General Data Protection Regulation Archives - Page 2 of 4

CentralNic’s Ben Crawford’s 2018 Highlight Was KeyDrive Merger, While nTLDs Offer Great Opportunities

Todayâs Q&A sees CentralNicâs CEO Ben Crawford open up on 2018 and look ahead to 2019. Crawfordâs major highlight and challenge, all rolled into one, was the merger of CentralNic and KeyDrive and re-listing on the London Stock Exchange. GDPR was a âfamiliar challengeâ that exacerbated âtensions in the multi-stakeholder governance modelâ. Looking ahead Crawford sees more mergers and less âold-fashioned role delineationsâ with private equity groups becoming more involved.

In 2019 Crawford sees fewer new gTLD launches, which may create issues for those relying on continued launches for new registrations, but âa long-term significant market for affordable generic domain names, and the most remarkable fact is that so many industry veterans totally missed the opportunity.â And while the future of domain names is challenging, Crawford also sees âopportunities for using the DNS for the Internet of Things, and blockchain applications.â

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Ben Crawford: For us the obvious highlight and challenge was the merger of CentralNic and KeyDrive and our re-listing on the London Stock Exchange as the first industry player to be a world class competitor as a registry, registry backend provider, reseller platform, retail registrar and corporate registrar. We believe the rest of the industry will inevitably follow in moving away from the old-fashioned role delineations, and we see the large number of acquisitions by private equity funds (Dada Group, web.com, Donuts, one.com, etc.) in 2018 as the next step towards significant consolidation.

DP: GDPR â good, bad and/or indifferent to you and the wider industry and why?

BC: As a global company focussed on ccTLDs, we are specialists in working hand-in-glove with Governments – in many cases helping them with drafting of policies and even legislation to situate domains in a framework covering privacy, security, IP protection, etc.. So for us GDPR was a familiar challenge. By contrast it was evident that it exacerbates the tensions in the multi-stakeholder governance model for the internet when certain stakeholders have the rule of law behind them.

DP: What are you looking forward to in 2019?

BC: Delivering even more excellent service to our customers and returns to our investors. From a wider industry perspective, the development of a replacement for WHOIS that works for all stakeholders is a subject close to our heart and our Registry CTO, Gavin Brown is one of the members of the working group that ICANN have pulled together to deliver on the next phase.

DP: What challenges and opportunities do you see for the year ahead?

BC: On the challenge side, there will be very few domain launches, and that makes it tough for companies in our industry who have become addicted to launches to achieve their revenue targets. On the opportunity side, many companies that created spam fatigue among their customers with too frequent new gTLD launch emails may now have an opportunity to recover their most effective form of marketing by building the consumer confidence needed to improve open rates and click rates – GDPR permitting

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

BC: As CentralNic Registry is the most successful backend provider for new gTLDs – with over 25% market share and 10 of the top 25 nTLDs – we actually delivered to our investors what they hoped for from the new TLDs. We are happy to see continued strength from .xyz and the Radix domains, as well as strong performances from our clients .icu and .ooo from the moment they migrated to our platform in 2018. There is obviously a long-term significant market for affordable generic domain names, and the most remarkable fact is that so many industry veterans totally missed the opportunity. Meanwhile the DotIndustry newTLDs like .design, .art and .press have strong support from their communities, while others have decided to keep their powder dry waiting for Google and Amazon to do the heavy lifting of building awareness of nTLDs before relaunching.

Similarly as a leading registry back-end provider for DotBrand TLDs, we are seeing a lot of interest in our solutions which allow DotBrand registries to minimise their costs by integrating registry and registrar services with a single provider who is happy to provide true expert advice when they want it at no charge , instead of having pushy sales people hassling them to âactivateâ.

DP: Are domain names as relevant now for consumers â business, government and individuals â as they have been in the past?

BC: There is no doubt that the tech platforms like Facebook/WhatsApp, WeChat, Amazon, Alibaba and Ebay have done a great job providing SOHO/microbusinesses with tools allowing them to do business online without the need for domain names or their own websites and corporate email addresses. And indeed I believe it has harmed our industry that it is so fragmented that no company has the market power yet to successfully launch domain-based responses to those challenges. Of course, with the backlash against platforms misusing user data and enabling fake news, there is a grassroots movement towards independence from them, which means more people building their own independent websites on their own domains.

There are also opportunities for using the DNS for the Internet of Things, and blockchain applications for domains like those pioneered by .xyz and others. But again history tells us that even if these are the best technical solutions, they wonât win the market share war without the backing of bigger companies.

Previous Q&As in this series were with EURid, manager of the .eu top level domain (available here), with Katrin Ohlmer, CEO and founder of DOTZON GmbH (here), Afiliasâ Roland LaPlante (here), DotBERLINâs Dirk Krischenowski (here), DENIC (here) Internet.bsâ Marc McCutcheon (here), nic.atâs Richard Wein (here) and Neustar’s George Pongas (here).

If youâd like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

‘ICANN’s Naïve and Unprofessional GDPR Approach’ A 2018 Lowlight Says nic.at’s CEO, But Celebrating Triple .AT Anniversaries A Highlight

“ICANN’s naïve and unprofessional approach to” the EU’s GDPR was one of 2018’s lowlights says Richard Wein, CEO of Austria’s ccTLD registry nic.at in today’s Domain Pulse Q&A with leading industry figures, looking at the year in review and year ahead. GDPR planning dominated many European ccTLDs in the first half of 2018 to the detriment of other work, but while Wein has come concerns about the GDPR, he wonders if it is a “sledgehammer to crack a nut”. Overall he thinks it’s a positive and now he’s happy about how the team at nic.at responded to the European Union’s consumer data protection regulation.

“ICANN's naïve and unprofessional approach to” the EU's GDPR was one of 2018's lowlights says Richard Wein, CEO of Austria's ccTLD registry nic.at in today's Domain Pulse Q&A with leading industry figures, looking at the year in review and year ahead. GDPR planning dominated many European ccTLDs in the first half of 2018 to the detriment of other work, but while Wein has come concerns about the GDPR, he wonders if it is a “sledgehammer to crack a nut”. Overall he thinks it's a positive and now he's happy about how the team at nic.at responded to the European Union's consumer data protection regulation. A positive highlight was nic.at celebrating 3 anniversaries: “30 years of .at, 20 years of nic.at and Stopline and 10 years of CERT.at.” Looking ahead, Wein believes 'it's still far too difficult to register your own domain, set up e-mail or create a new website'. Largely, Wein believes, new gTLDs haven't lived up to expectations, with a few exceptions, and currently doesn't believe a second round of applications is needed. Domain Pulse:What were the highlights, lowlights and challenges of 2018 in the domain name industry for you? Richard Wein: I think that the first half of 2018 was particularly shaped by the effects of the GDPR. Many registries (especially European ccTLDs) seemed paralysed and put all other plans and projects on hold. This was also the case for nic.at. ICANN’s naïve and unprofessional approach to this topic was a real disappointment, and the necessary measures were taken far too late. A “normal” company would have been punished by the markets for this kind of performance. But I am proud to say that we manged to finish the project in time with a new privacy policy and new internal processes for .at which were ready on May 25 – with a solution which was at the same time pragmatic, legally correct and end-user friendly. The whole nic.at team had put lots of effort in this project and we can see now, 6 months later, that we took the right decisions and found a good way to deal with it. The market changes were also exciting, especially among the gTLD registries – the sale of Donuts was a good example of this. It was also interesting to note the rather sobering registration numbers worldwide. Real (natural) growth is happening only in low single digits, so the whole industry will have to adjust to much tougher times and every market participant, whether registry or registrar, must take appropriate measures. Our nic.at company highlight was of course the anniversaries we celebrated in 2018: 30 years of .at, 20 years of nic.at and Stopline and 10 years of CERT.at. We had a big party for our partners and were able to show all the activities and initiatives we are undertaking for Austria’s internet community. DP: GDPR – good, bad and / or indifferent to you and the contrary to industry and why? RW: Essentially, protection of data is very positive to see and any initiative in this area is to be welcomed. The only question is whether the GDRP was a sledgehammer to crack a nut. Unfortunately the original goal of putting the big data monsters such as Facebook, Google etc “on a leash” was not achieved, and yet enormous bureaucratic hurdles have been created for many companies and government agencies. It is clearly positive that awareness of data protection and sensitive (personal) data in all areas has significantly increased. After around 8 months of “live” GDRP the onslaught expected by many (including us), e.g. requests for information because there is now no public WHOIS, completely failed to materialise.
In my opinion, the world can survive very well without a public WHOIS. DP: What challenges and opportunities do you see for the year ahead? RW: I think the whole industry will have to make an effort to bring their products to the market in a way that is more understandable, simpler, and accessible without much (technical) know-how. In my opinion it is still far too difficult to register your own domain, then set up your own e-mail or create a new website. The subject of “digitisation” is currently on everyone's lips, but it has negative connotations; so a lot of work must be done to convert this to a more positive, beneficial impression. This involves domains and all associated products. DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now? RW: All in all (apart from a few exceptions), positive hopes and expectations have not been realised. Many of the gTLD registries are still struggling to survive, and I have not seen any evidence of the frequently described “dotbrand” hype, so the new gTLDs will probably remain a “niche” for another year. The consolidation process will continue, both with the registries and the backend providers, but also with the registrars. A few gTLD's will be established on the market (and among users), many of the others will disappear again. At the moment I do not see any need for a second round (at least from the demand side), but clearly some want to utilise their (technical and sales) scaling effects to offer new gTLDs as quickly as possible, and put them on the market. DP: Are domain names as relevant now for consumers – business, government and individuals – as they have been in the past? RW: A clear YES to this. If you look at the number of users of “social media”, such as FB or Instagram, there is a clear negative trend. It's not about either / or, but businesses in particular will develop a balanced “online strategy” and this includes their own website with one (or more) domains. Of course, there is some saturation, but there is still enough global potential to increase awareness of domains and to secure growth over the long term. Previous Q&As in this series were with EURid, manager of the .eu top level domain (available here), with Katrin Ohlmer, CEO and founder of DOTZON GmbH (here), Afilias’ Roland LaPlante (here), DotBERLIN’s Dirk Krischenowski (here), DENIC (here) and Internet.bs' Marc McCutcheon (here). If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

