Haunted by Europe's GDPR, ICANN sharpens wooden stake to finally slay the Whois vampire
Whois to become Whoisn't
Like a bad horror movie in which the vampire keeps coming back from certain death, the Whois protocol – which provides information on who owns specific internet addresses – has endured far longer than anyone wanted or expected. But the final act is nigh and the wooden stake is being sharpened.
DNS overseer ICANN sent a letter [PDF] this week to its registries and registrars formally calling for a negotiation to its contract with both groups. The negotiation’s “primary focus” will be to “incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services.”
And the 90-day negotiations will cover a “plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.” Which, in non-policy wonk language, means Whois is finally going to die. And not a decade too soon.
The shift will be invisible for internet users but it does mean a significant shift for all the companies that work directly with the DNS and it opens to door to a more modern and, hopefully, privacy-protecting internet.
Registries and registrars maintain large databases on all the domain names registered with them and Whois has always been the system by which that information is stored and shared. But it is desperately out-of-date and has been for 20 years.
RDAP is its replacement and is a more modern system, allowing for information to stored in many more languages, secured, and shared across all suppliers rather than held by individual companies.
Crucially, RDAP will allow specific authorized people to access private data – such as someone’s name and home address – while blocking others. Whois has long been hailed as a privacy nightmare because it published on the internet, for anyone to see, all the personal details of anyone that registered a domain name, including telephone number, email address and so on.
Efforts to reform that approach have been frequent but consistently stymied or delayed in large part because some groups – particularly intellectual property lawyers – wanted access to the information in order to carry out brand protection at low cost. The industry has been at a stalemate for decades; something that itself highlighted the weakness of ICANN’s decision-making processes.
But that stalemate was finally trampled by Europe’s GDPR legislation, which aims to allow people to protect their personal data. Despite years of warnings that Whois was in obvious and direct violation of that law, ICANN failed miserably to recognize the impact, seemingly hoping that as a US corporation it could just ignore the European law, as it has done repeatedly in the past.
But it reckoned without the companies from which it derives most of its income – registrars – many of whom had offices or headquarters in Europe and were worried about being hit with multi-million-dollar fines. ICANN finally woke up when a registry based in Europe refused outright to offer a Whois service and – when threatened by ICANN’s legal time about breaking its contract – called ICANN’s Whois clause “null and void” because it ran counter to European law.
Cue much scrambling and an increasingly embarrassing campaign waged by ICANN to be seen as a special case in which it was told no less than four times by the courts that it was living in La La Land. In the end, ICANN was forced to shutter Whois altogether.
This has infuriated some groups like law enforcement who rely to some degree on Whois information to track online criminals. But a solution to the Whois problem has again proven impossible because American IP lawyers don’t want to concede that they don’t have a right to people’s personal information. Meanwhile ICANN has developed an ostrich-like instinct to any complicated policy topic.
Well, the Whois problem is about to become the RDAP problem. Back in February, ICANN told all its registries and registrars that they had to make the same registration data available on an RDAP server by the end of August.
By the time the deadline hit, only a quarter of registrars were compliant. As of today, that has changed significantly and only 15 per cent of the 2,450 accredited registrars (around 380) don’t provide data to RDAP servers. That shift is likely what sparked ICANN to send its letters pushing for a formal end to Whois and adoption of RDAP.
US government tells internet body to hurry the funk up on privacyREAD MORE
Under the process outlined by ICANN, there will be a 90-day negotiation period between ICANN and the registrars and registries, followed by a 30-day public comment period, a final version of the agreement will be reviewed and approved by ICANN’s Board, and then go into effect 60 days after that.
That, in itself, is a step forward: ICANN has originally tried to jam its RDAP position – including related service level agreements – down registries and registrars' throats. But it was met with a united front arguing that a proper and formal negotiation was the only way to make such a change. As such, the almost humble letter from notoriously thin-skinned CEO Goran Marby is a sign of things going right – in least in this respect.
Given the fact that ICANN has given up any pretense of listening to concerns or comments that run counter to a path it has already decided upon, that means that Whois will be dead before May 2020.
What is unlikely to be resolved by that date, however, is the data access issue that kept Whois alive far beyond its useful lifespan. ®