Is GDPR going to affect the WHOIS database, which has long helped law enforcement and security researchers uncover malware operators? According to two cybersecurity and privacy attorneys, GDPR is very likely to interfere with the availability of the database.
What Is WHOIS and Why Is It Useful?
The WHOIS service and database are operated by the Internet Corporation for Assigned Names and Numbers (ICANN). The service contains information collected by domain name registrars from around the globe. To that end, registrars have signed an agreement with ICANN that requires them to collect, update and keep available registrant, administrative, and technical contact information for every registered domain.
It is interesting to note that in some countries domain owners can pay for private registration services typically provided by the domain registrars. This way the WHOIS service will only show the registrar’s name and that of a forwarding service instead of the registrant’s personal details.
Now we get to the tricky part. Until GDPR went into effect, anyone could submit a query to the WHOIS service. Security researchers and law enforcement representatives, in particular, did so in bulk during their investigations. With GDPR, it becomes unlawful for registrars to provide a registrant's information without their explicit consent. In practice this makes the public WHOIS service futile.
Since no working solution has been outlined, ICANN has been forced to implement a temporary specification to guarantee that registrars keep up with the GDPR requirements while still providing WHOIS data:
This Temporary Specification for gTLD Registration Data (Temporary Specification) establishes temporary requirements to allow ICANN and gTLD registry operators and registrars to continue to comply with existing ICANN contractual requirements and community-developed policies in light of the GDPR. Consistent with ICANN’s stated objective to comply with the GDPR, while maintaining the existing WHOIS system to the greatest extent possible, the Temporary Specification maintains robust collection of Registration Data (including Registrant, Administrative, and Technical contact information), but restricts most Personal Data to layered/tiered access.
Users with a legitimate and proportionate purpose for accessing the non-public Personal Data will be able to request such access through Registrars and Registry Operators. Users will also maintain the ability to contact the Registrant or Administrative and Technical contacts through an anonymized email or web form.
In other words, law enforcement, security researchers and intellectual property holders will need to get in touch with the registrar to ask for access to non-public WHOIS data. Any other party will only get enough technical data to identify the registrar, the registration status, and the creation and expiration dates of each registration. No personal data will be provided; instead, the querying party gets an anonymized email address or a web form through which email communication with the relevant contact for that registration can be relayed.
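To make the "technical data only" view described above concrete, here is an added Python example (not code from the article, from ICANN or from any registrar) that parses a constructed post-GDPR WHOIS record, pulls out the fields any party still receives (registrar, status, creation and expiry dates, name servers), and reports which contact fields came back redacted and would therefore have to be requested through the registrar's tiered access. The sample record, the "REDACTED FOR PRIVACY" marker, the contact web-form URL and the field names are assumptions modelled on the common "Key: Value" layout of registrar WHOIS output.

```python
"""Split a post-GDPR WHOIS record into still-public technical fields and
redacted personal-data fields.

Added example; the record below is constructed, and the redaction markers and
field names are assumptions based on typical gTLD registrar output.
"""
import re
from datetime import datetime

# Constructed sample of what an unauthenticated query returns: registrar,
# status and dates survive, contact personal data does not. The contact
# web-form URL stands in for the anonymized channel the article mentions.
SAMPLE_WHOIS = """\
Domain Name: example-domain.test
Registry Domain ID: D123456789-EXAMPLE
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2018-05-25T00:00:00Z
Creation Date: 2015-03-01T12:34:56Z
Registry Expiry Date: 2025-03-01T12:34:56Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Country: DE
Registrant Email: https://registrar.example/contact/example-domain.test
Admin Name: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DOMAIN.TEST
Name Server: NS2.EXAMPLE-DOMAIN.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2018-05-25T00:00:00Z <<<
"""

# Assumed redaction markers; registrars differ in the exact wording.
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "GDPR MASKED")
# Contact sections whose personal data the Temporary Specification restricts.
PERSONAL_PREFIXES = ("Registrant ", "Admin ", "Tech ")
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 /]*?):\s*(.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_whois(text):
    """Return {key: [values]} for every 'Key: Value' line.

    Keys may repeat (Name Server, Domain Status), so values are kept as lists.
    Lines that are not key/value pairs (banners, '>>>' footers) are skipped.
    """
    record = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            record.setdefault(m.group(1), []).append(m.group(2).strip())
    return record


def parse_ts(value):
    """Parse an RDAP/WHOIS-style UTC timestamp; None if the field is absent."""
    return datetime.strptime(value, TS_FORMAT) if value else None


def public_summary(record):
    """Fields any party still receives: registrar, status, dates, name servers."""
    first = lambda key: record.get(key, [None])[0]
    return {
        "domain": first("Domain Name"),
        "registrar": first("Registrar"),
        "registrar_iana_id": first("Registrar IANA ID"),
        # Status lines carry an EPP URL after the code; keep only the code.
        "statuses": [v.split()[0] for v in record.get("Domain Status", [])],
        "created": parse_ts(first("Creation Date")),
        "expires": parse_ts(first("Registry Expiry Date")),
        "name_servers": [v.lower() for v in record.get("Name Server", [])],
    }


def redaction_report(record):
    """Separate contact fields into redacted vs. still-disclosed.

    The redacted list tells an investigation pipeline which fields it would
    have to request from the registrar under tiered access instead of
    expecting them in the public response.
    """
    redacted, disclosed = set(), {}
    for key, values in record.items():
        if not key.startswith(PERSONAL_PREFIXES):
            continue
        for value in values:
            if any(marker in value.upper() for marker in REDACTION_MARKERS):
                redacted.add(key)
            else:
                disclosed[key] = value
    return {"redacted": sorted(redacted), "disclosed": disclosed}


def domain_age_days(record, as_of_iso):
    """Age of the registration in whole days at as_of_iso (a UTC timestamp).

    Creation date is one of the fields that stays public, so a newly
    registered domain can still be flagged without any personal data.
    """
    created = parse_ts(record["Creation Date"][0])
    return (parse_ts(as_of_iso) - created).days


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(public_summary(rec))
    print(redaction_report(rec))
    print("age in days:", domain_age_days(rec, "2018-05-25T00:00:00Z"))
```

Running the module on the constructed record shows the registrar, the `clientTransferProhibited` status and the 2015 creation date intact, the country still disclosed, the contact email replaced by the web-form URL, and every name field listed as redacted; the redacted list is exactly what would have to go into a tiered-access request to the registrar.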
More about GDPR
The GDPR is a set of rules that had been in preparation for years in the European Union. In essence it is a complete overhaul of the existing data protection directives, and its main goal is to harmonize the laws regarding personal data across the member countries. According to the members of the European Parliament behind its creation, the new mechanisms will help strengthen control of data across the union. The debates and preparations ended when the rules were finally approved on 14 April 2016. GDPR went into effect on 25 May 2018, and the new rules are now mandatory.