Domain name sellers rub ICANN's face in sticky mess of Europe's GDPR
Seeing as you love moratoriums on following the rules so much, how 'bout we get one, too?
Internet domain-name sellers have turned the tables on global DNS overseer ICANN by using its own tactics against the hapless organization.
In a letter [PDF] to the California-based organization sent the day before it finally approved a "temporary" policy for the Whois service to bring it into compliance with new European privacy legislation – GDPR – registrars representing roughly a quarter of all domain names have asked for a "moratorium" on the new policy.
"We ask that any temporary specification include a formal ICANN compliance moratorium, not shorter than six (6) months, providing us an opportunity to conform, to the extent possible, our GDPR implementation with the GDPR-compliant aspects of any ICANN temporary specification," the letter signed by GoDaddy and Tucows – who as the two largest registrars in the market represent 67 million of the approximately 332 million domain names worldwide – as well as six other registrars, reads.
It adds: "We note that the six month timeline for implementation is a minimum and an estimate. Depending upon the scope and scale of changes, many registrars will need a longer period to implement any temporary specification imposed by the Board upon the community, and there should be an option for registrars to apply for an extension."
The "moratorium" language is a direct reference to ICANN's embarrassing efforts to excuse itself from the General Data Protection Regulation (GDPR) by asking European data protection authorities to grant it a special one-year exception before they applied the law: a request that the authorities pointed out they were in no position to grant.
Asleep at the wheel
GDPR was finalized two years ago – in May 2016 – and comes into full force next week, on May 25. Despite the rest of the world working on compliance with the new law, however, it wasn't until one of ICANN's registries refused to comply with its contract with ICANN over GDPR in October 2017 that the organization finally acted.
Having tried and failed to rush a policy through its decision-making processes, ICANN then pinned all its hopes on a concept that its own staff and management board came up with: a moratorium while it spent a year developing a permanent solution.
The organization then wasted six critical weeks pursuing that effort before being told at a meeting of Europe's data protection regulators in Brussels last month that it wasn't remotely feasible: the law was settled two years ago, and becomes a right of all citizens in Europe starting May 25. The data protection authorities are obligated to act on complaints and follow the law.
Following that rejection, ICANN then decided to impose a "temporary" 90-day renewable policy just one week before the deadline, and then had the audacity to tell domain registries and registrars it would audit those companies to ensure they were following the new rules.
How do you spell 'kiss my ass' in legalese?
The frustration with ICANN's approach is apparent in the letter from the registrars: "Contracted party registrars have been working on our own technical implementations for many months, as there was no guidance from ICANN regarding proposed or actual new policies," it notes. "Any temporary specification adopted now that significantly deviates from previously held expectations and models will be far too late for us to accommodate for a May 25, 2018 implementation date."
In short, the world's largest registrars – on whom ICANN relies for most of its revenue – have told the DNS overlord that it can't just tell them to change all of their systems within a single week, with the knowledge that it may change again in three months, just because that might protect the organization from lawsuits and fines of up to €20 million ($24m).
It's impossible to know how the situation will play out, but there is a very real risk that someone will formally complain about the Whois service, and so put a registrar in the difficult position of either paying massive fines for breaching the privacy regulations – or turning on ICANN, an organization that has demonstrably failed to offer a reasonable solution while at the same time insisting only it can decide new policies. ®