back to article Nominet drains mug of tea, leans back, calmly explains how to make Whois GDPR-compliant

The operator of the .uk domain-name registry has outlined the changes it plans to make to its Whois domain registration system to bring it in line with incoming European privacy legislation. Nominet ran a short one-month public comment period asking for feedback on a range of proposed changes to its current system and …

  1. Tromos

    "the IP lawyers ain't gonna be happy"

    Sounds good to me

    1. Dazed and Confused
      Trollface

      Re: "the IP lawyers ain't gonna be happy"

      Are you sure?

      In short, the IP lawyers ain't gonna be happy. But tough. ------8<------------- they can get it for free if they wait a day.

      They're lawyers, they'll bill for that day.

      They'd probably argue for needing it to be longer than just 1 day.

    2. Anonymous Coward
      Anonymous Coward

      Re: "the IP lawyers ain't gonna be happy"

      We already have "private registrations" that hide whois so we know what the system is.

      The question is...does this work and is it better than a public whois?

      More importantly what's happening for RIPE and ARIN etc.? Their whois generally has more personal info.

    3. Anonymous Coward
      Anonymous Coward

      Re: "the IP lawyers ain't gonna be happy"

      Wait a day!

      My goodness, this is intolerable. Don't you know that IP lawyers have a turn around time of minutes or even seconds. A day would slow down the whole process.

      <OK sarcasm toggle OFF>

      As Chico Marx said

      "Whenever you got business trouble the best thing to do is to get a lawyer. Then you got more trouble, but at least you got a lawyer. "

  2. Pascal Monett Silver badge

    I would agree with only LEAs having full access

    Anyone else should make their case to their local LEA which will judge if it is actually justified, then look it up immediately if it is.

    But access for anyone else should be made difficult. It is time we made personal data something that is just as valuable for the consumer as it is for FaceBook & co.

    1. Hugh McIntyre

      Re: I would agree with only LEAs having full access

      There's also the usage (of whois) for individuals of, for example, "is this acme-service.com website associated with the real company, or some impostor?" But in that latter case you can also look at the HTTPS certificate if the site uses HTTPS and if they filled in name/address info in the certificate.

      As for the rest, the opt-in part of Nominet's plan is reasonable (some of the rest may be debatable). Most registrars already offer a "hide registrant info" which personal registrations can use, so big companies that don't use this option are already effectively opting in to sharing, and hopefully other individuals defaulted to hidden. As such, responding to GDPR by saying "all WHOIS registrations move to hide-registrant mode unless people/companies affirmatively agree to non-hidden" seems like an easy choice even though the number of non-hidden whois entries may end up pretty small.

      On the other hand whether paid-access-for-others stands up might depend on whether the domain owners opt in?

      1. Paul Crawford Silver badge

        Re: I would agree with only LEAs having full access

        On the other hand whether paid-access-for-others stands up might depend on whether the domain owners opt in?

        INAL but I think it should not - after all the right to privacy is not something to be sold without consent. LEA are a different matter, some would say they should get a warrant, others might feel that whois data is not so personal as to need that for a general look-up. Getting other data like IP addresses of those making contact, etc, is another matter.

      2. phuzz Silver badge

        Re: I would agree with only LEAs having full access

        There's also the usage (of whois) for individuals of, for example, "is this acme-service.com website associated with the real company, or some impostor?"

        I'm guessing most companies will opt-out of the data-sharing restrictions (ie they will share their full whois data) for just this reason. It's something like getting an EV certificate, but presumably cheaper.

        1. rg287

          Re: I would agree with only LEAs having full access

          I'm guessing most companies will opt-out of the data-sharing restrictions (ie they will share their full whois data) for just this reason. It's something like getting an EV certificate, but presumably cheaper.

          It wouldn't be terribly awful if they were required to do so - German companies are required to include Impressum statements on various web properties for instance. The real-world details of British businesses are searchable via Companies House so why not their online details too? Business WhoIs listings benefit customers who are able to check a domain - which directly benefits the company who doesn't fall foul to look-a-like imposters.

          Personal registrations can continue to be redacted and correctly handled in accordance with GDPR.

          1. CommanderGalaxian
            Headmaster

            Re: I would agree with only LEAs having full access

            "The real-world details of British businesses are searchable via Companies House so why not their online details too?"

            I think you will find that you have been able to redact that information for quite a while now. Many companies and their directors now simply use (legally) an accommodation address - typically their accounts or solicitors and not their own.

            Nominet's proposals are rather less than Companies House already does.

    2. Wibble

      Re: I would agree with only LEAs having full access

      Can't help but wonder that should this pragmatic approach be adopted by ICANN that there needs to be some monitoring as some LEAs may sell their access as a revenue generation opportunity. Thinking of Hicksville TX not caring for those pinko commie liberals

  3. The Nazz

    same old, same old, oh the irony

    the lawyers "emphasized the role they played in crime prevention"

    Firstly, the majority of their enquiries will be in respect of civil matters.

    Secondly, if you really want to play a role in crime prevention, stop fraudulently billing your clients.

    Nominet should charge them at least £200 per hour, or part there of.

  4. Mark 85

    Nominet's answer to this is seemingly simple: law enforcement agencies (LEAs) can access that data for no cost at any point through a searchable Whois. Presumably they will be given a login to Nominet's systems.

    And all LEO's are honest, would never take a bribe to get some info that someone wanted? Handing out passwords just doesn't have a good feel to it. Maybe a one time password might work. But the devil is in the details so hopefully there will be controls on the LEO's access.

    1. rg287

      And all LEO's are honest, would never take a bribe to get some info that someone wanted?

      Given that a couple of hundred officers a year get disciplined for improperly accessing PII on their Intelligence & Criminal Records Databases, I'd say it's a very significant risk.

      Whilst it's bad that they don't understand (or don't care) about their data protection responsibilities, the good part of that is that Officers are caught and are disciplined. Which means there is functional tracking and auditing of system access. One assumes similar protections would be implemented here.

      A sensible solution would be that nominet don't just hand out passwords to a portal - the Police tap into an API from within their existing systems, so individual usage is tracked and audited. Pulling up a domain registration should be logged exactly the same as accessing someone's criminal record. Whois becomes "just another service" that they have privileged access to, same as Criminal Records, Criminal Intelligence, DVLA Driver Licensing, Car Tax/Insurance, Firearms Licensing, etc.

  5. fluffybunnyuk
    Big Brother

    Talk about borrowing my post on https://forums.theregister.co.uk/forum/3/2018/04/14/whois_icann_gdpr_europe/

    page 3

    4 Days Ago

    Re: Meanwhile in Europe itself...

    I checked nominet in the UK :- https://www.nominet.uk/nominet-opens-comment-period-gdpr-changes-uk/

    From 25 May 2018, the .UK WHOIS will no longer display the registrant’s name or address, unless they have given permission to do so – all other data shown in the current .UK WHOIS will remain the same.

    Any third party seeking disclosure for legitimate interests can continue to request this information via our Data Release policy, free of charge.

    The standard Searchable WHOIS will continue to be available, but will no longer include name and contact details to ensure GDPR compliance. Those outside law enforcement requiring further data to enforce their rights will be able to request this through our existing Data Release policy.

    Seems all reasonable to me. I'm going to be re-registering all my sites/services on May 26th.

    6 thumbs up

    Find your own stories :)

  6. theworm123

    Privacy protection ...

    Now pretty much useless I could have saved money if I waited to renew my org.uk domain.

  7. Anonymous Coward
    Anonymous Coward

    but will not get the registrant's name and address.

    If they don't get the name or address then what use is the information to IP lawyers anyway?

    1. Paul Kinsler

      Re: If they don't get the name or address then what use

      They get a phone number and an email address, from which presumably they will have a reasonable chance - after some not especially taxing detective work - to find out the name & address?

