Written by Brent Carey (Domain Name Commissioner) and Jordan Carter (InternetNZ Chief Executive).
By now New Zealanders’ inboxes will be overflowing with notices alerting them to the existence of the General Data Protection Regulation (GDPR). This new privacy regulation is a European Union law that comes into effect on 25 May 2018.
GDPR, like New Zealand’s Privacy Act, aims to protect the fundamental rights of natural persons in relation to the processing of their personal data or information.
Our industry, the .nz domain name industry, processes and controls personal information of European citizens and is impacted by the GDPR. We must comply with its terms. We are caught because we don’t have any local presence requirements for .nz domain names – anyone, even Europeans, can register them.
ICANN oversees the top level of the global domain name system – top level domains (TLDs) are the letters found at the end of a domain name, such as .com, .net, or .org. ICANN’s authority extends to all the TLDs that do not represent a country or a territory.
InternetNZ runs domain name infrastructure for New Zealand. Registrars and resellers sell .nz domain names to the public. Our subsidiary company, the Domain Name Commission, monitors and regulates the .nz domain name space. Together we are responsible for New Zealand’s top level domain .nz.
Long before GDPR, the New Zealand domain name industry, in consultation with the local Internet community, took measures to balance two competing goods: the free flow of information for accountability, security and public good purposes on the one hand, and the right to individual privacy on the other.
The New Zealand domain name space has in place a thick or gated WHOIS system with appropriate checks and balances. WHOIS is the common term for a search process to find out the details of someone who has registered a domain name. The Domain Name Commission and InternetNZ are the custodians of the information stored behind the gates.
A registrant's name, actual address and phone number are no longer accessible through a port 43 command-line lookup, so automated processes can’t get that information as easily as they used to. Instead, this type of information, where there isn’t a privacy flag on an individual domain, can be accessed from the Domain Name Commission’s website (following a CAPTCHA process to make forbidden automated harvesting harder).
Importantly the registrant’s name, email address, and country - even with a privacy flag - will still be available.
Other privacy by design measures that exist in the .nz domain name space include:
- the whitelisting of particular IP addresses by the Domain Name Commission to allow high volume searches for public good purposes;
- MoU arrangements with trusted agencies; and
- transparency reporting by the Domain Name Commission, which watches the watchers.
For example, the Domain Name Commission works closely with the Computer Emergency Response Team (CERT) to combat cybercrime. The CERT will not lose access to .nz domain name data, nor will its ability to detect and prevent fraud and Internet crime be reduced.
GDPR and privacy law reform will likely stay in the news. New Zealanders will continue to see more information published through the Domain Name Commission website about how personal information is managed in .nz. This has started with updates to our contracts with .nz authorised Registrars, changes to our privacy statement and a privacy and domains fact sheet produced in collaboration with the Office of the Privacy Commissioner.
There is something good in .nz’s gated access to personal information and transparency measures which could similarly be applied to government and industry online public registers, other country code top level domain name administrators and even perhaps ICANN itself.
The way New Zealand has designed its domain name space means that openness, privacy and security are not antagonists, but three important and correlated properties that are essential for a trusted and safe Internet.
The 708,000 individuals who choose to be part of the .nz community can be assured that privacy, security and accountability are being applied to the .nz domain name space in a measured and nuanced approach.
The contrast with ICANN couldn’t be sharper. ICANN’s contracts with TLD registries and registrars have required them to publish WHOIS information in ways that are not compatible with the GDPR. They have had to rush through an interim policy change to allow European registrars and registries, and those who serve European customers, to comply with the new privacy law. The final specifications for the interim tiered access approach were agreed only on 17 May, a week or so before the new law comes into force.
In the longer term for global TLDs, there will need to be an agreed approach that deals with the conflict between a set of interests that value access to the data about domain names (law enforcement and the intellectual property constituency) and a set of interests that value individual privacy first. In the ICANN environment the two sides are fairly entrenched, and working through to a consensus policy is going to be hard work.