Q&A With DOTZON’s Katrin Ohlmer on Year in Review, 2019, GDPR and Future of Domain Names

In the second of our series asking industry figures and companies to comment on their highlights and lowlights of 2018, looking ahead to 2019, the EU’s GDPR as well as the future of domain names, Katrin Ohlmer, CEO and founder of DOTZON GmbH, gives her views.

DOTZON is an international management consulting dedicated to digital identities. Since 2005 they’ve worked with companies, cities and organisations for the concept, application and operation of their own top-level domains. DOTZON helps their clients protect, establish and strengthen the digital identities of brands and companies. Since 2017 they’ve published the annual Digital City Brands study and since 2018 the Digital Company Brands study.

Domain Pulse: What were the highlights, lowlights and challenges of 2018 in the domain name industry for you?

Katrin Ohlmer:

Highlights
A growing interest in domain names as such, both from the business and consumer side. We’ve noticed an increased interest by various stakeholder groups on Internet Governance topics, which might lead to a shift in the Internet Governance Stakeholder Map in the next few years.

Lowlights
Stolen data sets, as in the cases of Marriott, LinkedIn and others do not give consumers the security they need. Also, the whole domain industry could still improve in terms of customer experience and customer-centric marketing and communications. In 2019, we would like ICANN to focus again on their mission “to ensure the stable and secure operation of the Internet’s unique identifier systems”.

Challenges
For sure all the new processes around GDPR, especially the closed public WHOIS.

DP: GDPR – good, bad and/or indifferent to you and the wider industry and why?

KO: Good for me as an individual since spam is extremely limited nowadays. Indifferent for a registry operator as no personal data is available to gain insights about their customer base in order to market the TLD. Bad for trademark owners who used to be able to contact registrants easily and negotiate a solution for a domain name without going to court.

