[UPDATED] Nominet, The ICO, and the Importance of Privacy


*UPDATE* November 4 2013 – the ICO has responded to this. See bottom

History is defined by its ages. In the past we had the Middle Ages, then we went through the industrial revolution and became part of the industrial age, where machinery and manufacturing were key. Over the last 30 years, however, we’ve gone through a new revolution, the information revolution, and we’re now firmly into the information age.

In such an age, safeguards are THE most important thing we can have, because unlike industrial equipment, information is completely fungible and readily disseminated. It also has significant liquidity, which is a serious concern when information can describe, and expose, so much of our daily lives.

As a result, any restrictions, safeguards or limitations – or indeed any enforcement of them – must be put into place with that in mind, and done from a position of competence and respect for privacy. This was the reason for the establishment of the Information Commissioner’s Office (ICO) in the UK, and its brethren around Europe.

The core requirement is that it be competent, however, with a close second being a willingness to enforce the rules, and not be caught in a form of regulatory capture, putting the needs of businesses above the needs of citizens. Unfortunately, this may not always be the case, and if it’s not, what can be done?

This comes to mind primarily because of an ongoing case I have with the Information Commissioner’s Office in the UK. The ICO is in charge of enforcing the UK’s data protection laws, as well as being the last word on appeals for Freedom of Information requests. As such, they’re the ultimate enforcer of what is now the basis of the world’s economy. It’s not a claim I make lightly – look at the billion-dollar company sales/mergers and IPOs. They don’t make products any more; most of the time you can’t even buy anything from them. They’re information services.

You may remember that during the summer, I had a ‘run-in’ with Nominet, over my website domain details. Nominet had decided to implement a new policy back in May, where they’d start to ‘verify’ everyone’s details, and mine was first hit. Now since I had used my common pseudonym (K`Tetch Dureek – one I’ve now used for just over 18 years) I failed their ‘data validation’. In addition, looking at my personal blog site, they decided it was a commercial site, and so revealed my home address details, despite my direct and specific objections.

Not good, and some serious breaches of both UK and EU data protection laws there, in my opinion, so after dealing extensively with Nominet (accounts of which are here and here) I filed a complaint with the ICO, on these grounds.

I recently got a response, and it underscores the two core requirements above, because it was neither competent, nor enforced accurately, and to get such a poor response, I had to wait a significant period. First, let’s have a quick look at the responses from them.

I filed the complaint on June 7th and got an automated response. On July 8th (that’s 31 days later) I got an email from a case officer, asking me to give them all the info I could within the next 14 days. She got a response 6 hours later saying ‘sure’, and the info was sent off July 21st (13 days later – it’s a lot to compile).

July 29th, I got an email saying they’d written to Nominet for some more details (actually, I got it TWICE).

Then a stony silence. So September 22nd (8 weeks later), I send an email asking “what’s going on?” and get automated emails that she’s out of the office until September 25th. So I get a response on the 30th saying they’ve received a response from Nominet (no, really? In 9 weeks, I should hope so!) but nothing’s been done, and she’ll get back to me in the next 14 days after she’s considered the case. Just to reiterate, it’s the end of September, and she’s not considered anything. She’s had my info for 10 weeks, it’s been 12 weeks since she opened the case, and more than 16 weeks since I filed the original complaint. Nothing like a timely resolution, and she’s not even started ‘considering’.

Anyway, on to the ruling, and boy it’s a doozy. She decides entirely in Nominet’s favour, for some of the most bizarre reasons. It’s clear she didn’t understand the case, but because it had taken so long, she didn’t bother to get clarification; she just went ahead. Here’s her ruling.

The ICO caseworker’s response to my complaints

Let’s go through the justification, and see just how badly she got things wrong.

Nominet has explained that upon registering with Nominet there are a number of obligations on both the registrant and Nominet. Specifically, clause 4.1 requires registrants to provide Nominet with a correct name and contact details and clause 11.2 deals with the publication of contact details on Nominet’s WHOIS database.

