Domain name 'admin' role eyed up as latest victim of Whois system's GDPRmeggdon
Plus anonymous email and all personal info to be redacted
The long-standing but outdated "admin" role associated with every internet domain name will be killed off under new recommendations designed to update the Whois registry and make it compliant with European data privacy rules.
In addition, the "tech" role may be made voluntary, email addresses associated with domain owners will have to be anonymized and all personal data beyond someone's country and state will have to be removed from the public domain name database.
The changes should be uncontroversial: they are the same ones that people have been flagging for at least a year. But entrenched interests – in particular US intellectual property lawyers – continue to argue furiously against them.
That fierce disagreement has led the working group to note in its report that none of its 22 recommendations have universal agreement. It is putting them forward nonetheless and goes to significant lengths to ensure that public discussion of the report serves a useful purpose, rather than simply continue a 20-year fight over the database.
The request for public comment notes repeatedly that it is only interested in comments as they relate to GDPR, i.e. the legal fantasies that some – including DNS overseer ICANN – have been pushing for years are simply not welcome. And rather than go with the usual open-ended public comment period, the working group has created an online form to develop focused comments on each recommendation.
Make it legal
Ultimately, the report outlines how the outdated Whois service – which until earlier this year published the name, address, phone number and email address of every domain name holder online – must be changed to make it legal.
The deletion of the admin and technical contacts, in addition to the registrant contact, is perfectly logical. The industry has noted that in the vast majority of cases all three contacts are exactly the same.
But IP lawyers had been hoping to use the extraneous contacts as a way around the law by pretending that they served an important technical function and so should be published online. This report effectively tells it like it is: they aren't needed. And so, under GDPR's concept of data minimization, the data shouldn't be gathered at all.
That recommendation will also embarrass DNS overseer ICANN, which has made the retention of those contact details the central point in a legal fight over Whois in Germany. ICANN has lost its case in the courts no less than four times in the past year; this report will ensure it loses a fifth time if it persists in appealing the decisions against it.
Anonymizing people's email addresses has also long been held out as a way of allowing people to contact domain name holders without publishing their personal data online. That approach has been fiercely resisted but, again, has been recommended as the best solution.
And while most details – including a domain registrant's name, address, phone and email – will still need to be gathered, there will be strict redactions made in the public database so that only someone's state and country are publicly available.
While the report represents a success in the sense that there are clear recommendations and its publication has managed to stay on the timeline originally set out, it remains no more than a single stepping stone across a fast-moving river.
And the real issue
But the report falls far short of what is really needed – a reimagining of the entire system – because its purpose is to come up with a legal answer for overseer ICANN before its self-imposed May 2019 deadline. And the proposal avoids the most contentious topic of all: who is allowed to gain access to the non-public portions of the database.
Those battles are still to come and could well put the DNS into another self-imposed crisis similar to the one it hit last year when the GDPR came into force and the internet industry had no solution, resulting in an emergency measure that the ICANN board has to periodically renew.
In many respects, the Whois issue is representative of a bigger battle: challenging large US corporate interests within ICANN; interests that have always had an outsized influence on the policy body.
Having tried and failed multiple different ways to take control of the matter – including sending ICANN's executive team to Belgium to tell European authorities what their law actually means (it didn't go well) – those interests are facing the very unhappy prospect of picking a fight and losing. ®