Now I know why very littles been happening with Brexit
Clearly our Brexit Dream-Team are moonlighting for ICANN.
ICANN has been told for a second time that it must fundamentally change its Whois service to become compliant with Europe's incoming privacy law – and do so within the next month. At a meeting in Brussels this week with the European Union's data protection authorities (DPAs), the US-based DNS overseer had hoped to persuade …
They're certainly both using the same tactic. Announce loudly that they are going to do something which the EU has already specifically ruled out as impossible. Keep on insisting on this right down to the wire. Scream blue murder about those terrible EU bureaucrats when it turns out that the EU was telling the clear exact truth all along.
So both use the "governance by committee" method whereby lots of meetings but no actual decisions? I'm sure that if they handed the WHOIS issue over to a few competent programmers (not outsourced to some low bidding company/country) the solution could be implemented rather quickly. But that would require a <gasp> decision on ICANN's part.
"ICANN's failure to come up with a plan despite Europe's GDPR being approved two years ago, and despite more than a decade's worth of letters from the self-same Article 29 Working Party warning it about how the Whois was not compatible with European law, is a sign of just how dominated by US interests the organization is."
You can be sure if the tables were turned the EU would be getting assaulted right now. Hate to say it, but the truth is, America is not the World. Despite American Exceptionalism or whatever domineering self-delusional bullshit ideas Americans have about themselves etc. The world is fundamentally changing and Big Tech and other American corps need to accept they can't just shit all over the rest of the world. It simply won't be tolerated anymore!
Every influential US firm will jump on the same band-wagon and lobby for the - 'I-Cant' - special exemption treatment! But you know what, I wonder if in a parallel universe, they might have gotten away with this extension prior to the Facebook-CA-Palantir revelations. But now the stakes are so enormously high. There's no way the EU can cave, or the whole GDPR Law will be a farce!
Its not like there hasn't been a separate Rule of Law between the EU and US for decades anyway. From GMO's, to stricter control of Pesticides and other Chemicals used in Products etc etc. The US tech giants have just been lazy and complacent here: 'Oh, Data / Privacy, it doesn't really matter does it? Its just those stupid Germans and their Stasi fears. Its not like that kind of toxic mass surveillance happens anymore anyway. In the Land of the Free?!
" Its not like that kind of toxic mass surveillance happens anymore anyway. In the Land of the Free?!"
It won't surprise may to find that the first large country for invasion of privacy rights is China.
Or that the second one is the USA
After that it's a succession of tinpot dictatorships and failed democracies.
You are being a bit too broad brush there. This is an ICANN/US registrars thing not a US thing in general, I've had plenty of updates on GDPR from US companies it's just those lot who somehow think they are special.
Tbh ICANN could have dodged the whole bullet if they had just said to the registrars you must make whois compliant - here's a couple of models (eg Nominets approach) knock yourselves out.
Instead they were blinded by thinking they were King Dick, giving far too much weight to special interests, and unwilling to give up an iota of control. In short BAU at ICANN.
Now pass me that popcorn.
I don't think this is a US issue at all. Even Facebook claim they're complying with the GDPR.
This is an ICANN incompetence issue.
Their controlling committee are greedy and incompetent. However they were allowed to keep the IANA contract without ever quite introducing any of the governance reforms they vaguely promised to do.
So they're in this great position where all oversight leads to various sub-committees of the board, who are then forced to produce independent reports slating their incompetence (or malice), but then lead to appeals to other sub-committees of the board who ignore them.
What they have is circular oversight. And big bonuses. And they love it!
This has clearly gone to their heads and left them fundamentally ill-equipped to deal with the real world. Such as trying to ignore legislation they've known about for ages.
Of course they may still get away with it. Being in California, if they've got no European offices then what can the EU do to them? They can fine the various registries that do operate here, so maybe ICANN still think they can get away with it?
