US government weighs in on GDPR-Whois debacle, orders ICANN to go probe GoDaddy

The US government has waded into the omni-shambles that is the internet infrastructure industry's failed effort to comply with European privacy laws. Having tried to use its behind-the-scenes influence at a recent meeting of DNS overseer ICANN to drive decisions, the Department of Commerce's frustration had led to it going …

  1. IceC0ld
    FAIL

    US Govt weighing in

    the entire thing is going to rest on whether this is a breach of contract ? ffs,

    WHOIS is effectively on its last legs now, so what possible outcome could occur that will still allow it to be used as was, and therefore be IN contract ?

    AND if I get this right, and the WHOIS DOES indeed disappear in a month or so, will ICANN need to rename to something more apropos ............

    may I suggest ICANT ....................

    1. Gordon 10

      Re: US Govt weighing in

      More like IWONT as in I won’t implement a simple solution coz it impacts some of our registrars' get rich quick schemes and offends those nice IP lobbyists who keep giving us those nice lunches and bribes consultancy fees.

    2. Anonymous Coward

      EU expecting its laws to be global

      So screw them. ICANN should just move all registrations in the EU to registrars outside of it.

      1. Aqua Marina

        Re: EU expecting its laws to be global

        At which point the EU has the legal authority to cut the fibres at its borders, appoint its own overseer of domain registry and go it alone. Stopping a whole chunk of annual revenue going overseas.

        Life would go on, business would still take place.

      2. Doctor Syntax Silver badge

        Re: EU expecting its laws to be global

        "So screw them. ICANN should just move all registrations in the EU to registrars outside of it."

        There is an alternative. The rest of the world stops regarding ICANN as guardian ruler of that joint enterprise, the internet. They treat one of the existing DNS root mirrors as the definitive root, make any changes to that and point the other mirrors to it.

        US businesses will have to go along with that if they want to be seen by the rest of the world. The most that would be left to ICANN would be to mirror the new root and just keep up the face-saving pretence to the US public of being in charge.

    3. csecguy44

      Re: US Govt weighing in

      Why US Government? GDPR is an EU regulation

  2. bigtimehustler

    To be honest I find someone having to put their own details of who runs it publicly available as a barrier to every idiot putting up a site that they wouldn't want to be known as them. Let's face it, what is wrong with it? If you are a company, it will be your company address anyway, only in the case of personal users is it their home address (if they have again, not hidden it on a domain they can hide it).

    To be honest, why should the rest of the world comply with a law Europe has developed. Why should the US, Asia anyone else? They should just tell Europe, go ahead, take every internet company who doesn't comply to court, let's see how long that takes you. I think this again comes down to the problem, one country's laws cannot change and force other countries to comply, yet on the internet, it often does. That's a problem that has no easy solution.

    1. Jamie Jones Silver badge

      Ever thought that these laws are actually consumer friendly?

      The people complaining about GoDaddy have absolutely no real reason to have access to the data. They are just telemarketers, but as always in America, corporations trump the right of the people.

    2. John Brown (no body) Silver badge

      "To be honest, why should the rest of the world comply with a law Europe has developed. Why should the US, Asia anyone else?"

      Isn't this what the US does all the time?

      And anyway, it ought to only include data on or about EU citizens. And didn't the US set up a new data protection ombudsman recently to "protect" EU data held in the US? Not law, mind you, just an "agreement" and a "promise". I don't see that there's anything to stop the WHOIS lookups simply not returning private details of individuals whose address is in the EU.

      1. Doctor Syntax Silver badge

        And didn't the US set up a new data protection ombudsman recently to "protect" EU data held in the US? Not law, mind you, just an "agreement" and a "promise"

        Did they actually get round to appointing the actual official rather than a deputy? In any event, what was the department responsible for that? Wasn't it Commerce?

    3. Paul Crawford Silver badge

      To be honest, why should the rest of the world comply with a law Europe has developed. Why should the US, Asia anyone else?

      Maybe because they want to do business with companies and people in the EU?

      Otherwise they are free to do as their local laws demand, but just not to deal with EU customers.

    4. Anonymous Coward

      "To be honest, why should the rest of the world comply with a law Europe has developed."

      To be honest, why should the rest of the world comply with ICANN's wish -not even a law- to have our private information and publish it globally? And then charge you to hide it....that's like volunteering for blackmail.

      Just lie on the forms. That's always been my policy for anyone who thinks they are entitled to my personal information, and it's worked pretty well so far. Poison that database. Bonus points for using details of marketers, so they can stay busy spamming each other.

