Nuclear Winter, freeze all WHOIS projects.

While everyone is struggling with warnings from the EU Data Commissioners and the UN Rapporteur for the right to privacy during ICANN 58 in Copenhagen, we actually must look ahead.

As mentioned before, many of the ICANN policies rely on the WHOIS. Most likely this will turn out to be a single point of failure.

The current policies we will need to revisit them when we get more clarity, and it looks like ICANN is going to work on an update on the legal review from 2015. That review wasn’t too great, to begin with, but let’s not go there.

In no particular order, the following projects need to be frozen and see if the scope and the objectives are still correct.

  • Thick WHOIS Migration
    Translation and Transliteration of Contact Information
    WHOIS ARS
    Crossfield validation
    PPSAI

Thick WHOIS Migration
Though I do not think this one will ever happen, it is perhaps good to point out that Registrars outside of the EU but with privacy laws need to check if they can transfer data to the USA.
For example, Turkey has adopted privacy laws very similar to the EU GDPR in March 2016.
Given the current political climate, it seems like a country where breaking the law has severe consequences not only monetary ones.

Translation and Transliteration of Contact Information
Currently in the IRT phase. But how sound is translating WHOIS information to a public directory when publishing the original data is already illegal, provided it is personal information?
This project needs to be frozen till there is more clarity and have the scope adjusted.

WHOIS ARS
This project mandated by the GAC and in operation without a PDP in its current form is illegal.
ICANN uses several third parties to download WHOIS data from Registrar WHOIS servers and processes the data on several levels for data correctness.
ICANN emails and performs auto calls to Registrants, to verify data correctness.
Within the RAA 2013, ICANN can do this. However, due to the poor setup, several EU laws are being broken. These third parties are not privacy shield certified (just to name a problem), as such in the current state this project is illegal. Not to mention they most likely never looked at other countries who also have privacy laws.

To be clear here, this project can operate legally if ICANN complies with the EU law.
This project should be frozen till all the legal requirements have been met.

WHOIS Crossfield validation

https://community.icann.org/display/AFAV/Documents
Though most vendors proposed by ICANN are privacy shield certified, we need to know if they just comply on paper or also in reality. This is a big difference and fundamental to Privacy Shield.
Furthermore, we need to know if this is going to violate other countries privacy laws as most of them are modeled around the EU Directive 95/46/.

In addition to this. Afilias announced that since April 7, 2017, postal code is no longer a required field as there countries out there that do not have a postal code.

The Registry for Dot Africa states in their policies that, street address and postal code are optional. Most likely due to the fact, there are countries in Africa that do not have them.

This makes cross field validation nearly impossible, and most likely bad actors/cyber criminals will use this blind spot and provide registrant information from Africa to avoid cross field validation.

This project needs to be scrapped.

PPSAI- Privacy/Proxy Services Accreditation Implementation
On the one hand, I think this work should continue, on the other hand, we might face some huge changes.
What if we no longer publish personal data in a public directory? Then the entire business model for third party privacy providers goes under the bus, and there is no need for those folks.
What if we require third party privacy providers to be accredited and require annual fees paid to ICANN?
This would collide with the The Universal Declaration of Human Rights Article 12 the right to privacy. In this scenario how could these providers even charge money for their services?
Operating a privacy service simply costs money.

Perhaps it is best to freeze this one also, till we have more clarity.

Theo Geurts

EU GDPR and the WHOIS, Radiation Fallout

So during ICANN 58 in Copenhagen, it became crystal clear, the WHOIS is a “nice to have” but not a “must have” for sure.

Sure there are folks that did not see the mushroom cloud, nor did they hear the thunder of the nuclear explosion, and being in denial is an option, but if you are hit with the radiation and fallout, denial is not a good option.

 

What is the WHOIS and what are Registrars doing? If you register a domain name say: yourname.biz, then Registrars register the domain name for you and the Registry for .biz publishes your personal information in a public directory/database; we call the WHOIS.

This was handy back in 1990 or so. Now the EU GDPR is coming in May 2018 and enforcement is most likely to happen (read huge fines). ICANN managed to ignore the problem and wanted to ignore the privacy problems even longer, but after ICANN 58 this is no longer an option.

The EU GDPR is global, every Registrar and Registry on this world who deals with European citizens have to comply with the EU GDPR. This makes the solution problematic.

In my opinion, there is only one solution. Shutdown all WHOIS servers and replace it with RDAP. In addition to this, storing personal info at the Registry to register a domain name should be not required, it serves no purpose.

RDAP will have two functions. It will serve as an internal network to make sure existing ICANN policies will remain to function, though policies like IRTP A-D and much more will need to re-written or scrapped.

The public output for RDAP should be very minimal; this is function two. The output will contain the Registry, Registrar, Reseller (if applicable), email alias of the Registrant and the name servers. The rest should be removed as there is no purpose.

As simple as this sounds, it requires a lot of work and there will be moments when things will be in freefall, and we need to adjust procedures on the fly.

Registrars if applicable by law should display the Registrant in full when it is a company. The EU privacy is pretty clear about that.

All in all, this requires some out of the box thinking, but we should stop thinking regarding thin or thick, we must be aware on what we collect data wise and careful what we publish publicly and keep asking what the purpose is.

The current setup will create a huge problem when it comes to abuse. Not only will LEA’s be frustrated, but it will also create tons of overhead on the Registrar side and as such cost money and worse, abuse levels might even skyrocket.

RDAP allows for gated access. LEA’s must get access through a global framework to combat abuse. This also extends to these companies who are not LEA’s but fight spam and other nasty things that happen on the internet. This will require some heavy consulting with the EU Data Commissioners to set up a framework that has a purpose. I think this is doable, though it will require heavy monitoring when it comes to access to justify such access. Given the current levels of abuse, again I think it is warranted, not to mention the extremely short timeframe we have to get EU GDPR compliant.

Will this work? Most likely not. ICANN is a bottom-up driven community and not top down organized. Before we have everyone on board, we are most likely two years further in the process.

The alternative and there is no alternative, privacy is a right, it cannot cost money, it is not a service, as such I expect most Registrars will start offering privacy protect for free, send out a mailing informing everyone, they have done their duty. This will be a colossal mess and I am not sure how we should deal with domain transfers, this issue does not exist with most ccTLD’s as they have a more clean transfer process that does not rely on a system created by ancient Egyptians.

This article is work in progress.

Theo Geurts

Why the Thick WHOIS Migration will not happen.

UPDATE

Perhaps the migration is a means to an end after all.

As a wholesale Registrar our Resellers could request the following under the GDPR from the registrants, something like “I agree with the provision of my personal data being transferred to the US company XXX acting as Registry for this domain name category”. That does not solve the problem for a Registry. The only thing I am not sure of is who the hell should obtain the consent., the reseller, or the Registry? The GDPR says the party that is responsible…. that door could swing both ways in this scenario.

 

 

Well most likely, but this headline is not clickbait.
So now that the Registrars have been informed about the 1 August deadline when they should start implementing the Thick WHOIS policy, it gives me freedom to give some feedback here. I was one of the original IRT members who drafted this policy.

Thick WHOIS Migration. Registrars need to migrate 140+ million WHOIS records to Verisign for .com and .net. Including personal registrant data.

 

First of all, does a registry require registrant data to register a domain name? The answer is no.
This also shows that thick WHOIS Registries giving the current political and legal changing landscape is a no go. This also applies for ccTLDs.
Shooting personal information all over the globe to register a domain name is simply insane.

Moving registrant data from the EU to the USA, how legal is that?
Currently, it is legal under privacy shield.
Privacy Shield? According to the website, this is what PS does.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Sounds simple enough, and it is. If it weren’t for a few problems.
First of all Privacy Shield is currently being reviewed by the Irish Data Commissioner. Most likely Privacy Shield will be invalidated.

Privacy Shield is also up for its annual review.
Giving Presidents Trump actions over the last few months, it ticked off a lot of people. As such, this also will be a political review.

The review will NOT go smoothly.
In short, this migration hinges on the fact that Privacy Shield will stay up and running till the end of days, and it won’t.

Then there is the issue of self-certification.
To migrate the data to the Verisign servers, Verisign needs to be Privacy Shield certified.
As it is a self-certification, that is pretty simple, tick the boxes, and you are on your way.

However, the EU expects you offer an adequate level of data protection. Now that is pretty vague on what that requirement is. But we can be sure that publishing personal info into a public directory/database with zero protection is not an adequate level of protection.

So Verisign cannot even certify itself without exposing itself to major privacy issues. The EU GDPR contains some pretty hefty fines; you can be sure that Verisign will not expose itself to this.
Privacy Shield requires you to uphold the directives not just on paper but also in reality.

Then there is the other issue.
The IRT did not want to check all the privacy laws that are out there. Currently, 100 countries have privacy laws, so that was an impossible task. So the IRT recommended, Registrars, figure it out yourselves.
But, we should have realized that most of those privacy laws are modeled around the EU directives 95/46/ec. Most likely these countries will demand contracts with Registries that offer a decent level of data protection. So we can semi assume this is not the case.

In addition to this, currently 39 countries are drafting privacy laws modeled towards the EU GDPR.

Please raise your hand if you think this Thick WHOIS Migration to the USA will still be a go?

We really need to re-think this Thick WHOIS server strategy on a global level.
Today it’s Trump, last year it was the Brexit creating a lot of issues that still need resolving. Next week we will have another crisis on our hands that blocks us from sending data.

Theo Geurts ICANN Thick WHOIS IRT Member.

The law is the law.