Any difference between ICANN vs FCC?
ICANN't see any... Special interests trump everyone and everything else...
The organization that oversees the internet's naming and numbering systems is continuing its embarrassing European legal campaign, insisting for a third time that the German courts have got it wrong. On Friday, ICANN appealed [PDF] the latest court decision against it, this time insisting that the Appellate Court of Cologne, …
ICANN used to be controlled by the US government and now it's not. The special interest groups seem to be in control from all accounts.
Should the government have spun it off on its own? Who knows but this sure is beginning to appear to have been a huge mistake. If it hadn't been spun off, there might be other issues similar to what the FCC is doing including allegations of favoritism or maybe not. Don't know.
One of the biggest problems with "internet" and "tech" is the big corporations wanting things set up for their benefit and to hell with the people. Controlling the FCC and now it looks like ICANN, should give any profit monger a wet dream.
I don't see any of this ending well.
Not really. Until it is resolved, European registrars are refusing to collect this information, in breach of contract with ICANN, because it would be illegal to do so. (Generally the contracts state that if any clause is illegal, it will be exempt from the conditions and does not affect the standing of the contract, so ICANN can't break the contract, because the other parties are claiming the clause for collecting Whois data is illegal and therefore the clause in the contract is null and void. ICANN is therefore busily trying to prove this is not the case.)
So, either way, ICANN is not getting the data their big-corporate partners would like to have.
Something that most of this new wave of nationalists around the globe seems to be missing is that you can be in your own jurisdiction, your own nation, your own planet, whatever, but if you want to do business in my house, you have to follow my house's rules. Dropping international treaties doesn't mean that you suddenly get sovereignty over *other* nations.
Why the German courts? Of all the countries in the EU, why did the idiots at ICANN decide to fight this in Germany? Being the country where data protection has been a high profile political issue since at least the early 90s. I can't think of any worse country in the world for them to have picked this fight. Surely they could have found a nice friendly court somewhere else in the EU? Anywhere else.
Good question. I guess they picked to fight in Germany rather than say, Poland because of Germany's approach to privacy and data protection. So if ICANN could get a precedent set in Germany, they could try using that as leverage if any other registrars failed to comply.
The bit I'm curious about is how to kick something up to the ECJ. AFAIK, you have to exhaust the legal process in the country's jurisdiction before a case could be appealed to ECJ level?
I believe that lower courts can ask for a ruling from the ECJ on a point of European law impacting on national law. I'm pretty sure the High Court and Court of Appeal in the UK have done it, before the case even got to the Supreme Court - but I'm not sure if lower courts can.
Everyone's legal system is different too. So in some cases you have to ask for a lower court's permission to appeal, in others you can do it anyway as a matter of standard procedure. And that isn't even standard in any single jurisdiction, let alone internationally.
In the US it's even weirder. As their Supreme Court look at the cases that have been submitted for their attention, have a good old think for a couple of months, and then announce which ones they'll look at and which ones they're not interested in. But then the US Supremes and the ECJ both tend to rule on the point of law in question, give their guidance and then throw the case back to the lower court in question - who then get to do the actual judging on the individual merits of the case.
Law is complex.
The decision to fight in Germany seems utterly perverse to me. Much better to win a few cases in other jurisdictions and try to crack the German nut later. Not that I think their case ever had a hope anywhere. The GDPR is pretty clear on a lot of this stuff, and just whining that you should have an exception because you want one is going to piss off most judges in most places. They're liable to think that their time is being wasted.
Radio 4 had a great program on the UK Supreme Court earlier this year. I don't know if it's still on iPlayer or not. But it was interesting on the processes they've developed - as of course it's a very new court, brought in to replace the House of Lords.
So they discussed how they came to decisions and then who got to write them up. And how sometimes they'd have one person write up the judgement, with input and comments from others, and sometimes they'd separately have the dissenting opinion written by a spokesman for the dissenters and the majority verdict from one of them.
