On Friday I was on a surprisingly interesting session at Rightscon 2018 in Toronto about GDPR and WHOIS. The panel consisted of Eleeza Agoopian from ICANN staff; Avri Doria who was recently appointed to the ICANN board; Elliot Noss who runs large registrar Tucows; Stephanie Perrin who has done a lot of privacy work for the Canadian government and as an ICANN volunteer, and me; Milt Mueller, who is now at Georgia Tech, moderated. There was a lot of overlap of roles on the panel. For example, I was there as a security researcher, but I’ve also resold Tucows’ service for almost 20 years.

I expected a lot of repetition of familiar arguments but was pleasantly surprised. Milt and others reminded us that they’d been telling ICANN about the privacy issues with WHOIS for 15 years and suddenly with GDPR there is a last minute panic. (In my experience there often were too many absolutist demands on both sides to make any progress.)

WHOIS is a service that was inherited from the pre-ICANN registries and has never had a formal definition or rationale beyond that’s the way it’s always been. None of the attempts to rationalize WHOIS have gone anywhere, and there was a broad agreement that the processes had been repeatedly derailed by trademark lawyers who want a one-stop source for whom to sue if someone utters their client’s name in vain.

Elliot said with considerable emphasis that WHOIS data has been used and misused for a long time, a great deal of it by third-party aggregators who stole it (his term) and resell it. With the GDPR looming in a week, the registrars will do what they have to do to stay within the law and if they have to choose between a fight with ICANN and a fight with governments, they’ll choose the former.

He also said that the ICANN WHOIS compliance rules are arbitrary and widely abused. His registrar gets lots of complaints about missing fax numbers which are in obvious bad faith, often domain speculators hoping that the domain will be canceled and they can snipe it and resell it. On the other hand, I have seen plenty of domains at other registrars with obviously fake data, so we can’t just trust the registrars.

Everyone agreed that some kind of tiered access is coming, with far too many of the details yet to be worked out. The privacy advocates often assumed that the people designing it hadn’t thought through the issues. They were mostly wrong but I didn’t see any reason to press the point, e.g., they assume that anyone who purports to be law enforcement gets access, while in fact, we are quite aware that it is hard to tell who is really LE and who is not. There are further questions about whether it’s a single bit—you see everything or you see nothing—or there are more complex access policies.

The Q&A;started out with a guy from the Article 29 work party whose name I didn’t catch talking about the view from his side. Everyone agrees that the GDPR never contemplated anything like ICANN or its situation. The rules that apply to ICANN were clearly written with large commercial marketers in mind. They work with ICANN as best they can, but they have to follow their rules. They can’t give waivers, e.g., to delay the enforcement date, since the law doesn’t allow them. A woman who does investigative journalism asked whether we’d thought about accrediting journalists (no, and it’s another hard problem since every blogger is one in some sense) and about allowing queries without alerting the target (yes, security researchers and LE also have that issue.)

Elliot said, and we all agreed, that the registrars and registries and the people who need access will figure out private arrangements to get access since he was quite aware that the day after GDPR goes into effect, there will be legit requests for data just as there are now. We’ll figure it out, and it will most likely be handed back to ICANN as a fait accompli.