Whois? More like WHOWAS: Domain database on verge of collapse over EU privacy

Governments refuse to get sucked into policy shambles, kibosh DNS GDPR plans

An effort to resolve conflicts between upcoming European privacy legislation and the global Whois service for domain names has, predictably, failed, raising fears that cybercriminals will take advantage of the impasse.

At the end of a week of meetings hosted by domain-name overseer ICANN, the US-based organization's proposed interim model lies in tatters, and there is no sign of a forthcoming solution before the May 25 deadline, when the General Data Protection Regulation (GDPR) comes into effect.

Industry insiders fear that, without agreement, the Whois service, which publicly lists full contact details of domain-name registrants, will effectively shut down in order to avoid fines and possible lawsuits under the Euro rules.

That would leave law enforcement and intellectual property lawyers, among others, unable to access registrant details, and potentially give cybercriminals a larger window to carry out crimes.

The biggest blow to ICANN's last-minute proposal on how to make Whois GDPR-friendly – put out just one week before the meeting – came when the world's governments refused to accept the role ICANN tried to place on its Governmental Advisory Committee (GAC). ICANN said it wanted to task the GAC with drawing up a system that would allow certain groups – cops, attorneys, and similar – unfettered access to Whois records. That plan was firmly rejected.

"The GAC does not envision an operational role in designing and implementing the proposed accreditation programs," read an official statement from the GAC to ICANN's board at the end of the meeting.

Such a rejection was entirely predictable, raising questions over why ICANN's staff suggested it in the first place.

So, um, about your entire ethos

ICANN is designed to work as a "multi-stakeholder" decision-making model where everyone impacted gets a say in the solution, so the suggestion that just governments would decide on an accreditation model was greeted with some scorn, not least by the US government.

Argument over this aspect of the "interim model" took up so much time and energy that ICANN's CEO Göran Marby pleaded with the internet community to focus on other aspects.

"There are still fundamental decisions to be made about the whole model," he told a public forum. "Discussion seems to be focussing on the accreditation model, as if everything else with GDPR compliance for Whois is decided. It's not."

Marby also made a second desperate plea, this time to European GAC members, who he "humbly begged" to contact their data protection authorities to get "firm advice" on what needed to be done to the Whois system to bring it in line with Euro law.

That plea came after the GAC tore up another key part of ICANN's proposed model: that all email addresses in domain ownership records be anonymized.

Cartoon man with hat and tie. Facial features replaced by question mark.

Knock, knock. Whois there? Get ready for anonymized email addresses after domain privacy shake-up


"A rationale is required for the decision to hide certain Whois data elements from the public database," the GAC said in its communiqué [PDF], before schooling ICANN's own Whois experts on what the actual GDPR legislation does and does not require.

"When it comes to personal data, the GDPR permits its processing, including publication, under certain circumstances… such as performance of a contract or the legitimate interests pursued by the controller or by a third party.

"In particular, publication of the registrant's email address should be considered in light of the important role of this data element in the pursuit of a number of legitimate purposes and the possibility for registrants to provide an email address that does not contain personal data."


The GAC also took issue with ICANN's proposal to anonymize non-personal information – such as company names and the contact details of administrative and technical contacts – and pointed out that "legal entities are explicitly excluded from the remit of GDPR."

In short, it argues that the changes proposed by ICANN "are not supported by the necessary analysis and supporting rationale which poses the question whether the choices reflected in the current proposal are required by the law."

In other words, ICANN made bad decisions based on incomplete information and failed to explain how or why it arrived at those decisions.

The failure to come up with a solution could have dangerous knock-on effects, the GAC warned: "As it stands, the proposed system risks hindering the efforts of law enforcement, intellectual property and other actors in combatting illicit activities and mitigating DNS abuse."

That message – that the failure to introduce a system before the end of May would make the internet a more dangerous place – was reiterated by law enforcement at the meeting, with Europol's cybercrime center (EC3) being particularly vocal about the risks.

EC3 repeatedly pushed the idea that the companies that provide domain names to the public – registrars – be obliged to respond to "urgent" law-enforcement requests for Whois information within 24 hours.

That could be a possible short-term solution to the lack of a global Whois policy, but the idea was rejected by registrars who have consistently blocked any effort to make them accountable to third parties.

On the other side of the equation, civil society groups were actually happy with the idea of anonymized email addresses, noting that it would "go a long way to reducing spam and harassment that end-users face."

Next page: Nope and nope

Similar topics

Other stories you might like

  • We can unify HPC and AI software environments, just not at the source code level

    Compute graphs are the way forward

    Register Debate Welcome to the latest Register Debate in which writers discuss technology topics, and you the reader choose the winning argument. The format is simple: we propose a motion, the arguments for the motion will run this Monday and Wednesday, and the arguments against on Tuesday and Thursday. During the week you can cast your vote on which side you support using the poll embedded below, choosing whether you're in favour or against the motion. The final score will be announced on Friday, revealing whether the for or against argument was most popular.

    This week's motion is: A unified, agnostic software environment can be achieved. We debate the question: can the industry ever have a truly open, unified, agnostic software environment in HPC and AI that can span multiple kinds of compute engines?

    Arguing today FOR the motion is Rob Farber, a global technology consultant and author with an extensive background in HPC and in developing machine-learning technology that he applies at national laboratories and commercial organizations. Rob can be reached at info@techenablement.com.

    Continue reading
  • But why that VPN? How WireGuard made it into Linux

    Even the best of ideas can take their own sweet time making it into the kernel

    Maybe someday – maybe – Zero Trust will solve many of our network security problems. But for now, if you want to make sure you don't have an eavesdropper on your network, you need a Virtual Private Network (VPN).

    There's only one little problem with commercial VPNs: many of them are untrustworthy. So, what can you do? Well, run your own of course is the open-source answer. And, today, your VPN of choice is Linux's built-in VPN: WireGuard.

    Why WireGuard rather than OpenVPN or IKEv2? Because it's simpler to implement while maintaining security and delivering faster speeds. And, when it comes to VPNs, it's all about balancing speed and security.

    Continue reading
  • Boffins demonstrate a different kind of floppy disk: A legless robot that hops along a surface

    This is fine

    Those of us who fear future enslavement by robot overlords may have one more reason not to sleep at night: engineers have demonstrated a few of the legless, floppy variety making some serious leaps.

    Animated pancake-like droids have demonstrated their ability to execute a series of flops in a fashion their creators – soft robotics engineers based in China – describe as "rapid, continuous, and steered jumping."

    "Jumping is an important locomotion function to extend navigation range, overcome obstacles, and adapt to unstructured environments," Rui Chen of Chongqing University and Huayan Pu of Shanghai University said.

    Continue reading

Biting the hand that feeds IT © 1998–2021