In less than ten days' time, on 25th May, the GDPR becomes law in every EU jurisdiction. Officially, the GDPR began its journey towards this state of grace in 2012, when the European Commission published its draft proposal, although to my certain knowledge informally the discussions about what it should say began in 2010. Probably they got going even earlier than that. The GDPR completed the legislative processes in early 2016 although the final shape was clear before the end of 2015.
It would therefore be hard for anyone to argue they were surprised to discover that a new set of rules was about to come into force. Yet only hours away from the commencement huge arguments are going on about the proper meaning of the GDPR in relation to the WHOIS database. In fact only two days ago ICANN issued yet another note on the subject but it is a note with no conclusion as it insists various (vital) matters have still to be discussed within “the community”. By that they mean among themselves. This opens up the possibility that large parts of the database will “go dark” on or shortly after 25th May.
WHOIS should be up to date, accurate and accessible
From the very beginning of the modern internet WHOIS was meant to be an up to date, accurate and publicly accessible database of who owns and operates web sites.
It long ago ceased to be that. Last time I checked only about a quarter (23%) of WHOIS entries were fully accurate in the way they were meant to be. In other words accuracy was the exception rather than the rule.
I can see a case where, in exceptional circumstances, certain data for certain sites might be withheld from routine public scrutiny e.g. by allowing the use of privacy or proxy services, but the key word there is “exceptional” and even if withheld from public view the information that is stored should be accurate.
ICANN has shown zero interest in or sense of urgency about putting things right i.e. in improving the level of accuracy within WHOIS. On the contrary they have come up with a litany of excuses, essentially for delaying doing anything meaningful. For example, they go on about the “changing nature of the internet” and how this requires them to “look again at the role and purpose of WHOIS.” OK. But accuracy is accuracy whichever way you cut it. One senses the major constituent parts of ICANN would be entirely content if the only information anyone needed to collect and keep was that which allowed them to receive payments and that should be privy only to them.
As long as the money keeps rolling in
If the Registries, Registrars, and ultimately ICANN, keep getting the money from the sale of domains why should they care? If bad guys do bad things with the sites they provide that’s a problem for the cops or someone else, not them. I exaggerate for effect, but not by very much.
The upshot? WHOIS has been getting ever more inaccurate.
Yet it remains an important source of information for law enforcement and the wider online security industry. Crooks and fraudsters of all kinds still have to register some details and these can often provide vital clues for investigators to follow.
Will WHOIS “go dark”?
As already mentioned, right now there is a severe risk that WHOIS will “go dark” on or about 25th May, certainly to the wider internet security industry but possibly also even to cops. Probably not all top level domains will be equally affected but a great many could be.
Just so we are clear what that means: a source of data previously available to law enforcement for the purposes of investigating crime will no longer be there. Why? Because ICANN did not think this was important enough to get everything sorted out in time.
ICANN has come up with a proposed scheme which would provide what they call “layered” access to various interests but this requires an accreditation scheme to be established and no one knows how long that would take. Even a short hiatus could be a huge boon to wrongdoers.
Thus does ICANN’s arrogance stand out. Governments and legislatures can change whatever laws they like. Multistakeholderism means ICANN will consider how to respond as and when it suits them. And if it doesn’t suit them then that’s just tough. ICANN floats above us all.
Article 29 have not been playing it too cleverly either. For more on that please read the letter the UK’s children’s charities have sent to the Chair of Article 29. It will also be going to the UK’s Information Commissioner’s Office and I hope sympathisers in other EU Member States will consider writing to their DPA in a similar vein.
I will leave you with this thought.
WHOIS and ICANN were never discussed at political level
In the original proposal for the GDPR ICANN and WHOIS were not mentioned. Neither are they mentioned in the final text or in any of the Recitals. In fact I can find no record of ICANN or WHOIS being discussed or referred to at any point as the measure progressed through the legislative process.
I find it hard to believe any set of politicians in a democracy would deliberately vote to create or allow a system to continue that undermines people’s confidence in the internet and does so much harm to individuals and legitimate businesses.
Article 29 and the DPAs should be interpreting the GDPR in that light. Their failure so to do may well invite further, possibly urgent, corrective legislative action and undermine people’s confidence in DPAs for taking such a narrow and blinkered view.
Article 29 and the DPAs should have no hesitation in insisting that the identity and contact details of every web site are fully transparent and accessible, particularly to the police and the cyber security industry but the case for maintaining public access is also very strong. Children, parents and indeed every internet user ought to have the option to check the credentials of a web site before they engage with it.
Finally, and I apologise for coming back to the point about accuracy, it is imperative that all data within any and every possible future version of WHOIS are accurate. Anything less will only help criminals. Who voted for that? Nobody.