
WHOIS Users Facing Serious Challenges Caused by Post-GDPR Fragmentation

Brian Winterfeldt

On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) became enforceable, meaning that European data protection authorities (DPAs) can now take action against non-compliant parties.

In preparation, the ICANN Board passed a Temporary Specification for gTLD Registration Data — essentially a temporary policy amendment to its registrar and registry contracts to facilitate GDPR compliance while also preserving certain aspects of the WHOIS system of domain name registration data. Unfortunately, the Temporary Specification permits registrars and registries to significantly reduce publicly-accessible WHOIS data, and does not include a mandatory minimum uniform mechanism for access to non-public WHOIS data for legitimate purposes (such as law enforcement, cybersecurity, or intellectual property rights protection).

The Temporary Specification merely states the following in connection with access to non-public data:

Contracted parties must provide reasonable access to personal data in registration data to third parties (1) on the basis of legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the registrant; or (2) where the Article 29 Working Party/European Data Protection Board, a court order of a relevant court of competent jurisdiction concerning the GDPR, or applicable legislation or regulation has provided guidance that the provision of specified non-public elements of Registration Data to a specified class of third party for a specified purpose is lawful.

See ICANN, Temporary Specification for gTLD Registration Data, Appendix A, Section 4 (May 25, 2018) (the "Temporary Specification").

Reported Challenges

Given the limited DPA or court guidance on whether providing any non-public WHOIS data to any class of third party is legitimate, requesters depend on ad hoc determinations of whether their legitimate interests are outweighed by the registrant's privacy rights in each individual case. A few contracted parties have published limited guidance on what information they require before they will grant a data access request (with no guarantee of success even then), but the vast majority have published nothing, and every decision is made case by case with no transparent or predictable criteria.

This problem is not limited to registration authorities based in Europe. It is already being observed throughout the world, including in the United States. In at least one case, a California-based registrar declined a data access request related to a specific intellectual property rights enforcement effort, stating that it "would provide no WHOIS data" at all, and gave no rationale for its decision. According to anecdotal reports, the same registrar has also refused to provide any mechanism for contacting its registrants for legitimate purposes, including domain name acquisition inquiries, even though the Temporary Specification requires either an anonymized registrant email address or a web form to facilitate registrant contact. See Temporary Specification, Appendix A, Section 2.5.1 ("Registrar MUST provide an email address or a web form to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself.").
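For investigators working through the fragmented output described above, the practical question for each record is: which registrant fields are redacted, which are simply absent, and does the record still carry the anonymized email or web form that Appendix A, Section 2.5.1 requires? The following is an added example, not code from the original post or from ICANN or any registrar. It classifies constructed WHOIS responses accordingly. The sample records, domain names and registrar hostnames are invented; the "REDACTED FOR PRIVACY" placeholder is the Temporary Specification's wording, but the other markers in the list are assumptions about variants you may see and should be extended per registrar.

```python
"""Classify WHOIS responses by how much registrant contact data survives redaction.

Added example; not from the original post.  All sample records below are
constructed, not real registrar output.  The marker list is an assumption:
"REDACTED FOR PRIVACY" is the Temp Spec wording, the others are variants to extend.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "GDPR MASKED", "NOT DISCLOSED")
CONTACT_FIELDS = ("Registrant Name", "Registrant Organization", "Registrant Street",
                  "Registrant Phone", "Registrant Email")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_whois(text: str) -> Dict[str, str]:
    """Flatten 'Key: Value' lines into a dict, keeping the first value per key."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments, terms-of-use footers, "Last update" trailers
        key, sep, value = line.partition(":")  # first colon only, so URLs survive
        if not sep:
            continue
        fields.setdefault(key.strip(), value.strip())
    return fields


def is_redacted(value: str) -> bool:
    upper = value.upper()
    return any(marker in upper for marker in REDACTION_MARKERS)


@dataclass
class ContactStatus:
    domain: str
    present: List[str] = field(default_factory=list)
    redacted: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)
    contact_email: Optional[str] = None
    web_form: Optional[str] = None

    @property
    def has_contact_path(self) -> bool:
        """Section 2.5.1 is satisfied if either an email or a web form is published."""
        return self.contact_email is not None or self.web_form is not None

    @property
    def anonymized(self) -> bool:
        """Identity fields redacted, but a contact path still exists."""
        return bool(self.redacted) and self.has_contact_path


def assess(text: str) -> ContactStatus:
    fields = parse_whois(text)
    status = ContactStatus(domain=fields.get("Domain Name", "").lower())
    for name in CONTACT_FIELDS:
        value = fields.get(name)
        if not value:
            status.missing.append(name)      # field dropped entirely
        elif is_redacted(value):
            status.redacted.append(name)     # placeholder published
        else:
            status.present.append(name)      # real or anonymized value
    email_field = fields.get("Registrant Email", "")
    if email_field.lower().startswith(("http://", "https://")):
        status.web_form = email_field        # web form published in the email slot
    elif EMAIL_RE.match(email_field):
        status.contact_email = email_field   # direct or relay address
    return status


# Constructed sample records (not real registrar output).
THICK = """Domain Name: EXAMPLE-THICK.TEST
Registrar WHOIS Server: whois.registrar-a.test
Registrant Name: Jane Holder
Registrant Organization: Holder Ltd
Registrant Street: 1 Sample Road
Registrant Phone: +1.5555550100
Registrant Email: jane@example-thick.test
>>> Last update of WHOIS database: 2018-05-24T00:00:00Z <<<
"""
REDACTED_EMAIL = """Domain Name: EXAMPLE-ANON.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: 8f3a2c@anonymised.registrar-b.test
"""
REDACTED_FORM = """Domain Name: EXAMPLE-FORM.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: https://whois.registrar-c.test/contact?domain=example-form.test
"""
NO_CONTACT = """Domain Name: EXAMPLE-DARK.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
"""

if __name__ == "__main__":
    for record in (THICK, REDACTED_EMAIL, REDACTED_FORM, NO_CONTACT):
        s = assess(record)
        print(f"{s.domain}: redacted={len(s.redacted)} missing={len(s.missing)} "
              f"contact_path={s.has_contact_path} anonymized={s.anonymized}")
```

The fourth record is the failure mode the post describes: every identity field is redacted and the email slot carries the placeholder rather than a relay address or web form, so `has_contact_path` is false and the record is worth flagging for follow-up with the registrar or ICANN Compliance rather than silently treated as "private".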

Further complexity comes from an unclear and inconsistent distinction between registration data that is masked because the registrant uses a proxy registration service, and registration data made non-public in response to GDPR. Certain registrars have traditionally treated the former category as untouchable short of a subpoena or court order. In that vein, another registrar reportedly declined to provide registrant contact information in response to a request prompted by a phishing attack carried out using the relevant domain name. It is unclear on what basis the registrar withheld critical registration data in the face of a well-founded and immediate need. The result is that consumers are now more exposed to theft of their personally identifiable information, because domain-based phishing attacks take much longer to resolve.

Furthermore, it appears that some contracted parties are not even complying with the Temporary Specification where it expressly mandates that certain registration data be provided in specific contexts. For example, anecdotal reports describe an EU-based registrar that was asked by a UDRP provider to confirm the underlying registration data in connection with a UDRP proceeding and refused to provide the full data, despite the applicable requirements of the UDRP (an ICANN Consensus Policy), the UDRP Rules, the Temporary Specification, and other binding provisions of the registrar's accreditation agreement with ICANN. See, e.g., Temporary Specification, Appendix E, Section 1.1 ("The Registrar MUST provide the UDRP provider with the full Registration Data for each of the specified domain names, upon the UDRP provider notifying the Registrar of the existence of a complaint, or participate in another mechanism to provide the full Registration Data to the Provider as specified by ICANN.").

At a higher level, at least one major global company has already estimated that its ability to effectively enforce its trademark rights against infringing domain names may drop by 24% in the wake of the GDPR effective date and the adoption of ICANN's Temporary Specification.

Conclusion and Next Steps

Although it remains early days, the impact of GDPR on the WHOIS system is already being felt by legitimate parties who rely on WHOIS data to protect Internet users from harmful activity. Anecdotal reports are already starting to pour in identifying specific challenges presented by the current fragmented and unpredictable state of WHOIS services.

This is clearly unacceptable. ICANN has been entrusted with oversight of the domain name system and, specifically, with preserving the security and stability of the Internet. By not including an accreditation model for legitimate purposes, ICANN has destabilized the industry and contributed to the ensuing chaos. ICANN must step in without further delay to lay down a harmonized framework for credentialed access to non-public WHOIS data for specific pre-determined legitimate purposes. ICANN must also bring its full contractual compliance toolkit, including mediation, arbitration and even litigation, to bear in order to enforce not only the Temporary Specification but also that harmonized framework. In the meantime, businesses, brand owners, cybersecurity professionals, law enforcement and government agents, and others who rely on WHOIS to conduct vital anti-abuse and consumer protection activities in the public interest should continue to document the harms and challenges caused by the current state of the broken WHOIS system.

By Brian Winterfeldt, Founder and Principal at Winterfeldt IP Group

Get shielded Theo Geurts  –  Jun 10, 2018 11:50 AM PDT

Perhaps it is an idea for US IP companies like the Winterfeldt IP Group to get Privacy Shield certified?
This would make things a lot easier for EU registrars.

https://www.privacyshield.gov/PrivacyShield/ApplyNow

WHOIS was already fragmented Rubens Kuhl  –  Jun 11, 2018 11:19 AM PDT

Before GDPR, there were already many WHOIS systems and practices in the world: each regional address registry (there are five of them, one per region of the world) had one, each ccTLD had one (and there are hundreds of ccTLDs), and even gTLDs were split into thick WHOIS gTLDs and thin WHOIS gTLDs, and for the thin WHOIS ones there were thousands of different implementations in registrars. The level of fragmentation now is higher, but not much different than before.

On not complying with the Temp Spec: ICANN issued a policy with an effective date days after it was published… this was bound to generate implementation lag, as ICANN itself recognized by inserting "as soon as commercially reasonable" in most clauses.

When asked by ICANN, contracted parties said on record that last September was the last opportunity for guidance on GDPR implementation that would be assured implementation by the May 25th deadline. Since we are not there yet for some parts, that means we might be looking at a May 25th 2019 deadline *if* things get closed by September.
