Hover, GDPR, and WHOIS Privacy
With all the recent talk about privacy, your personal data and the General Data Protection Regulation (GDPR), you might be wondering what is happening to Whois privacy services.
The short answer to the question of “what happens to Whois in a post-GDPR world?” is that nobody really knows just yet. This is despite the fact that it’s now just a few days until the enforcement of GDPR begins on May 25, 2018. The longer answer is that it’s all very complicated and will probably will take quite some time (maybe even years) to really figure out.
What is Whois and Whois Privacy?
The Whois directory is a public lookup system that allows anyone to find out who the owner of almost any given domain name is. A public Whois lookup system seemed like a really good idea back in the very early days of the internet, but over the years it became clear that publishing the full name, phone number, email address, and home or business address of all domain registrants wasn’t always a good idea.
As you might expect, it’s very common to see widespread misuse of Whois data. Scammers and spammers recognized that the Whois provides an excellent source of vast troves of email addresses and other information they can use to target victims and flood inboxes with unsolicited emails.
More recently, various groups and people started using the Whois to find and target people for their political opinions, religious beliefs or sexual orientation as part of a particularly nasty trend called doxxing.
It’s not all bad, though. Whois can be very handy to see if a domain is really owned by a specific company or person. For example, a Whois lookup on Hover.com shows that the domain belongs to Tucows and provides our address and contact information for our offices in Toronto. Many companies and some individuals might actually want to have their contact information publicly available for a variety of reasons.
Other interests like law enforcement rely on Whois to find and track down suspects as a part of investigations related to fraud, phishing, online illicit drug sales, acts of copyright infringement and other serious crimes.
Enter Whois Privacy
In order to provide a level of privacy protection while still maintaining the existing public Whois lookup system, Whois privacy was created and it worked pretty well for a long time. The basic idea of Whois privacy is that registrants can choose to have their own “real” information published in the Whois, or they could use a Whois privacy service and have that other company’s proxied data published instead. Some registrars offer that privacy protection as a paid add-on, others, including Hover, offer it for free.
With Whois privacy enabled for a domain name, the general public would see the proxied registration information when doing a public Whois lookup, but law enforcement or other agencies with a legitimate interest are able to access the “real” data for the registrants when required by contacting the registrar and having the registrant “unmasked” using a court order or other mechanism.
What’s Next? It’s All Very Complicated
The GDPR contains a bunch of provisions related to data collection and sharing that, in the opinion of some, are incompatible with the idea of a public Whois system. There are a wide range of opinions about what to do about Whois ranging from “shut it down” to “leave it as is” and everything in between.
Over the last couple of years, a group of interested parties had already been considering the future of the Whois system. Work is already underway on something called the Registration Data Access Protocol (RDAP) that is intended to completely replace Whois. Stakeholders include ICANN, law enforcement agencies, governments, intellectual property organizations, registries, registrars and, of course, domain registrants.
Balancing the right to privacy and protection of data for domain registrants alongside the ability for law enforcement to do its work, or for intellectual property rights holders to find and shut down infringers is always going to be a difficult task. There are a number of competing interests with a wide range of opinions on who should have access to registration data on demand and who shouldn’t. As you might expect, it’s going to take some time for the various stakeholders to work all of this out and (hopefully) find consensus.
What Does it Mean for Whois Privacy Today?
As of today, there are still many unknowns specific to GDPR and public Whois.
Because of this uncertainty, Hover will to continue to offer and automatically enable Whois privacy on domain registrations (where supported) leading up to and after May 25, 2018 when GDPR enforcement begins.
It very well may be a redundant level of protection depending on the specific registry and how they’ve interpreted GDPR requirements but given all the uncertainty, we feel that continuing to offer Whois privacy for any extensions that support it is the best option to help continue to protect the personal information of our customers.
As far as we’re concerned, there’s no harm in adding that additional layer of privacy protection, especially since we don’t charge extra for Whois privacy.