As the GDPR comes closer — is the end of public WHOIS in sight?

It is an ongoing point of discussion, but now the GDPR is coming closer its possible effects on public WHOIS records are slowly becoming clear. In spite of ICANN’s last-minute efforts to come up with a model that complies with the European privacy legislation, the Internet Authority is struggling to find a fitting solution. Here’s the story so far and what consequences this problem may have:

Over the last few months, ICANN is part of a back-and-forth on the issue. The Internet authority and the European Article 29 Working Party are looking for a way to make the WHOIS database comply with all GDPR requirements. In ICANN’s January 12th attempt, the organization proposed three interim models that it created through discussions with the online community. The European Commission took its time to reply, but on February 7th responded that it was glad to see ICANN taking steps. It also deemed the proposed models too abstract to give any real advice. As stated by the EC’s director-general of technology and communications, Roberto Viola: “The Commission therefore encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs and interests.”

A Second Attempt

The lukewarm by the European Commission response sent ICANN back to the drawing board. The organization released a new interim model early March, which was nicknamed ‘the Cookbook’ and proposed these possible solutions:

  1. An anonymized version of a web contact form through which people can reach domain registrants so that there is no online publication of registrant information.
  2. To give domain registrants an opt-in system to have their details displayed, and in this way ensure that everyone is in charge of their personal information.
  3. A centralized credentialing system for people who need to view full WHOIS information such as law enforcement and intellectual property lawyers.

With the release of these proposals, ICANN also asked for more time to implement necessary changes to the system. The organization wants to be exempt from GDPR legislation for now. While the European workgroup was less critical of these new solutions, it also stated that they did not comply with the GDPR as expected. The Article 29 Working Party stayed silent on ICANN’s request for more time to comply with the new privacy laws.
The ball is thus, once again, in ICANN’s court. The Internet authority says that it will continue development of a WHOIS model that adheres to GDPR, but also mentioned that it is willing to take legal action to get more time to comply with the new rules.

Photo by Bernard Hermant on Unsplash

WHOIS Can Go Dark

It is not just ICANN and the European Commission who have an interest in the new WHOIS model. The companies currently responsible for publishing and maintaining the domain registrant’s records, Internet registries and registrars, have also chipped in. They released a statement to inform the community that, depending on the final model that ICANN proposes, it may take them up to a year to implement all necessary changes. If they need this long to comply with GDPR and keep WHOIS records online to ICANN’s standards, they are at risk of receiving fines up to 20 million euros or 4 percent of global annual turnover.
So while registries and registrars say they also want to come up with a viable solution for the problem, it is unlikely that they will risk the fines that might be coming their way if they keep WHOIS records public. Many registries and registrars are therefore expected to stop providing WHOIS records once the GDPR goes into effect, at least until there is a new model to implement. This could mean that many WHOIS records become unavailable in the coming weeks. Some companies have already taken action, such as registry DENIC and registrar GoDaddy.

Good, Bad and the Ugly

We don’t know what will happen to WHOIS in the long run, but one thing is for sure: global, public WHOIS records as we know them will cease to exist. Whether the database goes completely dark for a while, or the community comes up with a solution in time remains to be seen.

As with most discussions, there are two sides to the possible black-out of WHOIS records. Privacy advocates have been fighting the publication of personal information under the WHOIS system for a long time, and are happy to see this (in their eyes) violation of online privacy go. The change will also be beneficial to individuals who own a domain name since they will no longer have to pay for privacy services to keep their personal information from being published on the web. Public domain name information is often abused by spammers who track down the domain registrant and contact that person dozens of time a day, something we can all do without.

Unfortunately, the downsides of these records no longer being public will also stay. There are domain registrants who buy a domain to commit digital fraud, who use it for their scamming or phishing efforts, and those who infringe on brands via their online page. Once all records with information on these bad actors are unavailable, it will become increasingly difficult for law enforcement and brand protection professionals to do their job. Right now, the WHOIS database is a first step for those trying to find cybercriminals and its disappearance will make those efforts a challenging task.

Coming Up Next

For now, ICANN has little over a month to come up with a replacement for the public WHOIS database. Its legal action against the European Commission may buy it some more time, but in the end, something has to change. We will have to see whether WHOIS records stay public for a bit longer, or if the database is soon dead until further notice.

What do you think, will this be the end of WHOIS or will a new model be able to save the day?

If you are a brand protection professional or work for law enforcement and rely on WHOIS records, the Brand Monitor tool may be a good alternative for you. Our database of public data indexes over 150 variables per website and can potentially identify unique characteristics shared between websites. This way, we can help you infer shared ownership between sites, even in the case of masked WHOIS records. For more information, contact or visit our Brand Monitor page.