Tag Archives: General Data Protection Regulation

M3AAWG/APWG Report Finds GDPR Impact on WHOIS Impedes Criminal Investigations

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and The Anti-Phishing Working Group (APWG) have again collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s application of the European Union’s General Data Protection Regulation (GDPR) has impacted on the distributed WHOIS service and anti-abuse work. The resulting report, published in June, discusses the effect of the Temporary Specification on anti-abuse actors’ access and usage of domain name registration information, which is central for various types of investigations.


DENIC CEO Jörg Schweiger Talks About DENIC, Security, New TLDs, ICANN, GDPR and the Future of Domains

In January, Jörg Schweiger, CTO of DENIC from 2007 to 2014 and CEO since 2014, announced that he will step down from his post in December. That is a long time, and the domain industry has developed considerably. We asked Jörg Schweiger a few questions about his time at DENIC and the changes he has experienced.

Jörg Schweiger is one of those people who win you over with a friendly smile, always open to dialogue. So when we put a few questions to him, he answered with some insightful views on why he believes the new TLDs missed a big opportunity, how important security and reliability are for DENIC, and what challenges the General Data Protection Regulation (DSGVO or GDPR) and the future of domain names bring. Jörg even wonders whether ICANN can continue to fulfil its (clearly defined) mission in view of cost pressure, upcoming global regulatory initiatives and the differing views within its “broad, multi-layered community”.


Three years of GDPR: the biggest fines so far

It’s been three years since the introduction of Europe’s data privacy and security law on 25 May 2018.

GDPR governs the way organisations that operate within the EU can use, process and store consumers’ personal data.


Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates

[New York Times] When Europe enacted the world’s toughest online privacy law nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world’s largest technology companies.

Now, the law is struggling to fulfill its promise.


Chris Disspain Looks At The Highlights of 2019 And What His Final Year On The ICANN Board Might Hold

In the latest Domain Pulse Q&A series looking at the year in review and year ahead, we speak to ICANN board member Chris Disspain. Chris discusses the progress of the next round of new gTLD applications, the challenges GDPR has thrown at ICANN relating to WHOIS, a 2019 highlight in the finalisation of the new strategic plan, especially the way the ICANN community focused and pulled together to get it done, and what the future may hold for him after he completes his term on the ICANN board. He would also like to see a little more kindness “in the ICANN context”.

Domain Pulse: What were the highlights, lowlights and challenges of 2019 in the domain name industry, both for you and/or the industry in general?

Chris Disspain: The challenge of GDPR and its relevance to WHOIS has consumed an immense amount of time in 2019. And universal acceptance is a real issue for many especially but not exclusively in the IDN world.

The finalisation of the new strategic plan has been a highlight especially the way that the ICANN community focused and pulled together to get it done. And the streamlining of reviews work!

There are always lowlights. Calling them out isn’t necessarily helpful.

DP: What are you looking forward to in 2020?

CD: Enjoying my last year as a board member, making a difference and riding off into the sunset….. only to return later in 2021 wearing a different hat…..Or perhaps not!

DP: What challenges and opportunities do you see for the year ahead?

CD: Every issue has both challenges and opportunities… Some examples for us are GDPR, various contractual matters, the sub-pro work, ccNSO work on retirement of ccTLDs, the ongoing work on IGOs acronyms, the ongoing community work-load and so on.

DP: How have new gTLDs fared in 2019?

CD: Some good, some bad I expect. But given that different gTLDs have different measures of success that’s quite a hard question to address. A brand likely doesn’t care about registration levels. A geographic may have a limited market and be happy with that. I guess the only real test will be to see what sort of applications come in in a next round.

DP: What progress do you see on a new round of applications for new gTLDs in 2020?

CD: Significant but it’s a long track that needs to be carefully navigated. As a board member (actually the only current board member) who was on the board from the beginning of the last gTLD round I know many of the issues that will need to be dealt with in the updated policy. Some of these are complicated and contentious but I’m hopeful that with the extraordinary work of the Sub-pro WG and the support of the community generally we’ll get there reasonably soon.

DP: What one thing would you like to see addressed or changed in the domain name industry?

CD: Well, in the ICANN context, I think a little more kindness would be good. And a ‘fix’ for the structural challenges within the GNSO would make a huge difference to the ability of the ICANN multi-stakeholder model to deal effectively and efficiently with the constantly changing industry dynamic.

Chris was also the founding CEO of Australia’s ccTLD policy and regulatory body, auDA.

Previous Q&As in this series were with:

Q&As in the 2019 series were with:

  • EURid, manager of the .eu top level domain (available here)
  • Katrin Ohlmer, CEO and founder of DOTZON GmbH (here)
  • Afilias’ Roland LaPlante (here)
  • DotBERLIN’s Dirk Krischenowski (here)
  • DENIC (here)
  • Internet.bs’ Marc McCutcheon (here)
  • nic.at’s Richard Wein (here)
  • Neustar’s George Pongas (here)
  • CentralNic’s Ben Crawford (here)
  • CIRA’s David Fowler (here)
  • Jovenet Consulting’s Jean Guillon (here)
  • GGRG’s Giuseppe Graziano (here)
  • Blacknight Solutions’ Michele Neylon (here)
  • Public Interest Registry’s President and CEO Jon Nevett (here)
  • ICANN board member Chris Disspain (here).

US Government Reiterates Opposition to Changes to WHOIS Resulting From EU’s GDPR

The US government continues to oppose changes to WHOIS that it believes will have little benefit for consumer privacy and major benefits for cyber-criminals. The comments were made, again, in a speech by the NTIA’s Assistant Secretary of Commerce for Communications and Information, David J. Redl, at an FDA Online Opioid Summit in Washington, D.C. on 2 April.

In his speech, Redl said “the WHOIS is a resource that, prior to the GDPR, provided public access to domain name registration information, including contact information for the entity or person registering the domain name. This information is a critical tool that helps keep people accountable for what they do and put online. Law enforcement uses WHOIS to shut down criminal enterprises and malicious websites, including those that illegally sell opioids. Cybersecurity researchers use it to track bad actors. And it is a first line in the defense of intellectual property protection, including the misuse of opioid brand names.”

The European Union’s General Data Protection Regulation has been developed by the European Commission to give individuals more control over their data that businesses hold, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. Its impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater.

“Unfortunately, when GDPR went into effect, those companies responsible for providing WHOIS stopped publishing much of the data because they feared it would make them vulnerable to the massive fines GDPR imposes for privacy violations. The U.S. government’s position on this is clear: the loss of a public WHOIS without a predictable and timely mechanism to access redacted information has little benefit for consumer privacy, and major benefits for cyber-criminals.”

But Redl says there has been some progress on this issue within ICANN. “First, ICANN put in place last year a temporary policy that clarified that WHOIS data should continue to be collected and reasonable access should be provided. This kicked off an intensive global multistakeholder discussion about how to develop a long-term solution. NTIA continues to actively push U.S. interests in these discussions. In March, policy recommendations were finalised and submitted to the ICANN Board for approval.”

Redl says he wants “to congratulate the people who have worked on developing these policy recommendations for how to handle the processing of WHOIS information in a manner that is compliant with GDPR. This was the first step we needed to ensure that the WHOIS system is preserved.”

“However, it must be noted, issues remain. Yet to be addressed is development of a technical solution, and policies associated with disclosure and access to non-public WHOIS information. Now it is time to deliberately and swiftly create a system that allows for third parties with legitimate interests, like law enforcement, IP rights holders, and cybersecurity researchers to access non-public data critical to fulfilling their missions. NTIA is expecting this second phase of the discussion to kick off in earnest in the coming weeks, and to achieve substantial progress in advance of ICANN’s meeting in Montreal in November.”

Redl concluded by saying the “NTIA remains a staunch defender of the free and open Internet. That’s not going to change. But we also aren’t going to turn a blind eye to the real issues that are raised by this freedom and openness.”

“We reject the notion that a free and open Internet must tacitly condone illegal activity. We believe there’s a path to solving these issues without turning our backs on innovation and prosperity. And that path begins with honest discussions and debates, with compromise and collaboration. So if you have concerns or solutions you’d like to offer, I invite you to talk to NTIA. We welcome all thoughtful approaches to building the Internet of the future.”

