Will GDPR be the death of WHOIS?

Two cybersecurity and privacy attorneys recently argued that the General Data Protection Regulation (GDPR) will interfere with the availability of the WHOIS database and will seriously hinder the efforts of law enforcement and security researchers to track down malware peddlers, phishers, hackers and other online criminals.

Will it? And who’s to blame for this situation?


About the WHOIS database

The WHOIS service/database is operated by the Internet Corporation for Assigned Names and Numbers (ICANN), and is populated with information collected by domain name registrars around the world.

The latter sign an agreement with ICANN that requires them to collect, keep updated and make available registrant, administrative, and technical contact information for each domain they register.

In some countries, domain owners can pay for “private registration” services usually provided by the domain registrars, so that a WHOIS query regarding their domain(s) shows only the registrar’s name and that of a forwarding service instead of the registrant’s personal information.

Enter GDPR

Until May 25, 2018, anyone could submit a query to the WHOIS service and security researchers and law enforcement agencies did so in bulk when investigating possible crimes or mitigating malware attacks.

But since the advent of GDPR, it is against the law for registrars to provide registrants’ information without their explicit consent and that makes the WHOIS service ineffective.

ICANN has had years to work out a solution to that problem but left it very late, and has now been forced to implement a temporary specification to ensure that registrars meet GDPR requirements while still providing WHOIS data.

“Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains robust collection of Registration Data (including Registrant, Administrative, and Technical contact information), but restricts most Personal Data to layered/tiered access,” the specification says.

“Users with a legitimate and proportionate purpose for accessing the non-public Personal Data will be able to request such access through Registrars and Registry Operators. Users will also maintain the ability to contact the Registrant or Administrative and Technical contacts through an anonymized email or web form.”

Those with legitimate purposes – law enforcement, security researchers, intellectual property holders – will have to contact the registrar and ask for access to the non-public WHOIS data (the registrar is obligated to respond to the request in “reasonable time”).

The rest will get only technical data sufficient to identify the sponsoring registrar, status of the registration, and creation and expiration dates for each registration, but not personal data, and “will have access to an anonymized email address or a web form to facilitate email communication with the relevant contact for that registration.”
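To make concrete what a researcher still gets from a tiered-access WHOIS record, here is an added example (not code from the article or from ICANN) that parses a constructed, post-GDPR-style WHOIS response in the usual `key: value` layout, separates the still-public technical fields (registrar, status, creation and expiry dates, name servers) from the redacted contact fields, and computes the domain's age, which is the part of the record that remains useful for phishing triage. The sample record, the field names and the redaction marker strings are assumptions for illustration; real registrars vary in both layout and wording.

```python
"""Parse a tiered-access (post-GDPR) WHOIS record and separate the public
technical fields from the redacted personal-data fields.

Added example; the sample response below is constructed, and the field names
and redaction markers are assumptions, not a registrar's actual output."""
from datetime import datetime, timezone

# Constructed sample WHOIS response for a fictional domain. Personal contact
# fields are redacted; the technical fields remain public.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited
Creation Date: 2018-05-20T10:11:12Z
Registry Expiry Date: 2019-05-20T10:11:12Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Name: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
"""

# Fields the temporary specification leaves public (assumed names).
PUBLIC_FIELDS = (
    "Domain Name", "Registrar", "Domain Status",
    "Creation Date", "Registry Expiry Date", "Name Server",
)
# Substrings that mark a withheld value (assumed; registrars differ).
REDACTION_MARKERS = ("redacted for privacy", "data protected", "please query")
DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_whois(text):
    """Return {field: [values]} from key: value lines, skipping comments."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            # Repeated keys (e.g. Name Server) accumulate into a list.
            record.setdefault(key, []).append(value)
    return record


def is_redacted(value):
    """True if the value is a privacy placeholder rather than real data."""
    lowered = value.lower()
    return any(marker in lowered for marker in REDACTION_MARKERS)


def split_record(record):
    """Split a parsed record into (public technical data, contact fields,
    set of contact field names whose every value is redacted)."""
    public = {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
    contact = {k: v for k, v in record.items() if k not in PUBLIC_FIELDS}
    redacted = {k for k, vals in contact.items() if all(is_redacted(x) for x in vals)}
    return public, contact, redacted


def domain_age_days(record, now_iso):
    """Whole days between the Creation Date and now_iso (same date format)."""
    created = datetime.strptime(record["Creation Date"][0], DATE_FORMAT)
    now = datetime.strptime(now_iso, DATE_FORMAT)
    created = created.replace(tzinfo=timezone.utc)
    now = now.replace(tzinfo=timezone.utc)
    return (now - created).days


def triage(text, now_iso):
    """Summarise what an unaccredited user can still learn from the record
    and whether contact data would need a registrar access request."""
    record = parse_whois(text)
    public, contact, redacted = split_record(record)
    return {
        "registrar": public.get("Registrar", ["unknown"])[0],
        "status": public.get("Domain Status", []),
        "age_days": domain_age_days(record, now_iso),
        "contact_fields_redacted": len(redacted),
        "contact_fields_total": len(contact),
        # Under the temporary specification, redacted contact data is only
        # reachable via a registrar request or the anonymised contact form.
        "needs_registrar_request": len(redacted) == len(contact) and contact,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_WHOIS, "2018-06-01T00:00:00Z")
    for field, value in summary.items():
        print(f"{field}: {value}")
```

The age-in-days figure is the field worth keeping in automated pipelines: a domain registered days before it appears in a phishing campaign is a strong signal on its own, and it survives redaction intact.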

The European Data Protection Board – EU’s data protection advisory body and the successor of the Article 29 Working Party (WP29) – noted that, as WP29 before it, it “recognizes the recent efforts undertaken by ICANN to ensure the compliance of the WHOIS system,” and will continue to monitor ICANN’s progress closely and engage with the organization to ensure that the legal requirements under EU data protection law are properly addressed.

What the future holds

“The public removal of personal information from WHOIS, the system used to store the registered users of website domains, undoubtedly makes life for security and law enforcement agencies much harder,” Redscan CTO Andy Kays commented for Help Net Security.

“Whether fake or not, the information stated on WHOIS can be invaluable for helping to trace and track the individuals behind attacks such as phishing and spamming.”

He pointed out that an accreditation scheme that would vet access to personal data in WHOIS records for special interest groups such as the police, security researchers and journalists would certainly be very welcome and help to address concerns, but that planning to implement such a vetting system should have started years ago.

“By only recently attempting to outline its proposals, ICANN shows that it has been too slow to react to the global impact of the GDPR,” he concluded.

It now remains to be seen whether domain registrars will welcome and honor ICANN’s temporary specification, or will decide to err on the safe side and withdraw access to the WHOIS data they store.

EPAG, a Germany-based registrar that is part of the Tucows Group, has recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules.

ICANN has filed injunction proceedings against the company in a German court, with the goal to make the court rule on how the GDPR should be interpreted in this case.