Merica f*ck yeah
Where any innovation in anything is stamped on in the name of continued business.
"you want us to reconsider our 20 year old policies in light of the changes to the internet... don't you understand this is america?"
A fight over private information and the internet's domain name system is heading to a German court, in a proxy battle between European legislators and American intellectual property lawyers. On Friday – the same day that new European GDPR privacy legislation took effect – DNS overseer and US corporation ICANN filed a lawsuit …
"Fundamentally, ICANN is arguing that there are exceptions in GDPR that say data collection is allowed when it is a "necessity for the performance of a contract" – and the Whois clause in its contract qualifies for such a protection."
Data collection might be. Publishing it without explicit opt in permission isn't.
"Publishing it without explicit opt in permission isn't."
ITYM Publishing personal data
A lot of registrations use role accounts and those aren't personal data.
The problem is that domain registrations (and WHOIS) require actual legally serviceable registrant addresses (ie, ones that can be served with legal paperwork in the event of shit hitting fan) and the tech contacts are supposed to be there to ensure that someone can be contacted to try and shut the mess down if something goes nuts.
ICANN hasn't been adequately enforcing accuracy requirements for 15-20 years (meaning that scammers have registered bogus addresses for kid porn domains that have had the wrong doors kicked in, etc etc) and scammers have spammed the living hell out of published email addresses, rendering the tech addresses useless/encouraging people to obfuscate or remove contact details.
At this point, trying to argue that collecting the data is necessary falls flat on its face over the kerbstone of historic indifference to its accuracy and I'm fairly sure that German courts will point that out.
Harder lines taken against network abuse and prioritising that over gross revenue maximisation would have prevented a lot of the issues that have got ICANN in court today. As it is, IMHO their actions have pretty much ensured that they won't prevail. (IANAL, YMMV, HAND)
"At this point, trying to argue that collecting the data is necessary falls flat on its face over the kerbstone of historic indifference to its accuracy and I'm fairly sure that German courts will point that out."
Sort of. The defendants might well point it out to the courts and the court would then note it in the judgement. Most likely the defence will point out that contract terms can't override legislation and here's a sling in which the court can hand ICANN its arse.
"The defendants might well point it out to the courts and the court would then note it in the judgement."
Yup - and from that point forward, even if ICANN tried to bring cases in non-GDPR jurisdictions they'd fail.
You're absolutely right that contracts can't trump law and that would be the first plank of any defence, however pointing out that ICANN haven't historically been bothered about enforcing accuracy makes a mockery of their demands now - and that's a pretty good supporting plank.
Remember kids, the internet is not yours or mine, or everyone's.... it's Uncle Sam's so their laws and rules. And if you don't like it, tough.
What's that? Fines for silly amounts of money from somewhere that isn't the US? Sod em we'll just not bother paying..
Is that about the long and the short of how this is going to be for the next few years?
Time to invent some subscription system for popcorn I think..
I hope the German court finds that the ICANN contracts require the contracted parties to do illegal things & thus are Null&Void. Then when ICANN appeals (and appeals & appeals & appeals) it goes straight to the top court where it's summarily told in no uncertain terms "Tough shit, you lose, go fuck yourselves".
Because ICANN has thumbed its nose at everyone else's laws, ignored the requirements that were made policy over two years ago, has tried to weasel its way out of doing its damned job, so I hope the courts nail 'em to a wall & use 'em as a dart board.
ICANN has told the rest of the world "fuck you" for far too long; it's about time the rest of the world bends it over a table & does obscene things to it in retribution.
I just wonder how long ICANN still exists in its current form. It will probably be replaced by something else (sitting under the UN and based in Geneva?) or slowly rendered irrelevant because the stopgaps to circumvent its issues keep chipping away at ICANN's authority until the collection of stopgaps is better organised than ICANN itself.
The UN took over oversight of the ITU created in the 1850s.
There are issues with UN and ITU, but it was USA arrogance that DNS, IP assignments and Domain registration wasn't ITU from the beginning. Long before Web was added to the Internet. Possibly as soon as Arpanet was available outside Government & Universities.
"USA arrogance now being replaced by EU arrogance and attempting to export their regulations world-wide."