DP: What are you looking forward to in 2019?

KO: I’m looking forward to seeing new creative use cases of .BRANDS following the ones we saw in 2018 like www.doc.new by Google and www.berlin.audi or www.weare.audi.

DP: What challenges and opportunities do you see for the year ahead?

KO: The challenge for the ICANN community will be two-fold: On the one hand, we will have to agree on how to handle the GDPR topic in the future. On the other hand, we will have to finalise the last steps in the review process of the last gTLD round and collect input for improvements for a new gTLD round, where we play an active role. I’m looking forward to seeing the results for both of these activities in 2019.

DP: 2019 will mark 5 years since the first new gTLDs came online. How do you view them now?

KO: Millions of domains under the new gTLDs have been registered and hundreds of thousands of great domains are in use. This is great news! But: Although there are many attractive new top-level domains, they are still a minority in the market, whether as brand, geo or generic TLDs. The market is only slowly adapting to this wider variety. However, it can be observed that the diversity is slowly but constantly increasing. We therefore expect an uptake in the long run.

DP: Are domain names as relevant now for consumers – business, government and individuals – as they have been in the past?

KO: The awareness of domain names among consumers has certainly decreased. At the same time more and more businesses go online and need a website. We therefore see a continuing demand in domains, which we can foster by delivering easy-to-use products whose features meet demands.

The first in this Q&A series was with EURid, manager of the .eu top level domain, and is available here.

If you’d like to participate in this Domain Pulse series with industry figures, please contact David Goldstein at Domain Pulse by email to david[at]goldsteinreport.com.

ICANN Reaffirms gTLD Registration Data Temporary Specification in Defiance of German Courts

Although ICANN isn’t technically American, there’s a growing difference of opinion between Europe and “America” over how to deal with the collection of domain name registrant’s registration, or Whois, data. Despite going down 4-0 to German courts in a dispute where EPAG is refusing to abide by ICANN’s requirement to collect registration data, ICANN has continued to insist registrars and registries collect the data they require for gTLDs.

SIDN Sets Up Privacy Portal and Legal Help Desk To Assist Registrars Comply With GDPR

To assist their registrars comply with the European Unionâs General Data Protection Regulation, SIDN, the .nl ccTLD manager, has set up a Privacy Portal and a Legal Help Desk. SIDN acknowledges that for registrars, bringing their operations into line with the GDPR — and making sure they stay that way — can be a challenge

In a blog post on the SIDN website by RA CEO Margreth Verhulst and SIDN’s Key Account Manager Sebastiaan Assink discuss the Privacy Portal and Legal Help Desk now available to registrars.

âAt the start of the year, SIDN organised a webinar on the implications of the GDPR for domain name registration. Participants were asked whether they had set up a data processing register, as required under the new legislation. And no fewer than 66 per cent of the registrars responded by saying that they hadn’t yet set one up. A broadly similar picture emerged when the RA surveyed its members to find out how many were GDPR-compliant. From the survey feedback, it was also clear that registrars would welcome support bringing their activities into line with the directive. The RA and SIDN therefore linked up with the ICTRecht legal consultancy to create the Privacy Portal, which opened for business on 27 September 2018. The Portal is intended to advise registrars on recording and protecting sensitive information and other privacy-related issues. “The Privacy Portal offers registrars free guidance on all aspects of privacy management,” explains Sebastiaan. “You can get answers to legal questions, or help with data processing agreements and other documents.” Dozens of registrars have already turned to the Portal for assistance.

A registrarâs first contact the Privacy Portal sees them being asked a few general questions. Answers are used to build up a profile and then a customised account can be established. Through the account, tailored advice is made available and appropriate measures are suggested. Facilities are also available for organising your enquiries and documents. “The intake privacy scan provides an immediate impression of what you’ve got under control and what still needs attention,” adds Margreth.

