Slashdot Mirror
Will GDPR Kill WHOIS? (theregister.co.uk)
Slashdot reader monkeyzoo shares the Register's report on a disturbing letter sent to ICANN:
Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force... ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number. ICANN has already acknowledged it has no chance of doing so... The company warns that without being granted a special temporary exemption from the law, the system will fracture. ["Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law," ICANN warns.]
"ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law," writes the Register. "But its entire strategy was built on a fantasy."
Thursday the EU's data protection advisory group told the site that there's no provision in the GDPR for an "enforcement moratorium", and the Register adds that the EU's data protection advisory group "is clearly baffled by ICANN's repeated requests for something that doesn't exist."
"ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law," writes the Register. "But its entire strategy was built on a fantasy."
Thursday the EU's data protection advisory group told the site that there's no provision in the GDPR for an "enforcement moratorium", and the Register adds that the EU's data protection advisory group "is clearly baffled by ICANN's repeated requests for something that doesn't exist."
Well, this is one in a long line of people applying for exemptions to laws because they are special. The usual answer is, no, you are not special. It isn't for the administrative apparatus to get rid of the law it administers, it is for the political body responsible for the measure to pass a corrective measure.
Presumably one would have to contact domain name holders through their registrars without knowing who the registrant is. The system is not transparent, but it is private.
The General Data Protection Regulation is a new set of rules governing the use of personal data in the EU. Among other things, it doesn't allow personal data to be shared without good reason, and ICANN makes names, addresses and other contact details available in the WhoIs database.
These rules have been on the horizon for years. It's not like they were suddenly announced yesterday. ICANN has had a long, long time to find a solution.
In any case, the system has been broken for decades anyway, because a lot of domains are registered behind privacy shield services, where a company registers the domain on behalf of their customer without revealing that person's information.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
They've had two years since the GDPR was signed to law to prepare, and arguably *ten* years since the working group tasked with creating the GDPR first started outlining what they were going to propose to assess the likely impacts. ICANN have had plenty of time to "adjust" - and that other WHOIS providers around the world have adjusted is evidence of that - but chose to stick their head in the sand and claim it had nothing to do with them then, when it became obvious that was incorrect, to rely on something even their own legal counsel and contracted registrars told them was not going to fly. GDPR might be a vague legal quagmire for those that have to comply with it, but this, and the contractual mess it creates for their contracted registrars, is entirely down to ICANN's mismangement of the situation.
UNIX? They're not even circumcised! Savages!
As the "submitter" I have to agree. The summary published actually doesn't contain anything I submitted, nor did I submit anything that it contains. So I guess they editorialized it extensively, which is fine. But it still bears my name, which is weird.
Importantly, Slashdot's editors failed, IMO, to maintain a key point in this submission, that ICANN has been basically negligent and delusional in ignoring this pending law and failing to take any action in the TWO YEARS since the law was passed. And then at the last minute they asked for a moratorium and said otherwise they won't be able to adhere to the law. If you read the many months worth of coverage that The Register has published on this, it is a mindblowing story of incompetence and irresponsibility by ICANN. (Read the Register link in the OP, and the related articles will guide you.)
Submitted:
In a letter sent to DNS overseer ICANN, Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.
ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.
ICANN has already acknowledged it has no chance of doing so. The company warns that without being granted a special temporary exemption from the law, the system will fracture, perhaps even resulting in the Whois service being turned off completely while a replacement was developed.
Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time.
European agencies responded and tore ICANN's plan to shreds, pointing out that it needs to be much more precise and to include both compliance and auditing functions. Critically, however, it did not address ICANN's request for a moratorium.
Even the idea of a moratorium appears to have been invented by ICANN. This is no evidence of a similar request from any other industry, and the GDPR is, after all, a globally applicable law that affects everyone.
---
ICANN gives domain souks permission to tell it the answer to Whois privacy law debacle
https://www.theregister.co.uk/...
As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains
https://www.theregister.co.uk/...
Whois is dead as Europe hands DNS overlord ICANN its arse
https://www.theregister.co.uk/...
US government weighs in on GDPR-Whois debacle, orders ICANN to go probe GoDaddy
https://www.theregister.co.uk/...
ICANN takes Whois begging bowl to Europe, comes back empty
https://www.theregister.co.uk/...
Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year
https://www.theregister.co.uk/...
https://www.icann.org/en/syste...
https://www.icann.org/news/ann...
Please allow me to disagree. The "free mailing list for spammers" is for data that is typically already accessible by many other means, all of which are already in use by spammers.
Also note that most domains are not legitimate. Most are owned by domain squatters. In particular, they are owned by Network Solutions, which pre-registers all unused domains that are looked up from their servers, including their "whois" services and held hostage to prevent the people who sought the domain from registering it anywhere but through Network Solutions. The practice is sometimes known as "domain frontrunning", but I would certainly qualify it as cyber squatting. Network Solutions, and the domain registrars for the more than 1000 current top level domains, can do this without paying any fees for the 4-day holding period.
Other sources of fraudulent domains, eased by current policies, are fomain squatting for fraud. It's been useful to be forced to provide valid contact information, since a business owner can be contacted and served with a court order to cease operations, and a fraud can be reported for fraudulent contact information and get their domain canceled. It's also been useful to contact domain owners to notify them of network or service difficulties that are otherwise difficult to report: "send me email" or "go to the website" does not work when the site's DNS service has failed for any reason, or web servers are down. I've certainly used it that way and it's been invaluable to reach business partners in the middle of the night, when even their own alert system is disabled by a network issue.