WHOIS vs GDPR Dispute: Does WHOIS Have a Future Under GDPR Rule?
The EU’s General Data Protection Regulation, or GDPR for short, came into force on 25 May 2018 and has been a buzzword in the IT world ever since. Not surprisingly, opinions about GDPR differ sharply, and nowhere is this more evident than in the case of WHOIS.
The big question is how GDPR affects WHOIS, and whether WHOIS can still be used at all under GDPR.
The conflict boils down to this: once you register a domain, your name, address, phone number and email address are published in the public WHOIS directory. Under GDPR those fields are personal data, and publishing them to the world without a lawful basis (such as the registrant’s explicit consent) is no longer permitted.
So where does this take us? Is there life for WHOIS now that GDPR is in full effect?
Two Schools of Opinion on WHOIS vs. GDPR
There are two schools of opinion on whether GDPR’s impact on privacy and cybersecurity will be positive or negative.
For one thing, privacy advocates claim that by restricting the availability of this data, GDPR will lead to significantly fewer cyber-attacks.
This reasoning makes sense if we take into account that WHOIS data is freely available to everyone, and is as susceptible to misuse as it is helpful.
For another, many security specialists are of the opinion that attackers in particular could use GDPR to hide behind. For security researchers, restricting WHOIS this way is a big no-no, as it makes distinguishing between safe and compromised Internet domains all but impossible.
GDPR is Already Making an Impact
It didn’t take long for WHOIS and GDPR to start clashing. More precisely, the Internet Corporation for Assigned Names and Numbers (ICANN) got into a legal dispute with the German-based domain registrar EPAG over GDPR, and so far the courts have sided with EPAG at every stage.
What’s the story? EPAG has a contract with ICANN which states that it must collect the domain owners’ contact details (name, address, email, phone number, etc.) for WHOIS. EPAG took the position that collecting this data is no longer lawful under GDPR and announced that it would sell domain names without collecting it.
Upon hearing this, ICANN took EPAG to court in Germany, seeking to force the registrar to collect the data for WHOIS or be prohibited from selling domain names.
Unfortunately for ICANN, the courts in Cologne didn’t see things its way and have rejected ICANN’s claim three times now, the latest being just a few days ago, on 7 August.
The appellate court dismissed ICANN’s appeal against EPAG, saying that ICANN didn’t “provide credible reason for seeking an injunction against EPAG”.
In the announcement following the court’s decision ICANN said:
“ICANN is considering its next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system and will provide additional information in the coming days.”
CA/Browser Forum Addresses GDPR Before It Becomes a Problem
If there is one criticism we can level at ICANN here, it is that the organization didn’t treat GDPR as something it needed to address until the courts got involved. The same can’t be said of the Certificate Authority/Browser Forum (CA/B Forum, or CAB for short).
On 1st August, CAB Forum introduced two new changes regarding the requirements for issuing digital certificates. Namely, Certificate Authorities can no longer use two of the ten methods, methods #1 and method #5, in order to validate the owner of the domain.
Why are these two methods important?
Because method #1 relies on WHOIS lookups: the CA validates the applicant by matching them against the domain contact published in WHOIS. With that method removed from the Baseline Requirements, validating domain control via WHOIS is no longer allowed, and a CA that continues to use it is issuing certificates out of compliance.
CAB could have done what ICANN did and gone to court, but probably realized the futility of that effort. Instead, it did the reasonable thing and moved on without WHOIS.
Of course, what CAB had going for it was the fact that CAs have eight other methods with which to validate domain ownership, so one or two fewer isn’t such a big deal, especially since the other banned method (#5) was not used much by CAs anyway. That method allowed an attorney to write a letter attesting to the ownership of a particular domain; according to CAB, however, attorneys are not competent to assess domain ownership.
Restricting WHOIS Access is Good News… for Spammers
Reading about ICANN’s court case, it’s easy to put all the blame on ICANN for not doing more to make WHOIS in line with GDPR. However, that is until you hear the other side of the story.
There are some for whom restricting WHOIS access will undoubtedly be good news, but they are not a group anyone wants to help. We are talking about spammers, of course.
According to the Canadian anti-spam activist Neil Schwartzman, restricting WHOIS access would only bring more spam.
His reasoning is that anti-spam systems need WHOIS data to identify spam operations. Without it, defenders lose a key data source while spammers lose nothing, since they already have free rein to harvest anyone’s contact details from social media, data brokers or anywhere else on the Web.
Anti-spam and cybersecurity specialists rely heavily on WHOIS access. Reducing this access could leave websites more vulnerable to spam and third-party attacks.
It’s really a fine line that needs to be balanced between security on one side and privacy on the other.
What is the Future of WHOIS with GDPR?
The EU accounts for only about one-fourteenth of the world’s population, but the impact of GDPR is far greater than that, because it affects any company, whether in the EU or not, that collects data from people in the EU.
As a result, many organizations, domain registrars included, are not keen on running afoul of the regulation, so they are likely to adopt GDPR-compliant practices even for customers outside the EU who don’t have to be affected.
This doesn’t necessarily mean WHOIS is entirely incompatible with GDPR. However, ICANN, the registries and the registrars will need to find a way to collect and share their information without breaching anyone’s privacy.
One proposal is to replace each registrant’s email address with a cryptographic hash, computed with the same algorithm by every directory, so that the raw address is hidden while security analysts can still recognise the same registrant across records. The catch is that an unkeyed hash of a low-entropy value such as an email address is a pseudonym, not anonymisation: anyone holding a list of candidate addresses can hash them and match, so a keyed construction (an HMAC under a secret held by the directories) is needed if outsiders are to be kept from reversing it.
The problem with hiding a WHOIS record this way is that, even if it is likely to be GDPR-compliant, it provides no record context and no OSINT research avenues beyond “same registrant”.
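To make the trade-off concrete, here is an added example (my code, not part of the original article or of any ICANN proposal) that pseudonymizes the email field of a few constructed WHOIS-style records from two hypothetical registries. It shows that a shared deterministic hash still lets an analyst cluster domains by registrant, that an unkeyed SHA-256 of an email can be reversed by anyone with a candidate list, and that an HMAC under a secret shared only by the directories keeps the clustering while defeating that dictionary attack. The records, domains and the secret key are all invented for the example.

```python
import hashlib
import hmac

# Constructed sample WHOIS-style records from two hypothetical registries
# (not real data): the same registrant email appears in both, once with
# different capitalisation.
REGISTRY_A = [
    {"domain": "example-shop.test", "email": "Alice@Example.org"},
    {"domain": "login-example.test", "email": "alice@example.org"},
    {"domain": "unrelated.test", "email": "bob@example.net"},
]
REGISTRY_B = [
    {"domain": "example-secure.test", "email": "alice@example.org"},
    {"domain": "other.test", "email": "carol@example.com"},
]


def normalize_email(email):
    """Canonicalise before hashing so case/whitespace differences do not
    split one registrant into several pseudonyms."""
    return email.strip().lower()


def pseudonymize_email(email, key=None):
    """Return a hex pseudonym for an email address.

    key=None  -> plain SHA-256, the scheme discussed in the article.
    key=bytes -> HMAC-SHA-256 under a secret shared only by the directories;
                 an outsider without the key cannot test candidate addresses.
    """
    data = normalize_email(email).encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def pseudonymize_records(records, key=None):
    """Replace the email field of each record with its pseudonym."""
    return [
        {"domain": r["domain"], "email_hash": pseudonymize_email(r["email"], key)}
        for r in records
    ]


def cluster_by_registrant(*record_sets):
    """Group domains from any number of pseudonymized record sets by
    registrant pseudonym: the analyst's 'same actor across registries' view."""
    clusters = {}
    for records in record_sets:
        for r in records:
            clusters.setdefault(r["email_hash"], set()).add(r["domain"])
    return {h: sorted(d) for h, d in clusters.items()}


def dictionary_attack(pseudonyms, candidate_emails, key=None):
    """Recover addresses by hashing candidates and matching. Succeeds against
    unkeyed hashes; returns {} when the attacker lacks the HMAC key."""
    table = {pseudonymize_email(c, key): normalize_email(c) for c in candidate_emails}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    a, b = pseudonymize_records(REGISTRY_A), pseudonymize_records(REGISTRY_B)
    for pseudonym, domains in cluster_by_registrant(a, b).items():
        print(pseudonym[:16], domains)
    candidates = ["alice@example.org", "bob@example.net", "mallory@example.test"]
    print("recovered without key:",
          dictionary_attack([r["email_hash"] for r in a + b], candidates))
    # Assumption: this secret is held only by the directories, never published.
    secret = b"directory-shared-secret"
    ka = pseudonymize_records(REGISTRY_A, secret)
    kb = pseudonymize_records(REGISTRY_B, secret)
    print("largest keyed cluster:",
          max(len(d) for d in cluster_by_registrant(ka, kb).values()))
    print("recovered without key (keyed scheme):",
          dictionary_attack([r["email_hash"] for r in ka + kb], candidates))
```

The keyed variant only protects against outsiders; anyone who holds the key, or who can ask a directory to pseudonymize arbitrary input, can still test candidates, so access to that operation has to be gated as tightly as the raw data would be.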
Of course, ICANN isn’t unaware of the WHOIS privacy problem. In 2012 it proposed a Registration Directory Service, or RDS, a database in which the domain registration information from the registries would be compiled, much like WHOIS. The difference is that this database would be “gated” rather than publicly available.
That was six years ago, and if you haven’t heard anything about it since, that’s because there has been nothing to hear.
The bottom line is that WHOIS, whether we want to admit it or not, has had a problem for a while now. But that’s not to say that its time is over and that it should be tossed aside. No, WHOIS is not perfect, but neither is GDPR. But, where one “fails”, the other thrives. So, instead of putting them opposite each other, it is important to see how we can bring them closer as GDPR can definitely help where WHOIS seems to need help the most – privacy.