ICANN's Pre-emptive Attack On The GDPR Thrown Out By Court In Germany
from the who-is-whois-for? dept
The EU’s General Data Protection Regulation (GDPR) has only just started to be enforced, but it is already creating some seriously big waves in the online world, as Techdirt has reported. Most of those are playing out in obvious ways, such as Max Schrems’s formal GDPR complaints against Google and Facebook over “forced consent” (pdf). That hardly came as a shock — he’s been flagging up the move on Twitter for some time. But there’s another saga underway that may have escaped people’s notice. It involves ICANN (Internet Corporation for Assigned Names and Numbers), which runs the Internet’s namespace. Back in 2015, Mike memorably described the organization as “a total freaking mess”, in an article about ICANN’s “war against basic privacy”. Given that history, it’s perhaps no surprise that ICANN is having trouble coming to terms with the GDPR. The bone of contention is the information that is collected by the world’s registrars for the Whois system, run by ICANN. EPAG, a Tucows-owned registrar based in Bonn, Germany, is concerned that this personal data might fall foul of the GDPR, and thus expose it to massive fines. As it wrote in a recent blog post:
We realized that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts [for each domain name].
All of those activities are potentially illegal under the GDPR. EPAG therefore built a new domain registration system with “consent management processes”, and a data flow “aligned with the GDPR’s principles”. ICANN was not happy with this minimalist approach, and sought an injunction in Germany in order to “preserve Whois data” — that is, to force EPAG to collect those administrative and technical contacts. A post on the Internet Governance Project site explains why those extra Whois contacts matter, and what the real issue here is:
The filing by ICANN’s Jones Day lawyers, which can be found here, asserts a far more sweeping purpose for Whois data, which is part of an attempt to make ICANN the facilitator of intellectual property enforcement on the Internet. “The technical contact and the administrative contact have important functions,” the brief asserts. “Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content.”
As the tell-tale word “content” there reveals, the real reason ICANN requires registrars to collect technical and administrative contacts is because the copyright industry wants easy access to this information. It uses the personal details provided by Whois to chase the people behind sites that it alleges are offering unauthorized copies of copyright material. This is precisely the same ICANN overreach that Techdirt reported on back in 2015: the organization is supposed to be running the Internet’s domain name system, not acting as a private copyright police force. The difference is that now the GDPR provides good legal and financial reasons to ignore ICANN’s demands, as EPAG has noted.
In a surprisingly swift decision, the German court hearing ICANN’s request for an injunction against EPAG has already turned it down:
the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
However, as ICANN rightly notes, that still leaves unanswered the key question: would collecting the administrative and technical contact information contravene the GDPR? ICANN says it is “continuing to pursue the ongoing discussions” with the EU on this, and a clarification of the legal situation here would certainly be in everyone’s interests. But there is another important angle to this. As the security researcher Brian Krebs wrote on his blog back in February:
For my part, I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity as the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities. I also very often rely on WHOIS records to locate contact information for potential sources or cybercrime victims who may not yet be aware of their victimization.
There’s no reason to doubt the importance of Whois information to Krebs’s work. But the central issue is which is more important for society: protecting millions of people from spammers, scammers and copyright trolls by limiting the publicly available Whois data, or making it easier for security researchers to track down online criminals by using that same Whois information? It’s an important discussion that is likely to rage for some time, along with many others now being brought into sharper focus thanks to the arrival of the GDPR.