In what we hope is not breaking news for anyone reading the DomainTools blog, GDPR commenced its enforcement period today. We have already seen domain name registrars and registries adjust the data they make available in Whois, with many following the Temporary Specification model that was mandated by the ICANN Board of Directors last week. Recall that ICANN sets policy for the generic TLD space but not for the country code TLD space. Here again are some of the attributes of this interim model:
- Registrars and Registries must continue to collect full Whois data from Registrants and transfer that data to escrow and to ICANN.
- The redaction of Registrant, Administrative and Technical Name, Phone and Fax Number and Street Address fields from the publicly available data set is required.
- An anonymized email or web form in lieu of Registrant Email is required for registrant contactability.
- Registrars and Registries will be allowed to apply this Temporary Specification data model to all domain registrations worldwide, not just those within the EU and not just those registered for personal use, at their discretion.
- Access to full Whois data for parties with a legitimate interest in such data will be governed by a yet-to-be-determined ‘gated access model’. In the interim, Registrars and Registries will independently decide who gets access to full Whois records, and how to request access.
The Temporary Specification accomplishes some important things. First, it becomes part of the contracts in place between ICANN and Registrars/Registries, meaning that ICANN can enforce compliance with this data model. Second, many useful data fields will remain in the public Whois data set for affected domains, including Registrant Organization, Registrar, Create Date, Expiration Date, Registrant State/Province, Country and Nameservers. Third, higher volume access to the remaining public data fields is still required to be supported. Fourth, it sets a schedule for the ‘gated access model’ to be defined and implemented before year-end.
A lot of people and influential organizations are going to be paying attention to how this new Whois model affects the work of those who feel they have a legitimate interest in accessing the full data. It’s important that practitioners in security, brand and IP enforcement, and consumer protection who currently use Whois data in their workflows continue to do so and document any increased friction or impairment that comes as a result of reduced access to critical Whois data fields.
DomainTools recently released significant updates to our Iris Investigate platform in order to guide users to useful attribution, context and connections still possible without the Personal Data restricted by GDPR. Still, it remains important to be vocal about the need to access full Whois records and the need to search across Whois data at scale. Constituents in the security, brand protection and related arenas must involve themselves in the creation of the Accreditation Model and demand that their legitimate interests be duly considered. Finally, for more regular updates to GDPR policy, visit our GDPR page.
May 25th is not a finish line; it is a beginning. We hope that our customers and users will continue to communicate with us as to how these changes impact their security posture and join us in fighting for a functional balance between privacy and security, at the intersection of Whois, DNS and the GDPR.