The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and The Anti-Phishing Working Group (APWG) have again collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s application of the European Union’s General Data Protection Regulation (GDPR) has impacted on the distributed WHOIS service and anti-abuse work. The resulting report, published in June, discusses the effect of the Temporary Specification on anti-abuse actors’ access and usage of domain name registration information, which is central for various types of investigations.
In the latest Domain Pulse Q&A series looking at the year in review and year ahead, we speak to ICANN board member Chris Disspain. Chris discusses the progress of the next round of new gTLD applications, the challenges of GDPR has thrown at ICANN relating to WHOIS, a 2019 highlight being finalisation of the new strategic plan especially in the way the ICANN community focused and pulled together to get it done and then what the future may hold for him after he completes his term on the ICANN board. He also would like to see a little more kindness “in the ICANN context”.
Domain Pulse: What were the highlights, lowlights and challenges of 2019 in the domain name industry, both for you and/or the industry in general?
Chris Disspain: The challenge of GDPR and its relevance to WHOIS has consumed an immense amount of time in 2019. And universal acceptance is a real issue for many especially but not exclusively in the IDN world.
The finalisation of the new strategic plan has been a highlight especially the way that the ICANN community focused and pulled together to get it done. And the streamlining of reviews work!
There are always lowlights. Calling them out isn’t necessarily helpful.
DP: What are you looking forward to in 2020?
CD: Enjoying my last year as a board member, making a difference and riding off into the sunset….. only to return later in 2021 wearing a different hat…..Or perhaps not!
DP: What challenges and opportunities do you see for the year ahead?
CD: Every issue has both a challenges and opportunities … Some examples for us are GDPR, various contractual matters, the sub-pro work, ccNSO work on retirement of ccTLDs, the ongoing work on IGOs acronyms, the ongoing community work-load and so on.
DP: How have new gTLDs fared in 2019?
CD: Some good, some bad I expect. But given that different gTLDs have different measures of success that’s quite a hard question to address. A brand likely doesn’t care about registration levels. A geographic may have a limited market and be happy with that. I guess the only real test will be to see what sort of applications come in in a next round.
DP: What progress do you see on a new round of applications for new gTLDs in 2020?
CD: Significant but it’s a long track that needs to be carefully navigated. As a board member (actually the only current board member) who was on the board from the beginning of the last gTLD round I know many of the issues that will need to be dealt with in the updated policy. Some of these are complicated and contentious but I’m hopeful that with the extraordinary work of the Sub-pro WG and the support of the community generally we’ll get there reasonably soon.
DP: What one thing would you like to see addressed or changed in the domain name industry?
CD: Well, in the ICANN context, I think a little more kindness would be good. And a ‘fix’ for the structural challenges within the GNSO would make a huge difference to the ability of the ICANN multi-stakeholder model to deal effectively and efficiently with the constantly changing industry dynamic.
Chris was also the founding CEO of Australia’s ccTLD policy and regulatory body, auDA.
Previous Q&As in this series were with:
- Loïc Damilaville, Market Research Manager at Afnic – here
- David Fowler, vice-president, marketing and communications, Canadian Internet Registration Authority (CIRA) – here
- Katrin Ohlmer, CEO and founder of DOTZON GmbH – here
- EURid, manager of the .eu top level domain – available here
Q&As in the 2019 series were with:
- EURid, manager of the .eu top level domain (available here)
- Katrin Ohlmer, CEO and founder of DOTZON GmbH (here)
- Afilias’ Roland LaPlante (here)
- DotBERLIN’s Dirk Krischenowski (here)
- DENIC (here)
- Internet.bs’ Marc McCutcheon (here)
- nic.at’s Richard Wein (here)
- Neustar’s George Pongas (here)
- CentralNic’s Ben Crawford (here)
- CIRA’s David Fowler (here)
- Jovenet Consulting’s Jean Guillon (here)
- GGRG’s Giuseppe Graziano (here)
- Blacknight Solutions’ Michele Neylon (here)
- Public Interest Registry’s President and CEO Jon Nevett (here)
- ICANN board member Chris Disspain (here).