What I know about the US system comes mostly from Alistair Cooke. The BBC made a huge archive of his Letters From America available a few years ago. There's more than 900 of them, in groups and series. The early ones are all good - but given he started in the 40s, he was starting to repeat himself a bit by the early 90s. Which is only fair. And still many of the later ones are interesting. The Nixon ones are great, particularly in the light of recent Trumpy events. God he'd have been incandescent about Trump - Nixon actually had some redeeming features. I was surprised by how sceptical he was about Kennedy's foreign policy, for example. He covers the Supremes in a few episodes. Worth a look, even if you only select a few - at mostly 15 minutes each I went through them over a few years of walks to work, interspersed with much other stuff. Mike Duncan's 'History of Rome' and now 'Revolutions' and David Crowther's 'History of England' are my podcast time-sinks now. Along with 'More or Less', 'Fighting Talk', 'Infinite Monkey Cage' and a few others.
Sorry, gone waaay off topic. But I love 'em all, so I'll plug 'em anyway.
"Looks like we'll be following EU law for quite a while,"
Yes, because, apart from the fact that GDPR, like all EU law, becomes part of UK law until Parliament says otherwise, the current DPA is based on it more or less - that more or less bit is the wriggle room HMG has given itself. Because, unlike ICANN, we have a vested interest in doing business with the EU (not that some people realise that) the wriggle room is going to give us problems because I doubt the EU is going to be so daft as to give us a Privacy Figleaf as they did with the US.
The UK government has already said they would like to keep the GDPR. That is not surprising as a lot of UK businesses would feel serious pain if the UK fell out of the GDPR. Also, the UK Information Commissioner's Office happens to have had a big hand in drafting the GDPR.
But even outside of the GDPR, the 'Brussels effect' (https://en.wikipedia.org/wiki/Brussels_effect) is not going anywhere, whether we are a fully subscribed EU member or crashed out with a hard Brexit. Particularly not since we are surrounded on three sides by other EU member states and they will remain our major partners (from security and trade to foreign policy and regulation) in every scenario.
"despite...insisting that the lack of a Whois service...will cause an uptick in online crime, no one has yet to provide any evidence that that is the case...Law enforcement continues to be able to access full Whois data by simply requesting that registries and registrars provide it to them. So the issue is really large American corporations who want full Whois access in order to chase down anyone potentially infringing their trademarks"
Although ICANN has certainly butchered this whole issue and really ought to sit on the naughty step, what is written here is not correct. First, law enforcement can't compel registrars to provide data just because they say so in every jurisdiction - it really varies from place to place. In some places they can just ask; in others, they'd need a court order. Second, even if law enforcement can request it, you need to get their attention with your problem in order for them to do so - and there is a gigantic tidal wave of fraud that's reported through Action Fraud that just doesn't get dealt with. Third, if the registrar is in a different country to where the crime has been committed (e.g. UK crime, Egyptian domain), then you're going to need UK law enforcement to make a Mutual Legal Assistance Treaty request to the foreign authorities to get the data out of the other registrar. Fourth, not all Bad Things (counterfeiting, diversion of opportunity, defamation, harassment, passing off) are crimes or crimes that are serious enough to warrant a criminal investigation.
And so on. The lack of transparency on who owns domains makes investigating crime slower, more expensive and less successful. It also makes due diligence to prevent crimes more difficult. There's a (correct IMO) international push towards more transparency and public records of ownership of companies and property - why not also domains?
"and there is a gigantic tidal wave of fraud that's reported through Action Fraud that just doesn't get dealt with."
The utterly _clueless_ responses I see from Action Fraud from attempts to both report fraud and supply intelligence are a pretty good indication that the primary problems there related to the volume of reports.
Mind you, their press releases are also a pretty good clue about that too. Jobs for the boys and all that.
The article's argument that ICANN's argument amounts to FUD - that criminality will increase in the absence of good, accessible WHOIS data - is incorrect.
Action Fraud's comment that it takes a consumer both sufficiently aggrieved as well as capable to even open a police case, followed then by an adequately resourced and motivated police force, in the same jurisdiction, to get WHOIS data to begin to track down malfeasants, is absolutely correct.
