The GDPR In Full Effect: What Will Happen to WHOIS?

By Iris Rigter
March 11, 2018

It has been a long time coming, but the General Data Protection Regulation (GDPR) is almost here. This new privacy regulation requires substantial changes to the collection and storage of data and will affect multiple disciplines, including the brand protection industry. One of the ‘victims’ of the new law is the WHOIS database. How will these changes affect its records?

The General Data Protection Regulation

You have probably heard about the GDPR and its consequences a hundred times by now, but for clarity let’s do a quick recap. The GDPR is a new regulation by the European Union created around the storage and processing of personal data. It applies to anyone with a presence in the European Union, or who stores and processes data from people in the European Union including businesses and other legal entities. The GDPR states that you can only collect and keep personal data if you have a legitimate ground to do so, and if you comply with the following prerequisites:

  • The person whose data you are storing has given you unambiguous consent to do so;
  • You need the data for a contract the person has entered;
  • There is a legal obligation to you, for which you need the data;
  • The data is necessary to protect the individual’s vital interests;
  • You need the data to administer justice.

Personal data, in this case, is defined as any information that can lead back to the individual. It includes online identifiers like their IP-address.*

Domain Name Registrations

When a person or business registers a domain name, they need to provide identifying— and contact information. This information includes their name, address, e-mail, phone number and their administrative contact. When you add domain information and data on the registrar and hosting company to that file – you have their WHOIS records. The registrar or registry of the domain name then manages the WHOIS database that these records are in.

You might want to access this WHOIS data for your brand protection efforts. It can be useful to determine the owner of a website that sells trademarked items, for example. Several WHOIS lookup services can provide you with these details. But this handing out of personal information to whoever wants it has also led to a lengthy discussion about the need for, and problems with the WHOIS database.

There is an argument to be made for the people who need WHOIS records to keep their clients or the Internet safe. It is used by brand protection professionals who need the WHOIS to locate and contact those who are violating the terms of a brand. There are also cybersecurity experts who use WHOIS records to detect the person behind a dangerous website or illegal spam efforts. On the other hand, there is a group who thinks that these public WHOIS records are an invasion of privacy. If you register a domain and have your information added to the WHOIS database, you can expect plenty of calls and messages from spammers who try to sell you a service.

To accommodate the second group, there is already a WHOIS privacy service. When in use, the domain’s registrant pays their registrar to his or her keep personal information private. It means that people are less vulnerable to spam but also gives those with bad intentions the opportunity to hide their data.

Two Rules Collide

You might have noticed: the GDPR and WHOIS do not combine. Internet coordinator ICANN has stated that a registrar or registry must publish WHOIS information to comply with the organization’s rules. Now the GDPR makes it a violation of European regulation if that same information comes into the public domain.

The first to take steps in this conflict is ICANN. The organization has said that it will no longer take legal action against a registrar that does not publish WHOIS records to comply with the GDPR – and is hastily looking for a new solution. Unfortunately, the European Union met its three proposed interim models with a skeptic response. The European Commission’s director-general of Technology and Communications, Roberto Viola, wrote in a statement: “Given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches. The Commission therefore encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs and interests.”

As a reply, ICANN then released an update to say that they are happy with the feedback they have received and that they continue to work on a fitting model. The CEO of ICANN declared: “The final interim model will include a rationale and input received in relation to each component. But it is important to remember that ICANN’s contracted parties need to make their own determination about GDPR and related legal obligations as they relate to their specific situations.”

Meanwhile several of ICANN’s contracted parties have taken matters into their own hands. The registry behind Dutch top-level domains .frl and .amsterdam has announced that it would no longer publish WHOIS records that conflict with European regulation. In February, registrar GoDaddy then followed by stating that it will mask its WHOIS records from now on to protect its customers. This month, registries DENIC and Nominet  came out with a similar approach to the issue.

What You Can Do

Regardless of the decision that ICANN takes on the update or complete change of WHOIS records – it will become difficult for you to find the contact details of a domain owner. The upswing of WHOIS privacy services already played its part in this problem, and it seems that the issue will only get bigger now that registries are starting to mask their registrant information.

If you rely on WHOIS records to track down domain ownership, this created a serious challenge. There are still some workarounds you can try:

  1. Reverse Domain Check

Some websites can help you find a little bit of information. You can then use this as a first clue and continue your investigation from there. The website yougetsignal.com provides you with IP address information and shows you other sites that use the same address. It is possible that one of these domains does not use WHOIS privacy services and leads you to the person you are trying to find. Another option is the SpyOnWeb tool. It can give you DNS server information, a Google Analytics ID and IP addresses based on the domain name. It’s a small step, but it can be the first snippet of information you need to continue your search.

  1. Archived Websites

The Wayback Machine on archive.org can show you what a website looked like in the past. There is a chance you can find contact details that way, but it’s a long shot. The domain may have changed hands several times since then, and it is likely that the contact information you see on the old website does not belong to its current owner. You should thus always be careful when reaching out.

  1. Legal Action

You can also choose to take the legal route. If there are grounds to do so, domain privacy services share information with attorneys and other judicial bodies. It is the option that will most likely get you the information of bad actors – but it also takes a lot of time. In addition, you will need to show evidence that proves your need for the info you request. 

These alternative tools are not the ideal way to find a domain name owner but show that it is not yet impossible. We will have to wait for ICANN’s final model in response to the GDPR to determine what it’s real effects will be. Until then, how will you continue your brand protection efforts? 

* Please note that this is a summary of the GDPR and its legislation. If you need more information on the law and how to comply, please visit the European Union’s website.

The Author

Iris Rigter

Iris Rigter is a communication advisor at Dataprovider.com, a web-crawling company that specializes in indexing and structuring all publicly available information it can find on the Internet for lead generation, online brand protection and more. In her work, Iris focuses on researching the development of websites and domains. She writes about these developments, as well as other Internet-related technologies and legislation, for the company and other publications.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com. Read more.

Discuss this

There are currently 4 Comments comments. Join the discussion.

  1. Anon March 12, 2018 9:32 am

    How does the data per the Wayback Machine conform to the emerging and prior (a la “right to be forgotten”) aspects of the EU imperatives?

    I might easily imagine that once a digital property changes hands, that those with prior data then may have incurred a duty to “not possess” identifying information.

    Is the notion of “history” alone enough?

  2. Curious March 12, 2018 11:36 am

    Does this mean that a domain registrant no longer needs to pay extra to keep personal information private?
    Also, what if you try to register a domain name and you get the message that the particular name is not available. How are you going to be able to find out if someone is just ‘squatting’ on the domain?

  3. Mark Pope March 12, 2018 12:26 pm

    If the only requirement for bad actors to hide their identity was to pay an annual privacy fee then the only purpose of the requirement to publish this information was to allow domain name registry companies a means to overcharge honest, legitimate domain holders for this service, which they did. Good riddance to a stupid invasion of privacy and spammer enablement prevention extortion fees. Thanks Godaddy.

  4. Iris Rigter March 13, 2018 3:35 am

    @Anon – this is an excellent point you make. I would think that the Wayback Machine complies with legislation such as the right to be forgotten as they can easily be contacted and asked to take down certain websites by the (previous) owner of that page.

    @Curious – It is not yet sure how ICANN will change the WHOIS records in the future to comply with GDPR. It may be that for some registries, the registrant will no longer need to pay to keep their information private, as those registries have already decided that they will stop publishing WHOIS records. The .amsterdam and .frl are an example of this.

    Depending on the new model ICANN proposes for WHOIS, however, the privacy services for the registrant may still be necessary in the future. If ICANN decides on a WHOIS model that complies with GDPR and (for example) hides information from the public domain but still gives access to WHOIS records to those who have been accredited, a registrant can choose to use paid privacy services to keep their information from that select group.

Post a Comment

Respectfully add to the discussion.

Name *
Email *
Website