Whois is dead as Europe hands DNS overlord ICANN its arse

Can we still have a GDPR moratorium, asks US domain-name body


The Whois public database of domain name registration details is dead.

In a letter [PDF] sent this week to DNS overseer ICANN, Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.

The letter also has harsh words for ICANN's proposed interim solution, criticizing its vagueness and noting it needs to include explicit wording about what can be done with registrant data, as well as introduce auditing and compliance functions to make sure the data isn't being abused.

ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.

ICANN has already acknowledged it has no chance of doing so: a blog post by the company in response to the letter warns that without being granted a special temporary exemption from the law, the system will fracture.

"Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain Whois," it warns. "Without resolution of these issues, the Whois system will become fragmented."

We spoke with the president of ICANN's Global Domains Division, Akram Atallah, and he told us that while there was "general agreement that having everything public is not the right way to go", he was hopeful that the letter would not result in the Whois service being turned off completely while a replacement was developed.

Justify my love

"I think the Working Party is looking at this issue from a 'do you have the right justification?' perspective," he argued. "So we need to dig into the justifications in terms of our bylaws and mission and remit."

In other words, the Whois service may still publish some personal details once everything has been worked through, so long as there is a clear justification for it. It's uncertain at this stage what that would be.

But Atallah's current focus is on persuading the authorities to grant ICANN a stay of execution while it comes up with an interim model. "It is very important for us to have a moratorium and be able to say to our contracted parties 'if you implement this model, you will be in full compliance'," he noted. "We need some kind of relief."

He was, however, unable to give an example of another industry that has been granted similar relief. As an argument for why ICANN should be exempted for now, he relied on public statements from data protection authorities that they aren't seeking to punish people but want to work with organizations to improve privacy.

Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade and having taken the GDPR requirements seriously only six months ago, despite a clear two-year lead time.

One company that is caught in the middle of the dispute is sanguine about the possible death of the service. "Is this the end of public Whois? Yes, in its current form," Michele Neylon, CEO of Irish registrar Blacknight, told us. "But is it going to go completely dark? No."

Neylon has long complained about ICANN's refusal to acknowledge European law when it comes to the Whois service: back in 2013, he refused to sign an updated version of the contract that domain name sellers have with ICANN until it gave him a legal waiver over its data retention requirements.

"That decision probably cost us money, but if we have to choose between operating legally or illegally our path is clear," he wrote in a blog post this week.

Already fixed?

Neylon also points out that dozens of other registries that are not under ICANN's control already have solutions for the GDPR legislation. The registry for .uk, Nominet, for example, has long withheld the personal details of domain registrants and provides only technical information publicly.

Last month, Nominet's general counsel Nick Wenban-Smith pointed out that even though Nominet has over 10 million domain names, it only receives one or two requests a week for non-public Whois information. The CEO of France's .fr registry, Pierre Bonis, also noted very similar, low levels of requests last month.

If that level of interest is repeated for other internet addresses under ICANN control, like .com, .org and .net, Neylon says it will be "perfectly manageable" from his business' perspective.

There are some, however, including security researcher Brian Krebs and the US government itself, who fear a shutdown of the full Whois will result in a spike in online scams.

The US government reportedly told industry leaders at a closed-door meeting at ICANN's recent conference in Puerto Rico that it would consider legislation if broad access to all registration data wasn't included as a part of a revised Whois.

But the Working Party's letter makes it plain that there will have to be clear, legal reasons to grant someone access to that full data. It can no longer be a free-for-all.

It is also far from clear whether Europe's data protection authorities will be willing to make a special exception for ICANN and waive GDPR requirements while it puts a replacement in place.

The law impacts all industries and there has been a two-year lead-up to the deadline. Regardless, ICANN's CEO has said he will attend a meeting of the Article 29 Data Protection Working Party in Brussels later this month to plead his case.

Case study

His best line of attack is likely to be that the GDPR was designed for internet giants like Facebook and Google and their vast databases of personal data but did not properly consider more structural services like Whois.

The six-page letter from the Working Party was itself in response to an explicit request from ICANN, sent last month, to provide feedback on its proposed solution for making Whois compliant with the GDPR.

The letter is precise and outlines a series of concerns with ICANN's proposed solution complete with recommendations for how to fix them. But the upshot is undeniable: the Whois service as it stands is illegal and ICANN's efforts to rejig its current system to work with the new legislation are not going far enough.

As to how ICANN has ended up in this situation, remarkably the Working Party makes plain its view in what amounts to a searing indictment over how the organization operates:

ICANN should take care in defining purposes in a manner which corresponds to its own organizational mission and mandate, which is to coordinate the stable operation of the Internet's unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.

Which is a not-so-subtle way of telling ICANN that it doesn't care how much money or sway intellectual property lawyers have within its decision-making process. And neither should it. ®
