Whois privacy shambles becomes last-minute mad data scramble

Thousands of internet registries and registrars will have just one week to overhaul their customer databases to fit with a policy that is still under development, or face ruinous fines. That is the end result of an extraordinary failure by the organization that oversees the internet's domain name system to address a change in …

  1. Anonymous Coward

    No extraordinary failures involved

    There is no extraordinary failure in a USA company assuming that the only law to apply is American and other legal systems are inexistent or subservient. That is business as usual - not a failure.

    1. Jove Bronze badge

      Re: No extraordinary failures involved

      Indeed, but it should be of no surprise given that it has been considered as a cushy job and perceived not to be very demanding for some time. This is not something that is unique to ICANN and is widespread across the industry. In this instance they have been exposed by being crushed by the irresistible force due to their gross failings to grasp implications of the new legislation. A lesson for all in the industry.

  2. Anonymous Coward

    "It wants them to make it possible for third parties to contact registrants via email without having to seek permission from anyone else."

    Unless you have a court warrant then no, you have no right to my information.

    Three cheers for GDPR.

    1. Christoph

      I get lots of contacts to my registered address - mostly fraudulent renewal offers, but some general spam. Why does ICANN insist that this must continue - are the spammers paying them?

      1. Paul Smith

        RE: I get lots of contacts to my registered address

        It is your *registered address*! It is the address that you have chosen to register as the *public* point of contact for the website that you have chosen to *publicly* publish! Of course this must continue. Your lack of ability to set up a spam filter or use a webmaster@mypage.com address doesn't stop you from publishing the site (though maybe it should) so why should it stop me from inviting you to partake of the latest special offer?

        1. Anonymous Coward

          Re: RE: I get lots of contacts to my registered address

          "It is the address that you have chosen to register as the *public* point of contact for the website that you have chosen to *publicly* publish!"

          Utter bollocks! You haven't chosen, you've been required to provide your email address and that's been made public. Having a domain doesn't mean you have a website. I have my own domain which I use for email, but I don't have a website running on it.

  3. Pascal Monett Silver badge

    Typical ICANN

    Oh look, here's something we knew about two years ago; well, you deal with it by next Friday or else you will pay big fines.

    Sorry we couldn't be arsed to warn you before. Shit happens, right?

    <sigh>

    Can somebody please nuke these guys from orbit? Please?

    1. Ole Juul

      Re: Typical ICANN

      I'm hoping that there's a legal case for a class action suit by registries claiming that ICANN was acting irresponsibly. Perhaps there is no legal basis for that, but there certainly is a moral one. I'd love to see ICANN hammered down a notch.

      1. Martin Gregorie

        Re: Typical ICANN

        It seems to me that, as the information that whois systems run by registries within GDPR countries must provide is specified by binding ICANN contract terms, it follows that fines levied on the registries for GDPR violations can be passed on to ICANN since it's their contract terms that forced the violation and doing anything else leaves the registries in double jeopardy - itself a legal offence committed by ICANN.

        If this isn't the case, what did I miss?

        1. Jim Mitchell

          Re: Typical ICANN

          I believe that law overrules contractual agreements. If the contract says you must do A, but the law says that doing A is illegal, don't complain that if you do A, the law comes calling for YOU, not the other party to the contract. This puts the European registries in a tight spot.

          1. Doctor Syntax Silver badge

            Re: Typical ICANN

            "This puts the European registries in a tight spot."

            It shouldn't. Like everyone else they've had plenty of warning. As you say, statute law overrules contractual terms so ICANN's contract terms will shortly become invalid with respect to any data subject resident in the EU irrespective of where the registrar is or the TLD of the registration. The registries should have realised this and made their preparations in good time. The only question remaining is what do the contracts say about terms being made illegal - does the contract remain in force with only the affected terms struck out or is the entire contract invalidated?

            1. Mark 85

              Re: Typical ICANN

              The registries should have realised this and made their preparations in good time.

              I wonder how many of them already have the systems in place for this to happen and now they're just waiting to flip the switch? "It's time. Push the button, Max!"** Hopefully there's popcorn ready as this could be interesting.

