Hey, so Europe's GDPR privacy deadline for Whois? We're going to miss it ... by a year or so

Internet registries and registrars provide terrible timeline

So, um, the actual rules?

Even if ICANN does somehow manage to agree a new Whois approach in the next month, the registries and registrars warned in their own letter this week that it is still going to take them months to put the relevant systems in place.

They point out, for example, that it's not clear whether ICANN wants them to apply the new rules to all domain registrants, or just to those that live in Europe. It will be faster for there to be a blanket rule but there is significant pressure within ICANN to retain the current system for non-European registrants.

ICANN's proposal that all email addresses be replaced with an anonymized version or a web contact form may help it become complaint with the law but, they warn, would still take up to four months to implement.

Other key issues include whether to give domain registrants an opt-in system to have their contact details displayed – which would take nine months to implement - and a centralized credentialing system for law enforcement and, potentially, intellectual property lawyers to bypass the controls and view full Whois information.

That credential system would likely take a year to fully implement – and that is after its design has been agreed on. It may take even longer if ICANN decides the best approach is to change the Extensible Provisioning Protocol (EPP) that is the industry standard way of sharing relevant information within the DNS.

That would be a good, long-term solution but would take 15 months to introduce – pushing it to August 2019. And, again, that assumes that ICANN reaches agreement on the approach to be taken by next month.

All of which makes it abundantly clear that the domain name system is not going to be GDPR compliant by the deadline next month. Which begs the question: what then?

Free for all

No one is quite sure. ICANN has already made it plain that it will not enforce its current Whois contractual conditions until it has a new system in place (a fudge to prevent its contract from being torn up).

But what registrars and registries actually do may depend on whether European data protection agencies agree to give the DNS industry a special temporary exemption. Europe is unlikely to want to go that route or it will be flooded with similar requests from other industries. But at the same time, the US government has made it plain that it views the Whois service as a priority and has reportedly been pushing for such an exemption in governmental circles.

collapse

Whois? More like WHOWAS: Domain database on verge of collapse over EU privacy

READ MORE

If a special exemption is granted, then the status quo is likely to remain with an extended deadline – most likely one year. But if not, then it is all too probable that registrars and registries will take the least risky option and simply suspend their Whois service, cutting off law enforcement and IP lawyers from information about specific domain names.

So far only one of Europe's data protection authorities (Sweden [PDF]) has responded to ICANN's desperate plea, noting that the European Commission's Article 29 Working Party will consider its request and get back "in the next few weeks."

The same working party has been sending letters to ICANN warning it that its Whois service is not compliant with European law for at least six years – even before GDPR was passed (here's an example from 2013 [PDF]) - and has been repeatedly ignored by the organization, so it is unlikely to be in a very magnanimous mood.

In short, it is an absolute mess. And one that was entirely predictable and avoidable. ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019