SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 90: WHOIS GDPR: A Primer

Posted on May 24, 2018

Imagine if whenever you went to buy something — a car, perhaps — the information you handed over in the purchasing process became public record for anyone to see and search. All they’d have to do is plug your license plate in, and they’d be able to see your name, address, and phone number. If you’ve never registered your own website, then you might not know this is pretty much exactly how it works online unless you shell out some extra cash for private registration through a proxy service.

When someone registers a website, vital information about the registrant becomes part of a database maintained by the registrar, known commonly as WHOIS. Whether this is a good thing or a bad thing has been a subject of fierce debate for many years. This is all about to change thanks to the advent of some new rules and regulations in Europe. The effects of these new rules are large and far-reaching, and they mark a big turning point in efforts for better online privacy.

That’s why today, we’re looking at how the European Union is rolling out a new paradigm for online security, known as GDPR, and how it’s having a global effect on the Internet and the future of the WHOIS database. On our list:

  • What is the GDPR?
  • WHOIS explained
  • How GDPR affects WHOIS
  • Can ICANN find a solution?
  • The pros and cons of these changes

Let’s start by answering the most basic question: what are these new rules?

What is the GDPR?

The EU often looks for ways to come up with protective, regulatory laws that then apply to all member states in equal measure, with the goal of moving Europe into the future as one unit. Some past examples of this include consumer protection legislation which mandated refunds for software products upon request. The latest of these efforts is the GDPR, the General Data Protection Regulation. As part of the EU’s overall efforts to foster the development of a unified framework for the safe and responsible use of technology, it aims to address many privacy-related problems that have become abundantly clear in the last decade.

The rules contained within the GDPR specifically apply to EU member states, who have been directed to set up “data protection agencies” responsible for enforcement of GDPR rules within their own nations. However, international organizations and businesses that handle the data of EU citizens must also comply with the new law, and the GDPR sets out clear jurisdiction for those who operate in Europe. Since the Internet has no borders, that means many organizations have been hard at work to bring their systems into compliance with the GDPR; some hope that this will have a ripple effect and have positive impacts for those in the US, too.

The core purpose of the GDPR is to eliminate a confusing patchwork of rules and institute standards for everything from the reporting of data breaches to the way sites collect, handle, and store user information. In the US, every state can have different requirements for digital privacy, which leads to inconsistent compliance and plenty of loopholes. The GDPR is the EU’s attempt to go in a different direction. The committee of national representatives who forged the GDPR looked at the current state of digital security and privacy and asked: “How can we do better?”

The final deadline for GDPR compliance is May 25, 2018, and its approach was no secret. The original proposals were unveiled more than two years ago to give companies and countries time to integrate the new rules, formulate plans for compliance, and to implement those practices by the end of May this year. However, many businesses and websites primarily based outside the EU, especially in the US, have exhibited some surprise and a lack of awareness about the obligations they may face from this new law. Remember: if they’re handling the info of an EU citizen, they need to be careful about what they do.

That’s because the GDPR has some serious teeth to back up its provisions. If a business were to breach the most serious rules concerning the proper ways to handle user data, they would face a truly massive fine of 20 million Euros or 4% of the company’s total annual revenue — whichever one is larger! Other, lesser levels of fines remain hefty, coming in at 10 million Euros or 2% of revenue. For companies that try to skirt the GDPR rules, there are big consequences on the table designed to ensure that companies like Google and Facebook understand the need for compliance.

So, what are these rules enforced by such hefty financial threats? Let’s break down a few of the biggest changes EU users will see from these rules before we move on to one of the most direct impacts we’re already seeing in the US.

First up: privacy by design and by default. These two powerful provisions will transform the way companies handle a user’s information from the word “go.” Privacy by default refers to a simple concept we can all appreciate. Remember those boxes that websites always tick for you when you sign up for an account saying that you want to enroll in their newsletter or allow them to gather data about your usage? Now they must default to the setting that shares as little information about you as possible. This will help stop accidental opt-ins and put more power in the user’s hands. Similarly, privacy by design is all about mandating that developers create new systems with privacy in mind from the first concept. By building new systems with privacy and user security at the forefront, the hope is that more people will take seriously the need to steward this information carefully.

Next: the right to be forgotten, a hot topic in recent years. Organizations that hold onto an EU citizen’s data must now delete it entirely within 30 days if certain conditions are met. The most important of these conditions is a user’s withdrawal of consent for sharing their information. Once they submit such a request to the site, it is their right to be “forgotten” by the site altogether. This provision raises many questions about how companies such as Facebook and Google will handle compliance.

The GDPR also implements stronger rules concerning data breaches. Are you tired of finding out that some hackers broke into your favorite website and stole your data months or even years after the actual breach occurred? EU regulators were tired of it, too. The GDPR now mandates that companies report breaches within 72 hours to their country’s data protection agency, and they may be required to report to users as well. Exceptions may be granted, but only if the company can demonstrate a minimal impact from the intrusion. It’s a big win for consistency and transparency when it comes to our data.

There are many more rules, but we’ll turn to the one at the heart of today’s discussion: pseudonymization. Now, businesses will need to take care that a user’s identifying information is not publicly available. They must also take steps to obfuscate this data to make it impossible to identify to whom it relates. These rules, along with a slew of others governing the use of public data, are at the heart of the current storm of controversy and concern in the US. That’s because these rules would have a massive impact on the availability of public WHOIS databases of website registration information, which until now has been a requirement around the world.

Why does that matter? Answering that requires an understanding of what WHOIS really means in the first place.

WHOIS explained

Technically, WHOIS is a protocol, not an actual database; in practice, the name for the method has become the name for the repository the method searches. In short, this is a system for saving and retrieving information about to whom a particular web domain belongs. This practice has its roots all the way back in ARPANET, the first precursor to the Internet, when there were highly centralized records for who owned which domains. Today, there is no single central record of every domain registration. Instead, each registrar is required to maintain their own complete, detailed list, which can be queried through the WHOIS protocol.

WHOIS has undergone substantial evolution over the years, and its current iteration is nearly 20 years old. In 1999, the Internet Corporation for Assigned Names and Numbers, aka ICANN, began to manage major top-level domains like .com and .org. ICANN is an American nonprofit that exerted considerable influence over domain name servers and domain registration in general in prior years. At the time ICANN took over domain regulation, they switched to the current decentralized system and made WHOIS a requirement for using ICANN’s domains.

Querying these lists is easy. If you go to any domain registrar or even ICANN’s own website and plug in any web address, you can find out some basic information about who registered it — and it includes more than you might think. A WHOIS entry will include the registrant’s name, full street address, business name, phone number, any listed fax numbers, and the email address used to register the account. In the 1990s and early 2000s, it wasn’t uncommon to be able to find websites registered to someone’s home address and phone number. The idea, of course, is that this adds accountability and makes it easier for the authorities to know who operates a domain if used illegally.

As we mentioned above, though, users who pay the registrar or a third-party service an additional fee can exercise some privacy by shielding their information from public view. Today, all major organizational registrations and many personal ones use these services. Overall, there are both benefits and downsides to WHOIS in its current format, but there has been fierce debate over its usefulness for years before the GDPR came onto the scene.

In fact, ICANN itself has discussed abolishing the WHOIS system several times in the past with the goal of replacing it with a more private, restricted-access implementation. It’s rather ironic, as we’ll shortly discuss, that this precise situation is what has caused ICANN a great deal of consternation. Each of the prior proposals fell flat, though, after pressure from industry lobbying groups who rely on WHOIS data. So why is WHOIS in trouble because of the GDPR?

How GDPR affects WHOIS

If you read through the description of the GDPR and then learned about how WHOIS works and thought: “These don’t sound like they could work together at all,” you’d be right! The GDPR’s requirements for hiding user information from public view mean that continuing to operate WHOIS systems around the world as-is would be nearly impossible. That is because, to continue showing info publicly, the system would have to fragment: European data would be walled off, while registrants in non-EU countries would still be visible to anyone who cared to look.

The specific rule states that those who collect user information must minimize the amount of processing it receives and restrict its access only to those who need it for providing services. In other words, this would be an enforcement nightmare. ICANN already has its hands full trying to determine how to comply with these rules without fragmenting the entire WHOIS system.

That means when the GDPR goes into effect, we can almost assuredly expect widespread, open, and public access to registration information to come to an end. That doesn’t mean the information wouldn’t still be gathered, of course, but it would be the responsibility of registrars to keep that data under lock and key so that only those with strict authorization could access it at all.

How big of an effect will this have on the web? For the average person, there won’t be any noticeable change at all. The rush of headlines proclaiming “GDPR kills WHOIS” at the end of April and the beginning of May seemed to paint the EU’s efforts as a targeted blow. However, the reality is much simpler: WHOIS is a large-scale example of the kind of system the EU believes its citizens would be better off without.

Registrars in Europe have worked towards compliance in this regard for some time now, and in fact, it was an EU registrar that woke ICANN up to its responsibilities. The US nonprofit, whose own regulations were the ones stipulating the maintenance of WHOIS, seems to have taken too much time trying to formulate a response to the GDPR. In fact, perhaps they didn’t even take it seriously at first. That brings us to where we are today, with the sunset on the horizon for this long-standing bastion of information on the Internet.

Can ICANN find a solution?

Recall that the EU put the initial rules proposals on the table nearly two years ago, and that the approach of the GDPR has been a hot topic in the technology sector for a long period as a result. However, authorities at ICANN seem to have missed the memo. Some speculate that those at ICANN believed they were exempt from the GDPR due to their status, or that perhaps they did not recognize the extent to which the new laws would apply to their existing procedures and systems.

In fact, it wasn’t until the registrar responsible for the .amsterdam and .frl domains refused to operate a WHOIS database that ICANN realized it had a problem. After the registrar’s refusal, ICANN sent a legal warning to the business, alleging breach of contract and threatening the revocation of that registrar’s right to sell access to its domains. However, the registrar responded with a stern letter of its own, arguing that EU regulations overrode ICANN’s provisions and made that portion of their contract unenforceable.

At this point, the proverbial lightbulb went off in someone’s head. This event kicked off a huge rush to try and figure out a way to change or preserve the WHOIS system so that it would comply with the new rules. More than a dozen proposals were submitted by ICANN members and circulated, with none of them reaching a majority consensus. Why does ICANN put up so much resistance to the idea of simply hiding away user information from public view?

One reason could be those lobbying efforts we mentioned. Law enforcement and copyright enforcement attorneys both view WHOIS as a valuable tool in the fight against bad actors. Because they often rely on WHOIS data in investigations, they put up the most strenuous resistance to the abolition of the system. Now it looks like the EU has taken that initiative away from those lobbies, but their effects remain as ICANN tries to navigate this mess of its own design.

With no clear way to proceed, ICANN has since asked the data protection agencies in Europe for a time extension or a special exemption from enforcement of the new law while they seek a way to modify the WHOIS system. This isn’t likely; the EU is disinclined to start carving out exemptions left and right, especially when it’s an individual’s privacy at stake. Will ICANN face any of the huge fines set out in the GDPR? That’s a question whose answer remains to be seen, but it means the stage is set for a serious showdown, a bureaucratic nightmare, or both at the same time.

ICANN has proposed a bare-bones system that would maintain privileged, verified access for law enforcement, and the GDPR authorities have expressed some positive thoughts that this could be a workable solution. However, all of ICANN’s proposed solutions will take from months to years to fully implement if they choose to avoid simply shutting the whole thing down. As a result, it’s a given that ICANN will blow the May 25th deadline — but what will happen after that is still anyone’s guess.

It’s important to note that this situation was entirely avoidable since many tech companies have taken the time and deployed the resources to become compliant. Was there perhaps some hubris in play when ICANN downplayed the impact of the GDPR on one of the oldest systems on the web as we know it? Maybe so — but we’ll have to watch closely to see how things develop from here.

The pros and cons of these changes

While ICANN tries to sort itself out and come up with a solution that works in conjunction with the GDPR, what can we take away from this change? WHOIS, as we know it right now, is surely going away; it only remains to be seen what form it takes in the future, or if a newer, different system altogether will take its place. Whatever happens, though, gone will be the days of looking up who owns websites on a whim or for research.

On the one hand, this is a very positive development on several levels. First and foremost, of course, is the clear privacy advantage: who wants their name, address, and phone number out there on the Internet for anyone to find if you don’t pay extra to keep it hidden? It’s an archaic system that the modern Internet has outgrown, and the need for improved privacy could be worth the sacrifice. In places where political conditions might make anonymity and privacy protections all the more important, the end of WHOIS could be seen as a very good thing.

The loss of WHOIS will be a blow to spammers, too, which is a victory for every other Internet user out there on the Web. WHOIS data has long been an easy source for spammers to scrape for information, whether it’s for credit card phishing calls or malware-laden spam emails clogging up your inbox. Though most registrars have anti-spam-scraping CAPTCHAs and other anti-automation tools in place, they aren’t always a deterrent when it comes to a spammer determined to grab as many free and easy to access emails as possible. Since they could count on a registrant’s email being valid (no one would sell you a domain without one), it was a surefire way to know you were getting a real potential target. GDPR makes that a thing of the past.

There are some downsides, though. Law enforcement and those IP lawyers, of course, will lose access in the short term, and perhaps the long term, depending on how the legal wrangling between ICANN and the EU plays out over time. Security researchers will feel the impact of GDPR too, though. WHOIS is often a valuable tool that helps researchers uncover connections that ultimately lead to a better understanding of a particular malware threat. For example, a reverse WHOIS search might allow a researcher to find a group of websites all registered to the same email account used by a malware author.

That might reveal the digital location of important command and control servers, other sites serving up malware or malicious advertising, and in some cases, it can even point towards the author themselves. That makes it a useful tool to have in one’s arsenal, but with the loss of the public side of the info, the security sector won’t be able to follow these leads any further — and it seems unlikely that any independent researcher could earn credentials to view the data like a police officer. As this vestige of the old Internet passes into the history books, malware researchers will need to look elsewhere for information on the bad guys.
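To make the two points concrete, here is an added example (not SecureMac’s code) that parses the “Key: Value” records a registrar returns over the WHOIS protocol, as described in the “WHOIS explained” section, and then performs the kind of reverse-WHOIS pivot on a registrant email just described, showing how a GDPR-redacted record drops out of the picture. All registrar names, domains and contact details in it are constructed, not real registrations.

```python
# Added example (not SecureMac's code): parse WHOIS replies and pivot on the
# registrant e-mail. All registrars, domains and contacts below are constructed.
import re
from collections import defaultdict

# Sample responses in the "Key: Value" layout registrars return over the
# WHOIS protocol (TCP port 43); the third shows the post-GDPR redaction.
PRE_GDPR = """\
Domain Name: shop-one.test
Registrar: Hypothetical Registrar, Inc.
Registrant Name: Jane Doe
Registrant Email: jane@example.test
Name Server: ns1.example.test
Name Server: ns2.example.test
>>> Last update of WHOIS database: 2018-05-24T00:00:00Z <<<
"""
SECOND_PRE_GDPR = """\
Domain Name: shop-two.test
Registrant Name: Jane Doe
Registrant Email: JANE@example.test
"""
POST_GDPR = """\
Domain Name: shop-three.test
Registrar: Hypothetical EU Registrar B.V.
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
"""

REDACTED = re.compile(r"redacted|query the rdds|privacy|proxy", re.IGNORECASE)

def build_query(domain: str) -> bytes:
    """Wire format of a WHOIS query (RFC 3912): the name followed by CRLF."""
    return domain.strip().encode("ascii") + b"\r\n"

def parse_record(text: str) -> dict:
    """'Key: Value' lines to a dict (keys lower-cased); first value wins for
    repeated keys such as Name Server; '%' and '>>>' footer lines are skipped."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", ">>>", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record.setdefault(key.strip().lower(), value.strip())
    return record

def is_redacted(value: str) -> bool:
    """True for empty values and the placeholders substituted when contact
    data is withheld (GDPR redaction or a paid privacy/proxy service)."""
    return not value or bool(REDACTED.search(value))

def group_by_registrant_email(records: list) -> dict:
    """Reverse-WHOIS pivot: usable registrant e-mail -> sorted domains sharing
    it. Redacted records land under None, showing which leads are closed off."""
    groups = defaultdict(list)
    for rec in records:
        email = rec.get("registrant email", "")
        groups[None if is_redacted(email) else email.lower()].append(rec["domain name"])
    return {k: sorted(v) for k, v in groups.items()}
```

Run over the three constructed records, the two pre-GDPR domains group together under jane@example.test while the redacted EU record yields no usable pivot.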

It’s important to note this story continues to develop. How things proceed for ICANN and non-EU businesses after the May 25 deadline is still anyone’s guess. With all the good things that GDPR brings to the table, though, it will be interesting to watch and see how it affects the Internet, the technology sector in Europe, and the world, too. Will it inspire any similarly smart approaches to privacy on this side of the Atlantic? Only time will tell.
