2018-08-26

News Review: ICANN & GDPR, 'WHOIS Is Mostly DEAD' Says Paul Vixie

graphic "News Review" ©2016 DomainMondo.com
Domain Mondo's weekly internet domain news review (NR 2018-08-26) with analysis and opinion: Features • 1) ICANN & GDPR EPDP Meetings this week, 'WHOIS Is Mostly DEAD' Says Dr. Paul Vixie2) a. KSK Rollover, What to Expect, b.New gTLD .AFRICA, c. Public Comment at ICANN,  3) Names, Domains & Trademarks: a. France.com, b.China, c. Transfers, 4) ICYMI, 5) Most Read.

1) ICANN & GDPR EPDP Meetings this week, 'WHOIS Is Mostly DEAD' Says Dr. Paul Vixie
ICANN EPDP Team Meetings* this week: Tuesday Aug 28, and Thursday Aug 30, 13:00 UTC, 9am EDT. Non-members of the EPDP Team can follow the EPDP meetings via Adobe Connect: https://participate.icann.org/gnso-epdp-observers, or audio cast via browser or application (e.g., iTunes).

*Each EPDP meeting's links to documents, transcripts, MP3 audio and Adobe Connect recording, will be posted here, as made available by ICANN (links to EPDP meetings' transcripts are usually posted on the GNSO calendar within 24 hours). See also EPDP Team wikimail listTemp SpecEPDP Charter (pdf), and AC/SOs responses to request for early input.

UPDATES 29-30 Aug:
a. Editor's note: the core questions completely missing thus far in the EPDP: Specifically, WHAT registrant data does ICANN need registrars to collect from registrants, and WHY? My answer  (which I have given before): NAME of the legal entity or person registering the domain name (i.e., the "registrant"); ADDRESS of the registrant (for contacting registrant concerning the domain name); EMAIL address for contacting the registrant concerning the domain name; PHONE number for contacting the registrant concerning the domain name. Anything more (for ICANN's purposes), is redundant, unnecessary, violative of the GDPR, including data minimization requirements (see ICANN vs EPAG), and in the case of fax numbers, an even more serious cybersecurity risk. The registrar may collect billing and other data in compliance with the GDPR, but that is none of ICANN's business, and should be beyond the scope of the EPDP, Temp Spec and policy. Frankly, the faster the EPDP can reach consensus on the above, the faster they can begin addressing access & accreditation issues.

b. Special interests push U.S. Congress to override ICANN’s WHOIS policy process--internetgovernance.org 29 Aug 2018--copy of the draft legislation (pdf) embed in full below:

c. EPDP Meeting #9 (Agenda in slides embed below), Thursday, 30 August 2018, 13:00 UTC, 9am EDT:

Notes:

UPDATES 28 Aug 2018: 
Slides of Aug 28 EPDP Meeting #8 (includes Agenda and "Project Plan"):

Note: input received on Triage Report and  section category allocation (pdf). Aug 28 chat transcript:

UPDATE from the EPDP mail list 27 Aug 2018:
"... The basic task of ePDP is to ratify or modify the temp spec. Here is the relevant statement from the charter:
"This EPDP Team is being chartered to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law." 
"Regarding access, the charter says, 'Work on this topic shall begin once the gating questions above have been answered and finalized in preparation for the Temporary Specification initial report'
"So: 1) temp spec first; 2) "other relevant privacy and data protection law" is applicable, not just GDPR; 3) we deal with access to redacted Whois data after we have resolved the status of the temp spec."--Professor Milton Mueller (NCSG)

Editor's note: For info and updates on last week's meetings, go to last week's News Review, here's a peek:
EPDP Dysfunction: EPDP Chair Unilateral Rule Change (text graphic)
Little of substance has been accomplished thus far, as the EPDP Team has essentially wasted the month of August preparing a "Triage Report" for the GNSO Council that could have been completed in the first week with a simple survey, or even better, eliminated from the Charter altogether. EPDP Team Chair Kurt Pritz continues with his long, rambling monologues, mostly ignoring suggestions and comments from the more functional, and definitely brighter, EPDP team members. A face-to-face EPDP meeting has been scheduled for September 24-26 in Los Angeles, but at this rate, it's looking increasingly doubtful whether much will get done.

I've yet to see a cogent work plan that first addresses the fundamental questions which ICANN org glossed over or failed to grapple with BEFORE slapping together the Temporary Specification in a rush due to the incompetent ICANN management team wasting 2 years and failing to properly prepare for the GDPR, which became enforceable May 25, 2018 (ICANN management, as late as April, 2018, were laboring under a delusional fantasy that ICANN and its contracted parties would be granted a moratorium from GDPR enforcement.)

