As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains

Incoming European privacy laws which carry a global impact for anyone doing business in the Union are continuing to cause an epic policy meltdown at internet overseer ICANN. This week the European Commission responded [PDF] to the US-based organization's latest efforts to resolve a stark conflict between the domain name system …

  1. Anonymous Coward
    Anonymous Coward

    I can almost guarantee that the rest of Silicon Valley

    Are thinking with the same complacency. No matter what they say. Backroom jokes about the odd / quaint Germans with their stupid old-fashioned Stasi fears. Irrationality! Meanwhile the rest of us are sleep-walking to a global surveillance state, that'd give the Stasi instant hard-ons.

    1. Voland's right hand Silver badge

      Re: I can almost guarantee that the rest of Silicon Valley

      are sleep-walking to a global surveillance state, that'd give the Stasi instant hard-ons.

      I believe we are already there. Probably time to check Comrade Erich Honecker's grave. I bet there are cracks in the marble plate because of the constant pressure from underneath.

  2. Anonymous Coward
    Anonymous Coward

    I was just given my first Article 14 from tastecard.co.uk that links to their GDPR privacy policy (tastecard.co.uk/privacy-policy/). It's safe to say, it's completely wrong. I mean, it's the exact opposite of a privacy policy:

    The Dining Club Group (DCG) have a legitimate interest in further processing the information which is provided by customers at the point of sale for marketing purposes.

    We may also use your data, or permit selected third parties, such as but not limited to; participating restaurants or Livebookings Holdings Limited, trading as Bookatable, to use your data to provide you with information about goods and services which may be of interest to you and may contact you about these by post or telephone.

    So, what they are saying is, we'll give your data to anyone, anywhere, without your explicit consent because, um, we want to.

    There is a spanking coming soon, and it's going to be epic. *popcorn*

    1. Anonymous Coward
      Anonymous Coward

      'popcorn'

      Hopefully! But it will take lawyers / law-firm sueballs to actually bring the pain. None of the governments / regulators of the world are agile enough! Look at cold-calling firms and their fines as a reference point along with the Irish DPC. It's all 'soft' complicity:

      https://www.irishtimes.com/business/technology/independence-of-data-protection-commissioner-questioned-1.2513682

      http://www.thejournal.ie/data-protection-commissioner-new-office-1488473-May2014/

      https://qz.com/162791/how-a-bureaucrat-in-a-struggling-country-at-the-edge-of-europe-found-himself-safeguarding-the-worlds-data/

      https://qz.com/993995/how-facebooks-fb-sheryl-sandberg-personally-lobbied-irish-prime-minister-enda-kenny-as-shown-by-2014-emails-published-in-the-irish-independent/

    2. James 139

      Their policy statement lets you know, up front, what they want to do with your data. My brief searching about it suggests this is valid, and therefore IS a privacy policy.

      They appear to be offering you two choices when it comes to data permissions, either accept it, or refuse it and don't use the card, their services or anything else they may be offering that requires your data.

      By granting them permission, you know what you are granting them permission to do, it is their choice to be basically giving a binary choice. Hopefully other companies will offer a more granular approach, the old "allow us" and "give to 3rd parties" choices.

      In theory, however, you should be able to write to them and explicitly revoke the use of your data with 3rd parties or even other businesses within their own group, except where they are legally required to do so.

      1. mark 120

        There's another Article which says you can't make a service or product conditional on signing up to Marketing, and it reads like that's exactly what they're proposing to do. So they're still wrong.

      2. TheVogon

        "Their policy statement lets you know, up front, what they want to do with your data."

        But they need your *explicit* permission to use your data. Not just passive permission from continuing to use their services.

        1. Fonant

          ICO:

          You must have a valid lawful basis in order to process personal data.

          There are six available lawful bases for processing.

          So you can process personal data if you have one (or more) of these:

          • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
          • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
          • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
          • Vital interests: the processing is necessary to protect someone’s life.
          • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
          • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

          So if you want to sell someone's details for marketing purposes, you must have explicit consent to do so. If you want to bulk email all your customers to let them know about a product recall, you don't need their explicit consent to do so. If you process personal information for the purposes of sending out quotations to people who've asked for them, or invoices to people you've contracted to work for, there is no need for explicit consent to do so.

    3. Anonymous Coward
      Anonymous Coward

      The basic problem is with the ICO. There is a complete absence of thorough worked examples for many scenarios. It gets very confusing, especially for the public.

      - I AM NOT A LAWYER, THIS IS NOT ADVICE -

      In this case they are telling you what they are going to do with your data and why, which is good, and even the business sector that they will pass it onto (note, not everyone). It's probably specific enough to pass. They relied on "legitimate interest" to hand your details over to others partly for their own business interests but partly for yours.

      There must be a LIA (legitimate interest assessment) document somewhere where they weighed up what you the user get out of that as a service (being able to book a table via that third party), vs the impact on your privacy (very little). It would also have looked at if there was a lower impact way to achieve this too (probably not). Those third parties won't be allowed to use those details for general marketing etc - that would be a breach.

      The bit about "goods and services which may be of interest to you" seems a bit broad and might not pass muster. It is however quite difficult to frame this in a way to cover every service they provide to you via third parties (or might wish to in future), without getting broad. The third parties could only use your details for legitimate interest once again - again requiring a LIA assessment. This would probably include contacting you to tell you that your table reservation has been cancelled due to the Restaurant burning down.

      Due to the lack of concrete example guidance from the ICO, you are going to have to get used to seeing lots of companies feeling their way towards a fully compliant process.

      So yes, it looks like they are trying to do the right thing, it's just really really hard to get right and still run a business.

      1. Doctor Syntax Silver badge

        "There is a complete absence of thorough worked examples for many scenarios."

        What makes you think that there should be? The ICO don't know your business or your systems. The legislation is there. You need to look at how your business is affected by it, just like any other piece of legislation. Would you, for instance, expect a thorough worked example of how to fit fire doors to your premises so you could comply with legislation on fire protection?

        1. Anonymous Coward
          Anonymous Coward

          "Would you, for instance, expect a thorough worked example of how to fit fire doors to your premises so you could comply with legislation on fire protection?"

          Actually, yes. I'd expect details on exactly what constitutes a fire door. What standards it has to comply with, and hopefully a series of diagrams indicating compliant and non-compliant ways to fit them (they have to open in particular directions depending on where they are located).

          With the ICO, a series of common, yet specific worked examples would help enormously. Such as a website with login that collects name and email in order to allow personalisation and password reset, but is associated with tracking user engagement.

          What should be the disclaimer on the site?

          What options do you need to give the user?

          What should the data access report look like if the user demands it later? Do you give them just their PII, or all connected information? Where does that stop, do you include logs? How about IIS logs? Firewall logs?

          You know IP addresses are (mistakenly) regarded as PII right? Yes, even dynamic ones. You cannot rely on common sense with this stuff. Some of it doesn't make sense, but it's still the law.

          1. TRT Silver badge

            And another sneaky thing...

            beaglestreet

            You want a more detailed quote for cover, you fill in a form asking for name, age, address, email, phone etc then it gives you three squares "We may contact you in the following ways: email, phone, post".

            But they are just little boxes that turn blue or white when you click on them. No checkbox. The rules are that they can't "pre-select" opt-in to marketing. So the un-selected boxes (presumably) are bold and blue and stand out and look like they are selected. The SELECTED (presumably) boxes are white, flat, less bold, and look like inactive buttons.

            This is the sort of shit we've got to look forwards to?

            Spank that beagle.

          2. Dodgy Geezer Silver badge

            ...You know IP addresses are (mistakenly) regarded as PII right? Yes, even dynamic ones. You cannot rely on common sense with this stuff....

            If you do not understand a subject, the appropriate thing to do is to educate yourself, not display your ignorance.

            'Personal' data, as defined in data protection legislation, is data by which you can uniquely identify a person. That data can be ANYTHING so long as the identification process can operate, either with the actual data alone or with any extra data which you can reasonably be expected to have.

            So, if a company issues differently coloured jumpers to its staff, and holds a list of the jumpers issued against staff IDs, the jumper colour becomes controlled data for the purposes of data protection legislation...

            1. Anonymous Coward
              Anonymous Coward

              > So, if a company issues differently coloured jumpers to its staff, and holds a list of the jumpers issued against staff IDs, the jumper colour becomes controlled data for the purposes of data protection legislation...

              You (and they) seem to have made the incorrect leap that 1 IP at one point in time = 1 person. If you can then figure out who that person is, you have identified who did what.

              However in the real world it's normal to have 1 IP = a whole organisation / household. Someone in that organisation may have an account with an ISP, but it doesn't follow that they did whatever was attributed to the IP address in question. Yes it's possible to have a single public IP for a single individual, but it's far from a certainty. I suppose that to be safe, the judgement is that ALL IPs will be counted as potential PII.

              In your jumper example, the company assigns jumpers to particular individuals, but then many other individuals wear their own jumpers with the same colours. Also some of the people assigned jumpers don't wear them some days, and wear their own jumpers of different colours. This is still being counted as PII. You can't use it to identify someone, but it still counts.... which is the confusing part.

              The write-up on the case is interesting: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

              If you can obtain the required information from another party then it's also considered PII. In this case they considered that the organisation in question had the power to legally compel another entity to reveal information to complete the chain and identify the individual.

              For the rest of us in a less privileged position, if the user has revealed their IP anywhere we can obtain it and link to them then that would seem to make it PII. As you cannot guarantee that they didn't already do this (or won't do it in the future), then it's best to regard it as PII always - yes it's tenuous, but until the first round of legal cases have established precedent, who knows.

        2. DavCrav

          "Would you, for instance, expect a thorough worked example of how to fit fire doors to your premises so you could comply with legislation on fire protection?"

          Like this, you mean?

        3. Wensleydale Cheese

          "Would you, for instance, expect a thorough worked example of how to fit fire doors to your premises so you could comply with legislation on fire protection?"

          Yes. Even the humble VAT handbook has examples of when VAT should be charged and when not.

      2. Dodgy Geezer Silver badge

        ...In this case they are telling you what they are going to do with your data and why, which is good, and even the business sector that they will pass it onto (note, not everyone). It's probably specific enough to pass....

        Er, NO!!!!!! NO, NO, NO!!!!

        The data protection laws clearly state that personal data gathered must be the minimum for the business purpose, not used for anything else, and disposed of as soon as the business purpose is satisfied.

        You seem to think the law says that a business has carte blanche to use your data for any purpose so long as it tells you that it is going to do it. This is NOT SO......

  3. This post has been deleted by its author

  4. Paul Kinsler

    an organization [...] incapable of making a decision until it has no other choice

    Aha! They're waiting for the Seldon crisis!

    1. Sir Runcible Spoon
      Joke

      Re: an organization [...] incapable of making a decision until it has no other choice

      That reminds me, I must get my copy back from Elon.

      1. Sir Runcible Spoon
        Paris Hilton

        Re: an organization [...] incapable of making a decision until it has no other choice

        There are odd occasions, such as this one, when I truly wonder about the phantom d/voter, but then I remember I also have a life (and a sense of humour, allegedly).

        For anyone that didn't get the reference (surely not!?) I believe a copy of the foundation trilogy is now on its way to Mars in the glovebox of that Tesla.

        1. Anonymous Coward
          Anonymous Coward

          Re: No worries, I thought I'd downvote

          just for you, so that it was not a single lone phantom downvote. I get those too, and they puzzle me!

          Oh, and also because Elon's team just found a mathematical proof for when you can use a computation to make sure you never hit an indecision problem. Great for landing their rockets and preventing errors. The latest crash was not due to the computer failing to land, but there not being enough starting fuel for the descent phase.

  5. mark l 2 Silver badge

    The whois data was never really checked for accuracy anyway, they would send you an email every year to say 'is this info correct' but you could pretty much put in whatever you want and as long as your bill was paid when it was time for renewal most registrars never gave a toss.

    I always use the whois privacy option on .com and .net domains so I don't get spammed. Freenom don't charge any extra for this and their prices are reasonable rather than offering 1st year really cheap then ramping up the price for the 2nd year.

    Unfortunately Nominet didn't allow privacy registrations for .co.uk domains when I registered my domain back in 200 (this may have changed now) and because of that the .co.uk domain gets loads of spam about my domain expiring and even got some postal mail domain name scams because my home postal address, linked to that site, is published in the whois.

    1. Warm Braw

      when I registered my domain back in 200

      I thought my domain name (registered by JANET before Nominet existed) was old, but you're clearly in a different league...

      [But yes, as a private individual you can opt out of having the contact details for a .uk domain published. You can also advise Nominet if you think the privacy option has been activated other than for a private individual and they have a process for challenging the privacy - not sure what happens to that post GDPR].

      1. Ben Tasker

        Re: when I registered my domain back in 200

        > But yes, as a private individual you can opt out of having the contact details for a .uk domain published.

        One caveat though. I don't know if this is still the case, but when they originally made the change their definition of what constituted "commercial use" of a domain was somewhat contentious.

        - Got ads on the site? Fuck you, no privacy

        - Talking about something you might be selling elsewhere? Fuck you, no privacy

        - Got anything resembling a shop section (even if it's a tiny proportion of the site)? Fuck you, no privacy

        At the time, they also doubled down by making these decisions and removing the privacy without actually telling the domain operator in advance (so no chance of appealing before your details went public).

        I'd hope they've improved in the meantime, but given Nominet's apparent determination to circle drains, I'm not going to hold my breath.

  6. }{amis}{
    Thumb Down

    Maybe we will be lucky??

    I might be overly optimistic but I am kind of hoping that this turns into such a disaster, that it finally makes the world wake up to what a @#*& tip ICANN is and gets some massively overdue changes made!

    1. Len

      Re: Maybe we will be lucky??

      I would not mind if the body that takes over from ICANN is some organisation under the ITU. Sitting under the ITU umbrella but set at a distance from it so it can remain a bit more nimble than the ITU is generally considered to be. And then just move it to Geneva and introduce evidence based policy making.

      1. Mage Silver badge
        Pirate

        Re: ITU

        I explain the history of the ITU, how post, telegraph, phones, radio frequencies are allocated, satellites etc.

        Then I explain domains and IP addresses control and Internet. People go "Wut!". The UN and ITU may be crap, but having a mix of USA Corporate & US Government control & management is far far worse.

  7. Anonymous Coward
    Anonymous Coward

    Eerie parallels with Brexit

    just that ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Eerie parallels with Brexit

      "Eerie parallels with Brexit

      just that ..."

      The majority of us didn't vote for it, and it's not going to reduce immigration or be great for trade - so - uhm - how?

      1. Anonymous Coward
        Anonymous Coward

        Re: Eerie parallels with Brexit

        I suspect the PP meant that ICANN has been desperately fudging it to its (US) members saying "it will all be OK", whilst at the same time acting like a rabbit in the headlamps.

        And like the UK Brexiteers with their heads in their arses, most US firms cannot conceive of a world where people don't say "how high" when Uncle Sam (or the British) say "jump".

        cf. the UK with Brexit.

        Only difference is that May 25th 2018 comes before March 29th 2019.

  8. I ain't Spartacus Gold badge
    Devil

    A job application...

    I hereby propose myself as the ideal person to conduct all future independent reports for ICANN. I have no relevant legal or technical expertise to offer, but I am totally independent, honest and impartial. Not that this matters either, seeing as ICANN only commission independent reports when they've fucked up but don't wish to admit it. Standard procedure is to then ignore said report, until forced to commission another one, when the outrage has had sufficient time to build.

    At which point the second report will be presented to a subcommittee of the board, which will turn out to be the final arbiter of the decision, and contain all the people who made the original decision in the first place. And thus, agree with the decision. Wait for build-up of more outrage, rinse and repeat.

    I therefore feel myself fully qualified for the post, as I enjoy first class travel and can drink vintage champagne and 50 year-old whisky with the best of them.

    1. I ain't Spartacus Gold badge

      Re: A job application...

      Good grief! 2 downvotes for being rude about ICANN. I'm astonished there are even 2 fans of the pisspoor way they conduct their governance to be found around here.

      Unless it's just a comment on my poor attempts at humour, in which case move on, nothing to see here.

      1. Doctor Syntax Silver badge

        Re: A job application...

        "2 downvotes for being rude about ICANN."

        Never mind. Have an upvote despite your expressed tolerance of over-priced fizzy drinks. Just stick to the 50-year old hard stuff.

    2. Wensleydale Cheese

      Re: A job application...

      "I therefore feel myself fully qualified for the post, as I enjoy first class travel and can drink vintage champagne and 50 year-old whisky with the best of them."

      As someone so well qualified for the job, you really need a salary attendance allowance to reflect the impartiality you will bring to the table.

      Shall we say $150,000 p.a. to reflect your status?

  9. Anonymous Coward
    Anonymous Coward

    On GDPR...

    From what I can see, companies are using enforced consent to meet GDPR. If you visit a page or try to use an online service, they leave an unticked box with "Tick to agree to our terms and conditions" with no option of proceeding without ticking. Somewhere in those terms and conditions is a legalese set of terms to allow them to do whatever they want with your data.

    So we're heading to the bizarre situation that it becomes more and more difficult to use online services anonymously, because all the services require an agreement tick before proceeding (looking at Google...) and then add a tracker to prove you've agreed, which they must track to prove consent (and each private browsing session will require ticking lots of agree boxes). And worse, you get no options on what you're agreeing to unless you create an account with them in order to manage their privacy settings(!). Instead of being anonymous by default, the consent requirement requires you to be identifiable.

    1. Doctor Syntax Silver badge

      Re: On GDPR...

      "Somewhere in those terms and conditions is a legalese set of terms to allow them to do whatever they want with your data."

      If so they should have taken better legal advice because that is an infringement in itself. And would probably be looked on as a basis for a bigger fine.

    2. Adam 52 Silver badge

      Re: On GDPR...

      "From what I can see"

      It's not May yet. What you're seeing is companies stretching the old regulations to build a contact pool that will tide them over for however long they think that they can justify grandfathering consent.

      Google, as always, are attempting to redefine normal how they want it to be - same as they did for copyright and cookie consent, but they're big enough to play by different rules to the rest of us.

  10. TheVogon

    "From what I can see, companies are using enforced consent to meet GDPR. If you visit a page or try to use an online service, they leave an unticked box with "Tick to agree to our terms and conditions" with no option of proceeding without ticking. Somewhere in those terms and conditions is a legalese set of terms to allow them to do whatever they want with your data."

    Which still breaches the GDPR. Large fines will soon fix that, don't worry. There will be a major business of 'ambulance chasing' lawyers around this imo.

  11. Blitheringeejit
    Mushroom

    Companies House, anyone?

    If WHOIS is in breach of GDPR because it makes personal information available without having sought specific and updated consent, is the EU going to have a chat with Companies House any time soon?

    1. Anonymous Coward
      Anonymous Coward

      Re: Companies House, anyone?

      Is there an exemption for the functioning of government?

      Companies House is an arm of the DTi/DWP (or whatever they are this month) and hold the information in accordance with their statutory duties.

      WHOIS and ICANN are not discharging any statutory function.

      I should be a lawyer.

      1. Doctor Syntax Silver badge

        Re: Companies House, anyone?

        "Is there an exemption for the functioning of government?"

        Yes, providing, as you say, it's a statutory function. HMG seem to be trying to slip in some extra exemption in the current bill. If they get it through the Commons I can see a quick trip to the ECJ while there's still time. It would be pretty daft of them to do this if it ends up by costing equivalence post-Brexit.

    2. Wensleydale Cheese

      Re: Companies House, anyone?

      I would be quite happy to have my name in WHOIS as an officer of a company (director, company secretary, etc), together with the company's address and contact details, for a company website.

      For my own personal or hobby related website, however, I have never been entirely comfortable with having my home address published to the world plus dog.

      1. TRT Silver badge

        Re: Companies House, anyone?

        My dog's a brilliant webmaster you know.

  12. never a dull moment

    I found the solution !

    The solution to these problems is in a paper sitting in the front seat of Elon Musk's Tesla Roadster!

  13. Mage Silver badge
    Facepalm

    Simple solution

    Don't publish WhoIs AT ALL.

    If someone needs to know they should need to get a warrant.

  14. Anonymous Coward
    Anonymous Coward

    The funny thing is that adtech companies appear to be scrambling to use "legitimate interest" , and the same-old guff of opt-out etc etc in the belief it qualifies.

    Anyone fancy a bet on this being where the first big fine falls?

    I should admit to a sneaky amusement of replying to those companies scrambling for my consent, and asking them that unfortunately in addition to my non-consent, was it likely their business model was going to collapse in the next 12-18 months.

    Still waiting to hear back from any of them so far....

  15. Anonymous Coward
    Anonymous Coward

    Don't ICANN look really stupid now. Hardly covered themselves in glory.
