Tag Archives: GDPR

APWG and M3AAWG Survey Finds ICANN’s GDPR Response Impeding Cyber Investigations

A joint APWG-M3AAWG survey of over 300 cybercrime responders and anti-abuse personnel indicates that ICANN’s Temporary Specification, its response to the European Union’s General Data Protection Regulation as it applies to domain name WHOIS data, has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages, and has markedly impeded routine mitigations for many kinds of cybercrime.

With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or victims of abuse has irreparably eliminated investigators’ capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data uses a pseudonym, according to Peter Cassidy, Anti-Phishing Working Group (APWG) Secretary General.

According to survey respondents, ICANN’s Temporary Specification for gTLD Registration Data, established in May 2018 in response to the GDPR, impedes investigations of cybercrime, from ransomware attacks to the distribution of state-sponsored strategic disinformation. Analysis of the survey responses reveals that:

  • Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  • Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.

“The biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,” one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.

APWG and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) concluded their analysis with recommendations for ICANN to:

  • Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
  • Restore redacted WHOIS data of legal entities.
  • Adopt a contact data access request specification for consistency across registrars and gTLD registries.
  • Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
  • Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
  • Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.
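The hash-as-proxy recommendation above is the one item in this list that describes a technique, and it has a failure mode worth seeing. A hash of a redacted contact element (say, the registrant email) still lets investigators pivot between domains, because equal inputs give equal tokens. But if the hash is unkeyed, anyone can test a guessed address against a published token, so a low-entropy field like an email is deanonymised with a wordlist. The following Python is an added example, not part of the survey report or of any ICANN specification; the registration records, the attacker’s wordlist and the key are constructed here for illustration. It shows the same correlation working with both an unkeyed SHA-256 token and an HMAC-SHA256 token, and shows the dictionary attack succeeding against the former and failing against the latter when the attacker lacks the key.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample registrations (domains and e-mail addresses are invented for
# this example; the e-mail field stands for a WHOIS contact element that the
# Temporary Specification redacts from public output).
RECORDS = [
    {"domain": "example-bank-login.test", "registrant_email": "jsmith@mail.example"},
    {"domain": "secure-verify-acct.test", "registrant_email": "jsmith@mail.example"},
    {"domain": "flowershop.test", "registrant_email": "flora@shop.example"},
    {"domain": "bank-update-now.test", "registrant_email": " JSmith@Mail.Example "},
]

# Constructed attacker wordlist: harvested or guessed addresses to test against a token.
CANDIDATE_EMAILS = [
    "admin@shop.example",
    "flora@shop.example",
    "jsmith@mail.example",
    "john.smith@mail.example",
]

# Assumed: the party publishing the tokens (a registrar or registry) holds this key.
# It is generated fresh here so the example runs stand-alone.
DEMO_KEY = secrets.token_bytes(32)


def normalise(value):
    """Canonicalise a contact element so trivial variants yield one token."""
    return value.strip().lower()


def plain_token(value):
    """Unkeyed SHA-256 of the contact element. Deterministic and key-free, so any
    party can both correlate tokens and test guesses against them."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def keyed_tokeniser(key):
    """Return a tokeniser using HMAC-SHA256 under `key`. Tokens stay deterministic
    for correlation, but a guess can only be verified by someone holding the key."""
    def token(value):
        return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return token


def correlate(records, tokenise):
    """Group domains whose redacted contact element maps to the same token.
    Returns only groups with more than one domain, i.e. the pivots an investigator
    would follow to find other registrations by the same actor."""
    groups = defaultdict(list)
    for rec in records:
        groups[tokenise(rec["registrant_email"])].append(rec["domain"])
    return {tok: sorted(doms) for tok, doms in groups.items() if len(doms) > 1}


def dictionary_attack(token, candidates, tokenise):
    """Try to recover the contact element behind `token` by tokenising each guess
    with whatever function the attacker is able to compute."""
    for guess in candidates:
        if hmac.compare_digest(tokenise(guess), token):
            return normalise(guess)
    return None


if __name__ == "__main__":
    target = "jsmith@mail.example"
    print("unkeyed: groups    =", correlate(RECORDS, plain_token))
    print("unkeyed: recovered =", dictionary_attack(plain_token(target), CANDIDATE_EMAILS, plain_token))
    keyed = keyed_tokeniser(DEMO_KEY)
    print("keyed:   groups    =", correlate(RECORDS, keyed))
    # The attacker does not hold DEMO_KEY, so the best available guess function is the unkeyed hash.
    print("keyed:   recovered =", dictionary_attack(keyed(target), CANDIDATE_EMAILS, plain_token))
```

Equality is all correlation needs, so the keyed tokens are as useful as the plain ones to anyone who sees them; the key only decides who can verify a guess. The flip side, for the “across data resources” goal in the recommendation, is that tokens published by different registrars only match if they are computed under the same key, which means either a shared key or a single tokenising party, an operational choice the recommendation leaves open.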

The survey report was submitted to ICANN on 18 October 2018 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.

The full survey can be found at www.m3aawg.org/WhoisSurvey2018-10 or docs.apwg.org/reports/ICANN_GDPR_WHOIS_Users_Survey_20181018.pdf.

ICANN: Data Protection/Privacy Update Webinar – 8 October

ICANN today [27 Sep] announced that it will hold a webinar on 8 October 2018 from 15:00 to 16:00 UTC to provide an update on recent ICANN data protection and privacy activities related to the European Union’s General Data Protection Regulation (GDPR).

To facilitate global participation, interpretation services will be available in Arabic, Chinese, French, Portuguese, Russian, and Spanish. Participants are encouraged to submit questions prior to the call by email to gdpr@icann.org. We will also hold a question and answer period at the end of the webinar. A full recording of the webinar will be published on icann.org for future reference.

Webinar Details & How to Attend:

Date: 8 October 2018
Time: 15:00 – 16:00 UTC
Join via Adobe Connect
View Dial-in Information

Participant Codes:

English – Participant Code: 9001
Français – Participant Code: 9002
Español – Participant Code: 9003
中文 – Participant Code: 9004
Pусский – Participant Code: 9005
العربية – Participant Code: 9006
Português – Participant Code: 9007

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-09-27-en

German Courts Rebuff ICANN For Fourth Time Over WHOIS/GDPR Data Collection

ICANN has suffered another setback in its effort to require registrars to keep collecting the full set of domain name registrant contact details. The Higher Regional Court in Cologne has rejected ICANN’s plea to reconsider the Court’s own earlier decision, which followed the introduction of the European Union’s General Data Protection Regulation earlier this year.

ICANN has been pursuing a preliminary injunction from the German courts to require EPAG, an ICANN-accredited registrar based in Bonn, Germany, and part of the Tucows Group, to continue collecting elements of WHOIS data as required under ICANN’s Registrar Accreditation Agreement (RAA), the contract that permits the registrar to sell domain name registrations in generic top-level domains.

Last week ICANN received a ruling from the Higher Regional Court in Cologne (the “Appellate Court”) rejecting the request for review (“plea of remonstrance”) that ICANN had filed on 17 August 2018. The plea sought to continue the immediate appeal in the ICANN v. EPAG injunction proceedings, which ICANN initiated to seek the courts’ assistance in interpreting the European Union’s General Data Protection Regulation (GDPR) so as to protect the data collected in WHOIS. The Appellate Court again determined that it would not issue an injunction against EPAG.

This is the fourth time the German courts have rebuffed ICANN’s attempts to have EPAG comply with the RAA. On 30 May the Regional Court in Bonn determined that it would not issue an injunction against EPAG. ICANN appealed on 13 June, and on 18 July the Regional Court declined to change its original determination and referred the matter to the Higher Regional Court in Cologne. On 3 August ICANN announced that the Appellate Court had decided the injunction proceedings, again determining that it would not issue an injunction against EPAG.

In making its ruling, the Appellate Court found that the preliminary injunction proceeding does not provide the appropriate framework for addressing the nature of the contractual disputes at issue, and that a decision in preliminary proceedings does not appear to be urgently needed. Again, the Appellate Court did not address the merits of the underlying issues with respect to the application of GDPR as it relates to WHOIS.

ICANN is continuing to evaluate its next steps in light of this ruling, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

On 25 May, the day the European Union’s General Data Protection Regulation came into force, ICANN filed a legal action against EPAG. The action arose from a disagreement between Tucows and ICANN on how the GDPR should be interpreted with respect to their contracts.

In a post outlining the company’s position back in May, EPAG’s Ashley La Bolle wrote that the “GDPR begins with a statement of its core principle: ‘The protection of natural persons in relation to the processing of personal data is a fundamental right.’ Tucows has long been concerned with privacy and the rights of our customers, and takes the principles enshrined in this law extremely seriously.

“In order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.”

ICANN’s response to the GDPR came just over a week before the EU-wide data protection regulation came into force, and two years after it was adopted. The “Temporary Specification”, as La Bolle writes, was “meant to temporarily bring gTLD registration services in line with the GDPR. The goal of the Specification is to serve as a stop-gap while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy.” EPAG has three concerns with the Temporary Specification, relating to “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.

ICANN: Data Protection/Privacy Update Webinar Scheduled for 26 September

ICANN today [13 Sept] announced that it will hold a webinar on 26 September 2018 from 15:00 to 16:00 UTC to provide an update on recent ICANN data protection/privacy activities related to the European Union’s General Data Protection Regulation (GDPR).

Participants are encouraged to submit questions prior to the call by email to gdpr@icann.org. We will also hold a question and answer period at the end of the webinar. A full recording of the webinar will be published on icann.org for future reference.

Webinar Details & How to Attend:

Date: 26 September 2018
Time: 15:00 – 16:00 UTC
Join via Adobe Connect
View Dial-in Information

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-09-13-en

Has GDPR Contributed To Spam Decline? 2 Organisations Say It’s Too Early To Tell

Recently threat intelligence organisation Recorded Future published a blog post suggesting “spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules.”

The General Data Protection Regulation, which came into force on 25 May, seeks to give individuals more control over their personal data and to simplify data protection regulation in the European Union to one rule for all member states. Recorded Future published spam volumes compiled by Cisco, which found that “on May 1, 2018, the total volume of email was 433.9 billion messages; spam accounted for 370.04 billion messages, or 85.28 percent of all email. On August 1, 2018, the total volume of messages was 361.83 billion, with 85.14 percent, or 308.05 billion messages, identified as spam. While the total volume of email fell precipitously, most likely due to a combination of seasonal email fluctuations and as the result of newly enforced privacy standards, the percentage of spam remained roughly the same.”

Recorded Future concluded: “Spam is still a big problem, but it has not become a bigger problem, contrary to popular opinions among security researchers.”

Spamhaus has taken a similar view. They note “the real answer is that it is far too early to tell.”

“Before GDPR came into effect, records such as a domain’s registered owner and registered contacts could be looked up in WHOIS databases maintained by individual registrars governed by ICANN.”

“WHOIS information was used by researchers in organisations such as Spamhaus to help determine a domain’s reputation. Domains determined from this and other factors to have a bad reputation would have potentially been listed on our Domain Block List (DBL).”

Spamhaus goes on to note that “whilst the lack of some of this information is tiresome and makes a security researcher’s job a little more difficult, it isn’t insurmountable. Spam will be blocked. Domains will continue to be added to our DBL and email will be filtered accordingly.”

“It’s true, spam rates have dropped marginally since May 2018. Spamhaus never anticipated a tsunami of spam to follow GDPR, however current claims that spam has fallen as a result of GDPR are unconvincing.

“Of course, it could be that legitimate companies, who are concerned about being GDPR compliant, have started purging email lists and are sending less ‘legit’ spam. However, one needs to remember that spam from legitimate companies accounts for a very small percentage of overall spam numbers, so any reduction in this area would have a minute impact on the figures.

“Another theory could be that due to the changes on WHOIS fewer bad domains are being identified and therefore some anti-spam systems are flagging less email.

“Nonetheless, this small reduction in spam is more than likely down to the natural ebb and flow of spam volumes, which have always been highly variable, just like botnet traffic.”

Spamhaus note there could be “numerous non-GDPR related reasons as to why there’s been a recent drop in spam email ranging from the spambots which are currently in operation (or not in operation as the case may be) to who has been arrested recently!”

So Spamhaus say there’s “no hard evidence we have seen proving that this current decline in spam is as a direct result of GDPR…it will be interesting to see what the volumes of spam are like over Black Friday and the subsequent Christmas holidays.”

They also suggest the drop in spam levels being attributed to the GDPR is a “vacuous claim, unless it’s worth considering that snowshoe spammers don’t need as many new identities now that their current ones are withheld on WHOIS.”

“A more likely explanation to the drop in domain name registrations could be something as simple as top-level domains (TLDs) not having run any ‘specials’ recently (everyone loves a bargain, even a cybercriminal).”

But Spamhaus suggests that prohibiting personal details being visible on Whois “will hamper, if not stop, organisations being able to join the dots and identify gangs of professional cybercriminals who have a mechanism of fraud that is proving successful.”

According to Spamhaus “researchers collect all kinds of information from WHOIS. This data allows us to identify patterns in spamming activity, and build intelligence to attribute it to specific spam gangs.”

Whois data are “small but critical pieces of data [that] can become crucial to investigations later down the line, although they may not be obvious at the time. This evidence can assist law enforcement agencies to pursue these prolific gangs who are defrauding significant amounts of people of vast quantities of money” with “even fraudulent information that is used in a WHOIS record can be used against criminals.”

ICANN Loses Another Round in Battle Over Whois and GDPR With EPAG

ICANN announced on Friday that it had lost another round in its battle to get EPAG, a subsidiary of Tucows, to comply with its “Temporary Specification” on the collection of domain name registrant data.

For the third time the German courts have ruled against ICANN. This time the Appellate Court determined that it would not issue an injunction against EPAG. In making its ruling, ICANN explains in its announcement, “the Appellate Court stated that the interpretation of provisions of the GDPR was not material to its decision, so there was no obligation to refer the matter to the European Court of Justice.”

“Rather, the Appellate Court simply found that it was not necessary for it to issue a preliminary injunction to avoid imminent and substantial disadvantages, and noted that ICANN could pursue its claims in the main proceedings in order to enforce the rights it asserts.”

Kieren McCarthy, a former ICANN staffer who is now (again) a journalist covering the domain name industry, tweeted on the news:

#ICANN has lost its #Whois legal case yet again. And its insistence that the matter be referred to the ECJ has been refused. Just how bad does it have to get before this critical org gets itself some proper legal advice?

ICANN is seeking to have EPAG reinstate collection of administrative and technical contact data for new domain name registrations. To comply with the European Union’s General Data Protection Regulation, ICANN sought to have all of its roughly 2,500 accredited registrars and registries continue to collect “thick” data, while anyone conducting a Whois search would receive only “thin” data in return: technical data sufficient to identify the sponsoring registrar, the status of the registration, and the creation and expiration dates of each registration, but no personal data.

However, Tucows took the view that ICANN’s Temporary Specification was not compliant with the GDPR. It had problems with three core issues: the collection, transfer, and public display of the personal information of domain registrants and the other contractually mandated contacts.

This led to a dispute over how the GDPR affects EPAG’s registrar accreditation agreement. Tucows wrote: “The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data.”

ICANN notes that it is now considering its “next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralised global WHOIS for the generic top-level domain system and will provide additional information in the coming days.”

ICANN: German Regional Court to Revisit Ruling in Injunction Proceedings on Request to Preserve WHOIS data

ICANN was informed Thursday that the Regional Court in Bonn, Germany, has decided to revisit its ruling in the injunction proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group.

On 13 June 2018, ICANN appealed the Regional Court’s initial decision to reject ICANN’s application for an injunction, in which ICANN sought a court order requiring EPAG to reinstate collection of administrative and technical contact data for new domain name registrations.

Upon receipt of an appeal, the Regional Court has the option to re-evaluate its decision that is being appealed, or affirm its decision and immediately forward the matter to the Higher Regional Court for consideration of the appeal.

In this instance, the Regional Court has decided to revisit its initial decision and has asked EPAG to comment on ICANN’s appellate papers within two weeks.

ICANN is pursuing this matter as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system. To that end, ICANN continues to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the European Union’s General Data Protection Regulation (GDPR).

Background:

On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties that demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.

ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018, it would no longer collect administrative and technical contact information when it sells new domain name registrations. EPAG believes collection of that particular data would violate the GDPR. ICANN’s contract with EPAG requires that information to be collected.

EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.

On 30 May 2018, the Regional Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement, or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

On 13 June 2018, ICANN appealed the Regional Court’s ruling to the Higher Regional Court of Cologne, Germany, and again asked for an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.

ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-3-2018-06-21-en

ICANN Appeals German Court Decision on GDPR / WHOIS

ICANN today (13 June) appealed a decision by the Regional Court in Bonn, Germany not to issue an injunction in proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. The appeal was filed to the Higher Regional Court of Cologne, Germany.

ICANN is asking the Higher Regional Court to issue an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.

The Regional Court in Bonn rejected ICANN’s initial application for an injunction, in which ICANN sought to require EPAG to collect administrative contact and technical contact data for new domain name registrations.

If the Higher Regional Court does not agree with ICANN or is not clear about the scope of the European Union’s General Data Protection Regulation (GDPR), ICANN is also asking the Higher Regional Court to refer the issues in ICANN’s appeal to the European Court of Justice.

ICANN is appealing the 30 May 2018 decision by the Regional Court in Bonn as part of ICANN’s public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

“We are continuing to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR,” said John Jeffrey, ICANN’s General Counsel and Secretary. “We hope that the Court will issue the injunction or the matter will be considered by the European Court of Justice.”

Background:

On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties who demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.

ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018 when it sells new domain name registrations, it would no longer collect administrative and technical contact information. EPAG believes collection of that particular data would violate the GDPR. ICANN’s contract with EPAG requires that information to be collected.

EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.

On 30 May 2018, the Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-06-13-en

DENIC Restricts Publicly Available Registrant Data Following GDPR Introduction

DENIC has introduced significant changes to the data publicly available through Whois queries for .de domain names. As a result of the European Union’s General Data Protection Regulation (GDPR), which came into effect on 25 May, registrant data is now drastically restricted and disclosed only to public authorities acting within their legal powers and, case by case, to parties who demonstrate a legitimate interest.

For the German country code top-level domain (ccTLD), DENIC now records, alongside the contact details of the domain name registrant (name, email and postal address), only two additional email addresses for contact purposes and the technical data of the domain name.

The two email addresses recorded in addition to the registrant data will be non-personalised. They will be under the registrar’s responsibility and will serve as points of contact for general and technical requests as well as for enquiries or notifications about a possible unlawful or improper use of the domain. Also, DENIC will continue to record such technical data, including name server or DNS key information, that is needed to establish the functionality of the domain.

In addition to the domain status data (“registered”/”unregistered”), as of 25 May, only the domain name’s technical data and the two email addresses for the specified contact purposes (General Request and Abuse) will be available via the Domain Query. Those data relating to the technical contact and zone administrator (Tech-C, Zone-C) as well as to the administrative contact (Admin-C) previously output here will no longer be recorded and consequently not displayed anymore.

DENIC will still provide registrant data where legally required to public authorities acting within the framework of their public powers (including law enforcement, hazard prevention or seizing orders). DENIC will also disclose registrant data, on the basis of case-by-case assessments and upon submission of evidence of a legitimate interest, to such parties who own a right to a name or trademark that may be violated by the domain, or to such claimants who have obtained an enforceable title against the domain registrant and seek judicial seizure of the registrant’s claims defined in the domain contract, under civil law. In all other cases, DENIC will provide no information on the registrant.

For evaluating the legitimate interest of enquiries and for the subsequent provision of the relevant data, DENIC will use both automated and non-automated processes.

DENIC’s amended policies as laid down in the DENIC Domain Terms and Conditions and DENIC Domain Guidelines are published on the DENIC website.

ICANN Finally Approves Temporary Specification To Comply With EU’s GDPR, With 7 Days To Spare

The European Union’s General Data Protection Regulation was adopted on 14 April 2016 and, after a two-year transition period, becomes enforceable on 25 May 2018. Yet despite this timeframe, ICANN only approved a Temporary Specification for gTLD Registration Data to comply with the GDPR on 17 May, with a draft published on 11 May. That gives registries and registrars 7 days to finalise and implement changes to their systems, or 14 days if they started when the draft was published. That is, if they waited for ICANN’s snail-like process to run its course.

The GDPR was developed by the European Union to give individuals more control over the data that businesses hold about them, including domain name Registries and Registrars. It also applies to businesses outside the EU that hold data on citizens and residents of the EU. Its impact is far-reaching and the penalties for breaches are severe: fines of up to €20 million or up to 4% of annual worldwide turnover, whichever is greater.

ICANN’s approval of a Temporary Specification [pdf] is the result of 12 months of consultation with the community and “is an important step towards bringing ICANN and its contracted parties into compliance with GDPR,” said ICANN’s Chair Cherine Chalaby. “While there are elements remaining to be finalised, the adoption of this Temporary Specification sets us on the right path to maintaining WHOIS in the public interest, while complying with GDPR before its 25 May enforcement deadline.”

One can’t help but feel it’s an extraordinary failure by ICANN and the community given the time they’ve had to develop a solution. The Temporary Specification will be revisited by the ICANN Board in 90 days, if required, to reaffirm its adoption. And whether the Temporary Specification satisfies European data protection regulators remains to be seen: in early April the Article 29 Data Protection Working Party, the advisory body of the EU’s national data protection authorities, wrote to ICANN [pdf] noting they weren’t satisfied with what ICANN had then proposed.

So what will happen on 25 May? Registry Operators and Registrars will still be required to collect all WHOIS information for generic top level domains (gTLDs). However, public WHOIS queries will only return “thin” data: technical data sufficient to identify the sponsoring Registrar, the status of the registration, and the creation and expiration dates for each registration, but no personal data. Third parties with a legitimate interest in the non-public data held by the Registry Operator or Registrar can still request it: queries can be made through the sponsoring Registrar, which is obligated to respond in a reasonable time. If no response is received, ICANN will have a complaint mechanism available, and if individual parties are thought not to be complying with their obligations under the Temporary Specification or their agreements with ICANN, a complaint can be filed with ICANN’s Contractual Compliance Department.

The changes are not unlike those being implemented by several European country code top level domain (ccTLD) registries. And while quite a few Registries and Registrars will have been waiting (or rather sweating) on ICANN’s announcement this week, some decided they couldn’t wait and have been developing solutions based on what they expected ICANN’s response to be.

Within Europe, some ccTLDs, such as the Austrian registry nic.at, have implemented a “thin” model for individuals registering domain names, while legal entities and businesses continue to have “thick” WHOIS data published. Others, such as DENIC, the German ccTLD registry, will record only the contact details of the domain name registrant, two additional email addresses as contact points for abuse reports and for general and technical requests, and the usual technical domain data, which is similar to the ICANN model.

Registrars are frustrated. One, the German EPAG, which is part of the Tucows group, spoke of their frustrations to Domain Pulse at the Domain Pulse conference (unrelated) in Munich in February.

“We wish that ICANN had started work on this a year ago,” said Ashley La Bolle, Managing Director of EPAG Domainservices GmbH. “Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”

“The domain industry has been really late to the game on GDPR implementation,” La Bolle went on to say. She noted how frustrating it was that the entire industry was slow to develop solutions and that solutions were only beginning to be finalised back then. The changes require significant resources to be thrown at implementing changes. In an industry that operates on razor-thin margins, it’s not an ideal situation.

“The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.”

It has also been claimed that the changes will be a boon for cybercriminals. Krebs on Security acknowledges that “cybercriminals don’t use their real information in WHOIS registrations”, but notes that “ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.” And while some cybercriminals do take advantage of privacy protection services, “based on countless investigations I have conducted using WHOIS to uncover cybercrime businesses and operators, I’d wager that cybercrooks more often do not use these services.”
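The attribution step Krebs describes, and that the “thin” output described above removes, is a pivot on reused registration data: take one known-bad domain, find every other domain whose registrant fields carry the same email or phone. The following is an added example for this page, not code from the article, from Krebs on Security, ICANN or any registrar. Every domain, registrar and contact value in it is constructed, and the redaction strings it recognises are assumptions, not any registrar’s actual output. It parses “Key: Value” WHOIS records, pivots on registrant fields, and shows that a post-25-May record links to nothing on those fields, while the technical data that remains public (here, name servers) still can.

```python
"""Pivoting on reused WHOIS registration data before and after GDPR redaction.

Added example for this page, not code from the article, Krebs on Security,
ICANN or any registrar. Every domain, registrar and contact value below is
constructed; the redaction strings are assumed, not any registrar's real output.
"""
from collections import defaultdict

# Assumed placeholders a registrar might print instead of personal data
# (matched case-insensitively by prefix).
PLACEHOLDERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "PLEASE QUERY THE RDDS SERVICE")

# Constructed pre-25-May "thick" records: two lure domains sharing a registrant
# email (same actor, different registrars), plus an unrelated domain.
THICK_A = """\
Domain Name: example-lure-one.test
Registrar: Example Registrar, Inc.
Creation Date: 2018-03-02T10:11:12Z
Registrant Name: J. Doe
Registrant Organization:
Registrant Email: jdoe.bulkreg@mailbox.test
Registrant Phone: +1.5555550100
Name Server: ns1.example-host.test
Name Server: ns2.example-host.test
"""
THICK_B = """\
Domain Name: example-lure-two.test
Registrar: Other Registrar LLC
Creation Date: 2018-03-05T08:00:00Z
Registrant Name: John D
Registrant Email: JDoe.BulkReg@mailbox.test
Registrant Phone: +1.5555550199
"""
THICK_C = """\
Domain Name: unrelated-shop.test
Registrar: Example Registrar, Inc.
Registrant Name: Shop Owner
Registrant Email: owner@unrelated-shop.test
"""
# Constructed post-25-May "thin" record from the same campaign: contact fields
# replaced by placeholders; registrar, dates and name servers remain.
THIN_D = """\
% constructed sample, not a real WHOIS response
Domain Name: example-lure-three.test
Registrar: Example Registrar, Inc.
Creation Date: 2018-05-26T12:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Registrant Phone: REDACTED FOR PRIVACY
Name Server: ns1.example-host.test
"""

def parse_whois(text):
    """'Key: Value' lines -> {key: [values]}. Repeated keys keep every value;
    blank values and '%'/'#'/'>>>' comment lines are dropped. Splitting on the
    first ':' keeps timestamps in values intact."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()].append(value.strip())
    return dict(fields)

def values(record, key):
    """All values of `key` that are not redaction placeholders."""
    return [v for v in record.get(key, []) if not v.upper().startswith(PLACEHOLDERS)]

def registrant_attributable(record):
    """True if any registrant contact field survived redaction."""
    return any(values(record, k) for k in
               ("Registrant Name", "Registrant Email", "Registrant Phone"))

def pivot(records, key):
    """Group domains by shared (case-folded) values of `key`: the 'find other
    domains registered by the same actor' step. Placeholders link nothing."""
    groups = defaultdict(set)
    for rec in records:
        for domain in values(rec, "Domain Name")[:1]:
            for value in values(rec, key):
                groups[value.lower()].add(domain.lower())
    return dict(groups)

def linked_domains(records, seed, keys=("Registrant Email", "Registrant Phone")):
    """Domains sharing any value of `keys` with `seed` (seed itself excluded)."""
    linked = set()
    for key in keys:
        for domains in pivot(records, key).values():
            if seed.lower() in domains:
                linked |= domains
    linked.discard(seed.lower())
    return linked

RECORDS = [parse_whois(t) for t in (THICK_A, THICK_B, THICK_C, THIN_D)]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["Domain Name"][0], "attributable:", registrant_attributable(rec))
    print("registrant pivot:", linked_domains(RECORDS, "example-lure-one.test"))
    print("name-server pivot:",
          linked_domains(RECORDS, "example-lure-three.test", ("Name Server",)))
```

Run stand-alone, the registrant pivot from example-lure-one.test finds example-lure-two.test despite the differing name, phone and registrar, because the email was reused; the redacted example-lure-three.test links to nothing on registrant fields. Pivoting it on the still-public name server does link it back to example-lure-one.test, which is why practitioners lean on technical data (name servers, creation-date clusters, registrar) once contact data is gone, and why that data is far weaker for attribution than a reused email.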

Krebs also notes that while “it is true that the European privacy regulations as they relate to WHOIS records do not apply to businesses registering domain names … the domain registrar industry — … operates on razor-thin profit margins and which has long sought to be free from any WHOIS requirements or accountability whatsoever.” Krebs believes they “won’t exactly be tripping over themselves to add more complexity to their WHOIS efforts just to make a distinction between businesses and individuals.”

“As a result, registrars simply won’t make that distinction because there is no mandate that they must. They’ll just adopt the same WHOIS data collection and display polices across the board, regardless of whether the WHOIS details for a given domain suggest that the registrant is a business or an individual.”