About Theo Geurts

EU ICANN Registrar RrSG Secretary ICANN IRT member

The EU GDPR, The wrong Equalizer?

We can predict with a high degree of certainty that the public WHOIS will be a thing of the past.

This will create issues for two groups (and a few more), but let’s focus on these two for now:
  • LEAs (Law Enforcement Agencies)
  • Commercial cyber crime fighters. Perhaps not the best name for them, but as they are very diverse this seems to cover most of them.

The EU GDPR is somewhat (okay, very often) characterized as the boogeyman invented by folks who are so pro-privacy that they lost touch with reality.
This is a misconception. Yes, the EU GDPR was created by an army of lawyers and legal folks that is downright scary in numbers, but they were very much in touch with reality during the process.

The EU GDPR was forged from EU Directive 95/46/EC, which has been challenged in court many times at both the national and the European level. The courts always tried to strike a balance between privacy and the needs of LEAs.
Cybercrime is not something that only happens at the DNS level; it is happening at all levels of our society.

Many companies outside of the DNS have been dealing with the EU directives for years and have embedded them into their processes for data collection and data processing. And let’s not forget they dealt with cyber crime and LEAs too; so far, nothing new.

During the creation of the EU GDPR, many LEAs were consulted, and this is reflected within the EU GDPR.
For LEAs there are enough provisions to continue their work.

Commercial cyber crime fighters, what about them?
At first glance, and due to one-sided information, it looks like these folks are screwed big time. However, this is not the case. The EU GDPR has room, but it requires a legal framework and contractual obligations. I keep this very broad as I am no lawyer, but when you dig through the EU GDPR, you will discover room to operate.

What commercial cyber crime fighters should not do.
Look to ICANN or the EU Data Commissioners for help.
ICANN has a horrible track record when it comes to privacy in general. Not intentionally, but due to circumstances; it is what it is. So asking ICANN is not the solution: ICANN itself needs tons of help on the subject of privacy. It would be the blind leading the blind here.

EU Data Commissioners
From a high-level perspective, these folks and the Article 29 WG can help. But the problem is that we are dealing with very specific purposes and operational matters, and they cannot zoom in to a micro level. And on a macro level, you get the idea that nothing is possible and that privacy is blocking everything and anything.

What commercial cyber crime fighters should do.
As a Registrar, we run into practical GDPR issues all the time. The solution? Consult a lawyer who is well versed in the GDPR and knows the DNS industry well.
It costs money for sure, but hey, our business depends on it. And don’t forget that many companies outside the DNS already did this in the past; again, nothing new here.

The only thing that might be new here is the sudden change in thinking at the ICANN level and a boatload of people who are in desperate need of tailor-made solutions. Again, ICANN will not help you out there, and neither will the RDS WG at this stage. When it comes to the RDS WG, you will need to bring that knowledge, and the solutions, to the table. You might get lucky and someone will join us who has deep knowledge about fighting abuse at an operational level, has in-depth knowledge of the EU GDPR, and knows exactly what to do.
Personally, I wouldn’t count on that; I would try to get ahead of this.

Personal Experience.

So far my interaction with several lawyers gave me a positive feeling when it comes to the EU GDPR. Just when you are about to smash your head against the wall while yelling “this cannot be done!” or “this is going to cost us a fortune!”, the lawyers so far always came up with a solution or interpretation of the EU GDPR that turned the issue into a workable solution, i.e. the EU GDPR is not as black and white as it appears; it actually appears very well balanced, you just need to know the nuances.

If you need a lawyer that knows the EU GDPR and DNS, drop me a line. I have worked with several of them over the last few years, not to mention the last few weeks 😉

Theo Geurts ICANN Registrar.

The complete mess the WHOIS created, a Registrar perspective.

The public directory we call a WHOIS, where we publish registrant data of domain name owners, is a MESS.


Sure, LEAs and other crime fighters have a different opinion, and it is one I share in the sense that abuse is a huge problem and abuse must be taken down. Often in these discussions, when we talk about unlimited access to registrant data and that it also has to comply with privacy laws, the discussion usually goes the wrong way, and often we can hear or read that Registrars are pro-crime, or worse, that they condone child porn. These are arguments to keep the current status quo, which is understandable, but the reality is that Registrars are mostly companies who try to run a business in a responsible manner. And now and then this is acknowledged by parties who know we hate abuse just like everyone else.

So let me post some facts and leave the LEA arguments outside of this scope.

Publishing personal data or registrant info in a public directory creates the following issues we deal with on a daily basis.

To understand this better you have to realize that ICANN publishes zone files that contain newly registered domain names. There are folks who scrape this info, scrape the WHOIS info on a fully automated basis, and resell it or use it for their shady practices. Yes, this includes personal information. And no, they have no right to it, but they ignore every privacy law out there and every disclaimer a Registrar has in place about the terms of usage.

When you register a domain name and get yourself some hosting and other services, you will get the following in your email box not much later.

Domain name renewal notice. This is not a renewal notice at all; it is a shady SEO company that urges you to pay them money to get listed in some vague directory to boost your SEO. The result: confused registrants calling their Registrar’s support desk. We are losing money here.

Hosting notice. Within a few hours, our customers get an email from a shady hosting company that offers 99 cent hosting with an uptime of 100%. Our support teams have endless discussions with our customers explaining why we charge more and why we have better service; it is just unreal when you hear these conversations. Again, money down the drain.

Spam lists. Your information will be resold, spammers will gladly scrape your info, and a day later your email box contains emails ranging from Viagra to shady investment deals and marriage proposals from Russia.

Phone calls. Later in the week, you will get robocalls from companies trying to sell you whatever. Fake Microsoft employees try to trick you, and a lot worse. And let’s not forget SMS messages.

Viruses, malware, phishing. Enough said; hope you have a good virus scanner, and let’s hope you do not get hit by some crypto locker ransomware. If your computer gets infected by ransomware it is best to pay, according to the FBI.

ICANN and policies and the current issues.

  • As a Registrar, we have to verify your email address.
  • As a Registrar, we have to email you an FOA when you want to transfer your domain name.
  • As a Registrar, we need to email you if you want to change the ownership of your domain name for whatever reason.

In November 2015 Registrars were hit hard by phishing emails. These emails looked like the real emails Registrars send for the above reasons. However, these emails carried a payload in the form of ransomware.

For years we have been educating our customers not to click the cute teddy bear in emails and to throw away email if it looks suspicious.

Since November 2015 our means of communication have taken a huge hit: processes come to a total standstill and our support desks are dealing with increased overhead. And the phishing continues; every few months some Registrar takes a hit from these targeted phishing attacks. Domain names get suspended as our communication is no longer trusted. Mass frustration.

We implemented DKIM and we use PGP to sign our emails, but it is simply not working, as most folks have no idea what PGP is.

I understand the LEA arguments, but the above is also a reality, and it is bad, it is ugly, and it is all due to the fact that we have a WHOIS system that shouldn’t have existed in the first place.

Perhaps ICANN should throw some money towards the abuse problem. As it is now, we have huge discussions over what is, in my opinion, a penny war. But pennies are what we earn, so let us take that issue out of the equation, and I am pretty sure the discussion with LEAs and other parties will go much smoother.

EU GDPR and the WHOIS, Radiation Fallout

So during ICANN 58 in Copenhagen it became crystal clear: the WHOIS is a “nice to have” but certainly not a “must have”.

Sure there are folks that did not see the mushroom cloud, nor did they hear the thunder of the nuclear explosion, and being in denial is an option, but if you are hit with the radiation and fallout, denial is not a good option.


What is the WHOIS and what are Registrars doing? If you register a domain name, say yourname.biz, then the Registrar registers the domain name for you and the Registry for .biz publishes your personal information in a public directory/database that we call the WHOIS.

This was handy back in 1990 or so. Now the EU GDPR is coming in May 2018 and enforcement is most likely to happen (read: huge fines). ICANN managed to ignore the problem and wanted to ignore the privacy problems even longer, but after ICANN 58 this is no longer an option.

The EU GDPR is global: every Registrar and Registry in this world that deals with European citizens has to comply with the EU GDPR. This makes the solution problematic.

In my opinion, there is only one solution. Shut down all WHOIS servers and replace them with RDAP. In addition, storing personal info at the Registry in order to register a domain name should not be required; it serves no purpose.

RDAP will have two functions. It will serve as an internal network to make sure existing ICANN policies continue to function, though policies like IRTP A-D and many more will need to be rewritten or scrapped.

The public output for RDAP should be very minimal; this is function two. The output will contain the Registry, Registrar, Reseller (if applicable), an email alias of the Registrant, and the name servers. The rest should be removed, as it serves no purpose.

As simple as this sounds, it requires a lot of work and there will be moments when things will be in freefall, and we need to adjust procedures on the fly.

Registrars, where applicable by law, should display the Registrant in full when it is a company. EU privacy law is pretty clear about that.
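As an added illustration (not the author’s code or any registry’s implementation), the following Python sketch takes a full RDAP domain object in the RFC 7483 JSON shape and reduces it to the minimal public output proposed above: registrar, reseller and name servers are kept, a natural-person registrant is replaced by a mail alias, and a company registrant (one with a vCard "org" property) is published in full. The alias scheme, the alias domain, the "Registry" notice and the sample data are constructed assumptions.

```python
import hashlib
import json

PUBLIC_ROLES = {"registrar", "reseller"}        # RDAP roles published as-is
ALIAS_DOMAIN = "privacy.registrar.example"      # placeholder alias domain (assumption)

def vcard_values(entity, prop):
    """All values of vCard property `prop` in an RDAP entity's vcardArray (jCard)."""
    return [p[3] for p in entity.get("vcardArray", ["vcard", []])[1] if p[0] == prop]

def alias_for(handle):
    """Deterministic, non-reversible mail alias for a registrant handle (constructed scheme)."""
    return hashlib.sha256(handle.encode()).hexdigest()[:16] + "@" + ALIAS_DOMAIN

def minimise_domain(rdap, registry_name):
    """Reduce a full RDAP domain object to the minimal public subset proposed above."""
    out = {"objectClassName": "domain", "ldhName": rdap["ldhName"],
           "nameservers": [{"objectClassName": "nameserver", "ldhName": ns["ldhName"]}
                           for ns in rdap.get("nameservers", [])],
           "entities": [],
           "notices": [{"title": "Registry", "description": [registry_name]}]}
    for ent in rdap.get("entities", []):
        roles = set(ent.get("roles", []))
        if roles & PUBLIC_ROLES or ("registrant" in roles and vcard_values(ent, "org")):
            out["entities"].append(ent)     # registrar, reseller or company registrant: in full
        elif "registrant" in roles:         # natural person: only a mail alias survives
            out["entities"].append({"objectClassName": "entity", "roles": ["registrant"],
                                    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                        ["email", {}, "text", alias_for(ent.get("handle", rdap["ldhName"]))]]]})
        # admin/tech/billing contacts, status, events and links are dropped: no public purpose
    return out

# Constructed sample of today's full registry output (not real data).
SAMPLE = {
    "objectClassName": "domain", "ldhName": "yourname.biz", "status": ["active"],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.net"}],
    "entities": [
        {"objectClassName": "entity", "handle": "REG-12345", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Jane Doe"],
                                  ["email", {}, "text", "jane@example.com"], ["tel", {}, "uri", "tel:+31-00-0000000"]]]},
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar BV"]]]},
        {"objectClassName": "entity", "roles": ["technical"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Hosting Helpdesk"]]]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(minimise_domain(SAMPLE, ".biz registry (placeholder)"), indent=2))
```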

All in all, this requires some out-of-the-box thinking, but we should stop thinking in terms of thin or thick; we must be aware of what data we collect, be careful about what we publish publicly, and keep asking what the purpose is.

The current setup will create a huge problem when it comes to abuse. Not only will LEAs be frustrated, but it will also create tons of overhead on the Registrar side and as such cost money; worse, abuse levels might even skyrocket.

RDAP allows for gated access. LEAs must get access through a global framework to combat abuse. This also extends to those companies who are not LEAs but fight spam and other nasty things that happen on the internet. This will require some heavy consultation with the EU Data Commissioners to set up a framework that has a purpose. I think this is doable, though it will require heavy monitoring of access to justify such access. Given the current levels of abuse, again I think it is warranted, not to mention the extremely short timeframe we have to get EU GDPR compliant.

Will this work? Most likely not. ICANN is a bottom-up driven community and not top down organized. Before we have everyone on board, we are most likely two years further in the process.

The alternative? There is no alternative: privacy is a right, it cannot cost money, it is not a service. As such I expect most Registrars will start offering privacy protection for free, send out a mailing informing everyone, and consider their duty done. This will be a colossal mess and I am not sure how we should deal with domain transfers; this issue does not exist with most ccTLDs, as they have a cleaner transfer process that does not rely on a system created by ancient Egyptians.

This article is work in progress. Updated version at https://dataprotection.industries/index.php/2017/10/13/the-end-of-whois-where-are-we-at/

Theo Geurts