              **reference "The Great Race".

            2. Keith Langmead

              Re: Typical ICANN

              "As you say, statute law overrules contractual terms so ICANN's contract terms will shortly become invalid with respect to any data subject resident in the EU irrespective of where the registrar is or the TLD of the registration. "

              I imagine the question the registrars are asking isn't whether ICANN can enforce those terms in a court of law (obviously not), but whether they would enforce them independently. Being in the legal right is fine, but if ICANN decided to revoke your access due to being in breach of their terms, and that potentially caused your customers to lose access to their domains, what would you do? Take them to court, but that takes time, during which you and your clients have potentially lost lots of money and business.

              It should be far-fetched to think they would do something like that, but with their past history, plus the fact that they're now WARNING of compliance audits rather than promising assistance, I wouldn't put it past them.

          2. Malcolm Weir

            Re: Typical ICANN

            @Jim Mitchell It's not that the law overrules contractual agreements, but that contracts mandating actions contrary to the law are unenforceable.

            That may sound like a differentiation without a difference, but actually it does matter, because the "obligation" under the contract remains, but ICANN can't enforce it to the extent that it contravenes the law. So if there is some lesser/partial/limited interpretation of those clauses, that lesser/partial/limited interpretation still stands.

            (Put another way: if the law dictates that 100% contractual compliance is unlawful, but 50% wouldn't fall foul of the law, then you don't get away with 0%!)

        2. Mage Silver badge
          Facepalm

          Re: Typical ICANN

          Contract terms that are coercive, violate law or would cause people to violate law are not enforceable. See also contracts inside shrink wrap boxes or on SW after/during install.

        3. Jove Bronze badge

          Re: Typical ICANN

          No, that is not the case.

  4. JohnFen

    Nom Nom Nom

    This popcorn tastes great!

  5. Franco Bronze badge

    I'm glad ICANN are getting slapped into place for their stupidity, just wish Ajit Pai was getting what's due to him. (Yes, I know that the vote to slap him down has passed the senate, but it's very unlikely to get past the house)

  6. doublelayer Silver badge

    really, fear should be unnecessary

    Registries may face fines in legal reality, but I think the people likely to actually look at requesting action be taken will be somewhat reasonable. I, at least, won't be expecting complete adherence on the date from registries that got no guidance. As long as it seems that registry X is doing its best to implement the regulations, I don't think registry X should be called out. Instead, call out the ICANN for ignoring its responsibilities and any registrations that choose not to care.

    1. Doctor Syntax Silver badge

      Re: really, fear should be unnecessary

      "I, at least, won't be expecting complete adherence on the date from registries that got no guidance."

      The registries have had as much guidance as everyone handling PII in other lines of business. GDPR mandates various behaviours which affect registries. That mandate overrules any clause in the ICANN contract which is in conflict.

      1. doublelayer Silver badge

        Re: really, fear should be unnecessary

        Sorry, I spoke unclearly. My comment on guidance referred to guidance from ICANN. Most of the registry-specific things seem not to be ready because ICANN put in roadblocks, perhaps due to contracts and their power over the registries. That gives me some level of sympathy for registries, if it is really the case that they now have to figure it all out. Therefore, if I am right in my guess, I see a reason for mild sympathy if the registries are trying but don't get everything finished in time. As before, I feel no sympathy for ICANN, no sympathy for any registry that doesn't bother to try to get this in line, and my sympathy will evaporate if it is the case that registries could have done this already and ICANN wasn't holding them up.

    2. Jove Bronze badge

      Re: really, fear should be unnecessary

      I doubt that; I expect that this will go to litigation. This could also undermine the long-term viability of ICANN with regions such as the EU establishing parallel organisations with all the consequences that will entail.

  7. Nate Amsden

    why is this even an issue

    https://en.wikipedia.org/wiki/Domain_privacy

    the approach has been there for years already. Though would be nice if the service was a standard (free) option with all domains, rather than a premium charge (as it seems to be with register.com whom I use or godaddy who my employer uses). Workaround to that would be just bake the service charge of the privacy service into the overall cost of the domain.

    1. Anonymous Coward

      Re: why is this even an issue

      > https://en.wikipedia.org/wiki/Domain_privacy

      You kind of answered the question yourself - in my case, the domain name registrar gets an additional £6 plus VAT from me for what it seems will soon be required by law.

