Home / Blogs

First Do No Harm: Ensuring Compliance with the EU's GDPR While Preserving Access to WHOIS Data

Brian Winterfeldt

There is growing concern about how ICANN will comply with the EU General Data Protection Regulation (GDPR), whose enforcement sanctions come into force in May of 2018. How will ICANN comply with GDPR without unduly restricting global Internet users' access to the public WHOIS database? For nearly the past 20 years, Internet users, businesses, law enforcement and consumer protection agencies have relied on WHOIS as a necessary resource. GDPR compliance is challenging, but choosing the right compliance model is essential to the stability and security of the Internet. Choosing the wrong model — such as the draft eco model — could pose a longer term, existential threat to ICANN and its contracted parties.

Why is access to WHOIS essential?

Law enforcement agencies regularly use WHOIS to investigate online criminal activity. WHOIS is a key tool for consumer protection agencies to investigate and enforce against online fraud, phishing attacks and deceptive schemes. Cyber-security teams regularly use WHOIS to assess urgent threats to the safety and security of the Internet and combat online attacks. Every day consumers also check the WHOIS database to ensure that the party behind a particular website is legitimate and not affiliated with a scam. Accurate and accessible WHOIS data is equally vital to trademark and copyright owners to identify alleged infringers and protect the public from counterfeits and illegal content, which can contain malware. Trademark owners, for example, use WHOIS data to identify "cybersquatters" who register domain names that are identical to or are common misspellings of trademarks. In order to prove bad faith under the U.S. Anti-Cybersquatting Consumer Protection Act or to bring a UDRP or URS action, trademark owners must rely on WHOIS data to investigate the identity of the registrant, the registrant's country and location of origin, and their email and physical address. WHOIS is also used as a tool to show a pattern of bad faith infringements, including in establishing that the defendant has unlawfully "warehoused" a variety of domain names targeting well-known trademarks.

These are just some examples of the many legitimate uses by global stakeholders relying on access to WHOIS today. These uses play an important public interest and consumer protection function. It is important to keep in mind that checking the WHOIS database is often just the necessary first step users take before pursuing any further action. Stripping away access to that critical first step would create a domino effect of negative consequences for all stakeholders. Online fraud, serious crimes and security risks will continue to proliferate. But law enforcement and consumer protection agencies will no longer have the self-help tools they need to effectively protect the public. IP owners will no longer be able to investigate infringements and will need to presume that every domain name is a potential infringement. Serving millions of subpoenas on ICANN, registrars and registries and incentivizing lawsuits is not in anyone's interests.

So, how will ICANN face this challenge? With the deadline for GDPR compliance looming, ICANN is moving quickly to solicit various possible compliance models. ICANN has urged the community to submit different models with the goal of "ensur[ing] compliance with the GDPR while maintaining WHOIS to the greatest extent possible." [1] ICANN is correct that inherent in any acceptable compliance model is the goal of maintaining access to WHOIS data to the greatest extent possible. The question is now how ICANN will ensure that appropriate access to WHOIS data is preserved. Although many models have been, and will likely soon be submitted to ICANN for its consideration, as a guiding principle, ICANN should not accept any model unless it preserves WHOIS access to the greatest extent possible.

Flaws in the proposed eco model

A European Internet industry trade association known as "eco" has already socialized an early model, which it will likely soon formally submit for ICANN's consideration.

The eco model appears to adopt an overly conservative approach designed to minimize the risk of GDPR penalties levied against ICANN contracted parties by EU Data Protection Authorities (DPAs) at the expense of everyone else. Unfortunately, the eco model fails to include in its analysis the potential legal, geo-political, security and reputational risks of unduly limiting WHOIS data processing. The eco model, unfortunately, is not a solution that achieves the goal of complying with GDPR while maintaining WHOIS to the greatest extent possible.

The eco model makes the flawed assumption that only registrars' use of their customer's data (tied to their particular contract with the customer) is "low risk" while the legitimate needs of third parties to access such data is "medium risk." Even though the GDPR requires an entity to obtain the actual consent of a customer to publish their data as a basis for processing and publishing such data, eco deems obtaining user consent as "high risk." As ICANN's Hamilton law firm has acknowledged, many publicly available EU registries (including trademark registries and corporate registries) exist today providing many of the same data fields to the public as those listed in the WHOIS database. These public-facing registries serve an important public interest function and have managed to exist without being labeled as "high risk" for GDPR compliance purposes. Yet the eco model also asserts that "contrary to what is the case for public trademark and commercial registers, there is no specific legal basis legitimizing or even requiring the operation of a public domain directory." The eco model also makes no attempt to distinguish between data of a natural person and legal person — a key aspect of the scope of the GDPR. (The eco model merely hints at the possibility of such a distinction based on self-identification by the registrant, subject to further input by DPAs.) Because the GDPR only protects the personally identifiable information of "natural persons," this distinction should not be swept aside to figure out later, if at all. Such a distinction should be a key feature of any balanced compliance model from the very start. Numerous public data registers already distinguish between natural and legal persons, including in country-code Top Level Domain (ccTLD) context, where numerous European ccTLDs use self-identification to assess whether data is that of a natural or legal person. [2]

The eco model is also troubling because it concludes that publication of a registrant's email address in WHOIS does not comply with the GDPR. As discussed, there are many reasons why third parties or the registrant itself would need a public facing email address. A user's email address should not be considered any more "personally identifiable" than a user's name or physical address. In today's Internet-connected world, an email address serves a vital function for quickly contacting the registrant and preventing harms. In many cases, registrants themselves would want a published email address, as a point of contact to address business transaction issues or for added security or transparency.

While the eco model minimally acknowledges that others have legitimate interests in WHOIS data, it focuses only on the data necessary for registry operators and registrars. It fails to adequately discuss the legitimate interests of other third parties. For example, the eco model notes that mitigating abuse is a legitimate interest, but proposes that such an activity would be conducted by the registry. Clearly, law enforcement, cyber-security, and consumer protection agencies, among others, would also have a logical role in mitigating abuse, and therefore an equally valid need for this data.

The eco model also suggests that the publication of registration data in a public WHOIS directory "can only be legitimized based on consent by the data subjects, but that publishing WHOIS data based on registrant consent presents a high risk to the data processors." Again, this ignores the other available legal grounds in the GDPR for data processing, including legitimate interests, which can be used in addition to consent by the data subject, to support this data processing.

Instead of considering any kind of tiered access or layered model (where some data might not be public facing but still accessible to certain users through some type of gated access) eco dismisses any form of publicly accessible WHOIS database. Again, this is not consistent with the goal of preserving as much of the current Whois system as possible while complying with GDPR.

Reaching a more balanced solution, which preserves more of the current system at the outset, better serves the interests of the community as a whole, including registries and registrars. While eco places primacy on avoiding GDPR fines, it ignores the other legal, security, geo-political, and reputational risks (and cost burdens) that would follow if ICANN implemented the eco model in its current form.

Other models are being or have been developed, which hopefully will address the shortcomings of the eco model and provide a more balanced compliance approach. Perhaps the old medical saying, "first do no harm," is the best guiding principle ICANN should embrace as it works through the difficult decisions that lie ahead. The principle of "do no harm" should not just apply to ICANN and its contracted parties but to all stakeholders who rely on legitimate access to WHOIS data.

[1] ICANN, Data Protection and Privacy Update – Plans for the New Year (Dec. 21, 2017).
[2] See, e.g., Hamilton Legal Analysis, Part 3, para. 2.8.3.

By Brian Winterfeldt, Founder and Principal at Winterfeldt IP Group
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Hello?? Anyone out there?? Theo Geurts  –  Jan 10, 2018 5:50 AM PDT

The approach/focus is wrong here.

Again we attacking solutions we deem not suitable for whatever reason.

The focus should be, give contracted parties a solution that is GDPR compliant with no risk of fines.

As long that risk is not of the table contracted parties want to play it safe, and who would blame them? Or is there a party/stakeholder out there that will indemnify contracted parties against all WHOIS GDPR related claims?

Hello?? Anyone out there??

I'm still a little slow.... John Berryhill  –  Jan 10, 2018 2:04 PM PDT

I'm still stuck on the definitional problem of "what is the service a registrar provides?" in relation to "registration".  The registry puts the name in the zone and provides resolution of DNS queries to the relevant nameservers.  The function of the registrar, as I've perhaps misunderstood it, is the service of associating a registrant with the domain name - i.e. identifying the registrant AS the registrant of the domain name.  The registrar does not provide the service of "making the domain name work", so there is no functional service provided by the registrar per se (leaving aside add-ons and upsells) beyond the service of indicating "this domain name is registered to this registrant".

In answer to Mr. Geurts, I would suggest that anyone professing to be an expert who proposes a "solution" to GDPR does so at their peril in the event that a registrar relies on said "solution".  That is why the conversation will remain focused on "attacking solutions we deem not suitable" instead of proposing solutions deemed suitable. 

In the domain secondary market, one of the more interesting potential registrar products would be a registrar service under which a domain seller affirmatively wants to be identified as the registrant of the domain name.  For an extra $X per name on an opt-in basis, the registrar can provide relevant registrants the additional service of what has been standard WHOIS until now, for registrants who want prospective purchasers to be able to verify that they are dealing with the actual registrant during the course of a proposed sale.

Sharing the risk Rubens Kuhl  –  Jan 13, 2018 5:58 AM PDT

While I understand IP interests in accessing registration data, it's curious that is being suggested that contracted parties do not use a low-risk approach in order to keep that access. It's somewhat comfortable and self-servicing telling other parties to take a risk, without sharing it.

One possibility would be a wide-range consortium of IP interests that would provide indemnification to contracted parties that kept WHOIS access as it's today and end up fined. Adding another popular saying to the mix, "put your money where your mouth is".

To post comments, please login or create an account.

Related

Topics

IP Addressing

Sponsored byAvenue4 LLC

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias