Whois is dead as Europe hands DNS overlord ICANN its arse

Already fixed?

Neylon also points out that dozens of other registries that are not under ICANN's control already have solutions for the GDPR legislation. The registry for .uk, Nominet, for example, has long withheld the personal details of domain registrants and provides only technical information publicly.

Last month, Nominet's general counsel Nick Wenban-Smith pointed out that even though Nominet has over 10 million domain names, it only receives one or two requests a week for non-public Whois information. The CEO of France's .fr registry, Pierre Bonis, also noted very similar, low levels of requests last month.

If that level of interest is repeated for other internet addresses under ICANN control, like .com, .org and .net, Neylon says it will be "perfectly manageable" from his business' perspective.

There are some however, including security researcher Brian Krebs and the US government itself, that fear a shutdown of the full Whois will result in a spike in online scams.

The US government reportedly told industry leaders at a closed-door meeting at ICANN's recent conference in Puerto Rico that it would consider legislation if broad access to all registration data wasn't included as a part of a revised Whois.

But the Working Party's letter makes it plain that there will have to be clear, legal reasons to grant someone access to that full data. It can no longer be a free-for-all.

It is also far from clear whether Europe's data protection authorities will be willing to make a special exception for ICANN and waive GDPR requirements while it puts a replacement in place.

The law impacts all industries and there has been a two-year lead-up to the deadline. Regardless, ICANN's CEO has said he will attend a meeting of the Article 29 Data Protection Working Party in Brussels later this month to plead his case.

Case study

His best line of attack is likely to be that the GDPR was designed for internet giants like Facebook and Google and their vast databases of personal data but did not properly consider more structural services like Whois.

The six-page letter from the Working Party was itself in response to an explicit request from ICANN, sent last month, to provide feedback on its proposed solution for making Whois complaint with the GDPR.

The letter is precise and outlines a series of concerns with ICANN's proposed solution complete with recommendations for how to fix them. But the upshot is undeniable: the Whois service as it stands is illegal and ICANN's efforts to rejig its current system to work with the new legislation are not going far enough.

As to how ICANN has ended up in this situation, remarkably the Working Party makes plain its view in what amounts to a searing indictment over how the organization operates:

ICANN should take care in defining purposes in a manner which corresponds to its own organizational mission and mandate, which is to coordinate the stable operation of the Internet's unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case.

Which is a not-so-subtle way of telling ICANN that it doesn't care how much money or sway intellectual property lawyers have within its decision-making process. And neither should it. ®