The Internet Corporation for Assigned Names and Numbers (ICANN) has mandated that domain registrars maintain a WHOIS database providing information on the domain issued. According to ICANN, the purposes of the database include
- Enabling a reliable mechanism for identifying and contacting the registrant;
- Providing reasonably accurate and up to date information about the technical and administrative points of contact administering the domain names;
- Supporting a framework to address issues involving domain name registrations, including, but not limited to, consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection; and
- Providing a framework to address appropriate law enforcement needs.
In 2015, as frustration grew over inaccurate WHOIS entries and the use of domain privacy services blocking registration information, ICANN debated steps to require that registrars validate the WHOIS data and limiting privacy services to non-commercial websites. This was welcomed by many in the legal community who rely on WHOIS information to identify and prosecute websites engaged in fraud, infringement and other illegal conduct.
Then came the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, and imposes substantial penalties of 2 – 4% of worldwide revenue for violations. As a result, the entire WHOIS system is now up in the air, which is a danger to those who rely on it to curb online abuses.
ICANN and GDPR
While some have argued that publishing individual contact information in WHOIS directories is permitted under GDPR because “the GDPR permits its processing, including publication, under certain circumstances… such as performance of a contract or the legitimate interests pursued by the controller or by a third party,” ICANN’s outside counsel concluded that this “would not be sufficient to motivate the intended use of the Whois services as public directories.” More importantly, the EU agreed with him.
As a result, ICANN has been struggling to come up with a hybrid approach that would maintain the purpose of the WHOIS database while satisfying the GDPR. Prior to its last meeting in Puerto Rico earlier this month, ICANN set forth an interim model that
maintains current requirements for the collection of registration data (including registrant, administrative, and technical contact information), but restricts most personal data to tiered/layered access via an accreditation program to be developed in consultation with the Governmental Advisory Committee (GAC), [Data Protection Authorities] and contracted parties with full transparency to the ICANN community.
As outlined in the Appendix below, there are varying degrees of information shared under this interim model.
WHOIS Chaos
ICANN was unable to obtain any consensus at its Puerto Rico meeting, and almost immediately the registrar for Austria’s top-level domain .at announced that beginning in May it would restrict publication of contact information for domains owned by individuals but not for organizations (although they could request that contact information be hidden). Contact information for individual domain holders “will only be accessible to people who identify themselves and have a legitimate legal reason for finding out who the domain holder is,” which includes law enforcement agencies, lawyers or people who can prove that their rights have been infringed.
Expect other registrars worldwide to follow suit with their own policies.
Brian Krebs of Krebs on Security stresses that
WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations. . . . I remain extremely concerned about the potential impact of WHOIS records going dark across the board.
White House Cybersecurity Coordinator Rob Joyce indicated that the Trump administration shares this concern.
We share some of your concern that some of the internet metadata that lets us hunt threat actors and which enables businesses to understand where the threats originate may be affected by GDPR. We are actively attempting to push back and fix or create a carve out in the regulations for GDPR … we think there’s room and time to get the ICANN records exempted from it.
There will be no ICANN solution in time for GDPR compliance. ICANN has requested forbearance from the EU until it comes up with a solution, but it has not received a response from the EU, which rarely grants such requests.
Note: The 2015 WHOIS debate was covered in CLBR #192.