Home / Blogs

GDPR and WHOIS - Winners and Losers

I think we are all hoping that when ICANN meets with the DPAs (Digital Protection Authorities) a clear path forward will be illuminated. We are all hoping that the DPAs will provide definitive guidance regarding ICANN’s interim model and that some special allowance will be made so that registrars and registries are provided with additional time to implement a GDPR-compliant WHOIS solution.

But given that a major registry has recently announced their intention to essentially remove all contact data from publicly accessible WHOIS—things are not looking good for the future of WHOIS.

In a week’s time, we are likely to know where things stand, but a week is a long time to wait, especially when we are talking about something that has so many different implications and consequences. Instant access to free, publicly-available WHOIS information has been the norm for over 20 years—so to say the coming changes aren’t significant is to vastly underestimate what’s about to happen.

With that, let me gaze into my infamous crystal ball and share with you who I think the GDPR and WHOIS winners and losers will be.

The Winners

Privacy Advocates – GDPR is a huge win for privacy advocates. For years, these folks have stood up at ICANN meetings and eloquently spoken about the WHOIS system flying in the face of one’s right to basic privacy online. They have argued the simple act of registering a domain name should not come with the requirement to publish one’s personal contact information in a publicly-available WHOIS database. With GDPR, it becomes clear that registration of a domain name will no longer require publication of personal data in a free and open database.

Individuals Who Own Domain Names – If you’ve registered a gTLD for your personal use within the last few years, you know where I am going with this. The amount of spam and phone calls you’ve probably received has reached new heights. Under GDPR, while you may still receive unwanted email to an anonymized email address or via a web form, hopefully, phone calls from telemarketers taking advantage of WHOIS details should cease.

Fraudsters – While I’ve long said that information contained within WHOIS records for domains that are used to conduct fraud generally do not contain accurate information, there are sometimes breadcrumbs left behind which can be helpful in tracking down actual individuals, or at a minimum finding associated domain names. Regardless, with GDPR, uncovering ownership becomes much more difficult, and tying groups of domains together will become potentially impossible.

Infringers – Undoubtedly, there are registrants who unknowingly register domains containing a famous brand. And of course, there are those who are registering domains leveraging the rights of others to drive traffic to their sites. In either case, these registrants win as it will become much more difficult to identify the individuals who have registered these names, and that may cause a drastic decrease in enforcement actions taken against these domain owners.

The ICANN Community – This may seem like an odd one, but the topic of WHOIS and access to domain name registration data has been a topic of debate and contention at ICANN since early on in its history. While maybe not the ideal process for doing so, GDPR may finally “solve” the WHOIS discussion. Clearly not every segment of the ICANN community is going to be pleased with the outcome, but if this is the impetus behind real change that can still result in access to some limited amount of registration data, let’s call that a win.

The Losers

Brand Owners – Without a doubt, enforcement of brands and trademarks online is going to get more complex as a result of changes to WHOIS. Brand holders have relied upon open access to WHOIS for years, as a first step to enforcement on infringing domain names. This once-taken-for-granted utility will become much less speedy and create inefficiencies that simply haven’t existed previously. While there is a proposal for gated-access to WHOIS information for IP enforcement uses, it clearly will not be in place on May 25th and may take months, if not longer. Clearly, brand owners are in for some challenging times ahead.

Registrars and Registries – The contracted parties within ICANN are on the front lines of the GDRP regulation, as they collect and store personal information of their customers. It is their responsibility to ensure that they are compliant going forward. Significant development efforts have been underway to make changes to these systems and to ensure that they do not run afoul of these new privacy rules. With penalties up to 4% of annual revenue, the costs of getting it wrong are significant.

Law Enforcement – Not only will their jobs get more difficult in terms of investigations that require access to WHOIS information and the multiple processes they may have to go through to get access to contact information, other third-parties who no longer have access to WHOIS will begin going to law enforcement to leverage their access. Registries and registrars will generally make special arrangements for law enforcement agencies that others would not benefit from and in doing so, will drive requestors to engage with law enforcement creating additional work on top of already thin resources.

The ICANN Community – Wait, I thought you said the ICANN Community was a winner… what’s going on here?!?! Well, within the ICANN ecosystem, policy is generally created by the community through a lengthy process where interested individuals participate to create proposals which then go to the ICANN board for review and approval. With GDRP, essentially the actions of an outside party (the European Union Parliament) are forcing changes to ICANN policy. The community has been scrambling for months to determine how the WHOIS system is going to look after the enforcement date and there will most likely be some interim solution in place at that time. The community will, most likely, need to come together to develop an actual policy that can be rolled out which would allow access to WHOIS information that would be GDRP compliant. With a relatively small group of devoted individuals already feeling burnt-out, adding into the workflow something as major as this will certainly be impactful.

As with all things ICANN, it will be interesting to see whether these predictions become reality. I know we are all hoping for the best.

By Matt Serlin, Domain Name Industry Veteran and Advisor

Filed Under


Right on the money Volker Greimann  –  Apr 13, 2018 2:42 PM

Matt is absolutely right in his analysis.

Sadly, the response from the DPAs has been exactly as many in the community expected:
“Thank you for showing us your work so far, but it is sadly not sufficient. Please come back when you have something that would be in compliance with the GDPR next time!”

And in the meantime ICANN lost another couple of irreplaceable weeks spent waiting on an evaluation of a clearly deficient proposal that could have been spent on refining this proposal to a point where it would be closer to compliance. Many in the community pointed out the very deficiencies that the Art 29 WP now did as well. Had ICANN listened instead of hoping for outside assistance, we would be in a better place.

A good summary Matt.Yet you forgot the Derek  –  Apr 20, 2018 5:55 PM

A good summary Matt.

Yet you forgot the category “Biggest Losers”:
They will be the ordinary folks who will now be at the mercy of registrars and law enforcement to enforce their rights to not be defrauded. Looking at law enforcement is akin to purchasing a ticket in a lottery. Law enforcement is grossly overworked. We just saw the UK Met releasing stats that they only manage to convict in 1% of the cases. http://www.dailymail.co.uk/news/article-5570959/Just-one-100-crimes-web-ends-conviction.html

Consider the UK Met is doing more than most. Consider those are not all consumer facing fraud issues. We can split cyber fraud into three categories; governmental, commercial and consumer. Consumers are the most vulnerable and face threats that government and commerce does not see, so have very little support. The best party to protect the consumer is the consumer himself. Now he has to rely on other parties where other issues takes precedence. It’s not going to end well.

Privacy is finicky when there is no transparency.  The internet user may now just as well ask criminals now if they are criminals. If they say no, they are just protecting their privacy ... or so the logic goes. The answer is just as predictable as the result.

But wait! This was meant to protect consumers? The GDPR is great to enforce consumer rights when it comes to legitimate businesses, but fails totally when it comes to cyber crime. More so, this fail affects each consumer worldwide.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC