Slashdot Mirror


Will GDPR Kill WHOIS? (theregister.co.uk)

Slashdot reader monkeyzoo shares the Register's report on a disturbing letter sent to ICANN: Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force... ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number. ICANN has already acknowledged it has no chance of doing so... The company warns that without being granted a special temporary exemption from the law, the system will fracture. ["Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law," ICANN warns.]
"ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law," writes the Register. "But its entire strategy was built on a fantasy."

Thursday the EU's data protection advisory group told the site that there's no provision in the GDPR for an "enforcement moratorium", and the Register adds that the EU's data protection advisory group "is clearly baffled by ICANN's repeated requests for something that doesn't exist."

27 of 215 comments

  1. registrars' license to print money has expired. by Anonymous Coward · · Score: 4, Interesting

    I wonder if ICANN was getting kickbacks from GoDaddy and the like from 'private' registration fees... and that was the reason for them dragging their feet here... The EU's new requirements all but kill that 'little' side business and profit center.

  2. Do as Sweden do by therealspacebug · · Score: 4, Informative

    Sweden's domain .se does not show who owns a domain. If more info is needed you have to ask the register.

  3. Re:And phone books? by Alain Williams · · Score: 2

    Another good example is the UK registry of limited companies. Here are the names of the directors of Tesco (a large supermarket) for all to see. How does that differ from whois?

  4. The Internet needs WHOIS records today by FeelGood314 · · Score: 2

    We may not need all the fields in the WHOIS record but there are many that are currently needed for the internet to function. I find it bizarre that the EU's data protection advisory group doesn't understand this and wouldn't create some sort of temporary provision to allow ICANN time to adjust. Their response seemed very arrogant.

    1. Re:The Internet needs WHOIS records today by Zocalo · · Score: 5, Insightful

      They've had two years since the GDPR was signed to law to prepare, and arguably *ten* years since the working group tasked with creating the GDPR first started outlining what they were going to propose to assess the likely impacts. ICANN have had plenty of time to "adjust" - and that other WHOIS providers around the world have adjusted is evidence of that - but chose to stick their head in the sand and claim it had nothing to do with them then, when it became obvious that was incorrect, to rely on something even their own legal counsel and contracted registrars told them was not going to fly. GDPR might be a vague legal quagmire for those that have to comply with it, but this, and the contractual mess it creates for their contracted registrars, is entirely down to ICANN's mismanagement of the situation.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:The Internet needs WHOIS records today by Joce640k · · Score: 4, Insightful

      I suspect the Internet will continue to function perfectly without my fake name, fake address and fake telephone number.

      --
      No sig today...
    3. Re: The Internet needs WHOIS records today by Pentium100 · · Score: 2

      The example was for warranty service. Under warranty, the money changes hands between the service center and the manufacturer, the customer is not involved in that transaction, only their appliance is. You only need the customer's telephone number so you can contact them when the repairs are done. You only need the customer's address if you plan on delivering the repaired appliance to them. You no longer need the information after the customer takes his appliance from you.

      But yes, if you do out-of-warranty service for the customer then accounting will have the invoice and the payment.

      Another example would be web sites that have "full name", "address" as required fields for registration. If I can type fake info and still have the proper service, then those fields are not really necessary, are they? For example, a company that is not going to deliver any physical object to me does not need my address. A company that is going to deliver a physical object to me, may not need my address anymore after the object is delivered (though I may give consent to store my address so I do not have to type it every time I order something). Ebay sellers, for example, do not need to keep my address after sending out the item - if I order something again, ebay will give them my address again.

      As I understand it, those requirements are so that 1) the customer data is not misused and 2) in case your customer database gets leaked, the damage will be less if only the information you need to have is there (and not the name and address of every person your company has ever dealt with).

  5. Please, I'm Special! by Artagel · · Score: 5, Insightful

    Well, this is one in a long line of people applying for exemptions to laws because they are special. The usual answer is, no, you are not special. It isn't for the administrative apparatus to get rid of the law it administers, it is for the political body responsible for the measure to pass a corrective measure.

    Presumably one would have to contact domain name holders through their registrars without knowing who the registrant is. The system is not transparent, but it is private.

  6. Re:and GDPR is? by AmiMoJo · · Score: 5, Informative

    The General Data Protection Regulation is a new set of rules governing the use of personal data in the EU. Among other things, it doesn't allow personal data to be shared without good reason, and ICANN makes names, addresses and other contact details available in the WhoIs database.