      1. Anonymous Coward
        Anonymous Coward

        Re: If they don't get the name or address then what use

        I did wonder that but the phone company won't give out the details as they are under the GDPR as well and the email is neither here nor there, a pot luck chance.

  8. Kevin Johnston

    Oooh, here's an idea

    Let the IP Lawyers have their access but as part of that, every time they search a domain the owner of the domain gets an alert with the lawyer's FULL details

    Sauce for the goose...

    1. Anonymous Coward Silver badge
      Big Brother

      Re: Oooh, here's an idea

      Give the IP lawyers access but with an explicit statement that the data may be inaccurate (hint: make sure it's inaccurate before releasing it to them)

      Then let them sue and counter-sue themselves to oblivion.

    2. Anonymous Coward
      Anonymous Coward

      Re: the owner of the domain gets an alert ...

      ... and a fiver. To compensate for the stress and inconvenience.

  9. Anonymous Coward
    Anonymous Coward

    The request to nominet will be a SAR (subject access request), and it will only be granted on the basis of GDPR.

    IP lawyers will have to make the case under GDPR as to why they deserve the data, and having read extensively the GDPR law I can see no reason why a SAR should be granted on the basis of " I wants it".

    As to the charges for a SAR that is also clearly defined as a reasonable amount ie £10 or £20 certainly not £200.

  10. greenwood-IT

    Registered Business Address is now private?

    Physical shops and businesses legally have to provide a "registered address" on their websites and paperwork, so what;s the problem with having a registered address on a business domain registration - and making that publicly visible too?

    If the registration is non-business, then keep the personal details secure - if it's a business, then make the information available to all for free.

    As an IT businesses I regularly have to use WhoIS to try and locate who is controlling a domain name registered years beforehand. Last month I had to track down a guy who'd sold his business, which had then changed hands again, but he had forgotten to transfer the domain - this only came to light a week before renewal. Without access to the WhoIS information in this case, the businesses could have lost the domain name and had to re-brand.

    1. Peter2 Silver badge

      Re: Registered Business Address is now private?

      Without access to the WhoIS information in this case, the businesses could have lost the domain name and had to re-brand.

      Why? This could be easily dealt with through the Nominet dispute resolution service?

    2. Anonymous Coward
      WTF?

      Re: Registered Business Address is now private?

      " Without access to the WhoIS information in this case, the businesses could have lost the domain name and had to re-brand."

      That makes no sense whatsoever

      How come the business didn't have a clue who sold them the business?

      Surely the domain was registered to the business address?

      If it was registered to an individual, how would the registrar know it's a business therefore exempt?

      Maybe I'm missing something, but if a business can't tell you who sold them the business, they have bigger issues to worry about, like complete incompetence.

    3. Roland6 Silver badge

      Re: Registered Business Address is now private?

      > regularly have to use WhoIS to try and locate who is controlling a domain name registered years beforehand.

      This is going to be one of those downsides of GDPR, it is going to be harder to detect the oversights and scammers.

      Using Whois to check domain registration is something I automatically do with new clients when giving their IT a lookover. It is surprisingly common to find small businesses and associations that don't actually 'own' their domain.

      What typically seems to happen is that some IT guy registers the domain and sets up the website, everything goes well for a few years, while the guy is around and/or those who know about the arrangement, problems only arise when guy moves on, or key people in the know stepdown and the domain registration needs renewing or business decides to build a new website, change hosting arrangements and discover that the IT guy is now playing hardball and denying the business access to the domain.

  11. Anonymous Coward
    Anonymous Coward

    I use WHOIS for alot of requests every year for IP tracking and reporting (automated process). I dont need to know personal data. I just need the ISP , and their point of contact ie abuse,admin or whatever, and a method of contact.

    Its incredibly rare to get a repeat attack on our devices that connect the internal and external networks as a result of chasing these people.

    If its a proxy provider then the proxy is blocked.

  12. Fat Freddie's Cat

    Whois going away and IP lawyers is an interesting diversion. And anyone who thinks that safety online largely is due to the efforts of LEAs is deluded.

    In an online world, indicators as to identity are few and far between. That John Smith I think I’m talking to could well be Jane Doe. For obvious reasons, this can be important.

    One indicator as to identity is Whois. A whole slew of companies use this data to identify bad actors and/or bad properties online. Identifying IPs and domains associted with phishing, banking fraud, man in the middle attacks, botnet infrastructure, etc, etc.

    As a private person, I have used Whois to check on a company with whom I wish to enter into an online transaction.

    This tool is being taken away from us and it’ll make the online world that little bit less safe.

    The domain name registration business is a multi-million (billion?) dollar business. Whois is a nuisance for that business. Registries have to maintain the database but it’s of little direct benefit to them. Indeed, quite the converse. Security minded organisations using Whois can reduce the number of (bad) registrations thus impacting a registry’s income.

    GDPR is an ideal excuse to get rid of Whois — so away it goes. Make no mistake, this is not a proportional response to GDPR, nor will it help you or I. However, it does benefit the domain name registration business.

    1. Boothy

      Have you understood what is happening?

      Whois is not going away, registrars will still be asking for, and storing the same data they currently do, so no change there for the domain name registration business. It's only the visibility and access of the data that is changing.

      If anything, it's making things slightly more complex, and removing a stream of revenue (making current registrations private), and therefore if anything, this will reduce income and push costs up by a small amount.

  13. Andrew Norton

    personal domain correction

    "A related change will be that Nominet will no longer draw a distinction between domain names registered by individuals and used for personal reasons and those registered by corporations for commercial reasons (currently it redacts personal-use domain data)."

    Not 'quite' the case.It allowed personal users to obscure it, IF (and only if) they decided the site was to be personal. And if your site had an email subscription signup, or it linked to commercial sites (I had a link to a book I wrote available on Amazon) then it would consider the site 'commercial', and there's no way to appeal it. I found this out the hard way a few years ago.

    https://www.theguardian.com/technology/2014/jun/11/nominet-new-rules-uk-domain-end-privacy

  14. UncleDavid

    Wikipedia's use of Whois

    Part of my recent rummaging in Wikipedia is figuring out whether to recommend a block on editing by IP addresses that repeatedly vandalize. To do this right, it's important to find out whether the IP is assigned to a large ISP (so probably an individual customer) or to something like a school or public library (so you are likely blocking innocent users of a public terminal, for example). Whois is the tool of choice for finding out.

    Does this change mean that Wikipedia self-appointed cops and nags will have less information to go on?

  15. M Mouse

    Hmmm, those pen pushers messing about again...

    Nominet makes my head explode whenever I come up against their burocracy.

    Just trying to disentangle myself from a domain registered in the late 90s with my name as registrant, but I don't know what e-mail address was used (and the registered user's e-mail has never been publicly shown). The domain was registered obo a relative who has since sold the business, so I and the relative are now nothing to do with this domain, but to get it transferred to the new business owner will take £20 +VAT thanks to Nominet's damn "security" measures.

    I spoke to someone there who explained how I first have to get back access via my old e-mail address and writing them a letter... and paying money... and can then change registrant, after I pay more money. I did ask the hypothetical "what if I was dead" and was told they'd need proof of it...

    I wonder how much they spend on management flying back and forth to USA since they now have an office over there, given this is a "not for profit" organisation they must have lots of spending to wipe out their profits, or do they just hike up everyone's salary well in excess of 50K a year, 250K plus expenses and first class flights for top level execs?

    I have nothing good to say about them, and the fewer .uk domains I have to have contact with in future, the better. I like that they will hide all contact info, because there were lots of instances where a domain used for business had its details *incorrectly* redacted and Nominet couldn't give a flying fig about it.

    Forget any .uk domains from now on, and go hassle free with something else, is all I can recommend to my clients.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like