      1. HieronymusBloggs
        Pint

        "Poison that database. Bonus points for using details of marketers, so they can stay busy spamming each other."

        Upvote and pint.

      2. User McUser

        To be honest, why should the rest of the world comply with ICANN's wish -not even a law- to have our private information and publish it globally? And then charge you to hide it....that's like volunteering for blackmail.

        Was Whois data ever intended to be private in the first place? The identity of what entity owns which domain names never seemed to me like data that needed to be protected or kept secret. (Please note that I am NOT defending ICANN just arguing that Whois data is of public interest.)

        Then again when I was but a lad they published the name, address, and phone number of everyone in town with a phone in a big book that everyone got a copy of every year. (And if you didn't want your information listed in this book you had to pay a separate fee for the privilege of being unlisted.)

        1. Anonymous Coward

          "The identity of what entity owns which domain names never seemed to me like data that needed to be protected or kept secret."

          For organisations, sure. For solo operators like myself there absolutely is a reason...the internet is a big place, full of nutters, not all of whom would treat your personal information with the care that you would wish for. There's marketers who will waste your time trying to peddle their shit. There's identity thieves. There are plenty of full-bore turbo loonies who may take offence at something you do/say/type and want to point out your error in the most stabby way they can manage. And so on. Publishing my home address that way just is not a thing that is going to happen; legislate what you like. There are PO boxes and the like, of course, but that's a significant (comparatively) expense and doesn't help that much because it still gives out a fairly precise geographical location.

          Phone books, yes, but they were printed on paper; were pretty local. And abuses still happened. WHOIS is both electronic text and globally published; which makes bulk manipulation easier whilst simultaneously engorging the pool of potential piss-takers.

    5. RealBigAl

      They don't, they just won't be able to do business in or with EU countries or residents.

  3. Jamie Jones Silver badge

    Huh?

    Currently only ICANN-accredited registrars are allowed to make changes to name server and mail server records.

    Excuse-er-me-a-wots-a-wait-a-minute-huh?

    1. sitta_europea Silver badge

      Re: Huh?

      Factually challenged journalist:

      "Currently only ICANN-accredited registrars are allowed to make changes to name server and mail server records."

      Jamie Jones:

      "Huh?"

      Quite so. I'm not an ICANN-accredited anything. In fact they ignore me when I tell them about criminals using their services. But I manage servers, and if you

      dig +short -t SOA jubileegroup.co.uk

      then the Authority in the reply that you'll get is me.

      1. Jamie Jones Silver badge

        Re: Huh?

        ditto me with welshgit.org :-)

  4. Jim Mitchell
    WTF?

    "...the GDPR is, after all, a globally applicable law that affects everyone. " This would be news to most, well, everyone.

    1. Tom 38

      If you want to do business in the EU, you must abide by EU law regarding personal identifiable information. So if GoDaddy want to keep selling domain names to Europeans, or ICANN to have contracts with European registrars, the law applies.

      If you weren't aware of this, you should get aware, because the fines will be stupendous - up to 20 million euros or 4% of global turnover, whichever is greater, plus actual compensation for affected people - not just paying bribes to lawyers and "privacy foundations" like they do in the US.

      1. Aqua Marina

        “If you want to do business in the EU, you must abide by EU law“

        A very common misconception but not quite true. If you want to have an office based within the EU then any business performed from it must be compliant with EU laws. The EU does not forbid its citizens from seeking services outside the EU with organisations to which EU laws do not apply.

        1. Doctor Syntax Silver badge

          "A very common misconception but not quite true. If you want to have an office based within the EU then any business performed from it must be compliant with EU laws."

          And your second sentence also isn't quite true. It would mean that you couldn't send anyone over to conduct business in the EU nor would you be able to appoint agents there. In practical terms it would make it difficult to do business on a large scale if you couldn't do that.

          "The EU does not forbid its citizens from seeking services outside the EU with organisations to which EU laws do not apply."

          Apart from the logistical issues such an organisation would have to contend with being gaining a sleazy reputation. And if the nature of the service were B2B then its customers would be at risk.

          1. Aqua Marina

            "It would mean that you couldn't send anyone over to conduct business in the EU"

            It doesn't say anything of the sort. Anyone from the US could come over to the EU to perform business. What they can't do is get on a plane back to the US with a USB stick full of personal data. Whilst that person is within the EU they are bound by EU laws.

