Nuclear Winter, freeze all WHOIS projects.

While everyone is struggling with warnings from the EU Data Commissioners and the UN Rapporteur for the right to privacy during ICANN 58 in Copenhagen, we actually must look ahead.

As mentioned before, many of the ICANN policies rely on the WHOIS. Most likely this will turn out to be a single point of failure.

The current policies we will need to revisit them when we get more clarity, and it looks like ICANN is going to work on an update on the legal review from 2015. That review wasn’t too great, to begin with, but let’s not go there.

In no particular order, the following projects need to be frozen and see if the scope and the objectives are still correct.

  • Thick WHOIS Migration
    Translation and Transliteration of Contact Information
    WHOIS ARS
    Crossfield validation
    PPSAI

Thick WHOIS Migration
Though I do not think this one will ever happen, it is perhaps good to point out that Registrars outside of the EU but with privacy laws need to check if they can transfer data to the USA.
For example, Turkey has adopted privacy laws very similar to the EU GDPR in March 2016.
Given the current political climate, it seems like a country where breaking the law has severe consequences not only monetary ones.

Translation and Transliteration of Contact Information
Currently in the IRT phase. But how sound is translating WHOIS information to a public directory when publishing the original data is already illegal, provided it is personal information?
This project needs to be frozen till there is more clarity and have the scope adjusted.

WHOIS ARS
This project mandated by the GAC and in operation without a PDP in its current form is illegal.
ICANN uses several third parties to download WHOIS data from Registrar WHOIS servers and processes the data on several levels for data correctness.
ICANN emails and performs auto calls to Registrants, to verify data correctness.
Within the RAA 2013, ICANN can do this. However, due to the poor setup, several EU laws are being broken. These third parties are not privacy shield certified (just to name a problem), as such in the current state this project is illegal. Not to mention they most likely never looked at other countries who also have privacy laws.

To be clear here, this project can operate legally if ICANN complies with the EU law.
This project should be frozen till all the legal requirements have been met.

WHOIS Crossfield validation

https://community.icann.org/display/AFAV/Documents
Though most vendors proposed by ICANN are privacy shield certified, we need to know if they just comply on paper or also in reality. This is a big difference and fundamental to Privacy Shield.
Furthermore, we need to know if this is going to violate other countries privacy laws as most of them are modeled around the EU Directive 95/46/.

In addition to this. Afilias announced that since April 7, 2017, postal code is no longer a required field as there countries out there that do not have a postal code.

The Registry for Dot Africa states in their policies that, street address and postal code are optional. Most likely due to the fact, there are countries in Africa that do not have them.

This makes cross field validation nearly impossible, and most likely bad actors/cyber criminals will use this blind spot and provide registrant information from Africa to avoid cross field validation.

This project needs to be scrapped.

PPSAI- Privacy/Proxy Services Accreditation Implementation
On the one hand, I think this work should continue, on the other hand, we might face some huge changes.
What if we no longer publish personal data in a public directory? Then the entire business model for third party privacy providers goes under the bus, and there is no need for those folks.
What if we require third party privacy providers to be accredited and require annual fees paid to ICANN?
This would collide with the The Universal Declaration of Human Rights Article 12 the right to privacy. In this scenario how could these providers even charge money for their services?
Operating a privacy service simply costs money.

Perhaps it is best to freeze this one also, till we have more clarity.

Theo Geurts

Yoda says:”purpose you shall have.”

Or when I returned from Copenhagen ICANN 58, you shall have a purpose.

I have been struggling with the upcoming EU GDPR for a year now. Read the GDPR, read a few books and it just didn’t sink in, let alone I could figure out how to attack this thing on ICANN level or at the Registrar I work for.

For more than a year the RDS WG, the group that is working on a replacement for the WHOIS, has been collecting requirements on what is required for this RDS. The number of requirements we gathered is insane, over 1000 requirements.

We heard from about every stakeholder what they need, and in every discussion, privacy would come up, and how that should work, usually such discussion would look more like a trench war, as most folks think privacy does not equal the abuse problems we are facing.
But ICANN 58 a group of EU Data Commissioners assisted us, including the U.N. Special Rapporteur on the right to privacy and Caroline Goemans-Dorny INTERPOL’s data protection officer.

During the RDS session on Wednesday, something happened that provided me with total clarity. We were running out of time, and we did not really get into the question session we prepared. At one point the Chair of the RDS WG fired off like four questions at once, related to a thin WHOIS output that was shown on the slides.

The U.N. Special Rapporteur said:”I will answer all your questions, with one question,” what is the purpose?
This almost Yoda-like response gave me a real sense of clarity.
Why do we put an expiry date in the WHOIS?
Why do put a create date in the WHOIS?
Why do we put an update date in the WHOIS?

My cell phone subscription is not being published in a public directory, nor is it mentioned when I upgraded my cell phone subscription in a public directory. At that point, it was clear to me that this was not about thin or thick WHOIS, we put the cart before the horse.
I expressed my gratitude in public to the U.N. Special Rapporteur.
After the session I was having a smoke and saw the U.N. Special Rapporteur leave the building real quick, rushing to a taxi (busy person) and just when he hailed a taxi he spotted me, walked up to me, shook my hand and said:”Thank you for the support, and I have the feeling you now have a clear vision on what purpose is”.

I have it for sure, and the entire EU GDPR makes sense now. The EU GDPR is Europe setting a very high ambition trying to create logic in how you process or collect data. The EU GDPR text itself does not provide clear answers; it just shows ambition.

All your current processes need to be re-evaluated, and you have to ask what the purpose is? If you have a clear purpose and you can motivate it, then most likely you are on the right track. The EU GDPR can provide more guidance.
If however you encounter a situation and you ask what the purpose is, and the answer is dodgy, shady or not clear, or the answer is, it is nice to have, then you are most likely on the wrong track.

How does this guide me when it comes to the RDS and the WHOIS?
Simple, the WHOIS is a “nice to have,” that completely spiraled out of control and has no place in this day and age.

RDS? Even though we are still in its early stages, it seems we are working on a compromise to keep everyone happy. Keeping everyone happy and yet complying with the law, is not possible, so the current purpose of RDS will turn into a failure.

Later this week I will go more into detail why RDS will never work and what is required and how we should combat abuse, though I did not figure out the abuse part, yet.

Theo Geurts ICANN RDS WG member.

This blog post was created while listening to:

ASOP Global Internet Pharmacy Safety E-Commerce Leadership Award.

And I won it, at ICANN 58 in Copenhagen.

And it did not cost me a much energy at all. That is the deciding factor how I won the award. Connecting key players (LEA’s), connecting key actors (Registries & Registrars) and as such the internet became safer, consulting, advising, participation, things, that give me energy. And if it gives one energy, it all becomes easy.

The award was handed to me by ASOP.EU. Their goal:

An early objective for the coalition will be to develop and issue a ‘call for action’ inviting the European authorities to evaluate policies and legal measures to tackle illegal online sales and launch a dialogue with key stakeholders including internet intermediaries to take action against illegal online pharmacies.  The coalition will play a valuable role in demonstrating broad-based support for urgent action to tackle this patient safety threat. It should rapidly become a trusted partner of the authorities as measures are developed to deal with illegal online pharmacies.

The award looks like this:

I guess the photo does not do complete justice to the award. It was however so large (and heavy) that I asked the hotel staff to have UPS ship it back to me, as there was no way it would fit in my carry-on luggage.

ICANN 58 took place in this great convention center, Bella Sky in Copenhagen. Expect more updates soon.

ASOP press release can be read here.