Fight Ahead Over Website Owner Data At ICANN Meeting This Week

Some of the data collection practices of the Internet Corporation for Assigned Names and Numbers (ICANN), private overseer over the domain name industry, “appear to be excessive, disproportionate, and obtained without the free consent of the individual,” the International Working Group on Data Protection in Telecommunications (IWGDPT) wrote in a paper published on the eve of the 61st ICANN meeting in San Juan, Puerto Rico (9-15 March). During the meeting, controversial discussions about ICANN’s just-published interim model for compliance with the European Union General Data Protection Regulation (GDPR) can be expected after ICANN published a “cookbook” for GDPR compliance.

The list of changes recommended by the IWGDPT, which is led by Berlin’s Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, does not stop at hiding personal data of domain name registrants, which are currently published in the so-called public Whois database. The group has a focus on this practice, a spokesperson of the Commissioner’s office told Intellectual Property Watch.

Personal data disclosure in the public directory is “not proportionate to the original purpose of the WHOIS,” the paper states, and also “contrary to data protection principles and to the data protection law in many jurisdictions.”

Data Protection Officials: Narrow Remit of ICANN

In addition, the IWGDPT, which consists of privacy officers from Europe, America, Asia Pacific and Africa and some experts from civil society, academia and business, calls on the private domain name oversight body to more generally reconsider its data protection posture.

“We want to call on the organisation to acknowledge the need to limit data processing, even for legitimate purposes, to the narrow remit of ICANN,” the spokesperson said. The recommendations state that while there certainly could be legitimate purposes for various parties to collect certain personal information, that did not necessarily mean that those purposes were legitimate purposes for ICANN to require processing of the personal data.

ICANN itself has, the data protection officials note, defined a rather narrow definition of purpose centering on “information sufficient to contact a responsible party for a particular gTLD domain name who can resolve, or reliably pass on data to a party who can resolve, issues related to the configuration of the records associated with the domain name within a [domain name system] name server.”

Yet, contrary to that, the body has extended data collections over recent years and in 2013 added a data retention scheme. This retention practice “may not be lawful or proportionate,” warns the IWGDPT, “particularly as some data elements seem to be processed solely for the possible future use by law enforcement.” Again the data protection officials recommend to re-examine “the entire issue of how law enforcement agencies, private sector security companies, and private sector trademark and copyright holders make use of registrant data.”

Finally, transfers of data between the different parties of the domain name market, service providers, domain name registrars and their resellers, and registries, and also transfers across borders are non-transparent and opaque for normal domain name users. The question of why personal data has to go up the tree all the way to ICANN was, especially for the European data protection officials, a big question. “If technically possible, why not stick to the decentralized system,” the spokesperson in Berlin asked.

ICANN: Cooking for the GDPR

The ICANN management so far has decided to stick to the status quo. Hot off the press, the “Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation” – the “cookbook” – proposes changes only for the Whois publication part. No personal names, postal or email address or phone numbers will be published in the openly accessible Whois database, according to the cookbook. To allow a direct connection to the registrant, a neutral email address is kept, though.

But with regard to all other issues piled up by the data protection officials, ICANN’s management opted for the status quo. Full data sets (with over 50 data elements), full retention periods, transfers from registrars to registries across borders to fulfil the so-called thick data model instead of the thin one, currently still in use for more than 131 million .com domains for example. The change from thin to thick for .com names alone means that the data of millions of users are to be transferred to the company VeriSign in the US. So far the .com-registry still is operating under the older, decentralised handling of registrants’ data – the thin registry model – under which personalized data can be kept at the local registrar who sold the domain to the user.

Asked for a first reaction, the Berlin data commissioner’s spokesperson said, “I would doubt that such a proposal goes far enough.” ICANN CEO Göran Marby in a blog post before the ICANN meeting underlined that his organisation is in consultations with the Article 29 Working Party, the body of European data protection officials. The Article 29 party has given a mandate to a technical sub working group to look deeper into the issue, according to officials. Evaluations of ICANN’s proposals nevertheless have to go through the plenary, presumably in April.

ICANN in a rush now is trying to come up with a system of tiered or layered access to the now-hidden personal data for law enforcement, dispute resolution providers, and also some private parties, for example the highly concerned intellectual property community. Registries and registrars according to the cookbook “must provide access to non-public registration data only for a defined set of third-party requestors approved under a formal accreditation program administered by ICANN.” Whois eligible for full access will be developed in consultation with the Governmental Advisory Committee (GAC) and relevant EU data protection authorities, according to ICANN.

Governments could, upfront, provide “a list of authorized law enforcement authorities and other governmental agencies approved for access to non-public WHOIS data.” Beside GAC as the party to administer access for law enforcement authorities and dispute resolution providers access, and even private parties, the cookbook also mentions bilateral or multilateral agreements or just “legal processes.”

Data Grab

Stephanie Perrin, Canadian data protection expert and member of the Non-Commercial User Constituency, said she is worried with regard to putting the GAC in charge. “The GAC has over the years been the champion of open access Whois,” she recalled, “so do we want to trust that body with overseeing access?“ GAC over the years in fact has a track record of sitting down with parties asking for more data, namely law enforcement officers engaged in fighting fraud schemes and parties concerned with violations of trademarks or otherwise protected names. Data protection officials rarely are invited to the table.

Being close to the process, Perrin also is afraid that given the complexities of access management for so many different the call for a centralized database might be reinforced. “It smells much more like one central repository, despite this is not necessary for the tiered access solution, because you could use the new protocol RDAP instead,” she said.

ICANN Does Not Want to Be Data Controller

One more question looming over the Whois, data protection and GDPR controversy in San Juan is, whether ICANN is a data controller and can – if it messes up – in the end be fined by the European Data Protection authorities?

“To the extent that ICANN controls the collection of data through its contracts, and compels the registrars to collect, display, retain and escrow data, it is a data controller,” the IWGDPT matter-of-factly wrote. But ICANN would love to avoid this. “ICANN has determined that each contracting party is acting as an independent controller,” wrote ICANN, instead of being joint controllers. So there is more controversy ahead.