As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains

Whois and ICANN – the Sonny and Cher of internet policy

Incoming European privacy laws which carry a global impact for anyone doing business in the Union are continuing to cause an epic policy meltdown at internet overseer ICANN.

This week the European Commission responded [PDF] to the US-based organization's latest efforts to resolve a stark conflict between the domain name system's Whois service and the General Data Protection Regulation (GDPR), that will come into force this May.

It was not impressed.

"Given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches," wrote the EC's director-general of technology and communications, Roberto Viola.

"The Commission therefore encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs and interests."

Which is a nice way of saying: That's it? This is what you've been working on?


Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system


The current Whois system publishes the name, address and telephone number of everyone that registers internet address; a system that is illegal under GDPR because it doesn't seek people's consent before sharing their personal details. Some companies offer to hide your details for an extra fee but that doesn't cut it either under GDPR rules.

ICANN has done its best to ignore that fact for a number of years, relying on the fact it is a US corporation and that the American government is strongly supportive of the Whois system.

But then the companies that fund the organization started explaining that it was a real problem. Many have their headquarters or subsidiaries in Europe and GDPR imposes fines of up to €20 million or 4 per cent of turnover, whichever is larger, if companies are not in compliance.

We got this

So in response ICANN decided to commission a third-party to put everyone's minds at rest. But that expert came back and told ICANN the same thing: you have to sort this out now.

The problem really hit home when registries under contract with ICANN started rejecting the organization's authority. ICANN's legal department sent threatening letters to two internet registries based in Europe that said they won't run a Whois service. ICANN informed them it was in their contract.

They got back: that part of the contract is "null and void" because it conflicts with European law. It's safe to say that woke the Californian organization up.

Several months later, ICANN came up with a quick fudge: it would not impose its contractual obligations if companies sent it a letter explaining what they intended to do to fulfill the new European regulations. The idea was that ICANN would then use these models to devise its own system, which it would then ask everyone to apply.

And then earlier this month - three months later - it outlined its solution. Well, its four solutions. And another eight solutions offered by others. Twelve solutions in total, packed into an Excel spreadsheet [XLSX].

ICANN graphic showing various Whois solutions

There you go - sorted. ICANN's summary of other people's solutions.

With just over three months remaining before the law kicks in, a hugely complex and expensive change to how the internet's addressing system will work was expressed only in terms of a graphic so vague that no one quite knows what it means.

Umm, how do we say this?

The European Commission's biggest fear appears to be that ICANN will panic and impose whatever it thinks is the best solution without having given the fix proper consideration.

"Given the importance of determining the best approach in light of the important interests at stake and the many stakeholders concerned, we consider that it would be better to delay ICANN's final decision on the interim model while keeping the current momentum," the letter from Viola suggests.

He goes on: "Deferring the decision until after ICANN61 would allow for discussion with all stakeholders involved as well as the data protection authorities, which can only usefully take place now that concrete models have been put forward for consideration."

ICANN 61 refers to the organization's meeting in San Juan, Puerto Rico next month. It will be the last opportunity for ICANN's constituent groups to come together and agree a solution before GDPR becomes law.

The European Commission is arguing that a decision not be made by the ICANN Board in March but that the meeting be used to reach agreement and then the Board approved an interim solution later – presumably at its meeting in April or May.

Even by the standards of ICANN, an organization that is seemingly incapable of making a decision until it has no other choice, that is cutting it tight. ®

Sponsored: Detecting cyber attacks as a small to medium business


More from The Register

Dotcom illustration

ICANN extracts $20m signing fee for $1bn dot-com price increases – and guess who's going to pay for it?

Comment Sorry, meant to say Verisign contributes to 'security threat' education

Haunted by Europe's GDPR, ICANN sharpens wooden stake to finally slay the Whois vampire

Whois to become Whoisn't

The .amazon argy-bargy is STILL going on – and Uncle Sam has had enough with ICANN

Analysis Will Amazon finally get hold of its internet namesake?
An illustration using the words I Can't Even

Hey, ICANN, if you need good reasons to halt the .org super-sell-off, here are two: Higher fees, more website downtime

You need stability concerns? Here’s some stability concerns, say DNS gurus at Packet Clearing House

Dot-org price-cap scrap latest: Now ICANN accused of snubbing registrars with 'sham' public comment process

DNS overlord ignored opposition, says Namecheap

ICANN finally reveals who’s behind purchase of .org: It’s ███████ and ██████ – you don't need to know any more

Analysis Purchase funded by debt, includes another ex-ICANNer, will be done through four different companies. All perfectly normal

ICANN demands transparency from others over .org deal. As for itself… well, not so much

Do as we say not as we do, DNS overseer sternly tells Internet Society
People arguing with each other in an office

Let’s check in on the .org sale fiasco: Senators say No, internet grandees say Yes – and ICANN pretends there's absolutely nothing to see here

Analysis 'Ethos Capital, ISOC, and PIR have failed to provide clear and transparent information'

Biting the hand that feeds IT © 1998–2020