The EU GDPR was adopted on 27 April 2016 and published in the EU Official Journal on 4 May 2016. ICANN has had an office in Brussels for more than 10 years (pdf) and European Data Protection authorities have been warning ICANN about its public WHOIS data since 2003, and yet, neither ICANN nor the U.S. government's NTIA warned the "global multistakeholder community" about the ramifications of GDPR for ICANN and its public WHOIS directory, before the IANA transition was completed October 1, 2016. Neither the dysfunctional "ICANN Community" nor their expensive law firms, which received $15 million in legal fees preparing for the IANA transition, ever mentioned the GDPR as a "risk factor" or otherwise.
ICANN's GDPR Train Wreck (graphic) ©2018 DomainMondo.com
Definition: "train wreck" (noun) a chaotic or disastrous situation that holds a peculiar fascination for observers.
Dr. Paul Vixie of FarSightSecurity.com on the Uncertain Fate of WHOIS, & Other Matters of Internet Accountability at Black Hat 2018 USA, "WHOIS is mostly DEAD" (video below): Dr. Paul Vixie discusses the uncertain fate of WHOIS in the age of GDPR, the risks of domain name homographs, and other underpinnings of the internet that are hard to trust and harder to fix. Video provided by, and also available at darkreading.com if the above does not play in your browser, recorded at Black Hat 2018 USA.

Note also:
  • ICANN Board reaffirmed Temporary Specification for an additional 90-day period on Aug 21.
  • ICYMI: ICANN's ePDP - An Insider's Perspective | circleid.com"... There really is no clear path forward if this group is unable to produce a final report with specific policy to replace the temporary specification when it expires in May of 2019. If that were to happen, it's not a stretch to think it would call into question the overall ability of ICANN (and the community) to manage the global DNS ..."--EPDP Team member Matt Serlin.

2) Other ICANN News
graphic "ICANN | Internet Corporation for Assigned Names and Numbers"
a. Internet Root KSK Rollover 11 October 2018, What To Expect
 What to Expect During the Root SKS Rollover
 What to Expect During the Root SKS Rollover (pdf)
"... the user will start seeing failure sometime in the 48 hours after the rollover. Users will see different symptoms of failure depending on what program they are running and how that program reacts to failed DNS lookups. In browsers, it is likely that a web page will become unavailable ... In email programs, the user might not be able to get new mail, or parts of message bodies may show errors. The failures will cascade until no program is able to show new information from the Internet. Note that the term “users” here does not just indicate humans. Automated systems that are also using unprepared resolvers for their DNS resolution will start to fail, possibly catastrophically."--What To Expect During the Root KSK Rollover, supra, p. 5, (emphasis added).
Root KSK Rollover--SSAC: Let's 'Roll the Dice' on Crashing the Internet!--SAC102SSAC Comment on the Updated Plan for Continuing the Root KSK Rollover English [PDF] excerpt from the dissenters*:
"The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc. While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties. We would like to reiterate that we understand our colleagues' position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision ..."--SAC102 Dissent, p.4
*Dissenters:
  • Danny McPherson (Chief Security Officer for Verisign); 
  • Warren Kumari (Senior Network Engineer/Senior Network Security Engineer with Google);
  • KC Claffy (founder and director of the Center for Applied Internet Data Analysis (CAIDA), based at the University of California's San Diego Supercomputer Center, and Adjunct Professor in the Computer Science and Engineering Department at UCSD); 
  • Jay Daley (techobscura.com, interim President & CEO PIR.org );
  • Lyman Chapin (co-founder and partner at Interisle Consulting Group).

b. DotConnectAfrica Trust v. ICANN (Trial Court Proceeding) 1 August 2018 
Court Order: Trial date vacated; Status Conference scheduled for 25 September 2018. 

c. ICANN Public Comment Periods closing in September (on each date indicated at 23:59 UTC) subject to change by ICANN:

d. ICANN Global Domains Division (GDD) General Operations Handbook for Registrars 21 Aug 2018: registrar-handbook-21aug18-en.pdf [421 KB], and Registrar Billing Frequently Asked Questions (FAQ) 21 Aug 2018 registrar-billing-faq-21aug18-en.pdf [323 KB].

3) Names, Domains & Trademarks
graphic "Names, Domains & Trademarks" ©2017 DomainMondo.com
a. France.com: Miami Man Sues France For Seizing His Domain Name--Marketplace.org podcast (MP3) also available here. Includes commentary by University of Miami Law Professor Michael Froomkin.

b. China's first internet court handles over 10,000 cases | xinhuanet.com: mainly civil cases such as contract disputes involving online shopping, service and small loans, copyright and infringement lawsuits, domain name disputes, internet defamation, and some administrative lawsuits.

c. Post GDPR gTLD Domain Name Transfers--realtimeregister.com.

4) ICYMI Internet Domain News 
graphic "ICYMI Internet Domain News" ©2017 DomainMondo.com
a. US: 
  • Congress should consider small-business exception to internet sales tax--TheHill.com.

b. China: 
  • From laboratory in far west, China's surveillance state spreads quietly--reuters.com.
  • Google is welcome to return to Chinabut only if it complies with the censorship regime enforced by the government of China’s internet regulator, according to a report in Chinese state media (the People's Daily)--Newsweek.com.

c. Russian hackers targeted U.S. conservative think-tanks, says Microsoft--reuters.com.

d. AI: New genre of artificial intelligence programs take computer hacking to another level | trust.org.

e. India: India Steps Towards Internet Freedom: DoT Bars ISPs From Blocking Internet Content | inc42.com.

5) The Most Read Post this past week on DomainMondo.com: 
graphic "Domain Mondo" ©2017 DomainMondo.com

-- John Poole, Editor, Domain Mondo 

feedback & comments via twitter @DomainMondo


DISCLAIMER

Domain Mondo posts: