The EU GDPR, The wrong Equalizer?

We can predict with great certainty that the public WHOIS will be a thing of the past.

This will create issues for two groups (and a few more), but let’s focus on these two for now:
LEAs (Law Enforcement Agencies)
Commercial cyber crime fighters; perhaps not the best name for them, but as they are very diverse, this seems to cover most of them.

The EU GDPR is somewhat (okay, very often) characterized as a boogeyman invented by folks who are so pro-privacy that they lost touch with reality.
This is a misconception. Yes, the EU GDPR has been created by an army of lawyers and legal folks that is downright scary in numbers, but they were very much in touch with reality during the process.

The EU GDPR has been forged from EU Directive 95/46/EC, which has been challenged in court many times, at both the national and the European level. The courts were always trying to strike a balance between privacy and the needs of LEAs.
Cybercrime is not something that only happens at the DNS level; it happens at all levels of our society.

Many companies outside of the DNS have been dealing with the EU directives for years and have embedded them into their data collection and data processing processes. And let’s not forget that they have dealt with cybercrime and LEAs too. So far, nothing new.

During the creation of the EU GDPR, many LEAs were consulted, and this is reflected within the EU GDPR.
For LEAs there are enough provisions to continue their work.

Commercial cyber crime fighters, what about them?
At first glance, and due to one-sided information, it looks like these folks are screwed big time. However, this is not the case. The EU GDPR leaves room, but it requires a legal framework and contractual obligations. I keep this very broad as I am no lawyer, but when you dig through the EU GDPR, you will discover room to operate.

What Commercial cyber crime fighters should not do.
Look to ICANN or the EU Data Commissioners for help.
ICANN has a horrible track record when it comes to privacy in general. Not intentionally, but due to circumstances; still, it is what it is. So asking ICANN is not the solution: ICANN requires tons of help on the subject of privacy itself. It is the blind leading the blind here.

EU Data Commissioners
From a high-level perspective, these folks and the Article 29 WG can help. But the problem is that we are dealing with very specific purposes and operational matters, and they cannot zoom in to a micro level. And on a macro level, you get the idea that nothing is possible and that privacy is blocking everything and anything.

What Commercial Cyber Crime fighters should do.
As a Registrar, we run into practical GDPR issues all the time. The solution? Consult a lawyer who is well versed in the GDPR and knows the DNS industry well.
It costs money for sure, but hey, our business depends on it. And don’t forget that many companies outside the DNS already did this in the past; again, nothing new here.

The only thing that might be new here is the sudden change in thinking on an ICANN level and a boatload of people who are in desperate need of tailor-made solutions. Again, ICANN will not help you out there, and neither will the RDS WG at this stage. When it comes to the RDS WG, you will need to bring that knowledge and those solutions to the table yourself. You might get lucky and someone will join us who has deep knowledge of fighting abuse on an operational level, in-depth knowledge of the EU GDPR, and knows exactly what to do.
Personally, I wouldn’t count on that; I would try to get ahead of this.

Personal Experience.

So far my interaction with several lawyers has given me a positive feeling when it comes to the EU GDPR. Just when you are about to smash your head against the wall while yelling “This cannot be done!” or “This is going to cost us a fortune!”, the lawyers have so far always come up with a solution or an interpretation of the EU GDPR that turned the issue into a workable solution. In other words, the EU GDPR is not as black and white as it appears; it actually appears very well balanced, you just need to know the nuances.

If you need a lawyer who knows the EU GDPR and the DNS, drop me a line. I have worked with several of them over the last few years, not to mention the last few weeks 😉

Theo Geurts ICANN Registrar.

Why the Thick WHOIS Migration will not happen.

UPDATE

Perhaps the migration is a means to an end after all.

As a wholesale Registrar, our Resellers could request the following from the registrants under the GDPR, something like: “I agree with the provision of my personal data being transferred to the US company XXX acting as Registry for this domain name category”. That does not solve the problem for a Registry. The only thing I am not sure of is who the hell should obtain the consent: the reseller, or the Registry? The GDPR says the party that is responsible… that door could swing both ways in this scenario.

Well, most likely, but this headline is not clickbait.
Now that the Registrars have been informed about the 1 August deadline by which they should start implementing the Thick WHOIS policy, it gives me the freedom to give some feedback here. I was one of the original IRT members who drafted this policy.

Thick WHOIS Migration: Registrars need to migrate 140+ million WHOIS records for .com and .net, including personal registrant data, to Verisign.


First of all, does a registry require registrant data to register a domain name? The answer is no.
This also shows that, given the current changing political and legal landscape, thick WHOIS Registries are a no-go. This also applies to ccTLDs.
Shooting personal information all over the globe to register a domain name is simply insane.

Moving registrant data from the EU to the USA, how legal is that?
Currently, it is legal under Privacy Shield.
Privacy Shield? According to the website, this is what Privacy Shield does:

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Sounds simple enough, and it is, if it weren’t for a few problems.
First of all, Privacy Shield is currently being reviewed by the Irish Data Commissioner. Most likely Privacy Shield will be invalidated.

Privacy Shield is also up for its annual review.
Given President Trump’s actions over the last few months, which ticked off a lot of people, this will also be a political review.

The review will NOT go smoothly.
In short, this migration hinges on Privacy Shield staying up and running till the end of days, and it won’t.

Then there is the issue of self-certification.
To migrate the data to the Verisign servers, Verisign needs to be Privacy Shield certified.
As it is a self-certification, that is pretty simple, tick the boxes, and you are on your way.

However, the EU expects you to offer an adequate level of data protection. Now, what exactly that requirement means is pretty vague. But we can be sure that publishing personal info in a public directory/database with zero protection is not an adequate level of protection.

So Verisign cannot even certify itself without exposing itself to major privacy issues. The EU GDPR contains some pretty hefty fines; you can be sure that Verisign will not expose itself to those.
Privacy Shield requires you to uphold the directives not just on paper but also in reality.

Then there is the other issue.
The IRT did not want to check all the privacy laws that are out there. Currently, 100 countries have privacy laws, so that was an impossible task. So the IRT’s recommendation was: Registrars, figure it out yourselves.
But we should have realized that most of those privacy laws are modeled on EU Directive 95/46/EC. Most likely these countries will demand contracts with Registries that offer a decent level of data protection. So we can semi-assume that this is not the case.

In addition to this, 39 countries are currently drafting privacy laws modeled on the EU GDPR.

Please raise your hand if you think this Thick WHOIS Migration to the USA is still a go.

We really need to rethink this Thick WHOIS server strategy on a global level.
Today it’s Trump; last year it was Brexit, which created a lot of issues that still need resolving. Next week we will have another crisis on our hands that blocks us from sending data.

Theo Geurts ICANN Thick WHOIS IRT Member.

The law is the law.

ICANN wants to destroy privacy protect services for domain names.

Privacy for Business (Photo credit: Wikipedia)

And that could be read many times over, on tons of websites.

The truth is/was that the workgroup (I am a member of the PPSAI WG) is divided. A few folks wanted a footnote saying that commercial websites could not use P/P services, and another group wanted a footnote in the report saying they opposed that idea.

All good and fine, until social media spun it their way. And now we have over 14k comments to look at. Since most of the submitted comments came from SaveDomainPrivacy.org, the comments are generic.

Still, we got tons of good comments, and they will keep us busy.

The report can be read here: https://www.icann.org/public-comments/ppsai-initial-2015-05-05-en

Funny how things went out of control. I am pretty sure we are going to have a hard time when this needs drafting. Currently, I am working on IRTP C (change of control), and it has proven to be a nightmare.