Nuclear Winter, freeze all WHOIS projects.

While everyone is struggling with warnings from the EU Data Commissioners and the UN Rapporteur for the right to privacy during ICANN 58 in Copenhagen, we actually must look ahead.

As mentioned before, many of the ICANN policies rely on the WHOIS. Most likely this will turn out to be a single point of failure.

We will need to revisit the current policies when we get more clarity, and it looks like ICANN is going to work on an update of the legal review from 2015. That review wasn’t too great to begin with, but let’s not go there.

In no particular order, the following projects need to be frozen so we can see whether their scope and objectives are still correct.

  • Thick WHOIS Migration
  • Translation and Transliteration of Contact Information
  • WHOIS ARS
  • Crossfield validation
  • PPSAI

Thick WHOIS Migration
Though I do not think this one will ever happen, it is perhaps good to point out that Registrars outside the EU, but in countries with privacy laws, need to check whether they can transfer data to the USA.
For example, Turkey adopted privacy laws very similar to the EU GDPR in March 2016.
Given the current political climate, it seems like a country where breaking the law has severe consequences, not only monetary ones.

Translation and Transliteration of Contact Information
Currently in the IRT phase. But how sound is it to translate WHOIS information for a public directory when publishing the original data is already illegal, provided it is personal information?
This project needs to be frozen till there is more clarity, and its scope needs to be adjusted.

WHOIS ARS
This project, mandated by the GAC and in operation without a PDP, is illegal in its current form.
ICANN uses several third parties to download WHOIS data from Registrar WHOIS servers and process the data on several levels for correctness.
ICANN emails and places automated calls to Registrants to verify data correctness.
Under the RAA 2013, ICANN can do this. However, due to the poor setup, several EU laws are being broken. These third parties are not Privacy Shield certified (just to name one problem), so in its current state this project is illegal. Not to mention they most likely never looked at other countries that also have privacy laws.

To be clear, this project can operate legally if ICANN complies with EU law.
This project should be frozen till all the legal requirements have been met.

WHOIS Crossfield validation

https://community.icann.org/display/AFAV/Documents
Though most vendors proposed by ICANN are Privacy Shield certified, we need to know whether they comply only on paper or also in reality. This is a big difference and fundamental to Privacy Shield.
Furthermore, we need to know whether this is going to violate other countries’ privacy laws, as most of them are modeled on the EU Directive 95/46/.

In addition, Afilias announced that since April 7, 2017, postal code is no longer a required field, as there are countries that do not have postal codes.

The Registry for Dot Africa states in its policies that street address and postal code are optional, most likely because there are countries in Africa that do not have them.

This makes cross-field validation nearly impossible, and most likely bad actors/cybercriminals will use this blind spot and provide registrant information from Africa to avoid cross-field validation.

This project needs to be scrapped.
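To make the blind spot concrete, here is an added Python illustration; it is not ICANN’s or any registry’s validation code. The country rules, phone prefixes and sample records are constructed for the demo, and "XA" is an ISO 3166 user-assigned code standing in for a country whose registry made street address and postal code optional.

```python
import re

# Constructed per-country rules (assumptions for this demo, not registry policy).
# "XA" stands in for a country where street and postal code are optional.
COUNTRY_RULES = {
    "NL": {"required": {"street", "city", "postal_code"},
           "postal_re": re.compile(r"^\d{4} ?[A-Z]{2}$"), "phone_prefix": "+31"},
    "XA": {"required": {"city"},
           "postal_re": None, "phone_prefix": "+999"},
}
# Number of cross-checks that must actually run before a record counts as
# "verified" rather than merely "nothing contradicted it".
MIN_CHECKS = 2


def cross_checks(record):
    """Run every cross-field check the record allows; return (failures, checks_run)."""
    rules = COUNTRY_RULES[record["country"]]
    failures, run = [], 0
    missing = rules["required"] - {k for k, v in record.items() if v}
    if missing:
        failures.append(f"missing required fields: {sorted(missing)}")
    # Postal code format is checked against the country: a true cross-field check.
    if record.get("postal_code") and rules["postal_re"]:
        run += 1
        if not rules["postal_re"].match(record["postal_code"]):
            failures.append("postal code does not match country format")
    # Phone country prefix checked against the declared country.
    if record.get("phone"):
        run += 1
        if not record["phone"].startswith(rules["phone_prefix"]):
            failures.append("phone country code does not match country")
    return failures, run


def naive_validate(record):
    """Pass whenever no check contradicted the record: the blind spot."""
    failures, _ = cross_checks(record)
    return not failures


def validate_with_assurance(record):
    """Distinguish 'verified' from 'nothing to verify' by counting checks that ran."""
    failures, run = cross_checks(record)
    if failures:
        return "fail"
    return "pass" if run >= MIN_CHECKS else "review"


# Constructed sample records for the demo.
NL_RECORD = {"country": "NL", "street": "Example 1", "city": "Amsterdam",
             "postal_code": "1012 AB", "phone": "+31 20 0000000"}
SPARSE_RECORD = {"country": "XA", "city": "Somewhere", "phone": "+999 1 2345"}
MISMATCH_RECORD = dict(NL_RECORD, phone="+1 555 0100")
```

The sparse record sails through `naive_validate` because nothing in it could be contradicted, while `validate_with_assurance` routes it to manual review instead of treating silence as a pass.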

PPSAI- Privacy/Proxy Services Accreditation Implementation
On the one hand, I think this work should continue, on the other hand, we might face some huge changes.
What if we no longer publish personal data in a public directory? Then the entire business model for third-party privacy providers goes under the bus, and there is no need for those folks.
What if we require third-party privacy providers to be accredited and require annual fees paid to ICANN?
This would collide with Article 12 of the Universal Declaration of Human Rights, the right to privacy. In this scenario, how could these providers even charge money for their services?
Operating a privacy service simply costs money.

Perhaps it is best to freeze this one also, till we have more clarity.

Theo Geurts

Yoda says: “purpose you shall have.”

Or when I returned from Copenhagen ICANN 58, you shall have a purpose.

I have been struggling with the upcoming EU GDPR for a year now. I read the GDPR, read a few books, and it just didn’t sink in, let alone could I figure out how to attack this thing at ICANN level or at the Registrar I work for.

For more than a year the RDS WG, the group that is working on a replacement for the WHOIS, has been collecting requirements on what is required for this RDS. The number of requirements we gathered is insane: over 1000 requirements.

We heard from about every stakeholder what they need, and in every discussion privacy would come up, and how that should work; usually such a discussion would look more like a trench war, as most folks think privacy does not equal the abuse problems we are facing.
But at ICANN 58 a group of EU Data Commissioners assisted us, including the U.N. Special Rapporteur on the right to privacy and Caroline Goemans-Dorny, INTERPOL’s data protection officer.

During the RDS session on Wednesday, something happened that provided me with total clarity. We were running out of time, and we did not really get into the question session we prepared. At one point the Chair of the RDS WG fired off like four questions at once, related to a thin WHOIS output that was shown on the slides.

The U.N. Special Rapporteur said: “I will answer all your questions with one question: what is the purpose?”
This almost Yoda-like response gave me a real sense of clarity.
Why do we put an expiry date in the WHOIS?
Why do we put a create date in the WHOIS?
Why do we put an update date in the WHOIS?

My cell phone subscription is not published in a public directory, nor is it mentioned in a public directory when I upgraded my cell phone subscription. At that point, it was clear to me that this was not about thin or thick WHOIS; we put the cart before the horse.
I expressed my gratitude in public to the U.N. Special Rapporteur.
After the session I was having a smoke and saw the U.N. Special Rapporteur leave the building real quick, rushing to a taxi (busy person), and just when he hailed a taxi he spotted me, walked up to me, shook my hand and said: “Thank you for the support, and I have the feeling you now have a clear vision on what purpose is.”

I have it for sure, and the entire EU GDPR makes sense now. The EU GDPR is Europe setting a very high ambition trying to create logic in how you process or collect data. The EU GDPR text itself does not provide clear answers; it just shows ambition.

All your current processes need to be re-evaluated, and you have to ask what the purpose is. If you have a clear purpose and you can motivate it, then most likely you are on the right track. The EU GDPR can provide more guidance.
If, however, you encounter a situation where you ask what the purpose is, and the answer is dodgy, shady or not clear, or the answer is “it is nice to have,” then you are most likely on the wrong track.

How does this guide me when it comes to the RDS and the WHOIS?
Simple: the WHOIS is a “nice to have” that completely spiraled out of control and has no place in this day and age.

RDS? Even though we are still in its early stages, it seems we are working on a compromise to keep everyone happy. Keeping everyone happy and yet complying with the law is not possible, so the current purpose of RDS will turn into a failure.

Later this week I will go into more detail on why RDS will never work, what is required, and how we should combat abuse, though I have not figured out the abuse part yet.

Theo Geurts ICANN RDS WG member.

ASOP Global Internet Pharmacy Safety E-Commerce Leadership Award.

And I won it, at ICANN 58 in Copenhagen.

And it did not cost me much energy at all. That is the deciding factor in how I won the award. Connecting key players (LEAs), connecting key actors (Registries & Registrars) and as such making the internet safer, consulting, advising, participation: things that give me energy. And if it gives one energy, it all becomes easy.

The award was handed to me by ASOP.EU. Their goal:

An early objective for the coalition will be to develop and issue a ‘call for action’ inviting the European authorities to evaluate policies and legal measures to tackle illegal online sales and launch a dialogue with key stakeholders including internet intermediaries to take action against illegal online pharmacies. The coalition will play a valuable role in demonstrating broad-based support for urgent action to tackle this patient safety threat. It should rapidly become a trusted partner of the authorities as measures are developed to deal with illegal online pharmacies.

The award looks like this:

I guess the photo does not do complete justice to the award. It was however so large (and heavy) that I asked the hotel staff to have UPS ship it back to me, as there was no way it would fit in my carry-on luggage.

ICANN 58 took place in this great convention center, Bella Sky in Copenhagen. Expect more updates soon.

ASOP press release can be read here.

Comments on the Proposal for a Specification 13 to the ICANN Registry Agreement to Contractually Reflect Certain Limited Aspects of “.Brand” New gTLDs

It’s been rather busy so not many updates lately.

ICANN 45 Toronto (Photo credit: veni markovski)

One thing I wanted to share is the statement below regarding Registry agreements when it comes to the so-called bTLDs (no, I did not make that one up).

The statement is from the Registrar group, and I am one of the folks who signed it, since I support the statement.

The statement can be viewed here: http://forum.icann.org/lists/comments-spec13-06dec13/msg00040.html

The statement in text format below:

Comments on the Proposal for a Specification 13

To the ICANN Registry Agreement to Contractually Reflect Certain Limited Aspects of “.Brand” New gTLDs

Date: 30th January 2014
Public Comment URL: http://www.icann.org/en/news/public-comment/spec13-06dec13-en.htm
The undersigned registrars (“Registrars”), some of whom may also present individual comments, respectfully submit the attached comments on the Proposal for Specification 13 to the ICANN Registry Agreement to Contractually Reflect Certain Limited Aspects of “.Brand” New gTLDs and are available to engage with any questions or comments.
We thank the Brand Registry Group (BRG) for preparing this proposal and look forward to future collaborations with this new organization.
Registrars welcome the concept of a TLD operated by a brand owner for their exclusive use and recognize that these TLDs have distinct needs that may differ from those of general use TLDs. However, we cannot support several sections of the draft proposal as currently written, as we believe it creates the potential for abuse in the new gTLD program. Of particular concern are Section 3 and Section 5 of the Specification.
Regarding Section 3, while we do not object to the proposed language and recognize that it may not be appropriate for some TLDs to be re-delegated by ICANN following a termination of the registry agreement, we propose that the TLD operator should be obligated to take steps to notify affected third parties, such as operating system vendors, browser developers, SSL Certificate Authorities, major ISPs, and other relevant industries or organizations.
Our overall concern with the proposed language in Specification 13 is that if this proposal were adopted as written, it could re-introduce the concerns of equal registrar access and undermine the registry-registrar model for domain names. This could give rise to TLDs where the registry, registrar, and registrant (or a subset of those roles) are the same entity, and the beneficial user of the domain name lies with another party.
For example, a broad interpretation of 5.1(ii) and 5.2 would seem to imply that the TLD could offer a limited license to its trademark to unaffiliated parties, and then permit these licensees to register or use domain names in the TLD. These licensees would behave like registrants but without the rights or responsibilities currently provided for under the RAA and ICANN Consensus Policies. For this problem to be addressed in the current proposal, we recommend the phrase “Trademark Licensee,” and the entirety of Section 5.2 be struck.

Finally, we would also like to note that there is a mechanism already in place to request and grant an exemption/waiver from the Registry Operator Code of Conduct (Specification 9). Knowing this, we respectfully request that the BRG outline its specific concerns with the existing process, and articulate why it would fail to provide for the needs of their TLD.
Thank you,

Luc Seufer, EuroDNS
James Bladel, GoDaddy
Bob Wiegand, Web.com
Jeff Eckhaus, enom / Name.com
Volker Greimann, Key Systems
Theo Geurts, Realtime Register
Chris Pelling, NetEarthOne
Oliver Hope, HostEurope Group
Rob Golding, Astutium Ltd
Benny Samuelsen, Nordreg AB
Michele Neylon, Blacknight Internet Solutions Ltd