Related Links

Top 5 Stories


Europe says ICANN’s proposals are illegal

01 October 2012

ICANN is in the process of renegotiating the basis of the WHOIS database. Last week it reported that it “and the registrars are much closer to reaching a negotiated position on Whois verification and data retention.” But now Europe has said you can’t do that – it’s illegal.

The Internet Corporation for Assigned Names and Numbers, better known as ICANN and responsible for managing the internet’s naming system, is in the process of updating its Registrar Accreditation Agreement (RAA). Many of the changes it has been negotiating are at the behest of law enforcement and the Governmental Advisory Committee.

Now the Article 29 Working Party of the European Union (a group comprising representatives of the data protection authority of each EU member state) has written to ICANN with its reservations. At issue are two particular points: the annual re-verification of contact details, and a new data retention proposal.

On the former, the Working Party seems to have two problems. Firstly, it notes that the WHOIS database is “being harvested on a large scale and abused for spamming. In other words, the way the system is designed provides a strong incentive for natural persons to provide inaccurate contact details.”

Secondly, however, it is concerned about illegal mission creep. The purpose behind collecting the data is to be able to contact a person who can resolve issues associated with the domain records. Since then, ICANN has noted that, “Over time, WHOIS data has been increasingly used for other constructive and beneficial purposes...” But the Working Party says that neither this nor the fact that law enforcement is requesting the change can “legitimize the collection and processing of personal data for those other purposes.”

In short, the new requirement to collect and publish re-verified contact details in the publicly accessible WHOIS database is “excessive and therefore unlawful.”

The Working Party’s second concern is over data retention. ICANN’s proposal is that all the registration details (not just those published in the public WHOIS database, which could include credit card details) are retained after registration. This requirement, notes the Working Party, “does not stem from any legal requirement in Europe, but again, is explicitly introduced by ICANN to accommodate wishes from law enforcement.” The Working Party strongly objects to this saying that if such is required, it is up to “national governments to introduce legislation” rather than “by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.”

It concludes that since “there is no legitimate purpose, and in connection with that, no legal ground for data processing, the proposed data retention requirement is unlawful in Europe.” In reality, these two concerns are an embarrassment for ICANN rather than a show-stopper. It doesn’t ultimately need Europe’s approval, although the lack of it could cause further problems for the internet.

This article is featured in:
Compliance and Policy  •  Internet and Network Security  •  Public Sector



eionmac says:

05 October 2012
Why can not the EU enforce all domains inside EU to only publish data inside EU with EU safeguards, for retention and data publicly available, i.e. ICANN must accept a reductionin its authority and set EU as a parallel authority. I assume if done major areas PR China and Russia would do likewise.

LynnG says:

02 October 2012
Is the letter that was sent to ICANN a recent letter or one sent years ago? False, incomplete or absent legitimate domain name registration contact details is enabling fraudulent and criminal activity and in particular, phishing schemes which exploit the personal data of individuals. It seems to me this illegal collection of personal data by websites without valid contact information should be a much greater concern to the Article 29 Working Party than spamming which happens to anyone with an email address.

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×