Click the comments link on any story to see comments or add your own.
Subscribe to this blog
20 May 2018
On Friday I was on a surprisingly interesting session at Rightscon 2018 in Toronto about GDPR and WHOIS. The panel consisted of Eleeza Agoopian from ICANN staff; Avri Doria who was recently appointed to the ICANN board; Elliot Noss who runs large registrar Tucows; Stephanie Perrin who has done a lot of privacy work for the Canadian government and as an ICANN volunteer, and me; Milt Mueller, who is now at Georgia Tech, moderated. There was a lot of overlap of roles on the panel. For example, I was there as a security researcher, but I've also resold Tucows' service for almost 20 years.
I expected a lot of repetition of familiar arguments but was pleasantly surprised. Milt and others reminded us that they'd been telling ICANN about the privacy issues with WHOIS for 15 years and suddenly with GDPR there is a last minute panic. (In my experience there often were too many absolutist demands on both sides to make any progress.)
WHOIS is a service that was inherited from the pre-ICANN registries, and has never had a formal definition or rationale beyond that's the way it's always been. None of the attempts to rationalize WHOIS have gone anywhere, and there was a broad agreement that the processes had been repeatedly derailed by trademark lawyers who want a one-stop source for who to sue if someone utters their client's name in vain.
Elliot said with considerable emphasis that WHOIS data has been used and misused for a long time, a great deal of it by third party aggregators who stole it (his term) and resell it. With the GDPR looming in a week the registrars will do what they have to do to stay within the law, and if they have to choose between a fight with ICANN and a fight with governments, they'll choose the former.
He also said that the ICANN WHOIS compliance rules are arbitrary and widely abused. His registrar gets lots of complaints about missing fax numbers which are in obvious bad faith, often domain speculators hoping that the the domain will be cancelled and they can snipe it and resell it. On the other hand, I have seen plenty of domains at other registrars with obviously fake data, so we can't just trust the registrars.
Everyone agreed that some kind of tiered access is coming, with far too many of the details yet to be worked out. The privacy advocates often assumed that the people designing it hadn't thought through the issues. They were mostly wrong but I didn't see any reason to press the point, e.g., they assume that anyone who purports to be law enforcement gets access, while in fact we are quite aware that it is hard to tell who is really LE and who is not. There are further questions about whether it's a single bityou see everything or you see nothingor there's more complex access policies.
The Q&A started out with a guy from the Article 29 work party whose name I didn't catch talking about the view from his side. Everyone agrees that the GDPR never contemplated anything like ICANN or its situation. The rules that apply to ICANN were clearly written with large commercial marketers in mind. They work with ICANN as best they can, but they have to follow their rules. They can't give waivers, e.g., to delay the enforcement date, since the law doesn't allow them. A woman who does investigative journalism asked whether we'd thought about accrediting journalists (no, and it's another hard problem since every blogger is one in some sense) and about allowing queries without alerting the target (yes, security researchers and LE also have that issue.)
Elliot said, and we all agreed, that the registrars and registries and the people who need access will figure out private arrangements to get access since he was quite aware that the day after GDPR goes into effect there will be legit requests for data just as there are now. We'll figure it out, and it will most likely be handed back to ICANN as a fait accompli.
comments... (Jump to the end to add your own comment)
Add your comment...
Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.