Business

Policy

As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains

Whois and ICANN – the Sonny and Cher of internet policy

By Kieren McCarthy in San Francisco

47 SHARE

Incoming European privacy laws which carry a global impact for anyone doing business in the Union are continuing to cause an epic policy meltdown at internet overseer ICANN.

This week the European Commission responded [PDF] to the US-based organization's latest efforts to resolve a stark conflict between the domain name system's Whois service and the General Data Protection Regulation (GDPR), that will come into force this May.

It was not impressed.

"Given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches," wrote the EC's director-general of technology and communications, Roberto Viola.

"The Commission therefore encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs and interests."

Which is a nice way of saying: That's it? This is what you've been working on?

Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system

READ MORE

The current Whois system publishes the name, address and telephone number of everyone that registers internet address; a system that is illegal under GDPR because it doesn't seek people's consent before sharing their personal details. Some companies offer to hide your details for an extra fee but that doesn't cut it either under GDPR rules.

ICANN has done its best to ignore that fact for a number of years, relying on the fact it is a US corporation and that the American government is strongly supportive of the Whois system.

But then the companies that fund the organization started explaining that it was a real problem. Many have their headquarters or subsidiaries in Europe and GDPR imposes fines of up to €20 million or 4 per cent of turnover, whichever is larger, if companies are not in compliance.

We got this

So in response ICANN decided to commission a third-party to put everyone's minds at rest. But that expert came back and told ICANN the same thing: you have to sort this out now.

The problem really hit home when registries under contract with ICANN started rejecting the organization's authority. ICANN's legal department sent threatening letters to two internet registries based in Europe that said they won't run a Whois service. ICANN informed them it was in their contract.

They got back: that part of the contract is "null and void" because it conflicts with European law. It's safe to say that woke the Californian organization up.

Several months later, ICANN came up with a quick fudge: it would not impose its contractual obligations if companies sent it a letter explaining what they intended to do to fulfill the new European regulations. The idea was that ICANN would then use these models to devise its own system, which it would then ask everyone to apply.

And then earlier this month - three months later - it outlined its solution. Well, its four solutions. And another eight solutions offered by others. Twelve solutions in total, packed into an Excel spreadsheet [XLSX].

There you go - sorted. ICANN's summary of other people's solutions.

With just over three months remaining before the law kicks in, a hugely complex and expensive change to how the internet's addressing system will work was expressed only in terms of a graphic so vague that no one quite knows what it means.

Umm, how do we say this?

The European Commission's biggest fear appears to be that ICANN will panic and impose whatever it thinks is the best solution without having given the fix proper consideration.

"Given the importance of determining the best approach in light of the important interests at stake and the many stakeholders concerned, we consider that it would be better to delay ICANN's final decision on the interim model while keeping the current momentum," the letter from Viola suggests.

He goes on: "Deferring the decision until after ICANN61 would allow for discussion with all stakeholders involved as well as the data protection authorities, which can only usefully take place now that concrete models have been put forward for consideration."

ICANN 61 refers to the organization's meeting in San Juan, Puerto Rico next month. It will be the last opportunity for ICANN's constituent groups to come together and agree a solution before GDPR becomes law.

The European Commission is arguing that a decision not be made by the ICANN Board in March but that the meeting be used to reach agreement and then the Board approved an interim solution later – presumably at its meeting in April or May.

Even by the standards of ICANN, an organization that is seemingly incapable of making a decision until it has no other choice, that is cutting it tight. ®

Sign up to our NewsletterGet IT in your inbox daily

47 Comments

More from The Register

DNS ad-hocracy in peril as ICANN advisors mull root server shakeup

Plan could reduce the number of central server operators

Internet overseer ICANN loses a THIRD time in Whois GDPR legal war

US org told by German court its delusional claims in privacy rules battle are not credible

German court snubs ICANN's bid to compel registrar to slurp up data

GDPR hell to continue for unprepared DNS overseer

ICANN't get no respect: Europe throws Whois privacy plan in the trash

Clueless DNS overseer sees lazy efforts torn apart – again

Domain name sellers rub ICANN's face in sticky mess of Europe's GDPR

Seeing as you love moratoriums on following the rules so much, how 'bout we get one, too?

ICANN takes Whois begging bowl to Europe, comes back empty

Rude awakening – yet again – for American DNS supremo

US government weighs in on GDPR-Whois debacle, orders ICANN to go probe GoDaddy

Yeah that oughta do the trick

Who had ICANN suing a German registrar over GDPR and Whois? Congrats, it's happening

Time for plan C, says DNS overlord stuck in a privacy bind

ICANN pays to push Whois case to European Court of Justice

Just has to lose GDPR rulings in other courts first

Whois is dead as Europe hands DNS overlord ICANN its arse

Can we still have a GDPR moratorium, asks US domain-name body