This article is more than 1 year old

Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system

Internet policy wonks scramble over GDPR

Analysis The internet policy world is scrambling as one of the most critical and fiercely contested aspects of the global domain name system – its registration system – has started to fall apart.

The Whois system, which publicly publishes the name, address, email and telephone number of every domain name registrant, has been a bone of contention for over 20 years. But passionate disagreement has resulted in stasis and the system has remained unchanged while the broader internet has evolved.

That policy paralysis has finally become unsustainable however with the adoption of Europe's new privacy policy – the General Data Protection Regulation (GDPR).

GDPR will kick in next May, and, critically, it impacts not just European business but any business that holds data on European citizens. Put most simply, GDPR requires businesses to get clear consent from people to gather, store and publish their personal information.

The Whois system is entirely incompatible with that, to the extent that at least two internet registries have simply refused to offer a Whois service: an approach that has invited the ire of internet overseeing organization ICANN which developed the current approach and has repeatedly failed to update it.

In a letter [PDF] from its lawyers this month, the .amsterdam and .frl registry owner rejected a legal warning from ICANN that said it was in breach of its contract because, the registry argued, the relevant Whois clause is "null and void" since it conflicts with European regulations.

"For the avoidance of doubt: given the lack of valid consent, no other condition of Article 6.1 of the GDPR allows for such publication," the letter stated, referring to the Whois system and the new law.

Aaaaaargh... Discuss

The outright refusal by registries to accept ICANN's contractual terms and provide a Whois lookup service puts the DNS overseer in a difficult bind, and the issue is set to dominate its meeting next week in Abu Dhabi – a meeting that was already going to be contentious, thanks to a fight between governments and the private sector over the creation of the .amazon internet extension.

ICANN has long tried, and failed, to update the Whois system: in large part because two powerful groups within its policy processes prefer the current flawed model over a reformed version.

Intellectual property lawyers prefer a system that provides them with details on who owns a particular domain name (especially given widespread copyright infringement online) to one that excludes them from such information altogether.

And the companies that sell domain names, registrars, do not want to be responsible for verifying the contact details of registrants for both legal and financial reasons.

A reformed Whois is almost certain to restrict registration data to law enforcement and valid legal requests, and to include additional requirements that domains cannot be registered using false identities.

When faced with previous concerns that ICANN's rules broke European regulations, the US-based organization came up with an uncomfortable fudge where it allowed European registrars to write to it and ask permission to be exempted from the system – a request that was seemingly always accepted.

That approach was never going to hold, however, and with registries now refusing to accept ICANN's contractual terms, attention has turned to an alternative system that was developed several years ago: RDAP, or Registration Data Access Protocol.


Two of the internet's largest registries, including the operator of the dot-com registry Verisign, have just launched pilots of their RDAP systems. It is very early days but the RDAP system – which enables certain data fields to be restricted or revealed only to a specific user, i.e. an approved law enforcement officer would gain full access but the average internet user would not – may quickly become the norm.

For its part, ICANN is trying to push RDAP compliance using a carrot-and-stick approach it has used in the past to force the diverse domain name industry onto updated contracts.

Business: Stressed man with pile of paperwork works against the clock

Tick, tock motherf... erm, we mean, don't panic over GDPR


But the arguments and problems are very far from over. Earlier this month ICANN published the legal advice [PDF] it had commissioned with respect to Whois and the GDPR and it was not good.

Despite sugar-coating the memo with phrases like "potentially challenging areas with existing requirements," ICANN noted that the "publicly available Whois services cannot remain unchanged" and GDPR "could impact our ability to maintain a single global WHOIS system." In other words, the current Whois system is dead in the water and the internet community has seven months to replace it.

The response from the internet community has been predictably bad: various stakeholder groups are jockeying for position on a new "compliance task force" rather than focusing on the problem itself.


The US-business dominated Business Constituency insisted [PDF] on "broad community participation," i.e. members from its group being put in the task force, and argued that there needs to be a "more holistic examination of Whois, rather than focus on one aspect."

That was swiftly followed by the Intellectual Property Constituency (IPC) – also dominated by American businesses – which also wants greater influence over the process. "ICANN must leverage the deep knowledge within the community and take advantage of the knowledge and experience gained by many years of ICANN community activity and research in this area," its letter [PDF] argued.

Meanwhile, the registries and registrars have complained about being kept in the dark about what ICANN was doing behind the scenes and despaired at how slowly things were going.

"The lack of progress in identifying any tangible remedies has been frustrating and has created anxiety over the viability of developing a shared solution to GDPR compliance in time for that looming deadline," its letter [PDF] stated, including the threats that they will simply go their own way of ICANN doesn't buck up.

And it is that deadline that may finally shift the 15-year impasse. Under GDPR, organizations can be fined up to €20 million or four per cent of turnover, whichever is larger, if they are found to be in breach of the law. That will be foremost in many representatives' minds as they meet next week in an effort to finally crack the internet policy world's most persistent problem. ®

More about


Send us news

Other stories you might like