Internet Policy – Whois And GDPR: Sky Not Falling Just Yet?

The struggle over how to comply with Europe’s new General Data Protection Regulation dominates the agenda of the upcoming meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Panama. With the basic question how much data ICANN can ask its contractual partners to collect and store about its domain name customers, ICANN this week opened another hot topic to be discussed when publishing a paper on unified access to registration data. Meanwhile, trademark owners weighed in.

The 62nd ICANN meeting is taking place in Panama City, Panama, from 25-28 June.

On 17 May, a mere nine days before the GDPR became effective, ICANN published a temporary policy obliging its contractual partners to no longer publish any personal data in the so-called Whois database. The old Whois system, originally set up as a tool to facilitate contacting domain name owners in case of mainly technical problems, has been criticised by data protection experts for many years as a source of spam at least, and harassment of all sorts in the worst case. According to ICANN’s temporary policy, a domain name owner’s name, private address, phone number and email will still be collected upon registration, but not publicly displayed.

The locking up of these data resulted in harsh reactions, not the least from the new head of the US National Telecommunications and Information Administration, David Redl (IPW, North America, 12 March 2018).

ICANN now wants to quickly address the issue of “eligible user groups” for the privileged access, the organisation wrote in its proposal, “might include intellectual property rights holders, law enforcement authorities, operational security researchers, and individual registrants.”

INTA: Access Necessary, and Quickly, Please

Speaking for the International Trademark Association, Lori Schulman, senior director for internet policy, defended trademark owners’ interest in getting access to the personal data in the Whois. Schulmann in a press release called the information that remains publicly available under the GDPR compliant Temporary Specification “insufficient to ensure a secure and reliable domain name system.”

“The whole system of trademarks was to ensure the quality of goods and services so if you take the power of the trademark owners away to enforce, then how do they live up to their own policies,” Schulman told Intellectual Property Watch. Acknowledging that “information from Whois might in unstable countries be used to find people, and in some cases peoples’ lives might be at risk,” Schulman said. “This is also the case with counterfeiting.”

Calling it an issue of “safety,” she said her organisation favours full access to all Whois data to find “patterns of abuse,” while currently also exploring with members which parts of the Whois data sets would be most important. Such data sets include about 50 data points.

The accreditation model announced by ICANN has to “be done as quickly as possible to not interrupt the ability of trademark owners to enforce their trademarks online and enable them to protect consumers,” she said.

On ICANN’s idea to make the World Intellectual Property Organization the accreditation body for IP owners, Schulman said that would make whole new infrastructure necessary at WIPO. Would INTA want to chime in? That had not been considered, Schulman said.

“ChallengeBox” Still Empty

In an effort to allow INTA members to share stories about problems they face with the new system, the industry organisation has offered recommendations on how to mitigate from using IP addresses to find out more about domain users to finding the data in historical Whois databases offered by providers not falling under the GDPR. In an effort to collect stories about the challenges arising from the new situation, INTA invited members to send in reports to a dedicated Whois Challenges email box.

So far, though, the box remained empty at press time, Schulman reported.

“It has only been a week,” she said, suggesting reluctance of IP owners to share stories as a potential explanation. “We might get reports, and we might get none, time will tell,” she said.

Michele Neylon, CEO of the Ireland-based registrar Blacknight, confirmed the lack of problem reports. “What I am hearing from registrars suggests that the volume of requests for now non-public data is very low,” Neylon said in a written answer from Panama, adding, “Why would registrars and ICANN spend millions building processes and systems that nobody uses?”

Data Addiction

Neylon also is highly critical of the IP community’s push against the limitations to share personal data of customers enforced by the GDPR.

“All the discussions around this are fundamentally flawed. To date the focus has been on the third-party user that is addicted to the non-public data,” Neylon warned. That would assume that the third party has “some ‘right’ or ‘entitlement’ to access all the data once they are ‘in the system’,” which is incompatible with the underlying principles of data protection.

Bulk access in Neylon’s case cannot be legitimate, even for law enforcement. “Should law enforcement have access to data? Yes,” Neylon said, “but only the data they need for a specific case or incident.” Comparing the calls for bulk access to phone records, he added: “The police can get access to any phone record they want, but they need to follow due process. The same with accessing physical mail. So why would the personal data in Whois records be any different?”

With regard to accreditation for law enforcement entities, ICANN has envisaged Europol and Interpol as potential arbiters and also enforcers of the rules of a privileged access system.

With regard to INTA’s calls to allow bulk access, Neylon finally said: “The data addicts want more and more data, and it is easy to ask for it because there is no cost to them to ask.” Also none of those asking have “any real exposure,” he said.

Contrary to the registrars and registries, the data addicts would not get fined by the data protection authorities. Whether that remains the case once data is allowed to flow via accreditors to privileged users remains to be seen, as ICANN already is proposing to log the access to data via accreditors to ensure compliance.

ICANN Getting Ahead of Itself on Court Procedure

With the community on its way to the controversial discussions at the Panama meeting, ICANN on June 21 announced that it was one step further in its effort to get judicial clarification on its temporary Whois policy.

On 25 May, the same day the GDPR became effective, ICANN’s lawyers filed a request for an immediate injunction to force EPAG, a German subsidiary of the large Canadian registrar Tucows, to follow the temporary specification. Tucows as many other registrars had decided for themselves that ICANN’s temporary specification was not “GDPR-failsafe” enough by still collecting personal data on the so-called admin-c and tech-c data fields that might not be necessary anymore.

After the Regional Court in Bonn declined the injunction, stating that to investigate abuse the domain registrant data is central and sufficient, ICANN on 13 June filed an appeal with the court. ICANN has now announced that the Court had “decided to revisit its ruling in the injunction proceedings.” Yet a spokesperson of the court told Intellectual Property Watch that the court as of 22 June had not yet decided if it will revisit or decline the appeal and send it directly to the next instance.

Neylon commented that “the key issue in the EPAG complaint is that ICANN is demanding all contacts as mandatory.” If they were optional, allowing a choice for the domain customer, it would be different, he said.

Schulman pointed to EPAG’s decision not being “in the spirit of the multi-stakeholder model.” She argued that when ICANN transitioned away from US control, EU registries and registrars in particular were calling for the US “to get their thumb off the internet” and “allow for a real multi-stakeholder model.” INTA supported this transition, Schulman said, “but we did not support it with the endgame in mind that someone somewhere who is subject to ICANN policies would now say, we’re going to jettison this.”

Meanwhile, the Internet Governance Project (IGP) on the other side criticised the ICANN policy by pushing for a uniform access model instead of giving the multistakeholder community time to develop it and it also offered a proposal of its own.

 

Image Credits: ICANN