Whois? Whowas. So what's next for ICANN and its vast database of domain-name owners?
Beginning of the end of the US-led internet?
Special report: DNS overseer ICANN has tried to put a brave face on it but even for an organization with a self-importance that often leads it down a path to delusion, being told that your most important contract is effectively unenforceable has to sting.
This week, a German court in Bonn informed the organization, which oversees the naming and numbering functions of the global internet, that one of its most critical services is so outdated that its contractors have every right to ignore it.
ICANN largely ignored that damning indictment, and claimed that the decision "did not provide the clarity [we were] seeking", even arguing that, because the court did not specifically say its approach was illegal, all was fine.
We are talking of course about Whois – the public database of personal information and other details of who owns the world's domain names along with associated technical data that allows said domains to be found on the internet.
In the past six months, Whois has become a big issue thanks to the newly introduced European GDPR privacy legislation. Despite complaints about the vagueness of that law, it was clear to pretty much anyone that cared to look that the current Whois service was not in any way compatible.
But ICANN and the American corporations that dominate the non-profit based in California have refused to accept that reality and, as a result, have been soundly embarrassed three times in three months.
Now it is a matter of law, in Germany at least, that ICANN cannot force companies, or US corporations with European customers, which is almost all of them, to adhere to its current registrar contract because that contract is illegal, no matter what American lawyers parsing every word of the text argue.
This is the contract that, among other things, requires domain-name registrars to verify for Whois people's contact details for their domains, which involves handling personal information, which is where GDPR comes in, and where ICANN was caught with its pants down.
All of which leads to the question: what next for Whois, for ICANN, and for the future of the US-led and dominated internet?
But before answering that, it's worthwhile looking at what Whois actually is, and why it has become the center of a massive transatlantic argument that the US has lost and continues to lose.
The service was initially developed way back in 1982 as a way of keeping track of the nascent internet and who owned which pieces of it. It was subsequently carried over to an official protocol a few years later. This was still back in the days when only academics and technologists really knew about the interconnected network, and the system was wide open and built on trust.
Of course that approach didn't last. Those early internet pioneers were shocked and disappointed when their system started being abused: first with unsolicited email, then a computer virus, then scams.
And then came the dotcom boom, and this small world was thrust into the global spotlight. Everything changed. But not the system for registering domain names. The Whois service still published your name, home address, telephone number, and email address right there on the internet for anyone to see.
And it didn't take long for people to notice and take advantage of it. Intellectual property lawyers were among the first, scouring the internet for any use of their company's or client's trademarks in internet addresses. It was the era of mass cybersquatting and they used Whois to track the owners down and send them threatening letters.
As the domain names themselves then became valuable, Whois enabled an entire industry of brokers to discover who owned what and how to contact them. Millions of dollars started flowing in this data service as it proved a foundational source of information.
Sex, lies and videotape
Things also took a dark turn. The most valuable domain of all time – Sex.com – was not only stolen thanks to information on Whois; it was also Whois that revealed to its owner that he no longer had control of it.
Then, following an increasing number of disturbing incidents where people were harassed through information discovered on Whois, registrars – spying an opportunity to make some extra money – started offering proxy services. For a fee they would replace a domain name owner's personal information with their own – typically their HQ and a generic email address that forwarded to the owner.
Spammers realized that the Whois service provided a vast, free database of email addresses, and started hoovering up as much information as they could before using it to blast anyone unlucky enough to have registered a domain with countless unwanted emails.
But it was when cybercriminals got in on the game that not only did the disadvantages to Whois become clear but its reason for existing also came under question. People setting up fake websites to lure unsuspecting victims didn't use their real names when registering domains, or their real addresses, or telephone numbers.
And due to the way the domain name system had been set up to be quick and fast, no one was checking that those details were true either before allowing Mickey Mouse or John Doe to register a domain and set up a website. Suddenly, Whois was punishing the honest and shielding the criminal.
None of this went unnoticed by ICANN, or, more accurately, by all the organizations that work together under ICANN's umbrella.
With every new use of Whois for good or evil, one or more groups would come to the overseeing organization to argue that Whois was in dire need of reform. And they would push for a formal policy development process to decide how to change it.
And ICANN would start up its processes, gather hundreds of internet industry representatives together in seemingly endless meetings and conference calls and mailing lists to decide on improvements.
And every time that process would fail, caught up in endless argument and counter-argument, with both sides eventually deciding on a worthless compromise solution – to study the issue further.