The European Union (EU)'s General Data Protection Regulation (GDPR), which protects EU citizens' privacy, takes effect on May 25, 2018. So far, so good. Who doesn't like privacy? But many groups, including the Internet Corporation for Assigned Names and Numbers (ICANN), which manages the Domain Name System (DNS), are completely unprepared for the new laws.
So, why does that matter to you? It matters because ICANN also runs the WHOIS public database of domain name owners. Everyone with any web domain must register not only their domain, but their names, addresses, email addresses, and phone numbers. GDPR requires companies to get affirmative consent for any personal information they collect on people within the European Union. If you violate the GDPR, your company can face fines of up to 4 percent of global annual revenues.
ICANN has long known that WHOIS has many privacy and security problems. To quote from the WHOIS history page: "WHOIS is at the center of long-running debate and study at ICANN, among other Internet governance institutions, and in the global Internet community. The evolution of the Internet ecosystem has created challenges for WHOIS in every area: accuracy, access, compliance, privacy, abuse and fraud, cost and policing. Questions have arisen about the fundamental design of WHOIS, which many believe is inadequate to meet the needs of today's Internet, much less the Internet of the future. Concerns about WHOIS obsolescence are equaled by concerns about the costs involved in changing or replacing WHOIS."
Knowing there's a problem and doing something about it are two different things. For years, ICANN knew WHOIS wouldn't work with GDPR. And, despite weekly meetings over the last two years, ICANN couldn't come up with an answer. So, ICANN asked the GDPR Article 29 working party, the group in charge of enforcing GDPR in this specific area, to give ICANN at least another year to comply with the law.
That's so not happening. The Article 29 group replied that it "considers it of utmost importance that ICANN either reconsider or further evaluate its current approach". In short, no. No, you can't have more time.
ICANN replied, "Unless there is a moratorium, we may no longer be able to... maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented. ... A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services."
Security expert Brian Krebs explained, "WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations." Krebs continued, "WHOIS records are a key way that researchers reach out to Web site owners when their sites are hacked to host phishing pages or to foist malware on visitors. These records also are indispensable for tracking down cybercrime victims, sources, and the cybercrooks themselves. I remain extremely concerned about the potential impact of WHOIS records going dark across the board."
Data privacy and threat intelligence expert Angela Gunn added in an interview, "Europe's led the world on data privacy protections for years, but the GDPR treats WHOIS as just another dataset, rather than as an integral part of how the net itself works. That's incredibly short-sighted, especially when we're asking internet users to be better informed about where their information comes from."
Gunn continued, "Privacy and security belong together, but concealing WHOIS information offers a low return for privacy effort. Meanwhile, security researchers, investigators, other site admins, even ordinary citizens will pay dearly for the concealment. I expect pretty immediate blowback and eventually some sort of accommodation, but it looks like we all get to figure out those refinements the hard way. No rest for the GDPR-implementation-weary, right?"
In addition, there's the simple question of how companies and individuals will register domains if WHOIS goes dark.
The answer? ICANN has asked the Article 29 group to give them more time. That doesn't appear likely.
In the meantime, some domain registrars have already restricted access to the WHOIS data of companies registering domains with them. Others, such as GoDaddy, are redacting registrant data from their WHOIS records and restricting access to the data. Still others, wary of that 4 percent penalty, will follow suit.
If they can, that is. The US government has decided to get involved in the dispute. David Redl, a Trump appointee who heads the National Telecommunications and Information Administration (NTIA), which makes him the White House's primary adviser on telecom and broadband policy, objected to GoDaddy blocking WHOIS searches on port 43.
Redl wrote to ICANN, "NTIA is concerned that GoDaddy's approach of throttling access and masking information will be replicated by other registrars and registries, compounding the problems these actions create." In short, Redl wants the full WHOIS data to still be available.
Let's recap. The GDPR Article 29 working party requires ICANN to fundamentally change WHOIS. ICANN cannot -- period, end of statement -- possibly change WHOIS in time. US domain registrars who try on their own to meet GDPR standards are now being pressured by Trump's administration not to comply with the GDPR.
Boy, oh boy, are we in for a fun time. The next time you register or re-register an internet domain, get ready for "interesting" times.