Whois search at risk, and why it matters

To date, the “Whois search” has been a valuable tool for anyone wanting to check the availability of a domain name, or find out who is the registered owner of a domain name.

A Whois search is particularly valuable when trying to identify the owner of a web site featuring defamatory or infringing material.

Further, a Whois search allows a prospective purchaser to directly contact the owner of a domain in order to make an offer to buy.

Conflict between European Union’s General Data Protection Regulation and ICANN’s operations 

The European Union’s General Data Protection Regulation (Regulation) is finalised and set to come into effect on 25 May 2018.  What is not clear is how the Internet Corporation for Assigned Names and Numbers (ICANN) plans to handle the implementation of the Regulation.

The Regulation’s purpose is to protect the privacy of European Union (EU) citizens and residents, and minimise the risk of privacy and data breaches.  It applies to all entities which hold or process information about individuals residing in the EU.

Almost any link to the EU is sufficient to enliven the Regulation, as all organisations will need to comply with the Regulation if they:

  • have an establishment in the EU;
  • offer goods and services in the EU; or
  • monitor the behaviour of individuals in the EU.

ICANN has yet to satisfactorily address the Regulation and adopt a policy to ensure compliance with it.  Tension is building and disagreements have now broken out as to who should be permitted access to domain registration records.

ICANN’s functions include:

  • matching a domain name (for example,) with its IP address, or the series of numbers from which computers on a network identify a website; and
  • the oversight of this domain name registration system.

ICANN also compiles and controls information on registered domains.  Through a Whois search, anyone can find out information held by ICANN on the registration of a domain name, including the name, address, and contact details of the person who registered the domain (Registrant).  This search feature is commonly used by security researchers, journalists, and law enforcement officers who need to track the dissemination of information or malware over the internet.

The Regulation prohibits sharing personally identifiable information with third parties without user consent.  But this is exactly what ICANN does via its domain registrant records.  Providing such records through a Whois search may reveal personally identifiable information, in contravention of the Regulation.

Possible solutions

ICANN previously prepared various response plans as “temporary fixes”, but the European Commission responded that they were “underwhelming” and failed to adequately address the need to comply with the Regulation.

Current options include:

  • allowing access to a Registrant's personal data only to searchers who self-certify their legitimate interest in accessing that data;
  • establishing a formal accreditation or certification program under which only a defined set of third-party searchers would be authorised to access a Registrant’s personal data; or
  • limiting access to a Registrant’s personal data under a subpoena or other court order.

None of these solutions are ideal.

Some progress has been made in relation to internal dealings between ICANN and those entities which regulate the Whois searches.  Where ICANN relies on registries and registrars to administer Whois searches, it has advised that it will not take issue with any resultant non-compliance arising from the Regulation.

On 2 November 2017, ICANN published the Statement from Contractual Compliance confirming it will defer taking any action in circumstances where compliance with Whois and other contractual requirements is in conflict with the Regulation, at least “during this period of uncertainty”.

In other words, ICANN has agreed not to hold it against registries and registrars if they breach their (shortly to be illegal under the Regulation) contracts with ICANN, on the condition that they help ICANN come up with a solution to this conflict.  Some registrars, such as GoDaddy, have already commenced redacting email addresses, names, and phone numbers from all Whois search results they produce and publish.

Lavan comment

There is a great deal of practicality in being able to conduct a Whois search and ascertain the identity of domain name owners.  However, by placing this information in the public domain, ICANN is in contravention of the Regulation.

If you utilise the services of Whois, or have registered a domain name, it is important to be aware of these impending changes.  The ability to identify individuals behind websites, and subsequently contact them where required (such as to request removal of certain content) may soon no longer be possible.

Further, aggrieved parties may be required to enliven the jurisdiction of a court in order to access information which was previously in the public domain.

In the meantime, it will be a matter of (keep) waiting to see how ICANN resolves this conflict.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.