ICANN: Deadline Extended: Expressions of Interest Sought for Chair of GNSO EPDP on the Temporary Specification for gTLD Registration Data – Phase 2

The Generic Names Supporting Organization (GNSO) is extending the deadline for submitting expressions of interest (EOIs) to chair Phase 2 of the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data to Monday, 8 April 2019. Learn more about the background by reading the announcement here.

Following the initial discussions of the EPDP Team during ICANN64 (March 2019) in Kobe, Japan, the GNSO Council leadership would like to provide some further details in relation to the expected workload and pace for Phase 2:

  • The topics to be addressed in Phase 2 have been mapped out on the EPDP Team Phase 2 Mind Map.
  • Following the appointment of the EPDP Team Chair, the EPDP Team is expected to commence with 90-minute weekly meetings (potentially on Tuesday or Thursday at 14:00 UTC) but with the possibility to increase the frequency. Additional meeting(s) may be purposed for either another weekly plenary session that would focus on a different stream of work or small team(s) meetings.
  • Although there is agreement on the importance and urgency of addressing the topics in Phase 2, there is also general agreement that it is not sustainable to continue on the same pace and intensity of work as for Phase 1.
  • Additional resources, such as mediation support, are expected to be made available to support the EPDP Team Chair, in addition to the support that is already being provided by policy staff. Candidates are encouraged to include in their EOI if there is any type of support or resource that is considered essential in supporting the EPDP Team Chair in his/her role.
  • In light of this new information, the deadline for expressions of interest has been extended to Monday, 8 April 2019.

About EPDP

On 17 May 2018, the ICANN Board approved the Temporary Specification for gTLD Registration Data. The Board took this action to establish temporary requirements for how ICANN and its contracted parties would continue to comply with existing ICANN contractual requirements and community-developed policies related to WHOIS, while also complying with the European Union’s General Data Protection Regulation (GDPR). The Temporary Specification has been adopted under the procedure for Temporary Policies outlined in the Registry Agreement (RA) and Registrar Accreditation Agreement (RAA). Following adoption of the Temporary Specification, the Board “shall immediately implement the Consensus Policy development process set forth in ICANN’s Bylaws.” This Consensus Policy development process on the Temporary Specification would need to be carried out within a one-year period. Additionally, the scope includes discussion of a System for Standardized Access to Non-Public Registration Data. However, the discussion of a Standardized Access System will occur only after the EPDP Team has comprehensively answered a series of “gating questions” and non-objection by the GNSO Council.

About ICANN

ICANN’s mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2-2019-03-25-en

CentralNic’s Ben Crawford’s 2018 Highlight Was KeyDrive Merger, While nTLDs Offer Great Opportunities


Today’s Q&A sees CentralNic’s CEO Ben Crawford open up on 2018 and look ahead to 2019. Crawford’s major highlight and challenge, all rolled into one, was the merger of CentralNic and KeyDrive and re-listing on the London Stock Exchange. GDPR was a “familiar challenge” that exacerbated ‘tensions in the multi-stakeholder governance model’. Looking ahead Crawford sees more mergers and less “old-fashioned role delineations” with private equity groups becoming more involved.

In 2019 Crawford sees fewer new gTLD launches, which may create issues for those relying on continued launches for new registrations, but “a long-term significant market for affordable generic domain names, and the most remarkable fact is that so many industry veterans totally missed the opportunity.” And while the future of domain names is challenging, Crawford also sees “opportunities for using the DNS for the Internet of Things, and blockchain applications.”

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Ben Crawford: For us the obvious highlight and challenge was the merger of CentralNic and KeyDrive and our re-listing on the London Stock Exchange as the first industry player to be a world class competitor as a registry, registry backend provider, reseller platform, retail registrar and corporate registrar. We believe the rest of the industry will inevitably follow in moving away from the old-fashioned role delineations, and we see the large number of acquisitions by private equity funds (Dada Group, web.com, Donuts, one.com, etc.) in 2018 as the next step towards significant consolidation.

DP: GDPR – good, bad and/or indifferent to you and the wider industry and why?

BC: As a global company focussed on ccTLDs, we are specialists in working hand-in-glove with Governments – in many cases helping them with drafting of policies and even legislation to situate domains in a framework covering privacy, security, IP protection, etc.. So for us GDPR was a familiar challenge. By contrast it was evident that it exacerbates the tensions in the multi-stakeholder governance model for the internet when certain stakeholders have the rule of law behind them.

DP: What are you looking forward to in 2019?

BC: Delivering even more excellent service to our customers and returns to our investors. From a wider industry perspective, the development of a replacement for WHOIS that works for all stakeholders is a subject close to our heart and our Registry CTO, Gavin Brown is one of the members of the working group that ICANN have pulled together to deliver on the next phase.

DP: What challenges and opportunities do you see for the year ahead?

BC: On the challenge side, there will be very few domain launches, and that makes it tough for companies in our industry who have become addicted to launches to achieve their revenue targets. On the opportunity side, many companies that created spam fatigue among their customers with too frequent new gTLD launch emails may now have an opportunity to recover their most effective form of marketing by building the consumer confidence needed to improve open rates and click rates – GDPR permitting.

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

BC: As CentralNic Registry is the most successful backend provider for new gTLDs – with over 25% market share and 10 of the top 25 nTLDs – we actually delivered to our investors what they hoped for from the new TLDs. We are happy to see continued strength from .xyz and the Radix domains, as well as strong performances from our clients .icu and .ooo from the moment they migrated to our platform in 2018. There is obviously a long-term significant market for affordable generic domain names, and the most remarkable fact is that so many industry veterans totally missed the opportunity. Meanwhile the DotIndustry newTLDs like .design, .art and .press have strong support from their communities, while others have decided to keep their powder dry waiting for Google and Amazon to do the heavy lifting of building awareness of nTLDs before relaunching.

Similarly as a leading registry back-end provider for DotBrand TLDs, we are seeing a lot of interest in our solutions which allow DotBrand registries to minimise their costs by integrating registry and registrar services with a single provider who is happy to provide true expert advice when they want it at no charge, instead of having pushy sales people hassling them to “activate”.

DP: Are domain names as relevant now for consumers – business, government and individuals – as they have been in the past?

BC: There is no doubt that the tech platforms like Facebook/WhatsApp, WeChat, Amazon, Alibaba and Ebay have done a great job providing SOHO/microbusinesses with tools allowing them to do business online without the need for domain names or their own websites and corporate email addresses. And indeed I believe it has harmed our industry that it is so fragmented that no company has the market power yet to successfully launch domain-based responses to those challenges. Of course, with the backlash against platforms misusing user data and enabling fake news, there is a grassroots movement towards independence from them, which means more people building their own independent websites on their own domains.

There are also opportunities for using the DNS for the Internet of Things, and blockchain applications for domains like those pioneered by .xyz and others. But again history tells us that even if these are the best technical solutions, they won’t win the market share war without the backing of bigger companies.

Previous Q&As in this series were with EURid, manager of the .eu top level domain (available here), with Katrin Ohlmer, CEO and founder of DOTZON GmbH (here), Afilias’ Roland LaPlante (here), DotBERLIN’s Dirk Krischenowski (here), DENIC (here), Internet.bs’ Marc McCutcheon (here), nic.at’s Richard Wein (here) and Neustar’s George Pongas (here).

If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

‘ICANN’s Naïve and Unprofessional GDPR Approach’ A 2018 Lowlight Says nic.at’s CEO, But Celebrating Triple .AT Anniversaries A Highlight

“ICANN's naïve and unprofessional approach to” the EU's GDPR was one of 2018's lowlights says Richard Wein, CEO of Austria's ccTLD registry nic.at in today's Domain Pulse Q&A with leading industry figures, looking at the year in review and year ahead. GDPR planning dominated many European ccTLDs in the first half of 2018 to the detriment of other work, but while Wein has some concerns about the GDPR, he wonders if it is a “sledgehammer to crack a nut”. Overall he thinks it's a positive and now he's happy about how the team at nic.at responded to the European Union's consumer data protection regulation. A positive highlight was nic.at celebrating 3 anniversaries: “30 years of .at, 20 years of nic.at and Stopline and 10 years of CERT.at.” Looking ahead, Wein believes 'it's still far too difficult to register your own domain, set up e-mail or create a new website'. Largely, Wein believes, new gTLDs haven't lived up to expectations, with a few exceptions, and currently doesn't believe a second round of applications is needed.