      I paid the protection racket money because I suddenly got severely spammed, followed by phone calls, after registering a .net for a community project. I asked why I was getting this spam, having registered various domains for years without this trouble. It seems .uk addresses already have this privacy system applied to them automatically, but .net, .org etc do not.

      So your point that that whole thing already has a way of dealing with GDPR is already validated. But they will lose a chunk of protection money.

  8. bigtimehustler

    Whether or not you agree with hiding personal details from random whois searches, this does highlight an unresolved issue: if one country or group of countries creates legislation making something illegal and yet following that law would be illegal in a particular company's home country, what on earth is going to happen? It will happen one day, and no one has a solution. Every country cannot have its own way over every company in the world, it just won't work.

    1. Kevin McMurtrie Silver badge

      The world isn't the US or the EU

      This is exactly why WHOIS and GDPR are so broken. Each TLD has its own regulations. Most of those have specific ownership and usage requirements, and a process to challenge domains that appear to have violations. The '.com' is the commercial TLD that is supposed to have a high degree of accountability. The '.edu' domains are supposed to be registered only to schools, not people. Etc., etc.

      ICANN may be slightly screwed as a global service but the non-ICANN TLDs can simply forbid EU members from using them.

      1. Anonymous Coward

        Re: The world isn't the US or the EU

        "ICANN may be slightly screwed as a global service but the non-ICANN TLDs can simply forbid EU members from using them."

        And the EU can block access to all ICANN domains and launch a multi-billion Euro fine court case.

        Let's see who shits themselves first.

        1. Jove Bronze badge

          Re: The world isn't the US or the EU

          It is my understanding that the EU has previously explored this type of approach and it is something that will no doubt be revisited.

      2. israel_hands

        Re: The world isn't the US or the EU

        I think you're getting two things confused here. ICANN is absolutely NOT the government and has no actual legal powers except those which are specified within its contracts. While those may be legally binding, they're not the same as an actual law.

        GDPR is (or will be) law. Which supersedes anything in ICANN's contracts as illegal contractual clauses are not enforceable. So this isn't a case of EU vs US law. This is a case of EU law versus a US corporation which is (attempting) to operate contrary to EU law.

        The whole reason ICANN wants to retain the whois service is because of the pressure from the US copyright industry. As noted by others, whois is also widely abused by spammers and most registrars offer a privacy option that keeps details from the whois database anyway. If that were illegal, action would already have been taken over it.

        So there's essentially no issue with ICANN allowing registrars to ditch the whois requirement because a) it would be illegal for registrars to enforce it and b) the only gnashing of teeth will be from copyright-chasing lawyers and spammers.

        1. Alan Brown Silver badge

          Re: The world isn't the US or the EU

          "The whole reason ICANN wants to retain the whois service is because of the pressure from the US copyright industry. "

          WHOIS has been broken for a couple of decades - well before the copyright cartels got involved.

          The problem has always been that no one has managed to come up with a pragmatic and effective way of keeping contact details of business domains online and _accurate_ vs the issue of personal protection for anyone silly enough to register a domain using their home address and phone numbers, whilst preventing scammers from abusing the process.

          What's needed is a complete replacement which allows abuse _of_ the network to be dealt with quickly and providing a path for proper legal discovery (with protections from abuses by copyright trolls) when it comes to abuse _on_ the network.

    2. Paul Hargreaves

      Re: Get burned?

      There is no conflict here. If a company wants to do business in a particular country, it needs to follow the laws of that country.

      If it doesn't want to (or, decides it can't) then it stops doing business in that country.

      Just because the internet now exists doesn't change how that works.

    3. Jove Bronze badge

      Jurisdiction

      This is not something that is new, but rather that a number of high-profile American IT businesses have helped bring about a perception that legal jurisdiction can be ignored, partly through such approaches as asserting that California Law applies etc.

  9. Anonymous Coward

    I'm still waiting for e-mails from Facebook(*) and Google

    asking me to confirm whether or not I consent for them to continue holding personal data on me and the specific purposes for which they will be using it.

