Tag Archives: General Data Protection Regulation

Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates

[New York Times] When Europe enacted the world’s toughest online privacy law nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world’s largest technology companies.

Now, the law is struggling to fulfill its promise.


Chris Disspain Looks At The Highlights of 2019 And What His Final Year On The ICANN Board Might Hold

In the latest Domain Pulse Q&A series looking at the year in review and year ahead, we speak to ICANN board member Chris Disspain. Chris discusses the progress of the next round of new gTLD applications, the challenges GDPR has thrown at ICANN relating to WHOIS, a 2019 highlight in the finalisation of the new strategic plan, especially the way the ICANN community focused and pulled together to get it done, and what the future may hold for him after he completes his term on the ICANN board. He would also like to see a little more kindness “in the ICANN context”.

Domain Pulse: What were the highlights, lowlights and challenges of 2019 in the domain name industry, both for you and/or the industry in general?

Chris Disspain: The challenge of GDPR and its relevance to WHOIS has consumed an immense amount of time in 2019. And universal acceptance is a real issue for many especially but not exclusively in the IDN world.

The finalisation of the new strategic plan has been a highlight especially the way that the ICANN community focused and pulled together to get it done. And the streamlining of reviews work!

There are always lowlights. Calling them out isn’t necessarily helpful.

DP: What are you looking forward to in 2020?

CD: Enjoying my last year as a board member, making a difference and riding off into the sunset….. only to return later in 2021 wearing a different hat…..Or perhaps not!

DP: What challenges and opportunities do you see for the year ahead?

CD: Every issue has both challenges and opportunities… Some examples for us are GDPR, various contractual matters, the sub-pro work, ccNSO work on retirement of ccTLDs, the ongoing work on IGOs acronyms, the ongoing community work-load and so on.

DP: How have new gTLDs fared in 2019?

CD: Some good, some bad I expect. But given that different gTLDs have different measures of success that’s quite a hard question to address. A brand likely doesn’t care about registration levels. A geographic may have a limited market and be happy with that. I guess the only real test will be to see what sort of applications come in in a next round.

DP: What progress do you see on a new round of applications for new gTLDs in 2020?

CD: Significant but it’s a long track that needs to be carefully navigated. As a board member (actually the only current board member) who was on the board from the beginning of the last gTLD round I know many of the issues that will need to be dealt with in the updated policy. Some of these are complicated and contentious but I’m hopeful that with the extraordinary work of the Sub-pro WG and the support of the community generally we’ll get there reasonably soon.

DP: What one thing would you like to see addressed or changed in the domain name industry?

CD: Well, in the ICANN context, I think a little more kindness would be good. And a ‘fix’ for the structural challenges within the GNSO would make a huge difference to the ability of the ICANN multi-stakeholder model to deal effectively and efficiently with the constantly changing industry dynamic.

Chris was also the founding CEO of Australia’s ccTLD policy and regulatory body, auDA.

Previous Q&As in this series were with:

Q&As in the 2019 series were with:

  • EURid, manager of the .eu top level domain (available here)
  • Katrin Ohlmer, CEO and founder of DOTZON GmbH (here)
  • Afilias’ Roland LaPlante (here)
  • DotBERLIN’s Dirk Krischenowski (here)
  • DENIC (here)
  • Internet.bs’ Marc McCutcheon (here)
  • nic.at’s Richard Wein (here)
  • Neustar’s George Pongas (here)
  • CentralNic’s Ben Crawford (here)
  • CIRA’s David Fowler (here)
  • Jovenet Consulting’s Jean Guillon (here)
  • GGRG’s Giuseppe Graziano (here)
  • Blacknight Solutions’ Michele Neylon (here)
  • Public Interest Registry’s President and CEO Jon Nevett (here)
  • ICANN board member Chris Disspain (here).

US Government Reiterates Opposition to Changes to WHOIS Resulting From EU’s GDPR

The US government continues to oppose changes to Whois that it believes will have little benefit for consumer privacy and major benefits for cyber-criminals. The comments were made, again, in a speech by the NTIA’s Assistant Secretary of Commerce for Communications and Information, David J. Redl, at an FDA Online Opioid Summit in Washington, D.C. on 2 April.

In his speech, Redl said “the WHOIS is a resource that, prior to the GDPR, provided public access to domain name registration information, including contact information for the entity or person registering the domain name. This information is a critical tool that helps keep people accountable for what they do and put online. Law enforcement uses WHOIS to shut down criminal enterprises and malicious websites, including those that illegally sell opioids. Cybersecurity researchers use it to track bad actors. And it is a first line in the defense of intellectual property protection, including the misuse of opioid brand names.”

The European Union’s General Data Protection Regulation has been developed by the European Commission to give individuals more control over their data held by businesses, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. Its impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater.

“Unfortunately, when GDPR went into effect, those companies responsible for providing WHOIS stopped publishing much of the data because they feared it would make them vulnerable to the massive fines GDPR imposes for privacy violations. The U.S. government’s position on this is clear: the loss of a public WHOIS without a predictable and timely mechanism to access redacted information has little benefit for consumer privacy, and major benefits for cyber-criminals.”

But Redl says there has been some progress on this issue within ICANN. “First, ICANN put in place last year a temporary policy that clarified that WHOIS data should continue to be collected and reasonable access should be provided. This kicked off an intensive global multistakeholder discussion about how to develop a long-term solution. NTIA continues to actively push U.S. interests in these discussions. In March, policy recommendations were finalised and submitted to the ICANN Board for approval.”

Redl says he wants “to congratulate the people who have worked on developing these policy recommendations for how to handle the processing of WHOIS information in a manner that is compliant with GDPR. This was the first step we needed to ensure that the WHOIS system is preserved.”

“However, it must be noted, issues remain. Yet to be addressed is development of a technical solution, and policies associated with disclosure and access to non-public WHOIS information. Now it is time to deliberately and swiftly create a system that allows for third parties with legitimate interests, like law enforcement, IP rights holders, and cybersecurity researchers to access non-public data critical to fulfilling their missions. NTIA is expecting this second phase of the discussion to kick off in earnest in the coming weeks, and to achieve substantial progress in advance of ICANN’s meeting in Montreal in November.”

Redl concluded by saying the “NTIA remains a staunch defender of the free and open Internet. That’s not going to change. But we also aren’t going to turn a blind eye to the real issues that are raised by this freedom and openness.”

“We reject the notion that a free and open Internet must tacitly condone illegal activity. We believe there’s a path to solving these issues without turning our backs on innovation and prosperity. And that path begins with honest discussions and debates, with compromise and collaboration. So if you have concerns or solutions you’d like to offer, I invite you to talk to NTIA. We welcome all thoughtful approaches to building the Internet of the future.”

ICANN: Deadline Extended: Expressions of Interest Sought for Chair of GNSO EPDP on the Temporary Specification for gTLD Registration Data – Phase 2

The Generic Names Supporting Organization (GNSO) is extending the deadline for submitting expressions of interest (EOIs) to chair Phase 2 of the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data to Monday, 8 April 2019. Learn more about the background by reading the announcement here.

Following the initial discussions of the EPDP Team during ICANN64 (March 2019) in Kobe, Japan, the GNSO Council leadership would like to provide some further details in relation to the expected workload and pace for Phase 2:

  • The topics to be addressed in Phase 2 have been mapped out on the EPDP Team Phase 2 Mind Map.
  • Following the appointment of the EPDP Team Chair, the EPDP Team is expected to commence with 90-minute weekly meetings (potentially on Tuesday or Thursday at 14:00 UTC) but with the possibility to increase the frequency. Additional meeting(s) may be purposed for either another weekly plenary session that would focus on a different stream of work or small team(s) meetings.
  • Although there is agreement on the importance and urgency of addressing the topics in Phase 2, there is also general agreement that it is not sustainable to continue on the same pace and intensity of work as for Phase 1.
  • Additional resources, such as mediation support, are expected to be made available to support the EPDP Team Chair, in addition to the support that is already being provided by policy staff. Candidates are encouraged to include in their EOI if there is any type of support or resource that is considered essential in supporting the EPDP Team Chair in his/her role.
  • In light of this new information, the deadline for expressions of interest has been extended to Monday, 8 April 2019.

About EPDP

On 17 May 2018, the ICANN Board approved the Temporary Specification for gTLD Registration Data. The Board took this action to establish temporary requirements for how ICANN and its contracted parties would continue to comply with existing ICANN contractual requirements and community-developed policies related to WHOIS, while also complying with the European Union’s General Data Protection Regulation (GDPR). The Temporary Specification has been adopted under the procedure for Temporary Policies outlined in the Registry Agreement (RA) and Registrar Accreditation Agreement (RAA). Following adoption of the Temporary Specification, the Board “shall immediately implement the Consensus Policy development process set forth in ICANN’s Bylaws.” This Consensus Policy development process on the Temporary Specification would need to be carried out within a one-year period. Additionally, the scope includes discussion of a System for Standardized Access to Non-Public Registration Data. However, the discussion of a Standardized Access System will occur only after the EPDP Team has comprehensively answered a series of “gating questions” and non-objection by the GNSO Council.

About ICANN

ICANN’s mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2-2019-03-25-en

CentralNic’s Ben Crawford’s 2018 Highlight Was KeyDrive Merger, While nTLDs Offer Great Opportunities


Today’s Q&A sees CentralNic’s CEO Ben Crawford open up on 2018 and look ahead to 2019. Crawford’s major highlight and challenge, all rolled into one, was the merger of CentralNic and KeyDrive and re-listing on the London Stock Exchange. GDPR was a “familiar challenge” that exacerbated ‘tensions in the multi-stakeholder governance model’. Looking ahead Crawford sees more mergers and less “old-fashioned role delineations” with private equity groups becoming more involved.

In 2019 Crawford sees fewer new gTLD launches, which may create issues for those relying on continued launches for new registrations, but “a long-term significant market for affordable generic domain names, and the most remarkable fact is that so many industry veterans totally missed the opportunity.” And while the future of domain names is challenging, Crawford also sees “opportunities for using the DNS for the Internet of Things, and blockchain applications.”

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Ben Crawford: For us the obvious highlight and challenge was the merger of CentralNic and KeyDrive and our re-listing on the London Stock Exchange as the first industry player to be a world class competitor as a registry, registry backend provider, reseller platform, retail registrar and corporate registrar. We believe the rest of the industry will inevitably follow in moving away from the old-fashioned role delineations, and we see the large number of acquisitions by private equity funds (Dada Group, web.com, Donuts, one.com, etc.) in 2018 as the next step towards significant consolidation.

DP: GDPR – good, bad and/or indifferent to you and the wider industry and why?

BC: As a global company focussed on ccTLDs, we are specialists in working hand-in-glove with Governments – in many cases helping them with drafting of policies and even legislation to situate domains in a framework covering privacy, security, IP protection, etc. So for us GDPR was a familiar challenge. By contrast it was evident that it exacerbates the tensions in the multi-stakeholder governance model for the internet when certain stakeholders have the rule of law behind them.

DP: What are you looking forward to in 2019?

BC: Delivering even more excellent service to our customers and returns to our investors. From a wider industry perspective, the development of a replacement for WHOIS that works for all stakeholders is a subject close to our heart and our Registry CTO, Gavin Brown, is one of the members of the working group that ICANN have pulled together to deliver on the next phase.

DP: What challenges and opportunities do you see for the year ahead?

BC: On the challenge side, there will be very few domain launches, and that makes it tough for companies in our industry who have become addicted to launches to achieve their revenue targets. On the opportunity side, many companies that created spam fatigue among their customers with too frequent new gTLD launch emails may now have an opportunity to recover their most effective form of marketing by building the consumer confidence needed to improve open rates and click rates – GDPR permitting.

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

BC: As CentralNic Registry is the most successful backend provider for new gTLDs – with over 25% market share and 10 of the top 25 nTLDs – we actually delivered to our investors what they hoped for from the new TLDs. We are happy to see continued strength from .xyz and the Radix domains, as well as strong performances from our clients .icu and .ooo from the moment they migrated to our platform in 2018. There is obviously a long-term significant market for affordable generic domain names, and the most remarkable fact is that so many industry veterans totally missed the opportunity. Meanwhile the DotIndustry newTLDs like .design, .art and .press have strong support from their communities, while others have decided to keep their powder dry waiting for Google and Amazon to do the heavy lifting of building awareness of nTLDs before relaunching.

Similarly, as a leading registry back-end provider for DotBrand TLDs, we are seeing a lot of interest in our solutions which allow DotBrand registries to minimise their costs by integrating registry and registrar services with a single provider who is happy to provide true expert advice when they want it at no charge, instead of having pushy sales people hassling them to “activate”.

DP: Are domain names as relevant now for consumers – business, government and individuals – as they have been in the past?

BC: There is no doubt that the tech platforms like Facebook/WhatsApp, WeChat, Amazon, Alibaba and Ebay have done a great job providing SOHO/microbusinesses with tools allowing them to do business online without the need for domain names or their own websites and corporate email addresses. And indeed I believe it has harmed our industry that it is so fragmented that no company has the market power yet to successfully launch domain-based responses to those challenges. Of course, with the backlash against platforms misusing user data and enabling fake news, there is a grassroots movement towards independence from them, which means more people building their own independent websites on their own domains.

There are also opportunities for using the DNS for the Internet of Things, and blockchain applications for domains like those pioneered by .xyz and others. But again history tells us that even if these are the best technical solutions, they won’t win the market share war without the backing of bigger companies.

Previous Q&As in this series were with EURid, manager of the .eu top level domain (available here), with Katrin Ohlmer, CEO and founder of DOTZON GmbH (here), Afilias’ Roland LaPlante (here), DotBERLIN’s Dirk Krischenowski (here), DENIC (here), Internet.bs’ Marc McCutcheon (here), nic.at’s Richard Wein (here) and Neustar’s George Pongas (here).

If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

‘ICANN’s Naïve and Unprofessional GDPR Approach’ A 2018 Lowlight Says nic.at’s CEO, But Celebrating Triple .AT Anniversaries A Highlight

“ICANN’s naïve and unprofessional approach to” the EU’s GDPR was one of 2018’s lowlights, says Richard Wein, CEO of Austria’s ccTLD registry nic.at, in today’s Domain Pulse Q&A with leading industry figures, looking at the year in review and year ahead. GDPR planning dominated many European ccTLDs in the first half of 2018 to the detriment of other work, but while Wein has some concerns about the GDPR, he wonders if it is a “sledgehammer to crack a nut”. Overall he thinks it’s a positive and now he’s happy about how the team at nic.at responded to the European Union’s consumer data protection regulation. A positive highlight was nic.at celebrating 3 anniversaries: “30 years of .at, 20 years of nic.at and Stopline and 10 years of CERT.at.” Looking ahead, Wein believes ‘it’s still far too difficult to register your own domain, set up e-mail or create a new website’. Largely, Wein believes, new gTLDs haven’t lived up to expectations, with a few exceptions, and currently doesn’t believe a second round of applications is needed.

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Richard Wein: I think that the first half of 2018 was particularly shaped by the effects of the GDPR. Many registries (especially European ccTLDs) seemed paralysed and put all other plans and projects on hold. This was also the case for nic.at. ICANN’s naïve and unprofessional approach to this topic was a real disappointment, and the necessary measures were taken far too late. A “normal” company would have been punished by the markets for this kind of performance. But I am proud to say that we managed to finish the project in time with a new privacy policy and new internal processes for .at which were ready on May 25 – with a solution which was at the same time pragmatic, legally correct and end-user friendly.

The whole nic.at team had put lots of effort in this project and we can see now, 6 months later, that we took the right decisions and found a good way to deal with it.

The market changes were also exciting, especially among the gTLD registries – the sale of Donuts was a good example of this. It was also interesting to note the rather sobering registration numbers worldwide. Real (natural) growth is happening only in low single digits, so the whole industry will have to adjust to much tougher times and every market participant, whether registry or registrar, must take appropriate measures.

Our nic.at company highlight was of course the anniversaries we celebrated in 2018: 30 years of .at, 20 years of nic.at and Stopline and 10 years of CERT.at. We had a big party for our partners and were able to show all the activities and initiatives we are undertaking for Austria’s internet community.

DP: GDPR – good, bad and/or indifferent to you and the wider industry and why?

RW: Essentially, protection of data is very positive to see and any initiative in this area is to be welcomed. The only question is whether the GDPR was a sledgehammer to crack a nut. Unfortunately the original goal of putting the big data monsters such as Facebook, Google etc “on a leash” was not achieved, and yet enormous bureaucratic hurdles have been created for many companies and government agencies. It is clearly positive that awareness of data protection and sensitive (personal) data in all areas has significantly increased. After around 8 months of “live” GDPR the onslaught expected by many (including us), e.g. requests for information because there is now no public WHOIS, completely failed to materialise.

In my opinion, the world can survive very well without a public WHOIS.

DP: What challenges and opportunities do you see for the year ahead?

RW: I think the whole industry will have to make an effort to bring their products to the market in a way that is more understandable, simpler, and accessible without much (technical) know-how. In my opinion it is still far too difficult to register your own domain, then set up your own e-mail or create a new website. The subject of “digitisation” is currently on everyone’s lips, but it has negative connotations; so a lot of work must be done to convert this to a more positive, beneficial impression. This involves domains and all associated products.

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

RW: All in all (apart from a few exceptions), positive hopes and expectations have not been realised. Many of the gTLD registries are still struggling to survive, and I have not seen any evidence of the frequently described “dotbrand” hype, so the new gTLDs will probably remain a “niche” for another year. The consolidation process will continue, both with the registries and the backend providers, but also with the registrars. A few gTLDs will be established on the market (and among users), many of the others will disappear again. At the moment I do not see any need for a second round (at least from the demand side), but clearly some want to utilise their (technical and sales) scaling effects to offer new gTLDs as quickly as possible, and put them on the market.

DP: Are domain names as relevant now for consumers – business, government and individuals – as they have been in the past?

RW: A clear YES to this. If you look at the number of users of “social media”, such as FB or Instagram, there is a clear negative trend. It’s not about either/or, but businesses in particular will develop a balanced “online strategy” and this includes their own website with one (or more) domains.

Of course, there is some saturation, but there is still enough global potential to increase awareness of domains and to secure growth over the long term.

Previous Q&As in this series were with EURid, manager of the .eu top level domain (available here), with Katrin Ohlmer, CEO and founder of DOTZON GmbH (here), Afilias’ Roland LaPlante (here), DotBERLIN’s Dirk Krischenowski (here), DENIC (here) and Internet.bs’ Marc McCutcheon (here).

If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

Q&A With DOTZON’s Katrin Ohlmer on Year in Review, 2019, GDPR and Future of Domain Names

In the second of our series asking industry figures and companies to comment on their highlights and lowlights of 2018, looking ahead to 2019, the EU’s GDPR as well as the future of domain names, Katrin Ohlmer, CEO and founder of DOTZON GmbH, gives her views.

DOTZON is an international management consulting dedicated to digital identities. Since 2005 they’ve worked with companies, cities and organisations for the concept, application and operation of their own top-level domains. DOTZON helps their clients protect, establish and strengthen the digital identities of brands and companies. Since 2017 they’ve published the annual Digital City Brands study and since 2018 the Digital Company Brands study.

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Katrin Ohlmer:

Highlights
A growing interest in domain names as such, both from the business and consumer side. We’ve noticed an increased interest by various stakeholder groups on Internet Governance topics, which might lead to a shift in the Internet Governance Stakeholder Map in the next few years.

Lowlights
Stolen data sets, as in the cases of Marriott, LinkedIn and others do not give consumers the security they need. Also, the whole domain industry could still improve in terms of customer experience and customer-centric marketing and communications. In 2019, we would like ICANN to focus again on their mission “to ensure the stable and secure operation of the Internet’s unique identifier systems”.

Challenges
For sure all the new processes around GDPR, especially the closed public WHOIS.

DP: GDPR – good, bad and/or indifferent to you and the wider industry and why?

KO: Good for me as an individual since spam is extremely limited nowadays. Indifferent for a registry operator as no personal data is available to gain insights about their customer base in order to market the TLD. Bad for trademark owners who used to be able to contact registrants easily and negotiate a solution for a domain name without going to court.

DP: What are you looking forward to in 2019?

KO: I’m looking forward to seeing new creative use cases of .BRANDS following the ones we saw in 2018 like www.doc.new by Google and www.berlin.audi or www.weare.audi.

DP: What challenges and opportunities do you see for the year ahead?

KO: The challenge for the ICANN community will be two-fold: On the one hand, we will have to agree on how to handle the GDPR topic in the future. On the other hand, we will have to finalise the last steps in the review process of the last gTLD round and collect input for improvements for a new gTLD round, where we play an active role. I’m looking forward to seeing the results for both of these activities in 2019.

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

KO: Millions of domains under the new gTLDs have been registered and hundreds of thousands of great domains are in use. This is great news! But: Although there are many attractive new top-level domains, they are still a minority in the market, whether as brand, geo or generic TLDs. The market is only slowly adapting to this wider variety. However, it can be observed that the diversity is slowly but constantly increasing. We therefore expect an uptake in the long run.

DP: Are domain names as relevant now for consumers – business, government and individuals – as they have been in the past?

KO: The awareness of domain names among consumers has certainly decreased. At the same time more and more businesses go online and need a website. We therefore see a continuing demand in domains, which we can foster by delivering easy-to-use products whose features meet demands.

The first in this Q&A series was with EURid, manager of the .eu top level domain, and is available here.

If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

ICANN Reaffirms gTLD Registration Data Temporary Specification in Defiance of German Courts

Although ICANN isn’t technically American, there’s a growing difference of opinion between Europe and “America” over how to deal with the collection of domain name registrant’s registration, or Whois, data. Despite going down 4-0 to German courts in a dispute where EPAG is refusing to abide by ICANN’s requirement to collect registration data, ICANN has continued to insist registrars and registries collect the data they require for gTLDs.

SIDN Sets Up Privacy Portal and Legal Help Desk To Assist Registrars Comply With GDPR

To help its registrars comply with the European Union’s General Data Protection Regulation, SIDN, the .nl ccTLD manager, has set up a Privacy Portal and a Legal Help Desk. SIDN acknowledges that for registrars, bringing their operations into line with the GDPR — and making sure they stay that way — can be a challenge.

In a blog post on the SIDN website, RA CEO Margreth Verhulst and SIDN’s Key Account Manager Sebastiaan Assink discuss the Privacy Portal and Legal Help Desk now available to registrars.

“At the start of the year, SIDN organised a webinar on the implications of the GDPR for domain name registration. Participants were asked whether they had set up a data processing register, as required under the new legislation. And no fewer than 66 per cent of the registrars responded by saying that they hadn’t yet set one up. A broadly similar picture emerged when the RA surveyed its members to find out how many were GDPR-compliant. From the survey feedback, it was also clear that registrars would welcome support bringing their activities into line with the directive. The RA and SIDN therefore linked up with the ICTRecht legal consultancy to create the Privacy Portal, which opened for business on 27 September 2018. The Portal is intended to advise registrars on recording and protecting sensitive information and other privacy-related issues. ‘The Privacy Portal offers registrars free guidance on all aspects of privacy management,’ explains Sebastiaan. ‘You can get answers to legal questions, or help with data processing agreements and other documents.’ Dozens of registrars have already turned to the Portal for assistance.”

A registrar’s first contact with the Privacy Portal sees them being asked a few general questions. Answers are used to build up a profile and then a customised account can be established. Through the account, tailored advice is made available and appropriate measures are suggested. Facilities are also available for organising your enquiries and documents. “The intake privacy scan provides an immediate impression of what you’ve got under control and what still needs attention,” adds Margreth.

“The Portal also features a tool that can be used to set up and maintain a data processing register, another of the GDPR’s new requirements. There’s a privacy statement generator as well, and a utility for checking the adequacy of your technical data protection measures. Another feature of the Privacy Portal is its data breach registration functionality, which you can use to comply with the GDPR’s requirement that details of all breaches must be recorded. Finally, there’s a tool for generating appropriate data processing agreements to regulate your relationships with any data processors that handle data on your behalf. In other words, the Privacy Portal offers all kinds of assistance with GDPR-compliance.”

“Registrars process a great deal of personal data and cooperate with other actors, including suppliers and partners. They collect registrants’ personal details, for example, and forward the information to us on the registrants’ behalf. That’s how a domain name is registered. Naturally, it’s primarily the registrars’ responsibility to make sure that their data processing complies with the law. However, it’s also very much in our interests to see that registration data is processed and exchanged securely,” continues Sebastiaan. As Margreth points out, registrars have a lot on their plates, even without the GDPR. “Their core business is domain name registration, and compliance with the many rules and regulations that apply to the industry sometimes gets sidelined. So the Portal has been created with the aim of relieving some of the burden and making compliance easier for registrars. For any registrar who sees GDPR compliance as a dauntingly high mountain, the Privacy Portal will act like a Sherpa. You’ve still got to get up the mountain yourself, but the Portal is there to shoulder some of the load.”

“The Privacy Portal is just one of the ways that the RA and SIDN are working together to support and invest in the registrar community. It is a spin-off from the Legal Help Desk opened earlier in the year. Via the Help Desk, all 1250 or so .nl registrars can get free legal advice regarding issues involving contracts, ICT, terms and conditions and the like. Questions are simply submitted to the Help Desk using a standard form. Another product of cooperation between SIDN and the RA is the SIDN Academy.”

“So far, we’ve run three SIDN Academy sessions for registrars. The one-day sessions are intended for sharing knowledge on particular topics,” said Assink. “The first round of sessions was devoted to e-mail security, for example.”

Looking forward, the post notes Margreth and Sebastiaan have no preconceptions about how the Help Desk and Portal should develop from here. Both are really still pilot services. “We’ll evaluate the situation after twelve months,” says Margreth. “The future direction of the projects will depend on how registrars use these facilities in practice. A positive response and high levels of use will encourage us to continue and extend the services.”

The full version of this post originally appeared on the SIDN website here. SIDN is the country code top level domain (ccTLD) manager for .nl (Netherlands).

APWG and M3AAWG Survey Finds ICANN’s GDPR Response Impeding Cyber Investigations

A joint APWG-M3AAWG survey of over 300 cybercrime responders and anti-abuse personnel indicates ICANN’s Temporary Specification, its response on how to deal with the European Union’s General Data Protection Regulation for domain name WHOIS data, has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages — and has markedly impeded routine mitigations for many kinds of cybercrimes.

With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or victims of abuse has irreparably eliminated their capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data uses a pseudonym, according to Peter Cassidy, Anti-Phishing Working Group (APWG) Secretary General.

According to survey respondents, ICANN’s Temporary Specification for gTLD Registration Data, established in May in response to the GDPR, impedes investigations of cybercrime – from ransomware attacks to distribution of state-sponsored strategic disinformation. Analyses of responses from the survey reveal that:

  • Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  • Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.

“The biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,” one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.

APWG and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) concluded their analysis with recommendations for ICANN to:

  • Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
  • Restore redacted WHOIS data of legal entities.
  • Adopt a contact data access request specification for consistency across registrars and gTLD registries.
  • Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
  • Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
  • Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.
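
The "secure hashes" recommendation above, sketched as an added example that is not taken from the APWG-M3AAWG report or from ICANN: it assumes the hash is a keyed HMAC-SHA256 whose key stays with the data controller, and it contrasts that with an unkeyed hash, which anyone holding a list of candidate addresses can reverse. All records, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records; domains and e-mail addresses are invented.
RECORDS = [
    ("shop-login.example", "Mallory@Mail.example"),
    ("bank-verify.example", "mallory@mail.example "),
    ("flowers.example", "alice@mail.example"),
]
REGISTRY_KEY = b"constructed-demo-key"  # assumption: known only to the data controller


def normalise(email: str) -> bytes:
    """Canonicalise so trivially different spellings map to one token."""
    return email.strip().lower().encode("utf-8")


def keyed_token(email: str, key: bytes = REGISTRY_KEY) -> str:
    """HMAC-SHA256 pseudonym: stable per registrant, not computable without the key."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def unkeyed_token(email: str) -> str:
    """Plain SHA-256, shown for comparison only."""
    return hashlib.sha256(normalise(email)).hexdigest()


def redact(records, token_fn=keyed_token):
    """Publish (domain, token) in place of (domain, email)."""
    return [(domain, token_fn(email)) for domain, email in records]


def pivot(published):
    """Group domains sharing a token, as an investigator would on redacted output."""
    groups = defaultdict(list)
    for domain, token in published:
        groups[token].append(domain)
    return {t: sorted(d) for t, d in groups.items() if len(d) > 1}


def reidentifiable(published, candidate_emails, token_fn):
    """Privacy check: which published tokens match a hash of a candidate address?"""
    lookup = {token_fn(e): e for e in candidate_emails}
    return {domain: lookup[tok] for domain, tok in published if tok in lookup}
```

The pivot works on either kind of token; only the keyed form keeps the published value from being matched against guessed addresses by someone without the key.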

The survey was submitted to ICANN on Oct. 18 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.

The full survey can be found at www.m3aawg.org/WhoisSurvey2018-10 or docs.apwg.org/reports/ICANN_GDPR_WHOIS_Users_Survey_20181018.pdf.