To date, the “Whois search” has been a valuable tool for anyone wanting to check the availability of a domain name, or find out who is the registered owner of a domain name.
A Whois search is particularly valuable when trying to identify the owner of a web site featuring defamatory or infringing material.
Further, a Whois search allows a prospective purchaser to directly contact the owner of a domain in order to make an offer to buy.
The European Union’s General Data Protection Regulation (Regulation) is finalised and set to come into effect on 25 May 2018. What is not clear is how the Internet Corporation for Assigned Names and Numbers (ICANN) plans to handle the implementation of the Regulation.
The Regulation’s purpose it to protect the privacy of European Union (EU) citizens and residents, and minimise the risk of privacy and data breaches. It applies to all entities which hold or process information about individuals residing in the EU.
Almost any link to the EU is sufficient to enliven the Regulation, as all organisations will need to comply with the Regulation if they:
ICANN is yet satisfactorily to address the Regulation and adopt a policy to ensure compliance with it. Tension is building and disagreements have now broken out as to who should be permitted access to domain registration records.
ICANN’s functions include:
ICANN also compiles and controls information on registered domains. Through a Whois search, anyone can find out information held by ICANN on the registration of a domain name, including the name, address, and contact details of the person who registered the domain (Registrant). This search feature is commonly used by security researchers, journalists, and law enforcement officers who need to track the dissemination of information or malware over the internet.
The Regulation prohibits sharing personally identifiable information with third parties without user consent. But this is exactly what ICANN does via its domain registrant records. Providing such through a Whois search may reveal personally identifiable information, in contravention of the Regulation.
ICANN previously prepared various response plans as “temporary fixes”, but the European Commission responded that they were “underwhelming” and failed to adequately address the need to comply with the Regulation.
Current options include:
None of these solutions are ideal.
Some progress has been made in relation to internal dealings between ICANN and those entities which regulate the Whois searches. Where ICANN relies on registries and registrars to administer Whois searches, it has advised that it will not take issue with any resultant non-compliance arising from the Regulation.
On 2 November 2017, ICANN published the Statement from Contractual Compliance confirming it will defer taking any action in circumstances where compliance with Whois and other contractual requirements is in conflict with the Regulation at least “during this period of uncertainty”.
In other words, ICANN has agreed not to hold it against registries and registrars if they breach their (shortly to be illegal under the Regulation) contracts with ICANN, on the condition that they help ICANN come up with a solution to this conflict. Some registrars, such as GoDaddy, have already commenced redacting email addresses, names, and phone numbers from all Whois search results they produce and publish.
There is a great deal of practicality in being able to conduct a Whois search and ascertain the identity of domain names owners. However, by placing this information in the public domain, ICANN is in contravention of the Regulation.
If you utilise the services of Whois, or have registered a domain name, it is important to be aware of these impending changes. The ability to identify individuals behind websites, and subsequently contact them where required (such as to request removal of certain content) may soon no longer be possible.
Further, aggrieved parties may be required to enliven the jurisdiction of a court in order to access information which was previously in the public domain.
In the meantime, it will be a matter of (keep) waiting to see how ICANN resolves this conflict.
