ICANN Rules vs. Privacy With Michele Neylon


DESCRIPTION

Presentation given to UCD Law School students, February 12, 2014. Gives an overview of ICANN and its function / role within the internet governance context. Moves into the conflicts between ICANN's contracts + policies and local laws, specifically privacy.


Page 1: ICANN Rules vs Privacy

ICANN Rules vs. Privacy With Michele Neylon

Page 2: ICANN Rules vs Privacy

ICANN Rules (Contract) vs. Privacy

Michele Neylon

Page 3: ICANN Rules vs Privacy

Who am I?

Michele Neylon
- Founder / CEO Blacknight
- http://mneylon.tel
- @mneylon
- http://michele.me/blog
- IIA Net Visionary 2013
- Chair RrsG, Chair Registrar Advisory Board Eurid, member EWG

Page 4: ICANN Rules vs Privacy

What Will I Cover?

• What is ICANN?
• Registrars
• EU law
• Registries
• ICANN “law”

Page 5: ICANN Rules vs Privacy
Page 6: ICANN Rules vs Privacy

I am NOT a lawyer!

Page 7: ICANN Rules vs Privacy

Who Runs The Internet?

Page 8: ICANN Rules vs Privacy

Who Runs the Internet?

• Graphic: http://michele.cat/f4
• Lots of acronyms!:
  – ICANN, IETF, IGF, ISOC, W3C, RIRs, LIRs, IAB, ISO

Mixture of technical / operational + policy

LOTS OF LAWYERS

Page 9: ICANN Rules vs Privacy

Head Hurts?

Page 10: ICANN Rules vs Privacy

Why do I Care?

• ICANN – gTLDs (com, net, org etc)
• ICANN -> new TLDs -> 1000+ new extensions
• IANA -> ccTLDs
• RIRs -> RIPE – LIR – ISP -> YOU

Page 11: ICANN Rules vs Privacy

ICANN?

• US (California) Corporation
• Formed 1998
• Internet Corporation for Assigned Names & Numbers
• Co-ordination – stability / security / competition

Page 12: ICANN Rules vs Privacy

ICANN

• All registrars selling gTLDs have contract with ICANN
• Any registry operator has to have one too
• If you want to register / buy a gTLD domain you have to deal with a “contracted party” directly or indirectly.

Page 13: ICANN Rules vs Privacy
Page 14: ICANN Rules vs Privacy
Page 15: ICANN Rules vs Privacy

The EU Landscape is complex (Sort of)

• ccTLDs
• gTLDs
• Regional TLD - .eu
• Geo TLDs - .london, .paris
• Linguistic / Cultural - .cat, .eus etc

Page 16: ICANN Rules vs Privacy
Page 17: ICANN Rules vs Privacy

Privacy?

• EU has privacy laws – US? Not so much (though they don’t like being reminded)
• European Data Protection Directive 95/46/EC
• Directive -> transposed national law -> Data Protection (Amendment) Act 2003
• Art. 29 Data Protection Working Party -> DPAs of all 28 members of EU

Page 18: ICANN Rules vs Privacy

Privacy + ICANN?

• Whois policy?
• Data policies in general
• 2013 contract -> specific data retention requirements (LEA wanted more)

Page 19: ICANN Rules vs Privacy

EU Registries vs ICANN (Historical)

• .tel – delayed due to whois policy
• .cat – 3 years+ to get a whois policy change + comply with Spanish law

Page 20: ICANN Rules vs Privacy

Post Snowden World

Page 21: ICANN Rules vs Privacy
Page 22: ICANN Rules vs Privacy

Getting away with murder?

• EU citizens more conscious of data privacy + digital issues than before
• Logically the risk of litigation has increased
• Irish DPC being sued for not being tough enough on Facebook!
• Registrars and registries at risk?
• Is ICANN? Doubtful – they’re still safe in the US!

Page 23: ICANN Rules vs Privacy
Page 24: ICANN Rules vs Privacy

EU Law vs ICANN?

Page 25: ICANN Rules vs Privacy

2013 RAA

• Illegal contract for EU based registrars
• ONLY 1 EU based registrar “granted” waiver
• Potentially problematic for non-EU registrar with EU registrants
  – Data retention
  – Data elements to be collected
  – Periods of retention

Page 26: ICANN Rules vs Privacy
Page 27: ICANN Rules vs Privacy

Article 29 Working Party

• 6th June letter to ICANN (http://michele.cat/ch )
• “..to avoid unnecessary duplication of work by 27 national data protection authorities in Europe.. the WP wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe”

Page 28: ICANN Rules vs Privacy

Article 29 Working Party

• 2013 RAA obligations NOT based on legal requirement in EU
• Risk of data breach -> exposure of personal data
• Opposes Private corporation (ICANN) introducing data retention -> national govt should do it (if needed)

Page 29: ICANN Rules vs Privacy

Article 29 vs ICANN

• ICANN’s responses haven’t been helpful
• Art 29 wrote again see:
• http://michele.cat/eh
• Google France have learnt the hard way – slapped with 150k fine

Page 30: ICANN Rules vs Privacy

What about Whois?

• Art 29 WP doesn’t like “open” whois
• Most ccTLDs in EU “gate” data BUT ICANN forces registrars AND registries to publish EVERYTHING by default
• What will “Geo” gTLDs do?

Page 31: ICANN Rules vs Privacy
Page 32: ICANN Rules vs Privacy

ICANN’s response?

• Waiver process for retention / collection elements of 2013 RAA (see http://michele.cat/cg )
• No change on Whois “waiver” process (yet)
• Article 29 letter rejected

Page 33: ICANN Rules vs Privacy
Page 34: ICANN Rules vs Privacy

Impact on Registrars / Registries

• Delays (they cost too)
• Cost (lawyers don’t work for free!)
• ONLY registrars on 2013 RAA can offer new TLDs – so we (Blacknight) can’t
• If a registrar doesn’t have a waiver then how will their DPC react?
• Is it worth the risk?

Page 35: ICANN Rules vs Privacy

Waiver = how long?

• Advantage for registrars in countries with other registrars
• 45 days? 90 days? Based on current experience -> never?
• Timeline published by ICANN has a 30 day publication period

Page 36: ICANN Rules vs Privacy
Page 37: ICANN Rules vs Privacy

Our Experience (so far)

• Delay
• Submitted request on September 17th
• Received basic acknowledgement same day
• Received a reply on October 25th with queries
• Still going back and forth

Page 38: ICANN Rules vs Privacy

The Future?

• GAC involvement?
• Article 29 WP again?
• EU Commission?
• ICANN?

Page 39: ICANN Rules vs Privacy

Questions?

Page 40: ICANN Rules vs Privacy

Thank You …

Page 41: ICANN Rules vs Privacy

Credits

• Logos image via http://www.flickr.com/photos/27845211@N02/2616906744/sizes/l/

Page 42: ICANN Rules vs Privacy

Who am I?

Michele Neylon
- Founder / CEO Blacknight
- http://mneylon.tel
- @mneylon
- http://michele.me/blog
- IIA Net Visionary 2013
- Chair RrsG, Chair Registrar Advisory Board Eurid, member EWG