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Richard Wein: I think that the first half of 2018 was particularly shaped by the effects of the GDPR. Many registries (especially European ccTLDs) seemed paralysed and put all other plans and projects on hold. This was also the case for nic.at. ICANN’s naïve and unprofessional approach to this topic was a real disappointment, and the necessary measures were taken far too late. A “normal” company would have been punished by the markets for this kind of performance. But I am proud to say that we managed to finish the project in time with a new privacy policy and new internal processes for .at which were ready on May 25 – with a solution which was at the same time pragmatic, legally correct and end-user friendly.

The whole nic.at team had put lots of effort in this project and we can see now, 6 months later, that we took the right decisions and found a good way to deal with it. The market changes were also exciting, especially among the gTLD registries – the sale of Donuts was a good example of this. It was also interesting to note the rather sobering registration numbers worldwide. Real (natural) growth is happening only in low single digits, so the whole industry will have to adjust to much tougher times and every market participant, whether registry or registrar, must take appropriate measures. Our nic.at company highlight was of course the anniversaries we celebrated in 2018: 30 years of .at, 20 years of nic.at and Stopline and 10 years of CERT.at. We had a big party for our partners and were able to show all the activities and initiatives we are undertaking for Austria’s internet community.

DP: GDPR – good, bad and / or indifferent to you and the contrary to industry and why?

RW: Essentially, protection of data is very positive to see and any initiative in this area is to be welcomed. The only question is whether the GDPR was a sledgehammer to crack a nut. Unfortunately the original goal of putting the big data monsters such as Facebook, Google etc “on a leash” was not achieved, and yet enormous bureaucratic hurdles have been created for many companies and government agencies. It is clearly positive that awareness of data protection and sensitive (personal) data in all areas has significantly increased. After around 8 months of “live” GDPR the onslaught expected by many (including us), e.g. requests for information because there is now no public WHOIS, completely failed to materialise.

In my opinion, the world can survive very well without a public WHOIS.

DP: What challenges and opportunities do you see for the year ahead?

RW: I think the whole industry will have to make an effort to bring their products to the market in a way that is more understandable, simpler, and accessible without much (technical) know-how. In my opinion it is still far too difficult to register your own domain, then set up your own e-mail or create a new website. The subject of “digitisation” is currently on everyone's lips, but it has negative connotations; so a lot of work must be done to convert this to a more positive, beneficial impression. This involves domains and all associated products.

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

RW: All in all (apart from a few exceptions), positive hopes and expectations have not been realised. Many of the gTLD registries are still struggling to survive, and I have not seen any evidence of the frequently described “dotbrand” hype, so the new gTLDs will probably remain a “niche” for another year. The consolidation process will continue, both with the registries and the backend providers, but also with the registrars. A few gTLDs will be established on the market (and among users), many of the others will disappear again. At the moment I do not see any need for a second round (at least from the demand side), but clearly some want to utilise their (technical and sales) scaling effects to offer new gTLDs as quickly as possible, and put them on the market.

DP: Are domain names as relevant now for consumers – business, government and individuals – as they have been in the past?

RW: A clear YES to this. If you look at the number of users of “social media”, such as FB or Instagram, there is a clear negative trend. It's not about either / or, but businesses in particular will develop a balanced “online strategy” and this includes their own website with one (or more) domains.

Of course, there is some saturation, but there is still enough global potential to increase awareness of domains and to secure growth over the long term.

Previous Q&As in this series were with EURid, manager of the .eu top level domain (available here), with Katrin Ohlmer, CEO and founder of DOTZON GmbH (here), Afilias’ Roland LaPlante (here), DotBERLIN’s Dirk Krischenowski (here), DENIC (here) and Internet.bs' Marc McCutcheon (here).

If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.