            "nor would you be able to appoint agents there"

            Legally speaking an agent is the equivalent of having an office. So an EU based agent would be bound by EU laws, even if his wage packet comes from the US.

            "Apart from the logistical issues such an organisation would have to contend with being gaining a sleazy reputation."

            What logistical issues? I can go onto a US based retail website and order whatever I want provided they are willing to deliver to the EU. There are US ebay shops aplenty that do so and the same with Amazon US. No sleazy issues here thank you very much, you are talking bollocks.

            "And if the nature of the service were B2B then its customers would be at risk."

            Again you are talking bollocks. I import from the US, and as long as the only personal details I give them are my own as the representative of the company, and not say my whole customer list then there is no risk.

        2. Anonymous Coward

          Actually I think GDPR covers that - the law explicitly includes non-EU companies who do business with EU citizens, e.g. a US website that is prepared to sell to an EU citizen has to be GDPR compliant with how it handles that citizen's data.

          The non-EU company can, if it wishes, just elect not to do business with any EU citizens (including ones that live abroad, as GDPR applies to citizens, not physical locations).

          The same applies in reverse - EU companies doing business with US citizens for example have to follow relevant US laws (there just isn't a US GDPR equivalent).

    2. Doctor Syntax Silver badge

      "This would be news to most, well, everyone."

      It shouldn't be news to anyone responsible for holding personal data of European residents. It wasn't even news to ICANN; they just hoped if they ignored it it would go away.

      It would really be irresponsible of the EU to grant them a stay of execution. If they did that every other toe-rag in the data exploiting industry in the world would be queuing up next day. I think we can all guess who'd muscle to the front of the queue.

  5. Chris Fox

    Does NTIA (or CoCCA) really understand GDPR?

    "... it is likely to represent a legal workaround that would allow IP lawyers direct access to Whois data by bypassing the legal obligations contained in the contract ICANN has with registrars."

    So in other words, the NTIA is just pushing an approach that still seems at odds with the GDPR: it would give third parties access to personal information without consent, and without due legal process. Would this really satisfy the expectation of the Article 29 Working Party that there should be clear, legal reasons to grant someone access to the data? It seems doubtful that the say-so of an IP lawyer would count as a clear legal reason, unless backed up with a court order. But given that "the actions taken by GoDaddy last month... are of grave concern for NTIA given the US government's interest in maintaining a Whois service that is quickly accessible for legitimate purposes.", it seems that the NTIA is actually unhappy with the idea that a court order be required, and takes refuge in sophistry over what counts as a "legitimate" reason.

    Similarly, CoCCA's approach of allowing access on payment of a fee, as well as to the Secure Domain Foundation, a third party organisation, doesn't seem to be consistent with the expectations of the GDPR.

  6. Peter Prof Fox

    Too late to the good/evil debate

    Head-in-sand (and much worse) ICANN have nobody but themselves to blame. An abject failure. That's not news. (My local county council is just as bad and corrupt.)

    Had they been interested and involved in privacy and cases where privacy might be reasonably breached (eg nasty bastards doing naughty things shouldn't be allowed anonymity) they would be [Gosh! Fetch the smelling salts] on top of their job. If I'm a persistent "Your granny smells of elderberries" miscreant then why should I be able to hide behind an invisibility cloak? OTOH my registrar cloaks my personal details so I say "Bwharrar!" to those with snotty nostrils.

    There is obviously a balance. All info akimbo in the breeze brings back unfortunate memories of that weekend at the nudist camp at Skegness. Complete lockdown and gagging brings back unpleasant memories of a cellar in Beaver street.

  7. Jove Bronze badge

    Walled Gardens

    Somewhere down the line, we are likely to see supra-state controlled walled-gardens of the internet for enforcement of data and security regulations.

    We already see this to a degree in the cases of China and Russia. Legislation currently in the pipeline both with the EU and the USA could necessitate the Great Redoubt of the EU once the differences become irreconcilable.

  8. Huw D

    If I do business with/in America I am expected to abide by their laws.

    If America does business with/in the EU then they are expected to abide by EU laws.

    It's that straightforward. Not just for GDPR, but for Employment, Tax, yadda yadda.

    An American can't walk the streets of London carrying a gun because he can where he lives.

    When in Rome and all that...

    Why are people making this so bloody difficult?

    1. Voland's right hand Silver badge

      If America does business with/in the EU then they are expected to abide by EU laws.

