Home & Office

​ICANN makes last minute WHOIS changes to address GDPR requirements

ICANN is trying at the 11th hour to make the Domain Name System and WHOIS legal under the GDPR. Good luck with that.

The Board of Directors of the Internet Corporation for Assigned Names and Numbers (ICANN) struggled and sweated and with days left came up with a way to make the Domain Name System (DNS) and WHOIS, the master database of who owns what website name, compliant with the European Union (EU)'s General Data Protection Regulation (GDPR).

We'll see.

It doesn't appear to me that ICANN's "Temporary Specification for gTLD Registration Data" will pass muster with the GDPR Article 29 working party, the GDPR enforcement group.

ICANN had wanted a year of grace to address WHOIS's data privacy problems. They didn't get it.

ICANN argued, "Unless there is a moratorium, we may no longer be able to ... maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented ... A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services."

That's bad. Really bad.

Domain registration companies would be liable for GDPR penalties of up to €20 million or 4 percent of their annual turnover -- whichever is more. They might also be sued for failure to take action to comply with the law.

Another bad side effect for domain companies is many of them now charge extra to keep domain contact information private. Historically, this has been a big cash stream, and with GDPR enforcing privacy, the need for this service will dry up.

Outside of the domain business, data privacy and threat intelligence expert Angela Gunn pointed out that for the GDPR to treat "WHOIS as just another dataset, rather than as an integral part of how the net itself works is incredibly short-sighted." Gunn continued, "Security researchers, investigators, other site admins, even ordinary citizens will pay dearly for the concealment. I expect pretty immediate blowback and eventually some sort of accommodation, but it looks like we all get to figure out those refinements the hard way."

Or, as Cherine Chalaby, chair of ICANN Board of Directors, put it, "WHOIS is an important system, and preserving it allows it to continue to act as a key tool in the ongoing fight against cybercrime, malicious actors, intellectual property infringement, and more. This Temporary Specification, which is based on the Proposed Interim Compliance Model, aims to prevent fragmentation of WHOIS and ensure that WHOIS continues to be available, to the greatest extent possible. ICANN's role in providing the technical coordination of the globally distributed WHOIS system is a unique matter, including the public interest nature of WHOIS."

So, how will this work? Site registers will still collect the registration data they've always collected. This includes Registrant, Administrative, and Technical contact information. But, most personal data will not be available publicly. If someone does need the data -- say you forgot to renew your domain name and someone else grabbed it -- you can get access to their contract data through your domain registrars. This may be via an anonymized email or web form.

I say "may be" because ICANN couldn't lock down a policy on how they'll provide "reasonable access" to that data to third parties with "legitimate interests". Besides being confusing to users, that's unlikely to fly with the GDPR Article 29 working party.

Matt Serlin, SVP, Client Services and Operations at Brandsight, a corporate domain company, reports the second-largest website registrar, Tucows, will allow third parties to apply for access to their non-public WHOIS data. How exactly? Again, that's a good question and we don't have a good answer.

GoDaddy, on the other hand, doesn't plan to redact WHOIS data for domain names registered by people outside of the EU. Instead, the domain name giant will continue to publish contact information like it always has for web-based WHOIS searches. GoDaddy will take its chances with GDPR enforcement.

But, while those questions remain, the clock is still ticking. Ready or not, GDPR takes effect on May 25, 2018. Tick, tick, tick.

Related Stories:

Editorial standards