Tag: GDPR

ICANN71: GAC in the spotlight

ICANN71: GAC in the spotlight
Image source : icann.org website

Some 56 sessions were scheduled as part of the 71st ICANN Summit in The Hague. Held once again exclusively by video conference due to the global health situation, no less than a quarter of these sessions were organised by the GAC, the governmental advisory committee that advises ICANN on public policy issues related to ICANN’s responsibilities in the domain name system. The GAC has been very active on all current ICANN policy issues and has clearly made its mark.

The GAC currently has 179 members, representing a majority of the world’s countries. This gives it a good representation on a global scale to speak to a global governance body. The GAC is highly organised and precedes ICANN meetings with preparatory meetings that enable it to gather opinions at local level and then relay them to the governance body. Once again, this summit highlighted the fact that there are really a lot of policy issues going on at ICANN level.

The fight against DNS abuse

The topic of abuse has almost become a chestnut at ICANN summits, as it has been at the center of concerns for almost two years. While registries and registrars are already subject to a battery of obligations on this topic, many stakeholders consider these to be insufficient to really address the issue. The year 2020 has indeed seen an explosion in cybersecurity breaches, particularly as a result of the global pandemic, which has seen even more consumption via the web, particularly due to confinements, and where working methods have had to be reinvented in favour of the remote. It is clear that little has been achieved to date on that issue.

A thorough initiative rich in proposals was formulated by the SSAC (Security and Stability Advisory Committee) which, in its 24 recommendations transmitted to the ICANN Board, put forward the idea of initiating an expedited Policy Development Process (ePDP) with a view to developing an anti-abuse policy. Their report to the Board three months ago has not been acted upon to date. The second and more recent initiative comes from the Registry Stakeholder Group (RySG). It has finalised, with input from the GAC, a framework aimed specifically at botnets, attacks that use forms of Trojan horses to take control of computers to form networks of computers to carry out further attacks. Its principle is to allow voluntary registries to join a scheme that requires them to preemptively block bulk names generated via DGAs (Domain Generation Algorithms), algorithms used to periodically generate large numbers of domain names that can be used as rendezvous points with their command and control servers. The large number of potential rendezvous points makes it difficult for law enforcement to effectively counter botnets, as infected computers will attempt to contact some of these domain names every day to receive updates or commands. The principle here is therefore preventive. In return, the registries would benefit from incentives and would not have to pay the tax collected by ICANN when a domain is created. This initiative is to be welcomed, but it is carried out more directly by the RySG and is therefore not consensual, hence its voluntary nature and therefore its very limited impact.

The reason the DNS abuse issue is so stalled is that it is confronted with other ongoing and upcoming policy development processes and competing interests between bodies, the Intellectual Property Constituency (IPC) for example being very concerned about access to contact data in domain name directories, the RySG about the launch of the next round of new gTLDs that they want to see move forward.

The impact of the General Data Protection Regulation (GDPR) on domain name registration data

Recall that to replace the Temporary Specification, which was put in place on 17th of May 2018 just a few days before the GDPR came into effect, an ePDP process was initiated. This process, described as expeditious, seemed to be far from being finalised at this new ICANN summit, even though three years have passed.

Segmented into three phases, phase 1 aims to provide a perennial policy that should frame the management of personal data of domain names to replace the temporary Specification that notably redacted personal data from domain name directories (via the Whois and RDAP protocols). Its drafting is progressing but no date is known for its finalisation and therefore possible implementation. The delay is partly due to the difficulty of transcribing certain recommendations, one of which was in conflict with an existing policy, the Thick Whois Transition Policy, which provides for the systematic transfer of detailed contact data from registrars to registries. Another pitfall is that the policy overlaps with other existing policies, which therefore also require ongoing adaptation.

Phase 2 concerns the establishment of a harmonised system of access to redacted name directory data for “legitimate” interests. This system is now known as the Standardised Data Access System (SDAS). The first hurdle was that the Generic Names Supporting Organization (GNSO), the policy-making body for generic names, had surprisingly approved all of the recommendations in the Final Report, even those that did not achieve consensus. The recommendations to create this system were therefore all transmitted to the ICANN Board, which rather than pronounce and vote on their application decided to first initiate an Operational Design Phase (ODP). Initiated at the end of March by the Board, it should last six months and aims to identify the stages, risks, costs and resources to be allocated, with a consultation of the community once a milestone has been reached. It is therefore a form of project scoping. The publication of a Request for Information is planned for June for a first consultation of the community.