    *= even though I don't have an account with them, if they hold personal data they still need my consent to hold it.

    1. nagyeger
      Big Brother

      Re: I'm still waiting for e-mails from Facebook(*) and Google

      Isn't this wrong? There are multiple options for the legal basis, consent is only one of them. They might decide they ought to be able to claim that knowing my browsing habits is a legitimate business requirement.

      The biggest "problem" is when they used to rely on 'we could do it, and we're too big to bother with fines, so we did it.' For some reason that isn't in the GDPR.

      1. doublelayer Silver badge

        Re: I'm still waiting for e-mails from Facebook(*) and Google

        If you have a Google account, the GDPR privacy update email should have arrived about two to six days ago. I'm not saying its contents are useful, but they have been sending them to all Gmail addresses I have.

      2. JohnFen

        Re: I'm still waiting for e-mails from Facebook(*) and Google

        "They might decide they ought to be able to claim that knowing my browsing habits is a legitimate business requirement."

        If you don't even have a FB account, then such a claim is ludicrous.

  10. TrumpSlurp the Troll
    Trollface

    Irresistible force vs immovable object?

    Say that as an EU citizen (for the moment) I have a ".com" domain registered with a USA based registrar. I assume that USA law applies to the way that the registrar behaves. How is the EU going to prosecute the USA based registrar for correctly following USA law?

    Is this conundrum, perhaps, why the registrars of the ".eu" domain wanted to ditch non-EU registrants? Not the spiteful petty revenge portrayed by the UK press?

    If you solve that one can the same solution be used to prosecute all the Indian call centres who use my personal information to call me because I have a virus on my system?

    1. Paul Hargreaves

      Re: Irresistible force vs immovable object?

      > How is the EU going to prosecute the USA based registrar for correctly following USA law?

      Assuming the registrar has any legal entity in the country (i.e. either a subsidiary, or people employed) then they'll be the ones being taken to court as the representatives. This is what's been happening with Uber in London, for example.

      A court could go after the money; to Visa, Mastercard etc and tell them to stop accepting payments in the countries where the law is being broken.

      The courts could tell the ISPs in the country to block any requests to the particular domains owned by the extra-territorial entities, similar to how they block the fake rolex and torrent sites.

      etc.

  11. John 61
    Joke

    Re: Typical ICANN

    Maybe it should be called ICANN'T....

  12. Mage Silver badge
    Black Helicopters

    Accredited access component

    " the accredited access component. Registries and registrar will need to figure out a way to grant specific people access to non-private data but there is no guidance over the best way to do this or even who is eligible to gain that level of access"

    Same as getting user of a home IP address or a wire tap in most Democratic countries. A warrant issued to police as a result of application to court with reasonable excuse. Not fishing expeditions, or unproven allegations of infringement. Prove some real intent at copyright infringement or illegal content in open court FIRST, then get warrant for the actual court case.

  13. adam payne

    But ICANN has been resistant to changing the current rules, in large part because powerful US corporate interests want the current rules retained and feel that European laws should not override the current system put in place by US corporations and overseen by a US organization.

    A not for profit organisation being influenced and pressured from outside sources, typical.

    It wants companies to continue to gather all the same registration information – including people's names, home addresses and telephone numbers - even if they don't publish it all.

    Most of that information you do not need.

    It wants them to come up with some kind of system to let authorized users to access that information.

    Depends on what kind of authorised users you are talking about. Vetting?

    It wants them to make it possible for third parties to contact registrants via email without having to seek permission from anyone else.

    No just plain no! I do not want my email and my home address spammed thank you.

  14. cosmogoblin

    So people have known about a major change for ages, but not put into place systems to deal with it, or even agreed how those systems should work or what they should achieve?

    At least this is a unique case, and nothing like this could possibly happen again, ever. And definitely not on 29 March 2019.

  15. Corwin_X

    WHOIS should just be taken behind the shed and shot. Anyone who thinks that kind of personal information should be publicly available, in this day and age, is an idiot. If anyone's up to no good on their domain then there should be a process for the police to get the info from the registrar - it doesn't need to be public. My WHOIS registration for my domain shows my old address and an old phone number. And ICANN can go swing if they want to show my current info to the world.
