ICANN Loses Yet Again In Its Quixotic Quest To Obtain A Special Exemption From The EU's GDPR
from the oh,-do-give-it-a-rest dept
Back in May, we wrote about the bizarre attempt by the Internet Corporation for Assigned Names and Numbers (ICANN) to exempt itself from the EU's new privacy legislation, the GDPR. ICANN sought an injunction to force EPAG, a Tucows-owned registrar based in Bonn, Germany, to collect administrative and technical contacts as part of the domain name registration process. EPAG had refused, because it felt doing so would fall foul of the GDPR. A German court turned down ICANN's request, but without addressing the question whether gathering that information would breach the GDPR.
As the organization's timeline of the case indicates, ICANN then appealed to the Higher Regional Court of Cologne, Germany, against the ruling. Meanwhile, the lower court that issued the original judgment decided to re-visit the case, which it has the option to do upon receipt of an appeal. However, it did not change its view, and referred the matter to the upper Court. The Appellate Court of Cologne has issued its judgment (pdf), with a comprehensive smackdown of ICANN, yet again (via The Register):
Regardless of the fact that already in view of the convincing remarks of the Regional Court in its orders of 29 May 2018 and 16 July 2018 the existence of a claim for a preliminary injunction (Verfügungsanspruch) is doubtful, at least with regard to the main application, the granting the sought interim injunction fails in any case because the Applicant has not sufficiently explained and made credible a reason for a preliminary injunction (Verfügungsgrund).
The Appellate Court pointed out that ICANN could hardly claim it would suffer "irreparable harm" if it were not granted an injunction forcing EPAG to gather the additional data. If necessary, ICANN could collect that information at a later date, without any serious consequences. ICANN's case was further undermined by the fact that gathering administrative and technical contacts in the past had always been on a voluntary basis, so not doing so could hardly cause great damage.
Once more, then, the question of whether collecting this extra personal information was forbidden under the GDPR was not addressed, since ICANN's argument was found wanting irrespective of that privacy issue. And because no interpretation of the GDPR was required for the case, the Appellate Court also ruled there were no grounds for referring the question to the EU's highest court, the Court of Justice of the European Union.
ICANN says that it is "considering its next steps", but it's hard to see what those might be, given the unanimous verdict of the courts. Maybe it's time for ICANN to comply with the EU law like everybody else, and for it to stop wasting money in its forlorn attempts to get EU courts to grant it a special exemption from the GDPR's rules.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
The First Word
“Not too hard to see
"ICANN says that it is "considering its next steps", but it's hard to see what those might be"Really? It's hard to figure out what options the global internet registration authority might have in this scenario?
Do you know what ICANN does?
Do you know what happens if they stop doing it?
I suspect if EU forces the issue they won't be pleased with the results. Having to go to American registrars for domain names and ASNs won't sit well with European organizations.
And what is the author's beef with accurate whois, and why is a Luddite writing for techdirt?
Subscribe: RSS
View by: Time | Thread
I'm an old fart, first domain from the late 80's, and the WHOIS database was required to be accurate. You wanted to know who was attacking your network, you looked up their contact info and gave them crap. They let the anon middlemen into the picture and that's when things started going to hell. Now, we're seeing the conclusion of that journey, nobody cares, or will deal with problems, and we're forbidden by law from knowing who to complain to?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
You also didn't have the web, among many other things. Times have changed greatly.
"You wanted to know who was attacking your network, you looked up their contact info and gave them crap."
Good for the days when the person listed was the person actually responsible for the domain and what was running on it. Today, you're just as likely to get some clueless person whose friend set the domain up on the cheap, has never updated and they've just been pwned by some 3 year old Wordpress vulnerability.
"we're forbidden by law from knowing who to complain to?"
Their hosting provider isn't anonymous, and a lot of the time they'll know more than the registrant anyway.
[ link to this | view in chronology ]
Re:
I assume you've heard of doxxing?
There are perfectly legitimate reasons why people might not want their real names and addresses attached to the things they say online.
[ link to this | view in chronology ]
Re:
I don't see how GDPR would prevent WHOIS from including a valid email address. It can't be the registrant's personal address, but can presumably forward to one.
What does "attacking your network" have to do with anything? It's a half-assed attack if you're getting valid reverse DNS; such a half-assed attacker is likely using a corporate ISP or hosting provider who's going to list an abuse contact in WHOIS for you.
[ link to this | view in chronology ]
Re:
I covered this topic at length with Nominet (.uk domain admin) 4 years ago.
They suddenly changed their WHOIS policy, saying they're now going to check all WHOIS details through government databases, and suspend all those who weren't accurate.
In short, they wanted to suddenly collect a bunch of data, and then use government databases to verify, and remove anyone that didn't adhere to those databases.
My domain (ktetch.co.uk) was under my working professional name (K`Tetch Dureek) which is perfectly legal under UK law (pseudonyms are perfectly legal for use if the aim is not to obscure or hide the identity of the person, and there's no such thing as a 'legal name' in the UK). I objected to the requirement, and then they decided that the content of my site was not 'personal' enough.
See, Nominet had free domain privacy for personal domains, but prohibited it for commercial ones. Commercial accounts according to them were any with any sort of commercial activity - including google ad banners, a link to my book on Amazon, or an email subscription signup) - or 'too many links to commercial sites', which would be any site as a business, including wikipedia, techdirt, Google, etc.
Their argument was just as yours was, that 'people need to know who they're doing business with'. Thing is, no-one's doing business with me on anything. They're doing it with other companies acting on my behalf, or they're not doing any business at all.
I appealed, got nothing, they made my address public, even while I was appealing to their director, and then to the ICO. I had to VERY quickly go out and get a PO box, and change the address.
Then the story hit the Guardian (https://www.theguardian.com/technology/2014/jun/11/nominet-new-rules-uk-domain-end-privacy), and Jimmy Wales started sending them angry tweets, and all of a sudden they decided my site was private, and NOT a commercial site.
Thing is, I've been targeted in the past. I've been doxxed by Jeremy Hammond and his supporters, and I've had a few Assange supporters threaten me now for exposing his... plot holes. Keeping my address private is important. I moved within a month, which is lucky because 5 months later some Anon's tried using WHOIS info to harass me (luckily, they were dumb, and went for ktech.co.uk and not ktetch.co.uk) but you could find that address cached at the time if you looked.
This isn't the world of 30 years ago. was was the 'domain' [heh] of a rarefied few then, is now normal for many, and the malicious uses for that info are now widespread.
[ link to this | view in chronology ]
Re: Re:
Indeed, "it worked fine 30 years ago" is a pretty poor defense of a design choice.
SMTP worked fine 30 years ago when you could put any damn e-mail address you felt like in the "From" header and there was no attempt to verify the sender was who they claimed to be. And look how well that design decision has worked out in the long term.
[ link to this | view in chronology ]
Re: Re:
Out of curiosity, why did you choose to include a character that's not used in any natural language (the backtick)? Some kind of typographic or programmer in-joke?
[ link to this | view in chronology ]
Re: Re: Re:
However, a lot of software (IRC servers, for instance) take K'Tetch and turn it into just K.
so it's become more normal to use ` as it's accepted as an actual characterrather than punctuation, and it's become habit to use it. I guess you could call it a typographic trick.
also, while I'm a robotic engineer, I'm FAR from a programmer, I've not coded in almost 20 years (since University) }}}:-{>
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Loss of accreditation
So Tucows subsidiary in the EU looses accreditation. If they can't, for whatever reason, collect accurate domains registration information inside the EU then domains shant be registered there.
[ link to this | view in chronology ]
Re: Loss of accreditation
ICANN has painted itself in a corner because they stalled (more than 10 years) adapting the WHOIS rules to EU privacy law. They get slapped by German judges now, I don't see why judges in other EU countries will act substantially differently.
If ICANN wants to make the hole they made for themselves deeper, they should continue digging.
[ link to this | view in chronology ]
Re: Re: Loss of accreditation
[ link to this | view in chronology ]
Re: Re: Re: Loss of accreditation
Executing a verdict on a foreign organization is harder, but there are sufficient options.
[ link to this | view in chronology ]
Not too hard to see
Really? It's hard to figure out what options the global internet registration authority might have in this scenario?
Do you know what ICANN does?
Do you know what happens if they stop doing it?
I suspect if EU forces the issue they won't be pleased with the results. Having to go to American registrars for domain names and ASNs won't sit well with European organizations.
And what is the author's beef with accurate whois, and why is a Luddite writing for techdirt?
[ link to this | view in chronology ]
Re: Not too hard to see
What ICANN has shown so far in effectiveness makes me think they would lose against a half-baked competitor.
[ link to this | view in chronology ]
Re: Re: Not too hard to see
Convincing people to use a new root server would be tough but not impossible, so DNS is not necessarily a blocker. But IP addresses and autonomous system numbers have to reliably be globally unique or things dramatically don't work.
[ link to this | view in chronology ]
Re: Re: Re: Not too hard to see
So long as there was a way to identify which DNS scheme is in use from its text form, the local (machine or local network) resolver can route the request to the correct servers for the scheme. The only critical bit is ensuring that Global IP addresses are unique, and that should not be a problem.
[ link to this | view in chronology ]
Solutions to anonymity...
On the one hand, our favorite journalist activist is not unreasonably afraid the gubmn't is gonna single her out for harm. She needs anonymity.
On the other hand, my iOT security dumpster fire is spamming body parts and cracking passwords, and it needs to be shut off. Someone needs to be able to get in touch or otherwise take action.
On the third hand, I'm just a content creator, and I barely understand hosting versus domain registration.
I argue that anonymity needs to be available, but it may have certain consequences.
[ link to this | view in chronology ]
Re: Solutions to anonymity...
3rd hand - this is basically the same as the first, although most don't realise it. there's all kinds of crazies out there that can take umbridge (or worse, infatuation) with someone.
the 2nd hand is completely different, as in not even relevant. I've an IoT fridge, it's spewing shit online. Well, it's using my home connection, rather than my personal domain. doesn't matter what is or isn't in my WHOIS, because the two are unrelated. The reverse lookup for my IP is of use, because that tells you my ISP, and MAYBE you can contact them with the info, and the ISP can forward it on to the customer, but it's nothing to do with domains, ICANN and WHOIS'.
[ link to this | view in chronology ]