WHOIS database under GDPR: temporary measures in place
The General Data Protection Regulation (GDPR) is the biggest change to the handling of personal data on the internet in more than 20 years. And GDPR compliance, a legal requirement for any website used by EU citizens, is forcing the domain name industry to reconsider how the WHOIS database works. ICANN's solution.
What is WHOIS?
Created by ICANN (Internet Corporation for Assigned Names and Numbers) in the 1980s, WHOIS is a database that allows you to locate the names and contact information of domain name registrants. WHOIS is among the oldest online tools used to verify such information.
WHOIS has long been a valuable source of information for investigators and security professionals, the data publicly available and normally the starting point of inquiries where criminal activity is suspected. It's been used, for example, to track down malware outbreaks and to identify the culprits behind suspicious domains. And until this point, there was an agreement with all domain name registrars requiring them to publish data - names, email address, phone numbers - of domain registrants who use their services.
But the requirements of the WHOIS system are currently under review to ensure GDPR compliance. Under the GDPR, publishing private data is no longer legal without express consent from individual registrants. Keep in mind, for years now many registrars have offered a privacy feature to protect such data - for a price. Doing so now, however, isn't compatible with the GDPR.
Temporary measures have been put into place as of June 2018 that greatly restrict the available information contained within the WHOIS system. The Temporary Specification for gTLD Registration Data is one of many recent moves ICANN has taken to help the domain industry become GDPR compliant.
There is still much confusion and many questions surrounding the WHOIS database in a post-GDPR world. We hope the following will clarify some of the most important changes you should be aware of.
Can the WHOIS system still be accessed?
Under the Temporary Specification for gTLD Registration Data, the WHOIS system is still available. This doesn't mean, however, that all information previously accessible is still available. Certain basic data like technical information about the sponsoring registrar, registration status, record creation date, and domain expiration date can still be obtained. But, again, personal data, as outlined in the GDPR, can no longer be published unless consent to do so is specifically given by the registrant.
It should be noted that any personal data no longer publicly accessible in the WHOIS database falls within the scope of GDPR. Discussions regarding how to differentiate between data that's allowed and data that's inaccessible as a result of GDPR is ongoing. Moreover, ICANN's efforts to create a permanent policy that respects the right to privacy, will also have to take into consideration how redacted data can be accessed by third parties with a legitimate interest in it.
How can WHOIS registrant contact information be accessed?
Rights holders with domain name disputes or other actions related to infringement of their online IP can argue that they are third parties with legitimate reasons for such requests. The Temporary Specification says that in such situations there will still be ways to request the needed data and that the sponsoring registrars are obligated to reply to such requests within a reasonable amount of time. According to ICANN, if a response isn't received in such a case, there will be a way to formally file a complaint with ICANN's Contractual Compliance Department.
Is it possible to contact registrants without full WHOIS data?
While it's not as easy a process as it has been in the past because the contact information is no longer publicly available, yes, it can be done. Registrars are required to offer either a generic email for this purpose or an online contact form so you can contact registrants directly. Requests for contact information can also be submitted to the registrars.
Can a UDRP complaint be filed without registrant details?
Uniform Domain-Name Dispute-Resolution Policy (UDRP) complaints can be submitted without having the registrant details but should include all publicly available data - even if you're including items like "name redacted." More information about how the Temporary Specification relates to GDPR and UDRP can be found under WIPO's informal Q&A.
Is it possible to access registrant data after filing a UDRP complaint?
According to the Temporary Specification, registrars must provide registrant data to the UDRP provider once they receive notice of the complaint. The World Intellectual Property Organisation (WIPO) can allow those filing complaints to modify their cases using privacy services to hide registrant personal data. If the issue is resolved once the registrant's details are known, and it's determined there was no abuse, the fee imposed by the WIPO panel can be waived. If cost was incurred for what ends up being a misunderstanding, a fee may still apply.
Will third parties with legitimate need receive full WHOIS access?
An ICANN proposal, published on June 18, 2018, calls for a fixed method for granting full WHOIS database access to a specified group of users as opposed to trying to process individual requests as they are received.
The proposal identifies two user groups, the first law enforcement and governmental authorities, the second private third parties obligated by codes of conduct to ensure the integrity of personal data. Under the proposal, one option up for consideration is the receipt of a token or credential from an "authenticating body" or "credential provider".
As to the specific data made available, WHOIS database access levels would be determined by specific, legitimate need. A fee for such access may apply. More in-depth study will be required before any definitive decisions are made.
ICANN’s situation not easy
ICANN's position is inconvenient. It's under continuing pressure from security professionals and others with a legitimate need for the data contained in the WHOIS system. On the other hand, they are required to comply with GDPR to ensure the protection of personal data per the regulation. It's hoped by many that, in the near future, the agency will find a way to meet the needs of those who need its data while not jeopardising the privacy of users.
For more on the GDPR:
Team WP Sekure is a website management, maintenance, and security agency for WordPress websites that also specialises in website speed optimisation & SEO services for various local and national businesses. Visit teamwpsekure.com for more info.