A Phase 2a additional layer of the PDP aims to assess the possibility of unbundling the contact data of publishable legal entities from non-publishable natural persons. Initiated in December 2020, it resulted in five recommendations in an initial report open for comment until 19th of July 2021. The first recommendation, which was much commented on at ICANN71 , finally recommends that nothing should be changed by allowing players who so wish to make this differentiation. This process will continue with a final report of recommendations expected in the second half of the year.

The GAC considers that improvements are needed in both of the above-mentioned topics. In particular, it considers that the system does not go far enough to protect consumers and increase their confidence. It also regrets that the evolution of the system over time has not been framed and fears that the cost, since access is subject to an accreditation system, could be a deterrent, particularly for those involved in the fight against security breaches who need access to registration data. On DNS abuse, the GAC reiterates the need to address this issue. It has already made several proposals at previous summits.

What about the next round?

The next round is still undecided. We just learned that the ICANN Board, which has just received the last inputs on the recommendations for the next round of new gTLDs, has confirmed that it will start an Operational Design Phase (ODP) to estimate the steps, risks and resources necessary to implement these recommendations. Not yet planned, the Board said it had asked ICANN org to prepare a document to frame the ODP in order to draft the resolution that will formalise it. This resolution will set a deadline for completion of the ODP, possibly six months as with the SSAD. 

The GAC, for its part, recalled the issues of specific concern to its members. These include: predictability, voluntary and mandatory registry commitments including how to address DNS abuse, its desire to see support for new applicants better adapted, particularly for less favoured areas, its opposition to closed generic TLDs, the consolidation of its ability to evaluate all applications in order to issue advices and warnings, and its opposition to private auctions to decide between applicants for the same gTLD. It also wishes to support non-profit community applications.

Other issues carried by the GAC are very committed

Other policy development processes are underway, such as the one on Governmental and Non-Governmental Organisation Identifiers (IGOs, INGOs), a process on the rights protection mechanisms, or in the initial phase a PDP on domain transfers and on the launch pad a PDP on IDNs. The GAC did not fail to recall the central issue of accuracy of registration data which is considered insufficiently addressed by the current obligations espacially due to the impact of GDPR. This topic will indeed be central in the perspective of the future NIS2 directives and the Digital Services Act currently being drafted at the European level. The GNSO was challenged by the GAC on the examination of this topic, which has not really started, and apologized for having too many topics in progress. Tensions that the GNSO has sought to alleviate by spending time reviewing its liaison with the GAC to improve it, a decidedly offensive and active GAC.

What About Future Summits?

ICANN summits usually end with a public forum where the public can directly question the Board. As a sign of a (temporary?) improvement of the health state on the covid, the traditional forum was dedicated to the future ICANN summits to know if they should be held in person. From this session it emerged that the answer is not obvious. At issue were the different levels of vaccination and access to vaccines in different countries, the currently restricted conditions of entry to the USA, ICANN72 being held in Seattle and the evolution of the pandemic which remains uncertain. This forum provided an opportunity to comment on a recent survey conducted by ICANN which showed that the majority of those interested in ICANN events considered that face-to-face meetings should be reactivated (54%). At the end of this session, ICANN committed to arbitrate during July. The format of ICANN72 could be hybrid, with limited on-site representation and the continuation of the remote format.

A notable feature of this summit was the large number of ongoing issues and the impression that things are moving forward with difficulty. This has resulted in notable tensions between bodies and discontent expressed, for example, by the group of representatives of geographical extensions, the geoTLDs. If for some, the return to face-to-face meetings seems to be the solution to improve things, through our presence in certain bodies and our participation in working groups, we think that it is rather a problem of visibility due to too many subjects being launched in parallel, some of which overlap with a clear lack of prioritisation. The ODP, the new tool which aims to frame the implementation of a harmonised system of access to registration data and which is now being applied in the next round, may go some way to improving these perceptions. Another aspect to be considered is the diverging interests between bodies. Here, facilitated exchanges can perhaps improve things.

ICANN66 at Montreal – A contrasting summit

During the first half of November, the 66th ICANN Summit was held in Montreal, Canada. This third and final annual summit devoted to policies applicable to Internet naming was eagerly awaited as the topics under discussion are numerous. At its closing, however, it left many participants a little bit disappointed.

A preview of the topics and postures during the weekend before the official launch of the Summit

The weekend before the official opening of the Summit is usually an opportunity to get an overview of the topics and postures involved. Not surprisingly, the expedited Policy Development Process (ePDP) which aims to develop a consensus rule to specify future conditions of access to personal data that are no longer published in the WHOIS, the domain name search directory, due to GDPR, is one of the major topics.

Among other related topics, the replacement of the same WHOIS by the RDAP (Registration Data Access Protocol) probably next year for generic domain names. This replacement is not insignificant when we know that WHOIS has been in use for nearly 35 years.

The body representing governments, the GAC, has weighed up the issue of domain name abuse, which has taken off considerably on the new generic extensions launched in 2012. When we know the rise of Internet practices aimed at weighing on elections in certain countries and the economic impact of computer attacks and hacking, we understand that this subject is being pushed by the GAC. While one of ICANN’s topics is to clarify in their texts the notion of malicious uses, this term refers to domains registered for phishing, malware, botnets and spam, the other part concerns the means to stem them. The existence of abusive domains indeed threatens the DNS infrastructure, impacts consumer safety and threatens the critical assets of public and commercial entities. Finally, and not surprisingly, the subject of a future round of new generic extensions has also been on many lips.

ICANN66 at Montreal - A contrasting summit
Cherine Chalaby at the ICANN Summit held in Montreal

“The best ICANN summit”, really?

During the traditional opening ceremony, which brings together all the guests for one hour (2500 according to Goran Marby, ICANN CEO) in a huge room to listen to various speakers, including Martin Aubé of the Quebec Government’s Ministry of Economy and Innovation, Cherine Chalaby, one of the ICANN Board members whose term ends at the end of the year, told his audience that ICANN66 would be the “Best ICANN summit”. It must be said, however, that at the end of the week of debates and meetings, which followed one another at a sustained pace, while the subjects under discussion are really numerous, the feeling regarding this assertion was more than mixed for many participants.

First, the expeditious process for access to WHOIS non-public data is progressing with a framework constrained by ICANN and the Personal Data Protection Authorities. The outcome of this process is envisaged between April and June 2020 and it is currently a centralized model where ICANN would allow the future lifting of anonymity of data that are now masked due to GDPR which holds the line.

Then the subject that was probably most often mentioned during this new summit week concerned abuses with domain names. For ICANN, the subject is central because it is directly correlated to its totem: the stability of the Internet for which they are the responsible. Since February 2019, ICANN has been publishing some metrics on malicious practices identified through DAAR, their Domain Abuse Activity Reporting.

Their latest report presented in Montreal shows that 364 extensions (mainly new generic extensions from the 2012 round) revealed at least one threat posed by one of the domain names activated on these extensions. More worryingly, new generic extensions would still account for nearly 40% of malicious uses, compared to 60% for historical generic extensions. This figure should be highlighted with the volume of these two categories of extensions. Indeed, out of just over 200 million generic names, new generic domains represent only 15% of the total number of registered names. ICANN therefore wants this subject to be taken up by the entire community present in Montreal.

Proposals were made by the various bodies present, some of which went so far as to request a policy development process (PDP). This last proposal, if it were to obtain ICANN’s approval, would have the unfortunate consequence of postponing the hypothetical schedule for a next round of new extensions, a subject that interested many of the guests present in Montreal. Indeed, for ICANN, the problem of the concentration of malicious practices in the new generic extensions must be solved before any future round, so that the PDP still in progress on the review of the last round of 2012 has gone almost unnoticed.  

If the rules are slow to evolve on malicious uses, your Nameshield consultant can already provide you with adapted solutions to your needs on this key matter.

Does the GDPR negatively affect enforcement efforts?

Does the GDPR negatively affect enforcement efforts?
Image source: mohamed_hassan via Pixabay

The General Data Protection Regulation (GDPR) has without a doubt a negative impact on the enforcement efforts, according to the participants at the INTA 2019 annual meeting (International Trademark Association) in Boston.

Margaret Lia Milam, domain name strategy and management lead at Facebook warned that the platform’s scale makes it a “huge target for bad actors”.

Milam stated that because the site is working at such a scale, it cannot turn to lawyers for the “thousands” of requests it receives.

Statton Hammock of MarkMonitor said that MarkMonitor had suffered a loss of efficiency of 12% due to the GDPR. His team has “historically used WHOIS to protect IP rights” but because of the GDPR, all the data they have cached “become less and less useful with each passing day”.

Alex Deacon, founder of Cole Valley Consulting, echoed Milam and Hammock’s comments warning that the Spamhaus Project, an international organization aiming to track emails spammers, is struggling to manage its blacklist because of the GDPR.

Status of ongoing projects after ICANN64

A month ago, ICANN held its first annual meeting with the Internet community in Kobe, Japan. At this summit, ICANN presented the major projects of the year and those of the coming years. Let’s look back at the main topics.

The implicitely constraint of the GDPR

While in May 2018, Europe adopted ambitious legislation to protect users’ personal data, ICANN imposed a regulatory framework on domain name players to bring the industry into line with the constraints of the GDPR.

In the absence of consensus, this framework was imposed when the GDPR came into force on May 25, 2018. It contains non-consensual provisions such as no longer publishing in the registry’s registration directory service, which currently operates via the Whois protocol, data that can be assimilated to personal data for contacts associated with domain names: registrant contacts, administrative contacts, technical contacts. Exit therefore the names, first names, postal addresses, telephone numbers and anonymization of email addresses or hidding via a contact form.

However, as provided for in the Bylaws, the rules governing the role and operation of ICANN, non-consensual rules may not be imposed beyond one year. ICANN therefore had the May 2019 deadline in mind throughout the Kobe meeting.

To build on this, last year ICANN initiated an expedited policy development process (ePDP) whose delicate mission was to develop consensus rules to replace the temporary provisions currently in place.

Shortly before ICANN64, this working group, in which Nameshield participates, submitted its proposals to the GNSO, the ICANN body that manages policy development for generic domain names. This report, which is currently open for comments, is expected to result in a final framework that will be submitted to the ICANN Board in early May for voting and promulgation.

The proposals outline a target date for implementation by 29 February 2020. ICANN has therefore focused its efforts on managing the transition period between May 2019 and this still distant deadline of February 2020. The prevailing approach is rather pragmatic as it consists in keeping the provisions currently in place such as the masking of personal data in the Whois until all the new provisions can be implemented by actors such as registrars and registries by the above-mentioned deadline.

Access to hidden data subject to tensions

Launched in 2012 during the last round of openings of new domain name extensions but quickly relegated to the boxes, the RDAP (Registration Data Access Protocol), an alternative to the aging Whois protocol, has resurfaced with the GDPR because of its modularity, which allows, unlike Whois, to filter access to certain data according to the user’s profile.

ICANN confirmed in Kobe that this protocol will be widely deployed by this summer. First, this protocol will coexist alongside the Whois protocol. Registrars will therefore provide access to domain name data through both protocols.

The stakeholders present at ICANN64 also learnt about the project submitted by a technical study group mandated by ICANN on the operational way envisaged through the RDAP protocol for access to hidden domain name data. It has been the subject of tensions because it is not the result of a consensual process and ICANN suggested it could play a central role in collecting all requests to validate their authorization, with authentication of requests being carried out upstream by agents accredited by data protection authorities. This topic is also part of the new mission of the Policy Development Working Group (ePDP) in the coming months. Things can therefore evolve on this subject in the future.

Status of ongoing projects after ICANN64
Goran Marby, ICANN CEO, speaking on the proposed functioning of access to hidden data for domain names through the future RDAP

A multi-year strategic plan

At ICANN64, ICANN also presented progress on the implementation of a strategic operating plan for the organization for the period 2021-2025.

The adoption of a five-year plan is new for this organization, which has always operated on an annual basis. This plan must determine the priorities for the coming years, which is also a novelty in a context where multiple projects have always been carried out simultaneously without any real prioritization.

We already know that DNS security is one of the major issues of the coming period. Among the priorities identified are the reinforced fight against malware and the increased security of the DNS, in particular through a faster deployment of DNSSEC.

For the next round of new domain names extensions openings also mentioned, ICANN has also indicated that it will take into account the lessons learned from the previous round. Among them, new extensions are ten times more targeted than historical generic extensions (like .COM,.NET,.ORG,.BIZ,.INFO) by malicious practices such as typosquatting and dotsquatting on which phishing and pharming practices proliferate.

Feel free to contact your Nameshield consultant, who is very knowledgeable on all these subjects.

GDPR and consequences: DomainTools appeals injunction decision in .NZ whois case

GDPR and consequences: DomainTools appeals injunction decision in .NZ whois case
Image source: mohamed_hassan via Pixabay

DomainTools sued by DNCL

In June 2018, .NZ registry, DNCL (Domain Name Commission Limited) sued the American company specialized in tools of monitoring and investigation, on the ground that it violated the registry’s terms of use.

The DNCL was successful and the Federal Court in the State of Washington granted a preliminary injunction that banned DomainTools to collect the whois data of .NZ and ordered the suppression of the data used in the existing publications, while the lawsuit proceeded.

Indeed, since June 2016, .NZ registry has indicated in its terms that it was now forbidden to copy the domain names holders’ data.

DomainTools appeals the injunction decision

Without surprise, DomainTools, that first indicated that the use of these data was also of general interest, these data being used by its customers in the context of the fight for cybersecurity, appealed the preliminary injunction.

Of course, this trial reflects the terms of the debate which took place at ICANN regarding the General data protection regulation (GDPR).

DomainTools is mentioned in the American draft legislation unveiled by the Internet Governance Project, which indicates as such, that this attempt would be led by different lobbies. The Transparent, Open and Secure Internet Act of 2018, dated from August 16, 2018 mentions these two possibilities of evolution: 

  • The first called “large” proposes keeping a whois with a wide enough spectrum of information (more or less the same as our old fashioned whois)
  • The second, more limited, would keep this obligation to publish the data to the American residents or to the actors targeting a business activity on the US market.

An intense debate about the GDPR

This trial reminds us how the debates regarding the GDPR implementation are intense within ICANN, opposing actors using the now so precious data and the privacy advocates, supported by the WP29 (Article 29 Data Protection Working Party) that mentions in particular the applicable sanctions.

Finally, it should be reminded that the GAC attempts to minimize the consequences of the European regulation. After being dismissed by the German Court from their attack in May 2018, which aimed a registrar that stopped to provide customers data under the GDPR, the GAC aims to obtain from the EU’s Court of Justice a favorable decision on this subject. The debate about the DomainTools case deserves to be followed closely!

GDPR – What is the impact on your SSL certificates?

GDPR – What is the impact on your SSL certificates?
Source : mohamed_hassan via Pixabay

The European Data Protection Regulation (GDPR) came into effect on 25th May and its impact on the management of your SSL certificates portfolio is not neutral.

All Certification Authorities have previously always relied on the WHOIS of the domain name that needs to be certified in order to validate that the certificate applicant has the domain name technical operator’s agreement.

In order to validate an order, one of the authentication steps involved sending an email to one of the email addresses (admin or technical) found on the WHOIS.

However, the GDPR has left its mark and registrars no longer have the right to provide domain name owner personal data without the owner’s explicit consent. This means that the WHOIS database is unusable in terms of Certification Authorities being able to send out validation emails.

Faced with this situation, the Certification Authorities propose sending domain validation emails to one of the following generic addresses by default:

admin@domain.com
administrator@domain.com
postmaster@domain.com
webmaster@domain.com
hostmaster@domain.com

What if none of these addresses exist or is it too complicated to create?

There is an alternative solution. The Certification Authorities are able to validate that you have the domain name technical operator’s agreement through TXT record verification in the DNS zone of the domain name to be certified.

By verifying the presence of this TXT record, the Certification Authority is able to:

  • issue the certificate if it is a simple DV certificate (Domain validation)
  • continue to the next authentication steps if it is an OV (Organization Validation) or EV (Extended Validation) certificate.

Even with this in mind, the GDPR is changing the game and is having a significant impact on the SSL industry.
If the generic email validation method is not possible and we have to use TXT record verification method then we will indeed see an increase in certificate processing times.

What are the benefits of using Nameshield to manage your SSL certificates portfolio?

As a Registrar, Nameshield offers a unique market advantage for its SSL clients.
Nameshield carries out a pre-authentication process before each order reaches the Certificate Authority. This makes it possible to anticipate any blocking factors and if necessary to act quickly to resolve them:

  • Modification of a WHOIS
  • Edition of the zone to set up a TXT record (if the DNS are those of Nameshield)
  • Creation of alias admin @, administrator @, webmaster @, postmaster @, hostmaster @ (if the MX are those of Nameshield)

If you have any questions, please do not hesitate to call our dedicated SSL service.