
WHOIS blackout period likely starting in May - morninj
https://www.cooley.com/news/insight/2018/2018-04-18-whois-blackout-period-likely-starting-in-may
======
clay_the_ripper
I really wish WHOIS would go away forever. There is absolutely no point to it.
If you don’t pay to get your name private, you get SPAMMED to such an
incredible degree, it’s absolutely awful. Literally 10+ calls a day, emails
voicemails. So you have to buy the “privacy protection” thing, which defeats
the whole purpose anyway. All WHOIS does is create an industry of people
selling privacy to WHOIS. This whole narrative about “journalism” and it being
used for research sounds like nonsense to me. Something tells me these people
have a vested financial interest in this. Would love to hear an alternate
point of view on this.

~~~
akhatri_aus
Whois can also be used to identify who owns IP blocks. Which is crucial to
many applications such as security.

If you don't want your personal information to be visible that's very different
to the full range of what whois can do. You can always use a proxy so there
are options for privacy available. I've never got a single spam email/call
from my whois data.

~~~
Sephr
ARIN already provides public APIs for this without the need for WHOIS.

~~~
kijeda
WHOIS the protocol is not the problem, it is the data it is used to publish.
The GDPR-related mitigations required would be the same whether you are
publishing with WHOIS, RDAP or something else.

Also, ARIN only has allocations made in North America. Plus, ARIN only covers
North American allocations.

------
kbar13
domain registration data is in a weird place for the modern internet. I can
see the value of having a real registry when it was first developed, but now
it seems like a pretty easy way for people to shoot themselves in the foot
with regards to privacy. Also, some registrars charge a premium for WHOIS
privacy. It should not cost extra to have your legal name and address to be
hidden from the entirety of the internet.

~~~
mort96
Do any registrars not charge a premium for Whois privacy? I know Hover doesn't
have a separate Whois privacy entry price, but the base price at Hover seems
to be about the price of a domain + Whois privacy at other registrars.

~~~
BlueGh0st
Google domains offers it for free and as standard.

~~~
asaph
I wouldn't say _free_. I would say it's _included_ in the $12/year price of
.com registration. I suspect that price is competitive with registrars that
have a base price that doesn't include WHOIS privacy and sell privacy as an
add-on, though I haven't shopped around in a while. All my domains are
registered with Google Domains.

------
phit_
thank god, tired of paying extra for "whois privacy" that various registers
offer

running a hobby project should not require you to share your private contact
details with the world

~~~
lamlam
I like what CIRA (the .ca registration authority) does. The default is for
them to hide your contact information. You have to opt-in to make it public.

They then handle all communications people want to send to you. More
registration authorities should take stances like this.

Now if only they could get DNSSEC support...

~~~
jacekm
I like how people responsible for .pl (Poland) domain handle this. First of
all, they list only very basic data, with no names, addresses, etc. when you
query their whois. To see the full data, you have to go to their website and
type the captcha, which filters out at least some of the bots. But even there
they display the data if it belongs to a company, they won't show any details
if it's registered to a private person.

~~~
dingaling
> you have to go to their website and type the captcha

I'd prefer that they'd charge me 5 eurocents per query rather than using my
time and effort to feed Google's AI.

~~~
Moter8
Not sure why you are saying this, when the site uses a "usual" captcha (that
can probably be solved easily, but that's another thing):
[https://www.dns.pl/cgi-bin/en_whois.pl](https://www.dns.pl/cgi-bin/en_whois.pl)

See also [https://www.denic.de/webwhois-web20/](https://www.denic.de/webwhois-web20/)
for the .de registry's captcha.

------
robalfonso
In the short term WHOIS is going to be limited to just the registrant
organization, state, country and a masked email address (Admin and Technical
fields will be removed save email). This is short term to come into compliance
with GDPR.

Long term ICANN intends to create a privileged group (other registrars, law
enforcement, etc) who will be able to get to the full whois data. So a sort of
tiered system. Expect this to take a minimum of a year. The ICANN multi stake
holder model means nothing happens fast.

~~~
forapurpose
> Long term ICANN intends to create a privileged group (other registrars, law
> enforcement, etc) who will be able to get to the full whois data.

To a substantial degree it's privacy for the powerful and transparency for the
weak. It should be the reverse: The powerful and government institutions
should be transparent, and citizens should have their privacy.

~~~
gred
> The powerful and government institutions should be transparent, and citizens
> should have their privacy.

Hear, hear! The most frustrating part of the Clinton email fiasco to me was
the contrast between the rule bending going on at the highest levels in the
name of privacy, and the pervasive monitoring that the rest of us are
subjected to.

------
holstvoogd
ICANN is scrambling to be compliant they write... We've all had 2 years notice
since the GDPR has been adopted! And if you 'didn't know', you have bigger
organizational problems.

I understand it is a lot of annoying work, but adtech and data brokers (etc
etc) have been gutting privacy and the internet for long enough. We've let it
come this far, now we get regulated.

(disclaimer: I only started working on compliance this year, do as I say, not
as I do ;))

~~~
guitarbill
It's worse than that. Article 29 Working Party (WP29) - which deals with data
protection has said since 2003 (well over a decade!) that Whois is not
compatible with EU law [0]. They just didn't have a way to enforce it before
GDPR.

But ICANN are delusional idiots, maybe because they get so much money from US
intellectual property interests. They did nothing, and then seemed to think
that they could get a moratorium on enforcement. But even their own Non-
Commercial Stakeholders Group basically told them to get lost [1].

It's a fascinating story of just how terrible ICANN is. As always, the
Register has a great write-up [2].

One thing is clear, they deserve it. I do feel bad for registrars though, and
hope they had more sense than ICANN and developed a plan B.

[0] [http://ec.europa.eu/justice/article-29/documentation/opinion...](http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf)

[1] [https://www.icann.org/en/system/files/files/gdpr-comments-nc...](https://www.icann.org/en/system/files/files/gdpr-comments-ncsg-article-29-wp-whois-23apr18-en.pdf)

[2] [https://www.theregister.co.uk/2018/04/25/icann_whois_gdpr/](https://www.theregister.co.uk/2018/04/25/icann_whois_gdpr/)

------
becauseiam
The WHOIS blackout has already started, I recently registered a domain with a
non-European ccTLD, but with Gandi for the registrar. The WHOIS reads:

       Administrative Contact:
          Not displayed due to GDPR

~~~
Semaphor
My .me domain displays (and always has displayed IIRC) nothing but my full
name (not that interesting as the domain is my name). Everything else are the
contact details from Gandi.

~~~
__david__
Must be a Gandi thing. My .io domain from Gandi only shows my name but a .me
domain from another registrar still shows home address, phone number, etc.…

------
walrus01
there is another type of whois that people don't ordinarily interact with, but
is essential for the correct operation of the internet...

ARIN, RIPE, APNIC and AFRINIC run whois databases for IP space. Network
operators use them to find who controls chunks of v4 space (ranging from the
globally-minimum-announceable /24 to /12). ISPs can use tools like SWIP to
point the whois for a block of space in use by a customer to that customer's
whois info.

I sincerely hope that this doesn't become more difficult to use, because it
will make basic network diagnostics at a WAN scale much more annoying.

The good news is that the typical ISP-level info in IP space whois databases
doesn't fall under the GDPR, since most are role accounts (abuse@ispname.com ,
noc@ispname.com, etc). Also generic phone numbers for NOC and network
engineering groups. However, a lot of ISPs _do_ currently have individual
persons listed as points of contact in their whois entries.

------
pferde
I'm just wondering why ICANN is "scrambling to get it GDPR-compliant" just
now, at the eleventh hour. They had just as much time as rest of the world to
do it sooner, without any interim modes, and without any rush and all the
problems that can come from hastiness.

~~~
kijeda
A big factor is that ICANN is comprised of multiple stakeholder communities of
competing interests that have to come up with consensus to make new policies.
Refining the model of what is published in the WHOIS has been the subject of
working groups in ICANN for over 10 years, but consensus was never reached
because you had a huge spread of opinions that never converged. Privacy
advocates argued for no WHOIS, whereas interests from law enforcement,
security research and intellectual property argued for full disclosure.

------
7ewis
Noticed this the other day, my own domain is already blacked out.

I used to put fake info there anyway, I don't want my domain linked to my home
address, or provide an easy way for spammers to get my email.

~~~
tomyws
And you haven't been called out for Incorrect Whois Information? Complaints
seem automatic, even with obscure domains I seem to register

~~~
7ewis
Not yet, had my domain for a good few years now as well. Been through multiple
renewals, it's never been picked up on.

------
alerighi
Having a public register that tells you who owns a particular domain or IP
address could be useful for a lot of things. Sure, they could take away a lot
of fields that are not necessary and might be a privacy problem, like address
and phone number, today it's useless, and maybe instead add a GPG public key,
so much useful, and keep name and email address.

But don't remove it, it's a useful thing I use a lot, most of the times for
security purpose, you see a suspicious IP address or domain while observing a
packet capture, WHOIS tells you who owns it, you find in a log an IP address
that tries to bruteforce into your server, WHOIS tells you who it is and gives
you an address to contact and ask explanations, you need to find a person to
contact if you have a problem with a website, contact the email address in the
WHOIS record of the domain, you are sure that you are contacting the right
person, even if the site gets hacked in the worst way the WHOIS record can't
change.

------
lima
I work for a popular hosting company and WHOIS data is causing constant
issues - mostly for non-technical customers, but on one occasion, I
accidentally used my work mail address during testing. The WHOIS database for,
say, the .net zone is extensively mined by spammers and telemarketers.

I received a torrent of marketing mails for months even though I immediately
changed it to a noreply mail address. We receive numerous complaints from
customers who ignored our warnings.

------
lumberingjack
Back in 2002 teenager me used WHOIS to lookup my ISP's (adelphia) phone
number. Some guy picked up the phone in their server room no shit. He answers
the phone like it's an internal only line "server room Jim here how can I
help?" Me: "ya um I have a problem with my SMTP port can you help out?" Net
Admin "How did you get this number! but ya I can help kid"

------
chx
My quick and dirty three step scam website detecting process
[https://travel.stackexchange.com/a/84026/4188](https://travel.stackexchange.com/a/84026/4188)
obviously includes whois but -- I think I will make do without. It's only a
little harder, to be frank.

------
mirimir
So will firms like
[https://www.domaintools.com/](https://www.domaintools.com/) need to redact
their whois history data? They're in Seattle, for whatever that's worth.

------
atesti
Does this also apply to RIPE for the whois of an IP address?

~~~
phicoh
There is a RIPE meeting this week. Tomorrow (Wednesday) there will be an
update regarding GDPR in the database working group:
[https://ripe76.ripe.net/programme/meeting-plan/db-wg/](https://ripe76.ripe.net/programme/meeting-plan/db-wg/)

------
NoSalt
I'm good with this. I don't like the fact that some yahoo can look me up and
come after me just because he might not like what is on my website.

------
techsin101
whois guard is a joke so i welcome this

------
jiveturkey
good.

-grumpycat

------
oliwarner
I don't understand the problem. When buying a domain you do so in ICANN's
jurisdiction, under their terms. Actively and voluntarily forfeiting your
right to privacy should trump statutory privacy.

And if that isn't enough, ICANN can fix this without compromise. One mass
email. "Respond expressly allowing us to publish your PII, or lose your
domain."

~~~
dragonwriter
> When buying a domain you do so in ICANN's jurisdiction, under their terms.

Contract doesn't trump law, and ICANN isn't a supernation that excludes actual
sovereigns from governing behavior relating to it.

> And if that isn't enough, ICANN can fix this without compromise. One mass
> email. "Respond expressly allowing us to publish your PII, or lose your
> domain."

No, it can't, IIRC, because GDPR specifically excludes this kind of “agree or
no service” from qualifying as effective consent.

~~~
stordoff
> No, it can't, IIRC, because GDPR specifically excludes this kind of “agree
> or no service” from qualifying as effective consent.

It would also set the rather terrible precedent that ICANN can add terms after
the fact.

------
MR4D
This is stupid.

What happens next - do patents and copyrights have owner’s right to be
forgotten?

If so, then who do you sue for stealing your copyright?

The intent is good - let me be clear about that. But the implementation is
having second order effects that are going to f __* with things in a big way
because it wasn’t thought through as thoroughly as it should have been. *

* Key thought here is that it might be extremely difficult to think through all the second order effects, which suggests to me that a better phase in process should have been implemented.

EDIT - Not sure why this is being voted down. If I’m not clear here, then
please see my follow-on comment for (hopefully) a more clear view of my
position. I’m not saying Whois is stupid - I’m saying GDPR is (due to the lack
of thinking around second-order effects).

~~~
f2n
I don't understand how any of those are remotely related to whois being
removed. It's not like it represented anyone that could feasibly be sued
before, just a whoisguard service, usually

~~~
MR4D
In the US, we have different sites where you can look up patent information.

In fact, IBM and Microsoft run this one, which is a global database. Article:
[https://www.zdnet.com/article/microsoft-ibm-arm-back-open-pa...](https://www.zdnet.com/article/microsoft-ibm-arm-back-open-patent-database/)
Site: [http://oropo.net/](http://oropo.net/)

So my question, is if Whois had to take their site offline due to GDPR, then
will things like this go offline?

My concern is that GDPR will have a chilling effect not just on free speech,
but on open information of many kinds.

PS - for reference, here is a good overview of the issues that an open patent
database helps solve:
[http://oropo.net/oropo_report_20150615.pdf](http://oropo.net/oropo_report_20150615.pdf)

~~~
zaarn
WHOIS will not be permanently offline, it will be temporarily offline while
the ICANN and others work out how to give access to people who have legitimate
interest in the data, ie people looking for a legal contact, sysadmins looking
to notify someone, registrars themselves, etc.

I don't think the US patent database will go offline, the EU one might hide
personal information like name and address unless you request access under
legitimate interest.

~~~
anfogoat
> how to give access to people who have legitimate interest in the data, ie
> people looking for a legal contact, sysadmins looking to notify someone,
> registrars themselves, etc.

That is, anyone but the public. Oh, EU, you've done it again.

~~~
zaarn
Why does the public need my email and phone number associated with a random
internet string in a database?

