The WHOIS internet domain directory is at the center of a GDPR-related lawsuit that should clarify at least one of the many unknowns when it comes to achieving compliance with the data-privacy regulation.
The suit was filed last week by ICANN, the nonprofit body responsible for administering the assignment of a large portion of domain names on the internet. ICANN is also the keeper of WHOIS, which serves a phonebook-like purpose of making contact information available for those who have registered domains. ICANN contractually requires the collection of three sets of contact data by over 2,500 registrars and registries: administrative and technical contacts as well the registrant’s personal details, including name, email and telephone number.
Given the “data minimization” tenet of the EU’s General Data Protection Regulation (GDPR), which went into effect last Friday, the WHOIS data governance practices are one of the gray areas that exist when it comes to implementing the law. The GDPR requires that organizations collect only as much data as it needs for a specific business purpose, no more; as such, collecting three sets of potentially overlapping data may violate the law.
Thanks to the uncertainty, some European DNS registrars have decided to no longer collect WHOIS information, for fear of drawing a hefty fine from regulators in an enforcement action. One of those is, EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group; it said that ICANN’s contract “not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the admin and tech contacts.”
It argued that in most cases, the admin and tech details are the same as the registrant’s, making the extra data collection “meaningless.”
In response, and with a stated goal of gaining clarity around the law, ICANN filed injunction proceedings against EPAG, seeking a court ruling to ensure the continued collection of all three sets of WHOIS data.
“EPAG recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules,” ICANN said in a statement. “ICANN requires that information to be collected, via its contract with EPAG which authorizes it to sell generic top-level domain name registrations.”
Modernizing WHOIS?
WHOIS data, which has been collected for decades, has been a boon to law enforcement during cyber-threat investigations and is often a crucial tool when it comes to protecting intellectual property rights. But that public good isn’t outweighed by the privacy concerns, the EU told ICANN back in April, when it rejected an interim WHOIS refurb. Regulators also took issue with a lack of specificity in ICANN’s proposal.
“Providing ‘legitimate access” to ‘accurate, reliable and uniform registration data,’ for example, does not amount to a specified purpose within the meaning of article 5(1)b GDPR, as it does not allow to determine what kind of processing is or is not included, nor does it enable a subsequent assessment of compliance or compatibility in case access is provided,” regulators said in a letter.
Removing most WHOIS information from public view is one idea, they added: “The WP29 welcomes the proposal to significantly reduce the types of personal data that shall be made publicly available, as well as its proposal introduce alternative methods to contact registrants or administrative and technical contacts, without public disclosure of registrants’ personal email addresses (referred to as ‘anonymized email, web form, or other technical means’).”
Trying to satisfy the requirements, ICANN released a new Temporary Specification last Friday regarding how WHOIS data should be collected and which parts may be published, which ICANN “believes is consistent with the GDPR.”
It still requires registry operators and registrars to collect all registration data, but a public query will return only “thin” data in return, which includes “technical data sufficient to identify the sponsoring registrar, status of the registration, and creation and expiration dates for each registration, but not personal data.” Those submitting queries will also get anonymized email address or a web form to facilitate email communication with the relevant contact for that registration.
Third parties – such as law enforcement – has a legitimate interest in gaining access to the non-public data, they can “can look up the sponsoring registrar and contact them, and they are obligated to respond to you in a reasonable time.”
However, this can be problematic.
“To the casual observer, it makes sense to remove WHOIS from the public, or at the very least, hide data deemed personal,” said Brandon Dixon, vice president at RiskIQ. “In doing so, these changes make it difficult for cyber-threat analysts to differentiate between legitimate, compromised and malicious domains. Additionally, without point-of-contact information for a domain owner, it’s even more difficult to communicate when a website may be compromised or infringing on a company’s trademarks or brand.”
One proposal to minimize WHOIS disruption, while still respecting privacy concerns, would be requiring individual email addresses to be hashed using the same encrypted hash algorithm across databases, he added.
“The idea being that the registrant email would be hashed uniformly allowing for analysts to pivot off it, while still obscuring the personal email address itself,” Dixon said, but added, “There is no consensus that providing this pivoting mechanism in a public WHOIS directory would be GDPR-compliant, as it may allow connections to be drawn that would identify a person not otherwise identifiable.”
The lawsuit should clarify many of the discussions around WHOIS, and could result in WHOIS effectively being killed in Europe. In any event, ICANN has asked the court for guidance.
“EPAG’s position has identified a disagreement with ICANN and others as to how the GDPR should be interpreted,” it said. “This lawsuit seeks to clarify that difference in interpretation.”