back to article ICANN takes Whois begging bowl to Europe, comes back empty

ICANN has been told for a second time that it must fundamentally change its Whois service to become compliant with Europe's incoming privacy law – and do so within the next month. At a meeting in Brussels this week with the European Union's data protection authorities (DPAs), the US-based DNS overseer had hoped to persuade …

  1. Anonymous Coward
    Anonymous Coward

    Now I know why very littles been happening with Brexit

    Clearly our Brexit Dream-Team are moonlighting for ICANN.

    1. Christoph

      Re: Now I know why very littles been happening with Brexit

      They're certainly both using the same tactic. Announce loudly that they are going to do something which the EU has already specifically ruled out as impossible. Keep on insisting on this right down to the wire. Scream blue murder about those terrible EU bureaucrats when it turns out that the EU was telling the clear exact truth all along.

    2. Mark 85

      Re: Now I know why very littles been happening with Brexit

      So both use the "governance by committee" method whereby lots of meetings but no actual decisions? I'm sure that if they handed the WHOIS issue over to a few competent programmers (not outsourced to some low bidding company/country) the solution could be implemented rather quickly. But that would require a <gasp> decision on ICANN's part.

  2. Anonymous Coward
    Anonymous Coward

    'no solid plan for what to do'

    "ICANN's failure to come up with a plan despite Europe's GDPR being approved two years ago, and despite more than a decade's worth of letters from the self-same Article 29 Working Party warning it about how the Whois was not compatible with European law, is a sign of just how dominated by US interests the organization is."

    You can be sure if the tables were turned the EU would be getting assaulted right now. Hate to say it, but the truth is, America is not the World. Despite American Exceptionalism or whatever domineering self-delusional bullshit ideas Americans have about themselves etc. The world is fundamentally changing and Big Tech and other American corps need to accept they can't just shit all over the rest of the world. It simply won't be tolerated anymore!

    1. Anonymous Coward
      Anonymous Coward

      The EU can't cave, if they do...

      Every influential US firm will jump on the same band-wagon and lobby for the - 'I-Cant' - special exemption treatment! But you know what, I wonder if in a parallel universe, they might have gotten away with this extension prior to the Facebook-CA-Palantir revelations. But now the stakes are so enormously high. There's no way the EU can cave, or the whole GDPR Law will be a farce!

      1. Anonymous Coward
        Anonymous Coward

        'American corps need to accept they can't just shit all over the rest of the world'

        Its not like there hasn't been a separate Rule of Law between the EU and US for decades anyway. From GMO's, to stricter control of Pesticides and other Chemicals used in Products etc etc. The US tech giants have just been lazy and complacent here: 'Oh, Data / Privacy, it doesn't really matter does it? Its just those stupid Germans and their Stasi fears. Its not like that kind of toxic mass surveillance happens anymore anyway. In the Land of the Free?!

        1. Alan Brown Silver badge

          Re: 'American corps need to accept they can't just shit all over the rest of the world'

          " Its not like that kind of toxic mass surveillance happens anymore anyway. In the Land of the Free?!"

          It won't surprise may to find that the first large country for invasion of privacy rights is China.

          Or that the second one is the USA

          After that it's a succession of tinpot dictatorships and failed democracies.

    2. Gordon 10

      Re: 'no solid plan for what to do'

      You are being a bit too broad brush there. This is an ICANN/US registrars thing not a US thing in general, I've had plenty of updates on GDPR from US companies it's just those lot who somehow think they are special.

      Tbh ICANN could have dodged the whole bullet if they had just said to the registrars you must make whois compliant - here's a couple of models (eg Nominets approach) knock yourselves out.

      Instead they were blinded by thinking they were King Dick, giving far too much weight to special interests, and unwilling to give up an iota of control. In short BAU at ICANN.

      Now pass me that popcorn.

      1. I ain't Spartacus Gold badge

        Re: 'no solid plan for what to do'

        I don't think this is a US issue at all. Even Facebook claim they're complying with the GDPR.

        This is an ICANN incompetence issue.

        Their controlling committee are greedy and incompetent. However they were allowed to keep the IANA contract without ever quite introducing any of the governance reforms they vaguely promised to do.

