Tag Archives: privacy

ICANN Requests DPA Guidance on Proposed Interim Model for GDPR Compliance

ICANN has requested European data protection authorities (DPAs) provide specific guidance on the organization’s Proposed Interim Compliance Model [PDF, 922 KB] as it relates to the European Union’s General Data Protection Regulation (GDPR).

In letters to each of the 28 European member states’ DPAs and the European Data Protection Supervisor, ICANN asks the authorities to “help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.”

Absent this specific guidance, the integrity of the global WHOIS system and the organization’s ability to enforce WHOIS requirements after the GDPR becomes effective will be threatened.

ICANN is concerned that continued ambiguity on the application of the GDPR to the global WHOIS may result in many domain name registries and registrars choosing not to publish or collect WHOIS out of fear that they will be subject to significant fines following actions brought against them by the European DPAs. ICANN has set out that its 2,500 domain name registries and registrars need clear guidance and a moratorium so that they will not have enforcement actions brought against them while they implement changes to comply with the GDPR.

At the same time, governments world-wide, law enforcement authorities, and those fighting abuse on the Internet are deeply concerned that blocked access to the global WHOIS may significantly harm the public interest, by blocking access to critical information which allows them to enforce other laws and protect consumers, critical infrastructure and intellectual property rights.

More information on ICANN’s data protection/privacy activities is available here.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-03-28-en

U.S. Govt’s NTIA Has Preservation of WHOIS As Priority With Concerns It May Go Dark

Preserving WHOIS has become one of the 2 main priorities internationally for the U.S. government’s National Telecommunications and Information Administration, with fears the service may go “dark and become a relic of the Internet's history.”

ICANN: Data Protection/Privacy Update Webinar Scheduled for 2 February

ICANN today [25 Jan] announced that it will hold a webinar on 2 February from 1530 to 1630 UTC to provide an update on data protection/privacy activities related to the European Union’s General Data Protection Regulation (GDPR).

The webinar will focus on ICANN’s three proposed interim models for collecting registration data and implementing registration directory services published [PDF, 623 KB] earlier this month.

In order to facilitate global participation, interpretation services will be available in Arabic, Chinese, French, Portuguese, Russian, and Spanish. Participants will have the opportunity to ask questions at the end of the session. During the course of the webinar, participants may submit questions using the chat function in Adobe Connect. We will make every effort to answer the questions during the webinar. A recording of the webinar will be made available for future reference.

The community is encouraged to provide input on the proposed models [PDF, 623 KB] by 29 January 2018. Please send your feedback to gdpr@icann.org.

More information on ICANN’s data protection/privacy activities is available here.

Webinar Details & How to Attend

Date: 2 February 2018

Time: 1530 – 1630 UTC

Join via Adobe Connect (please send dial-in requests to gdpr-questions@icann.org)

Participant Codes:

English – Participant Code: 9001
Français – Participant Code: 9002
Español – Participant Code: 9003
中文 – Participant Code: 9004
Русский – Participant Code: 9005
العربية – Participant Code: 9006
Português – Participant Code: 9007

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2-2018-01-25-en

ICANN Proposes Solutions To Deal With WHOIS and GDPR Conflicts

Enforcement of the European Union’s General Data Protection Regulation (GDPR) is coming on 25 May and as of yet, ICANN still hasn’t worked out a way to deal with the conflicts between the collection of domain name registration data (WHOIS) and the requirements of GDPR.

Acknowledging it’s likely they won’t have a solution by the enforcement date, ICANN’s President and CEO Göran Marby wrote on the organisation’s blog last week that they’re “working to develop interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements. To be clear, these proposed models are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”

In November ICANN “published a Statement from Contractual Compliance, which indicated ICANN org would defer taking compliance action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”

So what is the GDPR? It’s the E.U.’s way of harmonising data protection laws across the 28 member states, and it gives greater protection to the data and privacy of EU citizens.

It applies to any organisation that processes data about individuals relating to the sale of goods or services to citizens in EU countries, which includes the registration of domain names involving registrars, resellers and registries. This means that even businesses from outside of the EU who process data on the citizens of the European Union need to comply. This includes domain name registries and registrars.

The penalties for non-compliance are steep. Organisations can be fined up to 4% of annual global turnover or €20 million, the maximum fine, for breaching the GDPR. The GDPR also makes it easier for individuals to bring private claims against data controllers when their data privacy has been infringed and to sue for compensation when non-material damage has been suffered. Consent for the collection of the data is necessary, and the withdrawal of consent must be made available.

Personal data under the GDPR is defined as any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. This also includes WHOIS data required when registering a domain name.

The E.U. has expressed its concerns about how ICANN is progressing. In a letter to ICANN, the EU’s ARTICLE 29 Data Protection Working Party says “the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.” The letter states a “layered access” may meet the GDPR while also providing law enforcement with the access they require. The EU has been calling for such a layered access since 2003.

Regarding the publication of WHOIS data collected when registering a domain name, the WP letter says there are concerns regarding the way consent is given when WHOIS data is collected.

In last week’s blog post, Marby outlines what ICANN has been doing, and the 3 options for moving forward. In November ICANN obtained legal advice that WHOIS as it currently exists must change. In December Marby advised ICANN was working on some “interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements.” The models “are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”

And then last week ICANN published for community input three proposed discussion models for collecting registration data and implementing registration directory services that reflect discussions “from across the community and with data protection authorities, legal analyses and the proposed models we have received to date.”

Marby summarised the three models [pdf] at a high level in his post; the summaries are reproduced below. “The models differ based on what contact information is displayed in the public-facing WHOIS, their applicability, the duration of data retention and what data is not displayed in a public-facing WHOIS:

  • Model 1 would allow for the display of Thick registration data, with the exception of the registrant's phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to these non-public data points, third parties would be required to self-certify their legitimate interests for accessing the data. This model applies if the registrant is a natural person, and the registrant, registry, registrar and/or the data processor is in the European Economic Area.
  • Model 2 would allow for the display of Thin registration data, as well as the technical and administrative contacts' email addresses. To access the non-public information registries and registrars would be required to provide access only for a defined set of third-party requestors certified under a formal accreditation/certification program. There are two variations on how this model would apply. Model 2A applies to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is in the European Economic Area. Model 2B would apply to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is regardless of location, that is on a global basis.
  • Model 3 would allow for the display of Thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction. This model would apply to all registrations on a global basis.”

Feedback must be received by 29 January 2018 with comments to be sent to gdpr@icann.org.

The models are available to read in more detail at https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf.

Pirate Bay Founder Fights For Your Right To Register Domains Anonymously, No Matter How Objectionable You Are

The 38-year-old Pirate Bay co-founder and Swedish politician Peter Sunde has started a new business that allows almost anyone, anywhere to register domain names anonymously. Well, actually, you don’t register the domain name yourself. They register it for you and the domain name will be in their name. They claim if you want the domain name back, no problems, no additional costs.

Which raises a host of interesting questions such as what happens if their business goes down the gurgler. It also opens up the option for all sorts of crooks and shysters and copyright abusers, as well as human rights activists, to register domain names and not have their identity blown. They do say they “will help if there are legal merits to any formal government requests to our system.” The company is based in the small (93 square kilometres) Caribbean island of Nevis, which is also a tax haven.

The service, Njalla, which uses the Laos ccTLD (.la) and which in recent years has been used as an alternative for Los Angeles businesses, claims they’re helping registrants to “fight back … in the world where people’s right to privacy and the right to be anonymous is under attack.”

Reading the .la WHOIS Privacy Service Agreement though makes one wonder how the business will fly. No doubt their lawyers have worked on it, but there appear to be grounds for copyright holders to challenge the service.

