Home / Blogs

Eliminating Access to WHOIS - Bad for All Stakeholders

Steeped deep in discussions around the European Union’s General Data Protection Regulation (GDPR) for the past several months, it has occurred to me that I’ve been answering the same question for over a decade: “What happens if WHOIS data is not accessible?” One of the answers has been and remains the same: People will likely sue and serve a lot of subpoenas.

This may seem extreme, and some will write this off as mere hyperbole, but the truth is that the need for WHOIS data to address domain name matters will not disappear. Without the WHOIS system to reference—including automated access for critical functions—there will be no starting point and nowhere else to turn but to the registries and registrars who would need to address requests on ad-hoc and non-standardized terms. Contracted parties concerned with the cost of doing business should take note!

Today WHOIS data is used to: resolve matters involving domain name use/misuse/ownership; conduct investigations into the myriad of criminal activities involving domain names; carry-out day-to-day business transactions such as the routine tasks associated with managing domain name portfolios; buying and selling domain names; and protecting brands and IP—just to name a few uses.

Creating barriers to WHOIS access for such uses would unnecessarily increase risks and disputes for domain name registrants and create enormous burdens on all stakeholders—not the least of which would include significantly increased registry and registrar compliance burdens with substantial additional expenditure of resources. Simply put, unless an automated system for obtaining or verifying registrant contact information is maintained, we are likely to force a situation where parties need to pursue unprecedented quantities of Doe suits and subpoenas, and enter into motion practice (e.g., motions to compel) to access registrant data.

This is simply unnecessary!

The GDPR offers bases for maintaining a system for obtaining or verifying registrant contact information, including within Art. 6(1)(b) (performance of a contract), Art. (6)(1)(e) (performance of a task carried out in the public interest), and Art. 6((1)f) (legitimate interests). Moreover, having anticipated the GDPR and debated for nearly two decades the privacy aspects and concerns raised by the WHOIS system, the ICANN community has already produced numerous detailed recommendations that go toward addressing many of the concerns under discussion today (e.g., Final Report from the Expert Working Group on gTLD Directory Services: A Next-Generation Registration Directory Service). The existing ICANN community work product should be leveraged to simplify the task of accommodating existing contractual obligations and the GDPR with a model or “Code of Conduct” that reconciles the two. A Code of Conduct (as allowed for and encouraged under Articles 40 and 41 of the GDPR) is an especially attractive and efficient means for associations or other bodies like ICANN representing controllers or processors to demonstrate compliance with the GDPR through binding and enforceable promises that can be developed, approved, and enforced in a uniform manner—reducing risk and creating market efficiencies for all involved through reliance on a uniform “code” that has European Commission approval.

I’m hopeful that before our community heads down a path that could result in a system with fewer benefits for all stakeholders, we recognize that the WHOIS system is an important tool maintained and used to serve the public interest and that we work together to preserve this system in a manner that reconciles existing contractual obligations and the GDPR for the benefit of all involved.

By Fabricio Vayra, Partner at Perkins Coie LLP

Filed Under

Comments

Let's hope the community is willing to Theo Geurts  –  Dec 7, 2017 5:18 PM

Let’s hope the community is willing to work on this solution. A few months ago this idea was discarded within a nanosecond by community members within the RDS WG.

Do you have the magic bullet? Volker Greimann  –  Dec 7, 2017 5:38 PM

Come May 25, open public whois in the shape it is today _will_ be a thing of the past as no contracted party will be willing to expose itself to the very clear and present legal risk of being the first on the list of the DPSs when they after many years of repeatedly telling ICANN finally have the ability to fine violators.

Will that be a bad thing for many, if not all stakeholders? Probably there will be a significant impact, but not an insurmountable one.

On the other hand, anyone who wants to preserve current whois should be prepared to offer up on of two things:
1) A magic bullet - e.g. a plan that will completely resolve any legal issues with the publication of this data, e.g. that finds the loophole in the legal foundations that makes all the troubles go away.
or
2) Be willing to fully indemnify all contracted parties from any and all damages resulting from them not adequately protecting private data. Such an indmenity should of course be covered by bank guarantees that kick in if the indemnifying person or entity goes belly up from paying all those fines.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix