The never ending saga of ICANN’s arrogance

The story so far. From the very beginning of the worldwide web a system has existed  to record the names and contact details of who owns and operates every web site, be that a private individual, a company or other organization. These details are meant to be accurate, up to date and publicly accessible. They are stored in a database known as WHOIS. The custodian of WHOIS globally is ICANN.

Crucially, the police and other law enforcement agencies have had ready access to  the information contained in WHOIS, as have other security interests such as anti-spam, anti-fraud and anti-piracy bodies.

Indeed everyone had access. If you were going to do business with a company for the first time you might check out the ownership details of their web site via WHOIS to see if everything was in sync. Anything looked dodgy you might not proceed.

Now it is true that for a variety of reasons there is a significant degree of inaccuracy in the WHOIS  database, and therein lies another tale, but from a law enforcement point of view it nevertheless remains an important investigative tool. Yet right now there is the possibility that all this will change because of an EU law, the GDPR, which comes into effect next month.

The situation is complicated and confused because ICANN  did not  manage to pull its finger out and make sure everyone was ready for  the new law. Its negligence and inattention means there is unlikely to be a smooth transition. A smooth transition was possible – one which ensured law enforcement  and legitimate security businesses continued to enjoy identical or broadly similar access rights.

But ICANN works at its own  stately pace, according to its own arcane lights. The interests of 28 European Governments are a trifling concern.

ICANN is now saying it wants implementation of  the relevant bit of the GDPR to be put on ice until a new arrangement can be agreed about access rights to WHOIS.  The European Data Protection Authorities  have pointed out there is no way they can suspend a law that kicks in on 25th May, further pointing out it has  officially been in the pipeline since 2012 (and informally since 2010), having been finalised in a Trilogue in 2015.

Only a body with the egregious arrogance of ICANN could behave in this way. The net result is currently there is some doubt and uncertainty about whether, after 25th May,  law enforcement agencies  and others will have to go to court each time they want to obtain WHOIS data.

ICANN is  itself threatening to go to court  to see if it can win a delay but that seems to be sheer bluster. There is zero legal basis for any court to say that the long stated implementation date of a law can be changed.

The whole inglorious debacle today prompted the White House to put out a statement saying that “cyber criminals are celebrating” the new EU data rules. The author of the statement, White House cyber co-ordinator Rob Joyce, directs all his fire at the substantive EU law and, astonishingly, omits to mention ICANN at all.

Whatever the proper interpretation of the law might be we should not be arguing about it at this late hour, and in that regard there is only one possible culprit. ICANN.

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised.
This entry was posted in Default settings, Internet governance, Regulation, Self-regulation. Bookmark the permalink.