
Whois whoam I? How wrong can people get GDPR?

Publication: 
Bryan Edwards
chiefofficersnet

This is just silly. We own dozens of domain names and we manage a handful for friends and family because it's convenient: we can include them on our data protection system and deal with domain admin within our own processes rather than them having to do it. As a result, we get a lot of correspondence from domain hosts and domain registrars, especially as we are moving all the domains and websites, in batches, from one unsatisfactory host to a far better one. In addition, we also get notices from ICANN, which really hasn't got a grip on this GDPR thing at all.

ICANN is the internet domain naming body. It's the one that doesn't police the .org top level domain so that fraudsters use it unremittingly; it's the one that has created a free-for-all in TLD extensions (anyone can create their own, if they pay enough, and there is an apparently un-contained proliferation of TLDs that suggest closed groups but, again, aren't policed). It's also the one that could isolate many domains that pass themselves off as established brands or which, as we noted recently in relation to a not-quite-google domain, aim to steal traffic by using a similarly named domain, but it doesn't.

What it has done is to follow some of the recommendations included in Cleaning up the 'Net by Nigel Morris-Cotterill with regard to identifying those effecting new registrations, although those checks as implemented are ineffective at preventing the creation of domains for criminal purposes.

Then, just as ICANN seemed to be making some, albeit slow, progress, along came the in-force date for the EU's General Data Protection Regulation. So what? Well, first, the GDPR relates to any company doing business in the EU so it has a degree of extra-territorial effect. Secondly, the GDPR is badly drawn law because it's stupidly complicated but written in stupidly simple English so it's not clear exactly what is meant. But its principles are simple: except in certain, very limited circumstances, a business that collects personal data must not reveal that personal data to any third party and must have adequate systems in place to ensure that doesn't happen.

OK, so far, so good.

However, ICANN has decided that all data is personal data even when the most cursory examination of it would reveal otherwise.

This, then, has led to a request being sent via our new host for "WHOIS Data Confirmation" for several domains.

Our host says "ICANN, the organization responsible for the stability of the Internet, requires that each domain name registrant be given the opportunity to correct any inaccurate contact data (WHOIS data) associated with a domain name registration. Our records for your domain are as follows:"

Then it provides some domain related information:

Domain Name: JAMESYANGYONGCONG.COM
Registry Domain ID: 2238813405_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2018-06-22T16:49:35
Creation Date: 2018-03-13T21:59:22
Registrar Registration Expiration Date: 2019-03-13T21:59:22
Reseller: SiteGround Hosting Ltd.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTr...
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUp...
Registry Registrant ID:

OK, so that's all good stuff (except the irritating "expiration" instead of "expiry" and the racist rejection of GMT in favour of "UTC" which is shortened here to T.)

Then it descends into farce.

Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext:
Registrant Email: REDACTED FOR PRIVACY
Registry Admin ID:
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext:
Admin Email: REDACTED FOR PRIVACY
Registry Tech ID:
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext:
Tech Email: REDACTED FOR PRIVACY
Registry Billing ID:
Billing Name: REDACTED FOR PRIVACY
Billing Organization: REDACTED FOR PRIVACY
Billing Street: REDACTED FOR PRIVACY
Billing City: REDACTED FOR PRIVACY
Billing State/Province: REDACTED FOR PRIVACY
Billing Postal Code: REDACTED FOR PRIVACY
Billing Country: REDACTED FOR PRIVACY
Billing Phone: REDACTED FOR PRIVACY
Billing Phone Ext:
Billing Fax: REDACTED FOR PRIVACY
Billing Fax Ext:
Billing Email: REDACTED FOR PRIVACY

Ignoring the fact that we argue that domain ownership registers should be public for crime prevention reasons (email and telephone numbers should not be public without special authority) we can understand why the PUBLIC register would show this.
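
For anyone who still has to work from records like the one quoted above, this added example (not part of the original article) parses that "Key: value" layout and separates the registration metadata that survives redaction from the per-role contact fields. The sample is an abbreviated copy of the quoted record, and the function names are illustrative.

```python
from collections import defaultdict
from datetime import datetime

REDACTED = "REDACTED FOR PRIVACY"
ROLES = ("Registrant", "Admin", "Tech", "Billing")

# Abbreviated sample in the format of the record quoted above.
SAMPLE = """\
Domain Name: JAMESYANGYONGCONG.COM
Registrar WHOIS Server: whois.tucows.com
Creation Date: 2018-03-13T21:59:22
Registrar Registration Expiration Date: 2019-03-13T21:59:22
Reseller: SiteGround Hosting Ltd.
Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Email: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Billing Country: REDACTED FOR PRIVACY
"""

def parse_whois(text):
    """Return (key, value) pairs in order; keys such as Domain Status may repeat."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def summarize(pairs):
    """Separate surviving registration metadata from per-role contact fields."""
    metadata = defaultdict(list)
    contacts = {r: {"redacted": 0, "empty": 0, "disclosed": 0} for r in ROLES}
    for key, value in pairs:
        role = next((r for r in ROLES if key.startswith(r + " ")), None)
        if role is None:
            if value:  # blank registry handles carry no information
                metadata[key].append(value)
        elif not value:
            contacts[role]["empty"] += 1
        elif value.upper() == REDACTED:
            contacts[role]["redacted"] += 1
        else:
            contacts[role]["disclosed"] += 1
    return dict(metadata), contacts

def term_days(metadata):
    """Days between creation and expiry, both still published after redaction."""
    created = datetime.fromisoformat(metadata["Creation Date"][0])
    expires = datetime.fromisoformat(metadata["Registrar Registration Expiration Date"][0])
    return (expires - created).days
```

On the sample, every contact role comes back with nothing disclosed, while the registrar, reseller and registration dates remain available.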

However, we are being asked to check the register of ownership, etc. in relation to our own domains and to tell ICANN if they are wrong. So, provided ICANN, via our service provider, sends that information to the registered e-mail address (which is where this mail and all the others like it were sent so the data is in fact there), there can be no data protection reason for not telling us what information ICANN holds about us.

Or are we supposed, in response to this mail, to serve ICANN with a data protection disclosure notice so we can find out what data they have and then tell them if it's right?

And, just to put a cap on it, while each of the three requests received today does, in fact, relate to domain names for people not businesses, the registrations are to a company, the address is the company's registered office and the e-mail address, in readiness for GDPR, was created specifically not to include the name of an individual so that the Regulations don't apply to it anyway.

See: told you it was silly.