âThe Portal also features a tool that can be used to set up and maintain a data processing register, another of the GDPR’s new requirements. There’s a privacy statement generator as well, and a utility for checking the adequacy of your technical data protection measures. Another feature of the Privacy Portal is its data breach registration functionality, which you can use to comply with the GDPR’s requirement that details of all breaches must be recorded. Finally, there’s a tool for generating appropriate data processing agreements to regulate your relationships with any data processors that handle data on your behalf. In other words, the Privacy Portal offers all kinds of assistance with GDPR-compliance.â

“Registrars process a great deal of personal data and cooperate with other actors, including suppliers and partners. They collect registrants’ personal details, for example, and forward the information to us on the registrants’ behalf. That’s how a domain name is registered. Naturally, it’s primarily the registrars’ responsibility to make sure that their data processing complies with the law. However, it’s also very much in our interests to see that registration data is processed and exchanged securely,” continues Sebastiaan. As Margreth points out, registrars have a lot on their plates, even without the GDPR. “Their core business is domain name registration, and compliance with the many rules and regulations that apply to the industry sometimes gets sidelined. So the Portal has been created with the aim of relieving some of the burden and making compliance easier for registrars. For any registrar who sees GDPR compliance as a dauntingly high mountain, the Privacy Portal will act like a Sherpa. You’ve still got to get up the mountain yourself, but the Portal is there to shoulder some of the load.”

âThe Privacy Portal is just one of the ways that the RA and SIDN are working together to support and invest in the registrar community. It is a spin-off from the Legal Help Desk opened earlier in the year. Via the Help Desk, all 1250 or so .nl registrars can get free legal advice regarding issues involving contracts, ICT, terms and conditions and the like. Questions are simply submitted to the Help Desk using a standard form. Another product of cooperation between SIDN and the RA is the SIDN Academy.â

“So far, we’ve run three SIDN Academy sessions for registrars. The one-day sessions are intended for sharing knowledge on particular topics,â said Assink. âThe first round of sessions was devoted to e-mail security, for example.”

Looking forward, the post notes Margreth and Sebastiaan have no preconceptions about how the Help Desk and Portal should develop from here. Both are really still pilot services. “We’ll evaluate the situation after twelve months,” says Margreth. “The future direction of the projects will depend on how registrars use these facilities in practice. A positive response and high levels of use will encourage us to continue and extend the services.”

The full version of this post originally appeared on the SIDN website here. SIDN is the country code top level domain (ccTLD) manager for .nl (Netherlands).

APWG and M3AAWG Survey Finds ICANN’s GDPR Response Impeding Cyber Investigations

A joint APWG-M3AAWG survey of over 300 cybercrime responders and anti-abuse personnel indicates ICANNâs Temporary Specification, its response on how to deal with the European Unionâs General Data Protection Regulation for domain name WHOIS data, has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages — and has markedly impeded routine mitigations for many kinds of cybercrimes

With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or victims of abuse has irreparably eliminated their capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data is use a pseudonym, according to Peter Cassidy, Anti-Phishing Working Group (APWG) Secretary General.

According to survey respondents ICANNâs Temporary Specification for gTLD Registration Data, established in May in response to the GDPR, impedes investigations of cybercrime â from ransomware attacks to distribution of state-sponsored strategic disinformation. Analyses of responses from the survey reveal that:

Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.

âThe biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,â one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.

APWG and the Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG) concluded their analysis with recommendations for ICANN to:

Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
Restore redacted WHOIS data of legal entities.
Adopt a contact data access request specification for consistency across registrars and gTLD registries.
Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.

The survey was submitted to ICANN on Oct. 18 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.

The full survey can be found at www.m3aawg.org/WhoisSurvey2018-10 or docs.apwg.org/reports/ICANN_GDPR_WHOIS_Users_Survey_20181018.pdf.

ICANN: Data Protection/Privacy Update Webinar – 8 October

ICANN today [27 Sep] announced that it will hold a webinar on 8 October 2018 from 15:00 to 16:00 UTC to provide an update on recent ICANN data protection and privacy activities related to the European Union’s General Data Protection Regulation (GDPR)

To facilitate global participation, interpretation services will be available in Arabic, Chinese, French, Portuguese, Russian, and Spanish. Participants are encouraged to email questions prior to the call via email to gdpr@icann.org. We will also hold a question and answer period at the end of the webinar. A full recording of the webinar will be published on icann.org for future reference.