        So they're in this great position where all oversight leads to various sub-committees of the board, who are then forced to produce independent reports slating their incompetence (or malice), but then lead to appeals to other sub-committees of the board who ignore them.

        What they have is circular oversight. And big bonuses. And they love it!

        This has clearly gone to their heads and left them fundamentally ill-equipped to deal with the real world. Such as trying to ignore legislation they've known about for ages.

        Of course they may still get away with it. Being in California, if they've got no European offices then what can the EU do to them? They can fine the various registries that do operate here, so maybe ICANN still think they can get away with it?

        1. Ken Hagan Gold badge

          Re: 'no solid plan for what to do'

          "Being in California, if they've got no European offices then what can the EU do to them? They can fine the various registries that do operate here, so maybe ICANN still think they can get away with it?"

          Half right. Being in California, they cannot be touched. However, without *any* legal presence in the EU, they can't touch European registries. ICANN are basically dead in the water. The internet will carry on running on empty for a bit and whilst ICANN sob to their friends (they must have some) in the US government, the rest of the world will develop an ICANN-replacement that they can live with.

          It's like a Hard Brexit, but for Internet Governance. Enjoy...

          1. Field Commander A9

            Re: 'the rest of the world will develop an ICANN-replacement that they can live with.'

            Sorry to break this to you but Russia and China will be firmly backing ICANN's practice on this.

  3. Lusty


    It's just occured to me why GDPR might actually be effective. The PPI deadline is looming in the UK so there will be a lot of organisations with lots of time on their hands. Because the fines in GDPR can be seen as a revenue stream this might become the most popular law ever. Cold calls asking "have you ever handed personal data over to anyone ever?". There could be a good business model in fishing for non-compliance and then lawyering up.

    Whois publishes my name and address right now and I'm thinking pay day next month :)

    1. Adam 52 Silver badge

      Re: Fines

      The point has been made here many times before, but this is a real risk. Organisations like ICANN may be able to convince regulators not to act, but the regulations explicitly allow class action civil action by victims. Ambulance chasing firms already exist for the Data Protection Act, their powers are about to be dramatically increased.

  4. Michael H.F. Wilkinson Silver badge

    Sounds like a "the dog ate my homework" moment

    What total incompetence on ICANN's side. What excuse do they have for apparently sitting on their hands for two years after approval of the law? If a student were to come to me, asking for an extension for the deadline for an assignment he'd known about months in advance, at the last minute there had better be a very good excuse (illness, accidents, death (one grandmother per year, max!), etc). This is just pathetic.

  5. Anonymous Coward

    ICANN will be first on my hit list...

    ...just for their sheer bloody arrogance.

    It's not like it's some piddly little organisation with no money for an IT department.

    1. I ain't Spartacus Gold badge

      Re: ICANN will be first on my hit list...

      Actually ICANN have barely a bean to rub together. Sure they took loads of moolah in the dot.word rip off domain name sale. But that's long since gone out in increased salaries and bonuses. 20% pay rises don't fund themselves you know! And all those conferences in Bermuda need to be covered...

  6. Anonymous Coward
    Anonymous Coward

    "through a vague reference to its own bylaws"

    So just being typical yanks then, thinking their way trumps geographic boundaries.

    Good on the EU for telling them where they can stick their bylaws.

    1. Anonymous Coward
      Anonymous Coward

      Re: "through a vague reference to its own bylaws"

      Yes. Whatever problems there are with the EU, they do speak up for peoples rights (far more than the government, for sure)

      That's why corporations - especially in big trading areas such as America hate them and their regulations.

      That's why Trump, Putin etc. would LOVE us to leave the EU.

      But we Brits would never be so stupid as to vote to leave, right? :-(

  7. MMR


    Every company which has anything to do with EU or EU customers had enough time to prepare.

    Which makes Whois' case even worse because as a tech company they should be able to change much faster than any other business.

    1. Jamie Jones Silver badge

      Re: Good.

      The thing is.... Change what?

      It's not critical to infrastructure. The only people who have ever used my entry in my 20 odd years of being on it are domain-renewal company scammers, domain sellers (ok, so if I own ***.com why the hell would I be interested in buying my***.com *** or *** ?) and the domain registrar themselves (who have access to thus information via my private billing information anyway)

      I can understand the purpose back in the days when only real companies got domains - after all, no legitimate company would want to hide that information.

      And there's probably a good case to still require it for these types of domains (though it's something that could be required not by Icann, but by third parties - i.e. barclaycard refusing to be usable on a site with dodgy or anonymous info)

      But even then, still, it's not a technical issue. Registrars have the information already. DNS and the rest of the internet don't require it.

      What time do they need? They could literally demand that every registrar disables it within 24 hours, and the ONLY things that MAY break are the sweet deals they have with those who want to plunder our information.

      So yes, good on the EU to see through their bullshit (we need a *bullshit* icon!)

      1. Missing Semicolon Silver badge

        Re: Good.

        ICANN have been stuck with the US IP lobby (Disney, Universal etc). They demand that their automatic "Google latest film/follow link/check content/whois/invoice in the mail" system has to work, and they won't allow any change that breaks it. Due process is for schmucks.

        Never mind that any non-5I's registrar will simply ignore any subpoena from a US media giant.

  8. Blockchain commentard

    I moved my domain names to Google's Domain Name service last year and the first free thing they offer is anonymity via a 3rd party for name/email/phone records. Can't see why other registrars can't do the same.

    1. Jamie Jones Silver badge

      I realise your question is rhetorical, but I'll reply "they can!" anyway!

      Of course it's going around in circles a bit - it's simply a way to avoid ICAAN rules, that need to be removed in the first place!

  9. Charles 9

    Still waiting for the balkanization of the Internet, where businesses who refuse to play ball and can't be fined by the EU (due to lack of presence) are simply blocked wholesale.

    1. Doctor Syntax Silver badge

      "Still waiting for the balkanization of the Internet, where businesses who refuse to play ball and can't be fined by the EU (due to lack of presence) are simply blocked wholesale."

      You've overlooked market forces. If as a European resident I want the protection of GDPR and I'm currently registered with such a business I simply move my registration to where my privacy is protected*. The rogue US registrars can either play ball or lose customers.

      *I did this a long time ago anyway.

      1. Charles 9

        But what about foreign businesses with no physical presence in the EU? Protected by foreign sovereignty, there's no angle by which the EU can force them to comply other than wholesale blockading/

        1. Paul 195

          If foreign businesses want to collect money from customers in the EU, they have to have some sort of presence here to collect said money. For example Facebook could presumably retreat completely from Europe, but then they'd have no way of making money on advertising to EU customers. And that's a lot of money, even for Facebook. So they either behave or do without the business.

        2. I ain't Spartacus Gold badge

          Charles 9,

          Money. Money is the way to solve jusidiction problems on the internet.

          If an online registrar is failing to comply with the GDPR, then that means they got some European persons data when that person registered with them. So OK. they're in a third country. No matter. That European person had to pay them. Bang! The EU can pass rules to tell the credit card companies or banks not to deal with them.

          It's a hassle, and therefore only worth doing when it's important. But if Google and Facebook don't jump-to and deal with some of their more egregious privacy-invasion, fake-news spreading and general shit - then this is the way they can be dealt with, even if they close all their EU offices.

          If you follow the money, you will mostly eventually reach someone that you can force to act. And by forcing them to act and/or cutting off the money, you can force actions up the supply chain to the real miscreants.

          1. Charles 9

            Unless they decide to just cut things off and spare the hassle. Sure, Europe has a lot of money, but if the cost of compliance means too many headaches, it may, as they say, not be worth it. That's why the phrase "strangled by red tape."

            1. Doctor Syntax Silver badge

              "Unless they decide to just cut things off and spare the hassle."

              No problem. They'll none of them be missed. (Can you provide a little list?)

            2. Roland6 Silver badge

              re: but if the cost of compliance means too many headaches, it may, as they say, not be worth it. That's why the phrase "strangled by red tape."

              The trouble is that the US is starting from a very low base, so GDPR will be causing headaches as it seems to be requiring a level of thinking and compliance not previously required in corporate America.

              It is not clear whether GDPR actually increases compliance workload (ie. the administration and paperwork that is associated with being "strangled by red tape" or it simply requires a different way of thinking about personal data; once you've adopted that viewpoint, there is little appreciable difference. However, if currently, you do very little or no compliance, you may perceive compliance as being strangled by red tape...

            3. strum

              >if the cost of compliance means too many headaches

              The cost of compliance is pennies. The profit from trading is billions.

              Not a hard choice.

        3. Doctor Syntax Silver badge

          "But what about foreign businesses with no physical presence in the EU?"

          If they want my custom they have to compete with businesses in the EU who are playing by the rules. So either they play too or else they lose out. What GDPR provides is a set of rules respecting the rights of the European customer. Within Europe that provides a level playing field. I can choose vendor A, B or C and be sure I have the same protection for my rights and, depending on their competence, must have more or less similar costs to achieve it. So why on Earth, if I value those rights, would I choose sleazy vendor D who provides an inferior, cheap and nasty product?

  10. Doctor Syntax Silver badge

    Did ICANN really think WP29 were daft enough to allow a precedent? If they had done they'd be besieged by everyone else with FB's lawyers fighting to the front and shouting loudest.

  11. David Knapman

    They can have their one year moratorium

    But to be fair to everyone else who's been working hard on this, it has to be back-dated to start on 25/05/2017

    1. CommanderGalaxian

      Re: They can have their one year moratorium

      They've already had a 2 year moratorium - GDPR became law on 27 April 2016 - so you need to backdate it to then.

      1. David Knapman

        Re: They can have their one year moratorium

        No, they want a one year moratorium. That's exactly what I've granted them. You're attempting to grant them even more time than they've requested.

        (We're both being pedantically rigorous, but in ways that lose their humour very quickly)

  12. DagD

    It's amazing how many US companies still feel that the GDPR has no effect on them.

    This is going to be a bigger sue-ball that Prop 65.

    1. Graham 32

      I don't know if there will be a lot of fines handed out, but it will be bargaining chip. When a European company gets an enormous fine from a US regulator (eg Volkswagen), an EU government might retaliate with a GDPR investigation on some US company. Or both sides might talk in the background and agree on silly small fines all round to keep things friendly.

  13. Chozo

    Ever since an incident with the magicians rabbit having rabies I have been wary of people pulling things out the hat at the last minute. I try to live in hope that somebody will come up with a truly inspired solution ushering in a golden age of the Internet but the nagging doubt remains we will be handed a fecal matter sandwich then gouged for breath mints.

  14. Dodgy Geezer Silver badge

    What to do? Who will win this faceoff?

    There's only one way to find out: FIGHT!!!

  15. Roland6 Silver badge

    Slight digression

    Recently we read about Nominet.UK and the actions it will be taking to comply with GDPR. Would be interesting to see what the other EU member gTLD registrars are doing about GDPR...

    I like that (an australian HQ'd business) is still offering a "Local presence service is available for foreign registrants to meet the registration requirements of this domain name." for .eu, .fr

    etc. domain names.

  16. imanidiot Silver badge

    Full Petulant child mode enabled

    Seems like ICANN has gone into full blown petulant child mode. You've told it a hundred times already it can't have a cookie because it's nearly dinner time, but you only get a whiny: "but, but, why can't I have a cookie??" for your troubles. Over and over and over.

  17. DerekCurrie

    I've attempted to get the point of GDPR, but I don't.

    Therefore, from my POV, ignoring GDPR regarding WHOIS is fine with me. Sorry EU. But knowing who owns a website should be publicly available knowledge. It's the anonymous cowards of the Internet that create its must annoying and bullying problems. How many people would pull cruel trolling moves on others if they were forced out of their anonymity? Knowing who everyone is means taking personal responsibility for one's behavior. Therefore, keep WHOIS, if not strengthen it by removing anonymization and delisting. Stand up when you speak up! Shouting an opinion while ducking behind the back of the gallery makes no sense.

    Tyrants don't pay attention to anonymous cowards speaking 'truth' to power. Know what I mean?

    1. Richard 12 Silver badge

      So you want to receive hundreds or thousands of phone calls and physical letters asking you to "renew your domain"?

      Or threats of personal violence against you and your family from people who disagree with things on your website?

      Those are the actual, real consequences of the ICANN whois system putting this personal information online.

      There is genuinely no purpose whatsoever for personally-identifiable whois data. None.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like