      Have you tried telling that to an American? Or more importantly an American government official? Or an American Judge(*)?

      (*)New York Federal circuit, Microsoft, Irish Data... You know... Special laws declaring that other country's laws are invalid on their territory...

      1. Huw D

        I tell it to Americans all the time - I have business relationships with US companies.

        I'll be bleating about it to another one today.

        I've also had "fun" (for certain values of fun) discussions with TSA.

        1. Aladdin Sane

          Are those the discussions that involve rubber gloves?

          1. Huw D

            Well, this one time it got close...

      2. JohnFen

        I'm an American, and I understand and agree with the sentiment. Not all Americans conform to the stereotype of "American".

    2. Alistair
      Windows

      "If America does business with/in the EU then they are expected to abide by EU laws."

      According to Batistelli and Gurry, this doesn't even apply to European organization.

    3. Jove Bronze badge

      "If I do business with/in America I am expected to abide by their laws."

      Sure, but the USA is still the Top Dog, and the EU states can not even be bothered to defend themselves, so for the foreseeable future the EU will need to jump when it is told to.

  9. Oldish Git

    Some "private" data _should_ be public domain!

    It seems to me a basic right in an open society to know whom you are doing business with.

    GDPR has many advantages in protecting individuals, but it's also having a lot of unintended consequences. I used to belong to a forum for former staff of a large organisation. It was a great place where memories were shared, a resource for researchers (of that industry's significant history) and ex-colleagues alike. Many of the contributors are no longer alive.

    Now it's gone, as the costs of GDPR compliance were simply too great for the private individual who set it up. Much of the data was >40 years old though, with almost nothing from the last 20 years.

    There will be a lot of stuff like this, I fear.

    Then there's Companies House: I do a lot of research using its data, mainly competitor and (potential) client analysis. It's essential for our business to know who you are dealing with. Never mind GDPR, laws on filing company records have been "relaxed" over recent years, especially for smaller companies (typically fewer than 100 employees, which is our target market), to the extent that you can now learn almost nothing from what CoHo keeps. In particular the "balance sheets" they now ask for are a joke. By the time you've chased down the ownership of small companies, sometimes nested five levels deep, you've a good idea if they are trustworthy (or not), but you also need to be able to spot that a company is on its knees, before you extend it dangerous amounts of credit.

    I think all limited liability enterprises should be required to put director information and _full_ accounts into the public record, as a condition of trading, and that late filings and holding stuff back should actually be penalised (rather than the pretense of same). If we want moral superiority over say the Russians or even the Americans, it starts with as much transparency as we can manage. And the more honest our society is, the cheaper it is to run, and the more attractive we are for others to do business with.

    Back on topic, Whois long ago ceased to be very useful. Tried complaining recently to a contact point for some small-but-annoying site that's badly set up (or insecure or whatever)? How far did it get you?

    What's wrong with an anonymising referral system, like those Usenet servers in Finland*? Let ICANN or whoever pass through the data, but unless something is escalated, there's no need for actual names to be sent to the complainant. It's not hard.

    OG

    *You probably have to be of a certain age, and/or frequenting the wrong newsgroups...

    1. Voland's right hand Silver badge

      Re: Some "private" data _should_ be public domain!

      By the time you've chased down the ownership of small companies, sometimes nested five levels deep, you've a good idea if they are trustworthy (or not)

      while (company_chain != NULL) {
          trust--;
          suspicion++;
      }

      1. This post has been deleted by its author

        1. Voland's right hand Silver badge

          Re: Some "private" data _should_ be public domain!

          We both forgot the next statement. Goes to show that everyone is being spoiled by ready made macros and we are forgetting CS101 basics. Though that may simply be the effect of trying to type in something before the 4th double espresso.

          while (company_chain != NULL) {
              trust /= 2;
              suspicion *= 2;
              company_chain = company_chain->next;
          }

    2. Doctor Syntax Silver badge

      Re: Some "private" data _should_ be public domain!

      "Then there's Companies House: I do a lot of research using its data"

      In which case I'm quite sure that, despite your protestations, you're aware that CH filings are statutory. Statutory data isn't affected by GDPR. It would appear that your complaint isn't about GDPR but about company law relating to what's accepted in filings.

      1. Anonymous Coward

        Re: Some "private" data _should_ be public domain!

        "In which case I'm quite sure that, despite your protestations, you're aware that CH filings are statutory. Statutory data isn't affected by GDPR."