More information on ICANN‘s Data Protection/Privacy Issues is available here:

Webinar Details & How to Attend:

Date: 8 October 2018
Time: 15:00 – 16:00 UTC
Join via Adobe Connect
View Dial-in Information

Participant Codes:

English â Participant Code: 9001
FranÃ§ais â Participant Code: 9002
EspaÃ±ol â Participant Code: 9003
ä¸æ â Participant Code: 9004
PÑÑÑÐºÐ¸Ð¹ â Participant Code: 9005
Ø§ÙØ¹Ø±Ø¨ÙØ© â Participant Code: 9006
PortuguÃªs â Participant Code: 9007

About ICANN

ICANN‘s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address â a name or a number â into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-09-27-en

German Courts Rebuff ICANN For Fourth Time Over WHOIS/GDPR Data Collection

ICANN has suffered another setback in its desire to continue to collect and make public domain name registrant contact details following an appeal to a German High Court who ruled against ICANN’s plea to reconsider the Court’s own earlier decision following the introduction of the European Union’s General Data Protection Regulation earlier this year.

ICANN has suffered another setback in its desire to continue to collect and make public domain name registrant contact details following an appeal to a German High Court who ruled against ICANN's plea to reconsider the Court's own earlier decision following the introduction of the European Union's General Data Protection Regulation earlier this year.

ICANN has been pursuing a preliminary injunction from the German Court to require EPAG, a Germany-based, ICANN-accredited registrar (that is part of the Tucows Group and based in Bonn, Germany) to continue to collect elements of WHOIS data, as required under ICANN's Registrar Accreditation Agreement (RAA), which permits the registrar to sell domain name registrations for generic top-level domains.

ICANN received a ruling from the German Higher Regional Court in Cologne (“Appellate Court”) last week, that rejected ICANN's request for review (“plea of remonstrance”) filed by ICANN on 17 August 2018. ICANN's plea was filed to continue the immediate appeal in the ICANN v. EPAG injunction proceedings. ICANN initiated such proceedings against EPAG, to seek assistance in interpreting the European Union's General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS. The Appellate Court again has determined that it would not issue an injunction against EPAG.

This is the fourth time the German courts have rebuffed ICANN’s attempts to have EPAG enforce the RAA. On 30 May the Regional Court determined that it would not issue an injunction against EPAG. Then on 13 June ICANN appealed and on 18 July the Regional Court decided not to change its original determination not to issue an injunction against EPAG. The matter was referred to the Higher Regional Court in Cologne for appeal. Next on 3 August ICANN announced a German appeal court (Appellate Court of Cologne) had issued a decision on the injunction proceedings ICANN initiated against EPAG determining that it would not issue an injunction against EPAG.

In making its ruling, the Appellate Court found that the preliminary injunction proceeding does not provide the appropriate framework for addressing the nature of the contractual disputes at issue, and that a decision in preliminary proceedings does not appear to be urgently needed. Again, the Appellate Court did not address the merits of the underlying issues with respect to the application of GDPR as it relates to WHOIS.

ICANN is continuing to evaluate its next steps in light of this ruling, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

On 25 May, the day the European Union’s General Data Protection Regulation came into place, ICANN filed a legal action against EPAG. This action was taken because of a disagreement between Tucows and ICANN on how the GDPR should be interpreted, with respect to their contracts.

In a post outlining their position back in May, EPAG Ashley La Bolle wrote the “GDPR begins with a statement of its core principle: ‘The protection of natural persons in relation to the processing of personal data is a fundamental right.’ Tucows has long been concerned with privacy and the rights of our customers, and takes the principles enshrined in this law extremely seriously.

“In order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.”

ICANN’s response to the GDPR came just over a week before the EU-wide data protection regulation came into place, and 2 years after it was announced. The “Temporary Specification”, as La Bolle writes, was “meant to temporarily bring gTLD registration services in line with the GDPR. The goal of the Specification is to serve as a stop-gap while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy.” EPAG have 3 concerns with the Temporary Specification based around “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.

