
Whois public database is in breach of GDPR, according to European authorities - chasontherobot
https://www.theregister.co.uk/2018/04/14/whois_icann_gdpr_europe/
======
ckastner
Note that since the issue is GDPR compliance, this should only be a problem
for registrants who are natural persons. So if Whois data were only collected
and published for corporations, there shouldn't be a problem.

I always felt uncomfortable having to submit my personal data, specifically:
my address and phone number, and for it to be published like that (regarding
domains where Whois protection services are not allowed). I can understand the
motivation for this with regards to corporations and organizations, but what
benefit is there with regards to natural persons?

~~~
Lunatic666
Most of the whois hiding services cost money, so if I get this “service” for
free now, I don’t have much sympathy with the whois guys.

If it’s about contacting people, they could make the abuse@ or webmaster@
address mandatory, then you can separate it from your normal email accounts,
because the majority will be spam anyway.

~~~
nabc45
>Most of the whois hiding services cost money

Where? I never paid a dime

~~~
pc86
Please do share the registrar that blocks all whois data for free!

~~~
facetube
Gandi

~~~
bringtheaction
Gandi user here. After I read your comment I tried to enable this but it
doesn't work.

When I change whois privacy to enabled and press save it just says "Unable to
update the contact."

This happens both with my .com and my .net domain.

~~~
facetube
Weird; I have active domains where it's working. Given it requires a contact
info update, could be an unrelated bug. I'd definitely file a ticket.

------
ttul
A little-known fact: WHOIS is extensively relied on by spam fighters like
Spamhaus to do their good work, which collectively saves all of us from an
enormous tidal wave of spam that would otherwise consume vast resources.
Internally, the anti-spam and more generally the anti-abuse community builds a
huge and mostly real-time cross-referenced database of information about
domains and IP addresses. This database would be impossible to build without
WHOIS.

For example, if one domain shares the same contact email address as another,
then the domains are related somehow. Doing some data mining on a variety of
signals which are apparent in the WHOIS records can help to cluster related
domains to help anti-abuse researchers find newly problematic domains by
following the trail through WHOIS.

I'm not sure how researchers will do their job effectively without WHOIS. This
development is truly a disaster for anti-abuse.

~~~
gojomo
Never mind the WHOIS, those other anti-spam databases may be GDPR-violating,
as well. Did that spammer affirmatively opt-in to having his origin
addresses/domains/IPs and response phone-numbers/etc tracked in your anti-spam
data? Probably not!

~~~
anonymouz
That doesn't seem to be personal information.

~~~
theptip
I believe IP addresses are considered "PII" under GDPR, since they can be used
to identify an individual.

[https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)

[https://eugdprcompliant.com/personal-data/](https://eugdprcompliant.com/personal-data/)

~~~
anonymouz
"PII" only seems to exist in US law, GDPR has "personal data".

I am far from an expert on GDPR, but it doesn't seem to be so clear cut. Even
if IP addresses in this context are considered personal data, there may be
"legitimate interest" in processing them for blacklists, e.g.
[https://gdpr-info.eu/recitals/no-49/](https://gdpr-info.eu/recitals/no-49/)
could apply. I am confident a workable solution for spam blacklists will be
found.

I have the impression that a lot of the fear around GDPR is unfounded if one
uses a reasonable and restrictive approach of processing and storing personal
data.

~~~
theptip
Yes, IPs and any other information can be kept if there is a legitimate
interest. For example if another regulation requires you to keep full
information for AML or tax purposes, you can't immediately comply with a
right-to-be-forgotten request to delete all the data you hold.

It's still personal information though (which was my original point), and so
you still need to comply with GDPR by minimizing usage, not sharing it to
processors without permission, having a procedure for telling users what data
you hold on them, etc. And I think you'd have a harder time claiming that the
other stuff is required too, specifically the addresses and phone numbers. You
can do spam detection without that information, even if it would be less
effective.

The problem I see with GDPR is just that we won't know precisely where the
boundaries are until there's some case law to set precedent. It may prove to
be easy to comply with, or it may prove to have some sharp edges that are
expensive to comply with; we really can't tell.

------
verroq
Whois is no longer such a good idea in this age of doxing anyway. I don’t know
anyone who isn’t hiding their whois details and writing fake names and
addresses.

I had the misfortune of using namecheap and entered my real details once.
Their whois privacy didn’t apply to the particular gtld and I only found out
once the spam arrived. Never putting any real details ever again.

~~~
return1
Spam is only the beginning. Wait until a crazy person gets angry at your site.

~~~
egg_head12
Oh no, someone is sending nasty messages. If you're on the web it's to be
expected.

~~~
jacquesm
It's all fun & games until your doorbell rings.

~~~
TazeTSchnitzel
Or you hear the police shouting.

------
chiefalchemist
> From the article -

"Critics point out that ICANN has largely brought these problems on itself,
having ignored official warnings from the Article 29 Working Party for nearly
a decade, and only taking the GDPR requirements seriously six months ago when
there has been a clear two-year lead time."

> From:
> [https://www.icann.org/resources/pages/what-2012-02-25-en](https://www.icann.org/resources/pages/what-2012-02-25-en)

"ICANN was formed in 1998. It is a not-for-profit partnership of people from
all over the world dedicated to keeping the Internet secure, stable and
interoperable. It promotes competition and develops policy on the Internet’s
unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it
doesn’t deal with access to the Internet. But through its coordination role of
the Internet’s naming system, it does have an important impact on the
expansion and evolution of the Internet."

---

Editorial: The disconnect is frightening.

------
anilakar
One month to adapt? They have had two years. Also, I fail to see how this is a
problem, considering that quite a few domains nowadays seem to use WhoisGuard
or a similar service anyway.

~~~
peoplewindow
Hardly. ICANN is not an EU organisation. The idea that GDPR is a global law is
a new thing.

Also,

 _The letter also has harsh words for ICANN's proposed interim solution,
criticizing its vagueness_

Of all the people to criticize others for vagueness, EU data protection people
are the very last who should be talking. GDPR is _nothing but_ vagueness.

~~~
detaro
It's not like WHOIS wasn't problematic before, e.g. even inside ICANN people
have been pointing out conflicts with data protection laws for over a decade.
And ICANN not being from regions with stricter regulation isn't actually
_that_ relevant, since ICANN doesn't directly run WHOIS. The registries and
registrars do it, many of which _are_ in the stricter jurisdictions.

GDPR being globally applied certainly ups the overall pressure, and is the
reason they want to change the overall WHOIS rules instead of making special
rules for individual countries, but the key thing seems to be the fear that
there actually might be painful fines now.

------
tehabe
It is always the same, a law is enacted and it includes a window of a few
years to give everybody time to implement it. A few weeks before the law goes
into effect, everybody is screaming that they need more time. I guess we don't
leave university after all.

------
Anthony-G
Original blog post from Michele Neylon of Blacknight (registrar based in
Ireland): [https://blacknight.blog/game-over-for-public-whois-article-29-gives-icann-the-advice-it-asked-for.html](https://blacknight.blog/game-over-for-public-whois-article-29-gives-icann-the-advice-it-asked-for.html)

As an ex-customer, I've found that Blacknight are generally supportive of
Internet freedoms and they do a lot to advocate the adoption of IPv6.

~~~
DanBC
That's a much better article.

------
billpg
Why does WHOIS need someone's phone number anyway? I didn't have a phone
number between 1993 and 1998 and I would have liked to have had a domain back
then. (I almost did buy one, except they were too expensive back then.)

~~~
giancarlostoro
Probably all so they know which direction to point lawyers / government
agencies towards when they come knocking about your domain.

~~~
realusername
They could just send an email to abuse@[domain] like anybody else.

~~~
chrismorgan
In my experience of recent years, addresses like abuse@, webmaster@,
hostmaster@ and postmaster@ normally bounce. It’s a real nuisance when I want
to report bugs in web systems, or in email systems where they’re doing enough
things badly wrong that they trip (or get close to tripping) spam filters, _et
cetera_.

~~~
giancarlostoro
Sadly I never set up any of those, usually only admin@ and then move on. To be
fair I usually list one of the available emails on my sites where it makes
sense, or provide some way of contacting me directly. I will definitely create
those and forward them to admin@ from now on though. But the issue still
remains as others said, now you can claim you never got an email.

------
y7
Interesting, I just queried the WHOIS records of a .im domain which used to
display my personal information, but now it displays:

    This information has been redacted to comply with European Union General Data Protection Regulations (GDPR). Please contact us at info@nic.im if you have any further queries.

    Domain Managers
    Name: Redacted
    Address
    Redacted
    Domain Owners / Registrant
    Name: Redacted
    Address
    Redacted
    [...]
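
The domain clustering ttul describes further up the thread (linking domains that share a registrant email or phone number) and the redacted .im record pasted just above are both illustrated by the following added example. It is not code from the article, ICANN, Spamhaus or any registrar: the WHOIS records in it are constructed, the field names, redaction markers and fan-out threshold are assumptions, and real WHOIS output varies far more by registry than this small parser handles.

```python
"""Link domains through shared WHOIS contact fields, skipping redacted values.

Added example for this thread, not code from the article, ICANN, Spamhaus
or any registrar. Every WHOIS record below is constructed.
"""
from collections import defaultdict

# Assumed placeholder markers; real registrars use many phrasings.
REDACTION_MARKERS = ("redacted", "data protected", "not disclosed", "withheld")

# Fields whose shared values suggest a common operator (assumed names, in the
# common "Registrant Email:" style of thick WHOIS output).
PIVOT_KEYS = ("registrant email", "admin email", "registrant phone", "admin phone")


def parse_whois(text):
    """Parse 'Key: value' lines into {lowercase key: [values]}.

    Banner lines and bare section headers (no colon) are ignored.
    """
    record = defaultdict(list)
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key and value:
            record[key].append(value)
    return dict(record)


def is_redacted(value):
    """True when the value is a GDPR/privacy placeholder, not contact data."""
    lowered = value.lower()
    return any(marker in lowered for marker in REDACTION_MARKERS)


def pivots(record):
    """Yield (field, normalised value) pairs that may link two domains."""
    for key in PIVOT_KEYS:
        for value in record.get(key, []):
            if not is_redacted(value):
                yield key, value.lower()


class DisjointSet:
    """Minimal union-find over domain names."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        while self.parent[item] != item:
            self.parent[item] = self.parent[self.parent[item]]  # path halving
            item = self.parent[item]
        return item

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_domains(whois_by_domain, max_fanout=25):
    """Group domains sharing a non-redacted pivot value; return sorted lists.

    A pivot value seen on more than max_fanout domains is ignored: it is
    almost certainly a privacy-proxy mailbox or registrar placeholder, and
    linking on it would merge unrelated registrants into one giant cluster.
    """
    holders = defaultdict(set)
    dsu = DisjointSet()
    for domain, text in whois_by_domain.items():
        dsu.find(domain)  # register the domain even if it has no usable pivot
        for pivot in pivots(parse_whois(text)):
            holders[pivot].add(domain)
    for domains in holders.values():
        if len(domains) > max_fanout:
            continue
        first, *rest = sorted(domains)
        for other in rest:
            dsu.union(first, other)
    clusters = defaultdict(set)
    for domain in whois_by_domain:
        clusters[dsu.find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


# Constructed records: one operator with three domains, one unrelated domain,
# two GDPR-redacted .im-style records and three domains behind one proxy.
SAMPLE_WHOIS = {
    "shop-a.example": "Domain Name: shop-a.example\nRegistrant Name: A. Person\n"
                      "Registrant Email: owner@mail.example\nRegistrant Phone: +1.5550100\n",
    "shop-b.example": "Domain Name: shop-b.example\n"
                      "Registrant Email: OWNER@mail.example\nRegistrant Phone: +1.5550199\n",
    "shop-c.example": "Domain Name: shop-c.example\n"
                      "Registrant Email: other@mail.example\nRegistrant Phone: +1.5550100\n",
    "lonely.example": "Domain Name: lonely.example\nRegistrant Email: nobody@mail.example\n",
    "redacted-1.im": "This information has been redacted to comply with the GDPR.\n"
                     "Domain Owners / Registrant\nName: Redacted\nAddress\nRedacted\n"
                     "Registrant Email: Redacted\n",
    "redacted-2.im": "Domain Owners / Registrant\nName: Redacted\n"
                     "Registrant Email: REDACTED FOR PRIVACY\n",
    "proxy-1.example": "Registrant Email: contact@privacy-proxy.example\n",
    "proxy-2.example": "Registrant Email: contact@privacy-proxy.example\n",
    "proxy-3.example": "Registrant Email: contact@privacy-proxy.example\n",
}

if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_WHOIS, max_fanout=2):
        print(", ".join(cluster))
```

Run as a script it prints seven clusters: the three shop domains joined through a shared mailbox and a shared phone number, and everything else on its own. The two guards are the point. A placeholder such as `Redacted` must never be used as a link, or every GDPR-redacted domain collapses into one bogus cluster; and a value shared by more domains than `max_fanout` (a privacy-proxy mailbox of the WhoisGuard kind mentioned elsewhere in the thread) is dropped for the same reason. With the default threshold the three proxy domains would be merged into one cluster, which is exactly the false link an analyst has to watch for.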

~~~
Symbiote
Particularly interesting, as the Isle of Man isn't in the European Union.

~~~
furyg3
If the TLD authority on the Island is offering a good/service to an EU person,
even if they are outside the EU, they will need to protect that data in the
way that the GDPR specifies. So they can either decide to not publicize that
info for EU persons (based on address?), or not publish any natural person's
data.

But let's say they didn't want to. No consequences, right? Not quite... the
.im authority allows EU businesses (domain registrars) to register domain
names (for example, I can go to transip.nl and register a .im domain name).
TransIP has to comply with the GDPR. If TransIP collects my information to
pass it outside the EU, they need to be certain that the organization they
provide it to is also GDPR compliant. If they don't have those assurances,
they can't give them the info. So not being GDPR compliant is not great for
the .im revenue stream.

Finally, I have no clue about the legal regime on the Isle of Man. If I were
them, I would probably try to sync up a lot of my laws with the UK (and thus
EU, for now) laws. So my guess is they have some sort of data protection act,
and that it's in line with the GDPR (or will be very soon).

------
dz0ny
Whois can perfectly have only technical data.

- domain expiry

- domain registration date

- nameservers

Everything else is not needed and as such would comply with GDPR.

~~~
vegardx
If you want EV certs you definitely need more information than that, part of
the idea is that there is public verifiable information that only the owner
can change.

~~~
merinowool
But does it need to be personal information?

~~~
vegardx
I think the short answer: It depends.

In some cases it's not enough to register the domain on a legal entity, it
needs to be a person, and that person needs to exist in the company and needs
to be contactable. You cannot get around this with EV certifications.

------
realusername
It sounds like a positive policy to me, I don't understand the backlash of the
author of this article, personal details have no relation to domain names and
I don't see why they should.

~~~
EpicEng
Personal details related to a car, right? And real estate? I don't understand
your argument.

~~~
ysleepy
So write your name, address and telephone number on the back of your car.
Maybe you don't want to, and thats ok.

~~~
EpicEng
...I think you're forgetting about that whole registration thing you do each
year.

------
sbov
I didn't mind my info being in whois records. Until websites started hosting
that info. And Google started crawling those websites.

There's a big difference between your wife's ex guessing your domain and
running whois on it to find her home address, vs just being able to Google her
name to find it.

~~~
noja
Isn't every single one of those websites violating that TOS of the registry,
that the data may be queried, but not stored?

(cue the "there's no difference" brigade - yes there is)

~~~
sbov
I'm guessing they didn't actually store it, because it got cleaned up shortly
after I deregistered the domain.

------
jiveturkey
Completely unacceptable response from ICANN. They don't need a special
exemption. Turn the service off until you can fix it. And they had plenty of
time!

------
TekMol
If whois is not public, how do I even know if I own my domain?

What if the company that I register my domain with just registers it for
themselves and when I have built a million dollar business on it, they sell it
to somebody else?

~~~
jstarfish
The .tk domain is notorious for this.

------
martin-adams
I wonder if Companies House in the UK is also affected. I tried to get them to
remove personal information a while back as it wasn't a requirement for new
businesses. They said no.

I supplied that information long before Companies House made it easily
available.

I will try again after the GDPR is place.

~~~
sethgecko
> it wasn't a requirement for new businesses

Companies House asks for director name/address/dob when you register a company

~~~
martin-adams
Correct, but new directors can opt to keep that information private and out of
the public domain. So what I meant was, having the information public is no
longer a requirement.

------
romanovcode
Don't see a problem. I don't get why I need to provide my full name,
address and a phone number to register a domain. What's even worse is that
someone can just look it up.

------
kevin_b_er
This will end WHOIS I think. It should prove interesting to see the side
effects of abuse/spam where they can't be identified as easily anymore. On the
flip side, mass IP demand letters will become much harder when you can't
target someone as easily.

------
tschellenbach
It would be fun to compile a list of EU government websites that don't comply
with GDPR.

------
textmode
Why did ICANN require "thick" whois data from registrars?

Ms. Jelinek's letter suggests that collecting this user data, possibly for
the benefit of various "stakeholders", was outside the scope of ICANN's
charter.

Why was it a requirement for ICANN-approved registrars to collect and share
this user data? What was the rationale?

~~~
mschout
I believe the main reason for this (along with the requirement that registrars
"escrow" contact info for all of their domains with an approved third party
such as Iron Mountain) is so that the domain ownership information can be
recovered in the case of a registrar failure. E.g.: registrar closes
unexpectedly, or registrar suffers some catastrophe and loses the contact
info.

------
gwbas1c
I get so much SPAM from WHOIS, email, phone, and texts. My hosting service
wants to charge me to anonymize it.

Twisting ICANN's arm to hide this information is desperately needed.

------
icedchai
Absurd. Users "consented" when they signed up for a domain. Don't like it? Use
a whois service to anonymize.

~~~
CydeWeys
GDPR requires "freely given, specific, informed and unambiguous" consent. It
also says that "Silence, pre-ticked boxes or inactivity, however, is presumed
inadequate to confer consent."

This kind of explicit consent was not given in the case of most domain
registrations, and anyway, GDPR allows for withdrawal of consent, so even if
you did grant it in the past, you can withdraw it now.

~~~
icedchai
That's why I put "consent" in quotes. (I think GDPR is a waste of resources,
even though I have profited from some implementation activities.)

~~~
CydeWeys
They didn't consent though, not by the standards of the GDPR, so their
personal information _cannot_ be published in WHOIS. So, no, paying extra for
an anonymizing WHOIS service is not necessary; this will be the default level
of service from a registrar.

I'm not sure what your intended argument is; can you rewrite in plain English
and without scare quotes?

~~~
icedchai
Yes, I understand that. Consent was originally in quotes because it wasn't
actually consent in GDPR terms.

However, I will continue to argue that it was consent in a more general sense:
They bought a domain, therefore their info is published in whois. It is
necessary to provide the service. If they do not want their info published,
they could have taken action to prevent it (whois service, alternate name,
alternate email.)

~~~
CydeWeys
It is not necessary in the purchasing of a domain name to publish personal
information in WHOIS. Come GDPR implementation date, it is likely that the
vast majority of newly purchased domains will not publish information into
WHOIS. Given that _most_ of these domains won't have private info go into
WHOIS, how can you possibly argue that it's necessary?

All that's needed for the domain name system to work is to configure
nameservers on the domain. That's it. Anything else is certainly not
necessary. All WHOIS has ever done for me is resulted in fake domain renewal
mailings, spam emails, and unsolicited spam/phishing calls. None of this is
anything close to necessary.

~~~
icedchai
ICANN and domain registries think WHOIS is necessary. Therefore, it is
necessary. Technically, it is not required, you are correct.

And guess what? All that spam and stuff is still going to happen without whois
and with the GDPR. It's cute that you think otherwise, but once your info is
out there, there's no getting it back. Spammers don't care about your
"consent" or your "right to be forgotten."

~~~
CydeWeys
Source on domain registries thinking that WHOIS is necessary. It's a cost
center, not a profit center, and some of us would rather not have to do it.

And no, that info would _not_ be out there, and certainly not in such an
easily discoverable format, without WHOIS. There's plenty of incoming spam
I've received, both physical mail, email, and phone calls, that can be solely
attributed to registering a new domain name with publicly visible info in
WHOIS. Had that information not been public, I would not have gotten that
spam, full stop.

------
otakucode
So block Europe from all DNS. Simple.

~~~
cosinetau
That would be a very aggressive response from ICANN, though it might work from
an arms race perspective.

I don't think cold war era thinking alone is the solution to these issues;
there are likely other, less destructive, paths.

~~~
otakucode
It would be a pretty aggressive response, and certainly not one anyone would
be pleased with at all. Not consumers, not ICANN, and not anyone really.
But... the European Union is being extremely aggressive here to start with.
They are seeking to dictate global policy and threatening gigantic sanctions
if not responded to on a very short timetable. One would have to presume that
they would prefer the database being blocked from access to its continued
accessibility, and that might be the only possible option in order to avoid
those sanctions.

I certainly do hope there are other less destructive solutions, but it's not
like GDPR or the problems it has with WHOIS just sprung up suddenly. The EU
knew this was going to be challenging and would require discussion, but the
discussion has apparently reached the point where they have decided going on
the offensive is their best option. It's not like ICANN could just flip a
switch and change everything to be in compliance but they're refusing to. What
the EU wants is a huge change, and you can't just stamp your feet and expect
it to magically happen. But that's the unreasonable path they've chosen.

------
DoctorOetker
nobody mentions namecoin?

------
nailer
Pity this is flagged. It's hacker relevant, the Register is a well regarded
technology site, and I'd rather a plain speaking title with some mildly rude
words than some Vox clickbait.

~~~
jwilk
> the Register is a well regarded technology site

Is it? (Honest question, I have no idea.)

Most of the links at
[https://news.ycombinator.com/from?site=theregister.co.uk](https://news.ycombinator.com/from?site=theregister.co.uk)
are dead for some reason.

~~~
andybak
Yes. I often disagree with it and they are often sensationalist and abrasive
but I always enjoy reading it.

~~~
jholman
Yeah, I think "often disagree and often sensationalist" is a good assessment.
For any given Reg article, I won't rule out that maybe the author is a nutter,
but they're usually well-informed or interesting or amusing or some
combination.

~~~
nailer
Yeah, I expect they know what they're talking about, and have an opinion which
they'll make obvious - which I may not necessarily agree with.

Sysadmin folks would know the term 'BofH' which got popularised by The
Register.

------
labster
Wow, this is the first time I've seen a [dead] article on the front page. Not
sure I understand the front page algorithm. Vouched, of course, as it's
definitely newsworthy to hackers to know that the law is potentially going to
shut down the whois service.

~~~
djsumdog
I think the previous version was removed because it used The Register's
sensational title. Also, I thought you couldn't submit anything from The
Register. Every time I've tried I've gotten an error, and their titles are
always sensational anyway.

~~~
Doctor_Fegg
It’s not particularly sensational, it’s just British slang. Very much in the
tradition of Private Eye et al. I find it a little disappointing that HN mods
believe British slang is a reason to depart from the original-headline-only
policy when any amount of SV hype is let through unchallenged, tbh.

------
shironineja
First ... they came for ICANN, and I did not speak out.

~~~
GenericsMotors
A bit melodramatic, don't you think?

Corporations will continue to have their details listed, this covers what info
can be stored and published about actual persons.

------
megaman22
Yikes, GDPR is a well-intentioned shitshow. It's trying to graft new
requirements onto something that was never designed to support them. And it
looks like it is going about as well as trying to slap multiplayer on top of a
hoary old single-player game engine.

~~~
DanBC
These aren't new requirements. They've been part of EU law since 1995.

------
interdrift
Correct move :). ave Evropa

------
therealmarv
I hope ICANN will get a huge penalty for continuing their whois service after
end of May.

------
anfilt
I really don't see why DNS records should be in the purview of the GDPR. I
also think they are not public enough. It can be hard to contact people.
Information is outdated, false or just hidden. Usually being able to call the
person responsible for a domain and say hey your email server has relaying
enabled and pushing out a lot of spam gets them to fix it.

I can understand a person not wanting to put their address, but I say phone,
email, name and points of contact should be necessary. It is a public system
after all.

Spam can be a problem as well, but these records do serve a purpose. They also
are important for ownership of a domain if a dispute was to arise.

~~~
Tharkun
You've obviously never been threatened, harassed or stalked simply for running
a blog with real contact information in the whois records.

~~~
egg_head12
Stalking really? Threats and harassment. Just tell them to gtfo!

I would be more worried about swatting with the address component. I can see
that for corporations/businesses.

~~~
krageon
Telling them to GTFO doesn't really comfort you if you receive fake
(hopefully) bomb packages at home or whatever else (frequent mailings of poop
for example). The local police generally also doesn't do very much for you
(unless it's _really_ bad, like a real immediate threat to your life from an
actual pipe bomb). Even if they do, that doesn't mean it will stop anytime
soon.

In the meantime it's slowly eating away at your sanity: Is this real mail? Can
I go outside for groceries without getting stabbed? These are not fun concerns
to have to have. Seeing as it's 100% avoidable and unnecessary to have this
information available in this way, I don't think it is a bad thing to remove
it.

~~~
anfilt
I must be made of sterner stuff. I have had what I suspect was a used condom
mailed to me. I have had people call my work before. Calls that just hang up.
Lots of spam and other angry emails.

I find it more amusing that people would waste their only life on such stupid
things.

I do think the address requirement is perhaps a bit much for an individual.
That's why I mentioned that. Kinda wish I used a PO box for my domains.
However, it's already there. So I don't worry about it much anymore.

The only thing I consider personal is your address. If your name and phone
number and contact email are a problem, then a phone book is just as much of a
problem.

~~~
wsy
You can publish your own personal data as much as you like.

This is about people who don't like that and are forced to do it if they want
to own a domain.

And of course phone books are subject to GDPR as well: in an EU country, if you
don't want your phone number to appear in the phone book, just inform your
phone provider, and your record will be deleted. (I guess in the future you
will even have to give explicit consent to let the number appear there.)

