Who's there? The EU proposed to hide the data of domain name owners

On May 25, the General Data Protection Regulation (GDPR) will enter into force in the European Union . The decree will change the way of storing and processing personal data by companies operating in the EU. However, some of its provisions still raise questions from the community .

Thus, the Corporation for the Management of Domain Names and IP Addresses (ICANN) proposes to exclude information about domain owners (name, address, etc.) from WHOIS in order to bring the principles of the system in accordance with GDPR.

We understand why this is necessary and who will affect.


/ Pixabay / SplitShire / CC

Why WHOIS is Not Friendly with GDPR


The GDPR will replace the EU Data Protection Directive, which has been in force since 1995. The main feature of the new resolution is the tightening of requirements for the storage and processing of personal data.

The regulation significantly expands the rights of individuals to control their own confidential information. Users will be more aware of how their personal data is used. They will be able to prohibit their processing and actively use the right to oblivion . The GDPR imposes severe fines for companies for violations of the new rules - up to 20 million euros or 4% of the organization's annual turnover.

The WHOIS network protocol, which is used to obtain registration data on domain name owners - names / names and contact information - "conflicts" with GDPR regulations. ICANN considered that from the point of view of the new regulation this information is considered confidential, so its publication in the public domain can be interpreted as a violation of the new rules for the processing of personal data.


/ WHOIS data about wikipedia.org

What ICANN offers


WHOIS administration responsibilities rest with ICANN. The corporation enters into agreements with thousands of domain registrars around the world and requires them to provide reliable data. ICANN is currently participating in the preparation of new GDRP provisions and is making recommendations. One of them came from the president and CEO of ICANN Göran Marby (Göran Marb).

To bring WHOIS into line with GDPR, he offers three models:

  1. The first model - works only in the European Economic Area. The personal data of domain owners will be hidden, but those people and organizations who will prove the need to obtain this information will be able to contact them. This model is slightly different from the current one, but does not describe the criteria for assessing the legality of access to PD.
  2. The second is a multi-level system in which most of the data is closed, but a certain group of people can get access to them after passing accreditation.
  3. Third - most of the PD is hidden. Access to them is possible only by court order. This model meets the basic ideas of the GDPR.

From the point of view of an ordinary user who wants to use the WHOIS system, access to the personal data of domain name owners in all three cases will look like this: all information is closed, but there is an anonymous email address. Through it, the letter will be redirected to the real address of the owner.

Now WHOIS is used to communicate with administrators, resolve technical issues, conduct transactions for the sale of domains, and clarify the address of the company. Law enforcement agencies also use this information. For example, the data of the owners of the domains with which cyber attacks are associated can identify the perpetrators.

Supposed that the development of an accreditation system will rest with the Government Advisory Committee (GAC). So, according to ICANN, it will be possible to comply with the law and state interests.

ICANN also explains the need for change with the fact that WHOIS is used to send spam, phishing and cybercrime. The main damage to this activity is caused to domain name owners who are clients of registrars. Therefore, the latter are interested in revising the current system.


/ Flickr / veni / cc
recently icann stated that they would no longer sue registrars who do not publish personal data in WHOIS. The largest domain name registrar in the world - GoDaddy has already begun to hide PD. The vice president of the company explained that in this way they protect customers from spam.

The fate of the initiative


Last week, the ICANN plan was rejected by the European Commission. This was because ICANN's suggestions are based on incomplete GDPR information. At the same time, the need for such measures was not sufficiently substantiated and was not supported by statistics or analytical information.

Another reason for the refusal was concerns about anonymous cybercrimes. WHOIS data is a key tool in the fight against cybercrime. The model in which law enforcement agencies must obtain permission to access information through a court impedes the prompt investigation of such cases. This position was taken by the center of cybercrime Europol.

The anonymity of domain owners will also affect lawyers working with intellectual property issues. WHOIS data helps them find people who distribute pirated content. WHOIS databases are often accessed by investigative journalists. ICANN does not clarify whether they will be able to obtain accreditation.

Although the ICANN initiative was rejected, members of the European Commission recommended that companies continue to work on new policies. Therefore, probably, discussion of this issue will be resumed in the near future.

Some materials from our corporate blog: