Standards Development to facilitate Third Party Access to Registration Data
This project proposed to do the background research and stakeholder consultation necessary to explore whether it would be useful to develop standards for professional accreditation of Canadian cybersecurity practitioners, and other third parties seeking access to subscriber data. We refined this scope to focus on the case study of ICANN, the Internet Corporation for Assigned Names and Numbers, and its struggle to come into compliance with the European General Data Protection Regulation or GDPR 1. ICANN has published a directory of domain name registrants known as WHOIS for the past 20 years, and all the stakeholders who have benefitted from free and easy access to registrant data (a particular instance of subscriber data) are reluctant to give it up. The companies who sell registrations for domain names are the registrars, and those who assign the technical means to put them into existence on the Internet are the registries. Both are reluctant to risk non-compliance (and possible fines) with the GDPR in order to continue this practice of easy access, so as a case study of the application of a range of privacy standards, it is a good one.
ICANN is a non-profit corporation established in 1998 to manage the issuance of domain names (used for websites and email addresses) and Internet or IP addresses. Law enforcement, security companies who fight cybercrime and malware distribution, and intellectual property protection agents who protect business and trademark interests are key users of the personal information contained in the WHOIS. Cybercrime, including spam, phishing, and identity theft, has accelerated since the commercialization of the Internet, and is primarily fought by private sector security experts who draw extensively on the publicly accessible WHOIS directory. The WHOIS, or more recently the Registration Data Services (RDS) directory, listed the personal information of all registrants of domain names on the Internet and was useful to anti-abuse practitioners to determine who is behind a domain name or website suspected of disseminating malware and attacks on other Internet users. But rarely are these investigators authorized under the rule of law to obtain personal data. The openness of the WHOIS directory has been a source of contention between data protection authorities and ICANN since it was established to manage the Domain Name System (DNS).
The coming into force of the General Data Protection Regulation (GDPR) in Europe in May 2018 has prompted the businesses who sell domain names, the Registrars, to cut off access to WHOIS, lest they be subject to stiff fines. A 2014 Experts Group 2 had recommended ceasing the publication of registration data in WHOIS, and instead using existing privacy enhancing technologies to provide “tiered” access to personal information, permitting limited access only by authorized parties. Progress on this recommendation was stymied by many factors in the stakeholder community including a refusal to take privacy law seriously, but the inability to solve the problem of determining eligibility for access and legitimacy of purpose was a key factor. Accreditation of data requestors, authorization of requests, and requirements to adhere to professional data protection standards could be an innovative solution, drawing on Canada’s history of leadership in privacy standards. Focused on privacy and security management practices, a standard could enable third parties, including law enforcement authorities and intellectual property abuse investigators, to be accredited and authorized to use personal data and build reputation systems based on Internet traffic analysis and personal data.
The Internet of course knows no boundaries, and many Canadian companies have already endeavoured to comply with the new GDPR standard. Several of the largest registrars in the world are Canadian, so accreditation could enable automated authenticated access to certain personal information associated with Internet registration in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), thus enhancing the accountability and transparency of actors engaged in fighting cybercrime and other forms of Internet abuse here in Canada.
The data protection authorities have long taken an interest in standards as a way to assist in assuring compliance with law. Those in the European Union participated in the Article 29 Committee and met regularly to coordinate their responses to the national laws in Europe which were compliant with the European Data Protection Directive 95/46 3, while others met under the auspices of the International Working Group on Data Protection in Telecommunications and Media (IWGDPT) otherwise known as the Berlin group. Both groups have welcomed standards as a means to ensure compliance with data protection law, and meeting requisite security practices. We have summarized key documents in our report and links are available in the brief summary of our data protection analysis.
In the new General Data Protection Regulation, Articles 40 to 43 provide for the development, approval and monitoring of codes of conduct, and the accreditation and certification schemes related thereto. All of these activities would be achieved with the approval of relevant data commissioners, without prejudice to their other official duties. These provisions formalize the kind of standards development we would envisage as useful to assist in breaking the logjam at ICANN over the publication of WHOIS data.
Accordingly, this project proposed to study the situation at ICANN, conduct a workshop at the upcoming annual meeting to be held in Barcelona, Spain in October 2019, and consult the stakeholders as to their interest in standards development and application. Given sufficient interest, we proposed to develop a report on requirements and reach out to standards development bodies to pursue the further development of privacy standards.