...except in this case, it's a standard of regulation many people in the USA would like, but their corporate overlords don't want it (and pay their politicians to say so for them)
"it was USA arrogance that DNS, IP assignments and Domain registration wasn't ITU from the beginning."
Huh?
The ITU didn't _want_ to be involved in any of this stuff until relatively recently.
In any case, ICANN has exactly as much power as people choose to give it. There have been alternative DNS systems and roots set up but they've all fallen over - largely due to ICANN being the monopoly, but secondarily due to ICANN playing 9000 pound gorilla and deliberately rolling out TLDs which conflicted with those of the alternates (they could and should have been charged with anti-competitive behaviour over that one and the decision to do it was _very_ deliberate)
That would be a bad outcome, if you'd like the Internet to run smoothly. And it probably won't happen - ICANN isn't actually planning to violate GDPR by publishing private information. And there isn't redundancy in requesting three contacts: owner (the person ultimately responsible), admin (the person to pay any fees involved), technical (the person to fix operational issues).
ICANN has been arrogant once in a while, but I don't think they've thumbed their nose at anybody's laws. As a corporation, they're bound by the law of their state of incorporation, which happens to be ca.us, but so is every corporation
"As a corporation, they're bound by the law of their state of incorporation"
Wuuuuuut????? Err - no, not at all. As anybody, corporation or not, they're bound by the laws of the place they're operating in. Ie, they're doing business in the US, they follow US laws, they're operating in the EU, they follow EU laws.
Or to take a different example, where the US is not the reference - do you believe that Chinese companies operating in the US follow Chinese laws only?
The exception clause applies to the relationship between the owner of the data and the entity providing a service to the data owner.
In other words, if I apply to a bank for credit they can acquire, store and retain data necessary for the provision of that credit. If that bank has a separate contract with an advertiser to provide email addresses of anyone applying for credit then the necessity exception doesn't apply there. And contract terms can never override law. Any term in the bank to advertiser contract that breaks the law becomes void.
So a registrar can collect data necessary for the provision of service to the end user but their contract to publish that data in whois is void as it compels them to break the law. That is exactly the position of EPGA and I would be very surprised if they do not prevail.
If ICANN are pressing ahead with this challenge then one of two things has happened. Their lawyers know it will fail but they get paid anyway so what the hell, let's bilk our client (likely), or their lawyers think the law is worded sloppily and they can twist it to cover the third party contract which was actually what you were hinting at. That is less likely but still possible.
That's well-established, not just GDPR. It's explicit in GDPR, and lawyers like "explicit", but if you didn't have something like that it would be a breach for somebody to put your name and address on a letter they post to you. I've had GDPR opt-in emails warning me that I won't get any notifications of dispatch if I don't opt-in. Which means they're saying they can't fulfil a contract without an opt-in to everything.
How dodgy is that? A US service gave me a web page with default-on permissions for over 300 companies they share my data with. I tried to count them, as I clicked to "off", but lost track at over 270. As the Good Book says:
"Three shall be the number thou shalt count, and the number of the counting shall be three. Four shalt thou not count, neither count thou two, excepting that thou then proceed to three. Five is right out."
"if I apply to a bank for credit they can acquire, store and retain data necessary for the provision of that credit. If that bank has a separate contract with an advertiser to provide email addresses of anyone applying for credit then the necessity exception doesn't apply there."
Which is what Experian and friends have been hoping you wouldn't notice for a long time.
Up until GDPR the only way to stop them selling your data to advertisers was an explicit DPA section 11 notice and they used all kinds of scare tactics to dissuade those including "this may affect your credit rating" (which they also used to frighten people into not being on the closed electoral register)
These "credit rating agencies" actually make more money selling your data to marketers than they do from their supposed core business, so it's going to be interesting to see how many prosecutions result from GDPR breaches as they scramble to make up lost income by ignoring the laws.
Gathering data and making it available to others are two different issues.
Making it available to the interested party for them to challenge and correct is sensible. Making it public is not.
I wonder whether the UK government's policy of making the electoral register available is covered by GDPR. Until now, it has been made available to anybody who pays for it, after mandating its collection under threat of severe penalty to the individual if they refuse to supply it.
"If ICANN are pressing ahead with this challenge then one of two things has happened."
Past experience of dealing with the people involved is that they make up facts to suit themselves as they go along and don't take kindly to 3rd parties showing evidence that they were saying the exact opposite some months back (or made the exact statements they denied knowledge of, etc)
Trump may be a sociopathic delusional con artist but the reason he's managed to get to that position is that this kind of personality has managed to find itself in charge of increasingly large tracts of business during the last 40 years.
I wouldn't be at all surprised if their plan is to bring up the Chewbacca defense.
RFC 812 was obsoleted twice; RFC 3912 (the current WHOIS spec, published Sept 2004) states:
"The WHOIS protocol has no provisions for strong security. WHOIS lacks mechanisms for access control, integrity, and confidentiality. Accordingly, WHOIS-based services should only be used for information which is non-sensitive and intended to be accessible to everyone. The absence of such security mechanisms means this protocol would not normally be acceptable to the IETF at the time of this writing."
Considering Germany has probably some of the strictest privacy laws in the EU (apparently a lot of criticism of the GDPR in Germany is that it doesn't go far enough) it is quite clever to start this case in Germany. If ICANN's position holds up in a German court it will likely hold up in any EU court and perhaps even the CJEU.
No, it's foolish because it's a slam dunk instant fail in Germany.
ICANN will lose, instantly with no appeal.
In other EU countries they might have stood a chance, but Germany have suffered the consequences of unnecessary data collection. Millions dead leaves a long shadow.
"but Germany have suffered the consequences of unnecessary data collection. Millions dead leaves a long shadow."
It does make me wonder if the ICANN people don't know their history and were working to the stereotype image of Germans being sticklers for the rules/law and hoped to bend the interpretation in a logical sounding way.
BBC are reporting on ICANN and their problems with an article that completely misses the issues and frames them as the victims !!!!
http://www.bbc.co.uk/news/technology-44290019
Must have a friend at the BBC or more likely yet, someone else who has been bamboozled by ICANN's version of reality !!!???
No wonder the BBC is attacked on all sides when it cannot be bothered to get the facts straight before publishing an article.
Organize their own GDPR False-Flag / Black-Ops tea-party.... This is just sick reporting... But you can bet some official has already bought it, and is phoning the EU right now to complain: 'won't someone think of the poor police and journalists' letting hackers simply escape. Talk about Fake-News reporting:
"Whois... used by the police and journalists to check the legitimacy of websites... Police will be robbed of ready access to vital data drastically impeding their efforts shut down illicit activity. The regulatory rubric EU has created will make it harder than ever to catch computer hackers"
"If you are being attacked by all sides surely you're doing something right.
The article could also just be ICANN's viewpoint. We might not agree with it but BBC is supposed to be neutral. Supposedly."
There are two possible reasons to be attacked by all sides:
1. You are generally neutral and 'all sides' are aggrieved at some point !!!
2. You are slapdash and misreport both sides at times. !!!
I leave the choice to you !!!
If the article IS just one particular view it is usual to frame the piece with a disclaimer of some sort to make the basis clear.
This is not the case with this article.
It is simply a condensation of someone's 'pitch' without balance or reference to another view.
Lazy journalism to fill up space on the BBC News Website .... no more !!!.
P.S.
In case you wonder, I am the original AC and someone who supports the BBC and does 'generally' think they are balanced.
I have never called them 'left' or 'right' biased as tends to be the case nowadays.
I just dislike such laziness.
BBC are reporting on ICANN and their problems with an article that completely misses the issues and frames them as the victims !!!!
To be fair, the BBC news site is edited down to such a bare minimum of facts and seems to be written with the intent of being understandable to anyone with an I.Q in the single digit range it's not a surprise it misses most pertinent facts or is vaguely anywhere close to the truth and not new for the fluffy mushroom heads and those that have dodgy living arrangements with seven bearded mining little folk.
I have my doubts about the BBC on a lot of things, these days, but I fear it is a growing awareness of the crapitude of news media, rather than any change at the BBC.
And when it is the frothing anti-EU loonies running the country, I find it hard to blame the BBC for being a bit circumspect.
(The other angle is that, on technical issues, it only takes one journalist to skew things; no names, but there are people writing for The Register who have an obvious political bias on some issues.)
"That looks like a lightly regurgitated press release, not actual journalism."
You mean news outlets* are supposed to do anything beyond regurgitating press releases in the 21st century? What a novel idea...! Has anyone told them...?
* Present company excepted. Ish.
To be fair, the BBC article does mention that they had years to prepare, and also finishes by saying
"cyber-criminals were never likely to have provided accurate contact details for their scam websites, and highlight that the law does provide added protection for legitimate registrants."
The organization that registers .de domains has to have personal info. They restrict who can register .de domains to people that live in Germany. I had a .de vanity domain about 17 years ago, had it for probably 2 years then the .de folks took it back (I didn't know the "rules" at the time). Just checked again and the rule is the admin contact must be an address in Germany.
So what? If the registrar needs that information to determine eligibility then it is entitled to collect it. But if the only reason for obtaining the info is for that determination then it is not entitled to use it for other purposes without setting out those purposes. Nor is it entitled to pass that info on to a third party without the permission of the registrant.
Look at this slanted POS reporting from the Beeb. What's the next line, intellectual property lawyers champion 'won't we think of the children'. This is totally False-Flag-GDPR-Black-Ops from ambulance chasing lawyers:
-----------------
"Whois... used by the police and journalists to check the legitimacy of websites... Police will be robbed of ready access to vital data drastically impeding their efforts shut down illicit activity. The regulatory rubric EU has created will make it harder than ever to catch computer hackers"
-----------------
GDPR 'risks making it harder to catch hackers' - BBC News
https://www.bbc.co.uk/news/technology-44290019
Any old contract won't stand up against GDPR, otherwise anybody could add a contract condition 'ignore GDPR'.
So, given this suicide-bomber on a desert-island approach, what is the alien intelligence (I-word used advisedly) trying to achieve? Perhaps, like Duck Turd, they already know they're a laughing stock but so far nobody has found the right stick to beat them with.
Anyway, as they're so keen for a tussle perhaps the big regs will respond in kind and lots of $$$ will start to pile up on ICANN's doorstep.
I've seen several examples recently with a pattern of US lawyers with limited experience of a field of law collecting large fees for rather feeble cases. Most recently, it was a personal-injury specialist from Texas taking on a Federal Trademark case, and trying to dodge the whole Trademark Registration procedure with a court case. The laughter from IP lawyers was muted, but unmistakable. The style is very different.
Are ICANN that stupid? You would think they would at least have involved a competent German lawyer. Some of the labels and concepts are different, but this is part of the point of having Barristers in the UK. The boundaries have blurred, some solicitors can now do jobs that only used to be open to Barristers, but this does look like what you get if you ignore competent and relevant legal advice.
Though there might have been some time pressure. Things do, generally, look a bit too last-minute on GDPR, and not just because the UK government is running around like a headless chicken on anything to do with Europe. But how much of that is wilful American-led blindness?
I am not arguing against GDPR, for ICANN, or in favor of US laws superseding European or German ones. Not at all. Having said that, Tucows' argument that for "the vast majority" of registered domains owner, admin, and tech contacts are the same and thus there is no need to collect all three seems strange. Even if those are different only in a small fraction of cases, it seems to me there may well be reasons for them to be different, and thus they need to be collected for legitimate operational purposes.
E.g., imagine an organization that wants to register a .de domain. Someone else here has already pointed out that one needs to be in Germany and have a German address to do that. That's the "owner", right? However, for administrative purposes, e.g., billing, someone else, maybe the company's finance department in another country, should be contacted (surely you've provided a separate "billing address" many times). That's a separate "admin" contact then. And technical/operational issues are handled by a third party - hell, the organization may not even have IT staff but still needs internet presence. That's a "technical contact", separate again. It does not seem to be far-fetched at all...
The registration procedure may have checkboxes saying "use the above address as your admin/tech contact" to avoid duplication (IIRC, this is similar to what AMZN do when you buy something from them - there is a checkbox to indicate that the billing address is the same as the delivery address), but in principle it makes perfect sense to me that the three contacts are logically independent and all are needed to complete the registration.
It's not really the collecting of the technical and admin contacts that is the issue, it is the publishing of them in the whois database. If they were collected by the registrar, and kept private by the registrar except in the case of a court order or other legal mechanism (as Nominet is doing with .co.uk addresses) there isn't an issue - the registrar has the data that it needs to perform its contract, and can provide that information where there is a legal basis to do so.
The issue is that while ICANN claims to operate in the interests of the domain registrars, its main objective here is to ensure that IP lawyers can continue to use the whois database to identify where domains may sound vaguely similar to a well-known brand, and then charge the well-known brand thousands of pounds to hound the owner of the domain until they give it up.
Yes, there is that provision within GDPR. However; the data collected/published has to have a lawfully justifiable PURPOSE, and the PURPOSE has to have a LAWFUL BASIS FOR PROCESSING - in other words they are using circular logic to try to confuse and I don't think the Courts are that thick.
The contract you're trying to use as a Lawful Basis for Processing has to be a legally binding contract and when it isn't, any clauses which are not lawful are discarded as if they're not there; THAT much is written into Contract Law and backed up by relevant Case Law.
ICANN have been lazy and they ARE going to pay the price for that. If I as a layperson can understand this, so can they - and I hope their attempts at obfuscation and delay are rewarded with a robust legal response.
I would have said that the ICANN argument has got to be along the lines of the fact that the provision of a domain requires registration with world DNS and a condition of this is provision of data to the whois service. This creates an argument that the contract between the site owner and the German registrar allows this because the German registrar isn't allowed to set up the domain without passing the information on. This then leads to a situation where the German registrar is the data controller but ICANN has status as a data processor and needs to comply with GDPR. It does muddy the waters but since the public availability of whois has no practical benefit to the discharging of any contractual obligations and only serves as a convenience I can't see any argument for allowing it other than ICANN claiming that their contract is not subject to GDPR and is covered by US law. That would then mean that no company can legally operate as a registrar in Europe and probably then goes on to the full enforcement of GDPR meaning that no personal data of a European can be passed to/through the USA or be held by a US or US owned company.
I really hope this doesn't turn into the equivalent of a nuclear exchange as it will devastate the world economy but that seems to be the stance ICANN are taking.
Because among the reasons under Lawful basis you can give for processing Personal information within GDPR is "legitimate interest"
It's less box-ticky than contract, opt-in permission, etc but if you can frame the processing correctly then you're in.
As ICO puts it "It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing"
I think many are missing the point: ICANN are the controller in this case, and Tucows (and their subsidiary) the processor.
ICANN contracts tucows to run the .de registry
ICANN contract requires they collect the said information
Tucows as processor must perform the duties they are requested by the Controller.
What ICANN does with that information, is not Tucows responsibility, however dodgy and against the law it is.
It is the responsibility of the registrant to gain Consent from the technical and admin contacts to publish this information.
I agree ICANN need hauled over the coals for the privacy implications in Whois, but this case isn't about WHOIS and GDPR, it's about contracts.
If ICANN are the controller, then they are wilfully breaching the GDPR and admitting it by bringing the case.
If that's the argument they bring, then they are asking the German regulator to immediately impose the highest possible fine.
However amusing that might be, the last missive sent out by ICANN specifically stated that the registrars - in this case Tucows - are the data controllers.
File a case involving GDPR and subsequently remove eyes from the real issue that the muppets in ICANN make breathing room to sort out the mess in their own backyard (presumably destroying evidence). It’s a classic tactic used in US court but doesn’t work in Europe all that well.
I’m quite sure this may result in a splinter of control and someone sulking in the corner muttering that they no longer want to play and it's their ball. If they win - well give it a few years and some bright spark will come up with a better system to communicate and shaft them royally.
Time for our American cousins to grow up a little. There is always a bigger fish.
Interesting that the government is going to want that contact information when they find lawbreakers now using GDPR to hide, and yet the common folks are not allowed to have that contact information. I guess they would want it so they could spill it, and since they are the government, will not get caught. What a two-faced law GDPR is.
Hey commentards...
Does GDPR cover businesses?
How does it handle regulatory filings?
When you start to consider the details that you provide... you have no privacy because you're providing necessary contact details.
It's when those details are fake that you run into problems.
If you've ever had to run a domain... and you trace back bad behavior to another user on another domain, what do you do? In the past, you look at the whois information and you contact their admin.
Now, I guess you just spin up a DDOS cloud and retaliate or some other immature stunt.