The contact details they had were accurate enough for the purpose of contacting me. In addition, the statement is false. At the top of the Registrar agreement it states “Note: The new Registrar Agreement came into effect on 18 March 2014.” My domain was registered Feb 04 2012, and the renewal was done on January 26 2014. Any contract I had with Nominet (actually with their contractor Namecheap) was prior to the current agreement, and thus I could hardly agree to them, could I?

We’ll get back to the details of these clauses in a few minutes though.

In this case, you registered the domain name to KTetch Dureek – a name Nominet was unable to validate. I understand Nominet requested evidence so it could validate the registrant name of your domain.

Certainly they did. They requested personal information (including copies of ID) in order to comply with a policy they had just enacted a few weeks earlier. The ICO’s own site says that ‘a policy’ is not a good enough reason to require personal information, either to collect, process or store it. Nominet had been around for almost exactly 18 years at the time the policy went into effect, and if they’d not needed to collect and verify this information before, why would they now? This was actually one of the points being complained about, and here the complaint is not only ignored, it’s actually used as justification for Nominet. CRAZY!

As Nominet did not receive such evidence it had to infer that the domain name ktetch.co.uk did not qualify to be opted out under clause 11.2.

BZZZ wrong. Oh so wrong. This is where it becomes clear that the documents provided by me were not really looked at. There were TWO cases started by Nominet. One on the data validation mentioned here (“Your domain registration – additional action required (case 1595487)” – which I’ll call the “487” case for brevity) and one on the WHOIS opt-out (“Your .uk domain name will be opted in to the WHOIS (case 1594954)” – now the “954” case).

Nominet’s initial complaint, case 1595487

All emails back and forth with Nominet up to and including the period where the WHOIS details were ‘opted in’ were entirely on the 954 case, which dealt with the personal opinion of Nominet staff that this is a commercial site. You might remember the email posted in its entirety when I first wrote about this back in June. It had a 7 day deadline, at which point my WHOIS details would be made public.

Nominet’s initial complaint, case 1594954

The 487 case focused on the data validation program, and it wasn’t resolved until almost the end of the 30-day period they gave for resolution of that case. Notably the requested changes were unable to be made by me, even under protest, and for good measure I ended up sending a video of me being unable to do so to the head of Customer Services (and still getting a ‘suspension’ notice because I didn’t change it in time).

So, to recap. The 954 case was on site ‘commercialism’: 7 days to fix it or my WHOIS details go public.
The 487 case was on my WHOIS details (specifically the name) not being verifiable: 30 days to fix it or the domain is suspended.

Two separate issues, two separate timescales, two separate sets of consequences.

Nominet took the view that ktetch.co.uk was commercial/trading as opposed to consumer and therefore under the guidance ktetch.co.uk did not qualify to be opted out of the WHOIS.

Indeed they did. Of course, they couldn’t give me a consistent story of what was ‘commercial’ so that it could be rectified, and then wouldn’t hold off while I asked for the issue to be escalated to someone who could be clearer and knew what they were talking about. Also, considering most of what they were complaining about had been there for a matter of years, there was no pressing issue that forced it then, rather than a week later after review. You’ll notice that the WHOIS is back “private” again, indicating that yes, they know it’s a personal, and not commercial, site, and therefore they were WRONG to publish my home address (for anyone wondering, it’s no longer my home address; for this and other reasons I ended up moving at the end of July).

Nominet has told us that you have since updated your details which have been validated, allowing you to opt out from having your details published on WHOIS.

Again, wrong. The WHOIS details were re-hidden June 10th, shortly before this story was covered by the Guardian. The WHOIS itself shows that ‘validation’ didn’t take place until almost 2 weeks later:

 “Data validation:
 Registrant contact details validated by Nominet on 23-Jun-2014”

Nominet further explained that digital signatures and encryption are not services being offered to registrants at present.