        So what happens if, as I think I've read has been proposed, the US pass a law making it a statutory requirement for internet registrars based in the US to make all this info publicly available? I assume we end up with the same situation of UK press injunctions where UK news refers to cases involving people that cannot be named in the UK but whose names (nudge nudge) are being reported on US web sites.

        1. Doctor Syntax Silver badge

          Re: Some "private" data _should_ be public domain!

          "So what happens if, as I think I've read has been proposed, the US pass a law making it a statutory requirement for internet registrars based in the US to make all this info publicly available?"

          I'd wondered about the existing situation in regard to that.

          As far as can be seen ICANN's role is not statutory. If the US were to make such a move and try to make it apply to non-US residents, effectively making the net US property, the likely consequence would be a push by other governments to move the whole internet under ITU. I don't think the US or most of the internet users would want that.

        2. localzuk Silver badge

          Re: Some "private" data _should_ be public domain!

          I think the result of that would be EU companies not using US registrars at all. So, all EU and UK businesses would use TLDs from their own countries etc...

          So, no more .com for the UK, everyone uses .uk.

  10. Nimby
    Alert

    What does ICANN do?

    This is the most significant factor. The problem is not about companies and governments holding hands across the pond. Given reasonable time, that can all be worked out.

    The problem is that ICAN'T sits on its asterisk instead of doing anything, and then leaves people in impossible positions. Time and time again. This is where the culpabilities lay. This is where we need to stop feeding them carrots and start whacking them with a stick.

    You want to NOT do your job for years and then forego normal process to expedite yourself out of your self-made cesspool? No. Now go do your job for real, and follow the correct protocol. And every single fine, penalty, and lawsuit resulting from the situation that you willfully made with your neglect will be awarded without question. If you can't handle that, stop pretending and let someone step in who can. Have a nice day, ICAN'T. We've coddled you for too long already.

  11. gnarlymarley
    WTF?

    whois has always been public

    Okay, okay. Apparently I am confused. Whois has been known to be public information and is nothing more than a phonebook of where the people who run their part of the internet "want" to be contacted. Technically, if you want to hide that information, then the "normal people" of the internet will think you are an evil hacker (I guess fracker in coding terms, or black hat in security terms). Why would anyone want to hide their "public business contact" information?

    Maybe we should be banning the phonebook for publishing our telephones?????

  12. Alistair

    WHOIS is a lookup directory that relates (domainname) to (owner/technical contact).

    At one point it was a "phone book" so that techies around the world could get in touch quickly and fix things.

    Now it's mostly used to mine out sales targets for cold calling, and email addresses to spam. The most critical use is by various legal entities to crucify the owner/techie responsible for *TERRORPEADODRUGGIECOPYRITEVIOLAT* of the day. ICANN want to have it left in state so that the TLA/FLA/global police/legalbeagle types don't have to go through some formal process in order to send out the swat teams, and will stop calling them 15 times a minute. ICANN can't afford to run that call centre for the TLA/FLA/global police/legalbeagle support.

    ICANN has been a horribly dysfunctional entity for quite some time now, and is in drastic need of an overhaul, both in its structure and in its management as well as in the relationship it has to *any* government.

    The GDPR may well be the club that can be used to beat an independent ICANN into something approaching a practical and useful entity, but to achieve this will take time and a concerted effort by *several* governments to create a structure that makes it feasible. *that* I doubt will happen any time soon.

  13. lookintothelite

    I'm an American, that is simply a statement of fact. I do not consider myself represented by the government of America. That is really the government of American businesses'. I'm very aware of ICANN, GDPR and the US's abuses of power. I try to extend an open mind to other cultures when I meet them and not judge based on what that country may have done in the past or what stereotypes preceded them. What you are seeing from ICANN and the US government is typical big business in the US. It would be nice to see the US have to start playing fair with others, including its own population. I agree 100% with the idea of doing business in the EU you have to follow their rules. I hope it works out. I'm personally a little surprised about all of this considering England recently passed ?laws? not sure if that is correct, requiring data retention by ISPs about their customers that the police etc can view. Here it seems the police have a blanket subpoena just by saying it's part of an ongoing investigation and then placing a gag order on the telco we have no idea how often it is really happening. Did it ever occur to anyone that this is just a placebo? Or maybe a power grab by the government? A government that was getting worried that the private sector was getting more info than they were? So now they are going to stop them from selling it that way they can consolidate the government's power?

    John Gordon

    Bend, Oregon, USA
