The story so far. From the very beginning of the worldwide web a system has existed to record the names and contact details of who owns and operates every web site, be that a private individual, a company or other organization. These details are meant to be accurate, up to date and publicly accessible. They are stored in a database known as WHOIS. The custodian of WHOIS globally is ICANN.
Crucially, the police and other law enforcement agencies have had ready access to the information contained in WHOIS, as have other security interests such as anti-spam, anti-fraud and anti-piracy bodies.
Indeed everyone had access. If you were going to do business with a company for the first time you might check out the ownership details of their web site via WHOIS to see if everything was in sync. Anything looked dodgy you might not proceed.
Now it is true that for a variety of reasons there is a significant degree of inaccuracy in the WHOIS database, and therein lies another tale, but from a law enforcement point of view it nevertheless remains an important investigative tool. Yet right now there is the possibility that all this will change because of an EU law, the GDPR, which comes into effect next month.
The situation is complicated and confused because ICANN did not manage to pull its finger out and make sure everyone was ready for the new law. Its negligence and inattention means there is unlikely to be a smooth transition. A smooth transition was possible – one which ensured law enforcement and legitimate security businesses continued to enjoy identical or broadly similar access rights.
But ICANN works at its own stately pace, according to its own arcane lights. The interests of 28 European Governments are a trifling concern.
ICANN is now saying it wants implementation of the relevant bit of the GDPR to be put on ice until a new arrangement can be agreed about access rights to WHOIS. The European Data Protection Authorities have pointed out there is no way they can suspend a law that kicks in on 25th May, further pointing out it has officially been in the pipeline since 2012 (and informally since 2010), having been finalised in a Trilogue in 2015.
Only a body with the egregious arrogance of ICANN could behave in this way. The net result is currently there is some doubt and uncertainty about whether, after 25th May, law enforcement agencies and others will have to go to court each time they want to obtain WHOIS data.
ICANN is itself threatening to go to court to see if it can win a delay but that seems to be sheer bluster. There is zero legal basis for any court to say that the long stated implementation date of a law can be changed.
The whole inglorious debacle today prompted the White House to put out a statement saying that “cyber criminals are celebrating” the new EU data rules. The author of the statement, White House cyber co-ordinator Rob Joyce, directs all his fire at the substantive EU law and, astonishingly, omits to mention ICANN at all.
Whatever the proper interpretation of the law might be we should not be arguing about it at this late hour, and in that regard there is only one possible culprit. ICANN.