"Being in California, if they've got no European offices then what can the EU do to them? They can fine the various registries that do operate here, so maybe ICANN still think they can get away with it?"
Half right. Being in California, they cannot be touched. However, without *any* legal presence in the EU, they can't touch European registries. ICANN are basically dead in the water. The internet will carry on running on empty for a bit and whilst ICANN sob to their friends (they must have some) in the US government, the rest of the world will develop an ICANN-replacement that they can live with.
It's like a Hard Brexit, but for Internet Governance. Enjoy...
It's just occured to me why GDPR might actually be effective. The PPI deadline is looming in the UK so there will be a lot of organisations with lots of time on their hands. Because the fines in GDPR can be seen as a revenue stream this might become the most popular law ever. Cold calls asking "have you ever handed personal data over to anyone ever?". There could be a good business model in fishing for non-compliance and then lawyering up.
Whois publishes my name and address right now and I'm thinking pay day next month :)
The point has been made here many times before, but this is a real risk. Organisations like ICANN may be able to convince regulators not to act, but the regulations explicitly allow class action civil action by victims. Ambulance chasing firms already exist for the Data Protection Act, their powers are about to be dramatically increased.
What total incompetence on ICANN's side. What excuse do they have for apparently sitting on their hands for two years after approval of the law? If a student were to come to me, asking for an extension for the deadline for an assignment he'd known about months in advance, at the last minute there had better be a very good excuse (illness, accidents, death (one grandmother per year, max!), etc). This is just pathetic.
Actually ICANN have barely a bean to rub together. Sure they took loads of moolah in the dot.word rip off domain name sale. But that's long since gone out in increased salaries and bonuses. 20% pay rises don't fund themselves you know! And all those conferences in Bermuda need to be covered...
Yes. Whatever problems there are with the EU, they do speak up for peoples rights (far more than the government, for sure)
That's why corporations - especially in big trading areas such as America hate them and their regulations.
That's why Trump, Putin etc. would LOVE us to leave the EU.
But we Brits would never be so stupid as to vote to leave, right? :-(
The thing is.... Change what?
It's not critical to infrastructure. The only people who have ever used my entry in my 20 odd years of being on it are domain-renewal company scammers, domain sellers (ok, so if I own ***.com why the hell would I be interested in buying my***.com ***online.com or ***web.com ?) and the domain registrar themselves (who have access to thus information via my private billing information anyway)
I can understand the purpose back in the days when only real companies got domains - after all, no legitimate company would want to hide that information.
And there's probably a good case to still require it for these types of domains (though it's something that could be required not by Icann, but by third parties - i.e. barclaycard refusing to be usable on a site with dodgy or anonymous info)
But even then, still, it's not a technical issue. Registrars have the information already. DNS and the rest of the internet don't require it.
What time do they need? They could literally demand that every registrar disables it within 24 hours, and the ONLY things that MAY break are the sweet deals they have with those who want to plunder our information.
So yes, good on the EU to see through their bullshit (we need a *bullshit* icon!)
ICANN have been stuck with the US IP lobby (Disney, Universal etc). They demand that their automatic "Google latest film/follow link/check content/whois/invoice in the mail" system has to work, and they won't allow any change that breaks it. Due process is for schmucks.
Never mind that any non-5I's registrar will simply ignore any subpoena from a US media giant.
"Still waiting for the balkanization of the Internet, where businesses who refuse to play ball and can't be fined by the EU (due to lack of presence) are simply blocked wholesale."
You've overlooked market forces. If as a European resident I want the protection of GDPR and I'm currently registered with such a business I simply move my registration to where my privacy is protected*. The rogue US registrars can either play ball or lose customers.
*I did this a long time ago anyway.
If foreign businesses want to collect money from customers in the EU, they have to have some sort of presence here to collect said money. For example Facebook could presumably retreat completely from Europe, but then they'd have no way of making money on advertising to EU customers. And that's a lot of money, even for Facebook. So they either behave or do without the business.
