Nuclear Winter, freeze all WHOIS projects.

While everyone is struggling with warnings from the EU Data Commissioners and the UN Rapporteur for the right to privacy during ICANN 58 in Copenhagen, we actually must look ahead.

As mentioned before, many of the ICANN policies rely on the WHOIS. Most likely this will turn out to be a single point of failure.

We will need to revisit the current policies when we get more clarity, and it looks like ICANN is going to work on an update on the legal review from 2015. That review wasn’t too great to begin with, but let’s not go there.

In no particular order, the following projects need to be frozen so we can see whether their scope and objectives are still correct.

  • Thick WHOIS Migration
  • Translation and Transliteration of Contact Information
  • WHOIS ARS
  • Crossfield validation
  • PPSAI

Thick WHOIS Migration
Though I do not think this one will ever happen, it is perhaps good to point out that Registrars outside of the EU but with privacy laws need to check if they can transfer data to the USA.
For example, Turkey has adopted privacy laws very similar to the EU GDPR in March 2016.
Given the current political climate, it seems like a country where breaking the law has severe consequences, not only monetary ones.

Translation and Transliteration of Contact Information
Currently in the IRT phase. But how sound is translating WHOIS information to a public directory when publishing the original data is already illegal, provided it is personal information?
This project needs to be frozen until there is more clarity, and its scope needs to be adjusted.

WHOIS ARS
This project, mandated by the GAC and in operation without a PDP, is illegal in its current form.
ICANN uses several third parties to download WHOIS data from Registrar WHOIS servers and processes the data on several levels for data correctness.
ICANN emails Registrants and places automated calls to them to verify data correctness.
Within the RAA 2013, ICANN can do this. However, due to the poor setup, several EU laws are being broken. These third parties are not Privacy Shield certified (to name just one problem); as such, in its current state this project is illegal. Not to mention that they most likely never looked at other countries that also have privacy laws.

To be clear here, this project can operate legally if ICANN complies with the EU law.
This project should be frozen till all the legal requirements have been met.

WHOIS Crossfield validation

https://community.icann.org/display/AFAV/Documents
Though most vendors proposed by ICANN are Privacy Shield certified, we need to know if they just comply on paper or also in reality. This is a big difference and fundamental to Privacy Shield.
Furthermore, we need to know if this is going to violate other countries’ privacy laws, as most of them are modeled around the EU Directive 95/46/.

In addition to this, Afilias announced that since April 7, 2017, postal code is no longer a required field, as there are countries out there that do not have a postal code.

The Registry for Dot Africa states in its policies that street address and postal code are optional, most likely because there are countries in Africa that do not have them.

This makes cross-field validation nearly impossible, and most likely bad actors/cyber criminals will use this blind spot and provide registrant information from Africa to avoid cross-field validation.

This project needs to be scrapped.

PPSAI - Privacy/Proxy Services Accreditation Implementation
On the one hand, I think this work should continue; on the other hand, we might face some huge changes.
What if we no longer publish personal data in a public directory? Then the entire business model for third-party privacy providers goes under the bus, and there is no need for those folks.
What if we require third-party privacy providers to be accredited and require annual fees paid to ICANN?
This would collide with the Universal Declaration of Human Rights, Article 12, the right to privacy. In this scenario, how could these providers even charge money for their services?
Operating a privacy service simply costs money.

Perhaps it is best to freeze this one also, till we have more clarity.

Theo Geurts

Comment on the Transition NTIA’s Stewardship of the IANA Functions to ICANN

So ICANN wanted comments, we gave them one. While this was being drafted, Javier Rodriguez released a very interesting read, called “2050: The Internet Odyssey – How We Lost It and a Way to Get It Back”. Interesting read, right? Are we at the crossroads? Looks like it. However, it seems we got the message, yet there is tons of work ahead. Guess I better get a few more wifi routers 😉 Cya folks at ICANN 50! Ping me if you want to meet.

Anyways here is our statement, signed by yours truly.

Late edit, I forgot to mention where one can find the comment URL.

http://mm.icann.org/pipermail/ianatransition/2014/date.html

Comments on the Call for Public Input: Draft Proposal, Based on Initial
Community Feedback, of the Principles and Mechanisms and the Process to
Develop a Proposal to Transition NTIA’s Stewardship of the IANA Functions

Date: 8 May 2014

Public Comment URL:
http://www.icann.org/en/about/agreements/iana/transition/draft-proposal-08apr14-en.htm

The undersigned registrars (“Registrars”), some of whom may also present
individual comments, respectfully submit the attached comments on the Proposal
for the Call for Public Input: Draft Proposal, Based on Initial Community
Feedback, of the Principles and Mechanisms and the Process to Develop a
Proposal to Transition NTIA’s Stewardship of the IANA Functions.

We thank the IANA Team for preparing this proposal.

The Registrar Stakeholder Group is currently reviewing this issue and discussing
the ways in which it may impact the global registrar community. We do, however,
have initial comments on specific points that have arisen as a result of the Call
for Public Input.

Several members of the Registrar Stakeholder Group believe that having two
Steering Group representatives for the GNSO will not be sufficient in ensuring
that the interests of all GNSO stakeholders are properly reflected. As the GNSO
is the largest and most diverse structure within ICANN, we find that a “one size
fits all” approach to delegation is not appropriate. Instead, we propose that each
SO/AC submit a number of representatives that it believes to be sufficiently
representative, but be encouraged to keep the number as small as possible.

With regard to the selection process, we recommend that delegates to The
Steering Group should not be selected, chosen or screened by ICANN Staff, as
we have seen recently with Expert Working Groups and Strategy Panels.

We propose that to ensure the most effective process, The ICANN Staff avoid
top-down engagement with the Steering Group. The Steering Group’s legitimacy
with Registrars and other stakeholders will depend upon its ability to choose its
own path forward (with public input) and need not accept the staff-produced
blueprint for developing a transition proposal. Ideally, the role of ICANN Staff
(particularly Executive Staff) would be limited to supporting this effort.

The Registrar Stakeholder Group would like to note that currently, there are three
issues intertwined with this effort that must be considered dependent, or even prerequisite, issues:

First, the effort to review/improve Accountability Mechanisms must complete
before any transition can occur. There is a general belief that existing
mechanisms are ineffectual.

Second, we need to understand the technical & operational impacts of this
change. Recent events (CZDS outage, TAS “glitch”, etc.) clearly indicate that
ICANN is not up to the task of operating the Root Zone Maintainer function. Will
VeriSign retain this role? If not, who will fill it?

Third, the role of governments is an essential component of the NTIA plan,
however this presumes that the GAC’s structure and operation will be similar to
how it exists today. The transition proposal should ensure that any potential
structural changes by the GAC or other third-parties would not negatively impact
NTIA’s requirement that IANA control must not transition to a government or
inter-governmental organization.

We respectfully request that the above issues be taken into consideration before
a proposal to transition is completed.

Thank you,

Thomas Barrett, EnCirca
John Berryhill, Uniregistry
James Bladel, GoDaddy
Robert Birkner, 1API
Graeme Bunton, Tucows
Jeffrey Eckhaus, eNom
Theo Geurts, Realtime Register
Rob Golding, Astutium
Frédéric Guillemaut, Mailclub
Rob Hall, Momentous
Thomas Keller, 1&1 Internet
Louise Lentino, Instra Corporation
Michele Neylon, Blacknight
Chris Pelling, NetEarth One
Benny Samuelsen, Nordreg AB
Luc Seufer, EuroDNS
Dr. Michael Shohat, Cronon AG
Bruce Tonkin, Melbourne IT
Bob Wiegand, Web.com