ICANN again updated WHOIS policies - again dissatisfied
ICANN continues to attempt to ensure that the work of the WHOIS system, which provides open access to data on domain name holders, meets the requirements of a GDPR. The GDPR has already entered into force, but for now none of the initiatives proposed by ICANN has been approved by the European Union. We wrote about this in our blog on Habré.
In mid-May, ICANN published a regular, temporary set of policies for WHOIS. Today we decided to talk about the new initiative and the difficulties that it brought.
/ Flickr / dwayne bent / cc
')
The stumbling block in the whole situation is the WHOIS network protocol. The information obtained with its help falls within the scope of the GDPR, which tightens the requirements for processing PD.
At the end of last year, ICANN, in order to comply with the regulations, proposed to remove data on the owners of domain names from public access. According to the initiative, only accredited organizations could receive them. For example, law enforcement. For everyone else who wants to use the WHOIS system, the information on the domain name owner would be closed - they would only see an anonymous email address from which all correspondence is transferred to real email.
However, this information interests many other people. In particular, it is necessary for lawyers who, with the help of this data, find people who distribute pirated content. Journalists often turn to WHOIS databases when they need to get information for an article, or they are investigating. And ICANN wasn’t told if they would all have the opportunity to get the necessary accreditation. For this reason (and some others ) in March, ICANN's proposals were rejected by the European Commission.
In April, ICANN representatives asked the regulator to postpone until next year in order to be able to finalize policies in line with the GDPR. However, the postponement was not granted, and the deadline remained the same - on May 25.
In this regard, on May 11, ICANN hastily published a temporary specification for working with WHOIS. And it is very similar to ICANN's previous work, but with additions.
The temporary specification states that registrars should continue to collect all data of domain owners: names, home addresses and phone numbers. However, to meet the requirements of the general data protection regulations, multilevel access to personal data will be provided. The right to request access to private data through registrars will be only for users with legitimate purposes.
At the same time, ICANN wants registrars to organize a system that would allow a third party to request all information from domain name holders directly via email. The new policy also describes a domain exchange mechanism between two registrars that uses WHOIS data. From now on, before conducting a similar operation, both parties must obtain an authorization form from the owner of the domain name.
ICANN recognizes that policy changes are temporary. And in 90 days it will be either extended or changed again.
/ Flickr / Leandro Martinez / CC
As early as March , registrars warned that by the time the GDPR entered into force (May 25) they would not have time to implement a number of new requirements put forward by ICANN. They even made a document with the approximate timing of the introduction of each new function. Estimated work will be completed no earlier than the end of 2019.
The most difficult to implement registrars recognized the mechanism for providing access to WHOIS data at the request of interested parties. All this is complicated by the fact that the mechanism of accreditation of organizations for such requests has not yet been implemented.
The largest registrars, among them GoDaddy and Tucows, sent a letter to ICANN. In it, they asked for a delay in the introduction of new policies for at least 6 months, since they largely contradict the changes that the registrars introduced to match the GDPR on their own.
At the same time, ICANN recently started suing the EPAG registrar. He just began to independently implement various initiatives to put in order the procedures for handling personal data of users. And he now refuses to collect contact information for domain name holders, since, in his opinion, this still violates the requirements of the GDPR. But this behavior is contrary to the contract between ICANN and EPAG.
The blame for the uncertainty the community places on ICANN. The final version of the GDPR was published 2 years ago, in May of 2016. However, the Domain Name Management Corporation began to actively deal with compliance issues only in October 2017. The impetus for this was the moment when two Internet registrars, in order to comply with the requirements of the European regulations, refused to use the WHOIS service.
Now ICANN is hoping to quickly implement a full-fledged and permanent solution that will close all the detected gaps. But what will come of it, the registrars cannot yet assume - they will have to wait out several months of uncertainty.
In mid-May, ICANN published a regular, temporary set of policies for WHOIS. Today we decided to talk about the new initiative and the difficulties that it brought.
/ Flickr / dwayne bent / cc
')
The stumbling block in the whole situation is the WHOIS network protocol. The information obtained with its help falls within the scope of the GDPR, which tightens the requirements for processing PD.
At the end of last year, ICANN, in order to comply with the regulations, proposed to remove data on the owners of domain names from public access. According to the initiative, only accredited organizations could receive them. For example, law enforcement. For everyone else who wants to use the WHOIS system, the information on the domain name owner would be closed - they would only see an anonymous email address from which all correspondence is transferred to real email.
However, this information interests many other people. In particular, it is necessary for lawyers who, with the help of this data, find people who distribute pirated content. Journalists often turn to WHOIS databases when they need to get information for an article, or they are investigating. And ICANN wasn’t told if they would all have the opportunity to get the necessary accreditation. For this reason (and some others ) in March, ICANN's proposals were rejected by the European Commission.
In April, ICANN representatives asked the regulator to postpone until next year in order to be able to finalize policies in line with the GDPR. However, the postponement was not granted, and the deadline remained the same - on May 25.
In this regard, on May 11, ICANN hastily published a temporary specification for working with WHOIS. And it is very similar to ICANN's previous work, but with additions.
New WHOIS Policy
The temporary specification states that registrars should continue to collect all data of domain owners: names, home addresses and phone numbers. However, to meet the requirements of the general data protection regulations, multilevel access to personal data will be provided. The right to request access to private data through registrars will be only for users with legitimate purposes.
At the same time, ICANN wants registrars to organize a system that would allow a third party to request all information from domain name holders directly via email. The new policy also describes a domain exchange mechanism between two registrars that uses WHOIS data. From now on, before conducting a similar operation, both parties must obtain an authorization form from the owner of the domain name.
ICANN recognizes that policy changes are temporary. And in 90 days it will be either extended or changed again.
/ Flickr / Leandro Martinez / CC
How the registrars responded
As early as March , registrars warned that by the time the GDPR entered into force (May 25) they would not have time to implement a number of new requirements put forward by ICANN. They even made a document with the approximate timing of the introduction of each new function. Estimated work will be completed no earlier than the end of 2019.
The most difficult to implement registrars recognized the mechanism for providing access to WHOIS data at the request of interested parties. All this is complicated by the fact that the mechanism of accreditation of organizations for such requests has not yet been implemented.
The largest registrars, among them GoDaddy and Tucows, sent a letter to ICANN. In it, they asked for a delay in the introduction of new policies for at least 6 months, since they largely contradict the changes that the registrars introduced to match the GDPR on their own.
At the same time, ICANN recently started suing the EPAG registrar. He just began to independently implement various initiatives to put in order the procedures for handling personal data of users. And he now refuses to collect contact information for domain name holders, since, in his opinion, this still violates the requirements of the GDPR. But this behavior is contrary to the contract between ICANN and EPAG.
The blame for the uncertainty the community places on ICANN. The final version of the GDPR was published 2 years ago, in May of 2016. However, the Domain Name Management Corporation began to actively deal with compliance issues only in October 2017. The impetus for this was the moment when two Internet registrars, in order to comply with the requirements of the European regulations, refused to use the WHOIS service.
Now ICANN is hoping to quickly implement a full-fledged and permanent solution that will close all the detected gaps. But what will come of it, the registrars cannot yet assume - they will have to wait out several months of uncertainty.
Some fresh materials from the corporate blog 1cloud:
Source: https://habr.com/ru/post/359358/
All Articles