As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains
Whois and ICANN – the Sonny and Cher of internet policy
Incoming European privacy laws which carry a global impact for anyone doing business in the Union are continuing to cause an epic policy meltdown at internet overseer ICANN.
This week the European Commission responded [PDF] to the US-based organization's latest efforts to resolve a stark conflict between the domain name system's Whois service and the General Data Protection Regulation (GDPR), that will come into force this May.
It was not impressed.
"Given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches," wrote the EC's director-general of technology and communications, Roberto Viola.
"The Commission therefore encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs and interests."
Which is a nice way of saying: That's it? This is what you've been working on?
Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration systemREAD MORE
The current Whois system publishes the name, address and telephone number of everyone that registers internet address; a system that is illegal under GDPR because it doesn't seek people's consent before sharing their personal details. Some companies offer to hide your details for an extra fee but that doesn't cut it either under GDPR rules.
ICANN has done its best to ignore that fact for a number of years, relying on the fact it is a US corporation and that the American government is strongly supportive of the Whois system.
But then the companies that fund the organization started explaining that it was a real problem. Many have their headquarters or subsidiaries in Europe and GDPR imposes fines of up to €20 million or 4 per cent of turnover, whichever is larger, if companies are not in compliance.
We got this
So in response ICANN decided to commission a third-party to put everyone's minds at rest. But that expert came back and told ICANN the same thing: you have to sort this out now.
The problem really hit home when registries under contract with ICANN started rejecting the organization's authority. ICANN's legal department sent threatening letters to two internet registries based in Europe that said they won't run a Whois service. ICANN informed them it was in their contract.
They got back: that part of the contract is "null and void" because it conflicts with European law. It's safe to say that woke the Californian organization up.
Several months later, ICANN came up with a quick fudge: it would not impose its contractual obligations if companies sent it a letter explaining what they intended to do to fulfill the new European regulations. The idea was that ICANN would then use these models to devise its own system, which it would then ask everyone to apply.
And then earlier this month - three months later - it outlined its solution. Well, its four solutions. And another eight solutions offered by others. Twelve solutions in total, packed into an Excel spreadsheet [XLSX].
There you go - sorted. ICANN's summary of other people's solutions.
With just over three months remaining before the law kicks in, a hugely complex and expensive change to how the internet's addressing system will work was expressed only in terms of a graphic so vague that no one quite knows what it means.
Umm, how do we say this?
The European Commission's biggest fear appears to be that ICANN will panic and impose whatever it thinks is the best solution without having given the fix proper consideration.
"Given the importance of determining the best approach in light of the important interests at stake and the many stakeholders concerned, we consider that it would be better to delay ICANN's final decision on the interim model while keeping the current momentum," the letter from Viola suggests.
He goes on: "Deferring the decision until after ICANN61 would allow for discussion with all stakeholders involved as well as the data protection authorities, which can only usefully take place now that concrete models have been put forward for consideration."
ICANN 61 refers to the organization's meeting in San Juan, Puerto Rico next month. It will be the last opportunity for ICANN's constituent groups to come together and agree a solution before GDPR becomes law.
The European Commission is arguing that a decision not be made by the ICANN Board in March but that the meeting be used to reach agreement and then the Board approved an interim solution later – presumably at its meeting in April or May.
Even by the standards of ICANN, an organization that is seemingly incapable of making a decision until it has no other choice, that is cutting it tight. ®
Sponsored: Becoming a Pragmatic Security Leader