Friday May 25th: How Europe’s GDPR Might (Finally) Break The Internet’s Broken WHOIS System

Victor Algaze
5 min read · May 25, 2018


You can thank the EU’s General Data Protection Regulation (GDPR) for important emails like the following clogging up your inbox:

(Image caption: GDPR-Compliant Harmonicas)

The reason so many firms are blasting out emails asking for permission to store user data and frantically updating their terms of service is that they are terrified of running afoul of the new data sheriff coming to town starting Friday 25 May 2018: the EU’s big and bad European Data Protection Board (formerly known as the Article 29 Working Group).

The Data Protection Board does not mess around: starting Friday 25 May 2018, if the Board determines that a firm has collected or stored users’ personal information without explicit permission (or stored that data in a manner that isn’t secure), it has the legal authority to slam the non-compliant firm with severe penalties.

Depending on the nature of the violation (among other factors), the GDPR’s enforcement regime can impose fines at the high end of up to €20 million ($23.5 million) or 4% of a firm’s worldwide revenue for the prior year, whichever is greater.

Firms that do business (or want to do business) with the European Union have been counting down to 25 May 2018 ever since the GDPR’s enactment in April 2016. One organization that has gone through quite a bit of drama and turmoil in preparing for the GDPR, however, is the Internet Corporation for Assigned Names and Numbers (ICANN).

WHOIS & WHOISNT (or ICANN & ICANNT)

ICANN is a non-profit that more or less coordinates the public ‘bones’ of the Internet, and a key component of its mission is administering the Domain Name System. The DNS is essentially a big list that translates between a memorable “domain name” like www.allaboutfrogs.org and an IP address like 165.227.35.84.

ICANN does not sell domain names. Instead, it inks agreements with various private third-party “registrars” who sell the domains themselves. As part of the standard agreement with ICANN, a registrar is required to make the domain name owner’s contact information available on a distributed directory service called “WHOIS.”

If you want to buy a domain name from its owner (or perhaps sue or even arrest its owner), the WHOIS record is usually the first legal point of contact. Unfortunately, the WHOIS system’s old-school access rules are based on the idea that surely no one would ever use an open directory of contact information for nefarious purposes. It requires no authentication and relies on the honor system to make sure users don’t abuse it.

You can imagine how well that works out on the “modern” Internet, where bad actors are anonymous and have every economic incentive to cheat. (If you’re curious what would happen if some poor soul neglected to ‘cloak’ their real contact information on WHOIS, see the article “This is What Happens When You Make WHOIS Data Public.”)

The current WHOIS system, given its current behavior and design, will likely never be compliant with GDPR’s data protection and privacy rules, which make it a crime to publish personal data without permission. This fact has led to all sorts of interesting developments, such as ICANN CEO Göran Marby’s astonishing March 2018 letter, which warns the EU’s data-protection group that:

the integrity of the global WHOIS system and our [ICANN’s] ability to enforce WHOIS requirements after the GDPR becomes effective will be threatened […] the global WHOIS may result in many of the domain name registries and registrars choosing not to comply with their contractual requirements on WHOIS out of fear that they will be subject to significant fines following actions brought against them by your respective offices.

Marby’s March letter — sent a mere two months before the 25 May 2018 enforcement deadline — claimed the following:

  1. If ICANN’s registrar partners honor their agreements and keep publishing WHOIS data, they could be on the hook for enormous fines under GDPR’s rules.
  2. If ICANN’s registrar partners don’t honor their agreements with ICANN, then the WHOIS system itself is in danger.

If the registrars pulled out of or fragmented the WHOIS system and no longer honored their agreements with ICANN, it could lead to major problems. ICANN (and others) argue that the WHOIS system is “[…] critical to the stability and security of the Internet, which allows for the easy identification and mitigation of bad actors, cybercriminals, intellectual property infringement, and other malicious activity online.” (The fact that WHOIS registration data can easily be faked, or that most registrars — most often for a small fee — will gladly “cloak” registration data, rendering it useless without a court order, tends to go ignored.)

As the clock ran down to enforcement at the end of May, ICANN needed to pull a rabbit out of its hat — fast.

A Way Out: RDS

“Nothing is more permanent than the temporary”

A week before the deadline, on 17 May 2018, ICANN approved a so-called “Temporary Specification” which attempted to split the difference. Under this new temporary arrangement — which must be reevaluated every 90 days and lasts for a maximum of one year — registrars would honor their agreements with ICANN and continue to collect and store sensitive contact data like names, phone numbers, email addresses, etc. as normal when someone creates or purchases a domain name.

But now, whenever someone attempts to retrieve a WHOIS record, they must first demonstrate a “legitimate purpose” (i.e., a legal or business reason) to fetch the personal contact data from that record. If they lack authorization they will still see a record, but any personally identifiable information will have been scrubbed out. Whether or not this arrangement will fly with the Data Protection Board remains to be seen — they’ve got 90 days to figure it out.
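To make the two points above concrete (the WHOIS lookup protocol has no authentication step, so the only GDPR-compatible thing a registrar can return over it is the scrubbed record the Temporary Specification describes), here is an added example that is not code from the article, ICANN or any registrar. It runs a one-shot WHOIS-style server on localhost in the RFC 3912 style (client sends the name plus CRLF, server replies with text and closes), applies a constructed redaction policy to a constructed sample record, and queries it. The field names, the `REDACTED FOR PRIVACY` marker, the `PERSONAL_PREFIXES` rule and every function name are assumptions for illustration, not any registrar’s actual record format or policy.

```python
"""Added example (not from the original article): an RFC 3912-style WHOIS
exchange over a local TCP socket, with personal contact fields scrubbed the
way the Temporary Specification describes. The sample record, field names,
REDACTED marker and policy function are constructed for illustration only."""
import socket
import threading

# Constructed sample record in a "Key: value" layout; real registrar output varies.
SAMPLE_RECORD = {
    "Domain Name": "example.test",
    "Registrar": "Example Registrar LLC",
    "Creation Date": "2015-03-01T00:00:00Z",
    "Name Server": "ns1.example.test",
    "Registrant Name": "Jane Doe",
    "Registrant Organization": "Doe Consulting",
    "Registrant Email": "jane@example.test",
    "Registrant Phone": "+1.5555550100",
    "Admin Email": "admin@example.test",
    "Tech Email": "tech@example.test",
}

# Assumed policy: any field whose key starts with one of these holds personal contact data.
PERSONAL_PREFIXES = ("Registrant", "Admin", "Tech")
REDACTED = "REDACTED FOR PRIVACY"


def redact(record, authorized=False):
    """Return a copy of the record with personal contact fields scrubbed unless the
    requester has demonstrated a legitimate purpose (authorized=True)."""
    if authorized:
        return dict(record)
    return {k: (REDACTED if k.startswith(PERSONAL_PREFIXES) else v)
            for k, v in record.items()}


def format_record(record):
    """Serialise as CRLF-terminated 'Key: value' lines, like typical WHOIS output."""
    return "".join(f"{k}: {v}\r\n" for k, v in record.items())


def serve_once(records):
    """Start a one-shot WHOIS-style server on 127.0.0.1 and return its port.
    The RFC 3912 request carries nothing but the name, so the server has no way
    to tell an authorized requester from anyone else and serves the redacted form."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            query = b""
            while not query.endswith(b"\r\n"):  # the request is one CRLF-terminated line
                chunk = conn.recv(1024)
                if not chunk:
                    break
                query += chunk
            name = query.decode("ascii", "replace").strip().lower()
            rec = records.get(name)
            body = format_record(redact(rec)) if rec else f"No match for {name}\r\n"
            conn.sendall(body.encode("ascii"))  # reply, then close: that is the whole protocol
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def whois_query(domain, host="127.0.0.1", port=43, timeout=5):
    """Client side of RFC 3912: send the name plus CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def parse_record(text):
    """Parse 'Key: value' reply lines back into a dict."""
    out = {}
    for line in text.splitlines():
        if ": " in line:
            k, v = line.split(": ", 1)
            out[k] = v
    return out


if __name__ == "__main__":
    port = serve_once({"example.test": SAMPLE_RECORD})
    print(whois_query("example.test", port=port))
```

Note that `redact(..., authorized=True)` exists only on the server side: nothing in the port 43 request can carry a credential or a stated purpose, which is why an access-controlled path (the RDS idea in the next section) has to sit beside, not inside, the legacy protocol.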

The GDPR privacy regulations might achieve something that ICANN has been unable to accomplish: finally drag the antiquated and insecure WHOIS system into the 21st century.

Stay tuned

Resources & Further Reading:
