Ready, set, GDPR! (Part 1: Domain names)

As the deadline approaches for GDPR (General Data Protection Regulation) implementation, .

Of course, this applies to companies and organisations, and it also applies to registrars like OVH, who have run into a few grey areas where until very recently, there has been conflict between the regulations imposed by organisations such as ICANN, and those imposed by the EU.

The General Data Protection Regulation was adopted by the European Union to guarantee all EU residents control over their personal data, particularly with regard to it being published and used on the internet. The recent Cambridge Analytica scandal has also served as a harsh reminder of how important this issue is. Two political visions of data published online have come into confrontation with one another: one presented by the European Union, and the other by ICANN, the US-based domain name authority. The issue regarding domain names involves a number of public and private players, as well as domain name registrars, registrants and registries. As a result, it was an enormous challenge to guarantee protection of personal data for the owners of domain names, websites and cloud storage space, while complying with the requirements of international bodies.

The Calzone Model: neither pizza nor pie

Although the regulation has been known since its adoption by the European Parliament in 2016, ICANN took its time in reacting. On 28th February 2018, the US domain name authority put forward a provisional model aimed at ensuring that all regulations around domain names were in line with the GDPR. It was only finally made official among the whole community on 14th May. Known as the “Calzone Model”, it contains – like the famous Italian folded pizza – numerous ingredients. Most of them stem from proposals long ago put forward by European players. “This model represents significant progress in terms of bringing domain name rules into line with the GDPR,” explains Rémi Loiseau, Registry Liaison Manager at OVH.

The question of WHOIS

First of all, there is the issue of WHOIS. Any person or entity that registers a domain name is required to enter a certain amount of personal information. Until now, this information was publicly accessible. The GDPR has just bulldozed this necessity. According to Suzanne Carranca, Registry Liaison Manager at OVH, “OVH Group was already way ahead of the game by offering our free OWO service, allowing users to hide certain information in the WHOIS database. All the current complexity is down to the fact that for extensions, particularly gTLDs, WHOIS involves public, semi-public, private, national and international stakeholders. For the last year, we have therefore been really busy arranging events, holding training sessions and publishing information aimed at all stakeholders in order to ensure that everything complies with the GDPR.”

Transfers in unknown territory

There is also the problem of transferring domain names. How does a registrant transfer a domain name from one registrar to another if their contact data in WHOIS is hidden? The question remained unanswered for a long time by the Calzone Model. So a committee made up of OVH and other registrars gave ICANN some suggestions for possible solutions. These provisions have now been confirmed by ICANN and will serve as the standard for everyone affected. The idea is to base the transfer on the Auth-Code, a security key which, like the PAC code for phone numbers, authenticates each domain name. In this way, the FOA (Form Of Authorization) becomes optional. The domain name owner will need to re-submit their personal information to the registrar. According to Rémi Loiseau, “Throughout all these major issues, OVH’s main focus has been to ensure that all domain name owners enjoy the same level of service, security and protection of their personal data.”

The basis of ICANN’s new model

• The legal justification for collecting, using and publishing personal data in WHOIS will rest on two elements: ICANN’s aim of harmonising regulations and the rights of domain name holders;

• This information will be public: the domain name, where the primary and secondary domain name servers (DNS) are registered, the registrar, the date of registration and the date of expiration. Additional information could potentially appear: the owner’s name will not be publicly displayed, but the “organisation” to which they belong should be; the owner’s exact address will not be public, but their state or region might be; the owner’s email address and phone number will not be public, but an anonymised address or a contact form will be provided instead. The same applies to admin and technical contacts;

• The retention period for the data will not change (at OVH, one year after expiry of the domain name);

• The model will apply to all registrars accredited by ICANN and to all gTLD registries;

• This model will not apply to ccTLD registries, who can choose whether or not to follow the model. AFNIC, the registry for the .fr extension, already protects the identity of natural persons by only revealing the identity of legal persons.

A domain name, or DN, is the address that allows websites to be identified without having to type in the IP address. It is made up of a “root” (or second-level domain) that corresponds to the desired website name, and an “extension” (top-level domain) that categorises it according to an activity (such as .com, .edu) or a geographical area (such as .fr, .de).

gTLD stands for generic top-level domain. It corresponds to all extensions of three or more characters that categorise a website’s activity independently of the country in which it is based. Examples include .org for organisations and the well-known .com for commercial activities. gTLD extensions are managed by different private bodies, with the most well-known being Verisign.

ccTLD stands for country code top-level domain. It corresponds to all extensions of two or more characters relating to a country (.fr, .ru...) or a geographical area (such as .eu for Europe). ccTLD extensions are managed by bodies belonging to each country or group of countries.

ICANN (Internet Corporation for Assigned Names and Numbers) is an international organisation based in California that acts as the authority for all domain names worldwide. In 2016, it finally became independent from the US government. One of its departments is the Internet Assigned Numbers Authority (IANA), which manages the system of top-level domains and links IP addresses to domain names so that each address is valid and unique.

Registry has two meanings: the database of domain names for one or more extensions and the body in charge of that database. It is sometimes also called NIC, which stands for Network Information Centre. This is echoed in the names of some country registries, such as AFNIC in France.

A registrar is an organisation responsible for reserving domain names for resellers or end customers.

A registrant is an owner of a domain name, with the right to use it for a fixed period of time depending on the extensions or registries.

WHOIS is a directory provided by domain name registries. Freely accessible on the internet, it allows technical and administrative information about a given IP address or domain name to be obtained. Note the difference between the Thick WHOIS – “thick” because it contains 98% of extensions in existence – and the Thin WHOIS, which contains fewer extensions but more volume (particularly .com). “Thick” WHOIS queries are handled entirely by the registry. “Thin” WHOIS queries obtain information from both the registry and the registrar.