
European regulators reject latest proposal by ICANN over its Whois data service - yulaow
https://www.theregister.co.uk/2018/07/06/europe_no_to_icann_whois/
======
lucb1e
The article speaks about "the critical Whois service". Can anyone tell me what
it's critical for? I can think of two reasons:

- abuse contact info
- registration date

(The latter is used in spam score calculations, I've heard.)

Neither of those is the registrant's private information. I don't understand
why we're pushing to have private data in a public directory in the first
place. (I never understood this, but being young, I first registered a domain
around 2008, long after it was common to ring Joe from USAF up because their
FTP was down.) The registrar has to store it for billing anyway, so if a
domain is used for something illegal, the police can get at the info anyway...

~~~
q3k
It's absolutely critical for network engineers.

Think figuring out who a given prefix belongs to, what routes are advertised
by an AS, what BGP communities does an AS honor, how to contact an
organization's NOC ...

(yes, whois is for more than just domain names)

~~~
lucb1e
I didn't know that this was part of WHOIS, I thought separate services such as
BGP looking glasses provided this. And other organizations (IANA and RIRs
iirc) hand out AS numbers and prefixes. But even if it were part of WHOIS,
then this is non-personal information which should be fine to list in a public
directory.

------
ggm
I work in a registry which has whois obligations over number resources and I
find this very troubling. I'm not going to say there is no right to privacy
here, but I suspect states inside the EU will be seeking high privileged
rights to information not in whois, come what may. So, this disempowers people
seeking redress from harm as outsiders but doesn't stop state actors or lawyers
or police.

Apart from my day job I have whois objects in DNS registries so I know there is
the other side of the coin. I see the bad stuff from choosing not to hide my
ID.

~~~
lucb1e
I'm fine with governments being the only ones who can view domain registration
details. Heck, I'd be fine with nobody having access, forget the whole whois
system: if the government needs to find who runs freemovies.example.net, they
can ask (or subpoena) whoever was paid to register it (i.e. the registrar).

As far as I understand, the WHOIS system was made in the 80s when it was
useful to be able to look and ring someone up. Literally everything was in
beta on the arpanet, and direct communication makes debugging a lot easier.
But it's 2018, and I do not want 4chan to be able to look up my home address
in that system. That creates more mayhem than it's worth by far.

Thinking about what use I ever had from the whois system, I guess it's only
abuse email addresses for IP addresses. And I hear that people make use of the
registration date of domains to calculate spam scores. Neither of those
require the registrant's private information to be in there.

~~~
ggm
Problem is, some domain and number holders have no incorporated body: they
hold the resource as a private individual. Hard to formulate consistent data
law around WHOIS when it's both people, and corporate entities.

I was in the WHOIS as was from SRI-NIC. I kept GM85 in my current nic-hdl for
resources as a memory of the days gone by: they even published a paper copy of
the listing.. the phone book of the internet, how .. quaint.

Yes, the protocol is designed for days gone by, but the GDPR laws apply to
RDAP, even though it has HTTPS and could in principle use OAuth or similar to
constrain what's shown to open access.

~~~
lucb1e
I don't understand the problem. You say the problem is that both individuals
and companies register domains, but why should the info of either be visible
in a public database?

~~~
ggm
So that people who are seeking redress can find who holds the resource. That's
what whois is mostly about: redress. I'm not trying to defend that against
people's rights to privacy; I'm observing there's a significant community of
interest in "who did that". If you don't believe that's necessary then you win
with GDPR. If you do, then the masking means you cannot know, but lawyers and
judges and police and governments can.

------
cJ0th
As a German this rather doesn't make any sense to me. ICANN is not allowed to
offer the whois service, but I have to publish my full address on my website
according to German law.

How can this be?

~~~
usr1106
> but I have to publish my full address on my website according to German law.

The E-mail address does not need to be your personal address, Lufthansa uses
impressum_de@lufthansa.com and I don't see a reason why this would not be
acceptable.

The postal address does not need to be your personal address, a business
address is fine. Well, if you are a 1 person business run from home I am not
sure. Go to court and have it tested up to the constitutional court, why
Carsten Spohr (CEO of Lufthansa) gets better data protection than you do.

Yes, your real name has to be on a business web site. That's obviously the
price to pay to run a business. As a potential customer wasting my money on
fake service or otherwise suffering from a breach of contract, I think this is
a good thing.

------
cesis
I love the fact that "whois privacy protection" has become a free service now
thanks to GDPR.

~~~
throwbacktictac
Nothing is truly free. You're paying for it in one way or another.

~~~
marticode
In this case the cost of the service is close to zero, so it's virtually free.
It was similar to phone operator charging for caller ID, an easy way to make a
quick buck by flipping a bit somewhere.

------
mirimir
> It should have been obvious that the legislation would also impact the Whois
> service, which requires anyone buying a domain name to provide their names,
> address and personal contact details – and then publishes it all on the
> internet for anyone to see.

Even using "whois privacy protection", I've always anonymized my contact
information. I've used a working email address, of course, so I can manage the
domain. But there's no reason to provide a physical address or telephone
number. I tend to use hostels and business hotels.

Also, while this will protect those registering or obtaining domains going
forward, historical data is widely available.

~~~
jlgaddis
> _But there's no reason to provide a physical address or telephone number. I
> tend to use hostels and business hotels._

Except for that ICANN rule that if your information is incorrect, your domain
name can go bye-bye at any time.

~~~
mirimir
True. But I've never had that happen. And that's why I've used valid addresses
and numbers. You mainly need to pass validity checks.

And for critical domains, you can just hire trusted third parties to manage
them. There are law firms that specialize in stuff like that.

~~~
imron
> But I've never had that happen.

Well, I guess that means it will never happen in the future either then.

------
j16sdiz
My inner self is kind of in the 'watch the world burn' mode.

Given ICANN is a US based company, I believe they can terminate the contract
with all European registries for being unable to fulfill the terms in the contract.

------
blattimwind
Rightly so.

------
drtillberg
It seems to me that ICANN came up with a plausible interpretation and the
pushback from the regulator should be a wake-up call to those who naively
claimed GDPR was reasonable and no big deal.

I think it makes a lot of sense for a domain registrar to keep basic
information in the long-term, about who registered what. I find it odd that
this has become a point of contention.

~~~
galadran
Did you read the letter [1] that was linked in the article? It is much less
hyperbolic than the article makes out.

Paraphrased:

Yes, of course you can keep registration data for your own legitimate usage.
Contact information for the lifetime of the domain is fine.

Storing it for 2 years after expiry is not necessarily problematic, but you
need to document why you legitimately need it.

You can't make private contact information public without consent.

However, you can disclose it to 3rd parties who make a legitimate request, but
you should record the request.

[1] https://regmedia.co.uk/2018/07/05/edpb-icann-whois.pdf

~~~
drtillberg
It also sets up peculiar legal fictions, i.e., it is ok to keep contact info
for 'legal' persons, but not 'natural' persons and if the 'legal' contact info
hints indirectly about a 'natural' person, that's a violation, unless, I'm
sure a series of other conditions and legal fictions are satisfied. The 8
pages are dense with impenetrable legalese, and the message essentially is
that ICANN is not allowed under GDPR to fulfill its mission of publishing the
identities of website owners to the public. That is not a reasonable position,
from a US perspective. Why is only a government inquirer allowed to know such
things automatically, why must my request as a member of the public be logged
for ICANN to fulfill it? Is that actually beneficial to 'privacy' or a
derivative GDPR minefield?

GDPR is a negative development for openness, transparency and
interconnectivity.

~~~
galadran
I can explain it simply to you. Only the personal data of flesh and blood
human beings is protected. So contact info is protected if it is the direct
email of a human being. If it's a huge faceless corporation and the email is
just "legal@.." it is not protected. Savvy?

Well, it's certainly beneficial for privacy. There are very few social media
sites in the world where publishing other people's contact details without
their permission is allowed. It's banned here. It's banned on Reddit. And a ton
of other sites. There is really very little difference.

How would you feel if all HN submitters had to list a personal phone number?
Why is running a website any different?