Although ICANN isn’t technically American, there’s a growing difference of opinion between Europe and “America” over how to deal with the collection of domain name registrant’s registration, or Whois, data. Despite going down 4-0 to German courts in a dispute where EPAG is refusing to abide by ICANN’s requirement to collect registration data, ICANN has continued to insist registrars and registries collect the data they require for gTLDs. Continue reading ICANN Reaffirms gTLD Registration Data Temporary Specification in Defiance of German Courts
The deadline to submit comments on the Draft Report [PDF, 1.97 MB] of the Registration Directory Service (RDS-WHOIS2) Review Team has been extended until Monday 18 November 23:59 UTC.
The Registration Directory Service (RDS-WHOIS2) Review Team published its draft report and recommendations for public comment on 4 September 2018. The Registration Directory Service Review Team assesses the extent to which prior Directory Service Review recommendations have been implemented and implementation has resulted in the intended effect. The review team also assesses the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promotes consumer trust and safeguards registrant data. Informed by ICANN organization briefings and available documentation, the review team has formulated draft recommendations based on a factual analysis. This public comment proceeding aims at gathering community input on the RDS-WHOIS2 Review Team’s proposed draft findings and recommendations.
The RDS-WHOIS2 Review Team aims to publish its final report in Q1 2019.
Executive Summary [PDF, 285 KB]
Listen to the Registration Directory Service (RDS-WHOIS2) Review Engagement Session at ICANN63 for more information on their findings and recommendations. See here for details and recordings.
Listen to the Registration Directory Service (RDS-WHOIS2) Review Webinars on the Draft Report. See here for details.
This ICANN announcement was sourced from:
A joint APWG-M3AAWG survey of over 300 cybercrime responders and anti-abuse personnel indicates ICANNâs Temporary Specification, its response on how to deal with the European Unionâs General Data Protection Regulation for domain name WHOIS data, has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages — and has markedly impeded routine mitigations for many kinds of cybercrimes.
With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or victims of abuse has irreparably eliminated their capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data is use a pseudonym, according to Peter Cassidy, Anti-Phishing Working Group (APWG) Secretary General.
According to survey respondents ICANNâs Temporary Specification for gTLD Registration Data, established in May in response to the GDPR, impedes investigations of cybercrime â from ransomware attacks to distribution of state-sponsored strategic disinformation. Analyses of responses from the survey reveal that:
- Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
- Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.
âThe biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,â one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.
APWG and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) concluded their analysis with recommendations for ICANN to:
- Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
- Restore redacted WHOIS data of legal entities.
- Adopt a contact data access request specification for consistency across registrars and gTLD registries.
- Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
- Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
- Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.
The survey was submitted to ICANN on Oct. 18 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.
The full survey can be found at www.m3aawg.org/WhoisSurvey2018-10 or docs.apwg.org/reports/ICANN_GDPR_WHOIS_Users_Survey_20181018.pdf.
The Alliance for Safe Online Pharmacies (ASOP Global) presented its annual Internet Pharmacy Safety E-Commerce Leadership Award to .DK Hostmaster, which was announced at ICANN63 Tuesday.
DK Hostmaster, the Danish country code top level domain (ccTLD) manager, won the award based on their commitment to ensuring citizen safety by maintaining transparent WHOIS data, proactively enforcing identity accuracy policies to increase consumer trust and safety online.
DK Hostmaster has increased identity checks for Danish and foreign customers and deleted over 3,000 domain names of suspected fake stores since November 2017. In addition, DK Hostmaster supports an open WHOIS, which is helping to create transparency so it continuously is possible to see who is behind a .dk domain name.
âASOP Global is pleased to recognise DK Hostmaster for their outstanding efforts to prevent the illegal use of domain names for online drug sales and rapidly responding to any complaints,â said Libby Baney, Principal at Faegre Baker Daniels Consulting and senior advisor to ASOP Global.
ASOP Global is a 501(c)(4) non-profit organisation headquartered in Washington, D.C. with activities in the U.S., Canada, Europe, India, Latin America and Asia. Itâs dedicated to protecting consumers around the world, ensuring safe access to medications, and combating illegal online drug sellers.
âDK Hostmaster is honoured to receive this award for our continued efforts to ensure a safe and trustworthy .dk zone through transparency and focus on ensuring the identity of the owners of a .dk domain nameâ said DK Hostmaster CEO, Jakob Truelsen.
âDK Hostmasterâs policy to keep WHOIS data open and transparent creates a more secure, trustworthy environment in the .dk namespace,â Baney commented. As a member of the Coalition for a Secure and Transparent Internet, ASOP Global further commends DK Hostmaster for their policy on transparent WHOIS and encourages other registries and registrars to follow thier lead.
âTransparency has shown to be an effective tool to prevent abuse. Sunlight has proven to an effective disinfectantâ said DK Hostmaster CEO, Jakob Truelsen.
Nominations for ASOP Globalâs third Internet Pharmacy E-Commerce Safety Award are now open. Award recipients will be announced during ICANN66 in November 2019 in Montreal, Canada.
Recently threat intelligence organisation Recorded Future published a blog post suggesting “spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules.”
The General Data Protection Regulation that came into force on 25 May, seeks to give individuals more control over their personal data and to simplify data protection regulation in the European Union to one rule for all countries. Recorded Future published spam volumes compiled by Cisco which found that “on May 1, 2018, the total volume of email was 433.9 billion messages; spam accounted for 370.04 billion messages, or 85.28 percent of all email. On August 1, 2018, the total volume of messages was 361.83 billion, with 85.14 percent, or 308.05 billion messages, identified as spam. While the total volume of email fell precipitously, most likely due to a combination of seasonal email fluctuations and as the result of newly enforced privacy standards, the percentage of spam remained roughly the same.”
Recorded Future surmised that “spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules. Spam is still a big problem, but it has not become a bigger problem, contrary to popular opinions among security researchers.”
Spamhaus has taken a similar view. They note “the real answer is that it is far too early to tell.”
“Before GDPR came into effect, records such as a domain’s registered owner and registered contacts could be looked up in WHOIS databases maintained by individual registrars governed by ICANN.”
“WHOIS information was used by researchers in organisations such as Spamhaus to help determine a domain’s reputation. Domains determined from this and other factors to have a bad reputation would have potentially been listed on our Domain Block List (DBL).”
Spamhaus goes on to note that “whilst the lack of some of this information is tiresome and makes a security researcher’s job a little more difficult, it isn’t insurmountable. Spam will be blocked. Domains will continue to be added to our DBL and email will be filtered accordingly.”
“It’s true, spam rates have dropped marginally since May 2018. Spamhaus never anticipated a tsunami of spam to follow GDPR, however current claims that spam has fallen as a result of GDPR are unconvincing.
“Of course, it could be that legitimate companies, who are concerned about being GDPR compliant, have started purging email lists and are sending less ‘legit’ spam. However, one needs to remember that spam from legitimate companies accounts for a very small percentage of overall spam numbers, so any reduction in this area would have a minute impact on the figures.
“Another theory could be that due to the changes on WHOIS fewer bad domains are being identified and therefore some anti-spam systems are flagging less email.
“Nonetheless, this small reduction in spam is more than likely down to the natural ebb and flow of spam volumes, which have always been highly variable, just like botnet traffic.”
Spamhaus note there could be “numerous non-GDPR related reasons as to why there’s been a recent drop in spam email ranging from the spambots which are currently in operation (or not in operation as the case may be) to who has been arrested recently!”
So Spamhaus say there’s “no hard evidence we have seen proving that this current decline in spam is as a direct result of GDPR…it will be interesting to see what the volumes of spam are like over Black Friday and the subsequent Christmas holidays.”
They also suggest the drop in spam levels bein attributed to the GDPR is a “vacuous claim, unless it’s worth considering that snowshoe spammers don’t need as many new identities now that their current ones are withheld on WHOIS.”
“A more likely explanation to the drop in domain name registrations could be something as simple as top-level domains (TLDs) not having run any ‘specials’ recently (everyone loves a bargain, even a cybercriminal).”
But Spamhaus suggests that prohibiting personal details being visible on Whois “will hamper, if not stop, organisations being able to join the dots and identify gangs of professional cybercriminals who have a mechanism of fraud that is proving successful.”
According to Spamhaus “researchers collect all kinds of information from WHOIS. This data allows us to identify patterns in spamming activity, and build intelligence to attribute it to specific spam gangs.”
Whois data are “small but critical pieces of data [that] can become crucial to investigations later down the line, although they may not be obvious at the time. This evidence can assist law enforcement agencies to pursue these prolific gangs who are defrauding significant amounts of people of vast quantities of money” with “even fraudulent information that is used in a WHOIS record can be used against criminals.”
Whois data is âmore important than ever beforeâ as malicious actors seek to undermine democracy, according to a post on the DomainTools blog.
â2018 has been a tough year to be a domain name Whois record. For years Whois has been a favorite and uniquely effective tool of security researchers and law enforcement to battle cybercrime and cyberattacks, yet now that data will be kept under wraps to be metered out, if at all, under the watchful eye of domain name registrars whose strongest orientation in this matter is to their own legal certainty and the privacy of their customers. The situation DNS finds itself in is the unfortunate result of todayâs privacy-centric global policy regimes.â
The introduction of the EUâs General Data Protection Regulation (GDPR) has meant itâs much more difficult to obtain the Whois data that was, for all but those domain names that utilised privacy protection, freely available. Although it wasnât always accurate of course. DomainTools note that less than 25% of domain name registrants utilised privacy protection.
In their post DomainTools note that the âproponents of the anonymization of the internet are saying that âsee, the sky is not falling, Whois didnât really matter after allâ. Except that it does matter. It matters a great deal to the very same people GDPR is designed to protect.â
DomainTools give a couple of examples of where they believe âsecurity investigations or processes [have been] impaired by the current global inability to identify the people or organizations that register and use domain names on the internet.â
âElection meddling is a hot-button issue, it gets to a very closely held civil right in most democratic countries. So last weekâs announcements by Microsoft, cybersecurity company FireEye, Facebook, and Google regarding US midterm election influence campaigns being run on social media and also via state-sponsored phishing attacks, was widely distributed, read and referenced.â
In one example, DomainTools note âFireEyeâs confidence to name Iranian actors as the responsible party stems from âa combination of indicators, including site registration dataâ as well as âRegistrant emails from the sites âLiberty Front Pressâ and âInstituto Manquehueââ.
âFacebook builds on the FireEye research and through investigation of Facebook Accounts and Pages is âable to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP Addresses and Facebook Pages sharing the same admins.ââ
âGoogleâs blog post implicates the Islamic Republic of Iran Broadcasting (IRIB) by noting âTechnical data associated to these actors is strongly linked to the official IRIB address spaceâ¦domain ownership information about these actors is strongly linked to IRIB account informationâ¦(and) Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIBââ.
DomainTools concludes that âWhois data isnât going to solve the worldâs cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in todayâs internet. Itâs reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.â
In its Draft Report [PDF, 2.94 MB], the Registration Directory Service Review Team assesses the extent to which prior Directory Service Review recommendations have been implemented and implementation has resulted in the intended effect. The review team also assesses the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promotes consumer trust and safeguards registrant data. Informed by ICANN organization briefings and available documentation, the review team has formulated draft recommendations based on a factual analysis.
This public comment proceeding aims at gathering community input on the RDS-WHOIS2 Review Team’s proposed draft findings and recommendations.
To provide consistency and to facilitate review team’s analysis of comments, ICANN organization invites commenters to use the suggested template [PDF, 380 KB] to submit their public comment.
Following the review of public comments received on this report, ICANN organization will prepare a public comment summary report. The RDS-WHOIS2-RT will carefully consider comments received to shape its final report and recommendations to the ICANN Board for consideration.
Section I: Description and Explanation
The Registration Directory Service Review is one of the four Specific Reviews anchored in Article 4.6 of the ICANN Bylaws. These Specific Reviews are conducted by community-led review teams which assess ICANN‘s performance in reaching its commitments. Reviews are critical to helping ICANN achieve its mission as detailed in Article 1 of the Bylaws.
According to the Bylaws (Section 4.6(e)), ICANN shall use commercially reasonable efforts to enforce its policies relating to registration directory services and shall work with Supporting Organizations and Advisory Committees to explore structural changes to improve accuracy and access to generic top-level domain registration data, as well as consider safeguards for protecting such data.
Convened in June 2017, the RDS-WHOIS2-RT is now seeking input on its Draft Report [PDF, 2.94 MB], which assesses:
- the extent to which prior Directory Service Review recommendations have been implemented and the extent to which implementation of such recommendations has resulted in the intended effect.
- the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promotes consumer trust and safeguards registrant data.
Community input is being sought on 23 draft recommendations.
All comments will be reviewed and summarized in the report of public comments, which will be included as a supplement to the Final Report.
To provide consistency and to facilitate the discussion, ICANN organization invites commenters to use the suggested template [PDF, 380 KB] to submit their public comment. Commenters are requested to clearly indicate the relevant sections of the Draft Report, or numbered recommendations, with their comments.
The RDS-WHOIS2 Review Team will host a webinar on 17 September 2018 at 15:00 UTC and 21:00 UTC to present its Draft Report. Participants will have the opportunity to provide feedback and ask questions directly to the Review Team. Please use the following link to join either webinar: https://participate.icann.org/mssi-projects.
Section II: Background
Convened in June 2017, the RDS-WHOIS2 Review is being conducted under the section 4.6 of the ICANN Bylaws. This review effort is anchored in the portfolio of Specific Reviews, which address the following range of topics in addition to Registration Directory Services (RDS): Accountability and Transparency (ATRT), Competition, Consumer Trust and Consumer Choice (CCT), and Security, Stability and Resiliency of the DNS (SSR).
The RDS-WHOIS2 Review began with a call for qualified volunteers to serve on the review team. Choosing from a pool of candidates seeking nominations, ICANN‘s Supporting Organizations and Advisory Committees (SO/ACs) nominated a list of candidates to inform SO/AC Chairs’ discussions and decision as they assembled composition of the review team. Eleven review team members were appointed to conduct this review, including a Board member who serves on the review team. The Country Code Names Supporting Organization (ccNSO) opted to not participate in the review after consideration of the scope.
Prior to this review, community proposals were made to both limit the scope of this RDS-WHOIS2 Review to the assessment of the first WHOIS1 review team’s recommendations, and also to include a range of other issues over and above those mandated in the Bylaws.
Formally, the scope of a Review is the responsibility of the review team. After much discussion the RDS-WHOIS2 Review Team decided that it would review all of the Bylaw mandated areas, except the OECD Guidelines, as they were under consideration by the Next-Generation gTLD RDS PDP and were judged to be less relevant, particularly in relation to the GDPR. In addition, the RDS-WHOIS2 Review Team included in its scope a review of new policy adopted by ICANN since the WHOIS1 Review Team published its report, and decided to perform a substantive review of Contractual Compliance with the intent of (a) assessing the effectiveness and transparency of ICANN enforcement of existing policy relating to RDS (WHOIS) through ICANN Contractual Compliance actions, structure and processes, including consistency of enforcement actions and availability of related data, (b) identifying high-priority procedural or data gaps (if any), and (c) recommending specific measurable steps (if any) the team believes are important to fill gaps.
The RDS-WHOIS2 Review Team explicitly did not focus on ICANN‘s actions in response to the relatively new European Union GDPR. Those actions are ongoing, and the outcomes are not sufficiently firm as to allow them to be reviewed here. However, the Review Team recognized the GDPR issue is of significant importance and that it would probably impact several policies related to registrant data. To the extent GDPR and its effects on the RDS (WHOIS) could be factored in, the RDS-WHOIS2 Review Team did so.
To conduct this review, subgroups consisting of a rapporteur and 2-4 team members were formed to research facts associated with each objective, summarized below:
- Objective 1 – WHOIS1 Rec #1: Strategic Priority
- Objective 1 â WHOIS1 Rec #2: Single WHOIS Policy
- Objective 1 â WHOIS1 Rec #3: Outreach
- Objective 1 â WHOIS1 Rec #4: Compliance
- Objective 1 â WHOIS1 Rec #5-9: Data Accuracy
- Objective 1 â WHOIS1 Rec #10: Privacy/Proxy Services
- Objective 1 â WHOIS1 Rec #11: Common Interface
- Objective 1 â WHOIS1 Rec #12-14: Internationalized Registration Data
- Objective 1 â WHOIS1 Rec #15-16: Plan & Annual Reports
- Objective 2 â Anything New
- Objective 3 – Law Enforcement Needs
- Objective 4 – Consumer Trust
- Objective 5 â Safeguarding Registrant Data
- Objective 6 â Contractual Compliance Actions, Structure, & Processes
- Objective 7 â ICANN Bylaws
Informed by ICANN organization briefings and available documentation, these subgroups analyzed facts to identify possible issues and then formulated recommendations (if any) to address those issues.
To ensure full transparency, the review team operated in an open fashion where all review team calls and meetings were public, open to observers, with publicly-accessible recordings and transcripts.
Section III: Relevant Resources
Executive Summary [PDF, 285 KB]
Section IV: Additional Information
WHOIS Review Team (WHOIS1) Final Report [PDF, 1.44 MB]
Open Date: 4 Sep 2018 23:59 UTC
Close Date: 4 Nov 2018 23:59 UTC
Staff Report Due: 19 Nov 2018 23:59 UTC
This ICANN announcement was sourced from:
ICANN announced Friday they had lost another round in their battle to get EPAG, a subsidiary of Tucows, to enforce their “temporary specification” on the collection of domain name registrant data.
For the third time the German courts have ruled against ICANN. This time the Appellate Court determined that it would not issue an injunction against EPAG. In making its ruling, ICANN explains in its announcement, “the Appellate Court stated that the interpretation of provisions of the GDPR was not material to its decision, so there was no obligation to refer the matter to the European Court of Justice.”
“Rather, the Appellate Court simply found that it was not necessary for it to issue a preliminary injunction to avoid imminent and substantial disadvantages, and noted that ICANN could pursue its claims in the main proceedings in order to enforce the rights it asserts.”
Former ICANN staffer and now (again) journalist on the domain name industry Kieren McCarthy tweeted on the news:
#ICANN has lost its #Whois legal case yet again. And its insistence that the matter be referred to the ECJ has been refused. Just how bad does it have to get before this critical org gets itself some proper legal advice?
ICANN is seeking to have EPAG reinstate collection of administrative and technical contact data for new domain name registrations. To comply with the European Unions General Data Protection Regulation, ICANN was seeking to have all its 2,500 accredited registrars and registries to continue to collect “thick” data but anyone conducting a Whois search would only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data.
However Tucows took the view ICANN’s temporary specification wasn’t compliant with the GDPR. They had problems with 3 core issues. These issues were the collection, transfer, and public display of the personal information of domain registrants and the other contractually-mandated contacts.
Which led to a dispute on how the GDPR impacts EPAG’s registrar accreditation agreement. “The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data.”
ICANN note that they are now considering their “next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralised global WHOIS for the generic top-level domain system and will provide additional information in the coming days.”