Nominet drains mug of tea, leans back, calmly explains how to make Whois GDPR-compliant
.UK registry not entirely sure what all the fuss is about
The operator of the .uk domain-name registry has outlined the changes it plans to make to its Whois domain registration system to bring it in line with incoming European privacy legislation.
Nominet ran a short one-month public comment period asking for feedback on a range of proposed changes to its current system and published a summary of feedback [PDF] complete with its planned changes on Thursday.
The most significant change is that it will redact all registration data from Tuesday, May 22 – Europe's General Data Privacy Regulation (GDPR) comes into force three days later on May 25 – unless the domain owner explicitly gives it permission to do otherwise.
Aligned with that change, the company will allow domain name holders to opt-in to having their details made public – something that corporate customers in particular are unlikely to have a problem with.
But, as with a wider debate on how to make the Whois service compliant with the new law, the big question is: who is allowed to access the redacted information and through what mechanism?
Nominet's answer to this is seemingly simple: law enforcement agencies (LEAs) can access that data for no cost at any point through a searchable Whois. Presumably they will be given a login to Nominet's systems.
The company notes in its summary of feedback that only one of 58 respondents to the comment period (which collectively covered over 70 per cent of domains under the .uk registry) was opposed to granting LEAs free access. That respondent felt an LEA should have a warrant before being given the data.
So, the IP lawyers...
The thorny issue however – as has been the case in global DNS overseer ICANN – is whether corporations, and in particular their intellectual property lawyers, should also be granted access.
Unsurprisingly the IP lawyers felt they should.
From the summary: "The feedback from those promoting greater IP rights protection emphasized the role they played in crime prevention and suggested that the proposed approach would prove to be a 'severe hindrance.' It was argued that 'without the redacted information [the searchable WHOIS] is of little value.'"
They also claimed that redacting the information in the public Whois "doesn’t appear to be a proportional response." But others argued the opposite, questioning why anyone other than law enforcement should be granted access to personal data.
In the end, Nominet hit on an interesting two-part compromise. Anyone other than LEAs will be able to pay to have access to the searchable Whois – meaning that they will get an instant response for a fee – but will not get the registrant's name and address.
Or they can use its data disclosure request form – for no fee – and wait for the company to get back: something it says it will aim to do within one working day.
Nominet makes it plain it isn't sure that this system will be the best solution but it is the one it is going to go with in the meantime. "We will continue to closely monitor the volumes of data disclosure requests we receive to ensure the data disclosure process remains fit for purpose and adequately resourced," it noted.
And it referenced the ongoing debacle at ICANN, where the US-based company is relying on being granted a one-year moratorium by European data protection agencies in order to come up with a new approach and system.
"Nominet will also be closely monitoring how ICANN's policies and processes adapt to GDPR, particularly in relation to the proposal for an accreditation scheme to grant access to the newly configured Searchable WHOIS for non-LEAs," it notes. "We will consider how best to align ourselves to the emerging industry best practice in this area."
It is worth noting that while the bulk of Nominet's work revolves around the 12 million .uk domain names – which do not come under ICANN's jurisdiction – it also runs the back-end systems for more than 35 "global" top-level domains which do, including .vip, .work, .blog and .london. It is also in charge of the policies for the top-level domains .wales and .cymru – which come under ICANN jurisdiction.
The adjusted policies outlined in its document this week only cover .uk.
In order to deal with what will inevitably be some degree of confusion, Nominet has promised to provide "illustrative examples" on "the circumstances in which data will be disclosed" before GDPR kicks in.
A related change will be that Nominet will no longer draw a distinction between domain names registered by individuals and used for personal reasons and those registered by corporations for commercial reasons (currently it redacts personal-use domain data).
And it will close its "Privacy Services framework" which was used to provide proxy privacy services and which registrars typically charged a small additional fee for. With its new redaction approach, there is basically no need for the service – something that several registrars complained about since it’s a useful source of additional revenue. But charging someone for something that isn't needed is unlikely to sit well with anyone.
Summing it up, Nominet's chief operating officer Ellie Bradley said: "We have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation. While, as a result, we will be publishing less data on the Whois – we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests."
In short, the IP lawyers ain't gonna be happy. But tough. They can get the information for a fee, or they can get it for free if they wait a day. Now it remains to be seen whether ICANN can wrestle itself free from the same powerful interests and reach a similar compromise. ®