How GDPR Will Affect WHOIS Data
The GDPR, or General Data Protection Regulation, took effect on May 25, 2018. The law protects the privacy of all Europeans and governs how their data may or may not be handled by mega-corporations such as Facebook, Google and others.
While GDPR and similar laws that deal with privacy are meant to be beneficial, there are times when they could actually make citizens more vulnerable, especially on platforms beyond the EU’s borders. One prime example is WHOIS: individuals, businesses, security researchers and entities who offer services and products rely mainly on WHOIS data but find themselves blocked by the GDPR clause.
What is the GDPR?
At its core, the GDPR is a data privacy regulation that works within all 28 member states. It started with the 1995 EU Data Protection Directive and was created by the collaboration, drafting and negotiation between the European Commission, the European Union Council and the EU Parliament. GDPR is a risk-based data protection rule that’s marked by fairness, accountability and transparency of processing European citizens’ personal data.
Furthermore, the GDPR demands absolute compliance by imposing a hefty penalty for misconduct: 20 million euros or 4% of the company’s worldwide annual revenue (whichever is greater). Originally, the data privacy regulation was created to protect the citizens of Europe, but it also covers any individual within the European border, residents and visitors alike. Moreover, the law applies to businesses and companies outside the border, as they could be offering services or goods to the people within, regardless of citizenship or status.
What Is WHOIS and Its Role in Internet Security?
WHOIS is a protocol system that lists contact and registration information for registered domains all around the world. ICANN, or the Internet Corporation for Assigned Names & Numbers, is the registrar body for WHOIS. It’s arguably the oldest tool on the web that can verify identities: who owns a particular domain, and whether any contact information (i.e., name, email address and phone number) is listed.
WHOIS has long been recognized as the de facto source for those who need to find the identity of domain owners for various legal or personal reasons. There are various WHOIS and domain lookup tools available on the web. Anyone who has an internet connection and a browser can look up contact information for any website, including phone number, address and name (unless the owner specifically opted not to).
The lookup platform is an invaluable resource for journalists, archivists, law enforcement and investigators. Here, they’ll be able to contact individuals for possible sources and as a first line of inquiry when malicious activities are detected. Cyber-security firms and researchers utilise the WHOIS database to try and discover the source of a vicious malware attack or a malicious domain, for example. Archivists would also normally go to a WHOIS tool to gain permission as they try to save content in an inactive or abandoned website before it’s lost forever.
How Is GDPR Affecting WHOIS?
Once you’ve determined what GDPR and WHOIS do, it’s easy to find the link between them.
GDPR’s nature is to protect the private data of people living in Europe. WHOIS is a central platform where people can find anyone who has registered an internet domain by name, email address and phone number. The interference begins when GDPR tries to prevent entities from making an EU individual’s data public, which by definition is what WHOIS does. The long-agreed clause between ICANN, or the Internet Corporation for Assigned Names & Numbers, will then be rendered illegal under GDPR’s light, as it doesn’t ask for people’s consent when listing their identifiable information and details.
The ensuing situation is tricky at best and unresolved at worst. In the meantime, security experts state that cyber criminals may see the confusion as a weakness and look to exploit open loopholes during this problematic phase.
The first action was taken in November of 2017, when ICANN stated it wouldn’t bring lawsuits against domain registrars who failed to comply with registration data management procedures. The organization will not penalize those who won’t publish invaluable WHOIS data until the whole GDPR-WHOIS mess has been resolved.
Then, in January 2018, ICANN revealed three possible solutions for domain registrars to satisfy the requirements of both the GDPR and the WHOIS system. But this also poses a problem: more and more WHOIS data will be deleted from the system, because companies would rather go the easier route than take the formal steps outlined in the GDPR. One prime example is GoDaddy, the largest domain registrar, and its action to retract WHOIS data for 17 million clients.
GDPR’s stringent rules have shrunk the WHOIS system considerably, reducing what was once the world’s largest informational domain database to a restricted form. On May 25, 2018, the ICANN Temporary Specification took effect, followed by a proposal to divide the WHOIS database into a “tiered access” system. Under this proposal, WHOIS details will become largely unavailable to everyone but those who have a vested, legitimate interest and have received ICANN accreditation. From there, these parties, which may include law enforcement, data security firms and people who can prevent malicious attacks and cyber crimes.
As it stands, ICANN is in a precarious situation with its WHOIS database. The efficacy of the platform is compromised by the GDPR and its far-reaching effects. After all, WHOIS has been the go-to source for identifying domain web owners for decades and has been invaluable in preventing cyber attacks and ensuring the safety of internet users around the globe.
Security experts rely mainly on WHOIS, and its usefulness will be marginalized if GDPR wins the battle. ICANN is in a bind, as it has to follow the regulations or else be hit with huge penalties. The right solution will be to find a way to balance user privacy while keeping the means that WHOIS could provide. Hopefully some kind of compromise and robust solution can be created and decided on in the near future.