Whois is dead as Europe hands DNS overlord ICANN its arse

The Whois public database of domain name registration details is dead. In a letter [PDF] sent this week to DNS overseer ICANN, Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force. The letter also has …


  1. John Doe 6

    Actually it is a non-issue: The only GDPR problem in WHOIS is the personal information which may not be displayed - just remove content of those fields from the DB or replace it with the AS#.

    1. Voland's right hand Silver badge

      just remove content of those fields from the DB or replace it with the AS#.

      That is exactly the information which IPR trolls need to throw cease and desist and threat letters.

      They and specifically the entertainment industry lobby are the ones behind the current ICANN position as this will mean that they will now have to use a proper court order to make the SP disclose the end-user information.

      1. John Smith 19 Gold badge
        Unhappy

        "this will..now have to use a proper court order to make the SP disclose the end-user information."

        To which I think many are thinking "Boo f**king hoo."

        Coming for a decade and still not ready.

        Funny how it's the US that thinks its laws apply everywhere and when other countries or institutions push back you hear that whiny corporate tone "Please don't do that, we can't, we're special."

        I despise corporate whining

  2. Yes Me Silver badge
    Childcatcher

    Unstable operation coming soon...

    "the stable operation of the Internet's unique identifier systems" has been possible for many years because it's possible to discover who is (ab)using any particular registration. And contact them if necessary for operational purposes.

    Changing this will make illicit or ham-fisted operations much harder to stop. It will be ironic if EU privacy rules make criminal activities easier to get away with.

    Don't they need to get all registrants to sign a waiver?

    1. Trollslayer

      Re: Unstable operation coming soon...

      Assuming contact details are correct.

      1. Stuart Grout

        Re: Unstable operation coming soon...

        If operator's details are not correct the domain gets suspended as they are in breach of their agreement to provide and maintain correct details.

        1. Doctor Syntax Silver badge

          Re: Unstable operation coming soon...

          If operator's details are found to be not correct the domain gets suspended

          1. Anonymous Coward

            Re: Unstable operation coming soon...

            > a shutdown of the full Whois will result in a spike in online scams

            Not really, since most scammers (a) give false details, (b) hide behind registrars who obfuscate the details for them, and/or (c) use short-lived domains and discard them when finished.

            > If operator's details are found to be not correct the domain gets suspended

            And with about 140 million domains in dot com alone, how much actual verification is done on each one, apart from sending a confirmation E-mail to the registered contact mailbox and checking it doesn't bounce?

        2. Anonymous Coward

          "If operator's details are not correct the domain gets suspended "

          If so, many US registrars would be suspended wholly. Many of them hosted a large number of spammers and fake sites without giving a toss about it - as long as they got paid, even with stolen credit cards. Most of them decided that it was more profitable to sell a large number of cheap domain names, without checking registration data - of course that means to close both eyes on who registered what.

          ICANN acts the same way, as long as its people are paid handsomely for looking at their belly buttons, they don't care at all about actual issues and upcoming ones - as we've seen in this case.

          GDPR wasn't meant against FB or Google - it was meant to protect citizens' data, regardless who collects and manages them.

          1. Yet Another Anonymous coward Silver badge

            Re: "If operator's details are not correct the domain gets suspended "

            For official purposes the information can still be requested through proper channels

            Who gets to decide who are official ?

            Russian intelligence agency, Somalian warlord, MPAA, Milk Marketing Board ?

        3. Tomato Krill

          Re: Unstable operation coming soon...

          No, as long as they're *plausible* they will be accepted and validated by the automatic processes that verify data.

          They need to be valid data; they need not be *your* valid data.

    2. Doctor Syntax Silver badge

      Re: Unstable operation coming soon...

      "Don't they need to get all registrants to sign a waiver?"

      The authors of GDPR saw that one coming. One aspect of the regulations is that you can't tie provision of a service to a waiver on data that GDPR covers. Breaking that one would just bring bigger fines.

      1. Anonymous Coward

        Re: Unstable operation coming soon...

        "you can't tie provision of a service to a waiver on data that GDPR covers"

        Citation needed!

        1. SImon Hobson Bronze badge

          Re: Unstable operation coming soon...

          "you can't tie provision of a service to a waiver on data that GDPR covers"

          Citation needed!

          Try the ICO guide to GDPR.

          Basically, if you are saying that you won't provide the service without the person giving consent then that consent isn't "freely given" - so don't bother.

