Is WHOIS going to go away?

There is concern that the WHOIS database service will be in violation
of the new European GDPR which takes effect May 25th, and may have
to shut down.

http://www.theregister.co.uk/2018/04/14/whois_icann_gdpr_europe/

https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr18-en.pdf

  - Brian

Some more detailed info available at
http://domainincite.com/22854-panic-stations-as-europe-plays-hardball-on-whois-privacy

TL;DR: WHOIS will have less personally identifiable information; it won't
be shut down.

Rubens

EURID (.eu) WHOIS already works on a basis that no information about the registrant is available via standard WHOIS.
In order to get any useful information you have to go to https://whois.eurid.eu and make a request there.

Seems like a reasonable solution.

GDPR and other privacy regimes apply to both port-43 and WebWHOIS.

Rubens

Currently .eu and .gr domains do not have any whois records. .eu makes them available online, but .gr is under a much stricter privacy law in Greece, and makes no whois records available to anyone.

This has been so for years, and I can tell you of a few things / observations about this, since I’ve had many domains with both TLDs.

First of all, anything that looks for an e-mail in the whois records just doesn't work. That means that if you want a certificate for this domain and you follow the traditional, manual way, you either need a mail server running there so that hostmaster / postmaster / webmaster work, or the only other way is to add files. And that is if you have something running on the base domain and you don't just use it for subdomains.

Second, you never get any spam. If they can’t find your e-mail address, they can’t send you spam.

Third, it blocks legitimate uses of whois by people who need to know the identity of domain operators, such as abuse tracking projects, scam / phish projects, law enforcement, etc.

Finally, there are two ways to contact a domain owner. The first one is to look for a contact page in the website, if there is one. The second is to contact their registrar (the details of the domain registrar are available in the whois), and have them reach out to the owner on your behalf.

In my opinion, not all the information in the whois records should be there, from an individual's point of view, but the all-or-nothing situation right now isn't great. If I had to choose, however, I would choose no whois for now over the other, more leaky option.

I personally believe a lot of people would agree, given the fact that there's an entire market, and a plethora of domains, using Whois Guard or whois masking tools in general, for free or for a fee.

As far as abuse tracking goes, having whois available can help correlate websites, but only if the domain registrar allows only verified data to be added, whois masking is not used, or malicious actors only use the same data over and over. That last part may happen because the registrar does some verification, so it limits their choice of domain registrars.

P.S.: About the first thing, some CAs may e-mail the domain registrar's e-mail (which is usually admin / support / IT) for domain verification, which I'm not sure is fine... :)

It's not. All WHOIS information should be completely available
with no limits, no restrictions, in bulk form to everyone -- so that
everyone running every operation is identifiable to their peers and thus
accountable to their peers. I understand that some people don't want to
be exposed to that, and that's fine: but then they shouldn't be running
an Internet-connected operation.

The only people served by restriction on WHOIS availability are abusers
and attackers, and the entities (e.g., registrars) who profit from them.

---rsk

Not that whois data for domain names has been particularly useful for the
past decade anyhow since most TLDs and registrars either provide for free,
or sell as an addon, "private" registration via some "proxy corporation" or
whatever. Domain name whois for most TLDs has not been the sort of
accountability measure that ICANN seems to think it is for a very long
time, at least in practice.

I'd be much more concerned about RIPE's whois data for AS and IP address
maintainers.

As far as IP Addresses go (and domains too), currently GDPR recognizes the rights of individuals, not companies, which means that a company can be in the whois query, since it does not have the right to privacy.

My understanding is that this will only affect natural persons.

If you register a corp out of Nevada, the only person who gets to know the
names of the owners is the company lawyer unless someone shows up with a
warrant. It costs around $1,200 if I remember correctly.

So I can spin up a legit looking company and put that info into whois and
you essentially end up with useless info unless you can convince a court to
issue a warrant.

So why are you proposing that I can't run my *personal* "I strongly
believe in {insert emotionally-charged issue} site" without letting psychos
know exactly where I live?

-A

* Filip Hruska:

> EURID (.eu) WHOIS already works on a basis that no information about the
> registrant is available via standard WHOIS.
> In order to get any useful information you have to go to
> https://whois.eurid.eu and make a request there.
>
> Seems like a reasonable solution.

Why? How does the protocol matter?

Either you may publish individual personal information for use by the
general public, or you may not. Adding a 4 to the port number doesn't
change that.

The domain contacts of a domain owned by a legal entity are natural
persons, and are also protected by GDPR. So unless a domain contact is
something generic like "Technical Contact - techpoc@example.com" or similar
role accounts, that contact data is also considered PII.

Rubens
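Tying together two practical points made above, as an added example that is not code from the thread nor from any registry, registrar or CA: the observation a few posts up that a lookup for a contact e-mail simply finds nothing for .gr/.eu-style records (so a CA falls back to mailing fixed role addresses, or to file-based validation, and a human falls back to the registrar), and Rubens' distinction here between a natural person's contact data and a generic role mailbox. The script parses port-43 replies into contacts, flags withheld fields, picks the best reachable contact with the registrar's abuse desk as fallback, and lists which addresses a CA could still mail. The three sample replies are constructed; the field names, redaction markers and role-mailbox list are assumptions that differ per registry and must be adapted. The five "constructed" addresses are the ones CA/Browser Forum Baseline Requirements 3.2.2.4.4 permits; only `whois_query` touches the network and it is not exercised by the samples.

```python
"""Contacts from port-43 WHOIS replies, with a fallback when they are withheld.
Added example for this thread, not any registry's, registrar's or CA's code. The
samples are constructed; field names, markers and role list are assumptions."""
from __future__ import annotations
import re
import socket
from dataclasses import dataclass
from typing import Optional

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Mailboxes that name a function rather than a person (assumed list).
ROLE_LOCALPARTS = {"abuse", "hostmaster", "postmaster", "webmaster", "admin", "noc", "security", "support", "techpoc"}
# Phrases seen in withheld fields (assumed; extend from real replies).
REDACTION_MARKERS = ("REDACTED", "NOT DISCLOSED", "WITHHELD", "RDDS SERVICE")
# The five addresses CA/Browser Forum BR 3.2.2.4.4 lets a CA mail when WHOIS
# shows no contact; each needs a working mail server at the registered domain.
CONSTRUCTED_LOCALPARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

@dataclass
class WhoisContacts:
    registrar: Optional[str] = None
    registrar_abuse: Optional[str] = None
    registrant_email: Optional[str] = None
    admin_email: Optional[str] = None
    tech_email: Optional[str] = None
    redacted: bool = False

def is_role_account(email: str) -> bool:
    """True for generic role mailboxes, which identify no natural person."""
    return email.split("@", 1)[0].lower() in ROLE_LOCALPARTS

def parse_whois(text: str) -> WhoisContacts:
    """Parse 'Key: value' lines; lines starting with %, # or >>> are comments."""
    c = WhoisContacts()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if any(m in value.upper() for m in REDACTION_MARKERS):
            c.redacted = True
        m = EMAIL_RE.search(value)
        email = m.group(0).lower() if m else None
        if key == "registrar" and value:
            c.registrar = value
        elif key == "registrar abuse contact email":
            c.registrar_abuse = email
        elif key == "registrant email":
            c.registrant_email = email
        elif key == "admin email":
            c.admin_email = email
        elif key == "tech email":
            c.tech_email = email
    return c

def choose_contact(c: WhoisContacts) -> tuple[Optional[str], str]:
    """Prefer a published domain contact; otherwise go through the registrar."""
    for label, addr in (("registrant", c.registrant_email),
                        ("admin", c.admin_email), ("tech", c.tech_email)):
        if addr:
            return addr, f"{label} contact from WHOIS"
    if c.registrar_abuse:
        return c.registrar_abuse, "registrar abuse desk; ask them to relay"
    return None, f"nothing published; reach registrar {c.registrar!r} out of band"

def candidate_validation_emails(domain: str, c: WhoisContacts) -> list[str]:
    """Addresses a CA could mail: WHOIS domain contacts, then constructed ones."""
    domain = domain.lower().strip(".")
    published = [a for a in (c.registrant_email, c.admin_email, c.tech_email) if a]
    return published + [f"{lp}@{domain}" for lp in CONSTRUCTED_LOCALPARTS]

def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """RFC 3912 exchange: TCP/43, send query + CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

# Constructed samples: redacted gTLD-style, no-contact registry (.gr-style), open.
SAMPLE_REDACTED = """\
Domain Name: EXAMPLE-REDACTED.COM
Registrar: Example Registrar, LLC
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Email: Please query the RDDS service of the Registrar of Record
Tech Email: REDACTED FOR PRIVACY
"""
SAMPLE_MINIMAL = """\
% Registry publishes no registrant data
Domain: example-minimal.gr
Registrar: Example GR Registrar
"""
SAMPLE_OPEN = """\
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Email: jane.doe@mail.example
Tech Email: hostmaster@example-open.org
"""
```

Run against a live server with `parse_whois(whois_query("whois.verisign-grs.com", "example.com"))` and expect to adjust the key names; for .gr and .eu the port-43 reply will parse to a record with no e-mail at all, which is exactly the "nothing published, go through the registrar" branch. The role-account check is deliberately a plain allow-list of local parts: anything not on it should be treated as a person's data, not the other way round.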

How does this affect a SWIP of a range of IP addresses where a natural person is the one who is the target of the sub-assignment?

Does the GDPR restrict the unlimited publication of abuse@ addresses associated with the IP range, whether for natural person or legal person?

The EURID webwhois cannot be scraped; there are anti-bot measures in place (captcha, throttling, all information displayed in images).
Scraping WHOIS systems for thousands of domains at once using the WHOIS protocol is easy, though. There are "WHOIS History" sites which scrape all domains and then publish the data along with the date of retrieval.

GDPR contains this in relation to the right to erasure:

    Where the controller has made the personal data public and is
    obliged pursuant to paragraph 1 to erase the personal data, *the
    controller, taking account of available technology and the cost of
    implementation, shall take reasonable steps, including technical
    measures, to inform controllers which are processing the personal
    data that the data subject has requested the erasure* by such
    controllers of any links to, or *copy or replication of, those
    personal data*.

Controller is the TLD operator in this case, other controllers would be WHOIS scrapers. The problem here is the definition of "reasonable steps".
Would doing nothing be reasonable? Or would the TLD operator need to somehow track all those scrapers and contact them?

IANAL, but I see a problem here.

An individual can also own an ASN and IP space. You don't have to be a company.

GDPR only has jurisdiction over individuals who are citizens of
countries which are members of the EU. About 27 countries out of
almost 200 in this world. And companies which manage that data and are
also within the EU's jurisdiction.

But that jurisdiction arises from an individual's EU nation
citizenship.

So why not just have a checkmark at domain registration which asks
whether you believe yourself to be within the EU's jurisdiction and,
if so, no WHOIS publication for you, or very limited.

FWIW, I've been reading quite a bit of (unverified) information about this subject. If my impressions mean anything, that field would need to say "I am not in EU's jurisdiction", and the default would be *un*checked.

I wasn't the one proposing but GDPR basically prohibits your
information from being exposed via WHOIS even if you would like it to
be exposed.

It's not difficult to hide your info, most registrars provide a free
or low cost privacy option so any inquiry just responds with
information about the registrar or some proxy service. Or you can
contract with your own proxy service.

THAT SAID, most countries require you to provide accurate and up to
date contact information if you are doing business with the general
public.

Thus this whole issue is really just a product of the trend towards
personal, non-business (vanity, etc.) web sites.

Which itself is the result of inexpensive and ubiquitous always-on
internet connections and the rise of hosting services.

And points out something of a contradiction:

Prohibiting or severely restricting the publication of contact
information (WHOIS) while simultaneously requiring contact information
is made available (to the general public.)

Does anyone believe privacy etc will be enhanced by forbidding your
finding out who owns this domain you were directed towards by a search
engine?

Granted you may not get a satisfactory answer but then maybe you
choose not to do business with them, ok, your choice.

But what if the response is "SORRY BLOCKED BY GDPR"?

Do you do business with them? Or not?

> GDPR only has jurisdiction over individuals who are citizens of
> countries which are members of the EU. About 27 countries out of
> almost 200 in this world. And companies which manage that data and are
> also within the EU's jurisdiction.

Try finding a company in this area that does not have a subsidiary in the
EU, acquired an EU company, is based in the EU or has EU resellers.

> But that jurisdiction arises from an individual's EU nation
> citizenship.
>
> So why not just have a checkmark at domain registration which asks
> whether you believe yourself to be within the EU's jurisdiction and,
> if so, no WHOIS publication for you, or very limited.

For the companies that are subject to GDPR, they have to do this for every
natural person, not only the EU ones.

So this checkmark could in fact be "The registrant is a legal person, not a
natural person".

Rubens

>
>
>
> GDPR only has jurisdiction over individuals who are citizens of
> countries which are members of the EU. About 27 countries out of
> almost 200 in this world. And companies which manage that data and are
> also within the EU's jurisdiction.
>
>
>
> Try finding a company in this area that does not have a subsidiary in the EU,
> acquired an EU company, is based in the EU or has EU resellers.

What area? Do you mean geographical or trade?

My company doesn't fit that description.

Non-ccTLD registrars and registries (and RIRs in this case) have a
certain contractual relationship with ICANN.

But ccTLDs seem a pretty good counter-example, I doubt CNNIC accepts
EU legal authority for .CN, there are probably over 150 examples like
that.

Do you imagine the EU will try to hold CNNIC to GDPR requirements?

>
>
>
> But that jurisdiction arises from an individual's EU nation
> citizenship.
>
> So why not just have a checkmark at domain registration which asks
> whether you believe yourself to be within the EU's jurisdiction and,
> if so, no WHOIS publication for you, or very limited.
>
>
> For the companies that are subject to GDPR, they have to do this for every
> natural person, not only the EU ones.
>
> So this checkmark could in fact be "The registrant is a legal person, not a
> natural person".

No, because EU regulation doesn't apply to anything even approaching a
majority of persons on this planet.

There are about 500M people within the EU, and arguably the
regulations can also extend to those doing business with companies
doing any business within the EU.

Nonetheless there are still about 7 billion people on the planet of
which around 3 billion or so regularly use the internet and maybe 300M
who own domain names, etc.

And the extent to which a company might be beholden to an EU
regulation such as this in the case of a non-EU citizen merely due to
EU legal jurisdiction over that company (or one of its subsidiaries)
is, to be kind, unsettled law.

> Does anyone believe privacy etc will be enhanced by forbidding your
> finding out who owns this domain you were directed towards by a
> search engine?
>
> Granted you may not get a satisfactory answer but then maybe you
> choose not to do business with them, ok, your choice.
>
> But what if the response is "SORRY BLOCKED BY GDPR"?
>
> Do you do business with them? Or not?

Not.