Despite looming deadline, ICANN still has no plan for GDPR compliance

ICANN is struggling to find a workable temporary solution to address the imminent EU privacy regulation.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Despite the GDPR being ratified in April 2016, ICANN has still not adopted a policy to address its new privacy regulations, which go into effect May 25, 2018.
  • Disagreements have arisen over who should be allowed access to domain registration records, and for how long those records should be retained.

ICANN has yet to implement a solution for maintaining privacy of domain registrant records in accordance with the EU GDPR (General Data Protection Regulation), which will go into effect on May 25. The organization published four original plans as temporary fixes, along with eight plans submitted by outside organizations like the EFF earlier this month (Excel download). A response from the European Union found the plans underwhelming (PDF), underscoring the need to urgently address compliance with the pending regulation.

The GDPR prohibits, among other things, sharing personally identifying information (PII) with third parties without user consent. While domain anonymization services have long been popular with privacy-minded registrants who want to keep their details out of public view, this kind of opt-in protection is not adequate for GDPR compliance. The length of time for which data is retained after a domain registration expires is a further point of contention.

ICANN has stated that, for the interim until a solution is created and adopted, it will not enforce the contract clause which otherwise obliges registrars to operate a WHOIS service. Registrars have little realistic alternative, as fines for noncompliance with the GDPR can be up to €20 million or 4% of revenue, whichever is higher.

Separately, GoDaddy has announced that automated WHOIS requests will block PII as of January 25, but web-based requests with a CAPTCHA challenge will still continue to provide full details.

Public access to WHOIS records has been a sore spot for some time, given the propensity of spammers to use this information to inundate registrants with spam email—as well as physical mail and phone calls—for web design services and the like. ICANN's own Expert Working Group recommended in 2013 (PDF) that WHOIS be scrapped in favor of a system which grants access to groups for "permissible purposes," including legal action, regulatory enforcement, and abuse mitigation.

There is value in public access to WHOIS records, however. Security analysts use the data to track the spread of malware, while journalists rely on the records when investigating who is publishing information on the internet.

Management of ICANN has frequently been criticized in recent years. The introduction of new generic Top-Level Domains (gTLDs) has drawn criticism for forcing defensive registrations in the .exposed, .gripe, .review, .reviews, and .sucks gTLDs. In an interview with NPR, J. Scott Evans, associate general counsel at Adobe, characterized the $2,500 price for .sucks domains as "extortion." Additionally, the authorization of near-identical gTLDs such as .review and .reviews is likely to encourage typosquatting.

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.