Home / Blogs

Why Are the EU Data Protection Authorities Taking Away Our Fundamental Right to be Safe?

What if we created a rule that gave everyone—good or bad—the right to hide their license plate, where they live, who they are, and just go incognito? What if we made it a right to walk into any building in the world, and simply say “No, thank you” when the security guards asked for one’s identification? The criminals would celebrate, and we’d all be utterly alarmed. We would immediately be afraid for our personal safety.

And that’s why I am utterly alarmed. This is exactly what is about to happen as the conflict between the European Union’s General Data Protection Regulation (EU GDPR) and the Internet Corporation for Assigned Names and Numbers’ (ICANN) WHOIS policies escalates. In short, the EU GDPR requires that any business that touches European citizens provide a right to privacy. ICANN has long established rules for the WHOIS database that emphasize transparency over privacy. Anyone who registers for a domain name (your virtual address on the Internet) must provide their name, physical address, email address, and telephone numbers for all of us to know who is the owner of the website connected to that domain name. All of this information is publicly available in the WHOIS database—kind of like the white pages for the Internet.

Well, the EU GDPR regulators think that violates their data privacy rules, and so ICANN is looking at limiting access to that data.

As a former federal prosecutor, this data was critical to my work in identifying criminals behind websites posting videos of children getting brutally abused or raped. It was also a critical starting point to build cases against online stalkers promoting stranger rape against their victims. In addition, WHOIS data helped us find movie pirates who were selling illegal online copies of movies that were still in-theater. As the head of internet enforcement for the Motion Picture Association of America, we would build cases using this data and often refer them to law enforcement for action. At Microsoft, we used WHOIS information to investigate cases globally involving hackers, fraudsters, and spammers attacking our customers. At MySpace, we stopped predators, spammers, identity thieves, and gangsters by unmasking criminals and civil no-gooders through the use of this data.

Yes, our online safety is clearly at risk. But, let me be clear, what happens online happens offline—these are not separate worlds. A predator finds their prey online to rape them offline. A thief gets access to life savings safely kept in bank accounts of seniors by setting up fraudulent online websites. A teen dies because she bought illegal drugs from an online drugstore.

Over the past eight years, I have helped real world people with issues that have started online, all through the use of WHOIS data. For example, I helped a revenge porn victim by unearthing the person behind the online postings. Just recently, the WHOIS database helped me identify who was behind multiple online attacks against a prominent actor and his children.

These are the stories that demonstrate the real need for transparency and accountability to help ensure personal safety in the online environment. Of course, respect for data privacy is important, but a myopic focus on privacy that elevates it above public safety and even protection of life itself is utterly unbalanced and dangerous. Unfortunately, the recent guidance issued to ICANN on April 11 by the Article 29 Working Party of European Data Protection Authorities adopts such an unbalanced approach. There are literally hundreds of thousands of people, adults and children, whose personal safety will be directly impacted when we let criminals put on hoodies and hide in the alley by creating a regulatory environment that essentially shuts off the well-lit neighborhoods that the WHOIS database provides. Just ask the over fifty national and international entities that signed a letter to ICANN raising awareness around these issues. These are groups and people from every aspect of our lives—these are people who care about the safety and security of our society.

It’s easy to make rules protecting our desire to be private. It’s much more challenging to write and properly apply regulations to achieve the correct and proportional balance that also recognizes and protects our global and fundamental right to be safe anywhere, anytime, anyplace. It’s a challenge we can’t ignore. Now is the time for the EU Data Protection Authorities to broaden their vision, lean forward and help solve this problem before May 25, 2018, instead of trying to pass the euro to ICANN.

By Hemanshu Nigam, Founder and CEO of SSP Blue

Filed Under


Alarmist nonsense Volker Greimann  –  Apr 22, 2018 6:04 PM

Losing access to whois data does not make the average internet user less safe. ccTLD whois has in many countries a long history of being hidden and those TLDs are in many cases no less safe than .com.

Your examples also make no sense at all. No one is hiding the „number plates“ (=domain names), but not everyone will be able to look up whom a number plate belongs to, which coincidentally is also how access to car registration data works.
And access to content on a web site has never been regulated by whois. Despite what you may think, you do not have a right to know whom a domain belongs to.

It may have been a useful tool for you as law enforcement agent, but no one is taking away the right of law enforcement agencies of appropriate jurisdiction to access the data, and it is not and never has been the only tool, or even the most useful tool. Now public access to registration data is going away in some TLDs. This is nothing new in the global domain name marketplace. Criminals will still get caught. Offensive domain names will still get shut down. Rights holders will still have sufficient means to protect their rights. If you are stumped, it is your lack of creativity of working successfully within the limits of the law. Just ask your colleagues in countris with non-public whois how they manage. Last I checked, .it, .uk, .eu or .fr were no havens of scum and villainy.

Welcome to the world where the fundamental human right of millions of registrants their privacy finally counts for something.

At least... Rubens Kuhl  –  Apr 24, 2018 12:37 AM

... the post author doesn't say is ICANN's role to defy law enforcement authorities such as the DPAs because other law enforcement authorities don't like the law. That's a start.

No one can serve two masters. Charles Christopher  –  Apr 24, 2018 1:36 AM

>defy law enforcement authorities .... because other law enforcement authorities Then by your own words there is no true authority. For no one can serve two masters, two "authorities". The trick is convincing people there are multiple "authorities" which must all be simultaneously satisfied. To the extent people buy into that lie, they create their own chaos .....

Different types of LEAs Rubens Kuhl  –  Apr 24, 2018 1:42 AM

It was a mention not to multiple jurisdictions, but to multiple types of LEAs. For instance, in the US you have the FBI, FTC, FCC, ATF and many others... from 61 to 443 depending on criteria. Does that create a chaos in the US ? I'm pretty sure they sometimes issue conflicting advice, but the one in charge of the matter is the one that takes precedence. Same in the EU for DPAs and Europol, for instance...

You are playing both sides.The EU is Charles Christopher  –  Apr 24, 2018 2:16 AM

You are playing both sides. The EU is free to pass all the laws its wants, for which those in the EU are bound to. The US is free to pass all the laws its wants, for which those in the US are bound to. The problem here is the EU telling me in the US I am bound to EU laws. To the extent that I buy into their idea of "truth" I create chaos for myself. The currently expressed thinking results in choice being REMOVED from all registrants. Those in the EU should enjoy CHOICE. If they want GDPR protection, choose a registrar in the EU. If they wish to enjoy third party public instantiation of their whois, then choose a registrar outside the EU. The way it is the EU is in effect removing my choice and I don't live in the EU. That is me being told by the EU that I serve two masters. You play in your sandbox and leave me alone in mine. When you enter my sandbox it's my rules, there is no serving of two masters. GDPR is in effect trying to map EU "jurisdiction" onto the US and the rest of the world. And this needs to be constantly repeated, for 16 years the privacy problem has been addressed and evolved into a working system for domain names. And the EU refuses ICANN attempts for clarification which is more than telling. This is not about registrant privacy, its about the slippery slope of the EU trying to influence the lives of people who do not live in the EU. It is using fear to manipulate others. Let the EU re-present its residents, the EU does not re-present me. This is only the beginning, and its not going to end well ....

Privacy is only for the rich and famous? Volker Greimann  –  Apr 22, 2018 6:09 PM

Btw, this is your companys product, right?

To quote: „Privacy Protect is SSP Blue’s exclusive service for high net worth clients to identify and remove their personally identifiable information from online sites.“

You then go on to ennumerate the benefits of privacy to your clientele. Well guess what: everyone else also benefits from privacy and is at risk of falling victim to the dangers you list.

Sounds very hypocritical to sell a product that serves a need that you on the other end desperately seem to want to keep away from millions of registrants.

Bingo Rubens Kuhl  –  Apr 24, 2018 12:40 AM

I believe the same asymmetry showed up in the privacy-proxy PDP where law firms rejected that they would need to follow PPSAI when providing proxy services to their high paying clientele while registrars that charge a few bucks or nothing should be regulated.

License Plates Are A Bad Analogy John Berryhill  –  Apr 30, 2018 3:19 PM

I would not feel secure, nor would most other people, if anyone was able to look up the name, address, email address, and telephone number corresponding to the owner of any license plate.

Is license plate data available in your jurisdiction?  You can see any automobile on the street, and then know where the owner lives and where the automobile is kept?

I’d like to know in what jurisdiction that is possible, since you seem to assume it is commonly available.

The way it works in most places, if you are injured or otherwise observe an automobile being illegally driven, you can take down the plate number and report it to law enforcement authorities who have access to that data.  I’m surprised that automobile registration data is freely available to the public in your jurisdiction.

The other people who have “taken away our right to security” are the corporate registrars in many states of the US.  Again, in many US jurisdictions, you cannot obtain information about the owners or operators of a private corporation.  You can, however, effect service of process on the registered agent.  The simplest means of WHOIS privacy for many domain registrants is merely to form a Wyoming, Nevada or Delaware corporation, and register domain names to that corporation.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC