The GDPR In Full Effect: What Will Happen to WHOIS?

It has been a long time coming, but the General Data Protection Regulation (GDPR) is almost here. This new privacy regulation requires substantial changes to the collection and storage of data and will affect multiple disciplines, including the brand protection industry. One of the ‘victims’ of the new law is the WHOIS database. How will these changes affect its records?

The General Data Protection Regulation

You have probably heard about the GDPR and its consequences a hundred times by now, but for clarity let’s do a quick recap. The GDPR is a new regulation by the European Union created around the storage and processing of personal data. It applies to anyone with a presence in the European Union, or who stores and processes data from people in the European Union, including businesses and other legal entities. The GDPR states that you can only collect and keep personal data if you have a legitimate ground to do so, and if you comply with the following prerequisites:

  • The person whose data you are storing has given you unambiguous consent to do so;
  • You need the data for a contract the person has entered;
  • There is a legal obligation to you, for which you need the data;
  • The data is necessary to protect the individual’s vital interests;
  • You need the data to administer justice.

Personal data, in this case, is defined as any information that can lead back to the individual. It includes online identifiers like their IP address.*

Domain Name Registrations

When a person or business registers a domain name, they need to provide identifying and contact information. This information includes their name, address, e-mail, phone number and their administrative contact. Add domain information and data on the registrar and hosting company to that file, and you have their WHOIS records. The registrar or registry of the domain name then manages the WHOIS database that holds these records.

You might want to access this WHOIS data for your brand protection efforts. It can be useful to determine the owner of a website that sells trademarked items, for example. Several WHOIS lookup services can provide you with these details. But this handing out of personal information to whoever wants it has also led to a lengthy discussion about the need for, and problems with, the WHOIS database.

There is an argument to be made for the people who need WHOIS records to keep their clients or the Internet safe. It is used by brand protection professionals who need the WHOIS to locate and contact those who are violating the terms of a brand. There are also cybersecurity experts who use WHOIS records to detect the person behind a dangerous website or illegal spam efforts. On the other hand, there is a group who thinks that these public WHOIS records are an invasion of privacy. If you register a domain and have your information added to the WHOIS database, you can expect plenty of calls and messages from spammers who try to sell you a service.

To accommodate the second group, there is already a WHOIS privacy service. When in use, the domain’s registrant pays their registrar to keep his or her personal information private. It means that people are less vulnerable to spam but also gives those with bad intentions the opportunity to hide their data.

Two Rules Collide

You might have noticed: the GDPR and WHOIS do not combine. Internet coordinator ICANN has stated that a registrar or registry must publish WHOIS information to comply with the organization’s rules. Now the GDPR makes it a violation of European regulation if that same information comes into the public domain.

The first to take steps in this conflict is ICANN. The organization has said that it will no longer take legal action against a registrar that does not publish WHOIS records to comply with the GDPR, and is hastily looking for a new solution. Unfortunately, the European Union met its three proposed interim models with a skeptical response. The European Commission’s director-general of Technology and Communications, Roberto Viola, wrote in a statement: “Given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches. The Commission therefore encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs and interests.”

As a reply, ICANN then released an update to say that they are happy with the feedback they have received and that they continue to work on a fitting model. The CEO of ICANN declared: “The final interim model will include a rationale and input received in relation to each component. But it is important to remember that ICANN’s contracted parties need to make their own determination about GDPR and related legal obligations as they relate to their specific situations.”

Meanwhile, several of ICANN’s contracted parties have taken matters into their own hands. The registry behind Dutch top-level domains .frl and .amsterdam has announced that it would no longer publish WHOIS records that conflict with European regulation. In February, registrar GoDaddy then followed by stating that it will mask its WHOIS records from now on to protect its customers. This month, registries DENIC and Nominet came out with a similar approach to the issue.

What You Can Do

Regardless of the decision that ICANN takes on the update or complete change of WHOIS records, it will become difficult for you to find the contact details of a domain owner. The upswing of WHOIS privacy services already played its part in this problem, and it seems that the issue will only get bigger now that registries are starting to mask their registrant information.

If you rely on WHOIS records to track down domain ownership, this creates a serious challenge. There are still some workarounds you can try:

  1. Reverse Domain Check

Some websites can help you find a little bit of information. You can then use this as a first clue and continue your investigation from there. The website yougetsignal.com provides you with IP address information and shows you other sites that use the same address. It is possible that one of these domains does not use WHOIS privacy services and leads you to the person you are trying to find. Another option is the SpyOnWeb tool. It can give you DNS server information, a Google Analytics ID and IP addresses based on the domain name. It’s a small step, but it can be the first snippet of information you need to continue your search.

  2. Archived Websites

The Wayback Machine on archive.org can show you what a website looked like in the past. There is a chance you can find contact details that way, but it’s a long shot. The domain may have changed hands several times since then, and it is likely that the contact information you see on the old website does not belong to its current owner. You should thus always be careful when reaching out.

  3. Legal Action

You can also choose to take the legal route. If there are grounds to do so, domain privacy services share information with attorneys and other judicial bodies. It is the option that will most likely get you the information of bad actors – but it also takes a lot of time. In addition, you will need to show evidence that proves your need for the info you request. 

These alternative tools are not the ideal way to find a domain name owner but show that it is not yet impossible. We will have to wait for ICANN’s final model in response to the GDPR to determine what its real effects will be. Until then, how will you continue your brand protection efforts?

* Please note that this is a summary of the GDPR and its legislation. If you need more information on the law and how to comply, please visit the European Union’s website.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com.

Join the Discussion

5 comments so far.

  • PTO-Indentured
    June 7, 2018 07:10 am

    Is this retroactive?

    Or do only the biggest of tech co.s having already gleaned a Library of Congress proportioned database of personal and location specific data on millions get to be the de facto owners (winners) of such private information gathered on them for years?

  • Iris Rigter
    March 13, 2018 03:35 am

    @Anon – this is an excellent point you make. I would think that the Wayback Machine complies with legislation such as the right to be forgotten as they can easily be contacted and asked to take down certain websites by the (previous) owner of that page.

    @Curious – It is not yet sure how ICANN will change the WHOIS records in the future to comply with GDPR. It may be that for some registries, the registrant will no longer need to pay to keep their information private, as those registries have already decided that they will stop publishing WHOIS records. The .amsterdam and .frl are an example of this.

    Depending on the new model ICANN proposes for WHOIS, however, the privacy services for the registrant may still be necessary in the future. If ICANN decides on a WHOIS model that complies with GDPR and (for example) hides information from the public domain but still gives access to WHOIS records to those who have been accredited, a registrant can choose to use paid privacy services to keep their information from that select group.

  • Mark Pope
    March 12, 2018 12:26 pm

    If the only requirement for bad actors to hide their identity was to pay an annual privacy fee then the only purpose of the requirement to publish this information was to allow domain name registry companies a means to overcharge honest, legitimate domain holders for this service, which they did. Good riddance to a stupid invasion of privacy and spammer enablement prevention extortion fees. Thanks GoDaddy.

  • Curious
    March 12, 2018 11:36 am

    Does this mean that a domain registrant no longer needs to pay extra to keep personal information private?
    Also, what if you try to register a domain name and you get the message that the particular name is not available. How are you going to be able to find out if someone is just ‘squatting’ on the domain?

  • Anon
    March 12, 2018 09:32 am

    How does the data per the Wayback Machine conform to the emerging and prior (a la “right to be forgotten”) aspects of the EU imperatives?

    I might easily imagine that once a digital property changes hands, that those with prior data then may have incurred a duty to “not possess” identifying information.

    Is the notion of “history” alone enough?