Why The Public Directory Of Domain Names Is About To Vanish

Uploaded on 2018-11-14 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Law

The WHOIS service has run into the legal landmine of European data regulation and highlighted the weakness of consensus-based internet governance in the face of the law.

Until May 2018, anyone could look up the name and contact details for the owner of a domain name. The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based private company that coordinates internet domains and IP addresses, required companies that register domain names to collect and publish personal data in the so-called WHOIS service.

While far from a household name, WHOIS was widely relied upon by law enforcement and intellectual property owners to investigate and combat online crime and abuse. At the same time, privacy advocates and regulators have raised concerns (opens in new window) about the mandatory publication of every domain name holder’s name and contact details. These groups, each with their legitimate viewpoints, have been talking – sometimes shouting – past each other within ICANN for the past 20 years.

Then in May, the European General Data Protection Regulation (GDPR) arrived. The principles relevant to publication of WHOIS data were unchanged, but the GDPR’s big fines and long-arm jurisdiction captured the attention of the dominant US players within ICANN. Suddenly data protection became everyone’s problem, not just a quirky European wrinkle.

Despite warnings from several groups, the ICANN community as a whole failed to see the GDPR coming until a few months before GDPR took effect. There was a mad scramble to put in place a temporary policy that would be compliant with privacy laws.

On 25 May, the WHOIS 'went dark' –- all personal data was removed. Since then, ICANN has sued one of its own registrars in Germany for refusing to collect certain WHOIS data items. ICANN has so far lost at first instance (both on an emergency application (opens in new window) and full hearing (opens in new window)), then on appeal (opens in new window), and has failed (opens in new window) to obtain a reference to the Court of Justice of the EU. The German courts gave the status of ICANN’s consensus policies and contracts short shrift in the face of a European regulation.

In an effort to salvage a publicly accessible WHOIS service, ICANN has set up an emergency working group. The group is tasked to agree what, if any, registration data could still be collected and published on the WHOIS (company data? Non-EU data?), while a separate group is trying to agree rules to allow law enforcement and others access to non-public registration data. 

The emergency working group was due to make its interim recommendations by an ICANN meeting in Barcelona in October, but the meeting approaches, there is no sign of consensus.

Any policymaker will recognize that there are some issues on which multiple stakeholders will have incompatible, but legitimate views. In such cases, someone neutral has to step in to frame a solution which can reasonably satisfy all interests, without one side ‘winning’.

This approach is absent by design from the ICANN multi-stakeholder process, where policies are formed through consensus in a bottom-up process, and ICANN the organization assumes a passive role. The current temporary policy was only possible because the ICANN board imposed it, in an unprecedented break from tradition.

So, what will happen next? As is often the case with ICANN, the organization and its multi-stakeholder process is facing an existential crisis. Unable to solve this thorny policy issue for 20 years, ICANN’s latest group is unlikely to find consensus in the following days.

ICANN has lost in the German courts and the European Data Protection Board views with skepticism ICANN's claims that the interest of 'third parties' can justify continued collection and publication of WHOIS data.

Most public registers (like Companies House or the Land Registry in the UK) are required by statute, giving legal cover for their processing of personal data. There is no an equivalent in the ICANN world. ICANN has no ability to impose laws – it can only create 'consensus policies' which are reflected in contracts.

This may be a pragmatic way to achieve international implementation of policy, bypassing the dreary complexity of jurisdiction and international agreements. But consensus policies are informal instruments which, apparently, do not have the required status to offer protection or exemptions from the enforcement regimes of European regulations.

In recent years, intelligence agencies and law enforcement have consistently complained that the Internet is ‘going dark’. This narrative is part hyperbole and partly accurate, reflecting uptake of end-to-end encrypted applications such as WhatsApp, Signal and Telegram, adverse legal decisions in relation to the collection of bulk data, and stronger encryption available at the transport layer, such as TLS 1.3.

The WHOIS represented a small but strategic jump-off point for investigations, allowing law enforcement to look for patterns, or identify lines of enquiry. While the ICANN community struggles to find a way forward, yet another tool for law enforcement has disappeared.

Chatham House:

Emily Taylor is Associate Fellow, International Security at Royal Institute of International Affairs
 
You Might Also Read: 
 
EU Cybersecurity Act Could Impact Cross-Border Data Flows:
 
Russia Will Build A Separate Internet Directory:
 
 
« Can AI Be Used To Fight Crime?
Schoolboy Hacked Mock Florida Election Site In 10 Minutes »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Clavister

Clavister

Clavister is a network security vendor delivering a full range of network security solutions for both physical and virtualized environments.

App-Ray

App-Ray

App-Ray provides fully automated security analysis of mobile applications to find security issues, privacy breaches and data leaking potentials.

Immersive Labs

Immersive Labs

Immersive Labs have created a kinesthetic learning platform which identifies gaps in your teams cyber skills.

Cybint Solutions

Cybint Solutions

Cybint provides customized cyber education and training solutions for Higher Education, Companies and Government.

MENAInfoSecurity

MENAInfoSecurity

MENAInfoSecurity is a regional leader in information security solutions, assurance services and managed services.

Variti

Variti

Variti Intelligent Active Bot Protection technology — traffic analysis, detection and stopping of malicious bots in real-time and effective response to DDoS attacks.

Concentric

Concentric

Concentric Data Risk Monitoring and Protection. Deep Learning to discover, monitor and remediate risks to sensitive data on-premises and in the cloud.

Krypsis

Krypsis

Krypsys is an information security company with a focus on helping you defend your information and data against emerging security threats.

HALOCK Security Labs

HALOCK Security Labs

HALOCK is an information security consultancy providing both strategic and technical security offerings.

PlexTrac

PlexTrac

PlexTrac is a cybersecurity reporting and workflow management platform that supercharges security programs, making them more effective, efficient, and proactive.

Pathlock

Pathlock

Pathlock (formerly Greenlight) help enterprises and organizations automate the enforcement of any process, access, or IT general control, for any business application.

Myota

Myota

Myota intelligently equips each file to be resilient and achieve Zero Trust-grade protection. Withstand ransomware and data breach attacks. Reduce data restoration time and effort.

Tenable

Tenable

Organizations around the world rely on Tenable to help them understand and reduce cybersecurity risk across their attack surface—in the cloud or on-premises, from IT to OT and beyond.

EtherAuthority

EtherAuthority

EtherAuthority's engineering team has been helping blockchain businesses to secure their smart contract based assets since 2018.

Evolver

Evolver

Evolver delivers technology services and solutions that improve security, promote innovation, and maximize operational efficiency in support of government and commercial customers.

Nukke

Nukke

Nukke offers advanced cybersecurity software and tailored solutions for your business.