US government tells internet body to hurry the funk up on privacy
Yeah, yeah, yeah, it's hard. But so is my foot in your ass
The US government has warned the organization that oversees the domain name system that it needs to hurry up and finalize privacy rules for Whois internet addresses or Congress will back replacement legislation.
The letter [PDF] from assistant commerce secretary David Redl to ICANN is polite but firm, congratulating a policy group within the organization for coming up with an initial set of recommendations but noting that critical aspects are unresolved.
"The timely completion of this work is imperative," Redl notes, adding: "Now it is time to deliberately yet swiftly create a system that allow for third parties with legitimate interests." His emphasis not ours.
At the heart of the issue is the so-called Whois system that records the name, address and contact details of anyone that registers a domain name. It was created in the very early days of the internet and the information was published online but, as the internet grew, so did concerns about that information being made freely available.
The Whois is used by law enforcement, cybersecurity researchers and intellectual property lawyers to track who runs and owns specific internet addresses. But for the past 30 years it has also been used by scammers, spammers and miscreants to harvest people's most personal details – from their phone numbers to personal email to home addresses.
For 15 years, there have been near-constant efforts to update the Whois system within ICANN but a failure to arrive at agreed changes has simply reinforced the status quo – something that was in some groups' self-interest.
That all changed with Europe's GDPR privacy legislation which suddenly raised the specter of large fines if companies were found to be publishing personal data without user permission.
For a decade ICANN ignored warnings by European data protection authorities and registrars based in Europe that the Whois system was effectively illegal, relying on the fact it was based in the US to escape liability.
As a result, the organization failed to see the impact of GDPR – where companies under contract with it could be fined up to four per cent of their annual revenue for publishing personal information – until it was too late.
Head in the sand
While every other industry made the necessary changes to become compliant with the law in time for its introduction (there was a two-year lead time), ICANN refused to acknowledge it was impacted until one of its registrars bluntly informed the organization seven months before the law came into effect that it would not provide the contracted Whois service because the relevant clause was "null and void," since it conflicted with European regulations.
That led to a scramble to develop new rules that proved highly embarrassing for the organization. At its lowest ebb, ICANN's Board and staff persuaded themselves that they could ask for a special "moratorium" from the European authorities. Its CEO even flew to Brussels to explain why it should be granted immunity. There, the authorities informed the organization that no such mechanism existed, or could exist, because the law had already been passed two years earlier.
ICANN then embarked on a series of increasingly bizarre legal challenges in an effort to maintain its legal authority over the Whois system, which it lost repeatedly in the German courts. In the end, the organization was forced to turn off the system altogether and promised to come up with an alternative within a year. Next month that self-imposed deadline is up as the organization's "temporary specification" expires but it has, predictably, made little progress.
The group assigned to coming up with a solution – the snappily titled Expedited Policy Development Process (EPDP) on the Temporary Specification for GTLD Registration Data – came up with a series of initial recommendations in March and the US government's Redl noted in his letter that he "encourages the Board to expeditiously adopt the recommendations of the group."
But the recommendations do not address the biggest issue: who is entitled to view the "non public" parts of the system, which means people's phone numbers, email addresses and home addresses.
All about the IP
Redl lists three groups that the US government believes should have access to that data: law enforcement, intellectual property rights holders and cybersecurity researchers. In truth, few within ICANN have a problem with law enforcement and cybersecurity researchers having access to the data and the argument revolves almost exclusively around IP interests i.e. trademark lawyers.
Those lawyers have made a seemingly endless series of arguments for why they should have the right to access that private information. But no one except the US government is persuaded and thanks to those same lawyers blocking any kind of Whois reform for over a decade, there is a shortage of goodwill toward them from other groups within ICANN.
The big difference is that the status quo is no longer that Whois will remain open but that it will remain closed, so there is little reason for privacy advocates to accede to demands that private data should be provided to private companies just because they want it.
When faced with a difficult decision, ICANN has developed a strong culture of delay, often for years. The argument over .amazon for example has been going on for seven years with no resolution in sight.
Hence the intervention from the US government, driven by those same IP interests. In his letter, Redl insists that "access to non-public data is critical" for the three groups he identifies so that they can "fulfill their missions."
He then outlines his own timetable for finishing up the key issue of access, noting that he expects to see "substantial progress, if not completion, in advance of ICANN’s meeting in Montreal in November." Industry insiders say that is unlikely to happen.
The US government no longer oversees ICANN following a contentious process that ended in 2016, so its main form of leverage is the fact that ICANN remains a US corporation and most of its money derives from US companies.
As such, Redl warns in his letter that "without clear and meaningful progress, alternative solutions such as calls for domestic legislation will only intensify and be considered." In other words: if you thought dealing with IP lawyers and privacy advocates was bad, just wait until you see the living hell that the US Congress can induce.
ICANN responded in its own inimitable way to the blunt letter from its own government demanding progress: it published a blog post outlining how hard it was working. Never mind the quality, feel the thickness. ®