          However, that doesn't automatically stop you collecting and processing data because you can collect and process information that is REQUIRED for the performance of a contract. In the case of domain registrations and whois, the registrar is entitled to collect certain information for performance of its contract. BUT, making that publicly available via whois is not required for the performance of the contract and so must only be done with consent and the person must be able to withhold that consent without affecting the ability to have domains registered.

        2. Anonymous Coward

          Re: Unstable operation coming soon...

          " Citation needed!"

          Consent has to be freely given. Here for example is an explanation of the principle https://www.ivir.nl/publicaties/download/Computerrecht_2017_4.pdf

          1. Anonymous Coward

            Re: Unstable operation coming soon...

            That's just an opinion piece that borders on wishful thinking. I want to see chapter and verse of law.

            1. the spectacularly refined chap

              Re: Unstable operation coming soon...

              That's just an opinion piece that borders on wishful thinking. I want to see chapter and verse of law.

              Read the bloody regulations yourself then: it's not as if it isn't publicly available. The poster you originally responded to stated GDPR says this and you demanded a citation despite that in itself being one. Now the ICO counts as 'opinion' despite them being one party responsible for enforcing it.

              It's clear enough that your opinion is worth fuck all, your IQ is clearly way too low for you to have anything meaningful to contribute and are far happier spouting meaningless tripe than even stopping to read the very references you demand.

              This is law and not subject to alternative facts if you happen not to like it. Yes, you can ignore it if you like but if it comes back to bitch slap you then you only have yourself to blame.

              1. Danny 14

                Re: Unstable operation coming soon...

                businesses are still covered with gdpr. ICANN is a data controller with data. That data might be personal data if an IT manager has his name and email address on there. Business or not, GDPR is about protecting data.

                1. Anonymous Coward

                  Re: Unstable operation coming soon...

                  > GDPR is about protecting data

                  No. The GDPR is about protecting personal information.

              2. Jamie Jones Silver badge
                Happy

                Re: Unstable operation coming soon...

                It's clear enough that your opinion is worth fuck all, your IQ is clearly way too low for you to have anything meaningful to contribute and are far happier spouting meaningless tripe than even stopping to read the very references you demand.

                Blimey! Some-one needs a hug! :-)

        3. Anonymous Coward

          Re: Unstable operation coming soon...

          GDPR Article 7 (4)

          http://www.privacy-regulation.eu/en/article-7-conditions-for-consent-GDPR.htm

    3. Lusty

      Re: Unstable operation coming soon...

      “Changing this will make illicit or ham-fisted operations much harder to stop”

      You’ve completely misunderstood everything about this. Literally nobody is saying ICANN shouldn’t collect and store the information. They should and they will, just like Nominet do. For official purposes the information can still be requested through proper channels. The only difference is that our details won’t be available for anyone to access. They should never have been in the first place, and this case shows why GDPR is so important given how hard people are trying to keep doing things they shouldn’t have done in the first place. It’s always harder to get privacy back than to never let it go.

      1. Yes Me Silver badge

        Re: Unstable operation coming soon...

        "The only difference is that our details won’t be available for anyone to access."

        Exactly. So the public isn't able to discover who registered dodgybusiness.com without expensive and cumbersome due process. That seriously reduces consumer protection. Privacy is a two-edged sword and GDPR doesn't seem to recognise it. Fraudsters are pleased.

        1. John Brown (no body) Silver badge

          Re: Unstable operation coming soon...

          "Exactly. So the public isn't able to discover who registered dodgybusiness.com without expensive and cumbersome due process. "

          You are assuming that dodgybusiness.com was so inept as to register with their correct details. You are also misunderstanding the point of GDPR. Dodgybusiness.com is a business and so must publish its contact details and is not protected in that way by GDPR. But they probably used a registrar that doesn't care or check the details anyway.

        2. Anonymous Coward

          So the public isn't able to discover who registered dodgybusiness.com

          the public isn't interested in the first place, willing to keep their privacy shunned by F book without changing their privacy settings, much less actively looking up who is doing the rest of the dodgy interwebs hackingdoodledumbsies

      2. Steve 114
        Happy

        Re: Unstable operation coming soon...

        My registrar charges a few dollars a year to keep my ID 'private', standard option. I wonder if I'll get that service free now.

        1. Roland6 Silver badge

          Re: Unstable operation coming soon...

          >My registrar charges a few dollars a year to keep my ID 'private', standard option. I wonder if I'll get that service free now.

          If your registrar had any sense, they would have made 'private' their standard offering.

          There is no discount for positively opting out, because they now have to maintain records of your consent.

          In some respects, I'm a little lost as to why this is such a big issue, the EU registrars seem to already have in place the relevant mechanisms to protect their domain holders' data, they just seem to be reluctant to use them.

      3. MrXavia

        Re: Unstable operation coming soon...

        "The only difference is that our details won’t be available for anyone to access. They should never have been in the first place"

        Glad that this is being changed.

        I wonder if Companies House is allowed to continue under GDPR, I never understood how they were allowed to publish officers' addresses without any comeback... Problem is once it's published, you can't take it back.

        1. Franco

          Re: Unstable operation coming soon...

          MrXavia I was coming here to make that very point. As soon as I set up my own business and people saw it at CH I started getting spammed by IT resellers and dodgy accountants promising 95% take home. I really hope that they have their house in order for GDPR.

        2. Dazed and Confused

          Re: Unstable operation coming soon...

          > I wonder if companies house is allowed to continue under GDPR

          I wonder whether the concept of a limited company will be allowed to continue under GDPR.

          The idea of Companies House publishing your details is because you are asking people you do business with to do so on the basis of trust. If you do business with a limited company you have to accept that you may not get paid and that ultimately their liability is limited to the share capital of the company (usually a couple of quid). So you need to be able to find out whether the directors are people you are prepared to trust. Publishing their details at least holds them (me) to a certain amount of accountability. If you aren't allowed to find out who they are why should you trust them? Business people being able to use the right to be forgotten to hide their past illegal behaviour is bad enough. Letting conmen have complete anonymity seems to be an unexpected consequence of the new rules, unless you subscribe to the black helicopter view of things.

          1. Anonymous Coward

            Re: Unstable operation coming soon...

            "I wonder whether the concept of a limited company will be allowed to continue under GDPR."

            Nope.

            GDPR, exactly like the DPD before it, sets out a series of justifications for processing data. Put into context that means that publishing data is absolutely legal under GDPR as long as you can suitably justify it. In the case of something like companies house, the fact that the law requires the CH register to be public trumps the protections in GDPR. Even if it did not then there would be a strong legitimate interests argument.

            ICANN have made no effort to come up with such a justification. Given that many registries already don't publish, that anyone can already register anonymously (for a fee, funnily enough) and the level of abuse of the public registries, such a justification is likely to simply not exist.

    4. Anonymous Coward

      Re: Unstable operation coming soon...

      "And contact them if necessary for operational purposes."

      This problem has already been addressed. Any well setup domain has e-mail addresses as per RFC2142, i.e.:

      abuse@example.com

      hostmaster@example.com

      postmaster@example.com

      The solution is as simple as ICANN mandating these addresses are valid and if they're found not to be, you'll forfeit your domain registration, maybe after a few strikes.

      1. Anonymous Coward

        Re: Unstable operation coming soon...

        1997 called. It wants to know if you are the only person on the planet still following the RFC.

        1. Anonymous Coward

          Re: Unstable operation coming soon...

          "1997 called. It wants to know if you are the only person on the planet still following the RFC."

          1997 will need to come and ask me on IRC. :-)

          But I suspect so, it is becoming more and more apparent to me that I'm an odd little duck.

      2. Aitor 1

        Re: Unstable operation coming soon...

        of course.

        Yet most abuse@whatever from big companies will either give you the silent treatment or redirect you to a website using an automated mail.

    5. Orv Silver badge

      WHOIS is a relic of an older, friendlier internet

      WHOIS contact details are a relic of the 1990s, when everyone ran fingerd and identd and sysadmins could solve problems by calling each other up for a friendly chat.

      Nowadays putting that kind of personal information publicly on the Internet is just asking to be scammed and abused. Last time I published my real phone number in a WHOIS record, I got about a dozen telemarketing and scammer calls a day for weeks. My phone is still largely unusable for incoming calls (because I just ignore it.) At this point it's just a way for registrars to make more money by selling "domain privacy" packages.

    6. Aitor 1

      Re: Unstable operation coming soon...

      Nope.

      The illegal operators had fishy details.. while law abiding citizens put real data and big companies could throw them under the legal system bus.

      Same as with gun laws.

      I do recognize that some trollish ppl will be harder to stop, but ICANN must respect the law of the land.. even if they think it makes no sense.. as they do with China and Russia... yet don't want to do with the EU..

  3. Trollslayer
    Mushroom

    Bunch of petty autocrats

    WIPO, EPO and so many others.

    About time they were woken up.

    1. Tomato42

      Re: Bunch of petty autocrats

      EPO, despite having "European" in the name, has nothing to do with European Union or European Commission

      1. the spectacularly refined chap

        Re: Bunch of petty autocrats

        Or anything at all to do with GDPR...

        1. Danny 14

          Re: Bunch of petty autocrats

          GDPR is hardly new. It has been brewing for 2 years now. Unfortunately some companies just can't be arsed doing anything about it.

  4. Martin Summers Silver badge

    The only use I had of WHOIS having my details is getting a random phone call from a chap wanting to buy my domain name off me, which back in 2003 I made about £600 for. Personally I'll be glad to see the back of it as I think it's completely unnecessary to have those details exposed. It's made a mockery of with privacy services anyway and I balk at the cost of those on top of the domain. It's not going to make any difference to anyone having this shut off, only the registrar and the naming authority need my details.

    What is going to be affected is verified SSL certificates, although I imagine there's an opportunity for registrars to make some money out of a verification API. I'm sure someone will be right on that.

    1. Ole Juul

      "It's made a mockery of with privacy services anyway and I balk at the cost of those on top of the domain."

      Many registrars offer it for free.

      1. Tom Chiverton 1

        Gandi for instance

    2. itzman

      I think it's fine to not have details public

      ..so long as domains that choose to remain private are clearly flagged by browsers, as potentially 'dodgy'

      An important part of malware email handling consists in finding out who they are from, or who they are redirecting you to.

      1. Spanners Silver badge

        Re: I think it's fine to not have details public

        I am unclear why respect for someone's privacy makes their website any more prone to being dodgy.

        If I need to look into a website, for that trait, I see location as much more indicative.

        EU - least likely

        and so on......

        USA - could be. Who knows?

        Russia - bet it is

        I suppose it depends on what you consider dodgy. My criteria there is "takes my money and does not give me what I want/expect". Alternatively "takes my information and may deliberately pass it on to dodgy organisations like mafia, NSA, CIA, FSB or similar outposts of organised crime".

        If I do not know someone's name and home phone number to pass directly to a lawyer, this does not matter. If the laws are broken here, we have a look egalitarian system which can provide warrants in valid cases. This keeps pretend ones out of my hair!

        1. Alumoi Silver badge

          Re: I think it's fine to not have details public

          Alternatively "takes my information and may deliberately pass it on to dodgy organisations like mafia, NSA, CIA, FSB or similar outposts of organised crime.

          So, Google, Facebook & the like, Apple, Microsoft, your bank, your ISP, your utility providers and the list goes on.

          Tinfoil much?

          1. Danny 14

            Re: I think it's fine to not have details public

            Not with GDPR in May. They will need your permission to do so, and specific permission too, not a blanket catchall tick box.

      2. Lee D Silver badge

        Re: I think it's fine to not have details public

        "An important part of malware email handling consists in finding out who they are from, or who they are redirecting you to."

        And you rely on the domain names given to be definitive, do you?

        If you want to handle malware, you go for the IP "whois" (e.g. AS lookup), which is an entirely different kettle of fish. But domain names resolve to IPs. What makes you think they can't just change the domain they are using in seconds?

        There's no practical reason to have publicly visible names and addresses (except of abuse contacts at the ISP in question) for anything any more. It used to be there so you COULD call up John Bloggs who worked at X University and talk about a problem with his system. Nowadays, that's just not feasible.

        And a vast, vast, vast portion of domains are now owned by private individuals. It's like requiring me to put my name, home address and phone number inside the front cover of every book I write, song I record, game I create, etc. which is just silly.

        It's outdated. It's illegal (always has been in the EU, which is why Nominet gave the whois opt-out for personal information - the GDPR is nothing more than ratification of DPA case law into written statute). It's stupid. And it's useless, because of the sheer number of ways to put fake information there because it has way less verification than even an SSL certificate. It should have died decades ago.

        1. martinusher Silver badge

          Re: I think it's fine to not have details public

          >There's no practical reason to have publicly visible names and addresses (except of abuse contacts at the ISP in question) for anything any more.

          You're probably not old enough to remember something called a "phone directory". These were very handy back in the day, you could look up a person's address and phone number in them.

          They became a nuisance only when the cost of calls dropped to free so they could be used by telemarketers and scammers. Whois type records are the phone directory of the Internet; it's useful but easy to abuse because there's no cost to the abuser. So, once again, we fix a problem by not fixing it but by degrading the overall capability of the system.