Has GDPR Contributed To Spam Decline? 2 Organisations Say It’s Too Early To Tell

Recently threat intelligence organisation Recorded Future published a blog post suggesting “spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules.”

The General Data Protection Regulation that came into force on 25 May, seeks to give individuals more control over their personal data and to simplify data protection regulation in the European Union to one rule for all countries. Recorded Future published spam volumes compiled by Cisco which found that “on May 1, 2018, the total volume of email was 433.9 billion messages; spam accounted for 370.04 billion messages, or 85.28 percent of all email. On August 1, 2018, the total volume of messages was 361.83 billion, with 85.14 percent, or 308.05 billion messages, identified as spam. While the total volume of email fell precipitously, most likely due to a combination of seasonal email fluctuations and as the result of newly enforced privacy standards, the percentage of spam remained roughly the same.”

Recorded Future surmised that “spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules. Spam is still a big problem, but it has not become a bigger problem, contrary to popular opinions among security researchers.”

Spamhaus has taken a similar view. They note “the real answer is that it is far too early to tell.”

“Before GDPR came into effect, records such as a domain’s registered owner and registered contacts could be looked up in WHOIS databases maintained by individual registrars governed by ICANN.”

“WHOIS information was used by researchers in organisations such as Spamhaus to help determine a domain’s reputation. Domains determined from this and other factors to have a bad reputation would have potentially been listed on our Domain Block List (DBL).”

Spamhaus goes on to note that “whilst the lack of some of this information is tiresome and makes a security researcher’s job a little more difficult, it isn’t insurmountable. Spam will be blocked. Domains will continue to be added to our DBL and email will be filtered accordingly.”

“It’s true, spam rates have dropped marginally since May 2018. Spamhaus never anticipated a tsunami of spam to follow GDPR, however current claims that spam has fallen as a result of GDPR are unconvincing.

“Of course, it could be that legitimate companies, who are concerned about being GDPR compliant, have started purging email lists and are sending less ‘legit’ spam. However, one needs to remember that spam from legitimate companies accounts for a very small percentage of overall spam numbers, so any reduction in this area would have a minute impact on the figures.

“Another theory could be that due to the changes on WHOIS fewer bad domains are being identified and therefore some anti-spam systems are flagging less email.

“Nonetheless, this small reduction in spam is more than likely down to the natural ebb and flow of spam volumes, which have always been highly variable, just like botnet traffic.”

Spamhaus note there could be “numerous non-GDPR related reasons as to why there’s been a recent drop in spam email ranging from the spambots which are currently in operation (or not in operation as the case may be) to who has been arrested recently!”

So Spamhaus say there’s “no hard evidence we have seen proving that this current decline in spam is as a direct result of GDPR…it will be interesting to see what the volumes of spam are like over Black Friday and the subsequent Christmas holidays.”

They also suggest the drop in spam levels bein attributed to the GDPR is a “vacuous claim, unless it’s worth considering that snowshoe spammers don’t need as many new identities now that their current ones are withheld on WHOIS.”

“A more likely explanation to the drop in domain name registrations could be something as simple as top-level domains (TLDs) not having run any ‘specials’ recently (everyone loves a bargain, even a cybercriminal).”

But Spamhaus suggests that prohibiting personal details being visible on Whois “will hamper, if not stop, organisations being able to join the dots and identify gangs of professional cybercriminals who have a mechanism of fraud that is proving successful.”

According to Spamhaus “researchers collect all kinds of information from WHOIS. This data allows us to identify patterns in spamming activity, and build intelligence to attribute it to specific spam gangs.”

Whois data are “small but critical pieces of data [that] can become crucial to investigations later down the line, although they may not be obvious at the time. This evidence can assist law enforcement agencies to pursue these prolific gangs who are defrauding significant amounts of people of vast quantities of money” with “even fraudulent information that is used in a WHOIS record can be used against criminals.”