and have embedded them into their data collection and data processing. And let’s not forget they dealt with cybercrime and LEAs too; so far, nothing new.

During the creation of the EU GDPR, many LEAs were consulted, and this is reflected within the EU GDPR.
For LEAs there are enough provisions to continue their work.

Commercial cyber crime fighters, what about them?
At first glance, and due to one-sided information, it looks like these folks are screwed big time. However, this is not the case. The EU GDPR has room, but it requires a legal framework and contractual obligations. I keep this very broad as I am no lawyer, but when you dig through the EU GDPR, you will discover room to operate.

What Commercial cyber crime fighters should not do.
Look to ICANN or the EU Data Commissioners for help.
ICANN has a horrible track record when it comes to privacy in general. Not intentionally, but due to circumstances; it is what it is. So asking ICANN is not the solution; ICANN needs tons of help on the subject of privacy itself. It’s the blind leading the blind here.

EU Data Commissioners
From a high-level perspective, these folks and the Article 29 Working Party can help. But the problem is that we are dealing with very specific purposes and operational matters, and they cannot zoom in to the micro level. And at the macro level, you get the idea that nothing is possible and privacy is blocking everything and anything.

What Commercial Cyber Crime fighters should do.
As a Registrar, we run into practical GDPR issues all the time. The solution? Consult a lawyer who is well versed in the GDPR and knows the DNS industry well.
It costs money for sure, but hey, our business depends on it. And don’t forget many companies outside the DNS industry already did this in the past; again, nothing new here.

The only thing that might be new here is the sudden change in thinking at the ICANN level and a boatload of people who are in desperate need of tailor-made solutions. Again, ICANN will not help you out there, and neither will the RDS WG at this stage. When it comes to the RDS WG, you will need to bring that knowledge, and the solutions, to the table. You might get lucky and someone will join us who has deep knowledge about fighting abuse on an operational level, has in-depth knowledge about the EU GDPR and knows exactly what to do.
Personally, I wouldn’t count on that; I would try to get ahead of this.

Personal Experience.

So far my interaction with several lawyers has given me a positive feeling when it comes to the EU GDPR. Just when you are about to smash your head against the wall while yelling: “this cannot be done!” or “this is going to cost us a fortune!”, the lawyers so far always came up with a solution or interpretation of the EU GDPR that turned the issue into a workable solution, i.e. the EU GDPR is not as black and white as it appears; it actually appears very well balanced, you just need to know the nuances.

If you need a lawyer who knows the EU GDPR and the DNS, drop me a line; I have worked with several of them over the last few years, not to mention the last few weeks 😉

Theo Geurts, ICANN Registrar.