    These rules have been on the horizon for years. It's not like they were suddenly announced yesterday. ICANN has had a long, long time to find a solution.

    In any case, the system has been broken for decades anyway, because a lot of domains are registered behind privacy shield services, where a company registers the domain on behalf of their customer without revealing that person's information.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Re:Probably not kill by Joce640k · · Score: 4, Insightful

    Let's hope so.

    At the moment the whois database is:
    a) A free mailing list for spammers
    b) An excuse for ISPs to charge extra for "private listings".

    If this law can change the situation then it gets my vote.

    --
    No sig today...
  8. Re:And phone books? by arth1 · · Score: 2, Interesting

    You already have a right to not be listed in the phone book.
    What probably will change is that phone companies no longer can charge extra for this, and other 3rd party phone book providers (most of which are scammers) will have a much harder time operating.

  9. Re:and GDPR is? by Joce640k · · Score: 4, Insightful

    No explanation of what the law is, or what provision that ICANN is in violation of... WTF kind of summary is this?

    If you don't know how to use google then you probably shouldn't be reading this story.

    https://www.cennydd.com/writin...

    --
    No sig today...
  10. LOL by matushorvath · · Score: 4, Interesting

    We have been working on getting our software GDPR compliant for the past 6 months, with a huge effort in both analysis and development. And these guys think they will just shrug it off by waiting until the deadline and then writing a letter to the point of "we can just ignore this, right?" I literally LOLed.

    That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

    1. Re:LOL by AmiMoJo · · Score: 4, Insightful

      That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

      The classic "respecting your privacy is too hard" argument. Sure, it will take some time for everyone to come into compliance, but that's only because things got so bad already.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Re:Public Internet by Joce640k · · Score: 2

    Maybe it's an individual person who'd prefer not to have their full name, home address and telephone number published for the world to see.

    --
    No sig today...
  12. Re:and GDPR is? by AmiMoJo · · Score: 2

    It was finalized two years ago.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  13. Re:and GDPR is? by Joce640k · · Score: 2

    They've been on the horizon, but exactly what form they would take has been unclear. So it's reasonable that ICANN can't.

    If you'll bother to read the summary you'll see that ICANN has had its hands over its ears and been going "I'm not listening, I'm not listening" for the last couple of years.

    The law isn't hard to understand: It simply says "no!" to anybody who thinks personal data is something to be used to make money.

    Publishing a database like "whois"? Not allowed.

    --
    No sig today...
  14. Re:and GDPR is? by physicsphairy · · Score: 4, Insightful

    You can also google these news stories without ever having to visit Slashdot. The reason for coming here is for curated information which fosters discussion. The summary provides the minimum information to understand the nature of the discussion and links to resources containing the fuller details. I would have to agree that this summary has failed to do that. The fact it's possible to work around the summary's deficiencies with a little extra labor does not make those deficiencies non-existent.

    What makes more sense -- a million readers having to look up what GDPR is, or one person defining it?

  15. Re:That is what WHOIS does, doofus by Joce640k · · Score: 2

    What does matter is who owns it --who is responsible for content served-- and who to contact in case of technical trouble.

    Why? Why is there a need for any of that to be public information?

    If the content is illegal, tell the police. If the website is down then it's their problem, not yours.

    --
    No sig today...
  16. Re:and GDPR is? by monkeyzoo · · Score: 5, Informative

    As the "submitter" I have to agree. The summary published actually doesn't contain anything I submitted, nor did I submit anything that it contains. So I guess they editorialized it extensively, which is fine. But it still bears my name, which is weird.

  17. Re:and GDPR is? by monkeyzoo · · Score: 5, Informative

    Importantly, Slashdot's editors failed, IMO, to maintain a key point in this submission, that ICANN has been basically negligent and delusional in ignoring this pending law and failing to take any action in the TWO YEARS since the law was passed. And then at the last minute they asked for a moratorium and said otherwise they won't be able to adhere to the law. If you read the many months worth of coverage that The Register has published on this, it is a mindblowing story of incompetence and irresponsibility by ICANN. (Read the Register link in the OP, and the related articles will guide you.)

    Submitted:

    In a letter sent to DNS overseer ICANN, Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.

    ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.

    ICANN has already acknowledged it has no chance of doing so. The company warns that without being granted a special temporary exemption from the law, the system will fracture, perhaps even resulting in the Whois service being turned off completely while a replacement was developed.

    Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time.

    European agencies responded and tore ICANN's plan to shreds, pointing out that it needs to be much more precise and to include both compliance and auditing functions. Critically, however, it did not address ICANN's request for a moratorium.

    Even the idea of a moratorium appears to have been invented by ICANN. There is no evidence of a similar request from any other industry, and the GDPR is, after all, a globally applicable law that affects everyone.

    ---
    ICANN gives domain souks permission to tell it the answer to Whois privacy law debacle
    https://www.theregister.co.uk/...

    As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains
    https://www.theregister.co.uk/...

    Whois is dead as Europe hands DNS overlord ICANN its arse
    https://www.theregister.co.uk/...

    US government weighs in on GDPR-Whois debacle, orders ICANN to go probe GoDaddy
    https://www.theregister.co.uk/...

    ICANN takes Whois begging bowl to Europe, comes back empty
    https://www.theregister.co.uk/...

    Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year
    https://www.theregister.co.uk/...

    https://www.icann.org/en/syste...

    https://www.icann.org/news/ann...

  18. Re:and GDPR is? by monkeyzoo · · Score: 4, Informative

    It seems obvious that ICANN was willfully ignoring reality. Various passages from The Register's coverage of the years-long unfolding:

    ICANN has done its best to ignore [GDPR] for a number of years, relying on the fact it is a US corporation and that the American government is strongly supportive of the Whois system.

    But then the companies that fund the organization started explaining that it was a real problem. Many have their headquarters or subsidiaries in Europe and GDPR imposes fines of up to €20 million or 4 per cent of turnover, whichever is larger, if companies are not in compliance.

    So in response ICANN decided to commission a third-party to put everyone's minds at rest. But that expert came back and told ICANN the same thing: you have to sort this out now.

    The problem really hit home when registries under contract with ICANN started rejecting the organization's authority. ICANN's legal department sent threatening letters to two internet registries based in Europe that said they won't run a Whois service. ICANN informed them it was in their contract.

    They got back: that part of the contract is "null and void" because it conflicts with European law. It's safe to say that woke the Californian organization up.

    Several months later, ICANN came up with a quick fudge: it would not impose its contractual obligations if companies sent it a letter explaining what they intended to do to fulfill the new European regulations. The idea was that ICANN would then use these models to devise its own system, which it would then ask everyone to apply.

    When ICANN's staff and board realized it was going to be impossible to hit the May 25 deadline, it decided – by itself – that the best solution was simply to ask the DPAs for a delay.

    And somehow – despite those authorities giving no indication that such an approach was even possible – the idea of a moratorium became the central component of ICANN's efforts to become compliant with the law.

    In its summary of the subsequent meeting with WP29 earlier this week, US-based ICANN makes no mention of its core request for a moratorium and when we asked the organization whether it had made the request and what response it had received, it responded that it was "provided feedback from the DPAs and agreed there remain open questions."

    What we now know is that the DPAs were much more blunt in their response: "The GDPR does not allow national supervisory authorities to create an 'enforcement moratorium' for individual data controllers."

    Amazingly, it isn't just this concept of a moratorium where ICANN has deluded itself into believing a different version of reality.

    Despite the clear guidance of the DPAs and even of its own external legal counsel that it specifically hired to advise it on how to become GDPR compliant, ICANN has also persuaded itself that it was going to be able to publish people's email addresses.

  19. Re:and GDPR is? by dgatwood · · Score: 2, Insightful

    There's a quick solution to all of this. ICANN and IANA jointly run the root servers. Announce that any TLD registrar that doesn't provide WHOIS service will no longer be listed, and see how many days it takes the EU to fix their law.

    If there is a conflict between the GDPR and WHOIS, then contrary to popular belief here on Slashdot, this is a flaw in the GDPR. As far as I know, even in the EU, people are not allowed to do business as a fictitious entity without registering their identity in a way that someone defrauded can look them up. The WHOIS database is the Internet equivalent of that. It serves an important role in the governance of the Internet, particularly with regards to copyright enforcement, but also with regards to libel laws, etc.

    What the EU has done, with GDPR, is try to override the laws of many, many other countries whose laws require WHOIS to exist in one form or another, and to tear down one of the foundational pillars of Internet governance itself.

    IMO, the nuclear response is the correct one. If, after GDPR goes into effect, registrars drop WHOIS, the Internet as a whole should drop all domains from that registrar from being visible anywhere outside of Europe. If they don't want domains to have to identify their owners, they can feel free to create their own little ultra-anonymous hell, cut off from the rest of the world. If they want the rest of the world to be able to see their websites, keeping their contact information up-to-date publicly is one of the requirements.

    More to the point, everyone who owns (rents) a domain name knows this. The GDPR was intended to prevent companies from using people's personal information without their knowledge or consent. No domain owner should be surprised by the fact that WHOIS exists or by the fact that his or her information is being used in this way, because it was made abundantly clear in the ICANN domain registration agreement that he or she had to sign prior to registering a new domain name.

    Further, ICANN-based registrars typically even go beyond the requirements of GDPR by regularly reminding registrants of their contractual obligation to keep their information in WHOIS up-to-date, lest their domains be confiscated.

    So either the people reading the GDPR are misinterpreting it grossly or the GDPR is a train wreck of a law that attempts to force the will of a whiny group of bureaucrats over the objections of everyone involved in Internet governance. If it is the first, then the registrars will ignore the GDPR with regards to WHOIS, and nothing will change. I strongly suspect that this is the case, and that this is all much ado about nothing.

    That said, if it is the latter, then the right thing to do is to segregate the EU into its own private Internet until such time as it agrees to comply with the rules of Internet governance. Their choice.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  20. Re:and GDPR is? by Khyber · · Score: 4, Interesting

    "The summary published actually doesn't contain anything I submitted, nor did I submit anything that it contains."

    I think it's about time a lawyer got involved because the editorialization has gone beyond anything reasonable. This literally amounts to them using your idea, your story, but literally everything stated is put into your mouth as if you had actually said it when you did not, ever.

    Especially when the comments and such are supposed to be owned by the poster, which means they could've said some actionable and libelous shit, and been "That's how he submitted it." Now your ass is on the hook for their editorialization, which contains none of your original content.

    No, this runs too close to being akin to identity theft in my book, and really msmash and anyone else on /. staff should probably consult with their lawyers on the legalities of what I just discussed, because this is serious. And they should probably make a full-out pinned story/apology for such bullshit.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  21. Re:Probably not kill by Antique Geekmeister · · Score: 5, Interesting

    Please allow me to disagree. The "free mailing list for spammers" is for data that is typically already accessible by many other means, all of which are already in use by spammers.

    Also note that most domains are not legitimate. Most are owned by domain squatters. In particular, they are owned by Network Solutions, which pre-registers all unused domains that are looked up from their servers, including their "whois" services and held hostage to prevent the people who sought the domain from registering it anywhere but through Network Solutions. The practice is sometimes known as "domain frontrunning", but I would certainly qualify it as cyber squatting. Network Solutions, and the domain registrars for the more than 1000 current top level domains, can do this without paying any fees for the 4-day holding period.

    Other sources of fraudulent domains, eased by current policies, are domain squatting for fraud. It's been useful to be forced to provide valid contact information, since a business owner can be contacted and served with a court order to cease operations, and a fraud can be reported for fraudulent contact information and get their domain canceled. It's also been useful to contact domain owners to notify them of network or service difficulties that are otherwise difficult to report: "send me email" or "go to the website" does not work when the site's DNS service has failed for any reason, or web servers are down. I've certainly used it that way and it's been invaluable to reach business partners in the middle of the night, when even their own alert system is disabled by a network issue.

  22. Re:and GDPR is? by SuricouRaven · · Score: 4, Interesting

    Whois is a relic of the early days of the internet, when things were small and simple, and most conflicts were resolved engineer-to-engineer with a phone call or an email. The contact information was there to allow this sort of communication - often in the form of 'logging hack attempts from your server, someone probably compromised it' or 'Fix your bloody BGP announcements!' There was no point involving anyone else - the rest of the company barely understood what a computer did.

    That was before there were millions of dollars at stake and lawsuits were commonplace. These days any large company is going to want all inter-company communications to go through customer services coming in and legal going out. They certainly won't want their engineers trying to directly contact the engineers of another company. Engineers tend to be distressingly honest at times, and what they see as a harmless explanation, a lawyer might see as an admission of error that can be used in a lawsuit.

  23. Re:and GDPR is? by AmiMoJo · · Score: 2

    GDPR doesn't affect things like company registration and ownership records. There is a clear legal, necessary requirement for them to exist and permission is required in order to set up a limited liability company.

    If ICANN tried to kick EU domains off then the EU would just fork DNS. The EU is much larger than the US (511 million to 325 million people) and any such move would hurt the US far more anyway, because the US would be the one with an incomplete set of DNS records.

    In practical terms the US would be forced to recognize domains registered in the EU, because otherwise people in the US could register the same domains and use them to spread malware. Of course a lot of services people rely on would break for US users too.

    ICANN will capitulate.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC