2018-05-27

News Review | GDPR Effect: ICANN Sues German Domain Name Registrar

Domain Mondo's weekly internet domain news review (NR 2018-05-27) with analysis and opinion. Features: 1) GDPR Effect: ICANN Sues German Domain Name Registrar, 2) EU GDPR & ICANN WHOIS, What's Next for ICANN? 3) ICANN news: At-Large Review, GNSO, FY19 Budget, June Public Comments, 4) Names, Domains & Trademarks, 5) ICYMI, 6) Most Read Posts.

UPDATE June 22, 2018: ICANN announced on June 22, 2018 (UTC):
"On 13 June 2018, ICANN appealed the Regional Court's initial decision to reject ICANN's application for an injunction, in which ICANN sought a court order requiring EPAG to reinstate collection of administrative and technical contact data for new domain name registrations. Upon receipt of an appeal, the Regional Court has the option to re-evaluate its decision that is being appealed, or affirm its decision and immediately forward the matter to the Higher Regional Court for consideration of the appeal. In this instance, the Regional Court has decided to revisit its initial decision and has asked EPAG to comment (pdf) on ICANN's appellate papers within two weeks." (links and emphasis added)
UPDATE May 30, 2018: German Court Rejects ICANN Request for Injunction
Court Order on Application for Preliminary Injunction (German) [PDF, 2.82 MB] Unofficial English Translation provided by ICANN embedded below:

As disclosed by ICANN, in rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. The Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems). The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
"While ICANN appreciates the prompt attention the Court paid to this matter, the Court's ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings. ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services."--John Jeffrey, ICANN's General Counsel and Secretary.
UPDATES 29 May 2018: the blowback-- 
a. Tucows (tucows.com), parent company of EPAG, the German Registrar sued by ICANN (see below) on Friday, has responded to ICANN in a statement on its website--Tucows Statement on ICANN Legal Action | Tucows Inc. | tucows.com--excerpt: "... We realized that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts. ICANN’s goal since discussions about the impact of the GDPR on domain registration began has been to preserve as much of the status quo as possible. This has led ICANN to attempt to achieve GDPR-compliant domain registration via ‘process reduction’, as opposed to Tucows’ approach of starting with the GDPR and rebuilding from the ground up. These two approaches have led to significantly different results, and consequently a need to determine whether ICANN’s insistence on the collection of the full thick Whois data and this data’s transfer to gTLD Registries is in compliance with the GDPR. It is this disagreement and need for legal clarity that is at the heart of the lawsuit filed by ICANN ... we perceive three core issues with the [ICANN org / ICANN Board] Temporary Specification that we do not believe are compliant with the GDPR. These issues are the collection, transfer, and public display of the personal information of domain registrants and the other contractually-mandated contacts ... ICANN will need to prove that the minor, marginally incremental benefit of collecting, processing and transferring Admin and Tech contact data at the request of third parties outweighs the principles of data minimization and lawful processing enshrined in the GDPR. 
We find the argument that duplicative technical contacts are necessary for the security and stability of the DNS implausible. We were not convinced this was the case when we first examined the law, and we remain unconvinced following the release ICANN’s Temporary Specification ..."

b.  The Injunction: ICANN's lame attempt to turn DNS into a Trademark Registry | InternetGovernance.org: "... A narrow definition of ICANN’s mission, which involves coordinating and maintaining the stability of the domain name system, makes it clear that the Tech-C and Admin-C  information are not really necessary to that purpose ... Despite [ICANN CEO] Goran Marby’s friendly posturing of “consulting” with various groups, ICANN clearly isn’t listening to them and has unilaterally determined what its position will be ... With this filing, ICANN the organization has thrown off its mask of bottom up multistakeholder policy development regarding Whois, it has staked out a position that serves the interests of a few stakeholders. It has shown that it will fight hard and spend a lot of money to support those interests. It has also shown a willful disregard for the limited nature of its mission. The good news here, however, is that legal certainty regarding the application of GDPR to Whois may be on the way soon."--Professor Milton Mueller (emphasis added) [Editor's note: Professor Mueller has been an active participating stakeholder in ICANN since its founding in 1998, has written numerous oft-cited articles and books about ICANN and related matters, and would be an excellent 'expert witness' for EPAG in the German proceeding.]

c. Domain Names Registrar Namecheap (namecheap.com) announced today Free WHOIS Privacy forever:

Editor's note: Score (as of 29 May 2018):
ICANN: 0  vs. EPAG (Tucows) & EU (GDPR): 3

Original Post:
1) GDPR Effect: ICANN Sues German Domain Name Registrar
ICANN Files Legal Action in Germany to Preserve WHOIS Data | ICANN.org 25 May 2018: "The Internet Corporation for Assigned Names and Numbers (ICANN) today filed injunction proceedings against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. ICANN has taken this step to ask the court for assistance in interpreting the European Union's General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS. ICANN's "one-sided filing" in Bonn, Germany, seeks a court ruling to ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR. EPAG recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules ...." (emphasis added)

ICANN v. EPAG Domainservices, GmbH | ICANN.org: lawsuit in the Regional Court of Bonn [Germany] [*NOTE: Personal identifiable information has been redacted by ICANN] ICANN’s Motion for the Issuance of a Preliminary Injunction 25 May 2018 (in German) [PDF, 1.76 MB].  (excerpt from p. 4 of 25, unofficial English translation, full embed further below):
"The technical contact and the administrative contact have important functions. Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content. Therefore, GDPR provisions do not prevent the Defendant from collecting these data elements. If the Defendant does not collect the requisite technical contact or administrative contact information among other things, the secure operation of the domain name system and other legitimate uses of the data, such as law enforcement trying to locate bad actors that use the domain name system for criminal activity, will be in jeopardy. Accordingly, the Applicant has attempted to convince the Defendant that it is still obligated under its contract with the Applicant to collect the administrative and technical contact information as part of the registration data it collects at registration. The parties were not able to solve this issue out of court. Therefore, the Applicant kindly asks the court to order the Defendant by way of preliminary ruling, not to sell respective new domain name registrations without collecting such data."
English Translation of Motion for Issuance of Preliminary Injunction (Unofficial; provided for information purpose only) [PDF, 937 KB] embed below:

Appendix AS-8: Affidavit of John Jeffrey in support of ICANN’s Motion for Preliminary Injunction [PDF, 79 KB] embed below:

Related:
•  Temporary Specification for gTLD Registration Data | ICANN.org: effective as of 25 May 2018; Adopted on 17 May 2018 by ICANN Board Resolutions 2018.05.17.01 – 2018.05.17.09. Temporary Spec PDF here [735 KB].

• 25 May 2018 Letter to Graeme Bunton from Jamie Hedlund, ICANN SVP Contractual Compliance and Consumer Safeguards. ICANN response to Registrars request for Compliance Moratorium for Temporary Specification Implementation--excerpt from letter:
"As you know, on 17 May 2018, ICANN posted an announcement regarding the Board’s adoption of the Temporary Specification for gTLD Registration Data. The Temporary Specification, effective 25 May 2018, modifies contractual obligations in ICANN's agreements with registries and registrars in order to comply with Europe's General Data Protection Regulation [GDPR]. It does not include a compliance moratorium since ICANN must also comply with the law. ICANN Contractual Compliance will enforce the Temporary Specification from the effective date and address any areas of non-compliance with the contracted parties per the established process."
• 23 May 2018 Letter from ICANN CEO Göran Marby to Roberto Viola, Paraskevi Michou, and Tiina Astola (pdf) re: ICANN Proposed Temporary Specification for gTLD Registration Data, excerpt:

•  For further background see last week's News Review | ICANN's GDPR Train Wreck 25 May 2018 & Beyond.

Editor's note--Bottom Line: EU law (GDPR) trumps ICANN bylaws and ICANN's contracts with its gTLD Registry Operators and accredited Registrars. ICANN believes its interpretation of the GDPR and its application to the collection, processing, and publishing of WHOIS data is correct, but ultimately, EU DPAs (data protection authorities) and European Courts will decide, not ICANN. My own opinion is that current WHOIS policy collects much more data than is necessary or appropriate. The relevant questions are: 1) Who is the legal registrant (or representative of the registrant) of a domain name, and 2) how can that person be contacted? Registrants should be able to choose to list their name, address, and email and phone data (fax is an anachronism), or appoint an agent ("Registrant's Agent" which could include an accredited WHOIS privacy provider) for public WHOIS purposes. As a default, and to comply with the GDPR, if the registrant fails to choose one of the above methods for the Public WHOIS, the domain name's registrar of record should be listed as registrant's agent since most domain disputes (e.g., UDRP and URS) are essentially in rem or quasi in rem actions. It really should be that simple, but I am afraid ICANN is "lost in La-La Land."

2) EU GDPR & ICANN WHOIS, What's Next for ICANN? EPDP (Expedited Policy Development Process): 25 May 2018 Letter from ICANN Board Chair Cherine Chalaby to GNSO Chair Heather Forrest (highlighting added):


Chat transcript below from above presentation webinar:

Webinar Transcript (pdf) from above GNSO council webinar, excerpts:
  • "Keith’s (Keith Drazek) made a good point in the chat, his understanding is that a PDP triggered by the Board’s initiation of a temporary policy can confirm, amend or replace the temporary policy of specification." (p. 9)
  • Michele Neylon (pp 15-16): "... if you look at the history of Whois related activities over the last, I don't know how many years, pretty much everything has failed in one shape or another. This time around there really is no room for failure. The other point as well, I put that in the chat, is that I had asked during the GDD Summit last week in Vancouver and it needs to be asked again, is that we do need to see some kind of list of the policies and contractual clauses that are impacted by this temporary spec, because this EPDP will need to address those things specifically."
  • Stephanie Perrin (p.37): "I think it would be worthwhile even though we have very little time if the RDS Working Group more or less formerly - formally assessed how it failed ..."
UPDATE re: RDS Working Group a/k/a Next-Generation gTLD Registration Directory Services to Replace Whois see Wiki and WG email archive - RDS WG Chair resigns and recent excerpts below:

3) Other ICANN news
a. 22 May 2018 Letter from Farzaneh Badiei to Cherine Chalaby [Published 22 May 2018] Chair | Non-Commercial Stakeholders Group Statement of concern for At-Large Review Implementation Overview Proposal (embed below), [Editor's note: At-Large, another aspect of the dysfunctional "ICANN community"]:

See also Contracted Party House (CPH) (Registrars & Registry Operators) Statement of concern for At-Large Review Implementation Overview Proposal bunton-to-chalaby-07may18-en.pdf [59.5 KB].

b. ICANN's Dysfunctional GNSO Wants To Be Functional? This Is No Joke: GNSO Policy Development Process 3.0: How to increase the effectiveness and efficiency of the GNSO Policy Development Process (pdf) embed below:

See also GNSO Active Projects List May 16, 2018 (pdf)

c. Final Proposed ICANN FY19 Operating Plan and Budget | ICANN.org: "... and submitted it to the ICANN Board for consideration at the meeting on 30 May 2018 ..." (more info at link above)

d. ICANN Public Comment Periods Closing in June 2018 at 23:59 UTC on each date indicated below [close dates subject to arbitrary changes (extensions) by ICANN at any time]:

4) Names, Domains & Trademarks
a. Domains: GoDaddy Inc. (NYSE: GDDY) Announces Proposed Sale of Shares of Common Stock by Selling Stockholders | godaddy.net May 20, 2018: "... an underwritten public offering of 11,625,000 shares of its Class A common stock by certain of its stockholders pursuant to an effective Registration Statement on Form S-3 previously filed with the Securities and Exchange Commission.  GoDaddy will not receive any proceeds from the sale of the shares in this offering.  Citigroup and UBS Investment Bank are acting as bookrunners for this offering ... Selling stockholders participating in the offering consist of entities affiliated with Kohlberg Kravis Roberts & Co. L.P., Silver Lake Partners and YAM Special Holdings, Inc., an entity owned by GoDaddy founder, Bob Parsons. Additionally, GoDaddy's chief executive officer is offering 125,000 shares of GoDaddy's Class A common stock in the offering ..." (more info at link above)
b.  Infringement: The Real Pirate Bay "operates from an .org domain name, which happens to be managed by the US-based Public Interest Registry (PIR) ..."--TorrentFreak.com.

c. FBI seizes domain behind VPNFilter botnet | scmagazine.com: "evidence exists showing the domain toknowall.com was to be used as part of an attack."

5) ICYMI Internet Domain News 
a. UK To Tackle 'Wild West' Internet--the UK government will publish a policy 'white paper' later this year setting out proposals for future legislation, aiming to enact new laws “in the next couple of years” said digital minister Matt Hancock May 20, 2018.

b. US Net Neutrality Is Just a Gateway to the Real Issue: Internet Freedom | WIRED.com May 18, 2018.

c.  The Path to Victory on Net Neutrality in the House of Representatives and How You Can Help | Electronic Frontier Foundation | EFF.org May 18, 2018.

d. IGF 2018 Call for Workshop Proposals | Internet Governance Forum | intgovforum.org: The deadline for workshop submissions is 27 May 2018, 23:59 UTC. The final selection of workshops will take place during the IGF 2018 Second Open Consultations and MAG Meeting, scheduled on 11-13 July 2018 in Geneva, Switzerland.

e. EU & GDPR:

6) Most read posts this past week on DomainMondo.com: 


-- John Poole, Editor, Domain Mondo 
