[sf-lug] [slightly? OT] gandi.net, whois, GDPR: Re: whois: ...

Rick Moen rick at linuxmafia.com
Sun Apr 7 23:59:23 PDT 2019


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> So ... seems pretty straight-forward with gandi.net,
> basically just the default has changed (and the "privacy protection" is
> complimentary with registration), and I'm guessing the data goes to
> ICANN but they may not be showing it in their public whois (but I've
> not fully checked those details, so I may be guessing incorrectly).
> In any case, gandi.net's public whois server data is seen in what
> ICANN (or likely about anyone) serves up - so it's pretty easy to
> follow and get whatever data the registrant has as public in whois.

Not ICANN.  I'll have a few words about ICANN at the end of this post.


It's understandable that all registrars, and particularly ones
headquartered in the EU, have been obliged to give a hard look at their
operations because of GDPR, because as we all know the effects of GDPR
since last May on treatment of personally identifying information
everywhere have been profound.  It's also understandable that many
registrars have (probably?) recently decided to make it easier on
themselves to avert accusation of GDPR violation by making domains
suddenly _default_ to private WHOIS -- as I described happening to my
NZ-based registrar.

I found the fire drill I was suddenly obliged to go through with
IWantMyName.com and 1API GmbH, in order to re-enable public WHOIS
slightly annoying but understandable.  What's over the line, IMO, by
contrast, is what Joker.com has done about it.

Joker.com's online policy on that matter is IMO very clear:  They have
deliberately eviscerated public WHOIS for domains they register, and
it's pretty clear that their roadmap includes -no- 'per-customer
re-enable public WHOIS' ability.  My reading of
https://joker.com/index.joker?mode=reseller_docs#gdpr is that 
it's gone and they have absolutely no intention of restoring it even on
an as-requested basis.

They say:

  Our model will basically be grounded on the ICANN Interim Proposal
  (which just this April was not approved by EU authorities), with some
  modifications to comply to GDPR requirements which are missing in the
  ICANN model, according to German and European legal opinion, as well as
  the European commission, which just pointed out the missing parts by
  their "Article 29 Group".

There's a problem with that.  I looked up the ICANN Interim Proposal,
and it includes this:

  7.2.8. What registration data must be published in public WHOIS?

  7.2.8.1.  Registrars must provide registrants the opportunity to 
  opt-in to publication of full contact details in the public WHOIS. 

Note the above key sentence.

  The registrant’s consent should be given by a clear affirmative act
  establishing a freely given, specific, informed and unambiguous
  indication of the registrant’s agreement to the processing of personal
  data relating to him or her. The consent must be withdrawable at any
  time and otherwise consistent with the requirements of the GDPR (e.g., a
  domain name registration cannot be denied on the basis that the
  registrant has not consented to the publication of the full WHOIS data).

Reference:
https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf

So, Joker.com acts as if it's merely implementing the ICANN Interim
Proposal (albeit with the slippery qualifier 'grounded on'), but, when
you look up its specifics, they're denying registrants the option of
public WHOIS even though the ICANN Proposal says it must be offered.

Michael, I could be wrong but I'm pretty sure Joker.com will not budge.


On the separate matter of ICANN, here's your key question:

Q:  Who the hell is ICANN, and what authority does it have?
A:  ICANN is a Jedi mind trick.  

    It's a self-appointed body that acts like it's entitled to issue 
    orders to the registrars, the back-end registry, ARIN and the 
    other Regional Internet Registries, IANA, IETF, the IAB, etc., 
    but _has little to no legitimate authority_, especially concerning 
    Internet domains.

ICANN is a California non-profit corporation thrown together in a hurry
in 1998, headed initially by Esther Dyson.  (Jon Postel was supposed to 
be the initial head, but suddenly died just before that would have
happened.)

Prior to that, IANA was funded in part by (direct) US Department of Commerce
grants.  Commerce put out a broad hint in 1998 through its subsidiary the 
National Telecommunications and Information Administration (NTIA) that
it would welcome creation of a non-profit entity to administer IANA
on its behalf, so ICANN was constructed to fit that role and got the
first of a number of successive Commerce contracts for that governance
role -- not, you will note, over domains.  The timing was because DoD
had just shut down the last of ARPANET, and DARPA had bowed out of being
in theoretical charge of IANA.

The Regional Internet Registries including ARIN reached an understanding
with ICANN to be vaguely under the ICANN umbrella but left alone.  The 
root DNS zone and 13 root nameserver clusters remain administered by
IANA and VeriSign.  Also, the contractual relationship between NTIA
(Commerce Dept.) and ICANN ended in 2016:
https://www.icann.org/news/announcement-2016-10-01-en

And that leaves domains.  Again, ask yourself:  Who put ICANN in charge
of domains and registrars?  Nobody.  You might want to say 'US Commerce
Department', but they have no authority over the world's DNS namespace
to begin with.  Why should Commerce Dept. or a California corporation
have any authority at all over any of the non-US country-code TLDs, 
for example?  Neither Commerce nor ICANN is a world government entitled 
to tell countries what to do.

About a decade and a half ago, when the Bay Area Cypherpunks were still
having in-person meetings, they had a remarkable one on the Stanford
University campus where the featured speaker was the main technical guy
at the Kingdom of Tonga's ToNIC, custodians of the .to country-code TLD.
The Tongans had made an arrangement with a group of techies in San
Francisco to operate .to on their behalf subject to Kingdom direction
and law, which I believe remains the arrangement to this day.  According
to the speaker, one day ToNIC received an _invoice_ from ICANN
purporting to require ToNIC/Tonga to pay something like $20,000 for
their 'share' of ICANN's budget for that year.  The speaker showed us
that letter, along with ToNIC's response, which was that the Kingdom and
its agencies were not in the habit of paying out money for services they
don't want, don't need, and haven't received.

And that was the end of that, because it was a cheeky Jedi mind trick, a 
letter broadcast out in the hopes that the various national ccTLD NICs
would forget that they're agencies of sovereign countries.

I consider ICANN to have the power to make suggestions.  I see them as
having no legitimate role giving anybody orders.


My old piece on this matter from 1999, that I never finished:
http://linuxmafia.com/faq/Network_Other/icann.html