Charles 9,
Money. Money is the way to solve jusidiction problems on the internet.
If an online registrar is failing to comply with the GDPR, then that means they got some European persons data when that person registered with them. So OK. they're in a third country. No matter. That European person had to pay them. Bang! The EU can pass rules to tell the credit card companies or banks not to deal with them.
It's a hassle, and therefore only worth doing when it's important. But if Google and Facebook don't jump-to and deal with some of their more egregious privacy-invasion, fake-news spreading and general shit - then this is the way they can be dealt with, even if they close all their EU offices.
If you follow the money, you will mostly eventually reach someone that you can force to act. And by forcing them to act and/or cutting off the money, you can force actions up the supply chain to the real miscreants.
re: but if the cost of compliance means too many headaches, it may, as they say, not be worth it. That's why the phrase "strangled by red tape."
The trouble is that the US is starting from a very low base, so GDPR will be causing headaches as it seems to be requiring a level of thinking and compliance not previously required in corporate America.
It is not clear whether GDPR actually increases compliance workload (ie. the administration and paperwork that is associated with being "strangled by red tape" or it simply requires a different way of thinking about personal data; once you've adopted that viewpoint, there is little appreciable difference. However, if currently, you do very little or no compliance, you may perceive compliance as being strangled by red tape...
"But what about foreign businesses with no physical presence in the EU?"
If they want my custom they have to compete with businesses in the EU who are playing by the rules. So either they play too or else they lose out. What GDPR provides is a set of rules respecting the rights of the European customer. Within Europe that provides a level playing field. I can choose vendor A, B or C and be sure I have the same protection for my rights and, depending on their competence, must have more or less similar costs to achieve it. So why on Earth, if I value those rights, would I choose sleazy vendor D who provides an inferior, cheap and nasty product?
I don't know if there will be a lot of fines handed out, but it will be bargaining chip. When a European company gets an enormous fine from a US regulator (eg Volkswagen), an EU government might retaliate with a GDPR investigation on some US company. Or both sides might talk in the background and agree on silly small fines all round to keep things friendly.
Ever since an incident with the magicians rabbit having rabies I have been wary of people pulling things out the hat at the last minute. I try to live in hope that somebody will come up with a truly inspired solution ushering in a golden age of the Internet but the nagging doubt remains we will be handed a fecal matter sandwich then gouged for breath mints.
Recently we read about Nominet.UK and the actions it will be taking to comply with GDPR. Would be interesting to see what the other EU member gTLD registrars are doing about GDPR...
I like that .europeregistry.com (an australian HQ'd business) is still offering a "Local presence service is available for foreign registrants to meet the registration requirements of this domain name." for .eu, .fr
etc. domain names.
Seems like ICANN has gone into full blown petulant child mode. You've told it a hundred times already it can't have a cookie because it's nearly dinner time, but you only get a whiny: "but, but, why can't I have a cookie??" for your troubles. Over and over and over.
Therefore, from my POV, ignoring GDPR regarding WHOIS is fine with me. Sorry EU. But knowing who owns a website should be publicly available knowledge. It's the anonymous cowards of the Internet that create its must annoying and bullying problems. How many people would pull cruel trolling moves on others if they were forced out of their anonymity? Knowing who everyone is means taking personal responsibility for one's behavior. Therefore, keep WHOIS, if not strengthen it by removing anonymization and delisting. Stand up when you speak up! Shouting an opinion while ducking behind the back of the gallery makes no sense.
Tyrants don't pay attention to anonymous cowards speaking 'truth' to power. Know what I mean?
So you want to receive hundreds or thousands of phone calls and physical letters asking you to "renew your domain"?
Or threats of personal violence against you and your family from people who disagree with things on your website?
Those are the actual, real consequences of the ICANN whois system putting this personal information online.
There is genuinely no purpose whatsoever for personally-identifiable whois data. None.