The end of WHOIS? Where are we at?

It looks like the ICANN community missed every opportunity or ignored every opportunity to get ahead of the Data Protection issue that has been present for two decades or more?

Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet
Adopted at the 27th meeting of the Working Group on 4/5 May 2000 in Rethymnon / Crete. Berlin common position 2000 on WHOIS

This three pager of a document created in 2000 sums up the RDS WG struggle since January 2016. The RDS WG is tasked to replace the current WHOIS and has weekly conference call meetings for 90 minutes and met face to face at every ICANN meeting.

The RDS WG will not be finished before the GDPR.
ICANN is still figuring out how they fit in into this Data Protection landscape as a community and organization. Rather strange though, privacy by design is used a lot by folks who deal with security, and the data protection principles are old also. It is like the ICANN community was not aware, and not able to look ahead.


Where does this leave us?
Thick WHOIS Migration.
Until ICANN has not figured out, it’s legal position CPH’s cannot create contracts. So we have legal impediment here. Perhaps this gets solved at ICANN 60, but I am not counting on it.

Registrars, some of them already started offering privacy protect for free.
Some Registrars will come up with a privacy “lite” version masking most PII.
Registries will limit port 43 server WHOIS lookups and place captcha’s on the web WHOIS; this is already happening, though this won’t be enough.
The GDPR requires an adequate level of data protection an open system as WHOIS has no level of data protection whatsoever.

Hot seat
Unless the ICANN community does not adopt the data protection principles and privacy by design during the PDP’s they will keep pushing ICANN Org into the data controller hot seat. This needs to change.

Privacy and Proxy Services Accreditation Implementation IRT
This IRT could turn into a barrier for contracted parties when it comes to offering privacy services in the future. Currently, the contractual requirements are high, the accreditation process complex, small Registrars or Registries will have a hard time to implement this. It also could be in violation of data protection laws.



By no means the above drafts are final. I assume this IRT will be finished somewhere around 2020, reality should provide us with guidance overtime.

Thanks to Stephanie Perrin for the Berlin position PDF.



Theo Geurts PPSAI IRT member