Apr 5, 2018 - by Matt Serlin
I think we are all hoping that when ICANN meets with the DPAs (Digital Protection Authorities) a clear path forward will be illuminated. We are all hoping that the DPAs will provide definitive guidance regarding ICANN’s interim model, and that some special allowance will be made so that registrars and registries are provided with additional time to implement a GDPR-compliant WHOIS solution.
But given that a major registry has recently announced their intention to essentially remove all contact data from publicly accessible WHOIS – things are not looking good for the future of WHOIS.
In a week’s time, we are likely to know where things stand, but a week is a long time to wait, especially when we are talking about something that has so many different implications and consequences. Instant access to free, publicly-available WHOIS information has been the norm for over 20 years - so to say the coming changes aren’t significant is to vastly underestimate what’s about to happen.
With that, let me gaze into my infamous crystal ball and share with you who I think the GDPR and WHOIS winners and losers will be.
GDPR is a huge win for privacy advocates. For years, these folks have stood up at ICANN meetings and eloquently spoken about the WHOIS system flying in the face of one’s right to basic privacy online. They have argued the simple act of registering a domain name should not come with the requirement to publish one’s personal contact information in a publicly-available WHOIS database. With GDPR, it becomes clear that registration of a domain name will no longer require publication of personal data in a free and open database.
Individuals Who Own Domain Names
If you’ve registered a gTLD for your personal use within the last few years, you know where I am going with this. The amount of spam and phone calls you’ve probably received has reached new heights. Under GDPR, while you may still receive unwanted email to an anonymized email address or via a web form, hopefully phone calls from telemarketers taking advantage of WHOIS details should cease.
While I’ve long said that information contained within WHOIS records for domains that are used to conduct fraud generally do not contain accurate information, there are sometimes breadcrumbs left behind which can be helpful in tracking down actual individuals, or at a minimum finding associated domain names. Regardless, with GDPR, uncovering ownership becomes much more difficult, and tying groups of domains together will become potentially impossible.
Undoubtedly, there are registrants who unknowingly register domains containing a famous brand. And of course, there are those who are registering domains leveraging the rights of others to drive traffic to their sites. In either case, these registrants win as it will become much more difficult to identify the individuals who have registered these names, and that may cause a drastic decrease in enforcement actions taken against these domain owners.
The ICANN Community
This may seem like an odd one, but the topic of WHOIS and access to domain name registration data has been a topic of debate and contention at ICANN since early on in its history. While maybe not the ideal process for doing so, GDPR may finally “solve” the WHOIS discussion. Clearly not every segment of the ICANN community is going to be pleased with the outcome, but if this is the impetus behind real change that can still result in access to some limited amount of registration data, let’s call that a win.
Without a doubt, enforcement of brands and trademarks online is going to get more complex as a result of changes to WHOIS. Brand holders have relied upon open access to WHOIS for years, as a first step to enforcement on infringing domain names. This once-taken-for-granted utility will become much less speedy and create inefficiencies that simply haven’t existed previously. While there is a proposal for gated-access to WHOIS information for IP enforcement uses, it clearly will not be in place on May 25th and may take months, if not longer. Clearly brand owners are in for some challenging times ahead.
Registrars and Registries
The contracted parties within ICANN are on the front lines of the GDRP regulation, as they collect and store personal information of their customers. It is their responsibility to ensure that they are compliant going forward. Significant development efforts have been underway to make changes to these systems and to ensure that they do not run afoul of these new privacy rules. With penalties up to 4% of annual revenue, the costs of getting it wrong are significant.
Not only will their jobs get more difficult in terms of investigations that require access to WHOIS information and the multiple processes they may have to go through to get access to contact information, other third-parties who no longer have access to WHOIS will begin going to law enforcement to leverage their access. Registries and registrars will generally make special arrangements for law enforcement agencies that others would not benefit from and in doing so, will drive requestors to engage with law enforcement creating additional work on top of already thin resources.
The ICANN Community
Wait, I thought you said the ICANN Community was a winner…what’s going on here?!?!
Well, within the ICANN ecosystem, policy is generally created by the community through a lengthy process where interested individuals participate to create proposals which then go to the ICANN board for review and approval. With GDRP, essentially the actions of an outside party (the European Union Parliament) are forcing changes to ICANN policy. The community has been scrambling for months to determine how the WHOIS system is going to look after the enforcement date and there will most likely be some interim solution in place at that time. The community will, most likely, need to come together to develop an actual policy that can be rolled out which would allow access to WHOIS information that would be GDRP compliant. With a relatively small group of devoted individuals already feeling burnt-out, adding into the workflow something as major as this will certainly be impactful.
As with all things ICANN, it will be interesting to see whether these predictions become reality. I know we are all hoping for the best.
With a focus on security, service and support, Matt Serlin joined Brandsight in 2017 to lead all domain operations, including client services and domain name provisioning. Matt has over 15 years of direct domain name experience most recently with MarkMonitor where he was instrumental in building the industry’s first dedicated client services team, which has become the de facto standard for all corporate registrars.