I wasn’t asking for it as a service. It’s not a ‘service’, it’s a practice. They’ve already stated they have the systems in place and have had for many years. It’s a single ‘click’ to enable it. What’s more, the reason they claim they don’t is that ‘people don’t understand it’. That might fly with regular people, but it’s not a good excuse for someone who openly uses it in their emails. In addition, the use of it would not add any cost (because they already have it set up, and know how to use it), so it’s just that they CHOOSE not to use it. That’s the first time I’ve ever heard the ICO saying that it’s OK not to use a secure method that’s requested by someone, when it’s freely available to the company. In fact, I remember ACS:Law being fined for not treating their email as securely as possible.

From the information provided by you and Nominet it does not appear that Nominet has breached the DPA and the issue you have raised does not suggest any wider concerns about Nominet’s information rights practices. We are not taking any further action in relation to your concern.

However, your concern will be kept on file and this will help us over time to build a picture of Nominet’s information rights practices.

Thank you for bringing this matter to our attention.

If you are dissatisfied with the service you have received, or would like to provide us with feedback of any kind, please let me know.

Yours sincerely

Daisy Higgins
Case Officer
Tel: 01625 545531 (Mon & Tues only)

That’s because you’ve not bothered to actually look at the case facts. Two cases, with separate incidents and timelines, have been jumbled together to deal with one issue (that of my home address release). Meanwhile, remember the whole clauses thing I said we’d come back to? Those relate to the ‘Data Quality’ (aka data validation) aspect. Well, did you spot the ruling on that?

No?

Me neither. That’s because it’s not mentioned. Despite the fact that it was a significant part of the complaint (the second of two points), it was completely ignored in Daisy’s ruling. Well, not completely ignored: the underlying policy was used to justify things, as I said earlier. Somehow data validation is ‘inferred’ in clause 11.2 (which makes no such reference, saying address info will be made public unless you opt out by being a non-commercial individual):

Personal data

11. We will make your personal data available in the following ways, but not release it for any other purpose to any other person. We may:

11.2 include it on the WHOIS (which is also available outside the EEA) and PRSS. For these purposes we will publish your name and (unless you are a consumer and choose to opt out) your address, but not your phone or fax number or e-mail address;

And that I hadn’t followed clause 4.1, which says:

4. You have various responsibilities set out generally in this contract. You must also:

4.1 give and keep us notified of your correct name, postal address and any phone, fax or e-mail information and those of your contacts (if you appoint any, see condition 5.2). This duty includes responding quickly and correctly to any request from us to confirm or correct the information on the register;

Where ‘correct’ is defined as:

‘correct’ – This means that the information must be good enough to allow us to contact you quickly at any reasonable time without having to get information from anywhere else, must not be deceptive, and (if possible for that type of information) must clearly identify you. For your name this also means that the information must be detailed enough that we can tell exactly who you are (in legal terms, exactly which legal entity we have this contract with).

Amazingly enough, they did manage to contact me quickly, and K`Tetch Dureek is not deceptive, and *very* clearly identifies me. In other words, the name “K`Tetch Dureek” is in full compliance with their Terms and Conditions.

It’s only their new (as in a week or two before this all started) policy of Data Validation where they’ve decided to collect and process people’s personal information, because it’s ‘important to them’. Not, you might note, because of any actual NEED. After all, Nominet had been functioning for 18 years prior to this policy, and their business has not changed. The ‘product’ they’re offering today is the exact same product as in 2012, so with no need, it’s very hard to justify this data processing as necessary, or to argue that there’s even a legitimate interest.

All in all, this judgement by the ICO flies in the face of their own practices and policies. It ignores the basic facts and twists things to justify certain actions, while ignoring a significant amount of the complaint. It has all the hallmarks of a rushed job, where no significant attention to evidence was given, and extraordinary weight was given to protecting the status quo of a significant UK internet organisation, regardless of the merits or legality of the issues. In an information society, the new digital economy, that’s just not acceptable.

*UPDATE* November 4 2014

After sending a copy of this (in a format more suitable for email) on October 21st, I got the following response this morning (only a 2 week turnaround this time…).

ICO response to Nominet issues 2

Basically, she’s standing by her claims, despite them not matching any of the facts. We’ll see how the complaint goes when escalated.