In the meantime, the struggle over the WHOIS or Registration Data Services continues. The report of the Experts Working Group, released in 2014, was used as the basis for a new policy team who struggled for two years from 2016-2018 to agree on how access could be provided for legitimate purposes, while protecting the privacy rights of registrants and those implicated in the registration of business domains. The task of fighting “abuse” or the common, automated attacks on the Internet has fallen to the private sector generally. Government law enforcement agencies have tended to focus on serious criminal investigations (e.g., human trafficking, money laundering) whilst leaving network security management to the telecommunications companies and Internet Service Providers (ISPs). Organizations have arisen to facilitate this activity, such as the Anti-Phishing Working Group (APWG), a private sector non-profit dedicated to pooling threat information and cooperating to react quickly to security issues. Cybercrime “practitioners” could be working for major IT companies such as Microsoft or Symantec, they could be working for telecommunications companies or Internet Service Providers such as Rogers or Bell Canada, or they could be freelance consultants working from their homes. Some analysis requires access to personal information, and rarely are these investigators authorized by law enforcement agencies and thus enabled under the rule of law to obtain personal data. This problem has largely flown under the radar of data protection authorities, although it certainly emerged in the struggle at ICANN over the openness of the WHOIS system during the period this RDS policy development process was alive.
When the GDPR was looming in early 2018, a temporary specification was agreed upon at ICANN that would stop the publication of data, and this RDS policy working group ceased operations. Immediately work began to establish another working group empowered to develop a new policy that respected data protection law yet permitted legitimate actors to access personal registration data. The report on phase one of that policy development project was released on February 20, 2019 and was approved by the Generic Names Supporting Organization (GNSO) 4. Phase 2 will focus on the mechanisms and terms of reference for the provision of personal information to legitimate third parties; this is the focus of our research and recommendations.
The activities of this research project, set against this backdrop of ongoing and intense work at ICANN to meet the data protection requirements of GDPR, included the following:
- Researching the existing standards literature for materials that could be of assistance in dealing with this challenge;
- Convening a workshop during an existing, scheduled ICANN meeting on October 21 in Barcelona, Spain to discuss the potential for standards and standardization activities to assist with the problem of compliance;
- Consulting experts in the data protection and ICANN environments, to gather their insights into the problem and interest in standardization development;
- Engaging in further research as directed by the results of the first three activities, including potential standards development;
- Providing a final report and recommendations.
We must stress that while this research was being conducted between April 2018 and March 31, 2019, there was a strenuous and demanding effort going on at ICANN among its multi-stakeholder community to grapple with the impacts of GDPR, the shutting down of the open WHOIS directory, and the requirement to produce a great deal of policy and working technological solutions in a short time. This impacted our research; interest in theoretical solutions such as creating a new ISO management standard under the 27002 information privacy standard was negligible in the community, although supported by scholars. Existing technical standards development on the Registration Data Access Protocol or RDAP (a protocol developed by the Internet Engineering Task Force or IETF) was accelerated by the creation 5 of a Technical Study Group in October of 2018, and third parties (including government representatives) who had ceased to get free and easy access to data were studying the impacts of this phenomenon and complaining to ICANN.
The layered or tiered approach to access, recommended long ago by data commissioners, did not achieve sufficient support at ICANN in 2014 when the Experts Working Group (EWG) produced their report, despite the fact that the new protocols, notably RDAP, the Registration Data Access Protocol developed by the Internet Engineering Task Force (IETF), were designed to enable it. However, the new Technical Study Group worked quickly over the winter of 2019 to achieve a proof of concept for RDAP implementation, and their report 6 was released on March 6, 2019. While this group worked on the technical aspects of data access from distributed protected data repositories, we pursued one of the most interesting conclusions of our October workshop: Data Trusts.
A brief summary of our successful workshop 7 on the afternoon of October 21st appears here. The two civil society experts who joined us from Canada proposed a novel solution to the problem of providing appropriately controlled access to registration data. Based on the study of a number of other contentious collections of large amounts of personal data to which third parties wished to attain bulk access, they recommended we look at developing protocols and standards for a separate, independent data trust, with full participation of data protection authorities. This is a relatively new concept, but it appears to comply well with the provisions of the GDPR (Articles 40-43) and it could have a number of other applications in Canada, such as in the healthcare sector, the Internet of things (smart homes, vehicles, and cities), and in subscriber data. We directed our literature review to focus on data trusts.
In the meantime, ICANN’s Technical Study Group has developed potential working models of RDAP implementation, based on the assumption that ICANN would manage and control access and accreditation. Our research explores the policy reasons why such a management scheme would not be optimal, and we propose alternative concepts based on privacy management standards and the concept of an independent data trustee.
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (Data Protection Directive) OJ 1995, L281. https://publications.europa.eu/en/publication-detail/-/publication/775a4724-2086-4a06-9213-1a4e6489053b