Internet overseer ICANN loses a THIRD time in Whois GDPR legal war The internet's domain names overlord has failed in a third attempt to keep to the wheels from falling off its Whois service in Europe, raising questions over its competence. US-based Internet Corporation for Assigned Names and Numbers (ICANN) was slammed by the Appellate Court of Cologne, Germany, for not having "sufficiently …
Looks like ICANN are having a Denzel Washington 'Training-Day' meltdown moment of denial:
..... "You think you can do this to ME? I'm the police! I run shit here, you just live here! King Kong ain't got SHIT on me! - I'm winning anyway / I can't lose"....
https://www.youtube.com/watch?v=AkNDQD0gkAU&t=0h0m45s
Pretty much. Ever since the ‘Patriot Act’, the rest of the world has been cautious of doing any business with the US that could expose data it wanted to be secure. Demonstrations such as this that US companies don’t give a fig about non-US law when doing business overseas really doesn’t help the case. Almost all that is needed to close the deal is for someone in the Whitehouse Lobby to point the Dotard In Chief at the problem, and let him declare all non-US laws illegal or similar...
Careful what you wish for, you may get it and then you'll discover ICANN is vaguely useful.
While ICANN is far from perfect, it's imperfections have created many of the freedoms that have allowed the Internet to grow and provide information to so many. It has also created a money gobbling NGO that acts largely in it's own interests (hence the dispute with GDPR which it thinks it can ignore), but appears to be more government neutral than any of the alternatives.
it's imperfections have created many of the freedoms that have allowed the Internet to grow and provide information to so many.
Organisations don't do this, the people in organisations do this.
Are the same people currently responsible for the current clusterfuck that is ICANN the same people who did many of these other useful things, or is this a newer generation in charge that have had nothing to do with the previous 'good things" that have come out of ICANN?
ICANN didn't exist prior to its incorporation on September 30, 1998. Most of the "good stuff" that I believe you must be referring to pre-date the founding of ICANN. Since then ICANN has been mostly in either maintenance mode of those benefits put in place prior to it - standing on the shoulders of, and taking credit for, those that came before it - or in clusterfuck mode, breaking those same benefits or trying to maintain itself with no regard for its "citizens", that is the civilian population who use the Internet, with the only regard for its own enrichment and power - "Respect my authorita!"
edit: typos
about the sale of domain names without a legit contact. Admittedly that horse has largely bolted, but there damn well ought to be a traceble organisation behind every spam and malware domain registration. OTOH publicly publishing names is clearly a bad thing: I was on the wrong end of that 25 years ago - which is another story.
You still need to provide a valid name and address for billing. But the anscilliary whois crud is not collected and the data is not published in whois, because it would be illegal.
If you can get an EU issued warrant to look at the information about a domain, the registrar will have to hand over the informaiton it does have, but it can't hand over the information without either the warrant or the explicit written permission of the identifiable persons in the data.
" ....but there damn well ought to be a traceble organisation behind every spam and malware domain registration. OTOH publicly publishing names is clearly a bad thing:
I have about a dozen or so domain names that I use for various projects and I have lost count of the number scam emails telling me they are about to expire and need to pay some stupid amount to renew.
the fix is the contact email is one used only for the registration and it dumps everything except from the registrar and hosting company. Phone number is a cheap 20 quid a year, premium number, when any spam calls come in on that number I'll talk to them for hours if they like.... lastly, a PO box for the address..
I love the idea of providing a premium rate contact phone number! Why didn't I think of that??
I have had to put up with idiot spam calls for years thanks to ICANN (on the basis that I already pay 'em enough for the domain, I'll be damned if I have to pay extra to have then not publish my phone number...).
"there damn well ought to be a traceble organisation behind every spam and malware domain registration"
Nobody is saying otherwise. The issue is that the contact information for registrees is made publicly available. There's no reason why ICANN couldn't stop that but still have a record of who registered what as well as the ability to contact them when such contact is legally required.
"about the sale of domain names without a legit contact. Admittedly that horse has largely bolted,"
That horse bolted long before 1998. ICANN didn't even _start_ taking an interest in whois accuracy until it was threatened with legal action over all the faked addresses and collateral damage ensuing (one kiddy porn domain was registered to a residential address in Guildford inhabited by a very confused and upset little old lady, as one example) and then when it realised it could be a money earner things started going cha-ching.
The only advantage of ICANN I can see is that it pretty much now can't do anything. Well it created all the shitty .word extensions, but we can pretty much just ignore those and they'll go away. Feel free to block at your firewall if you can be arsed, nothing of value will be lost.
And that will keep them in champagne, bonuses, 5 star travel and hookers for a few more years.
But given the decisions of a few governments concerning the internet, then it's probably better that they can't get anything done either.
As for GDPR, that will sort itself out. The registrars will comply with the law, because it's stupid to do anything else. And there's nothing ICANN can do about it, but sulk.
The only problem comes if there's something urgent to be sorted out in the domain name space. Because ICANN don't do urgent. Or competent. Or reasonable. But if that means the job goes to the ITU, then at least we'll have had some years when the basically nobody was running things.
Anything from the USA that is dissolved and replaced could well be replaced by something even worse.
Expect it to have less representation from real humand beings.
Expect it to have more representation from big corporations.
Ecpect more advertising.
Expect it to have poorer security.
Expect it to be selective about legal systems.
The last item will be fun. To do anything in the way of legal activity, you must do it in the courthouse of Cowchip in East Texas. Only lawyers accredited to that court will be able to speak.
Time for ICANN to be disolved and a true global politics free body created.
Easier said than done. ICANN is suffering from growing pains and an inflated sense of importance. GDPR should have been no suprise to it, and in political terms, ICANN should have been influencing that. Then if it failed, it had 2+ yrs to work on policy and prepare. The organisation's not exactly short of lawyers on staff or on speed dial.
For whatever reason, it failed to either influence the EU, or adapt to the legislation. And responded in typical NGO fashion by forming a WG to deliberate some more, which allows the WG members to feel gainfully employed and justify their expenses.. Even though as the article points out, it's comprised of a lot of the people who misread the situation in the first place.
Trying to create an ICANN2 would inevitably lead to the same problems. Transfering responsibility to other existing standards/governance bodies like the ITU has long been threatened, but isn't exactly politics-free, although it's probably better at dealing with regulators.
Be careful what you wish for.
The ITU is already trolling opinions that *they* should run the Internets because they're the International Telecommunication Union, that's why. And they can point to the hodge-podge of IP address allocation as proof. Never would have happened under the ITU's watch.
And they can point to the hodge-podge of IP address allocation as proof. Never would have happened under the ITU's watch.
Well, we can at least assume that an international body wouldn't have allocated a quarter of all IP addresses to a mixture of US government and US businesses, including ones that no longer exist, like DEC.
The class A allocations made sense at the time they were made. The ipv4 system was simply not designed to scale to anything like the number of nodes we now have on the internet. The majority of the address space was expected to go unused before classless inter-domain routing was implemented.
And they can point to the hodge-podge of IP address allocation as proof. Never would have happened under the ITU's watch.
Well, we can at least assume that an international body wouldn't have allocated...
Well if you look at history, I suggest the ITU would have adopted ISO OSI Network Addressing, in its full glory [sarcasm] and just made IPv4 addresses a permitted format...
"I can't see the need for most of the information in WHOIS records. Just knowing who the registrar is should be enough for most purposes. No?"
*Nail - Head*.
Registrant information should not be openly published - rather it should be that you need to go to the registrar and request the details - with a justifying reason for the request.
If ICANN cant work in the real world and abide by laws in that world it needs to be abolished.
"Registrant information should not be openly published - rather it should be that you need to go to the registrar and request the details - with a justifying reason for the request."
That was basically one of ICANN's proposals. It got rejected:
"Those "changes" let registrars collect, but not publish, the same Whois data they now collect; provide some kind of "authorized access" to the records; and still allowed third parties to spam registrants.
But that effort failed, with even the US government criticizing its approach."
I don't think it was rejected for the reason you're implying here. I think that the rejection was due to who it was going to consider as having "authorized access". Where that should have been "someone with a subpoena"*, it was going to be a whole lot more broad than that.
*in cases where contact was needed for technical, rather than legal, reasons, then registrars could forward the contact request to the domain name owner and let them handle it as they see fit.
>I can't see the need for most of the information in WHOIS records.
That's because it dates from a different era:
RFC812 (Original Whois 1982):
"WHO SHOULD BE IN THE DATA BASE
DCA requests that each individual with a directory on an
ARPANET host, who is capable of passing traffic across the
ARPANET, be registered in the NIC Identification Data Base.
To register, send full name, middle initial, U.S. mailing
address (including mail stop and full explanation of
abbreviations and acronyms), ZIP code, telephone (including
Autovon and FTS, if available), and one network mailbox, via
electronic mail to NIC@SRI-NIC."
This was also in RFC954 which was then updated by RFC3912.
What is notable is that it seems no one has actually read the Abstract to RFC3912:
"This document updates the specification of the WHOIS protocol,
thereby obsoleting RFC 954. The update is intended to remove the
material from RFC 954 that does not have to do with the on-the-wire
protocol, and is no longer applicable in today's Internet."
Which seems to make it crystal clear that the "Who should be in the Database" section is "no longer applicable in today's Internet". Interestingly, RFC3912 contains no material to indicate just what a Whois server database needs or should contain...
There's also the consent issue, along with remembering the original rules for domain registration. So .com being commercial, .org being non-profit and .net being infrastructure.
In a practical sense, WHOIS should have provided the legal entity, and a tech/abuse contact. Registrars didn't like this because it revealed customer info, cried 'privacy' and WHOIS results ended up containing the registrar's contact info. In doing so, it lost most of it's value as an operations tool for finding out who to contact in the event of technical problems.
Along side that of course were other privacy concerns, ie people's names, phone numbers etc and the never ending spam or slamming attempts. For the traditional domains, most of that could (and should) have been hidden by role accounts like abuse@ or info@.. Which would still have got spammed heavily, but aren't really personal data.
By allowing registrars to hide end-user info, WHOIS lost most of it's utility to the Internet at Large, especially as a lot of registrars are unresponsive to queries regarding domains they're hosting. So as WHOIS became increasingly useless and redundant, policy should have changed. ICANN doesn't really need the personal info of end-users, just a way to contact them in the event of dispute or problems, which it could do via the registrars.
@Jellied Eel - There's also the consent issue...
In doing so, it lost most of it's value as an operations tool for finding out who to contact in the event of technical problems.
The issue is that as it stands the Whois service dates from the era when the "Internet" wasn't a public network as we now understand a public network to be. When RFC's 812 and 954 were penned, the "Internet" was still a private(ish) network mainly used by academics and a small community of collaborators, who were developing this non-proprietary network - hence why it was useful to be able to directly contact people and discuss connection and interop issues (many people forget that prior to Interop 1986 - one of the great moments in Internet history, the Internet wasn't as interoperable as it is today).
I suspect that much of the consent, privacy and reporting issues you allude to arise from the closed community ARPANET/Internet being opened to the public at large, without regard for it's fitness for purpose - this mirrors the often seen way, where prototype IT systems are dropped into production...
without regard for it's fitness for purpose - this mirrors the often seen way, where prototype IT systems are dropped into production...
Exactly! When WHOIS began, the Internet was between relatively trusted peers and there were fewer privacy issues given the records served a purpose. Fast-forward to now and the creation of personal TLDs like '.me' and ICANN's created it's own privacy problems. Which it was warned about decades ago.
(Damn, I feel old..)
ICANN also morphed from an oversight body to a more blatantly commercial operation, so regarded exclusivity over individual WHOIS entries as it's own IP, which obviously has a value.. But it doesn't really need to know about individual records other than maybe for billing purposes. And by allowing data to be hidden behind registrar entries, WHOIS has lost utility for most purposes. Especially given it never really had a good handle on national issues, eg Germany's strict privacy rules. I think the issue now is ensuring registrars act responsibly, ie law enforcement liason and dispute resolution.
"The truth however is that ICANN continues to be baffled by the fact that the European court system has no interest in its corporate interests and refuses to be told that the Whois service is as important as ICANN considers it to be."
I think it's more of a case that ICANN isn't as important as it thinks itself to be.
"As much as I'd like this to be the case, I'm pretty sure there's an agenda going on.
ICANN seems in far too much of a hurry to lose this case."
You're not the only one who thinks this. I've made similar comments in the past as have others. They are taking on obviously lose-lose battles. Like there's some contractual or legal things they need to comply with and can't get out of but might eventually be able to point to superseding legal rulings that lets them off the hook by "losing" against the EU and GDPR.
It's also worth noting that other jurisdictions are looking closely at GDPR and implementing their own version, such as India. The US lack of privacy protection is beginning to stand out more as an outlier on the world stage more in keeping with the likes of China than democratic nations.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
