WHOIS blackout period likely starting in May (cooley.com)
152 points by morninj 7 months ago | 156 comments

I really wish WHOIS would go away forever. There is absolutely no point to it. If you don’t pay to get your name private, you get SPAMMED to such an incredible degree, it’s absolutely awful. Literally 10+ calls a day, emails voicemails. So you have to buy the “privacy protection” thing, which defeats the whole purpose anyway. All WHOIS does is create an industry of people selling privacy to WHOIS. This whole narrative about “journalism” and it being used for research sounds like nonsense to me. Something tells me these people have a vested financial interest in this. Would love to hear an alternate point of view on this.

For what it's worth, I've absolutely used whois for journalism. It's helped me contact people for interviews- usually small business owners or bloggers who aren't particularly trying to hide but don't have their contact info on their actual websites.

Most memorably, I reached someone who imported erectile dysfunction supplements from China, only to have them destroyed by order of the FDA because they were actually made with prescription drugs. He said he felt the manufacturer defrauded him and was happy to talk.

But that hasn't worked for me in at least three years, as far as I can remember. The robocall problem has just gotten ridiculous, so everyone's paying to be anonymous. I briefly had a domain registered without privacy protection a couple of years ago, sort of out of principle, and immediately started getting spammy calls about SEO services.

Whois can also be used to identify who owns IP blocks. Which is crucial to many applications such as security.

If you don't want your personal information to be visible that's very different to the full range of what whois can do. You can always use a proxy so there are options for privacy available. I've never got a single spam email/call from my whois data.

ARIN already provides public APIs for this without the need for WHOIS.

WHOIS the protocol is not the problem, it is the data it is used to publish. The GDPR-related mitigations required would be the same whether you are publishing with WHOIS, RDAP or something else.

Also, ARIN only has allocations made in North America. Plus, ARIN only covers North American allocations.

The reason whois has been preserved is the intellectual property lawyers that want to threaten website owners, so yeah, fuck them.

I agree WHOIS is completely useless! Anyone can fake this info anyway and anyone using their real info can be SWATTED (https://en.wikipedia.org/wiki/Swatting)

Only if you use your home address. Most people use a PO Box or other forwarding. (or in the case of a business: physical office presence, which is usually published on the website itself)

Anyone who has my name can find my address, voter registration records are easily searched online in many states. I only bother with WHOIS protections (which Gandi includes at no additional charge) to avoid spam, very few people can claim they are truly safe from swatting.

Choose a registrar that doesn't charge you extra? Your name stays in, of course, but your (electronic and snail) mail addresses and phone number can be replaced by registrar-managed ones where they forward you incoming stuff and (mostly) keep the spam.

It's a pretty common thing with European providers, I think.

For example namesilo doesn’t charge for privacy protection.

Another vote for Namesilo. They seem to be out to create a genuinely good service and not a money grab.

Namesilo are fantastic.

Another example is OVH with its owo option, which has obfuscated Whois data for years.

OVH is weird, they quite often don't obfuscate all contact data. I switched to namecheap for some and they don't leave any of your original data in there.

OWO is sadly not available for some domains I use (notably .de and .eu don't seem to allow OWO).

WHOIS blackout and redesign under GDPR should address the problem of some registries requiring non-obfuscated WHOIS (some even requiring me to put in the ID number of my ID card)

I've actually found that rotating the email address I have listed in whois quarterly addresses the spam problem pretty well. Phone number goes to my Google Voice account which is set up to send everything directly to voicemail.

domain registration data is in a weird place for the modern internet. I can see the value of having a real registry when it was first developed, but now it seems like a pretty easy way for people to shoot themselves in the foot with regards to privacy. Also, some registrars charge a premium for WHOIS privacy. It should not cost extra to have your legal name and address to be hidden from the entirety of the internet.

When you buy a house, your name and the purchase price are public information. Any one at any time can look up who owns a house, how much they paid for it, and how much they pay in property tax every year.

I get a ton of spam because of this. However, I'd rather have this system than one in which all the owners are secret. I've had to look up owner information before to contact owners of various properties, and having that hidden would have made that task impossible.

You can hide the ownership information of a house, if you pay extra money, by hiring a lawyer to create an entity and put the entity on the property, but then the lawyer has to put their address, and forward any requests on to you, just like the whois privacy folks.

I think it is a good thing that every domain has valid contact info.

Not in my country unless you have a damn good reason to get that info.

The only way to get access to someone's address or phone number is to show up at the local community office and provide sufficient information (which means name + any previous address or known phone number registered with the office)

I think the same should go for domains. Unless you have a good reason (which IMO means spam complaint, journalism or legal contact) you shouldn't be able to get any way to contact me. And for the above I have an imprint too which is protected against scrapers and spammers as best as I can unlike the WHOIS.

> However, I'd rather have this system than one in which all the owners are secret.

I don't mean to be cynical, but isn't this system also the one in which some people simply register their houses under a shell company?

Isn't that exactly the same as PrivacyGuard or other WHOIS anonymizing services? If anything, it reinforces the analogy even more.

Yes, but at least the shell company forwards on the messages. And most people don't do it because it's a hassle.

And you lose a 250-500k capital gains exemption if you sell the house and it's not owned & lived in by you directly AFAIK

The issue with this system is it also lets people look up where you live by name alone, which can be bad if you want to own your house and have a stalker problem. The map works 2 ways.

Not true with a revocable trust, which costs under $1000 to establish and provides all the same benefits of owning the real estate directly without disclosing ownership.

Disclaimer: Applies primarily to IL and FL, not an attorney, nor your attorney.

If you do that in CA can you “sell” control of the trust to circumvent reassessment of the real estate taxes after a sale?

My apologies, I’m only familiar with Illinois and Florida real estate law. A CA attorney should be able to answer that with a short, no cost phone consultation (if a trust can’t support such an arrangement, an LLC might).

If a company or other entity is owned by a single person and just owns a single piece of property, this does not work and California will not let the prop 13 tax rate stay with the company. You are obviously trying to cheat to get around the law. As there are more owners of the company and the company has more diverse holdings, California is less likely to insist on resetting the assessed value of the real estate owned by the company upon sale. One REIT buying another REIT is fine. Like many laws, one does not really know what they mean on the edges until you do something and are taken to court.

Is that a US thing? I understand that having some registry with this information is needed (but maybe not with details down to taxation) but... having it behind some officials "firewall" would solve that?

What problem are you trying to solve? The problems that having an open land and property tax register solves are problems like finding fraud, money laundering, tax cheating, better valuation of properties for bank loan purposes, and so forth.

Why would YOU have to do it? For me it's enough that officials have access to this information (and common folks when requested, but with valid motivation). And as a result I don't have problems with my identity being out in the open (and I don't get a single spammy mail)

The reason this is done in public is because plenty of fraud happens when only officials can get access to property ownership and tax info -- even in countries that are relatively less corrupt.

Also, the bit about mortgages means that mortgages rates are lower when appraisals are more accurate; the largest inputs to home value appraisals in the US are sales data and tax data.

But the thing is - not only officials can get that data. It's simply not that easily available (so you can't harvest it like mails on the Web)

As for house market - in other countries (where data is more hidden) it still works. And as far as I know housing market in the US is quite... weird, so it seems this data doesn't help that much?

A housing market that's full of fraud and that has extra-high interest rates still "works". I don't think you're understanding my point at all, or maybe you don't mind fraud.

But in any case, those are the problems that transparency is trying to help solve.

You seem to be repeating the talking point without addressing the counter-argument. Why is a system where people can access that data, just with a couple of roadblocks to avoid mass harvesting, not enough to avoid fraud?

I'm just describing the problems that the current system appears to be designed to solve. If you want to design a new system, great, have at it. I don't have an opinion about that, other than that you probably should try to solve the same problems.

>I think it is a good thing that every domain has valid contact info.

Does your "valid" include domain registrars that provide WHOIS protection that includes forwarding messages to the protected owner?

And, honest question, why do you think that domains should have contact info?

When I used to work in security, I used Whois every day. In many cases it was to notify a domain owner that their domain had been compromised and was being used for spam. I also used it a lot to track down bad actors because most of them are dumb and don’t hide their Whois.

In Germany there is an imprint requirement so you'll always have a contact point for these things.

Unlike WHOIS it's on a website so you can protect this information much more easily from scraping and spamming.

That's where WHOIS protection comes in handy. If you don't want to get even more spam (the imprint has to be clear text, no obfuscation so gets spammed a lot) but a website that could target Germans (or you're in Germany), you'll quickly get costly letters from specialised lawyers. Having Whois protection usually helps, they tend to give up if they can't get your address easily.

Some minor Obfuscation should be okay "mail at example dot com" => "mail@example.com" and similar.

Plus I'm fairly certain providing temporary mail addresses (with decent lifetime) would also be okay.

Specialised Lawyer isn't quite right, a business that competes with you needs to file a complaint (IIRC from law course).

No, minor obfuscation is not ok. The same as a picture can be a problem for blind people, your example can be an issue for people not speaking english (it's a German law). I wouldn't take any risks with these laws.

My sites are all dual-language so I don't see that as a problem.

Not all domains have public websites.

If those create any abuse then you can still contact the registrar.

From what I understand the eventual plan for WHOIS is to only allow access if there is truly legitimate interest. Everything else can be filtered over the registrar.

off the top of my head, valid DMCA takedowns?

> When you buy a house, your name and the purchase price are public information. Any one at any time can look up who owns a house, how much they paid for it, and how much they pay in property tax every year.

Uh, really? Where?

It's a US or at least California thing. In many countries this is not reality.

It is the same in Washington state, and I suspect most other states also make this information available. I believe it is required because the taxing authority data is considered public information.

PA, checking in. My county has a website where you search the address, and get back the owners, acreage, square footage, assessed value (land and building(s)), and last sale price and date.

I know that this is all managed by a government department called the "Land Registry" in the UK.

Def true in Canada.

UK too.

If this is true in Europe, I'm curious what the implications are w.r.t. GDPR.

Probably very little. The data will be being made public under a law mandating that, and the GDPR allows for that:

> Processing shall be lawful [...if...] processing is necessary for compliance with a legal obligation to which the controller is subject


EDIT: nevermind, misread the context.

I believe the parent is talking about the example of a land ownership database.

Oh, oops, you're right.

It's not true where I am in Europe, this sort of info is accessible to government employees only.

There is no reason for anyone to contact me outside of methods I publish.

And some jokers like OVH do not charge anything for privacy but fuck it up. I recently got hundreds of emails and a dozen phone calls from various spammers as a result of registering some domain names with them despite choosing the privacy options.

The publication of personal information on whois cannot stop soon enough.

Yep, they only replace owner but not contact details for admin or tech. That way your details are as public as without their "service".

Do any registrars not charge a premium for Whois privacy? I know Hover doesn't have a separate Whois privacy entry price, but the base price at Hover seems to be about the price of a domain + Whois privacy at other registrars.

Gandi.net doesn't charge extra and also has reasonable prices.

Google domains offers it for free and as standard.

I wouldn't say free. I would say it's included in the $12/year price of .com registration. I suspect that price is competitive with registrars that have a base price that doesn't include WHOIS privacy and sell privacy as an add-on, though I haven't shopped around in a while. All my domains are registered with Google Domains.

I just enter phone/address information for one of those whois privacy proxies without bothering to pay for them. What's the point of paying? The only thing real on my domain registrations is a gmail contact - the rest doesn't matter.

Back a few years ago, NomiNet used to post you a certificate proving ownership every time you registered a .co.uk domain. I recently found a couple when moving house.

I have some domains in OVH, they do not charge for privacy. Generally you can check out https://tld-list.com/tld/com for the list of providers which offer free whois privacy for a given domain.

Be careful with OVH, they put your details in Admin-C/Tech-C, same effect as not using their service at all. At least that was my experience a few months back, I then switched to namecheap to avoid that.

You could just lie. Only the contact email really matters, and those are anonymously-routable already.

In practice, this will usually work, but it does violate ICANN rules. If this ever gets enforced, likely due to a disgruntled party making a complaint, it could backfire.

Yep, you could lose the domain. It would be a big risk to take if there's any chance someone wanted to go after the domain.

I shifted my entire domain portfolio from Bulkregister.com to Uniregistry for this issue. Bulk charges $3 per domain per year and I saved thousands a year moving to Uniregistry.

NameSilo doesn't - but they were also recently acquired so there's no guarantee if the new owners will let things be the same or change it.

DreamHost doesn't charge for WHOIS privacy, and they have competitive domain prices.

I would 2nd Gandi.net. No additional fee for their whois privacy option.

iwantmyname.com doesn't charge for whois privacy

i get it free from moniker


It's included on Hover as well.

That's what I meant with "I know Hover doesn't have a separate Whois privacy entry price, but the base price at Hover seems to be about the price of a domain + Whois privacy at other registrars".

WHOIS privacy isn't even an option for some tlds. Nominet require the registrant's legal name and postal address and only offer a discretionary opt-out for non-commercial websites.


thank god, tired of paying extra for "whois privacy" that various registers offer

running a hobby project should not require you to share your private contact details with the world

I've gotten so much telemarketing from my whois. Quite frankly, it's ridiculous. I'm glad that the EU twisted ICANN's arm off and beat them into submission.

I think ICANN is going to quickly realize that they will need to take an active role in brokering communication with domain holders; this way they will have to act as gatekeepers against spam.

Hear hear.

I run a few small web sites, and in the past few years have gotten zero calls from devops types calling about a problem, and dozens, if not hundreds, of telemarketing calls, to a number that is only listed on my whois data.

I like what CIRA (the .ca registration authority) does. The default is for them to hide your contact information. You have to opt-in to make it public.

They then handle all communications people want to send to you. More registration authorities should take stances like this.

Now if only they could get DNSSEC support...

I emailed them about this just last week:

Me: Are people who are not Canadian citizens able to purchase/register .ca domains? I've read that a Canadian phone number is needed for registration. Additionally, can a non-Canadian citizen get CIRA's WHOIS privacy for their domain?

Their Response: Thanks for getting in touch with CIRA, [redacted]. CIRA has 18 Canadian Presence categories, we require full contact information when an individual or a business is registering a .CA domain name. That doesn't mean you have to be in Canada to hold a .CA domain, many Canadians live all over the world and registered .CA domain names. A non Canadian could hold a .CA domain name but that would require them to either register a Canadian Trade Mark, Canadian Corporation, or hold a Permanent Resident card. The WHOIS information is "masked" or "privacy protected" when the .CA category of "Canadian Citizen - Individual" is selected.

So it looks like WHOIS privacy is not easily available if one isn't a Canadian citizen. I still like the model, however.

I like how people responsible for .pl (Poland) domain handle this. First of all, they list only very basic data, with no names, addresses, etc. when you query their whois. To see the full data, you have to go to their website and type the captcha, which filters out at least some of the bots. But even there they display the data if it belongs to a company, they won't show any details if it's registered to a private person.

Seems like it's the same for .eu domains, and (I think) some other EU countries. For private persons you only see the email, and that's after entering the captcha.

> you have to go to their website and type the captcha

I'd prefer that they'd charge me 5 eurocents per query rather than using my time and effort to feed Google's AI.

Not sure why you are saying this, when the site uses a "usual" captcha (that can probably be solved easily, but that's another thing): https://www.dns.pl/cgi-bin/en_whois.pl

See also https://www.denic.de/webwhois-web20/ for the .de registry's captcha.

CIRA has had DNSSEC support since 2014. https://cira.ca/dnssec-faqs

I use Google Domains and it supports DNSSEC on my .ca domains.

Huh. This is great! Might be a NameCheap (my registrar) limitation. The way it's worded in the management page on NameCheap is that DNSSEC is not supported for .ca period. Definitely something I'll look into. Thanks!

Probably. I had to move to baremetal.ca to get DNSSEC support, and even then I had to email the info to their tech support team as the web interface didn't support it

Privacy still has a place, this would not keep someone from knowing what corporation owns a domain - and will not keep the government or other interested parties from finding that out. Privacy services still act as an impediment to keep ownership private far better than this will.

It however brings to a dead stop the push they have been making to make whois privacy a violation of the TOS of registering a domain.

A lot of registrars include privacy for free.

In the short term WHOIS is going to be limited to just the registrant organization, state, country and a masked email address (Admin and Technical fields will be removed save email). This is short term to come into compliance with GDPR.

Long term ICANN intends to create a privileged group (other registrars, law enforcement, etc) Who will be able to get to the full whois data. So a sort of tiered system. Expect this to take a minimum of a year. The ICANN multi stake holder model means nothing happens fast.

> Long term ICANN intends to create a privileged group (other registrars, law enforcement, etc) Who will be able to get to the full whois data.

To a substantial degree it's privacy for the powerful and transparency for the weak. It should be the reverse: The powerful and government institutions should be transparent, and citizens should have their privacy.

> The powerful and government institutions should be transparent, and citizens should have their privacy.

Hear, hear! The most frustrating part of the Clinton email fiasco to me was the contrast between the rule bending going on at the highest levels in the name of privacy, and the pervasive monitoring that the rest of us are subjected to.

> Long term ICANN intends to create a privileged group (other registrars, law enforcement, etc)

And trademark owners, of course. So that the Three Letter Corporation (TLC) can continue sending lawyers to wrestle away control over the domain of Theodore L. Clark's personal homepage initially set up in 1995 (and enthusiastically maintained since).

Because chaos and mayhem would result if there's even a single ccTLD where the "tlc" label is not assigned to the same one entity that just redirects it to their .com anyway.

This is exactly why privacy and proxy services will still be necessary - it will essentially re-balance what GDPR has unbalanced (no judgement on whether that is favorable or not)

Just another way ICANN can make money. You can bet your bottom they will sell the premium access.

> Expect this to take a minimum of a year.

GDPR was announced over 2 years ago, why are they only just starting now?

They aren't but the nature of the process is "Everyone gets an opinion" that takes a lot of time. So they spent over a year soliciting opinions, sorting out legal issues etc, and came up with "we need some kind of authorization system on top of whois" but they've got to build it and they have 0 competence in that realm, so it will need to be put back out to committee. A process will have to be devised, a spec written, spec adopted etc. It's a huge slow bureaucracy. 2 years is fine to expect a business to be compliant with something, for a pseudo governmental organization it's not nearly enough time.

That's simply not true. The EU data protection Working Party (Article 29 aka. WP29) has been telling them since 2003 that Whois is not compatible with EU law [0]. That's well over a decade.

Even if ICANN only took GDPR seriously, their plan A was awful and their plan B was non-existent, see the thread further up: https://news.ycombinator.com/item?id=17081950

[0] http://ec.europa.eu/justice/article-29/documentation/opinion...

ICANN is scrambling to be compliant they write... We've all had 2 years notice since the GDPR has been adopted! And if you 'didn't know', you have bigger organizational problems.

I understand it is a lot of annoying work, but adtech and data brokers (etc etc) have been gutting privacy and the internet for long enough. We've let it come this far, now we get regulated.

(disclaimer: I only started working on compliance this year, do as I say, not as I do ;))

It's worse than that. Article 29 Working Party (WP29) - which deals with data protection has said since 2003 (well over a decade!) that Whois is not compatible with EU law [0]. They just didn't have a way to enforce it before GDPR.

But ICANN are delusional idiots, maybe because they get so much money from US intellectual property interests. They did nothing, and then seemed to think that they could get a moratorium on enforcement. But even their own Non-Commercial Stakeholders Group basically told them to get lost [1].

It's a fascinating story of just how terrible ICANN is. As always, the Register has a great write-up [2].

One thing is clear, they deserve it. I do feel bad for registrars though, and hope they had more sense than ICANN and developed a plan B.

[0] http://ec.europa.eu/justice/article-29/documentation/opinion...

[1] https://www.icann.org/en/system/files/files/gdpr-comments-nc...

[2] https://www.theregister.co.uk/2018/04/25/icann_whois_gdpr/

> We've all had 2 years notice since the GDPR has been adopted!

Have we really? The first it cropped up on my radar was late 2017 and I'm in a business that adheres very strictly to EU DP best practices (so was already mostly GDPR compliant).

I'm not sure whose job it was to promote awareness of this but Britain's data protection agency certainly didn't do a good job of it given they've had my email address for years(!)

The WHOIS blackout has already started, I recently registered a domain with a non-European ccTLD, but with Gandi for the registrar. The WHOIS reads:

   Administrative Contact:
      Not displayed due to GDPR

My .me domain displays (and always has displayed IIRC) nothing but my full name (not that interesting as the domain is my name). Everything else are the contact details from Gandi.

Must be a Gandi thing. My .io domain from Gandi only shows my name but a .me domain from another registrar still shows home address, phone number, etc.…

there is another type of whois that people don't ordinarily interact with, but is essential for the correct operation of the internet...

ARIN, RIPE, APNIC and AFRINIC run whois databases for IP space. Network operators use them to find who controls chunks of v4 space (ranging from the globally-minimum-announceable /24 to /12). ISPs can use tools like SWIP to point the whois for a block of space in use by a customer to that customer's whois info.

I sincerely hope that this doesn't become more difficult to use, because it will make basic network diagnostics at a WAN scale much more annoying.

The good news is that the typical ISP-level info in IP space whois databases doesn't fall under the GDPR, since most are role accounts (abuse@ispname.com, noc@ispname.com, etc). Also generic phone numbers for NOC and network engineering groups. However, a lot of ISPs do currently have individual persons listed as points of contact in their whois entries.
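The distinction drawn in the comment above, role mailboxes versus named individuals in IP-space whois records, can be checked mechanically. The following is an added example, not part of the original thread: it parses a constructed RPSL-style response (documentation address range, `.example` domains, made-up handles), picks the abuse contact a responder would write to, and lists person-object fields that still expose personal data. The role local-part list and the redaction wording are assumptions.

```python
import re

# Constructed sample in RIPE-style RPSL layout; not real registry data.
SAMPLE = """\
% Constructed sample response for illustration only.
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@isp.example'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
country:        ZZ
admin-c:        JD1-EXAMPLE
tech-c:         NOC1-EXAMPLE

role:           Example ISP NOC
e-mail:         noc@isp.example
abuse-mailbox:  abuse@isp.example
nic-hdl:        NOC1-EXAMPLE

person:         Jane Doe
e-mail:         jane.doe@isp.example
phone:          Not displayed due to GDPR
nic-hdl:        JD1-EXAMPLE
"""

# Assumed list of local parts that indicate a shared role mailbox.
ROLE_LOCALPARTS = {"abuse", "noc", "hostmaster", "security", "peering"}
ABUSE_ATTRS = {"abuse-mailbox", "orgabuseemail"}   # RIPE-style and ARIN-style keys
PERSONAL_ATTRS = {"address", "phone", "fax-no", "e-mail"}
REDACTED = re.compile(r"not displayed|redacted|withheld", re.I)  # assumed wording
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_objects(text):
    """Split a response into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith(("%", "#")):          # server comments
            continue
        if not line.strip():                     # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:        # continuation of previous value
            key, value = current[-1]
            current[-1] = (key, (value + " " + line[1:].strip()).strip())
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def is_role_mailbox(address):
    return bool(EMAIL.fullmatch(address)) and \
        address.split("@", 1)[0].lower() in ROLE_LOCALPARTS


def abuse_contact(text):
    """Best address for an abuse report, or None if only individuals are listed."""
    objects = parse_objects(text)
    for obj in objects:                          # 1. explicit abuse attribute
        for key, value in obj:
            if key in ABUSE_ATTRS and EMAIL.fullmatch(value):
                return value
    hint = re.search(r"^% Abuse contact for .* is '([^']+)'", text, re.M)
    if hint and EMAIL.fullmatch(hint.group(1)):  # 2. server-side hint line
        return hint.group(1)
    for obj in objects:                          # 3. any role mailbox
        if obj[0][0] == "role":
            for key, value in obj:
                if key == "e-mail" and is_role_mailbox(value):
                    return value
    return None                                  # never fall back to a person


def personal_exposure(text):
    """(handle, attribute) pairs where a person object shows unredacted data."""
    exposed = []
    for obj in parse_objects(text):
        if obj[0][0] != "person":
            continue
        handle = dict(obj).get("nic-hdl", "?")
        for key, value in obj:
            if key in PERSONAL_ATTRS and not REDACTED.search(value):
                exposed.append((handle, key))
    return exposed


if __name__ == "__main__":
    print("report to:", abuse_contact(SAMPLE))
    print("personal data still published:", personal_exposure(SAMPLE))
```
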

I'm just wondering why ICANN is "scrambling to get it GDPR-compliant" just now, at the eleventh hour. They had just as much time as rest of the world to do it sooner, without any interim modes, and without any rush and all the problems that can come from hastiness.

A big factor is that ICANN is comprised of multiple stakeholder communities of competing interests that have to come up with consensus to make new policies. Refining the model of what is published in the WHOIS has been the subject of working groups in ICANN for over 10 years, but consensus was never reached because you had a huge spread of opinions that never converged. Privacy advocates argued for no WHOIS, whereas interests from law enforcement, security research and intellectual property argued for full disclosure.

Noticed this the other day, my own domain is already blacked out.

I used to put fake info there anyway, I don't want my domain linked to my home address, or provide an easy way for spammers to get my email.

And you haven't been called out for Incorrect Whois Information? Complaints seem automatic, even with obscure domains I seem to register

Not yet, had my domain for a good few years now as well. Been through multiple renewals, it's never been picked up on.

Having a public register that tells you who owns a particular domain or IP address could be useful for a lot of things. Sure, they could take away a lot of fields that are not necessary and might be a privacy problem, like address and phone number, today it's useless, and maybe instead add a GPG public key, so much useful, and keep name and email address.

But don't remove it, it's a useful thing I use a lot, most of the times for security purpose, you see a suspicious IP address or domain while observing a packet capture, WHOIS tells you who owns it, you find in a log an IP address that tries to bruteforce into your server, WHOIS tells you who it is and gives you an address to contact and ask explanations, you need to find a person to contact if you have a problem with a website, contact the email address in the WHOIS record of the domain, you are sure that you are contacting the right person, even if the site gets hacked in the worst way the WHOIS record can't change.

I work for a popular hosting company and WHOIS data is causing constant issues - mostly for non-technical customers, but on one occasion, I accidentally used my work mail address during testing. The WHOIS database for, say, the .net zone is extensively mined by spammers and telemarketers.

I received a torrent of marketing mails for months even though I immediately changed it to a noreply mail address. We receive numerous complaints from customers who ignored our warnings.

Back in 2002 teenager me used WHOIS to lookup my ISP's (adelphia) phone number. Some guy picked up the phone in their server room no shit. He answers the phone like it's an internal only line "server room Jim here how can I help?" Me: "ya um I have a problem with my SMTP port can you help out?" Net Admin "How did you get this number! but ya I can help kid"

My quick and dirty three step scam website detecting process https://travel.stackexchange.com/a/84026/4188 obviously includes whois but -- I think I will make do without. It's only a little harder, to be frank.

So will firms like https://www.domaintools.com/ need to redact their whois history data? They're in Seattle, for whatever that's worth.

Does this also apply to RIPE for the whois of an IP address?

There is a RIPE meeting this week. Tomorrow (Wednesday) there will be an update regarding GDPR in the database working group: https://ripe76.ripe.net/programme/meeting-plan/db-wg/

I'm good with this. I don't like the fact that some yahoo can look me up and come after me just because he might not like what is on my website.

whois guard is a joke so i welcome this



I don't understand the problem. When buying a domain you do so in ICANN's jurisdiction, under their terms. Actively and voluntarily forfeiting your right to privacy should trump statutory privacy.

And if that isn't enough, ICANN can fix this without compromise. One mass email. "Respond expressly allowing us to publish your PII, or lose your domain."

> When buying a domain you do so in ICANN's jurisdiction, under their terms.

Contract doesn't trump law, and ICANN isn't a supernation that excludes actual sovereigns from governing behavior relating to it.

> And if that isn't enough, ICANN can fix this without compromise. One mass email. "Respond expressly allowing us to publish your PII, or lose your domain."

No, it can't, IIRC, because GDPR specifically excludes this kind of “agree or no service” from qualifying as effective consent.

> No, it can't, IIRC, because GDPR specifically excludes this kind of “agree or no service” from qualifying as effective consent.

It would also set the rather terrible precedent that ICANN can add terms after the fact.

Yeah, that's not how the law works, sorry about that. Every human has rights that cannot simply be waived because a website says so.

Everyone has a right to privacy, and that's what the GDPR is about ensuring for EU subjects. Your thinking is extinct and I strongly suggest changing it, or fading away like everyone else who feels the same way.

> Everyone has a right to privacy

This is far from an absolute. Each country more or less dictates the rights of their people, and many countries do not directly provide this right. As an example, the Indian supreme court only declared it a right last year, and most articles talking about it only list a very select few other countries as ones that provide this right.

Indian government mandates original information to be filled in RABT else the domain registrar can cancel your account.

And since GST, if you register a domain you are supposedly a business owner and need to provide a GST number mandatorily. Check these out with Net4.

Indian govt sucks big time when it comes to privacy.

And even where it is a right, it's not an absolute right - it has to be balanced with other rights and may be limited by laws.

This is stupid.

What happens next - do patents and copyrights have owner’s right to be forgotten?

If so, then who do you sue for stealing your copyright?

The intent is good - let me be clear about that. But the implementation is having second order effects that are going to f* with things in a big way because it wasn’t thought through as thoroughly as it should have been. *

* Key thought here is that it might be extremely difficult to think through all the second order effects, which suggests to me that a better phase in process should have been implemented.

EDIT - Not sure why this is being voted down. If I’m not clear here, then please see my follow-on comment for (hopefully) a more clear view of my position. I’m not saying Whois is stupid - I’m saying GDPR is (due to the lack of thinking around second-order effects).

I don't understand how any of those are remotely related to whois being removed. It's not like it represented anyone that could feasibly be sued before, just a whoisguard service, usually

In the US, we have different sites where you can look up patent information.

In fact, IBM and Microsoft run this one, which is a global database. Article: https://www.zdnet.com/article/microsoft-ibm-arm-back-open-pa... Site: http://oropo.net/

So my question is, if Whois had to take their site offline due to GDPR, then will things like this go offline?

My concern is that GDPR will have a chilling effect not just on free speech, but on open information of many kinds.

PS - for reference, here is a good overview of the issues that an open patent database helps solve: http://oropo.net/oropo_report_20150615.pdf

WHOIS will not be permanently offline, it will be temporarily offline while the ICANN and others work out how to give access to people who have legitimate interest in the data, ie people looking for a legal contact, sysadmins looking to notify someone, registrars themselves, etc.

I don't think the US patent database will go offline, the EU one might hide personal information like name and address unless you request access under legitimate interest.

> how to give access to people who have legitimate interest in the data, ie people looking for a legal contact, sysadmins looking to notify someone, registrars themselves, etc.

That is, anyone but the public. Oh, EU, you've done it again.

Why does the public need my email and phone number associated with a random internet string in a database?

Not a lawyer, but I don't think it will affect these kinds of sites. The personal information collected in patents is collected due to government regulation. This is one of the lawful bases for using the data. The data is public information (as a result of that regulation). Affected people will have to be notified when creating a patent that their information will be used in that way -- something I think patent offices already do.

There are lots of things that fall under that category, but I haven't really looked into it deeply because in my work we don't have any data collected due to government regulations.

> If so, then who do you sue for stealing your copyright?

I don't even understand the question. Why would anyone "stealing" your copyright or patent register themselves in those databases? The purpose of those databases is to let the legitimate inventor/author inform everyone else that they "own" the thing, not to catch infringers.

Yikes - I worded that poorly! What I’m trying to say is that now proving ownership of something is more expensive. I can’t just say, “here’s the link to my patent” because no names will be attached.

So somebody’s random claim would look just as real as mine.

Sure, lawyers will have access to this, but now you have to talk with a lawyer to see if that job candidate really does own the patent.

It’s things like this that are stupid.

The GDPR doesn't have a blanket ban on publishing personal data! The problem with the WHOIS database is that it's forced upon individuals. The EU has no problem with a WHOIS database that allows people to freely opt-in to publish their data (Whois "privacy" services don't count - privacy must be the default, and you certainly can't be forced to pay for it).

The reason the database is going dark is that ICANN has completely bungled this process, failing to address the GDPR in time (it was adopted two years ago!), and so now they have no choice but to take it down until they can fix it. And it might be that the future WHOIS database won't let you publish data, but that's ICANN's decision, not the EU's.

So to take it to the patent database, all that means is that the patent database must ask consent from the patent author and owner (assuming it's an individual) to show their personal data.


But let's assume they actually couldn't show names at all (which, again, is not the case). All you'd have to do is get a (digitally signed) certificate from the patent office saying that you're the author, and then you'd send a copy of that to whoever you want. Hardly a terrible thing.

As a one-off, no, it's not terrible. But factor in the millions of little things, and all the time spent by all those people, and this ends up being a big waste.

I'll say it again - people are underestimating the unintended consequences. And I believe they are severely underestimating it as well.

And with state-sanctioned things like patents, the creator or rights-holder being published could always be a legal requirement (not sure if it is, wouldn't surprise me though)

The GDPR was proposed in 2012 and has been heavily discussed since then. It was adopted in 2016 and as of 25 May 2018 will be enforceable.

Anyone who uses the data of EU citizens should have known about it. They certainly had plenty of time to consider the effects of it on their own operations.

ICANN is a US company. Technically, the rules don’t apply to them, because it is an EU law, not a global one.

However, the maliciousness that the EU is proposing to go after any company, whether they operate in the EU or not, is going to break things in ways they have not thought of.

So regardless of how long ago it came out (and trust me, 2 years is nothing for dealing with something like this), it still wasn’t well thought thru.

For what it’s worth, this law affects my company, as we have clients that are EU citizens. But only those that live in the US with a social security number. (I work in finance). My company has one office with just a few people. I never heard about GDPR until earlier this year. So my question is what happens if someone files a GDPR issue with my company? My clients' information is available all over the world via login to our staff. We travel to various places. So what happens now? Some law in a place I’ve not been in a decade (exempting EU-controlled islands in the Caribbean) has just put my company in a strange legal position. Am I going to spend tens of thousands of dollars with lawyers and consultants to figure it out? No. Why? Because it would put me out of business. Plus, as a financial company, I have a requirement for saving information for 7 years. All data? Hard to say, as the IS law leaves that discretion to my company (as it should be).

So this law was horribly thought thru. I’ll probably get downvotes for this, but wait a couple years and see how crazy fines affect companies large and small for innocent issues, and I’ll be proven right.

If the laws didn't apply to them, they would just ignore them. The fact that they haven't proves otherwise.

The GDPR has been discussed for well over 2 years. It came out in 2012. Before then, it was being discussed publicly. Its predecessor, the Data Protection Directive, has been around for a long time.

You really have no justification for calling it horribly thought through. Laws like this don't appear overnight and without wide consultation. In any case, if the requirement was to apply the law out every scenario before implementing it, pretty much no law would ever be implemented.

The aim of the GDPR is to make organisations treat personal information properly, not to penalise them for every little infringement. I very much doubt there will be enough capacity to deal with every minor offence; it's more likely that large companies or those with many complaints against them will be the first targets.

Ultimately, if you're not sure about something, you most likely aren't the only one. Things will become clearer as regulations and guidelines appear, and the first complaints are dealt with. If you believe you're behaving fairly, you're probably fine or at least that's something you can argue.

> However, the maliciousness that the EU is proposing to go after any company, whether they operate in the EU or not, is going to break things in ways they have not thought of.

Hmm, so you're saying the US doesn't do anything like this? DMCA, FBAR & FATCA, etc, etc.

The only reason Americans are complaining about this one is that they're the ones having to comply with a very sane law. Or because they haven't read it, and have no fucking clue how it or privacy works.

> are EU citizens. But only those that live in the US with a social security number. [...] So my question is what happens if someone files a GDPR issue with my company?

Read the GDPR. Only companies outside the EU that specifically go after EU residents are in scope. It has nothing to do with e.g. EU nationals residing abroad.

So enough of this "woe is us" bollocks. It happens every post about GDPR, and I'm sick of the FUD tactics.

Not a FUD tactic on my part, so please don't put "woe is me" on me.

For what it's worth, FATCA, DMCA, et al really suck too, and I think those have terrible unintended consequences. But this post was about GDPR because that's what the topic of the original post is.

And no, I'm not complaining about it - I'm saying it's poorly implemented.

And before you go off on Americans having to comply with a law OUTSIDE OUR JURISDICTION, how about we hold all of our crappy laws over your head. And fine you 4% of revenues for one of our bullshit laws? You wouldn't like it either, WHICH IS MY POINT - it's a poorly implemented law.

My company has a (damn good) privacy policy. We take privacy very seriously. But fuck all if some other country wants to put a regulation on MY interaction with someone from their country in my hometown. (And I have the same opinion if the US wants to regulate some American doing something in another country - the US should fuck-off then as well).

You seem super supportive of this law, but what will your position be when China "improves" their Social Credit system to require anybody in any country who deals with a Chinese national to report their information/conversation/etc to the Chinese govt within 24 hours of gathering the data? Will you support that because the Chinese have the noble goal of social stability? Or will you decide that in this particular case, and because you don't like their extra-territorial law, that "they can't do it." ?

I have no intention of reading the GDPR because IT'S NOT MY LAW ! Does that not resonate with you? I don't expect you to read the DMCA, FATCA, Patriot Act, etc, so why do you expect me to read yours? It has nothing to do with me (except for those unintended consequences that I'm trying to explain above).

> For what it's worth, FATCA, DMCA, et al really suck too, and I think those have terrible unintended consequences. But this post was about GDPR because that's what the topic of the original post is.

> And before you go off on Americans having to comply with a law OUTSIDE OUR JURISDICTION, how about we hold all of our crappy laws over your head. And fine you 4% of revenues for one of our bullshit laws?

Kind of hard to reconcile those two positions, given that the former is just a perfect example of the latter.

You need to reread my post. Those two comments are perfectly in line.

My point is that GDPR sucks (as does DMCA, etc). Extra-territorial laws have wide ranging unintended consequences, and hence should be avoided. That's why we have treaties.
