Domain Mondo's weekly internet domain news review (NR 2018-08-26) with analysis and opinion: Features • 1) ICANN & GDPR EPDP Meetings this week, 'WHOIS Is Mostly DEAD' Says Dr. Paul Vixie, 2) a. KSK Rollover, What to Expect, b. New gTLD .AFRICA, c. Public Comment at ICANN, 3) Names, Domains & Trademarks: a. France.com, b. China, c. Transfers, 4) ICYMI, 5) Most Read.
1) ICANN & GDPR EPDP Meetings this week, 'WHOIS Is Mostly DEAD' Says Dr. Paul Vixie
ICANN EPDP Team Meetings* this week: Tuesday Aug 28, and Thursday Aug 30, 13:00 UTC, 9am EDT. Non-members of the EPDP Team can follow the EPDP meetings via Adobe Connect: https://participate.icann.org/gnso-epdp-observers, or audio cast via browser or application (e.g., iTunes).
*Each EPDP meeting's links to documents, transcripts, MP3 audio and Adobe Connect recording will be posted here, as made available by ICANN (links to EPDP meetings' transcripts are usually posted on the GNSO calendar within 24 hours). See also EPDP Team wiki, mail list, Temp Spec, EPDP Charter (pdf), and AC/SOs responses to request for early input.
UPDATES 29-30 Aug:
a. Editor's note: the core questions completely missing thus far in the EPDP: Specifically, WHAT registrant data does ICANN need registrars to collect from registrants, and WHY? My answer (which I have given before):
- NAME of the legal entity or person registering the domain name (i.e., the "registrant");
- ADDRESS of the registrant (for contacting registrant concerning the domain name);
- EMAIL address for contacting the registrant concerning the domain name;
- PHONE number for contacting the registrant concerning the domain name.
Anything more (for ICANN's purposes), is redundant, unnecessary, violative of the GDPR, including data minimization requirements (see ICANN vs EPAG), and in the case of fax numbers, an even more serious cybersecurity risk. The registrar may collect billing and other data in compliance with the GDPR, but that is none of ICANN's business, and should be beyond the scope of the EPDP, Temp Spec and policy.
Frankly, the faster the EPDP can reach consensus on the above, the faster they can begin addressing access & accreditation issues.
b. Special interests push U.S. Congress to override ICANN’s WHOIS policy process--internetgovernance.org 29 Aug 2018--copy of the draft legislation (pdf) embedded in full below:
c. EPDP Meeting #9 (Agenda in slides embedded below), Thursday, 30 August 2018, 13:00 UTC, 9am EDT:
UPDATES 28 Aug 2018:
Slides of Aug 28 EPDP Meeting #8 (includes Agenda and "Project Plan"):
Note: input received on Triage Report and section category allocation (pdf).
Aug 28 chat transcript:
UPDATE from the EPDP mail list 27 Aug 2018:
"... The basic task of ePDP is to ratify or modify the temp spec. Here is the relevant statement from the charter:
"This EPDP Team is being chartered to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law."
"Regarding access, the charter says, 'Work on this topic shall begin once the gating questions above have been answered and finalized in preparation for the Temporary Specification initial report'
"So: 1) temp spec first; 2) "other relevant privacy and data protection law" is applicable, not just GDPR; 3) we deal with access to redacted Whois data after we have resolved the status of the temp spec."--Professor Milton Mueller (NCSG)
Editor's note: For info and updates on last week's meetings, go to last week's News Review, here's a peek:
Little of substance has been accomplished thus far, as the EPDP Team has essentially wasted the month of August preparing a "Triage Report" for the GNSO Council that could have been completed in the first week with a simple survey, or even better, eliminated from the Charter altogether. EPDP Team Chair Kurt Pritz continues with his long, rambling monologues, mostly ignoring suggestions and comments from the more functional, and definitely brighter, EPDP team members. A face-to-face EPDP meeting has been scheduled for September 24-26 in Los Angeles, but at this rate, it's looking increasingly doubtful whether much will get done.
I've yet to see a cogent work plan that first addresses the fundamental questions which ICANN org glossed over or failed to grapple with BEFORE slapping together the Temporary Specification in a rush due to the incompetent ICANN management team wasting 2 years and failing to properly prepare for the GDPR, which became enforceable May 25, 2018 (ICANN management, as late as April, 2018, were laboring under a delusional fantasy that ICANN and its contracted parties would be granted a moratorium from GDPR enforcement.)
The EU GDPR was adopted on 27 April 2016 and published in the EU Official Journal on 4 May 2016. ICANN has had an office in Brussels for more than 10 years (pdf) and European Data Protection authorities have been warning ICANN about its public WHOIS data since 2003, and yet, neither ICANN nor the U.S. government's NTIA warned the "global multistakeholder community" about the ramifications of GDPR for ICANN and its public WHOIS directory, before the IANA transition was completed October 1, 2016. Neither the dysfunctional "ICANN Community" nor their expensive law firms, which received $15 million in legal fees preparing for the IANA transition, ever mentioned the GDPR as a "risk factor" or otherwise.
Definition: "train wreck" (noun) a chaotic or disastrous situation that holds a peculiar fascination for observers.
Dr. Paul Vixie of FarSightSecurity.com on the Uncertain Fate of WHOIS, & Other Matters of Internet Accountability at Black Hat 2018 USA, "WHOIS is mostly DEAD" (video below):
Dr. Paul Vixie discusses the uncertain fate of WHOIS in the age of GDPR, the risks of domain name homographs, and other underpinnings of the internet that are hard to trust and harder to fix. Video provided by, and also available at darkreading.com if the above does not play in your browser, recorded at Black Hat 2018 USA.
Note also:
- ICANN Board reaffirmed Temporary Specification for an additional 90-day period on Aug 21.
- ICYMI: ICANN's ePDP - An Insider's Perspective | circleid.com: "... There really is no clear path forward if this group is unable to produce a final report with specific policy to replace the temporary specification when it expires in May of 2019. If that were to happen, it's not a stretch to think it would call into question the overall ability of ICANN (and the community) to manage the global DNS ..."--EPDP Team member Matt Serlin.
2) Other ICANN News
a. Internet Root KSK Rollover 11 October 2018, What To Expect
"... the user will start seeing failure sometime in the 48 hours after the rollover. Users will see different symptoms of failure depending on what program they are running and how that program reacts to failed DNS lookups. In browsers, it is likely that a web page will become unavailable ... In email programs, the user might not be able to get new mail, or parts of message bodies may show errors. The failures will cascade until no program is able to show new information from the Internet. Note that the term “users” here does not just indicate humans. Automated systems that are also using unprepared resolvers for their DNS resolution will start to fail, possibly catastrophically."--What To Expect During the Root KSK Rollover, supra, p. 5, (emphasis added).
Root KSK Rollover--SSAC: Let's 'Roll the Dice' on Crashing the Internet!--SAC102: SSAC Comment on the Updated Plan for Continuing the Root KSK Rollover, English [PDF], excerpt from the dissenters*:
"The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc. While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties. We would like to reiterate that we understand our colleagues' position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision ..."--SAC102 Dissent, p.4
*Dissenters:
- Danny McPherson (Chief Security Officer for Verisign);
- Warren Kumari (Senior Network Engineer/Senior Network Security Engineer with Google);
- KC Claffy (founder and director of the Center for Applied Internet Data Analysis (CAIDA), based at the University of California's San Diego Supercomputer Center, and Adjunct Professor in the Computer Science and Engineering Department at UCSD);
- Jay Daley (techobscura.com, interim President & CEO PIR.org);
- Lyman Chapin (co-founder and partner at Interisle Consulting Group).
b. DotConnectAfrica Trust v. ICANN (Trial Court Proceeding) 1 August 2018
Court Order: Trial date vacated; Status Conference scheduled for 25 September 2018.
c. ICANN Public Comment Periods closing in September (on each date indicated at 23:59 UTC) subject to change by ICANN:
d. ICANN Global Domains Division (GDD) General Operations Handbook for Registrars 21 Aug 2018: registrar-handbook-21aug18-en.pdf [421 KB], and Registrar Billing Frequently Asked Questions (FAQ) 21 Aug 2018: registrar-billing-faq-21aug18-en.pdf [323 KB].
3) Names, Domains & Trademarks
a. France.com: Miami Man Sues France For Seizing His Domain Name--Marketplace.org podcast (MP3) also available here. Includes commentary by University of Miami Law Professor Michael Froomkin.
b. China's first internet court handles over 10,000 cases | xinhuanet.com: mainly civil cases such as contract disputes involving online shopping, service and small loans, copyright and infringement lawsuits, domain name disputes, internet defamation, and some administrative lawsuits.
c. Post GDPR gTLD Domain Name Transfers--realtimeregister.com.
4) ICYMI Internet Domain News
a. US:
- Congress should consider small-business exception to internet sales tax--TheHill.com.
b. China:
- From laboratory in far west, China's surveillance state spreads quietly--reuters.com.
- Google is welcome to return to China—but only if it complies with the censorship regime enforced by the government of China’s internet regulator, according to a report in Chinese state media (the People's Daily)--Newsweek.com.
c. Russian hackers targeted U.S. conservative think-tanks, says Microsoft--reuters.com.
d. AI: New genre of artificial intelligence programs take computer hacking to another level | trust.org.
e. India: India Steps Towards Internet Freedom: DoT Bars ISPs From Blocking Internet Content | inc42.com.
5) The Most Read Post this past week on DomainMondo.com:
-- John Poole, Editor, Domain Mondo