A large amount of small fraud is gotten away with all the time today due to the ease with which wholesale (fake) copies of e-commerce websites are set up and then SEO'd into high-end positions in search results that people looking for an article to purchase may find themself on such a fake site. Absent readily accessible WHOIS data, they (were they so skilled and inclined to check first) could not get the information needed to take into account in judging whether the site is likely legitimate, or (in the more common case of the consumer who lacks the wherewithal to do such analysis themself) other site rating services would not have enough information to form an opinion, because the sites churn quickly.
The result is that many consumers just take the risk of buying from the unknown site, and are defrauded (which, under credit card fraud rules in the US, is low risk to the consumer, but for the rest of us in the world, where we have far less legal protection against credit card fraud, is largely at our own risk), or, the more cautious consumer simply doesn't buy (which hurts the legitimate small business which for whatever reason, either of their own potentially misguided commercial choice, or because of the defaults of their possibly-hidden-behind-two-service-provider-layers-Registrar has their registration data private).
There are US-EU dick-size contests going on here. But there also truly is a problem with the current towards-privacy-everywhere argument in WHOIS data.
My proposal is that WHOIS data should be made accessible in most cases (call this two different levels of WHOIS Privacy) to anyone who files a legally sworn statement as to the reason and validity of their request, with no need for police or court process, to be granted the requested access; if that access turned out to be fraudulent then that person will have committed an easily prosecutable crime. The second (higher) level of WHOIS Privacy would be accessible only upon presentation of a court or police finding that the registrant is under unusual threat, and would then enjoy the level of privacy that current one-size-doesn't-fit-all WHOIS Privacy provides.
Not having a WHOIS record is not much of a defence in a fraud case, not least because there is no guarantee of the information being accurate. Easy enough via Interpol to subpoena the relevant registrar who, at least in Germany, will then provide the admin-c. For jurisdictions that do not comply then ICANN, as head domain honcho, has the ultima ratio of being able to turn off the relevant TLD. But, as anyone who's dealt with international fraud will tell you, getting the admin-c won't really get you very far as it's likely to lead to a company or trust registered in one of the jurisdictions like Delaware which don't provide information about their owners.
As usual, cleaning up their own backyards would be the best place to start.
El Reg is too credulous about the EU privacy bodies' views. From what is reported, the German courts refused an injunction for lack of urgency. Showing urgency is a sine qua non for an interlocutory injunction.
It is up to ICANN to decide the matters to which would-be registrants must consent in registering a domain and consent is a ground for data processing. Also, the EDPB's attempt to confine ICANN's legitimate interests to the technical management of DNS is imaginative but unfounded. ICANN has a legitimate interest in preventing fraud and - yes - IP infringement (such as cybersquatting).
Web site owners are not to be equated with "citizens" - they are economic operators against whom consumers are entitled to regulatory protection. This is why Article 5 of the Electronic Commerce Directive requires online operators to make publicly available a slew of identification data.
Would it not be possible to have an option at registration - is this for personal use or corporate use?
OK, there would be individuals who could pretend to be companies, but then they have lied and the data they gave (fictitious or genuine) will be published. Individuals' privacy would then be protected if they register their domains in an individual capacity.
Does ICANN publish any data itself? For whois I thought you had to go to the regional registries (RIPE, ARIN)?
This was offered prior to GDPR in the UK at least. For example GoDaddy would offer a service whereby - for personally-owned domains - where you could purchase domain masking where a nominee address was shown in WHOIS rather than your own details.
Post-GDPR this is moot in the UK, so this service is no longer charged for.
Does ICANN publish any data itself? For whois I thought you had to go to the regional registries (RIPE, ARIN)?
That's kind of the crux of the matter. The RIRs (RIPE, ARIN, APNIC etc) run WHOIS for IP addresses, NIC handles, ASNs and other bits of data per IANA rather than ICANN. They've perhaps been a bit more grown up about GDPR, eg RIPE's policy is here-
So obtaining consent for any personal data, and limiting the display. RIRs probably can also argue a better case for operational necessity to maintain routing integrity. ICANN on the other hand..
The second main way around the law is to devise an "access program" for specific groups to be granted access to Whois data and then devise the system in such a way that corporate interests are effectively viewed as equivalent to law enforcement.
Which is ICANN's IPR issue. Their domain registration database has value if it's complete, and its "access program" would be via a range of subscription options. Call it $4.95 for an individual database query, or say $10k per year for full access.. IPR lawyers can expense that, or bill to their clients.
And that is supposed to be a problem how exactly?
I wonder if there is anything in the German judiciary system that would allow it to tell ICANN to just shut up and go away. If not, this ridiculous charade is going to be the new SCO, and I'm not amused by the thought of spending years reading about ICANN's latest failure.
I do believe there is just such a provision if I remember correctly. Something about a verdict "with prejudice", which means the applicant is no longer allowed to pursue the case any further. There was a Reg article a bit back which dealt with just such a case, I believe.
There's a good chance ICANN is heading that way... German courts are not very forgiving...
"I do believe there is just such a provision if I remember correctly. Something about a verdict "with prejudice", which means the applicant is no longer allowed to pursue the case any further."
But wouldn't they just challenge the ruling of prejudice on the basis of judiciary bias or some other claim? Or does such a ruling carry a legal basis of finality or even a threat of criminal prosecution?
...but unfortunately it's impossible because there isn't a single TLD registry in Europe who has worked it out, *except absolutely every ccTLD in the 30+ Member States and EEA.*
10 minutes doing WHOIS on Nominet.uk, Denic.de, sidn.nl etc and they'd find a series of acceptable solutions...
Trottel / Vollpfosten are similar in German. Trottel is probably closer, but also means simply idiot, as well as mug. You could also describe them as "arglos", which is guileless or naive, but it also means ingenious...
Vollpfosten is probably more the equivalent of f'ing idiot, although they are pretty much synonyms. Just Vollpfosten is more derogatory than Trottel. Trottel is an idiot, in the vein of village idiot, whilst Vollpfosten is what you would shout if somebody cut you up in traffic.
German has a lot more technical words, but some "simple" words in English are hard to translate or have no direct equivalent.
Deutsche Sprache, schwere Sprache.
Not a linguist by trade, but my understanding is that the Normans had picked up a lot of Romanized terms -- as one does when trying not to appear a parvenue after invading the West. Meanwhile, the Angles/Saxons/Jutes kept much of their language, generally not bothering to learn more than the minimum British needed to get their message across*. So, in the end, their words tended to be short and their sentences direct, until their Romanized brethren showed up with their posh talk and fancy grammar.
Thus, for instance, the Anglo-Saxon serfs butchered sheep and deer, while the Normans ate mutton and venison, the poor shat while the rich defecated, etc., so the rule of thumb became "If it's monosyllabic, it's Anglo-Saxon, if it's polysyllabic, it's probably a Norman import."
* -- This also explains why English is the rare language that, in general, doesn't gender its nouns: The British nouns had gender but the invading Saxons, et al, couldn't be bothered to learn them, so they just didn't. "Bring food!" was clear enough to get the job done, so that was it.
...but that's how EU Law works. It's vague but in certain places very clear. It defines "personal data" very clearly, and it also defines a very short list of "Lawful Bases" for processing personal data.
"Contractual Obligation" is one of them, but it doesn't trump criminal Law. GDPR also specifies very clearly when an offence has been committed by a data processor...
When a State interprets parts of GDPR locally, it's only in those parts which are deliberately vague - they cannot change any of the stuff I mention above, except by adding to it. They can't "re-clarify" or change any Offences listed in the act - they can only add new ones which are compatible with the rest of GDPR.
I think one of the issues with ICANN is that they're trying to say "...but we have a contractual obligation to store and process this data..." when GDPR very clearly states that the way they intend to **USE** that data is a criminal offence... the Offence wins, every time.