Whois privacy shambles becomes last-minute mad data scramble
Internet address industry given one week to introduce unfinished GDPR policy
Thousands of internet registries and registrars will have just one week to overhaul their customer databases to fit with a policy that is still under development, or face ruinous fines.
That is the end result of an extraordinary failure by the organization that oversees the internet's domain name system to address a change in European law: a change finalized two years ago.
The companies that sell internet addresses and run fundamental pieces of the internet's infrastructure, such as the .com registry, have been told by DNS overseer ICANN that its board expects to approve a new temporary policy covering the storage and publication of domain name registration data – called Whois – this week.
A draft of that new Whois policy [PDF] was only published five days ago, but ICANN has told the companies – which are under contract to it – that they need to implement its contents before May 25 in order to bring themselves in line with the GDPR privacy legislation.
If they are found not to be in compliance with the law, those companies face multi-million-dollar fines from European regulators, and ICANN also warned that it would carry out compliance audits against its still-unfinished rules to make sure they are being followed.
The task of complying with that temporary policy has been made even harder by the fact that the draft was changed three days after it was first published, and further changes may happen before it is finally approved on Thursday, especially if European data protection regulators respond to the questions ICANN put to them less than a week ago.
So, um, details...
In addition, several critical aspects of the new policy remain undecided, making it hard for registries and registrars to know what to do.
And the entire policy will expire in 90 days, at which point it will either be extended, or it will be tweaked to include more changes aimed at bringing ICANN in line with the new law.
Unsurprisingly, the response by the impacted companies has been one of anger tinged with confusion.
Many of those companies started implementing their own policies ahead of the GDPR deadline after ICANN failed to develop a policy in time and instead asked for European regulators to give it a special one-year "moratorium" on applying the law: something that those regulators pointed out they were in no position to approve.
The heart of the problem is that the personal details of domain name registrants – including their name, home and email address, and phone number – are published on the internet under the current Whois system.
That approach is illegal under the new GDPR legislation since it does not allow people to withhold their personal information; there is no permission sought for publication.
But ICANN has been resistant to changing the current rules, in large part because powerful US corporate interests want the current rules retained and feel that European laws should not override the current system put in place by US corporations and overseen by a US organization. That resistance has led ICANN right up to the deadline with no agreed solution.
It was only when European registries informed ICANN they would be disregarding parts of the US-based organization's contract because they were not compatible with the law of the countries in which they are based, that ICANN finally took action.
There are three main issues that ICANN seeks to address with its last-minute temporary policy:
- It wants companies to continue to gather all the same registration information – including people's names, home addresses and telephone numbers – even if they don't publish it all.
- It wants them to come up with some kind of system to let authorized users access that information.
- It wants them to make it possible for third parties to contact registrants via email without having to seek permission from anyone else.
While those aims are understandable and legitimate given the purpose of the Whois service – to allow people to recognize who controls a given internet address – meeting them will require significant changes to the companies' computer systems in an incredibly tight window, with no certainty that those changes won't need to be discarded in a few months' time when a revised policy is put out.
Previously, registrars had warned that shifting all their systems just to handle anonymized email addresses, so domain owners can be contacted without being directly identified, would take four months. They will have little more than four days.
The most critical and complex aspect, however, is the accredited access component. Registries and registrars will need to figure out a way to grant specific people access to non-public data, but there is no guidance on the best way to do this or even on who is eligible to gain that level of access.
ICANN hopes to be able to come up with a permanent solution to Whois that will answer those – and many more – questions within a year by running a special fast-track policy process.
Even if that process runs smoothly, however, the internet infrastructure industry is now going to have to deal with 12 months of uncertainty with the prospect of huge fines if they get it wrong. ®