Nominet drains mug of tea, leans back, calmly explains how to make Whois GDPR-compliant

.UK registry not entirely sure what all the fuss is about

The operator of the .uk domain-name registry has outlined the changes it plans to make to its Whois domain registration system to bring it in line with incoming European privacy legislation.

Nominet ran a short one-month public comment period asking for feedback on a range of proposed changes to its current system and published a summary of feedback [PDF] complete with its planned changes on Thursday.

The most significant change is that it will redact all registration data from Tuesday, May 22 – Europe's General Data Privacy Regulation (GDPR) comes into force three days later on May 25 – unless the domain owner explicitly gives it permission to do otherwise.

Aligned with that change, the company will allow domain name holders to opt-in to having their details made public – something that corporate customers in particular are unlikely to have a problem with.

But, as with a wider debate on how to make the Whois service compliant with the new law, the big question is: who is allowed to access the redacted information and through what mechanism?

Nominet's answer to this is seemingly simple: law enforcement agencies (LEAs) can access that data for no cost at any point through a searchable Whois. Presumably they will be given a login to Nominet's systems.

The company notes in its summary of feedback that only one of 58 respondents to the comment period (which collectively covered over 70 per cent of domains under the .uk registry) was opposed to granting LEAs free access. That respondent felt an LEA should have a warrant before being given the data.

So, the IP lawyers...

The thorny issue however – as has been the case in global DNS overseer ICANN – is whether corporations, and in particular their intellectual property lawyers, should also be granted access.

Unsurprisingly the IP lawyers felt they should.

From the summary: "The feedback from those promoting greater IP rights protection emphasized the role they played in crime prevention and suggested that the proposed approach would prove to be a 'severe hindrance.' It was argued that 'without the redacted information [the searchable WHOIS] is of little value.'"

They also claimed that redacting the information in the public Whois "doesn’t appear to be a proportional response." But others argued the opposite, questioning why anyone other than law enforcement should be granted access to personal data.

In the end, Nominet hit on an interesting two-part compromise. Anyone other than LEAs will be able to pay to have access to the searchable Whois – meaning that they will get an instant response for a fee – but will not get the registrant's name and address.

Or they can use its data disclosure request form – for no fee – and wait for the company to get back: something it says it will aim to do within one working day.

Nominet makes it plain it isn't sure that this system will be the best solution but it is the one it is going to go with in the meantime. "We will continue to closely monitor the volumes of data disclosure requests we receive to ensure the data disclosure process remains fit for purpose and adequately resourced," it noted.

And it referenced the ongoing debacle at ICANN, where the US-based company is relying on being granted a one-year moratorium by European data protection agencies in order to come up with a new approach and system.


"Nominet will also be closely monitoring how ICANN's policies and processes adapt to GDPR, particularly in relation to the proposal for an accreditation scheme to grant access to the newly configured Searchable WHOIS for non-LEAs," it notes. "We will consider how best to align ourselves to the emerging industry best practice in this area."

It is worth noting that while the bulk of Nominet's work revolves around the 12 million .uk domain names – which do not come under ICANN's jurisdiction – it also runs the back-end systems for more than 35 "global" top-level domains which do, including .vip, .work, .blog and .london. It is also in charge of the policies for the top-level domains .wales and .cymru – which come under ICANN jurisdiction.

The adjusted policies outlined in its document this week only cover .uk.

In order to deal with what will inevitably be some degree of confusion, Nominet has promised to provide "illustrative examples" on "the circumstances in which data will be disclosed" before GDPR kicks in.

A related change will be that Nominet will no longer draw a distinction between domain names registered by individuals and used for personal reasons and those registered by corporations for commercial reasons (currently it redacts personal-use domain data).

And it will close its "Privacy Services framework" which was used to provide proxy privacy services and which registrars typically charged a small additional fee for. With its new redaction approach, there is basically no need for the service – something that several registrars complained about since it’s a useful source of additional revenue. But charging someone for something that isn't needed is unlikely to sit well with anyone.

Summing it up, Nominet's chief operating officer Ellie Bradley said: "We have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation. While, as a result, we will be publishing less data on the Whois – we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests."

In short, the IP lawyers ain't gonna be happy. But tough. They can get the information for a fee, or they can get it for free if they wait a day. Now it remains to be seen whether ICANN can wrestle itself free from the same powerful interests and reach a similar compromise. ®
