Inscription revealed on old paper - GDPR General Data Protection Regulation

Public WHOIS in a GDPR World

Come May 25th the General Data Protection Regulation aka GDPR will be in force and many companies will have made significant changes to how they handle personal information in order to comply with the law. I recently shared a “bird’s eye view” of our GDPR preparation and we’ve already touched on how .IE and .UK domain names will be impacted.

GDPR isn’t “revolutionary”. It builds on previous European legislation that has been around for a long time. The key difference is that while in the past data protection authorities could be selective around enforcement, under GDPR they really can’t. If they don’t enforce they land themselves in trouble. And of course the key difference is that GDPR brings in meaningful fines. Screw up under GDPR and it won’t be a simple rap on the knuckles.

We have been engaged in the debacles around WHOIS and other aspects of ICANN’s policies surrounding data processing and retention for years. Up until the advent of GDPR we and others were largely ignored. Now the truth is staring everyone in the face and some people hate it.

Will the changes signal the apocalypse? We don’t think so, even though it does give me a good excuse to share this video clip:

What will happen?

On or before May 24th gTLD domain name registries and registrars will be “flicking the switch” on changes to their public whois output.

Whois is not going dark. It’s just changing.

At the moment the public whois looks a lot like this (using one of my domain names as an example with a couple of the details changed):

 

Domain Name: MNEYLON.COM
Registry Domain ID: 34020836_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.blacknight.com
Registrar URL: https://www.blacknight.com/
Updated Date: 2014-10-15T19:00:47Z
Creation Date: 2000-09-04T00:00:00Z
Registrar Registration Expiration Date: 2019-09-04T00:00:00Z
Registrar: Blacknight Internet Solutions Ltd.
Registrar IANA ID: 1448
Registrar Abuse Contact Email: abuse@blacknight.com
Registrar Abuse Contact Phone: +353.599183072
Reseller:
Domain Status: clientTransferProhibited (http://www.icann.org/epp#clientTransferProhibited)
Registry Registrant ID:
Registrant Name: Michele Neylon
Registrant Organization:
Registrant Street: 1 The Street
Registrant Street: Road
Registrant City: Carlow
Registrant State/Province: Co. Carlow
Registrant Postal Code: RXX XXXX
Registrant Country: IE
Registrant Phone: +353.599183072
Registrant Phone Ext.:
Registrant Fax: +353.599164239
Registrant Fax Ext:
Registrant Email:michele@somedomain.ie
Registry Admin ID:
Admin Name: Michele Neylon
Admin Organization:
Admin Street: 1 The Street
Admin Street: Road
Admin City: Carlow
Admin State/Province: Co. Carlow
Admin Postal Code:RXX XXXX
Admin Country: IE
Admin Phone: +353.599183072
Admin Phone Ext.:
Admin Fax: +353.599164239
Admin Fax Ext:
Admin Email:michele@somedomain.ie
Registry Tech ID:
Tech Name: Michele Neylon
Tech Organization:
Tech Street: 1 The Street
Tech Street: Road
Tech City: Carlow
Tech State/Province: Co. Carlow
Tech Postal Code:RXX XXXX
Tech Country: IE
Tech Phone: +353.599183072
Tech Phone Ext.:
Tech Fax: +353.599164239
Tech Fax Ext:
Tech Email: michele@somedomain.ie
Name Server: NS.BLACKNIGHTSOLUTIONS.COM
Name Server: NS2.BLACKNIGHTSOLUTIONS.COM
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-05-10T16:22:41Z <<<

 

After May 23rd our public whois output will be greatly reduced and we’ll be publishing something like this:

Domain Name: MNEYLON.COM
Registry Domain ID: 34020836_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.blacknight.com
Registrar URL: https://www.blacknight.com/
Updated Date: 2014-10-15T19:00:47Z
Creation Date: 2000-09-04T00:00:00Z
Registrar Registration Expiration Date: 2019-09-04T00:00:00Z
Registrar: Blacknight Internet Solutions Ltd.
Registrar IANA ID: 1448
Registrar Abuse Contact Email: abuse@blacknight.com
Registrar Abuse Contact Phone: +353.599183072
Reseller:
Domain Status: clientTransferProhibited (http://www.icann.org/epp#clientTransferProhibited)
Registry Registrant ID:
Registrant Name:REDACTED DUE TO GDPR
Registrant Organization:
Registrant Street: REDACTED DUE TO GDPR
Registrant Street:REDACTED DUE TO GDPR
Registrant City:REDACTED DUE TO GDPR
Registrant State/Province: Co. Carlow
Registrant Postal Code:REDACTED DUE TO GDPR
Registrant Country: IE
Registrant Phone: REDACTED DUE TO GDPR
Registrant Phone Ext.:
Registrant Fax: REDACTED DUE TO GDPR
Registrant Fax Ext:
Registrant Email: URL TO CONTACT FORM
Registry Admin ID:
Admin Name:REDACTED DUE TO GDPR
Admin Organization:
Admin Street:REDACTED DUE TO GDPR
Admin Street:REDACTED DUE TO GDPR
Admin City:REDACTED DUE TO GDPR
Admin State/Province: Co. Carlow
Admin Postal Code:REDACTED DUE TO GDPR
Admin Country: IE
Admin Phone:REDACTED DUE TO GDPR
Admin Phone Ext.:
Admin Fax:REDACTED DUE TO GDPR
Admin Fax Ext:
Admin Email:URL TO CONTACT FORM
Registry Tech ID:
Tech Name:REDACTED DUE TO GDPR
Tech Organization:
Tech Street:REDACTED DUE TO GDPR
Tech Street:REDACTED DUE TO GDPR
Tech City:REDACTED DUE TO GDPR
Tech State/Province: Co. Carlow
Tech Postal Code:REDACTED DUE TO GDPR
Tech Country: IE
Tech Phone:REDACTED DUE TO GDPR
Tech Phone Ext.:
Tech Fax:REDACTED DUE TO GDPR
Tech Fax Ext:
Tech Email:URL TO CONTACT FORM
Name Server: NS.BLACKNIGHTSOLUTIONS.COM
Name Server: NS2.BLACKNIGHTSOLUTIONS.COM
DNSSEC: Unsigned

Our choices around whois output are not arbitrary, but are based on the eco model and the ICANN “interim model” (PDF).

We will continue to collect the same information as we have always done. That will not change. The underlying data in many cases will be identical or very close to the client account information that we already collect and when it isn’t we feel that we can still collect and process it legally as all domain name registrations are subject to UDRP, while many are subject to the URS. Put in simpler terms if you register a domain name and infringe on someone else’s brand then there’s an arbitration process there and we need the domain registrant’s details for that.

Many of our registry partners have shared basic details of their plans around whois publication and most of them are aligned with the output I’ve described above. And based on conversations we’ve had with other registrars we expect to see similar output being used by many of them. The kind of differences, however, could be whether they output the redacted fields or not.

We plan to continue publishing the organisation name where one is provided, which it is in many cases. Again, this is a choice we’ve made as a business. The way our billing system works, as well as the way we’ve had to collect and process domain registration data for .ie domain names for the last 15 years means that we have a fairly high level of confidence in the organisation field being used by registrants that would be categorised as “legal persons”.

We will not be publishing email addresses of any kind and will instead be using a web form that will be domain specific ie. you would get a URL in the email field for a specific domain name and using it you’d be able to initiate contact with the registrant.

Under current ICANN policies and processes the bulk of the WHOIS data for .com and .net domain names is held and processed by us. It is not transferred abroad. So if anyone, apart from a dispute provider for UDRP or URS, wants access to our registrant’s underlying data they will need to request access under Irish law ie. either with a court order that is valid in an Irish court or via An Garda Síochána.

If you have any questions about what we’re doing please let us know via the comments.

, , , ,

2 Responses to Public WHOIS in a GDPR World

  1. James May 10, 2018 at 21:57 #

    Interesting does this mean that whois privacy services are somewhat dead or am I misunderstanding things?

    • Michele Neylon May 10, 2018 at 22:11 #

      James
      To a degree – yes. However it’s not quite that simple.
      We’re able to redact our whois server’s output. For now we have to rely on the registries to redact their output for the extensions that are “thick” like .biz and there are some ccTLDs that might not be making any changes to their whois output at all. Also with whois privacy enabled the data we send to the registries is the redacted version that at the moment is currently public. There’s also the issue around access to the data. With our whois privacy service we control the underlying data and who has access to it. When it gets “shipped” to a registry operator we lose that control.
      Also – we don’t know what the more permanent “solution” for how whois is going to be handled. At the moment it is not known nor decided.
      So the answer is probably “it depends”.
      If you were using “whois privacy” or “proxy” services simply to avoid robocallers and spam then it’s one thing, but if you were genuinely concerned about your data being published or accessed then it’s a different thing entirely.
      Thanks for taking the time to post a comment.
      Michele

Leave a Reply