GDPR: Changes to the Domain WHOIS Database

As recently announced, the EU GDPR comes into effect on 25th May, bringing in a raft of new data privacy laws. The law has implications for domain registration and, in particular, for how the global WHOIS database works. The aim of this article is to provide some background on what WHOIS actually is, and why compliance has been, and remains, a complex issue for domain registrars.
The short answer is that, from May 25th, WHOIS will be going dark - if you're an EU resident, no personal data will be displayed in WHOIS results for domains that you register with Kualo.
What is WHOIS?

For those unfamiliar with WHOIS, it is a searchable database containing the details of domain and network owners. It has been online since the birth of the Internet in the 1980s, and was originally designed to display the contact details of domain and network owners, so that ownership could be verified or so that they could be contacted regarding legal issues. It also contains other technical data, such as the registration and expiration dates of a domain, the domain's transfer status and similar information.
An example WHOIS search is shown below:
Over the years WHOIS has undergone many iterations. It was originally run by a single entity, DARPA, in an age when the modern Internet was emerging from the US Military-funded ARPANET project. As the Internet evolved, and with an increase in domain registrars and top-level domain extensions, it was determined that WHOIS needed to be run by these respective commercial entities, resulting in multiple diverse databases that were all independently managed. For generic, non-country-level domains, these databases are all coordinated by ICANN. Country-specific TLDs, such as .co.uk, are controlled by the individual country's registry, such as Nominet in the UK or Afnic in France. When you conduct a WHOIS search, you will typically be using a proxy WHOIS service that determines the underlying database that needs to be queried - but the fact remains that though you search from a single place, the data that is stored and returned in the search result comes from different legal entities.
Until 1999, WHOIS searches were highly permissive and even allowed wildcard searches - so you could search by a last name and reveal all of the domains registered to that last name! As the Internet became more commercial, with the rise of unethical spammers, such permissive searching was restricted. Privacy protection services were also introduced by registrars, which allowed your contact information to be masked in the public WHOIS results, but retained you as the legal domain owner and provided an alternative mechanism for you to be contacted with any legal queries.
What are the implications with regard to the GDPR?

The WHOIS database poses a two-fold legal issue under the GDPR.
The first issue is that, because the WHOIS database is controlled by diverse entities, when you register a domain your personal data needs to be sent to the relevant registrar and also to the company that manages the specific TLD in order to process that registration. They are therefore considered sub-processors of the personal data that we collect in order to facilitate the registration. They must all be GDPR compliant, and we must have our customers' permission to pass that data to the immediate sub-processor in the chain, which will be enshrined in our terms of service.
The second issue relates to the fact that this personal data, including in many cases the registrant's name, email, phone number and physical address, is published in a publicly searchable WHOIS database. Even with privacy protection services available, this is not compliant with the GDPR, as data privacy must be the default state, as opposed to something which you must opt into.
The issue is complicated by the fact that there is no single entity managing WHOIS. Country-level TLD registries, such as Nominet, are free to create their own rules and processes. Generic TLD registries are under the direction of ICANN, and it is ICANN that defines what should exist in WHOIS for those domains; indeed, ICANN makes maintaining the WHOIS database a contractual obligation on the registrar.
Because there are multiple authorities, the data stored in WHOIS results varies depending on the TLD. In the example above for kualo.co.uk, which is a UK domain under the authority of Nominet, the personal data includes the postal address and registrant name (in this case a company, but it could also be an individual's name). Nominet do not require that the registrant's email address and phone number are included in the WHOIS, which has always been welcome, as it means that you are less likely to receive nuisance emails or phone calls from unscrupulous entities who scrape the WHOIS database. Furthermore, for non-commercial domain name registrations, Nominet also allowed the postal address to be removed from the WHOIS, as it was deemed to be necessary only for commercial domain names, so that consumers could be protected by knowing exactly who they were buying from. As such, Nominet never permitted any 'paid privacy protection' services to operate.
ICANN, on the other hand, have always required that the WHOIS contains the email address and phone number of the registrant. Here's an example of a .com domain WHOIS result, which includes phone number and email address:
ICANN did permit registrars to run privacy protection services, but unless this was taken up, these email addresses and phone numbers were almost immediately scraped by spammers upon domain registration.
The problem is that despite having over two years to implement a GDPR compliant solution, ICANN did nothing - and it wasn't until October 2017 that they finally realised that they were not exempt from GDPR legislation. This realisation came only after two European registries stated that they would refuse to run a WHOIS service, because in doing so they ran the risk of falling foul of GDPR regulations and facing potential fines. ICANN then sent threatening legal letters, informing them that it was their contractual obligation, to which the registrars responded by stating that the contract was "null and void" because it conflicts with EU law. This, finally, woke ICANN up, and they then issued a statement saying that they would not take action against registrars for non-compliance with their contractual obligation to run a WHOIS service, provided that those registrars also shared their proposed model for the future of WHOIS with ICANN.
As you can see, it's unfortunately a very messy quagmire.
How will WHOIS work after 25th May?

After 25th May 2018, we can confirm that no personal data of EU residents will exist in the WHOIS for domains registered with Kualo.
This will be welcome news for domain owners, particularly for those customers who register generic domains, such as .com, which are under ICANN's authority and where email addresses and phone numbers were included, often resulting in spam emails and calls.
How this is implemented will vary by registry. For UK domains, Nominet have announced how they will be meeting compliance with GDPR. By 25th May, UK domains will no longer have any personal data displayed in the WHOIS whatsoever, unless the domain owner specifically opts in to have that information displayed. Law enforcement agencies will, however, be able to access all registrant data via an enhanced searchable WHOIS database. Other entities who require domain contact information may also request access to this data via Nominet's data disclosure policy, which operates on a one working day turnaround. This will ensure that entities with a legitimate need for registrant details, typically law enforcement agencies and those with legal IP rights concerns, can reach the registrant.
For generic domains under the authority of ICANN, such as .com, there is unfortunately still no clear direction from ICANN, and it seems likely that nothing concrete will be in place for many months to come. As outlined above, until ICANN can agree a way forward, they will not be legally pursuing registrars for not complying with their contractual obligation to maintain an accurate WHOIS service. As such, from 25th May, all of the contact information for a generic domain name registered with Kualo will also be masked in the WHOIS, provided that any of the Registrant, Admin, Tech or Billing contacts is identified as being in the EU. Privacy protection will continue to be available, and will allow registrants to receive emails from interested parties via the PrivacyProtect.org website, for example so that they can be contacted in relation to domain sale enquiries. There is generally no risk of spam emails via this service, so if you do want to remain contactable in some way, it allows you to do so without revealing your email address and phone number.
As with .uk domains, access to domain registrant data may be granted when such access is necessary for technical reasons, such as for the facilitation of transfers, or for law enforcement agencies with a legal entitlement to access such data.
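As an added example (not Kualo's code, nor anything published by ICANN or a registry), the following Python script performs the proxy-style lookup described earlier, walking from IANA to the TLD registry to the registrar over the WHOIS protocol (RFC 3912, TCP port 43), and then reports which registrant fields in a reply still carry unmasked personal data, so a domain owner can verify the masking described above on their own domains. whois.iana.org is the real IANA server; SAMPLE_REPLY, whois.registrar.example and the field values in it are constructed.

```python
"""RFC 3912 WHOIS client that follows referrals, plus a check for unmasked personal data.
Added example, not Kualo's code; SAMPLE_REPLY is constructed, not a real record."""
import re
import socket
# Registrant fields in ICANN-style WHOIS output that the GDPR treats as personal data.
PERSONAL_FIELDS = ("registrant name", "registrant street", "registrant city",
                   "registrant postal code", "registrant phone", "registrant email")
MASKED = re.compile(r"redacted|privacy|not disclosed|data protected", re.I)

def whois_query(server, query, timeout=10.0):
    """Send one query to a WHOIS server on TCP port 43 and return the complete reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):  # the server closes the connection when done
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_fields(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name (last value wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and not key.lstrip().startswith(("%", "#", ">>>")):
            fields[key.strip().lower()] = value.strip()
    return fields

def referral_server(text):
    """Server the reply hands off to: 'whois:' from IANA, 'Registrar WHOIS Server:' from a registry."""
    fields = parse_fields(text)
    return fields.get("whois") or fields.get("registrar whois server") or None

def lookup(domain, query_fn=whois_query):
    """Walk IANA -> TLD registry -> registrar, as a proxy WHOIS service does; return the last reply."""
    server = referral_server(query_fn("whois.iana.org", domain.rsplit(".", 1)[-1]))
    reply, seen = "", set()
    while server and server not in seen:  # a registrar reply normally points back at itself
        seen.add(server)
        reply = query_fn(server, domain)
        server = referral_server(reply)
    return reply

def exposed_personal_data(text):
    """Personal-data fields whose value is present and not marked as redacted or masked."""
    fields = parse_fields(text)
    return [k for k in PERSONAL_FIELDS if fields.get(k) and not MASKED.search(fields[k])]

# Constructed registrar reply in the post-25th-May style, with the phone left unmasked on purpose.
SAMPLE_REPLY = ("Domain Name: EXAMPLE.COM\nRegistrar WHOIS Server: whois.registrar.example\n"
                "Registrant Name: REDACTED FOR PRIVACY\nRegistrant Street: REDACTED FOR PRIVACY\n"
                "Registrant Phone: +44.2071234567\nRegistrant Email: REDACTED FOR PRIVACY\n")
```

Pass `lookup` a custom `query_fn` to test the referral logic offline; with the default it performs live port 43 queries, and `exposed_personal_data(SAMPLE_REPLY)` returns `['registrant phone']`.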
We hope that this clarifies the current position as regards domain names and WHOIS in the GDPR world, and is a clear demonstration that the legislation is improving privacy on a global scale. The privacy concerns of the WHOIS database have long been known, and to be fair to ICANN, they have been unsuccessfully attempting to reform WHOIS since 2013, but have met opposition, including from the US Government, where the FTC objected to the notion of WHOIS going dark.
We fully welcome these changes to WHOIS and believe that it is fundamentally important that your data is protected in WHOIS. We look forward to seeing further clarity from ICANN with regard to formalised changes to meet GDPR requirements.