To quote the Njalla news release:
“The service is not a regular domain name reseller. We don’t sell you domain names actually. You pay us so we can buy one for ourselves. The price includes your right to use it. We’re even giving you access to our anycasted DNS service.

“Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions. As long as you keep within the boundaries of reasonable law and you're not a right-wing extremist, we’re for promoting your freedom of speech, your political weird thinking, your kinky forums and whatever. Even Trump is welcome. Hell, he might even be a customer. We’ll never know. We might even be approved by him! Or not. We don’t really care.”

They don’t care very much who you are. They don’t even care if they hate what you do. They claim they’ll protect anyone’s anonymity. From criminals to human rights activists, you’re fine. A cynic might say it’s all about the money. And if you just want to use their services and not have anonymity, that’s fine too.

“We don’t need to know who you are, what you are, where you are. We don’t even need an e-mail address — we can do with an anonymous XMPP account you can set up somewhere,” they say in their news release. They’ll also host and allow you to pay with Bitcoin. The service is now open for beta testing for a limited number of customers.

Privacy Concerns in the Domain Name System by Samantha Bradshaw & Laura DeNardis

Abstract: Some of the most contentious policy debates of our time involve questions surrounding the privacy of user data and the extent to which personally identifiable information is encrypted on mobile devices, in transit, or in the cloud. However, one aspect of personal privacy often missing from the public discourse is the question of confidentiality in the Internet’s Domain Name System (DNS).

The DNS is a distributed but hierarchically organized system that translates alphanumeric domain names into IP addresses. One facet of Internet governance scholarship on the DNS has focused on examining public policy concerns related to freedom of speech, intellectual property, cybersecurity, and jurisdictional oversight. However, the design of the DNS also inherently raises a number of privacy concerns, one being the technological condition that DNS queries are almost always unencrypted. Although these queries do not contain “content” such as email text, images, or search terms, they do reveal the sites a user visits. As such, query data can disclose sensitive information-seeking practices related to addiction services, gender identity, disease treatment, pornography, abortion clinics, mental illness, employment, or online dating services. Given that almost every activity online begins with a DNS query, concerns about the prospects for unauthorized access to query information and practices for how queries are processed, retained, aggregated, or shared should be examined further.

Situated conceptually in the field of Science and Technology Studies (STS) and topically within the extensive body of research on global Internet governance, this research project asks: to what extent do DNS queries raise privacy considerations; what is at stake for Internet privacy, security, business models and stability; and how can various Internet governance stakeholders address these privacy concerns? To help establish the dominant frames for conceptualizing privacy in the public sphere, the research project examines dominant media sources for a five-year period between 2010-2015 and compares this coverage data to other online privacy concerns such as search engine privacy and user device encryption. To assess the extent of privacy concerns implicated by DNS queries and understand the stakes of various privacy mitigating options, the research project draws from interviews with DNS engineers and privacy advocates; the archival mailing lists of the DNS Privacy Working Group; proceedings of meetings of the Internet Engineering Task Force; and relevant Internet Request for Comments (RFCs).

This paper makes two contributions to information and communication technology policy and scholarship: first, it will contribute to the corpus of Internet governance scholarship around the Domain Name System by expanding the spectrum of policy issues it implicates to include concerns about individual privacy; and second, it will provide an evidentiary basis to expand policymaking considerations around privacy to include DNS queries rather than primarily content and personally identifiable information.

Daily Wrap: Whois Privacy, Domain Suspensions Not a Priority for PIPCU, the Litigious IOC, IPv6 Grows in APEC and Neustar Expands, Again

“Whois privacy services by cybersquatters can frustrate and sometimes delay the resolution of a domain dispute but it can’t prevent the inevitable,” say FairWinds Partners in a recent blog posting. But they do result in “brand owner[s] having to incur the expense of filing a UDRP or URS complaint.”

A London police unit, the City of London Police’s Intellectual Property Crime Unit (PIPCU), has decided that suspending pirate domain names is no longer a priority, according to TorrentFreak. The report says that after ICANN ruled that registrars don’t have to suspend domain names without a valid court order, the police have decided to put more emphasis on other enforcement tactics.

The International Olympic Committee is very protective of its trademarks and litigious when it comes to protecting those marks. So now the IOC and the U.S. Olympic Committee have sued a businessman on trademark charges, claiming he’s stockpiled more than 1,000 domain names of potential Olympic host cities and years to raise money, according to Courthouse News Service.

However Stephen P. Frayne Jr. has “filed a complaint in the District Court for the Northern District of Illinois, averring that he acquired the domain name solely to establish a bona fide noncommercial forum for an ‘open and honest discussion’ about the Olympic Games, the complaint states.”

Use of IPv6 in the Asia Pacific is growing. According to recent stats from APNIC Labs, there are some encouraging signs across the region, with the United States (26.5%), Peru (15.5%), Japan (15.7%), Malaysia (10.2%) and Singapore (9.6%) all among the top 15 economies for IPv6 end-user adoption. In the post on the APNIC blog, it notes that “globally, IPv6 adoption has seen a 100% increase in the last 12 months. Although this only represents 4.9% of total users there is reason to be optimistic about the overall trend.”

Neustar is expanding its wings. In 2015 it acquired Bombora, the registry for the .au and .om ccTLDs, and assets owned by Transaction Network Services, to add to, among other acquisitions, .CO Internet in 2014. And just last week it acquired MarketShare Partners, LLC, a fast-growing marketing analytics technology provider to major brands, for $450 million. The purchase price is effectively reduced to approximately $390 million after taking into account tax benefits resulting from the transaction.

Closed Room TPP And OECD Deals Could Mean End to Whois Privacy

Privacy proxy services used by registrants are under threat following proposals in the Trans Pacific Partnership and from “a new revision of the OECD E-commerce Recommendation that would require domain name registration information to be made publicly available for websites that are promoting or engaged in commercial transactions with consumers,” according to the Electronic Frontier Foundation.

And this, also according to the EFF, when ICANN’s GNSO Privacy & Proxy Services Accreditation Issues Working Group looked like it would “accept that privacy services should remain generally available, including by those who use their domain names commercially.”

Both of these changes are being pushed by the United States with the backing of corporate interests, particularly those in the entertainment industries.

The secretive Trans Pacific Partnership (TPP), a proposed trade agreement between 12 countries – Brunei, Chile, New Zealand, Singapore, Australia, Canada, Japan, Malaysia, Mexico, Peru, the United States and Vietnam – “has just ridden roughshod over that entire debate (at least for country-code top-level domains such as .us, .au and .jp), by cementing in place rules (QQ.C.12) that countries must provide ‘online public access to a reliable and accurate database of contact information concerning domain-name registrants.’

“The same provision also requires countries to adopt an equivalent to ICANN’s flawed Uniform Domain-Name Dispute Resolution Policy (UDRP), despite the fact that this controversial policy is overdue for a formal review by ICANN, which might result in the significant revision of this policy. Where would this leave the TPP countries, that are locked in to upholding a UDRP-like policy for their own domains for the indefinite future?

“The TPP’s prescription of rules for domain names completely disregards the fact that most country code domain registries have their own, open, community-driven processes for determining rules for managing domain name disputes.

“More than that, this top-down rulemaking on domain names is in direct contravention of the U.S. administration’s own firmly-stated commitment to uphold the multi-stakeholder model of Internet governance. Obviously, Internet users cannot trust the administration that it means what it says when it gives lip-service to multi-stakeholder governance — and that has ramifications that go even deeper than this terrible TPP deal.”

These proposed agreements go against everything that ICANN has sought to achieve through its attempts at improving accountability with its multi-stakeholder model.

For more information see:

The Final Leaked TPP Text Is All That We Feared
https://www.eff.org/deeplinks/2015/10/final-leaked-tpp-text-all-we-feared

U.S. Bypasses ICANN Debates on Domain Privacy with Closed Room Deals at the OECD and TPP
https://www.eff.org/deeplinks/2015/10/us-bypasses-icann-debates-domain-privacy-closed-room-deals-oecd-and-tpp

Domain Registrars Have to Ask ICANN’s Permission to Comply With Laws Protecting Your Privacy
https://www.eff.org/deeplinks/2015/10/domain-registrars-have-ask-icanns-permission-comply-laws-protecting-your-privacy

Voluntary Practices and Rights Protection Mechanisms: Whitewashing Censorship at ICANN
https://www.eff.org/deeplinks/2015/10/voluntary-practices-and-rights-protection-mechanisms-whitewashing-censorship-icann

Domain Name Commission calls for public comment on .NZ WHOIS review

[news release] As part of a wide-ranging two stage review, the Domain Name Commission Limited (DNCL) has today launched the first of two public consultations on the .nz WHOIS.

The WHOIS is the publicly available search service that lets people find registration information for a .nz domain name. Using the WHOIS is commonly known as a ‘domain name search’.

In this first public consultation, members of the public and interested stakeholders are being asked to comment on a number of matters, including why .nz registrant data should / or should not be collected and made publicly available in the WHOIS.

To assist with people’s understanding of the .nz WHOIS and how it currently works, DNCL has put together a consultation paper and a one-page overview at https://dnc.org.nz/whois-review-consultation-1.

The deadline for making a submission on the first public consultation is 6 November 2015. Submissions can be made by email to policies@dnc.org.nz, or by mail to PO Box 11 881, Wellington.

A second consultation and public meetings in Christchurch, Auckland, Wellington and online will follow later in the year on what information is displayed in the WHOIS, and how.

Domain Name Commissioner Debbie Monahan says public feedback will help inform DNCL’s thinking as it progresses the WHOIS review, and encourages all interested parties to familiarise themselves with the first public consultation and make a submission.

For more information about DNCL’s .nz WHOIS review process and associated public consultations please visit https://dnc.org.nz/whois-review-consultation-1.

This Domain Name Commissioner news release was sourced from:
dnc.org.nz/story/domain-name-commission-calls-public-comment-nz-whois-review

Privacy Advocates Aghast As Entertainment Industry Pushes For Commercial Registrants To Reveal WHOIS

Privacy advocates are aghast at ICANN’s proposed changes to current rules around privacy and proxy services for domain name registrants. The changes, that many see as being lobbied for by the US entertainment industry, would see “commercial” registrants forced to reveal their identity and contact details.

But the request for comments has outraged many including privacy advocates. The Electronic Frontier Foundation has given an example of “a free community website for transgender authors” that currently uses a proxy registration service keeping the registrant’s details private. The EFF asks whether such a website could be considered commercial, which under the proposals would force the registrant to reveal their contact details, or not.

And as the EFF notes, the proposal is being pushed by US entertainment companies who told Congress earlier this year that domain registration privacy should only be allowed in limited circumstances. The entertainment companies want to be able to use registration data “to discover the identities of website owners whom they want to accuse of copyright and trademark infringement, preferably without a court order.”

The Initial Report on the Privacy and Proxy Services Accreditation Issues Policy Development Process [pdf], which is open for public comment until 7 July, asks if “domains used for online financial transactions for commercial purpose should be ineligible for privacy and proxy [P/P] registrations.” And it wants to know why or why not respondents think so.

The paper also requests comments on whether “it would be useful to adopt a definition of ‘commercial’ or ‘transactional’ to define those domains for which P/P service registrations should be disallowed? If so, what should the definition(s) be?”

Additional issues canvassed include what measures should be taken to ensure contactability and responsiveness of providers, along with the question: should “full WHOIS contact details for ICANN-accredited privacy/proxy service providers be required?” How to deal with websites with malicious or illegal content is also addressed.

To date there have been well over 10,000 comments submitted, the vast majority opposing the changes.