30, May 2020
WHOIS after GDPR
WHOIS is the standard query and response protocol for all internet resources. For everyone in the domain name business, the WHOIS is synonymous with the domain name itself since it is the source of the “core” information about a domain name.
The WHOIS of a domain name has therefore always been the go-to source for getting the public information regarding a domain name, including (but not limited to) owner information, contact information, name servers, current registrar and more.
As we all know, GDPR greatly affects the way organizations present data. Since the WHOIS for most TLDs (top-level domains) includes entities such as the name, phone number and email of “living individuals” (for example the contacts at the company owning the domain name), it was expected that GDPR would drastically change the way WHOIS functions in the future.
On May 17th 2018, the ICANN board passed a “Temporary Specification” for gTLD registration data (gTLD being a “generic” top-level domain, such as .COM, .NET and .ORG). This was just eight days before the GDPR deadline, leaving registries and registrars with a lot of last-minute changes to make in order to be compliant with both GDPR and the Temporary Specification. The Temporary Specification stipulates how contracted parties are to treat WHOIS going forward. It is important to understand, however, that the Temporary Specification is reviewed by the board every 90 days and is renewable for a maximum of one year.
Under the new specification, WHOIS requirements will be drastically reduced and only include Registrant organization (if provided), State/Province and Country.
However, ICANN remains committed to the collection of full data and requires registrars to collect complete contact information in the same manner as before. The full data set must also be transferred to the registry, as well as the escrow provider.
Since the reduced WHOIS information “hides” most of the information about the owner of the domain name (like the registrant’s email address), registrars are also required to provide a way for third parties to contact the registrant of the domain name. This is done either by an anonymized email address set up by the registrar or, alternatively, by a web form. Both forward to the registrant’s actual email address. This solution also applies to the admin and tech contacts, which will otherwise be omitted from WHOIS.
Apart from that, ICANN is obliging registrars to provide access to full WHOIS data for parties with “legitimate” interests, to address the concerns of IP attorneys, trademark/brand protection firms and law enforcement. An accreditation model with access to tiered data has been suggested, but nothing of that sort has come into place. Registrars are left with the requirement, but no guidelines as to how this can be handled in practice.
The reduced WHOIS output will also affect the transfer process of a domain name, most obviously the registrant confirmation. In the ICANN stipulated transfer policy, the email address of the registrant or the admin contact is the only email address trusted to accept the Form of Authorization (transfer agreement). In the absence of an email address in WHOIS, the FOA loses its authority in the registrar transfer confirmation. Until ICANN and contracted parties have a new way of safely and securely transferring data, the FOA will be omitted, leaving the authorization code as the single confirmation token of the right to transfer the domain name to a new registrar. The “losing” registrar (from which the domain is transferred away) is still required to send the losing Form of Authorization. The losing Form of Authorization is an email informing the current registrant that a registrar transfer has been requested, giving the registrant a last resort to cancel the transfer by immediately taking action. No response within five days will allow the transfer to be carried out.
With regard to ccTLDs (country code top-level domains, like .SE for Sweden and .DE for Germany), there is a variety of solutions, stretching from hiding all WHOIS data to doing absolutely nothing and leaving the WHOIS as is. The effects on various operations are a smorgasbord of equally many solutions. With the late awakening of the domain industry to the requirements and impacts of GDPR, it is our belief that we are facing a lot of temporary – and perhaps even hasty – solutions, which would suggest recurrent model updates, tweaks and reformulations in the coming months.