Why the Thick WHOIS Migration will not happen.

UPDATE

Perhaps the migration is a means to an end after all.

As a wholesale Registrar our Resellers could request the following under the GDPR from the registrants, something like “I agree with the provision of my personal data being transferred to the US company XXX acting as Registry for this domain name category”. That does not solve the problem for a Registry. The only thing I am not sure of is who the hell should obtain the consent., the reseller, or the Registry? The GDPR says the party that is responsible…. that door could swing both ways in this scenario.

 

 

Well most likely, but this headline is not clickbait.
So now that the Registrars have been informed about the 1 August deadline when they should start implementing the Thick WHOIS policy, it gives me freedom to give some feedback here. I was one of the original IRT members who drafted this policy.

Thick WHOIS Migration. Registrars need to migrate 140+ million WHOIS records to Verisign for .com and .net. Including personal registrant data.

 

First of all, does a registry require registrant data to register a domain name? The answer is no.
This also shows that thick WHOIS Registries giving the current political and legal changing landscape is a no go. This also applies for ccTLDs.
Shooting personal information all over the globe to register a domain name is simply insane.

Moving registrant data from the EU to the USA, how legal is that?
Currently, it is legal under privacy shield.
Privacy Shield? According to the website, this is what PS does.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Sounds simple enough, and it is. If it weren’t for a few problems.
First of all Privacy Shield is currently being reviewed by the Irish Data Commissioner. Most likely Privacy Shield will be invalidated.

Privacy Shield is also up for its annual review.
Giving Presidents Trump actions over the last few months, it ticked off a lot of people. As such, this also will be a political review.

The review will NOT go smoothly.
In short, this migration hinges on the fact that Privacy Shield will stay up and running till the end of days, and it won’t.

Then there is the issue of self-certification.
To migrate the data to the Verisign servers, Verisign needs to be Privacy Shield certified.
As it is a self-certification, that is pretty simple, tick the boxes, and you are on your way.

However, the EU expects you offer an adequate level of data protection. Now that is pretty vague on what that requirement is. But we can be sure that publishing personal info into a public directory/database with zero protection is not an adequate level of protection.

So Verisign cannot even certify itself without exposing itself to major privacy issues. The EU GDPR contains some pretty hefty fines; you can be sure that Verisign will not expose itself to this.
Privacy Shield requires you to uphold the directives not just on paper but also in reality.

Then there is the other issue.
The IRT did not want to check all the privacy laws that are out there. Currently, 100 countries have privacy laws, so that was an impossible task. So the IRT recommended, Registrars, figure it out yourselves.
But, we should have realized that most of those privacy laws are modeled around the EU directives 95/46/ec. Most likely these countries will demand contracts with Registries that offer a decent level of data protection. So we can semi assume this is not the case.

In addition to this, currently 39 countries are drafting privacy laws modeled towards the EU GDPR.

Please raise your hand if you think this Thick WHOIS Migration to the USA will still be a go?

We really need to re-think this Thick WHOIS server strategy on a global level.
Today it’s Trump, last year it was the Brexit creating a lot of issues that still need resolving. Next week we will have another crisis on our hands that blocks us from sending data.

Theo Geurts ICANN Thick WHOIS IRT Member.

The law is the law.