What if WHOIS Cracks?
WHOIS has been standardized for around 35 years, but will it all end abruptly on Friday May 25, 2018, when the EU’s General Data Protection Regulation (GDPR) takes effect?
A QUERY AND RESPONSE PROTOCOL
WHOIS is a publicly accessible, free online domain name lookup service that contains personal data of people and companies who have registered a domain name. The Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for the entire domain name system (DNS), requires that all domain name registries follow WHOIS.
WHOIS is an essential tool for businesses, consumers, journalists, security professionals, intellectual property (IP) owners, consumer protection agencies and legal experts. It is extremely important for us as an online anti-counterfeiting company to identify who is behind a fraudulent website or one deemed to be selling counterfeit goods.
THE IMPACT OF GDPR
The aim of the GDPR is to protect EU citizens from privacy and data breaches, and at present, WHOIS is not GDPR compliant. When a person registers a domain with a domain name registry they don't currently need to give consent for their personal information to be made public. The GDPR means a registrant is entitled to privacy.
This poses an immense problem for many of the authorities who use WHOIS for security and enforcement purposes, as they won’t be able to easily identify a domain name owner and subsequently prevent online infringements. Potentially, this leaves the doors wide open for online IP abuse and crime.
ICANN has been aware of the issue for some time, and with pressure from various law enforcement bodies to make sure the domain name registration data remains available, it has entertained a number of solutions. Guidance from the European Union’s data protection and privacy advisory group, WP29, argued that ICANN’s proposed WHOIS model was ‘insufficiently defined’. Furthermore, WP29 does not appear to be sympathetic towards those that rely on WHOIS to facilitate a safe internet, cautioning ICANN to ‘not conflate its own purposes with the concerns and purposes of third parties, no matter how legitimate’. To avoid a fine of 4% of its annual global turnover for violating the regulation, ICANN must accommodate GDPR.
For a year, ICANN held numerous discussions with internet stakeholders, data protection authorities and legal experts before publishing three proposed interim models for compliance. On Thursday 17th May, ICANN announced that its Board had approved a Temporary Specification for gTLD Registration Data to provide ‘a single, unified interim model that ensures a common framework for registration data directory services’. The aim is continued availability of WHOIS to the greatest extent possible while maintaining the security and stability of the Internet's system of unique identifiers.
Key changes to note for the brand protection industry:
- The WHOIS system will remain available, and Registry Operators and Registrars are still required to collect all information
- No personal data will be provided when a WHOIS query is submitted; only technical data, the status of the registration, and creation and expiration dates will be given
- A layered/tiered access model has been identified and supported by European data authorities and various stakeholders
- The layered/tiered access will allow third parties with a legitimate purpose to request access to non-public data through registrars and registry operators
- Through an anonymized email address or online form, users will be able to contact the registrant or listed administrative and technical contacts
- Registrants can opt in to have their full contact information made publicly available
DETRIMENTAL WHOIS FRAGMENTATION
WHOIS will change significantly. Although these key points provide some solutions for accessing personal data, the WHOIS protocol is limited in its ability to support layered/tiered access, and a Registration Data Access Protocol (RDAP) implementation is necessary to support the model. The Temporary Specification is still reliant on WP29 providing guidance as to whether a third party’s legitimate specified purpose is actually legal. It remains unclear whether a genuine query from an online brand protection provider on behalf of a rights holder is allowed. Potentially, WHOIS could go dark for rights holders on Friday 25th May 2018.
Pointing out the concerns of law enforcement, cybersecurity professionals, consumer protection agencies, and IP owners, the ICANN President and CEO, Mr. Göran Marby, stated "if WHOIS is fragmented, it will have a detrimental impact on the entire Internet". Whilst it’s clear that WHOIS as we know it will be no more, much still seems to be up in the air regarding a conclusive alternative. It’s apparent that with the Temporary Specification, access and the amount of data available will be notably reduced, making online brand protection problematic.
Pushing for a better long-term solution
Yellow Brand Protection will continue to work with the relevant authorities to push for a better solution that will allow relevant companies such as ourselves to become part of a formal accredited scheme or similar, the aim of which is to permit third parties who have a legitimate interest to access the full list of personal data. We will also continue to have contact with major registries and registrars to resolve any imminent issues. We want to ensure as little disruption as possible so that we can carry out our full service and continue to protect rights owners’ IP online.
Any developments and announcements from ICANN will be provided to you as soon as they become available. In the meantime, if you have specific questions or would like to discuss the topic further, please feel free to reach out to us directly by contacting us at your nearest location or sending an email to [email protected].